
New prudential supervisory provisions for banks - Circular No. 263 of 27 December 2006 - 15th update of 2 July 2013.

Original Language Title: Nuove disposizioni di vigilanza prudenziale per le banche - Circolare n. 263 del 27 dicembre 2006 - 15° aggiornamento del 2 luglio 2013.

With this update, Chapter 7 "The internal control system", Chapter 8 "The information system" and Chapter 9 "Operational continuity" are added to Title V of Circular No. 263 of 27 December 2006, "New prudential supervisory provisions for banks".

Chapter 7 sets out a comprehensive framework of principles and rules by which the internal control system should be guided, but it does not exhaust the organisational arrangements applicable to banks. The arrangements set out represent the reference framework into which the rules on controls laid down in specific disciplines fit (e.g. the organisational rules on the management of individual risk profiles, on the internal risk measurement systems used to calculate capital requirements, on the ICAAP process and on the prevention of money laundering risk) (the so-called "hub and spokes" model).

The provisions introduce a number of significant novelties compared with the existing regulatory framework, with the aim of giving banks a comprehensive, adequate, functional and reliable internal control system. In particular, the new rules emphasise the role of the body with the strategic supervision function in defining the business model and the Risk Appetite Framework; this body is also required to foster the spread of a control culture by approving a code of ethics with which the members of the corporate bodies and employees must comply. The body with the management function is instead required to have a thorough understanding of all business risks and, as part of integrated management, of their mutual interrelationships and of developments in the external environment (including macroeconomic risk).
The provisions require the top management of banks to pay particular attention to the definition of policies and of the most important business processes, such as those concerning: risk management; the valuation of business assets; the approval of new products/services or the start of new activities, as well as entry into new markets; the development and validation of internal risk models not used for regulatory purposes.

The rules on the corporate control functions (internal audit, compliance and risk management) have been thoroughly revised; in particular:
- the appointment and removal of the heads of the internal control functions are the exclusive responsibility of the body with the strategic supervision function, after consulting the body with the control function;
- the heads of the risk control function (the so-called Chief Risk Officer) and of the compliance function report, at least, to the body with the management function, without prejudice to their right of direct access to the body with the strategic supervision function and to the body with the control function. The head of the internal audit function, however, always reports hierarchically to the body with the strategic supervision function;
- the three internal control functions are independent of the business areas and separate from each other. Where consistent with the principle of proportionality, banks may set up a single function for compliance and risk control, without prejudice to the need to keep the internal audit function separate in any case, so as to ensure the impartiality of its audits of the other control functions;
- the powers of the risk management function have been strengthened. In addition to contributing to the definition of the RAF, the function is called upon, among other things, to give a prior opinion on the consistency of the most significant transactions with the RAF itself. In the event of a negative opinion, the decision on the transaction is referred to the body with the management function;
- under the rules on compliance, on the understanding that the oversight of the risk of non-compliance carried out by the compliance function covers all provisions applicable to banks, including those of a fiscal nature, the involvement of the function is graduated according to the relevance that individual rules have for the activities carried out and for the consequences of their breach, and according to the existence within the bank of other forms of specialised oversight of the risk of non-compliance with specific rules.
To ensure coordination and interaction between the various functions and bodies with control tasks (provided for by company, accounting or supervisory law), the body with the strategic supervision function approves a specific document specifying the tasks, responsibilities and methods of coordination and collaboration among the various control functions involved.

An organic framework for outsourcing has also been introduced. Banks are required to closely monitor the risks arising from outsourcing, retaining the ability to control, and responsibility for, the outsourced activities, as well as the essential skills needed to re-internalise them if necessary. Specific provisions concern the conditions for outsourcing important operational functions or control functions; less stringent requirements are provided for outsourcing within a banking group. Two specific administrative procedures have been defined for prohibiting the outsourcing of important operational functions or control functions, respectively outside or within the banking group (see Sections IV and V); these procedures supplement the Bank of Italy's Regulation of 25 June 2008 identifying the time limits and the organisational units responsible for the administrative procedures within the competence of the Bank of Italy.

Chapter 8 contains the rules governing the information system, which have been fully revised, also to transpose the main developments that have emerged at international level. Among other things, they set out: the governance and organisation of the information system; IT risk management; the requirements for ensuring information security and data management. The provisions also establish that the ECB Recommendations on the security of internet payments apply to the definition of security safeguards for access to critical systems and services through the internet channel.

Chapter 9 governs operational continuity, reorganising the current provisions contained in different sources.
Among the most important novelties is the formalisation of the role of CODISE, the body chaired by the Bank of Italy for coordinating the management of operational crises in the Italian financial market. In addition, a rapid escalation process for emergency incidents has been defined, to ensure that a state of crisis is declared as soon as possible after the incident is detected. The total recovery time must not exceed four hours, including the time required for the analysis, decision-making, technical intervention and verification phases.

These provisions have been subject to public consultation and to regulatory impact analysis. The report on the consultation, the impact analysis report and the comments received during the consultation are published on the Bank of Italy's website.

This update enters into force on the day of its publication on the Bank of Italy's website. Banks shall comply with the provisions of Chapter 7 (The internal control system) by 1 July 2014 (the effective date), subject to the following:
- with reference to the second-level corporate control functions (risk management and compliance), banks shall comply with the provisions of Section III, para. 1, letter b), second paragraph, second sentence ("Reporting lines of the heads of those functions") by 1 July 2015 (the effective date);
- with reference to the outsourcing of business functions (Sections IV and V), banks shall bring their outsourcing contracts outstanding at the date of entry into force of these provisions into line at the first contractual renewal date and in any case no later than three years after entry into force (1 July 2016).

Banks shall comply with the provisions of Chapter 8 (The information system), including the ECB's recommendations on the security of internet payments, by 1 February 2015 (the effective date). Banks shall bring their outsourcing contracts for the information system (Section VI) in effect at the date of entry into force of these provisions into line at the first contractual renewal date and no later than three years after entry into force (1 July 2016). Banks shall comply with the provisions of Chapter 9 (Operational continuity) by 1 July 2014 (the effective date).
By 31 December 2013, the addressees of these provisions shall send the Bank of Italy a report containing a self-assessment of their situation against the requirements of the new rules (gap analysis). The report shall also indicate the measures to be taken, and their timetable, to ensure full compliance with these provisions. By the same date, banks shall notify the Bank of Italy of the outsourcing contracts outstanding at the date of entry into force of these provisions and of their duration.

From the effective date of the rules contained in Chapters 7 (The internal control system), 8 (The information system) and 9 (Operational continuity), the following provisions are repealed:
- the internal control system and the tasks of the board of statutory auditors, contained in the "Supervisory instructions for banks", Circular No. 229 of 21 April 1999, Title IV, Chapter 11, with the exception of Section V (Issue and management of bank and postal cheques);
- operational continuity in emergency cases (Communication of July 2004, see Supervisory Bulletin No. 7 - July 2004);
- the management and control of risks. Role of the corporate bodies, contained in the "New prudential supervisory provisions for banks", Circular No. 263 of 27 December 2006, Title I, Chapter I, Part IV;
- supervisory measures - particular requirements for the operational continuity of institutions of systemic importance (Communication of March 2007, see Supervisory Bulletin No. 3 - March 2007);
- supervisory provisions - outsourcing of cash handling (Communication of 7 May 2007), limited to the aspects relating to banks and the parent companies of banking groups;
- supervisory provisions - the compliance function (Communication of July 2007, see Supervisory Bulletin No. 7 - July 2007);
- Communication of 30 December 2008 on credit rating (see Supervisory Bulletin No. 12 - December 2008), limited to the aspects relating to banks and the parent companies of banking groups.
The updated text is available on the Bank of Italy's website at: http://www.bancaditalia.it/vigilanza/banche/normativa/disposizioni/vigprud.

TITLE V
Chapter 7 THE INTERNAL CONTROL SYSTEM
Section I PRELIMINARY AND GENERAL PRINCIPLES
1. Introduction.
The internal control system is an essential element of the overall corporate governance system of banks; it ensures that business activities are in line with corporate strategies and policies and are conducted according to the principles of sound and prudent management. These provisions set out the principles and guidelines to which banks' internal control systems must conform; in this context they define the general organisational principles, identify the role and responsibilities of the corporate bodies, and outline the characteristics and tasks of the internal control functions.

This framework:
- represents the general framework for the system of corporate controls. In the area of prudential supervision it is integrated and supplemented by the specific provisions on the subject (credit risk mitigation techniques and securitisation transactions, the ICAAP process, public disclosure, risk concentration, liquidity risk management and control, covered bonds, permissible shareholdings, risk activities and conflicts of interest with related parties, etc.). In addition, banks that use, for regulatory capital purposes, internal risk measurement systems other than the basic or standardised approaches also apply the organisation and internal control rules of the respective chapters;
- forms an integral part of the set of rules on the governance and control structure of banks, such as the organisational provisions relating to: corporate governance; information and communication technology; ownership structures; requirements for corporate officers; transparency and fairness of relations between banks and customers; investment activities and services (1); the prevention of the use of intermediaries and other persons carrying out financial activities for money laundering and terrorist financing; usury.

The safeguards relating to the internal control system must cover all types of business risk. Primary responsibility rests with the corporate bodies, each within its respective powers. The division of tasks and responsibilities among the corporate bodies and functions must be clearly defined. Banks apply the principle of proportionality, that is, they take into account their size and operational complexity, the nature of the activities carried out and the type of services provided. The Bank of Italy, as part of the supervisory review and evaluation process, verifies the completeness, adequacy, functionality (in terms of efficiency and effectiveness) and reliability of banks' internal control systems.

2. Legal sources.
The matter is governed by:
- Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC;
- Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012;
- the following articles of the Consolidated Law on Banking:
  • art. 51, which provides that banks send the Bank of Italy, in the manner and within the time limits established by it, periodic reports as well as all data and documents requested;
  • art. 53, paragraph 1, letter d), which gives the Bank of Italy, in accordance with the resolutions of the CICR, the power to issue general provisions on the administrative and accounting organisation and internal controls of banks;
  • art. 67, paragraph 1, letter d), which gives the Bank of Italy, in accordance with the resolutions of the CICR, the power to issue to the parent company of a banking group provisions, concerning the group as a whole or its components, relating to the administrative and accounting organisation and internal controls;
- the CICR resolution of 2 August 1996, as amended by the resolution of 23 March 2004, concerning the administrative and accounting organisation and internal controls of banks and banking groups;
- the Decree of the Minister of Economy and Finance, as Chairman of the CICR, of 5 August 2004 concerning, among other things, the tasks and powers of the corporate bodies of banks and banking groups;
- the Decision of the ECB of 16 September 2010, No. 14, on the authenticity and fitness checking and recirculation of euro banknotes.

The following documents published by EU institutions and international bodies are also taken into account:
- EBA/CEBS: "Guidelines on the Application of the Supervisory Review Process under Pillar 2", 25 January 2006; "Guidelines on outsourcing", 14 December 2006; "Guidelines on the management of operational risks in market-related activities", 12 October 2010; "Guidelines on Internal Governance", 27 September 2011;
- Basel Committee on Banking Supervision: "Fair Value Measurement and Modelling: An assessment of challenges and lessons learned from market stress", June 2008; "Principles for enhancing corporate governance", October 2010; "The internal audit function in banks", June 2012; "Core Principles for Effective Banking Supervision", September 2012;
- Financial Stability Board: "Enhancing Market and Institutional Resilience", 7 April 2008; "Thematic Review on Risk Governance", 12 February 2013;
- European Systemic Risk Board (ESRB): "Recommendation concerning foreign currency loans (ESRB/2011/1)", 21 September 2011.

3. Definitions.
For the purposes of these provisions:
a) "body with the strategic supervision function" means the corporate body to which, pursuant to the Civil Code or the articles of association, the overall direction of the company's management is attributed, through, among other things, the examination and approval of business or financial plans or of strategic transactions;
b) "body with the management function" means the corporate body or its members to which, pursuant to the Civil Code or the articles of association, the tasks of day-to-day management belong or are delegated, understood as the implementation of the policies decided in the exercise of the strategic supervision function. The general manager is the top level of the internal structure and as such participates in the management function;
c) "body with the control function" means the board of statutory auditors, the supervisory board or the management control committee;
d) "corporate bodies" means the bodies with the strategic supervision, management and control functions taken together. The strategic supervision and management functions pertain, as a unit, to the management of the enterprise and may therefore be vested in the same corporate body. In the one-tier and two-tier systems, in accordance with the law, the body with the control function may also perform the strategic supervision function;
e) "business function": the set of tasks and responsibilities assigned for the performance of a particular phase of the business activity. Depending on the significance of that phase, the function is anchored to a specific organisational unit;
f) "anti-money laundering function": the function defined by the Bank of Italy's provisions of 10 March 2011 laying down detailed implementing rules on the organisation, procedures and internal controls for preventing the use of intermediaries and other persons carrying out financial activities for money laundering and terrorist financing, pursuant to art. 7, paragraph 2, of the Decree of 21 November 2007 No. 231, Chapter II, Section I;
g) "internal control functions": the compliance function, the risk control function (risk management function) and the internal audit function (2);
h) "control functions" means all the functions that, by law, regulation, articles of association or self-regulation, have control tasks;
i) "important operational function": an operational function for which at least one of the following conditions is met:
  • an anomaly in its execution, or its non-execution, may seriously affect: a) the financial results, the soundness and the continuity of the bank's activities; or b) the bank's ability to comply with the conditions and obligations arising from its authorisation or with its obligations under the regulatory framework;
  • it concerns activities subject to legal reserve;
  • it concerns operational processes of the internal control functions or has a significant impact on corporate risk management;
j) "risk management process" means the set of rules, procedures, resources (human, technological and organisational) and control activities aimed at identifying, measuring or assessing, monitoring, preventing or mitigating, and communicating to the appropriate hierarchical levels, all the risks assumed or assumable (3) in the various segments, at enterprise and group portfolio level, capturing, in an integrated logic, also their mutual interrelationships and developments in the external environment;
k) "risk appetite framework" - "RAF": the reference framework that defines, in line with the maximum risk that can be assumed, the business model and the strategic plan, the risk appetite, the tolerance thresholds, the risk limits, the risk management policies and the reference processes needed to define and implement them (see Annex C). The definitions of the concepts relevant for the purposes of the RAF are given below:
  • risk capacity (maximum risk that can be assumed): the highest level of risk that a bank is technically able to assume without breaching regulatory requirements or other constraints imposed by its shareholders or by the supervisory authority;
  • risk appetite (risk objective or risk appetite): the level of risk (overall and by type) that the bank intends to assume in order to pursue its strategic objectives;
  • risk tolerance (tolerance threshold): the maximum deviation from the risk appetite that is permitted; the tolerance threshold is set so as to ensure in any case that the bank has sufficient margin to operate, even under stress conditions, within the maximum risk that can be assumed. Where risk-taking beyond the risk objective set is permitted, subject to compliance with the tolerance threshold, the management actions needed to bring the risk assumed back to the objective are identified;
  • risk profile (actual risk): the risk actually assumed, measured at a given point in time;
  • risk limits (risk limits): the articulation of the risk objectives into operational limits, defined in line with the principle of proportionality, by type of risk, business unit and/or line, product line, customer type;
l) "outsourcing" means an arrangement of any form between a bank and a service provider under which the provider performs a process, a service or an activity of the bank itself.

4. Scope of application.
These provisions apply, as set out in Title I, Chapter 1, Part Two, to:
- banks authorised in Italy, with the exception of branches of non-EU banks established in Group of Ten countries or in those included in a list published by the Bank of Italy (4);
- the parent companies of banking groups;
- reference companies, in accordance with Section VI;
- branches of EU banks and branches of non-EU banks established in Group of Ten countries or in those included in a list published by the Bank of Italy, as provided for in Section VII.

5. Organisational units responsible for administrative procedures.
The organisational units responsible for the administrative procedures referred to in this Chapter, pursuant to art. 9 of the Bank of Italy Regulation of 25 June 2008, are listed below:
- prohibition of the outsourcing of important operational functions or control functions: Banking Groups Supervision Service, Specialised Intermediaries Supervision Service, the Branch competent for the territory;
- prohibition of the outsourcing of important operational functions or control functions within the group: Banking Groups Supervision Service, Specialised Intermediaries Supervision Service, the Branch competent for the territory.

6. General principles.
The internal control system is the set of rules, functions, structures, resources, processes and procedures that aim to ensure, in compliance with sound and prudent management, the achievement of the following purposes:
- verification of the implementation of corporate strategies and policies;
- containment of risk within the limits set in the framework for the determination of the bank's risk appetite (Risk Appetite Framework - "RAF") (see Annex C);
- safeguarding of the value of assets and protection against losses;
- effectiveness and efficiency of business processes;
- reliability and security of corporate information and IT procedures (5);
- prevention of the risk that the bank is involved, even unintentionally, in illegal activities (with particular reference to those related to money laundering, usury and the financing of terrorism);
- compliance of transactions with the law and supervisory rules as well as with internal policies, regulations and procedures.

The internal control system plays a central role in the bank's organisation: it is a key element of knowledge for the corporate bodies, ensuring full awareness of the situation and effective oversight of business risks and their interrelationships; it guides changes in corporate strategies and policies and allows the organisational context to be adapted consistently; it oversees the functionality of management systems and compliance with prudential supervisory rules; it promotes the spread of a proper culture of risk, legality and corporate values. For these reasons the internal control system is of strategic importance; the culture of control must have a prominent position in the scale of corporate values: it does not concern only the internal control functions, but involves the whole business organisation (corporate bodies, structures, hierarchical levels, all staff) in the development and application of logical and systematic methods for identifying, measuring, communicating and managing risks.

In order to achieve this goal, the internal control system must in general:
- ensure the completeness, adequacy, functionality (in terms of efficiency and effectiveness) and reliability of the risk management process and its consistency with the RAF;
- provide for control activities spread across every operational segment and hierarchical level (6);
- ensure that any shortcomings are promptly brought to the attention of the appropriate levels of the organisation (the corporate bodies, if material), which are able to promptly activate the appropriate corrective measures;
- incorporate specific procedures for dealing with any breaches of operational limits.

Regardless of the structures in which they are placed, the following types of control can be identified:
- line controls (so-called "first-level controls"), aimed at ensuring the proper conduct of operations. They are carried out by the operational structures themselves (e.g. hierarchical, systematic and sample controls), including through units dedicated exclusively to control tasks that report to the heads of the operational units, or are performed as part of back-office activities; as far as possible, they are incorporated into IT procedures. The operational structures are primarily responsible for the risk management process: in the course of daily operations, they must identify, measure or assess, monitor, mitigate and report the risks arising from ordinary business activities in accordance with the risk management process; they must comply with the operational limits assigned to them, consistent with the risk objectives and the procedures making up the risk management process;
- risk and compliance controls (so-called "second-level controls"), whose aim is to ensure, among other things: a) the proper implementation of the risk management process; b) compliance with the operational limits assigned to the various functions; c) the conformity of business operations with the rules, including self-regulation. The functions responsible for these controls are separate from the operational ones; they contribute to the definition of the risk management policies and of the risk management process;
- internal audit (so-called "third-level controls"), aimed at identifying breaches of procedures and rules, as well as periodically assessing the completeness, adequacy, functionality (in terms of effectiveness and efficiency) and reliability of the internal control system and of the information system (ICT audit), at predetermined intervals depending on the nature and intensity of the risks.

A prerequisite for a comprehensive and functional internal control system is the existence of an adequate business organisation, so as to ensure the sound and prudent management of banks and compliance with the provisions applicable to them. To this end, the proper functioning of corporate governance comes first, the characteristics of which must be in line with the supervisory rules on the organisation and corporate governance of banks (7). In addition, banks comply with the following general organisational principles:
- decision-making processes and the assignment of functions to staff are formalised, allow tasks and responsibilities to be identified unambiguously, and are designed to prevent conflicts of interest. In this context, the necessary separation between operational and control functions must be ensured;
- human resources management policies and procedures ensure that staff have the skills and professionalism needed to exercise the responsibilities assigned to them;
- the risk management process is effectively integrated. Parameters of integration include, by way of example: the spread of a common language in risk management at all levels of the bank; the adoption of recognition and measurement methods and tools that are consistent with each other (e.g. a single taxonomy of processes and a single risk map); the definition of risk reporting models, in order to facilitate understanding and proper evaluation, also in an integrated logic; the identification of formal moments of coordination for the planning of the respective activities; the provision of information flows on an ongoing basis between the various functions in relation to the results of their respective control activities; sharing in the identification of remedial actions;
- the processes and methodologies for the valuation of business assets, also for accounting purposes, are reliable and integrated with the risk management process. To this end: the definition and validation of valuation methodologies are entrusted to different units; valuation methodologies are robust, tested under stress scenarios and do not rely excessively on a single source of information; the valuation of a financial instrument is entrusted to a unit independent of the one that trades that instrument;
- operational and control procedures must: minimise the risk of fraud or disloyalty by employees; prevent or, where that is not possible, mitigate potential conflicts of interest; prevent involvement, even unwittingly, in money laundering, usury or terrorist financing;
- the information system complies with the provisions of Chapter 8 (The information system);
- adequate levels of operational continuity are guaranteed, in compliance with the provisions of Chapter 9 (Operational continuity).

Banks regularly verify, at least annually, the degree of adherence to the requirements for the internal control system and organisation and take appropriate measures to address any shortcomings.

Section II THE ROLE OF CORPORATE BODIES
1. Introduction.
Banks ensure the completeness, adequacy, functionality and reliability of the internal control system. In this context, they formalise the framework for the determination of risk appetite (Risk Appetite Framework - "RAF"), the risk management policies and the risk management process, ensure their application and review them periodically to ensure their effectiveness over time. Primary responsibility rests with the corporate bodies, each within its respective powers. The following paragraphs provide minimum indications on the role of each corporate body within the internal control system, in order to clarify the relevant tasks and responsibilities. These indications therefore do not affect the measures that the competent corporate bodies may take as part of their management autonomy.

2. Body with the strategic supervision function.
The body with the strategic supervision function:
- defines and approves: a) the business model, being aware of the risks to which this model exposes the bank and understanding the ways in which the risks are identified and assessed; b) the strategic guidelines, and ensures their periodic review in relation to the evolution of the business and of the external environment, in order to ensure their effectiveness over time; c) the risk objectives, the tolerance threshold (where identified) and the risk management policies; d) the guidelines of the internal control system, ensuring that it is consistent with the strategic guidelines and the risk appetite established, and that it is able to capture the evolution of the business risks and the interaction between them; e) the criteria for identifying the most significant transactions to be submitted to the prior examination of the risk control function (see Section III, para. 3.3);
- approves: a) the establishment of the internal control functions, their tasks and responsibilities, the procedures for coordination and collaboration, and the information flows between these functions and between them and the corporate bodies (see also para. 5); b) the risk management process, and assesses its compatibility with the strategic guidelines and the risk management policies; c) the policies and processes for valuing business assets, and in particular financial instruments, verifying their ongoing adequacy; it also establishes the bank's maximum exposure to financial instruments or products that are uncertain or difficult to value; d) the process for the development and validation of internal risk measurement systems not used for regulatory purposes (8) (9), and periodically assesses their proper functioning; e) the process for approving new products and services, the launch of new activities and entry into new markets; f) the bank's policy on outsourcing of business functions (see Sections IV and V); g) in order to mitigate the bank's operational and reputational risks and to encourage the spread of a culture of internal controls, a code of ethics with which the members of the corporate bodies and employees are required to comply. The code defines the principles of conduct (e.g. professional ethics and rules to be observed in dealings with customers) by which business activities must be guided;
- ensures that: a) the structure of the bank is consistent with the activities carried out and with the business model adopted, avoiding the creation of complex structures not justified by operational purposes; b) the system of internal controls and the organizational structure comply at all times with the principles set out in Section I, and that the internal control functions meet the requirements and comply with the provisions of Section III. Where shortcomings or anomalies emerge, it promotes the timely adoption of appropriate corrective measures and evaluates their effectiveness; c) the implementation of the RAF is consistent with the approved risk objectives and tolerance threshold (where identified); it periodically evaluates the adequacy and effectiveness of the RAF and the compatibility between the actual risk and the risk objectives; d) the strategic plan, the RAF, the ICAAP, the budget and the system of internal controls are consistent, also having regard to the evolution of the internal and external conditions in which the bank operates; e) the amount and allocation of the capital and liquidity held are consistent with the risk appetite, the risk management policies and the risk management process;
- where the bank operates in non-transparent jurisdictions or through particularly complex structures, evaluates the related operational risks, in particular legal, reputational and financial, identifies the safeguards to mitigate them and ensures effective control;
- at least annually, approves the programme of activities, including the audit plan prepared by the internal audit function (see Section III, para. 2), and examines the annual reports prepared by the internal control functions. It also approves the multi-year audit plan.
Finally, with regard to certain specific profiles, the body with the strategic supervision function:
- with reference to the ICAAP process, defines and approves the general lines of the process, ensures its consistency with the RAF and its timely adjustment in relation to significant changes in the strategic guidelines, the organizational structure and the operating environment; it promotes the full use of the ICAAP results in setting strategies and in making business decisions;
- with regard to credit and counterparty risk, approves the general lines of the management system for credit risk mitigation techniques, which governs the entire process of acquisition, evaluation, control and implementation of the risk mitigation tools used.
In the case of banks using internal risk measurement systems for the calculation of capital requirements, the body with the strategic supervision function also performs the following tasks:
- approves the adoption of such systems. In particular, it approves the choice of the system considered suitable and the project in which the activities relating to its preparation and implementation are planned, identifying responsibilities, defining timelines and determining the planned investments in terms of human, financial and technological resources;
- periodically verifies that the choices made maintain their validity over time, approving material changes to the system and ensuring overall oversight of its correct functioning;
- ensures, with the support of the relevant departments, the effective use of the internal systems for management purposes (use test) and their compliance with the other regulatory requirements;
- at least annually, reviews the findings provided by the validation function and adopts, having heard the opinion of the body with the control function, a formal resolution certifying compliance with the requirements for the use of the systems.

3. Body with the management function.
The body with the management function has an understanding of all the business risks, including the possible risks of malfunctioning of internal measurement systems ("model risk"), and, as part of integrated management, of their mutual interrelations and of their interaction with the evolution of the external environment. In this context, it is able to identify and assess the factors, including the complexity of the organizational structure, from which risks for the bank may arise. This body oversees the implementation of the strategic guidelines, the RAF and the risk management policies defined by the body with the strategic supervision function, and is responsible for taking all the actions necessary to ensure that the organizational structure and the internal control system adhere to the principles and requirements of Sections I and III, monitoring their compliance on an ongoing basis. In particular, the body with the management function:
- defines and oversees the implementation of the risk management process. In this context: a) establishes operating limits for the assumption of the various types of risk, consistent with the risk appetite, taking explicit account of the results of stress tests and of the evolution of the economic environment. In addition, as part of risk management, it limits reliance on external ratings, ensuring that adequate and independent internal analyses are carried out for each type of risk; b) facilitates the development and dissemination at all levels of an integrated risk culture covering the different types of risk and extended to the entire bank. In particular, training programmes are developed and implemented to raise employee awareness of responsibilities regarding risks, so that the risk management process is not confined to specialists or to the control functions; c) establishes the responsibilities of the structures and functions involved in the risk management process, so that their respective tasks are clearly assigned and potential conflicts of interest are avoided; it also ensures that the relevant activities are managed by qualified personnel with an appropriate degree of independent judgement and with the experience and knowledge appropriate to the tasks to be performed; d) examines the most significant transactions that have received a negative opinion from the risk control function and, where appropriate, authorizes them (see Section III, para. 3.3); it informs the body with the strategic supervision function and the body with the control function of these transactions;
- defines and oversees the implementation of the process (persons responsible, procedures, conditions) for approving investments in new products, the distribution of new products and services, the launch of new activities or entry into new markets. The process: a) ensures that the risks arising from the new operations are fully assessed, that such risks are consistent with the risk appetite and that the bank is able to manage them; b) defines the customer segments to which the new products or services are to be offered, in relation to their complexity and to any applicable regulatory requirements; c) makes it possible to estimate the impact of the new operations in terms of costs, revenues and resources (human, organizational and technological), as well as to assess the impact on the bank's administrative and accounting procedures; d) identifies any changes to the system of internal controls;
- defines and oversees the implementation of the bank's policy on outsourcing of business functions (see Sections IV and V);
- defines and oversees the implementation of the processes and methodologies for valuing business assets, and in particular financial instruments, and ensures their constant updating;
- defines the internal information flows aimed at ensuring that the corporate bodies and the internal control functions have full knowledge of and control over risk factors and can verify compliance with the RAF;
- within the RAF, where a tolerance threshold is defined, authorizes the exceeding of the risk appetite within the limit represented by the tolerance threshold and promptly informs the body with the strategic supervision function, identifying the management actions needed to bring the risk assumed back to the objective set;
- puts in place the initiatives and actions required to ensure on an ongoing basis the completeness, adequacy, functionality and reliability of the system of internal controls, and brings the results of the checks carried out to the attention of the body with the strategic supervision function;
- prepares and implements the necessary corrections or adjustments where shortcomings or anomalies emerge, or following the introduction of new products, activities, services or significant processes;
- ensures: a) the consistency of the risk management process with the risk appetite and the risk management policies, also having regard to the evolution of the internal and external conditions in which the bank operates; b) the adequate, timely and secure management of information for accounting, management and reporting purposes.
Finally, with regard to certain specific profiles, the body with the management function:
- with reference to the ICAAP, is responsible for implementing the process, ensuring that it is responsive to the strategic guidelines and the RAF and that it meets the following requirements: it considers all material risks; it incorporates forward-looking assessments; it uses appropriate methodologies; it is known and shared by the internal structures; it is adequately formalized and documented; it identifies the roles and responsibilities assigned to the business functions and structures; it is entrusted to competent resources, sufficient in number and placed in a hierarchical position appropriate to ensure that the planning is implemented; it is an integral part of management activity;
- with specific reference to credit and counterparty risk, in line with the strategic guidelines, approves specific guidelines aimed at ensuring the effectiveness of the management system for credit risk mitigation techniques and at ensuring compliance with the general and specific requirements for such techniques.
In the case of banks using internal risk measurement systems for the calculation of capital requirements, the body with the management function also performs the following tasks:
- is responsible for the set-up and operation of the chosen system; to accomplish this task, the members of the body possess adequate knowledge of the relevant aspects;
- gives the necessary instructions so that the chosen system is implemented in line with the strategic guidelines identified, assigning tasks and responsibilities within the various departments and ensuring the formalization and documentation of the steps of the risk management process;
- ensures that the risk measurement systems are integrated into decision-making processes and into business operations (use test);
- takes into account, in carrying out the tasks assigned to it, the observations that emerged from the validation process and from the audits conducted by the internal audit function.

4. Body with the control function.
The body with the control function is responsible for monitoring the completeness, adequacy, functionality and reliability of the internal control system and of the RAF. In this task, the body with the control function monitors compliance with the provisions of i) this Section, ii) Sections I and III, and iii) the ICAAP process. For the performance of its duties, this body has adequate information flows from the other corporate bodies and from the control functions. The body with the control function normally carries out the functions of the supervisory body, which may be established pursuant to Legislative Decree No. 231/2001 on the administrative liability of entities, overseeing the operation of and compliance with the organization and management models that the bank adopts to prevent the offences relevant for the purposes of that Decree (10). Banks may entrust these functions to a body specially set up for the purpose, where deemed necessary. Given the plurality of functions with control tasks and responsibilities within the bank, the body with the control function is required to ascertain the adequacy of all the functions involved in the control system, the proper performance of their tasks and their proper coordination, promoting action to correct any deficiencies and irregularities detected (11). In banks that adopt internal risk measurement systems for the calculation of capital requirements, the body with the control function, making use of the contribution of the corporate control functions, verifies, as part of its more general oversight of the risk management process, the completeness, adequacy, functionality and reliability of those systems and their compliance with regulatory requirements.

5. Coordination of the control functions.
The proper functioning of the internal control system is based on productive interaction, in the performance of their tasks (direction, implementation, verification, evaluation), between the corporate bodies, any committees established within them (12), the persons in charge of the statutory audit and the control functions. Legislation and self-regulatory sources also assign specific control tasks to functions other than the internal control functions, or to committees within the administrative body, whose activities must be viewed consistently within the system of internal controls. In particular:
- the supervisory body that may be established pursuant to Legislative Decree No. 231/2001;
- for banks with listed shares, the manager responsible for preparing the corporate accounting documents (Article 154-bis of the Consolidated Law on Finance), who, among other things, has the task of establishing adequate administrative and accounting procedures for the preparation of the financial statements and all other financial communications.
In addition, the Corporate Governance Code (Codice di Autodisciplina) of Borsa Italiana, to which listed banks may adhere on a voluntary basis, introduces principles and criteria relating to the internal control and risk management system, which provide, among other things, for the designation of one or more directors responsible for the internal control and risk management system and for the establishment, within the administrative body, of a control and risk committee.
To ensure proper interaction between all the functions and bodies with control tasks, avoiding overlaps or gaps, the body with the strategic supervision function approves a document, distributed to all the structures concerned, which defines the tasks and responsibilities of the various bodies and control functions, the information flows between the various functions/bodies and between them and the corporate bodies and, where the control procedures present potential areas of overlap or allow for synergies, the procedures for coordination and collaboration. For example, in the activities of the supervisory body, which generally relate to compliance with laws and regulations, close coordination with the compliance function and the internal audit function may be fruitful, both in terms of the division of activities and in terms of the sharing of information. In defining the procedures for coordination, without prejudice to the duties provided by law for the control functions, banks take care not to alter, even in substance, the primary responsibility of the corporate bodies for the internal control system.
Section III THE CORPORATE CONTROL FUNCTIONS

1. Establishment of the internal control functions.

Without prejudice to the bank's own responsibility for the choices made on the structure of internal controls, banks establish, as indicated below, the following permanent and independent corporate control functions: i) compliance with the rules (compliance); ii) risk control (risk management); iii) internal audit (internal audit). The first two functions belong to the second level of controls, the internal audit function to the third level. To ensure the independence of the internal control functions:
a) these functions have the authority, resources and skills needed to perform their tasks. The functions are allowed access to the corporate and external data needed to perform their duties properly. They may activate economic resources independently, which allows, among other things, any outsourcing of the corporate control functions. The staff are adequate in number, technical and professional skills and training, also through the introduction of continuous training programmes. In order to ensure the formation of cross-functional skills and to gain a comprehensive, integrated view of the control activities carried out by the functions, the bank formalizes and encourages staff rotation programmes, including within the internal control functions;
b) the heads of the functions:
• possess appropriate professional requirements;
• are placed in an appropriate hierarchical and functional position. In particular, the heads of the risk control function and of the compliance function are placed directly under the body with the management function or the body with the strategic supervision function; the head of the internal audit function is always placed directly under the body with the strategic supervision function;
• have no direct responsibility for the operational areas subject to their control and are not hierarchically subordinate to the managers of such areas;
• are appointed and dismissed (with reasons stated) by the body with the strategic supervision function, having heard the body with the control function (13). The head of a corporate control function may be a member of the administrative body, provided that he or she holds specific delegated powers in the field of control and does not hold other delegated powers that could impair his or her autonomy;
• report directly to the corporate bodies. In particular, the heads of the risk control function and of the compliance function have, in any case, direct access to the body with the strategic supervision function and the body with the control function and communicate with them without restrictions or intermediaries; the head of the internal audit function has direct access to the body with the control function and communicates with it without restrictions or intermediaries;
c) the staff of the internal control functions are not involved in the activities that these functions are called upon to examine. In compliance with this principle, in small banks or banks with limited operational complexity, staff responsible for tasks relating to compliance or risk control may, if not placed within the respective internal control functions, be integrated into different operational areas; in these cases, such staff report directly to the heads of the internal control functions for matters relating to those tasks;
d) the internal control functions are organizationally separate from each other. Their respective roles and responsibilities are formalized;
e) the remuneration policies for staff of the internal control functions do not compromise their objectivity and contribute to creating a system of incentives consistent with the purposes of the function (14).
Where consistent with the principle of proportionality, banks may, provided that controls on the various types of risk remain effective:
- entrust a single structure with the performance of the compliance function and the risk control function;
- outsource the performance of the corporate control functions, in accordance with the provisions on outsourcing set out in Section IV and, as regards outsourcing within banking groups, in Section V.
Given that the compliance function and the risk control function must be subject to periodic review by the internal audit function (third-level control), to ensure the impartiality of the checks the compliance and risk control functions cannot be entrusted to the internal audit function.

2. Planning and reporting of control activities.

For each corporate control function, the internal regulations indicate its responsibilities, tasks, operating procedures, information flows and the planning of control activities. Specifically:
- the compliance function and the risk control function each year submit to the corporate bodies, each according to its respective competences, a programme of activities in which the main risks to which the bank is exposed are identified and assessed and the related management interventions are planned. The planning of interventions takes into account both any deficiencies found in the controls and any new risks identified;
- the internal audit function annually presents to the corporate bodies an audit plan indicating the planned audit activities, taking into account the risks of the various activities and corporate structures; the plan contains a specific section on the auditing of the information system (ICT auditing).
At the end of the management cycle, and in any case on an annual basis, the internal control functions:
- present to the corporate bodies a report on the activities carried out, illustrating the checks performed, the results obtained and the weaknesses identified, and proposing the interventions to be adopted for their removal;
- report, each for the aspects within its competence, on the completeness, adequacy, functionality and reliability of the system of internal controls.
In any case, the internal control functions promptly inform the corporate bodies of any violations or major deficiencies detected (e.g. violations that may give rise to a high risk of legal or regulatory sanctions, major financial losses or significant impact on the financial position or balance sheet, reputational damage, or malfunctioning of critical IT procedures).

3. Specific requirements of the internal control functions.

3.1. Premise.

The following paragraphs set out, in general terms, the responsibilities and main tasks of each of the internal control functions (15). More specific indications concerning the responsibilities and tasks of these functions in relation to individual risk categories, operations or particular fields of activity are contained in the respective disciplines (see Section I, para. 1).

3.2. The compliance function (compliance).

The risk of non-compliance with the rules is the risk of incurring legal or administrative sanctions, significant financial losses or reputational damage as a result of violations of mandatory rules (laws, regulations) or self-regulatory rules (e.g. articles of association, codes of conduct, codes of self-regulation). Since the risk of non-compliance is spread across all levels of the organization, especially within the operational lines, prevention must take place first of all where the risk is generated; proper accountability of all staff is therefore necessary. The compliance function oversees, according to a risk-based approach, the management of the risk of non-compliance with regard to all business activities, verifying that the internal procedures are adequate to prevent this risk. To this end, the compliance function must have access to all the bank's activities, central and peripheral, and to any information relevant to this end, including through direct discussions with staff.
The main obligations that the compliance function is called upon to perform are:
- assisting the business structures in defining methodologies for assessing the risks of non-compliance;
- identifying suitable procedures for preventing the risks identified, with the possibility of requesting their adoption, and verifying their adequacy and correct application;
- identifying, on an ongoing basis, the rules applicable to the bank and measuring/assessing their impact on business processes and procedures;
- proposing organizational and procedural changes to ensure adequate oversight of the non-compliance risks identified;
- providing information flows to the corporate bodies and the structures involved (e.g. operational risk management and internal audit);
- verifying the effectiveness of the organizational adjustments (structures, processes, operational and commercial procedures) suggested for the prevention of the risk of non-compliance.
For the rules most relevant to the risk of non-compliance, such as those concerning the exercise of banking and intermediation activities, the management of conflicts of interest, transparency towards customers and, more generally, consumer protection rules, and for those rules for which specialized forms of oversight are not already provided within the bank, the function is directly responsible for managing the risk of non-compliance. With reference to other rules for which specific forms of specialized oversight are already provided (e.g. rules on safety at work and on personal data protection), the bank, based on an assessment of the adequacy of the specialized controls for managing the relevant non-compliance risk profiles, may graduate the tasks of the compliance function, which however remains responsible, in collaboration with the specialized functions concerned, at least for defining the methodologies for assessing non-compliance risk and for identifying the related procedures, and verifies the adequacy of the procedures for preventing the risk of non-compliance. The bank may adopt this approach also with reference to oversight of the risk of non-compliance with tax legislation (16), which requires at least: (i) the definition of procedures (17) to prevent violations or circumvention of such legislation and to mitigate the risks connected with situations that could constitute abuse of law, in order to minimize the consequences, both in terms of sanctions and reputational, arising from the incorrect application of tax legislation; (ii) the verification of the adequacy of such procedures and their suitability to actually achieve the objective of preventing the risk of non-compliance.
Without prejudice to the responsibilities of the compliance function for the tasks defined by specific rules (such as, e.g., the provisions on remuneration and incentive policies and practices, on transparency of transactions and fairness in relations between intermediaries and customers, and on risk activities and conflicts of interest with related parties), other areas of intervention are:
- involvement in the ex ante assessment of compliance with the applicable rules of all innovative projects (including the launch of new products or services) that the bank intends to undertake, as well as in the prevention and management of conflicts of interest, both between the various activities carried out by the bank and in relation to employees and corporate officers;
- advice and assistance to the bank's corporate bodies in all matters with a significant risk of non-compliance, as well as collaboration in staff training on the provisions applicable to the activities carried out, in order to spread a corporate culture founded on the principles of honesty, fairness and respect for the spirit and the letter of the rules.
From an organizational perspective, taking into account the multiple profiles required to perform these tasks, the various phases making up the activities of the compliance function may be handled by resources belonging to other organizational structures (e.g. legal, organization, operational risk management), provided that the risk management process and the operations of the function are brought back to unity by appointing a head who coordinates and oversees the various activities.

3.3. The risk control function (risk management function).

The purpose of the risk control function is to collaborate in the definition and implementation of the RAF and the related risk management policies, through an appropriate risk management process (18).
The risk control function is organized so as to achieve this goal efficiently and effectively. It may be articulated in various ways, for example by individual risk profile (credit, market, operational, model risk, etc.), provided that the bank maintains an overall view of the different risks and of their mutual interaction. Banks that adopt internal risk measurement systems, where consistent with the nature, size and complexity of the activities carried out, identify within the risk control function a unit responsible for validating these systems, independent of the unit responsible for their development. Especially in more complex banks, specific management committees may be set up for the various risk profiles (e.g. committees for credit and operational risks, liquidity committee, finance committee, asset and liability management committee), clearly defining the different responsibilities and the procedures for intervention and participation of the function, so as to guarantee its full independence from the risk-taking process; it must also be avoided that the establishment of such committees weakens the prerogatives of the risk control function. At the same time, organizational solutions should be identified that do not result in an excessive distance from the operating environment. For full awareness of the risks, there must be continuous critical interaction with the business units.
The risk control function:
- is involved in the definition of the RAF, of the risk management policies and of the various phases making up the risk management process, as well as in setting the operating limits for the assumption of the various types of risk. In this context, it has, among other things, the task of proposing the quantitative and qualitative parameters necessary for the definition of the RAF, which also refer to stress scenarios, and, in the event of changes in the bank's internal and external operating context, the adjustment of these parameters;
- verifies the adequacy of the RAF;
- verifies on an ongoing basis the adequacy of the risk management process and of the operating limits;
- without prejudice to the provisions governing the internal systems for calculating capital requirements, is responsible for developing, validating and maintaining the risk measurement and control systems, ensuring that they are subject to periodic backtesting, that an appropriate number of scenarios is analysed and that conservative assumptions are used about dependencies and correlations; in measuring risks it takes model risk into account in general, as well as the possible uncertainty in the valuation of certain types of financial instruments, and informs the body with the management function of these uncertainties;
- defines common metrics for assessing operational risks, consistent with the RAF, in coordination with the compliance function, the ICT function and the business continuity function;
- defines the methods for assessing and controlling reputational risk, in coordination with the compliance function and the business functions most exposed to it;
- assists the corporate bodies in assessing strategic risk by monitoring the significant variables;
- ensures that the risk measurement and control systems are consistent with the processes and methods for valuing the business activities, in coordination with the relevant company structures;
- develops and applies indicators that highlight anomalous situations and inefficiencies in the risk measurement and control systems;
- analyses the risks of new products and services and those arising from entry into new business and market segments;
- gives prior opinions on the consistency with the RAF of the most significant transactions, obtaining, depending on the nature of the transaction, the opinion of other functions involved in the risk management process;
- continuously monitors the actual risk assumed by the bank and its consistency with the risk objectives, as well as compliance with the operating limits assigned to the operating units in relation to the assumption of the various types of risk;
- verifies the correct performance of the monitoring of individual credit exposures (cf. Annex A, para. 2);
- verifies the adequacy and effectiveness of the measures taken to remedy any deficiencies found in the risk management process.

3.4. The internal audit function (internal audit).

The internal audit function is charged, on the one hand, with controlling, through third-level controls, including on-site checks, the regular conduct of operations and the evolution of risks and, on the other hand, with assessing the completeness, adequacy, functionality and reliability of the organisational structure and of the other components of the internal control system, bringing possible improvements to the attention of the corporate bodies, with particular reference to the RAF, the risk management process and the instruments for measuring and controlling risks. On the basis of the results of its controls it makes recommendations to the corporate bodies.

In this context, in line with the audit plan, the internal audit function:
- assesses the completeness, adequacy, functionality and reliability of the other components of the internal control system, of the risk management process and of the other business processes, having regard also to their ability to identify errors and irregularities. In this context it also subjects, among other things, the risk control function and the compliance function to verification;
- assesses the effectiveness of the process for defining the RAF, the internal consistency of the overall framework and the conformity of the bank's operations with the RAF and, in the case of particularly complex financial structures, their conformity with the strategies approved by the corporate bodies;
- verifies, including through on-site inspections:
a) the regularity of the various business activities, including those outsourced, and the evolution of risks, both at the bank's head office and at its branches.
The frequency of inspections is consistent with the activities carried out and with the risk appetite; random, unannounced inspections are nonetheless also conducted;
b) the monitoring of compliance with the rules in the activities carried out at all levels of the company;
c) compliance, in the various operating segments, with the limits set by the delegation mechanisms, and the full and correct use of the information available in the various activities;
d) the effectiveness of the risk control function's power to give prior opinions on the consistency with the RAF of the most significant transactions;
e) the adequacy and proper functioning of the processes and methods for valuing business activities and, in particular, financial instruments;
f) the adequacy, reliability and security of the entire information system (ICT audit);
g) the removal of the irregularities found in operations and in the functioning of the controls (follow-up activity);
- performs periodic tests on the functioning of the operating and internal control procedures;
- carries out assessment tasks also with regard to specific irregularities;
- regularly monitors the business continuity plan. In this context it takes note of the testing programmes, attends the tests and verifies their results, and proposes changes to the plan on the basis of the deficiencies identified. The internal audit function also monitors the business continuity plans of service providers and critical suppliers; it may decide to rely on the latter's own structures, if these are deemed professional and independent, for the results of the checks, and it reviews the contracts to ensure that the level of protection is adequate to the objectives and standards of the company;
- where, in the context of cooperation and exchange of information with the entity in charge of the statutory audit, it becomes aware of critical issues that emerged in the course of the statutory audit, it takes steps to ensure that the competent company functions adopt the measures needed to overcome those issues.
With specific reference to the risk management process, the internal audit function also assesses:
- the organisation, powers and responsibilities of the risk control function, including with regard to the quality and adequacy of the resources allocated to it;
- the appropriateness of the assumptions used in sensitivity and scenario analyses and in stress tests;
- alignment with the best practices adopted in the sector.

In carrying out its tasks, the internal audit function takes into account widely accepted professional standards. The organisation of the internal audit function is consistent with the structure and degree of complexity of the bank. Without prejudice to the fact that the function must report directly to the body with the strategic supervision function, the links with the body with the management function are nonetheless preserved. Regardless of the organisational choices made, and provided that the recipients of the audit function's communications are the corporate bodies and the units under control, the internal regulations expressly provide for the internal audit function's power to communicate the results of its assessments and evaluations directly to the corporate bodies. The results of investigations that end with negative judgements or that highlight major shortcomings are transmitted in full, promptly and directly to the corporate bodies. To properly perform its duties, the internal audit function has access to all of the bank's activities, including those outsourced, whether carried out at the central offices or at the peripheral structures. Where activities relevant to the functioning of the internal control system (e.g. data processing) are assigned to third parties, the internal audit function must also have access to the activities carried out by those entities.

3.5. Relations between the corporate control functions and the other corporate functions.
Without prejudice to their mutual independence and respective roles, the corporate control functions collaborate with one another and with the other corporate functions (e.g. the legal, organisation and security functions) in order to develop their own control methods in a manner consistent with the bank's strategies and operations. Given the strong links between the various corporate control functions, especially between compliance, operational risk control and internal audit activities, the tasks and responsibilities of the various functions must be communicated within the organisation, particularly as regards the division of responsibilities for measuring risk, for advising on the adequacy of control procedures and for verifying those procedures.
Specific attention is paid to the articulation of information flows between the corporate control functions; in particular, the heads of the risk control function and of the compliance function inform the head of the internal audit function of the critical issues detected in their own control activities that may be of interest for the audit activities. The head of the internal audit function informs the heads of the other control functions of any inefficiencies, weaknesses or irregularities that emerged in the course of the verification activities within its own competence and that concern the specific areas or subjects within the competence of those functions.

Section IV OUTSOURCING OF CORPORATE FUNCTIONS (OUTSOURCING) OUTSIDE THE BANKING GROUP

1. General principles and requirements.

Banks that outsource corporate functions manage the risks arising from the choices made and retain the capacity to control, and the responsibility for, the outsourced activities, as well as the technical and management skills essential to re-internalise them if necessary. The decision to outsource the performance of certain corporate functions (including those that are not important) is consistent with the bank's outsourcing policy.
In line with the principle of proportionality, the policy defines at least:
- the decision-making process for outsourcing corporate functions (decision-making levels involved; assessment of the risks, including those associated with potential conflicts of interest of the service provider, and of the impact on business operations; impact assessment in terms of business continuity; criteria for selecting and performing due diligence on the service provider);
- the minimum content of outsourcing contracts and the expected service levels for the outsourced activities;
- the methods of controlling the outsourced functions, on an ongoing basis and with the involvement of the internal audit function;
- the internal information flows aimed at ensuring that the corporate bodies and the corporate control functions have full knowledge of, and can govern, the risk factors related to the outsourced functions;
- the business continuity plans (contractual terms, operational plans, etc.) in the event of inadequate performance of the outsourced functions by the service provider.

Through outsourcing, the bank may not:
- delegate its own responsibility, or the responsibility of the corporate bodies. In line with this principle, for example, outsourcing is not permitted for activities that fall within the tasks of the corporate bodies (see Section II) or that concern crucial aspects of the lending process (e.g. the process of assessing creditworthiness and monitoring credit relationships); the outsourcing of corporate control functions is permitted within the limits and under the conditions set out in par. 2;
- alter its relationship with, and obligations towards, its customers;
- jeopardise its ability to meet its obligations under the regulatory provisions, or have the effect of violating the activities reserved by law;
- impair the quality of the internal control system;
- hinder supervision.
Without prejudice to the need to ensure, for each type of outsourcing, the proper performance of the outsourced activity by the supplier, the proper functioning of the internal control system and the continuous monitoring of the activities carried out by the service provider, banks that intend to outsource important operational functions ensure that the following conditions are met:
- the written agreement between the bank and the service provider formalises and clearly defines:
a) the respective rights and obligations; the expected service levels, expressed in objective and measurable terms, as well as the information needed to verify compliance with them; any conflicts of interest and the appropriate safeguards to prevent or, where that is not possible, mitigate them; the conditions upon whose occurrence changes may be made to the agreement; the duration and the renewal arrangements, as well as the reciprocal commitments associated with the termination of the relationship;
b) the service levels in the event of an emergency and the continuity solutions, compatible with business needs and consistent with the supervisory authority's requirements. The agreement also sets out the arrangements for participation, directly or through user committees, in the testing of the supplier's business continuity plans. It also provides termination clauses that allow the bank to terminate the outsourcing arrangement in the presence of events that could compromise the service provider's ability to guarantee the service, or in the event of failure to comply with the agreed service levels;
- the service provider:
a) has the expertise, capacity and authorisations required by law to perform the outsourced functions in a professional and reliable manner;
b) informs the bank of any event that could affect its ability to carry out the outsourced functions effectively and in compliance with current legislation; in particular, it promptly notifies the occurrence of security incidents, also in order to allow the timely activation of the corresponding management or emergency procedures;
c) ensures the security of the information relating to the bank's activities, in terms of availability, integrity and confidentiality; in this area it ensures compliance with the rules on personal data protection;
- the bank:
a) retains the expertise needed to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, including those arising from potential conflicts of interest of the service provider; in this context it identifies, within its own organisation, a person responsible for controlling each outsourced function, with adequate professional requirements (the "contact person for outsourced activities");
b) acquires the service provider's business continuity plans, or has adequate information for assessing the quality of the measures adopted and for integrating them with the continuity solutions set up internally;
- the bank, the entities in charge of its statutory audit and the supervisory authorities have effective access to the data relating to the outsourced activities and to the premises in which the service provider operates. The supervisory authority's right of access must be expressly provided for in the contract, at no additional cost to the intermediary;
- sub-outsourcing (i.e. the possibility for the service provider to outsource in turn part of the activities covered by the outsourcing contract) must not jeopardise compliance with the principles and conditions for outsourcing set out in this framework; to this end, the contract with the service provider provides that any sub-outsourcing relationships are agreed in advance with the bank and are defined so as to allow full compliance with all the conditions listed above in relation to the main contract, including the possibility for the supervisory authority to have access to the data relating to the outsourced activities and to the premises in which the sub-service provider operates.

2. Outsourcing of corporate control functions.

The outsourcing of corporate control functions to third parties (19) with the appropriate requirements of professionalism and independence is permitted, as a rule, only for banks classified, for SREP purposes, in macro-category 4 (20). In addition to the provisions of par. 1 and of Section III, banks that intend to outsource, in whole or in part, the corporate control functions define in the outsourcing agreement:
- the objectives, methodology and frequency of the controls;
- the methods and frequency of the reporting due to the contact person for the outsourced activity and to the corporate bodies.
The obligation to respond promptly to any request for information and advice from the latter remains in place; they in any case remain responsible for the proper performance of the outsourced control activities;
- the confidentiality of the information acquired in the exercise of the function;
- the links with the activities carried out by the body with the control function;
- the possibility to request specific control activities when unexpected needs arise;
- the bank's exclusive ownership of the results of the controls.
In line with the provisions of par. 1, the bank appoints specific contact persons for each of the outsourced corporate control functions. The provisions of Section III, par. 1, letter b) apply to the contact persons for the outsourced corporate control functions. A single contact person may be appointed for the outsourced corporate control functions of the same level. The service provider to which the bank intends to outsource corporate control functions meets the following conditions (21):
- it is independent of the bank by which it is appointed;
- it does not hold, for the same bank or banking group, assignments relating to both second-level and third-level corporate control functions;
- it does not simultaneously hold, for the same bank or banking group, assignments relating to corporate control functions and to activities that it would be required to check in its capacity as service provider;
- it does not carry out the statutory audit of the accounts of the outsourcing bank or of other companies of the group.

Subject to the same conditions, banks may also, where in line with the principle of proportionality, outsource specific controls that require specialised professional knowledge in operational areas of small size and/or risk.

3. Communications to the Bank of Italy.

Banks that intend to outsource, in whole or in part, the performance of important operational functions or control functions give prior notification to the Bank of Italy. The notification, which provides all the information necessary to verify compliance with the criteria set out in this Section, is made at least 60 days before the assignment is conferred and indicates the specific business needs that determined the choice. Within 60 days of receiving the notification, the Bank of Italy may initiate an administrative procedure for prohibiting the outsourcing, which is completed within 60 days.
By 30 April of each year, banks send to the Bank of Italy a report, prepared by the internal audit function (or, if that function is outsourced, by the company contact person), with the considerations of the body with the control function, and approved by the body with the strategic supervision function, on the checks carried out on the outsourced important operational functions or control functions, the shortcomings found and the corrective actions taken.

4. Outsourcing of cash handling.

Without prejudice to the application of the provisions of this Section on the outsourcing of important operational functions, and in order to minimise the operational (in particular legal) and reputational risks associated with the possible delivery to customers of banknotes that are counterfeit or of a quality that makes them unfit for circulation, banks that outsource cash handling activities take specific precautions in managing their relations with the parties to which the activity is outsourced, both when choosing the contractor, a choice that must be based on an assessment of its full reliability, the correctness of its management and its organisational structures and processes, and in carrying out effective subsequent checks, on an ongoing basis, to verify the smooth and orderly conduct of the activity in full compliance with current rules. In particular, the corporate control functions carry out, each for the profiles within its competence, a specific assessment of the procedures for establishing and managing relations with the parties to which cash handling activities are outsourced, as well as of the overall structure of the controls on the outsourced activities. In addition, these functions ensure compliance with the obligations under the Decision of the European Central Bank of 16 September 2010, n. 14, concerning the authenticity and fitness checking and recirculation of euro banknotes.
A bank that intends to outsource cash handling activities concludes with the service provider a contract, in writing, that, in addition to meeting the requirements set out in the previous paragraph, provides for:
- the obligation to comply with the Community provisions referred to above, concerning in particular: (i) the exclusive use of equipment compliant with those provisions; (ii) the equipment verification procedures; (iii) the monitoring activities that may be conducted by the Bank of Italy;
- the possibility for the bank to verify the performance of the service provided and to adopt any corrective measures;
- the bank's right to withdraw, without penalty, if the other party breaches its contractual obligations and does not remedy the breach within the period specified in the contract.

Section V THE RAF, THE INTERNAL CONTROL SYSTEM AND OUTSOURCING IN BANKING GROUPS

1. The RAF of banking groups.

The parent company defines and approves the group RAF in accordance with the instructions contained in Annex C, mutatis mutandis, ensuring that the RAF itself is consistent with the operations, complexity and size of the group. The group RAF takes into account the specific operations and related risk profiles of each of the companies belonging to the group, so as to be integrated and coherent. To achieve this objective, the parent company's corporate bodies must carry out their tasks with reference not only to the parent company's own business but also by assessing the operations of the entire group and the risks to which it is exposed. The corporate bodies of the companies belonging to the group, according to their respective responsibilities, act in line with the group RAF and are responsible for its implementation with regard to matters relating to their own business. To this end, the parent company must inform, in the manner it deems most appropriate, the corporate bodies of the subsidiaries of the choices made regarding the RAF.

2. Group internal controls.

The parent company, within the framework of its management and coordination activities, exercises over the group:
a) strategic control over the various areas of activity in which the group operates and over the risks incumbent on the activities carried out.
This is a control over the performance both of the activities carried out by the companies belonging to the group (endogenous growth or reduction) and of the acquisition and divestment policies adopted by the group companies (exogenous growth or reduction);
b) management control aimed at ensuring that conditions of economic, financial and capital equilibrium are maintained, both for the individual companies and for the group as a whole. These control requirements should preferably be met through the preparation of plans, programmes and budgets (at company and group level) and through the analysis of interim reports, infra-annual accounts, the annual financial statements of the individual companies and the consolidated financial statements; this applies to homogeneous sectors of activity and with reference to the group as a whole;
c) technical-operational control aimed at assessing the different risk profiles brought to the group by the individual subsidiaries and the overall risks of the group.

A parent company that exercises its management and coordination activities in violation of the principles of proper corporate and entrepreneurial management is liable under Articles 2497 et seq. of the Civil Code. The parent company equips the group with a unitary internal control system that allows effective monitoring both of the strategic choices of the group as a whole and of the balanced management of the individual components. To define the banking group's internal control system, the parent company applies, mutatis mutandis, the provisions laid down in the previous sections.
At group level, taking into account the provisions relating to the organisation and control of entities other than banks, the following must also be established and defined:
- formalised procedures for coordination and linkage between the companies belonging to the group and the parent company for all areas of activity;
- the tasks and responsibilities of the bodies and control functions within the group, the coordination procedures, the official organisation chart, information flows and links; for these purposes, the body with the strategic supervision function of the parent company approves a specific document on the coordination of controls within the group. The report that the parent company's corporate control functions must submit to the corporate bodies (see Section III, par. 2) illustrates the controls carried out, their results and the weaknesses found, with reference not only to the parent company itself but also to the banking group as a whole, and proposes the actions to be taken to remedy the shortcomings;
- mechanisms for integrating information systems and data management processes (especially for companies belonging to the group that are incorporated in countries adopting different accounting or reporting schemes and criteria), also in order to ensure the reliability of consolidated surveys;
- periodic information flows that enable the effective exercise of the various forms of control over all members of the group;
- procedures that provide, at a centralised level, an effective unified process for managing the risks of the consolidated group. In particular, there must be a single register, or several easily linked registers, at the various group companies, in order to identify uniquely, across the various entities, individual customers and counterparties, groups of connected customers and related parties, and to correctly detect, at consolidated level, their overall exposure to the different risks;
- systems to track financial flows, credit relationships (in particular the granting of guarantees) and other relations between the entities belonging to the group;
- controls on the achievement of the security and business continuity objectives defined for the entire group and for the individual components.

The body with the control function of the parent company also supervises the proper exercise of the control activities carried out by the parent company over the group companies. The parent company formalises, and makes known to all the group companies, the criteria governing the different stages of the risk management process. It also validates the risk management processes within the group. With particular regard to credit risk, the parent company establishes the criteria for assessing positions and creates a common information base that allows all the companies belonging to the group to know the exposure of customers towards the group as well as the group's findings concerning the positions of borrowers.
Finally, the parent company decides on the adoption of internal risk measurement systems for determining capital requirements and establishes their essential characteristics, assuming responsibility for the project as well as for overseeing the proper functioning of such systems and their constant adaptation from a methodological, organisational and procedural standpoint. Each company of the group is equipped with an internal control system consistent with the group's strategy and policy on controls, without prejudice to compliance with any legislation applicable on an individual basis. In the case of foreign subsidiaries, the parent company must, in accordance with local constraints, take all steps to ensure control standards and safeguards comparable to those provided for by the Italian supervisory provisions, even where the legislation of the countries in which the subsidiaries are located does not provide for similar levels of attention. To verify that the conduct of the group companies complies with the parent company's guidance, as well as the effectiveness of the internal control system, the parent company takes steps to ensure that, within the limits of its competence, the internal audit function periodically carries out on-site checks on a consolidated basis on the group companies, having regard to the importance of the different types of risk assumed by the different entities.

3. Outsourcing of corporate functions within the banking group.

The parent company defines the outsourcing policy within the banking group.
The policy establishes at least:
- the decision-making process for outsourcing corporate functions at the parent company and at the other members of the group;
- the mechanisms adopted to ensure adequate protection of the interests of any minority shareholders;
- the criteria for identifying the service provider within the group, and the obligations of that entity; in particular, with reference to important operational functions, the service provider:
a) has the expertise, capacity and authorisations required by law to perform the outsourced functions in a professional and reliable manner;
b) informs the parent company and the outsourcing bank of any event that could affect its ability to carry out the outsourced functions effectively and in compliance with current legislation;
c) promptly notifies the occurrence of security incidents, also in order to allow the timely activation of the corresponding management or emergency procedures;
d) ensures the security of the information relating to the outsourcing bank's activities, in terms of availability, integrity and confidentiality; in this area it ensures compliance with the rules on personal data protection;
- the minimum content of outsourcing contracts and the expected service levels for the outsourced activities;
- the service levels in the event of an emergency and the continuity solutions, compatible with business needs and consistent with the supervisory authority's requirements;
- the information flows aimed at ensuring that the corporate bodies of the parent company and of the outsourcing bank, and the corporate control functions of those entities, have full knowledge of, and can govern, the risk factors related to the outsourced functions.

A bank belonging to a banking group, without prejudice to its responsibility for the outsourced activities, may derogate from the provisions on outsourcing set out in Section IV if it complies with the group's outsourcing policy. Through outsourcing, the bank may not:
- delegate its own responsibility, or the responsibility of the corporate bodies. In line with this principle, for example, outsourcing is not permitted for activities that fall within the tasks of the corporate bodies (see Section II);
- alter its relationship with, and obligations towards, its customers;
- jeopardise its ability to meet its obligations under the regulatory provisions, or have the effect of violating the activities reserved by law;
- impair the quality of the internal control system, taking into account the overall structure of controls in the group to which it belongs;
- hinder supervision.

3.1. Outsourcing of corporate control functions within the group.

Without prejudice to par. 3, and in order to ensure the effectiveness and integration of controls, the outsourcing of corporate control functions to the parent company or to other members of the group is permitted, regardless of the size and operational complexity of the bank, provided that the following criteria are met:
- the costs, benefits and risks underlying the solution adopted are assessed and documented from a group perspective; this analysis must be periodically updated;
- the corporate bodies of the group members are aware of the choices made by the parent company and are responsible, each within its competence, for implementing, within their respective businesses, the strategies and policies on controls, fostering the integration of controls within the group;
- within the banks of the group and the other entities which, in the parent company's opinion, bear risks relevant to the group as a whole, specific contact persons are appointed who: i) carry out support tasks for the outsourced corporate control function; ii) report to the outsourced corporate control function; iii) promptly report events or situations that could alter the risks generated by the subsidiary (22). The provisions of Section III, par. 1, letter b) apply to these contact persons. A single contact person may be appointed for the outsourced corporate control functions of the same level.

4. Information to the Bank of Italy.

Banks that intend to outsource, in whole or in part, the performance of important operational functions or control functions within their group give prior notification to the Bank of Italy through the parent company. The notification, which provides all the information necessary to verify compliance with the criteria set out in this Section, is made at least 60 days before the assignment is conferred and indicates the specific business needs that determined the choice. Within 60 days of receiving the notification, the Bank of Italy may initiate an administrative procedure for prohibiting the outsourcing, which is completed within 60 days.
The parent company, on the basis of the reports of the corporate control functions (see Section III, par. 2, and par. 2 of this Section), sends the Bank of Italy annually a report on the checks carried out on the subsidiary companies and their results, the weaknesses detected in relation both to the banking group as a whole and to the individual entities, and a description of the measures to be taken to remedy the deficiencies detected.

Section VI REFERENCE COMPANIES

The reference companies are responsible for calculating capital requirements and for compliance with the prudential rules applicable on a consolidated basis (23); for these purposes, the internal control system as a whole ensures the correctness, adequacy and timeliness of the information flows with the other banking, financial and instrumental companies controlled by the EU parent financial holding company that are needed to meet the obligations imposed by the prudential rules.

Section VII BRANCHES OF EU BANKS AND OF NON-EU BANKS ESTABLISHED IN THE COUNTRIES OF THE GROUP OF TEN OR IN THOSE INCLUDED IN A LIST PUBLISHED BY THE BANK OF ITALY

In the case of branches of EU banks and of branches of non-EU banks established in the countries of the Group of Ten or in those included in a list published and periodically updated by the Bank of Italy, the legal representative certifies annually that a verification of the conformity of corporate conduct with the Italian rules applicable to the branch has been carried out, and reports briefly to the Bank of Italy on the outcome of that verification (24). To this end, the bank verifies that the internal procedures adopted by the branch are proportionate to the objective of preventing violations of the Italian rules applicable to the branch.
In the case of branches of non-EU banks established in the Group of Ten countries or in those included in a list published and periodically updated by the Bank of Italy, the legal representative also certifies that the completeness, adequacy, functionality and reliability of the internal control system have been verified through an internal review process.

Section VIII INFORMATION TO THE BANK OF ITALY
Banks promptly inform the Bank of Italy of the appointment and removal of those responsible for the corporate control functions. In the case of banking groups, this communication is made by the parent company. Banks not belonging to banking groups also forward to the Bank of Italy:
- promptly, the reports on the activity carried out, drawn up annually by the risk control function, the compliance function and the internal audit function (see Section III, par. 2). If one or more of these functions are outsourced, the report is prepared by the company's contact person;
- by 30 April of each year, a report drawn up by the internal audit function (or, if outsourced, by the company's contact person), with the observations of the body with the control function and approved by the body with the strategic supervision function, on the checks carried out on the important operational functions that have been outsourced, the deficiencies found and the resulting corrective actions taken (see Section IV, par. 3);
- where the relevant conditions apply, the report referred to in paragraph 2.1 of Annex A.
Banks not belonging to groups that wish to outsource, in whole or in part, the performance of important operational functions or control functions give prior notice to the Bank of Italy (see Section IV, par. 3). In the case of banking groups, the parent company coordinates and submits to the Bank of Italy, for all the banks in the group, the same documentation required of banks not belonging to banking groups, with the exception of the reports of the corporate control functions of the subsidiary companies (Section III, par. 2).
In place of these, the parent company sends the Bank of Italy each year the report referred to in Section V, par. 4 on the checks carried out on the subsidiary companies and their results, the weaknesses detected in relation to both the banking group as a whole and the individual entities, and a description of the measures to be taken to remedy the deficiencies found.
The parent company gives prior notice to the Bank of Italy of the intention of the group's banks to outsource, in whole or in part, the performance of important operational functions or control functions within the banking group (see Section V, par. 4). In the case of branches of EU banks and of non-EU banks established in the countries of the Group of Ten or in those included in a list published and periodically updated by the Bank of Italy, the legal representative certifies annually that a verification of the conformity of corporate conduct with the Italian rules applicable to the branch has been carried out, and reports briefly to the Bank of Italy on the outcome of that verification (see Section VII). In the case of branches of non-EU banks established in the Group of Ten countries or in those included in a list published and periodically updated by the Bank of Italy, the legal representative also certifies that the completeness, adequacy, functionality and reliability of the internal control system have been verified through an internal review process (see Section VII). Branches of non-EU banks not established in the Group of Ten countries or in those included in a list published and periodically updated by the Bank of Italy identify a contact person for each corporate control function of the branch. The names of the contact persons and any changes are communicated to the Bank of Italy.

Annex A SPECIAL PROVISIONS RELATING TO CERTAIN CATEGORIES OF RISK
1. Introduction. This Annex sets out special provisions on internal controls, applicable to banks and banking groups in general, in relation to specific risk categories.
Where the bank uses internal risk measurement systems to determine capital requirements (credit, counterparty, market and operational risk), these indications must be integrated with the organizational principles laid down by the respective disciplines, which are among the conditions for the recognition of such systems for prudential purposes.

2. Credit risk and counterparty risk. The entire credit and counterparty risk management process (risk measurement, preliminary assessment, granting, performance control and monitoring of exposures, review of credit lines, classification of risk positions, intervention in case of anomalies, criteria for the classification, assessment and management of impaired loans) must be governed by internal rules and periodically tested. In defining the criteria for granting credit, the internal rules ensure that the diversification of the various portfolios exposed to credit risk is consistent with the bank's market objectives and overall strategy. Correct measurement of credit risk requires that banks be aware at all times of their exposure to each customer and to each group of connected customers (taking into account both legal connections and economic and financial ones). To this end, it is indispensable to have complete and up-to-date databases, an information system that allows their use for the required purposes, and a customer register through which to generate and update, at the individual level and, in the case of a banking group, at the consolidated level, the identification data of customers, the legal, economic and financial connections between different customers, the technical forms giving rise to the exposure and the updated value of risk mitigation techniques. The correct collection and management of all the necessary information is particularly important in the procedures for taking on large exposures. To this end, banks are required to comply with the provisions laid down in Title V, Chapter 1, Section V.
At the preliminary assessment stage, banks acquire all the documentation necessary for an adequate assessment of the borrower's creditworthiness, in terms of both balance sheet and earnings, and for a correct remuneration of the risk taken. The documentation must allow assessment of the consistency between the amount and type of the loan and the project financed; it must also allow identification of the characteristics and quality of the borrower, particularly in light of all the relationships in place. In the case of loans to companies, the financial statements (individual and, if available, consolidated) are acquired, together with the information that can be inferred from the Central Balance Sheet Office and other meaningful and relevant information, including qualitative information (validity of the business project, ownership structure, examination of the situation of the economic sector, the situation of the supply and sales markets, etc.), in order to assess the current and future situation of the company. The procedures for processing this information must provide detailed indications on the level of reliability of the customer (e.g., through credit scoring and/or rating systems). Where the borrower is part of a group, the assessment also takes into account the situation and prospects of the group as a whole. In order to know how the banking system assesses borrowers, banks use the information provided by the Central Credit Register, including in the subsequent phase of performance control and monitoring of exposures. The powers to grant credit must result from a specific resolution of the body with the strategic supervision function and must be commensurate with the size characteristics of the bank. Where "cascading limits" are set (that is, when the delegate in turn sub-delegates within the limits attributed to him), the resulting grid of limits must be documented. The delegating party must also be periodically informed of the exercise of the delegated powers, in order to carry out the necessary checks.
Performance control and monitoring of individual exposures must be carried out systematically, using effective procedures to promptly report the occurrence of anomalies and to ensure the adequacy of value adjustments and write-offs. The criteria for the classification, valuation and management of impaired loans (25), as well as the units responsible for them, must be defined by resolution of the body with the strategic supervision function, also indicating the methods of connection between these policies and those envisaged for supervisory reporting. Departures from the pre-established criteria are permitted only in predetermined cases and following strengthened procedures, involving the body with the management function. Procedures must also be established to examine in detail the actions to be taken in the presence of deteriorating risk positions. In particular, the determination of the recovery value of non-performing loans takes into account the following factors: i) the type of enforcement proceedings initiated and the outcome of the steps already completed; ii) the readily realizable value of collateral (for real estate, calculating a haircut according to how recent the appraisal is and the market context; for financial assets, haircuts consistent with the nature of the product and the market situation); iii) the criteria for estimating the recovery period and the discount rates applied to expected cash flows. The above guidance is regularly updated according to developments in the reference framework.
Verification of the correct performance of the monitoring of individual exposures, particularly impaired ones, and assessment of the consistency of classifications, the adequacy of provisions and the adequacy of the recovery process are carried out, at central and peripheral level, by the risk control function or, for banks of greater size and operational complexity, by specific units reporting to the head of the risk control function. These units verify, among other things, the work of the operational and credit recovery units, ensuring the correct classification of impaired loans and the adequacy of the related degree of non-recoverability (26). In the case of divergent assessments, the findings of the risk control function prevail.
The internal audit function carries out periodic checks on the reliability and effectiveness of the overall process. The governing bodies, within their respective competences, are kept constantly informed of the results of the application of the criteria and procedures identified and assess the need to adopt measures to improve them. The internal control system must also ensure that the entire risk management process covers the exposure to credit risk arising from operations other than typical lending activities, consisting of financial and credit derivatives, SFTs ("securities financing transactions") and long-settlement transactions, as defined in the rules on the prudential treatment of counterparty risk. To this end, banks are also required to comply with the organizational requirements for operating in credit derivatives (27). Where they take part in bilateral or multilateral netting agreements, measuring counterparty risk exposure on a net rather than gross basis, banks ensure that the agreements have a sound legal basis. Where they also wish to recognize the risk-reducing effect of such agreements for prudential purposes, they must comply with the criteria prescribed by the regulations (see Title II, Chapter 3, Section II, par. 10). The need to ensure appropriate safeguards is no less where credit is granted in the form of the issue of guarantees, since signature lending exposes the bank to the risk of having to intervene later with a cash disbursement, consequently activating recovery actions. This is particularly so when the issue of guarantees constitutes the exclusive or main activity of the bank.
The organizational safeguards must therefore also ensure:
- in-depth knowledge, from the start of the relationship and for its entire duration, of the ability of the guaranteed party to fulfil its obligations (including those still to be incurred);
- constant monitoring of the commitments undertaken, with reference to both their volume and their degree of risk, especially in situations of high turnover of guarantees issued.
Particular attention must also be paid to the drafting of contracts, in order to prevent or minimize disputes regarding both the calling of guarantees issued and any subsequent recourse actions against the guaranteed party. Banks refrain from entering into agreements on guarantees to be issued before all the essential elements of the relationship have been determined (in particular: details of the beneficiary, the performance owed by the guaranteed party, the amount and duration of the guarantee, the means of release from the guarantee obligation or its renewal). In order to ensure the monitoring of exposure, also for compliance with prudential requirements where there is a high turnover of guarantees, the corporate accounting system must make it possible to reconstruct the time sequence of transactions.

2.1. Assessment of creditworthiness. The provisions on the determination of capital requirements for credit risk under the standardized approach provide for the application of different risk weights depending on the credit assessments issued by ECAIs. The recognition of an ECAI, carried out by the Bank of Italy under the procedure laid down in Title II, Chapter 1, Part I, Section VIII, does not imply an assessment of the validity of the ratings assigned or of the methodologies used, for which the ECAIs are solely responsible; it is intended to allow banks to use external ratings for the calculation of capital requirements.
The use of external ratings does not exhaust the creditworthiness assessment that banks must carry out on the customers they finance; it represents only one of the elements that can contribute to defining the information framework on the customer's credit quality. Banks therefore have in place internal methods that allow the assessment of credit risk arising from exposures to individual borrowers, securities and securitization positions, as well as credit risk at the portfolio level (28). These methods must not rely mechanically on the assessments made by ECAIs.
The creditworthiness assessment carried out by the bank, based on the results of the preliminary investigation and its internal methodologies, may differ from that of the ECAIs. Frequent differences in credit assessments may indicate incompleteness or inaccuracy of the external agency's assessment system and provide useful information for the periodic evaluation that the Bank of Italy carries out on whether the conditions for the recognition of ECAIs continue to be met. Banks, in addition to analyzing the quality of individual borrowers as part of the risk management process, are required to carry out, at least annually, a specific assessment of the overall consistency of ECAI ratings with the ratings developed internally. The results are formalized in a document approved by the body with the management function and brought to the attention of the body with the strategic supervision function and the body with the control function. Where the examination reveals frequent and significant misalignments between internal and external assessments, a copy of the report is transmitted to the Bank of Italy.

3. Risks arising from the use of credit risk mitigation techniques. Specific organizational requirements for the management of risks arising from the use of credit risk mitigation techniques are contained in Title II, Chapter 2, Part I, Section II.

4. Concentration risk. Specific organizational rules on large exposures are contained in Title V, Chapter 1, Section V.
In addition, the internal control system ensures the management and control, including through specific corporate policies and procedures, of concentration risk arising from exposures to customers, including central counterparties, groups of connected customers, customers operating in the same economic sector, in the same geographic region or carrying on the same activity or trading the same goods, as well as from the application of credit risk mitigation techniques, including in particular the risks related to indirect exposures, for example to individual providers of guarantees (see Title III, Chapter 1, Annex B).

5. Risks arising from securitization transactions. Specific organizational rules on securitization transactions are contained in Title II, Chapter 2, Part II, Section VII. In particular, the internal control system ensures that the risks related to these transactions, including reputational risks arising, for example, from the use of complex structures or products, are managed and assessed through appropriate policies and procedures, so that the economic substance of these transactions is fully consistent with their risk assessment and with the decisions of the governing bodies.

6. Market risk. The main requirements for the market risk management process are described in Title II, Chapter 4. In particular, the internal control system ensures the implementation of policies and procedures to identify, measure and manage all the sources and effects of exposure to market risks. Where a short position matures before the corresponding long position, the bank adopts appropriate safeguards against liquidity risk. In any case, banks that are unable to properly measure and manage the risks associated with financial instruments sensitive to several risk factors must refrain from trading in those instruments (see Title II, Chapter 4, Part Two, Section II).

7. Interest rate risk arising from activities not belonging to the trading book for supervisory purposes. Banks set up appropriate systems to identify, assess and manage the risks arising from potential changes in the level of interest rates on activities not belonging to the trading book for supervisory purposes (see Title III, Chapter 1, Annex C).

8. Operational risk. Unlike the other "first pillar" risks, for which the bank, on the basis of its risk appetite, knowingly takes on credit or financial positions to achieve the desired risk/return profile, the assumption of operational risk is implicit in the decision to undertake a particular type of activity and, more generally, in the conduct of the business.
In this context, the internal control system must be the main safeguard for the prevention and containment of such risks. In particular, corporate policies and procedures must be approved and implemented to define, identify, assess and manage exposure to operational risks, including those arising from low-frequency, high-severity events. The provisions on the governance and management of operational risks are described in Title II, Chapter 5. They differ depending on the prudential treatment adopted by the bank. Banks also apply the CEBS/EBA guidelines on the management of operational risk arising from trading activities (see CEBS/EBA GL35, "Guidelines on the management of operational risks in market-related activities").

9. Liquidity risk. Given the growing importance that liquidity risk has taken on over the years, the principles and guidelines for the internal control system are discussed in the broader context of the organizational safeguards to be put in place against this risk category (Title V, Chapter 2, Section V).

10. Risk of excessive leverage. Banks have corporate policies and procedures to identify, manage and monitor the risk of excessive leverage. Indicators of this risk are the leverage ratio and mismatches between assets and liabilities. Banks manage the risk of excessive leverage conservatively, taking into account potential increases in this risk due to reductions in the bank's own funds caused by expected or realized losses arising from the applicable accounting rules. To this end, banks must be able to cope with different stress situations with regard to the risk of excessive leverage.

11. Risks associated with the issuance of covered bonds. Detailed rules on the responsibilities of corporate bodies and on controls at banks issuing covered bonds can be found in Title V, Chapter 3, Section II, par. 5.

12. Risks associated with the acquisition of holdings. In order to manage the specific risks associated with the acquisition of holdings by banks and banking groups, specific organizational and corporate governance rules are contained in Title V, Chapter 4, Section VII.

13. Risk activities and conflicts of interest with related parties. With specific reference to transactions with related parties, the specific provisions on internal controls and the responsibilities of corporate bodies contained in Title V, Chapter 5, Section IV apply.

14. Risks associated with the activity of depositary bank for mutual funds and pension funds. Banks that take on the role of depositary comply with the specific rules on internal controls contained in Title V, Chapter 6, Sections II and IV.

15. Country risk and transfer risk. Banks are required to safeguard effectively, in line with the principle of proportionality, against country risk (29) and transfer risk (30). In particular, banks take account of these risks in the context of the RAF, the process for determining total capital adequacy at present and in the future (ICAAP) (31) and the risk management process. Banks formalize criteria for determining appropriate provisions in respect of individual exposures subject to these risks.

Annex B CONTROLS ON FOREIGN BRANCHES
The foreign branches of Italian banks have particular monitoring requirements. Below are some minimum guidelines that banks must follow in directing their choices regarding internal controls.
In particular, banks must:
- check the consistency of the activity of each branch or group of foreign branches with the bank's objectives and strategies;
- adopt uniform information and accounting procedures, or procedures otherwise fully linkable with the central system, in order to ensure adequate and timely information to the governing bodies;
- confer decision-making powers according to criteria commensurate with the potential of the branches, and allocate responsibilities among the operating units of each branch so as to ensure the necessary dialectic in the exercise of those powers;
- provide for the joint exercise of signatory powers; if the characteristics and riskiness of operations so require, the intervention of the area executives responsible for the branches, if any, or of the body with the management function must be envisaged. Any exceptions for operations of limited risk must be governed by appropriate regulations;
- subject foreign branches to audits of internal controls, to be carried out by personnel with the necessary expertise;
- set up at branches with significant operations, taking into account both the riskiness of the branch relative to the bank's overall risk appetite and the operational/organizational complexity of the branch, a unit in charge of second-level controls and a unit with internal audit functions. The staff assigned to these units, normally reporting hierarchically to the central corporate control functions, report, as do the heads of those functions, through specific reports directly to the area executive responsible for the branch, if any, and to the body with the management function;
- carry out documentary checks on all operational aspects and extend them to the merits of management, so as to arrive at an overall assessment of the foreign branches in terms of the income produced and the risks assumed; the outcome of the checks must be submitted to the body with the management function, which reports on them, at least once a year, to the body with the strategic supervision function.
The body with the management function must take care to intensify, also for the purpose of controlling its peripheral structures, relations with the parallel central structures of the main correspondent banks, agreeing among other things suitable procedures for the verification of each other's positions.
In selecting the executives to be placed at the head of foreign branches, corporate bodies must give preference to, and take into account, the ability of the persons concerned to adapt to the business logic of the organization and to the rules of conduct generally applicable to Italian banks. Checks are carried out, with a frequency consistent with the type of risks assumed by the foreign branch, by the body with the control function, the internal audit function and the external audit firm. On-site checks by the internal audit function must be extensive and cover at least the risks assumed, the reliability of the operating structures and information systems, the functioning of internal controls and the branch's position in the market. The minimum frequency of checks is graduated according to the transactions carried out and the markets in which the branch operates. The results of inspections are promptly brought to the attention of the governing bodies.

Annex C THE RISK APPETITE FRAMEWORK
1. Introduction. Banks define a framework for determining risk appetite (Risk Appetite Framework, "RAF"), which fixes ex ante the risk/return targets that the intermediary intends to achieve and the resulting operational limits. The formalization, through the definition of the RAF, of risk objectives consistent with the maximum risk that can be assumed, the business model and the strategic direction is an essential element for the determination of a risk governance policy and a risk management process based on the principles of sound and prudent management. Banks also coordinate the RAF with the ICAAP process (see Title III, Chapter 1) and ensure its proper implementation through an adequate organization and internal control system.

2. Information on the content of the RAF.
This paragraph provides minimum indications for the definition of the Risk Appetite Framework, it being understood that the actual structure of the RAF must be calibrated according to the size and operational complexity of each bank. Banks ensure close consistency and timely linkage between the business model, the strategic plan, the RAF (and the parameters used to define it), the ICAAP process, the budget, the organization and the internal control system.
The RAF, taking into account the strategic plan and the significant risks identified therein, and having defined the maximum assumable risk, indicates the types of risk that the bank intends to take; for each type of risk, it sets the risk objectives, any tolerance thresholds and the operational limits, under both normal and stress conditions. It also indicates the circumstances, including the results of stress scenarios, in which the assumption of certain categories of risk must be avoided or limited with respect to the objectives and limits. The risk objectives, tolerance thresholds and risk limits are normally expressed in terms of: a) meaningful measures of risk or economic capital at risk (VaR, expected shortfall, etc.); b) capital adequacy; c) liquidity. With reference to quantifiable risks, the constituent elements of the RAF are expressed through appropriate quantitative and qualitative parameters, calibrated according to the principle of proportionality; to this end, banks may refer to the risk measurement methods used for the internal capital adequacy assessment (ICAAP) (see Title III, Chapter 1, Section II). With reference to risks that are difficult to quantify (such as, for example, strategic risk, reputational risk or compliance risk), the RAF provides specific qualitative indications capable of guiding the definition and updating of the processes and safeguards of the internal control system. The RAF defines the procedures and management actions to be activated where it is necessary to bring the level of risk back within the objective or the pre-established limits. In particular, it defines the management actions to be taken on reaching the tolerance threshold (where defined). It also sets out the timing and methods for updating the RAF. Finally, the RAF sets out the tasks of the bodies and of all the functions involved in its definition process.
TITLE V Chapter 8 THE INFORMATION SYSTEM
Section I GENERAL PROVISIONS
1. Introduction. The information system (comprising the technological resources - hardware, software, data, electronic documents, computer networks - and the human resources devoted to their administration) is a major tool for achieving the strategic and operational objectives of intermediaries, given the criticality of the business processes that depend on it. In fact:
- from a strategic point of view, a secure and efficient information system, based on a flexible, resilient and group-integrated architecture, makes it possible to seize the opportunities offered by technology to expand and improve products and services for customers, improve the quality of work processes, promote the dematerialization of securities and reduce costs through the virtualization of banking services;
- from the point of view of sound and prudent management, the information system allows management to have detailed, relevant and up-to-date information with which to take informed and timely decisions, and supports the proper implementation of the risk management process (see Chapter 7);
- with regard to the control of operational risk, the smooth running of internal processes and of the services provided to customers, and the integrity, confidentiality and availability of the information handled, depend on the functioning of automated processes and controls;
- in terms of compliance, the information system is entrusted with recording, storing and correctly representing management events and the events relevant for the purposes provided for by law and by internal and external regulations.
The provisions contained in this Chapter are general requirements for the development and management of the information system by intermediaries; the concrete measures to be adopted take account of the specific strategic objectives and, according to the principle of proportionality, of the size and operational complexity, the nature of the activity carried out, the type of services provided and the level of automation of the bank's processes and services.
In this regard, banks assess the opportunity to make use of the standards and best practices defined at international level in the field of governance, management, security and control of the information system.

2. Legal sources. The matter is regulated by:
- Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC;
- the following articles of the Banking Law:
• art. 51, which provides that banks send the Bank of Italy, in the manner and within the time limits established by it, periodic reports as well as all the data and documents requested;
• art. 53, paragraph 1, letter d), which gives the Bank of Italy, in accordance with the resolutions of the CICR, the power to issue general provisions on the administrative and accounting organization and internal controls of banks;
• art. 67, paragraph 1, letter d), which gives the Bank of Italy, in accordance with the resolutions of the CICR, the power to issue to the parent company of a banking group provisions for the group as a whole or its components regarding the administrative and accounting organization and internal controls;
- the resolution of the CICR of 2 August 1996, as amended by the resolution of 23 March 2004, on the administrative and accounting organization and internal controls of banks and banking groups;
- the Decree of the Minister of Economy and Finance, as Chairman of the CICR, of 5 August 2004 concerning, among other things, the tasks and powers of the governing bodies of banks and banking groups;
- the Recommendations for the security of internet payments issued by the ECB on 31 January 2013 (32).
Account is also taken of the document Principles for effective risk data aggregation and risk reporting, published by the Basel Committee on Banking Supervision in January 2013 (33).

3. Definitions.

For the purposes of these provisions, the following definitions apply:
- "accountability": the attribution to a specific corporate figure of responsibility for an activity or business process, with the consequent duty to answer for the actions taken and the results achieved; in the technical sense, the guarantee of being able to attribute each operation to uniquely identifiable entities (users or applications);
- "authentication": the procedure for verifying the identity of a user within a system or service;
- "authorization": the procedure that checks whether a customer or another internal or external party has the right to perform a given action, e.g. to transfer funds or to access sensitive information;
- "critical component of the information system": a system or application for which an information security incident can affect the orderly and secure performance of important operational functions of the intermediary (see Chapter 7, par. 3), including the effective performance of the duties of the corporate bodies and control functions; the risk analysis identifies the business functions and the components of the information system that present significant risks for the bank;
- "credentials": information, generally confidential, used by a user for authentication to a system or service. The definition includes the physical devices that supply or store such information (e.g. one-time password generators, smart cards), something the user knows (e.g. a password) or something the user is (e.g. biometric characteristics);
- "information security incident": any event that involves the violation, or the imminent threat of violation, of the rules and business practices in the field of information security (e.g. computer fraud, attacks via the internet, malfunctions and outages);
- "serious information security incident": an information security incident that has at least one of the following consequences:
a) high economic losses or prolonged disruption for the intermediary, including as a result of repeated incidents of minor significance;
b) significant disruption for customers and other parties (e.g. intermediaries or payment infrastructures); the assessment of seriousness considers the number of customers or counterparties potentially affected and the amount at risk;
c) the risk of compromising the bank's ability to comply with the conditions and obligations set by law or by supervisory provisions;
- "least privilege": the principle according to which each user or system administrator is assigned only the authorizations strictly necessary to perform the tasks assigned;
- "no single point of failure": the architectural principle according to which the failure of a single component of a system must not compromise the proper functioning of the entire system;
- "critical operations": operations relating to important operational functions, carried out in the production environment, which, if performed incorrectly or not performed, may affect the proper functioning of critical components of the information system (with reference to data, programs or system configuration), as well as those that may affect, directly or indirectly, the company's assets;
- "contingency procedure": a procedure which, in the event of unavailability or serious malfunction of the system, provides for the use, under emergency conditions, of tools that are less integrated into business processes (e.g. resorting to manual activities) in order to complete a limited set of particularly critical operations;
- "fallback procedure": a procedure activated in the event of major problems during a technological upgrade or a migration to new platforms, aimed at providing alternative ways of carrying out the application functions that are not working;
- "IT (or ICT) risk": the risk of incurring economic, reputational and market-share losses in relation to the use of information and communication technology (ICT). In the integrated view of business risks for prudential purposes (ICAAP), this type of risk is considered, according to its specific aspects, among operational, reputational and strategic risks;
- "residual IT risk": the IT risk to which the intermediary is exposed after applying the mitigation measures identified in the risk analysis process;
- "IT (or ICT) resource": a company asset relating to ICT that contributes to the receipt, storage, processing, transmission and use of the information handled by the intermediary;
- "segregation of duties": the principle according to which particularly critical operations are carried out through the cooperation of several users or system administrators with formally separated responsibilities;
- "responsible user": the corporate figure identified for each system or application who formally assumes responsibility for it, representing its users and liaising with the structures responsible for development and technical management;
- "verifiability": the guarantee of being able to reconstruct, even after some time, the events relating to the use of the information system and the processing of data.

4. Scope of application.

These provisions apply, as established in Title I, Chapter 1, Part Two, to:
- banks authorized in Italy, with the exception of branches of non-EU banks having their head office in Group of Ten countries or in those included in a specific list published and periodically updated by the Bank of Italy (34);
- the parent companies of banking groups;
- the reference companies, as provided by Section VI of Chapter 7.

Section II GOVERNANCE AND ORGANIZATION OF THE INFORMATION SYSTEM

1. Introduction.
Within the general framework of organization and internal controls, roles and responsibilities relating to the development and management of the information system are attributed to the corporate bodies and functions, respecting the principle of separation between control functions and the functions of strategic supervision and management.

2. Tasks of the body with strategic supervision function.

The body with strategic supervision function has overall responsibility for the direction and control of the information system, with a view to the optimal use of technological resources in support of corporate strategies (ICT governance). In this context it:
- approves the strategies for the development of the information system, taking into account developments in the sector and consistent with the existing set-up and with the planned evolution of the areas of operation, processes and organization; in this context it approves the reference model for the architecture of the information system;
- approves the information security policy (35);
- approves the guidelines on the selection of personnel with technical functions and on the procurement of systems, software and services, including the use of external suppliers (see Section VI);
- promotes the development, sharing and updating of ICT knowledge within the company;
- is informed at least annually on the adequacy of the services provided and on the support these services give to the evolution of the company's operations, in relation to the costs incurred; it is informed promptly in the event of serious problems for the business activity resulting from incidents and malfunctions of the information system.

With specific regard to its responsibilities for overseeing the IT risk analysis (see Section III), the same body:
- approves the organizational and methodological framework for IT risk analysis, promoting the appropriate use of information on technological risk within the ICT function and its integration with the systems for measuring and managing risks (in particular operational, reputational and strategic);
- approves the IT risk appetite, having regard to internal services and those offered to customers, consistent with the risk objectives and the framework for determining the enterprise-wide risk appetite (see Chapter 7, Annex C);
- is informed at least annually on the IT risk situation compared with the risk appetite.

Annex A lists the documents that the body with strategic supervision function approves as part of its roles and responsibilities in this matter.

3. Tasks of the body with management function.

The body with management function is responsible for ensuring the completeness, adequacy, functionality (in terms of effectiveness and efficiency) and reliability of the information system. In particular, this body:
- defines the organizational structure of the ICT function (if any) (36), ensuring its consistency with the strategies and architectural models defined by the body with strategic supervision function, and ensures the correct qualitative and quantitative sizing of human resources;
- defines the organizational structure, methodology and process for IT risk analysis, pursuing an appropriate level of integration with the risk control function for the processes of estimating operational risk;
- except in the case of full outsourcing, approves the design of the information system management processes, ensuring the effectiveness and efficiency of the set-up as well as its overall completeness and consistency, with particular regard to a functional assignment of tasks and responsibilities, the robustness of the controls, and the validity of the supporting methodology and process;
- approves the data governance standards, the change and incident management procedures (where appropriate, in connection with the procedures of the service provider) and, normally on an annual basis, the operational plan of IT initiatives, checking their consistency with the information and automation needs of the business lines as well as with business strategies;
- assesses at least annually the performance of the ICT function against strategies and objectives, in terms of cost/benefit or by means of integrated performance measurement systems (37), adopting appropriate actions and improvement initiatives;
- approves at least annually the risk assessment of critical components as well as the report on the adequacy and cost of ICT services, informing the body with strategic supervision function accordingly; in this context it ascertains the overall IT risk situation in relation to the defined risk appetite, for the purpose of providing appropriate information on, at least, the level of residual risk for the various IT resources, the status of implementation of the risk mitigation safeguards (see Section III), the evolution of the threats associated with the use of ICT, and the incidents recorded during the reporting period;
- monitors the proper conduct of the processes for managing and controlling ICT services and, in the event of anomalies, puts in place appropriate corrective actions;
- takes timely decisions regarding serious information security incidents (see Section IV) and informs the body with strategic supervision function in the event of serious problems for the business activity resulting from incidents and malfunctions.

In relation to the responsibilities and tasks assigned to it, the body with management function is equipped with technical and managerial skills appropriate to the size, complexity and organizational structure of the intermediary as well as to its sourcing strategies. Annex A lists the procedures, standards and plans subject to the approval of the body with management function.

4. Organization of the ICT function.

The organizational structure of the ICT function depends on factors such as the complexity of the corporate structure, size, areas of activity, and business and management strategies. It is inspired by criteria of functionality, efficiency and security, clearly defining tasks and responsibilities and providing in particular for:
- direct reporting lines to the body with management function (38), in order to guarantee unity of vision in management and risk as well as uniformity in the application of the rules relating to the information system; any decentralized development units under the control of the business lines are nonetheless placed within the more general architectural design and operate according to rules defined at corporate level;
- the responsibilities and activities associated with the planning and control of the portfolio of IT projects, with the evolution of the architecture and technological innovation, as well as with the governance of the information system management activities (39);
- the implementation of appropriate means of liaison with the business lines, with particular regard to the activities of identifying and planning IT initiatives (regular survey of IT service needs and promotion of the technological opportunities offered by the evolution of the information system).

5. Information security.
The information security function is tasked with the performance of specialist tasks in the field of ICT resource security. In particular, it:
- oversees the drafting and updating of security policies and operating instructions;
- ensures the consistency of the security safeguards with the approved policy;
- participates in the design, implementation and maintenance of the security safeguards of the data centre;
- participates in the assessment of potential risk as well as in the identification of security safeguards within the IT risk analysis process (see Section III);
- ensures continuous monitoring of the threats applicable to the various IT resources (see Section IV, par. 3);
- oversees the performance of security tests before a new or modified system goes into production (see Section IV, par. 5).
In more complex organizations, independence of judgement from the operating units is ensured by an adequate organizational position.

6. IT risk control and ICT compliance.

Within the internal control system, responsibility for carrying out the following second-level control tasks is clearly assigned:
- IT risk control, based on a continuous flow of information on the evolution of IT risk and on monitoring the effectiveness of the measures protecting ICT resources. The management of overall IT risk is connected with the analysis process carried out on individual ICT resources (see Section III). The assessments are documented and reviewed in the light of monitoring results, and in any case at least annually. For banks with a validated internal model for operational risk, data on operating losses in the ICT field are integrated with the data and scenarios relating to the other corporate functions, and their quality and completeness are overseen;
- compliance with internal rules and external regulations on ICT (ICT compliance), ensuring, among other things:
• assistance on technical aspects in the case of legal issues relating to the processing of personal data;
• the appropriateness of the organizational set-up with respect to external regulations, for the parts relating to the information system;
• the analysis of compliance of outsourcing contracts with suppliers (including intra-group contracts).

7. Tasks of the internal audit function.

The internal audit function has, internally or through the use of external resources (40), the specialist skills needed to perform its assurance tasks relating to the company's information system (ICT audit). The planning of audit interventions over time ensures adequate coverage of the various applications, infrastructures and management processes, including any outsourced components (41). Regardless of the form chosen for the audits (e.g. targeted audits, or checks on applications and components of the information system as part of audits of production processes or organizational structures), the internal audit function is able to provide feedback on the main technological risks identified and on the intermediary's overall management of IT risk.

Section III IT RISK ANALYSIS

IT risk analysis is a tool for ensuring the effectiveness and efficiency of the measures protecting ICT resources, allowing the mitigation measures to be graduated across the various environments according to the intermediary's risk profile. The analysis process is carried out with the participation of the responsible user (42), ICT function staff, the risk control functions, the information security function and, where appropriate, the internal audit function, according to a methodology and responsibilities formally defined by the body with management function. It consists of the following stages:
- assessment of the potential risk to which the examined IT resources are exposed; this activity covers all development initiatives for new projects and significant modifications of the information system (43). This stage starts with the classification of ICT resources (44) in terms of IT risk (45);
- treatment of the risk, aimed at identifying, where necessary, technical or organizational mitigation measures proportionate to containing the potential risk. The analysis determines the residual risk, which is subjected to formal acceptance by the responsible user (46).
If the residual risk exceeds the IT risk appetite approved by the body with strategic supervision function (see Section II, par. 2), the analysis proposes the adoption of alternative measures or further risk treatment (47), agreed with the involvement of the risk control function and subject to the approval of the body with management function. For procedures already in operation, for which no risk analysis was carried out during the development phase, a supplementary assessment is nonetheless carried out in order to identify any safeguards in addition to those already in place, to be implemented according to a specific implementation plan. The timing of the plan's implementation and the compensatory organizational or procedural safeguards adopted pending implementation are documented and subjected to formal acceptance by the responsible user. The results of the process (classification levels, potential and residual risks, list of threats considered, list of identified safeguards), all their subsequent updates, the assumptions made and the decisions taken are documented and brought to the attention of the body with management function. The risk analysis process is repeated with a periodicity appropriate to the type of ICT resources and the risks involved and, in any case, whenever situations arise that may affect the overall level of IT risk (48).

Section IV INFORMATION SECURITY MANAGEMENT

1. Introduction.

Information security management comprises the processes and measures aimed, in connection with the general corporate action to preserve the security of information and corporate assets, at ensuring each IT resource a level of protection, in terms of confidentiality, integrity, availability, verifiability and accountability, that is adequate and consistent throughout its entire life cycle. A further objective of this process is to contribute to the compliance of the information system with the law and with internal and external regulations. The structure of the process and the intensity of the safeguards to be implemented depend on the results of the risk analysis process (see Section III).

2. Security policy.

The information security policy is approved by the body with strategic supervision function and communicated to all staff and to the third parties involved in the management of information and of components of the information system. It sets out:
- the objectives of the information security management process, in line with the IT risk appetite defined at enterprise level (see Section II, par. 2); these objectives are expressed in terms of security needs and control of technological risk;
- the general security principles for the use and management of the information system by the various corporate profiles;
- the roles and responsibilities relating to the information security function as well as to updating and verifying the policy;
- the organizational and methodological framework of the ICT management processes responsible for ensuring the appropriate level of protection;
- the guidelines for communication, training and awareness activities aimed at the various classes of users;
- a reference to the internal rules governing the consequences of policy violations by staff;
- a reference to the laws and other external regulations applicable to the security of information and ICT resources, including the rules set out in this Section.
The security policy may refer to more detailed documents, e.g. guidelines and operating manuals on configurations and security procedures for particular components and applications; a dedicated policy for internet payment services; rules for the proper use of cross-company applications such as e-mail and web browsing. The periodic review of the security policy takes account of the evolution of the products supplied, the technologies used and the risks faced by the intermediary (see Section III).

3. Security of information and ICT resources.

The security of information and IT resources is guaranteed by protection measures at the physical and logical level, whose intensity of application is graduated in relation to the results of the risk analysis (classification of IT resources in terms of security).
These measures are distributed over several layers, so that a possible flaw in one line of defence is covered by the next ("defence in depth"), and include:
- physical defence safeguards and the procedures for authorizing and controlling physical access to systems and data (e.g. perimeter barriers with supervised entry points, access-controlled premises with recording of entries and exits);
- the regulation of logical access to networks, systems and databases on the basis of actual operational requirements (need-to-know principle); access rights are granted through appropriate authorization profiles, after formal approval; the list of authorized users is verified at a defined frequency;
- the authentication procedure for access to applications and systems; in particular, the unique association of each user with their own access credentials is guaranteed, together with safeguarding the confidentiality of the authentication factors (49) and compliance with the standards defined internally as well as with the applicable regulations, e.g. on password composition and management, limits on access attempts, and the length of cryptographic keys;
- the segmentation of the telecommunications network, with control of the flows exchanged, particularly between domains characterized by different security levels (e.g. internal systems and users, core applications, external systems and users); access to critical systems and services via public channels (e.g. in the case of internet banking) is safeguarded so as to meet strict security requirements and provide a level of protection consistent with the risks to be faced (50);
- the adoption of methodologies and techniques for secure software development, as a possible defensive safeguard for components assessed at a high risk level in the IT risk analysis;
- the separation of the development, test and production environments, with adequate formalization of the passage of software modules between them (par. 5), in order to avoid, as a rule, access to confidential data and critical components by development staff (51); the production environment is subject to more restrictive access and change control measures;
- the criteria for selecting and managing the staff used to process data and carry out critical operations (system administrators and privileged users), with particular regard to the assessment of the skills and reliability of staff, the signing of specific confidentiality commitments, and the ongoing management of the tasks assigned (e.g. through periodic checks of the lists of enabled personnel and job rotation measures);
- the procedures for carrying out critical operations, guaranteeing compliance with the principles of least privilege and segregation of duties (e.g. specific enabling and authentication procedures, four-eyes controls (52), or ex post daily checks);
- monitoring, including through the analysis of logs and audit trails, of accesses, transactions and other events in order to prevent and manage information security incidents; the activities of system administrators and other privileged users on critical components are subject to strict control;
- the continuous monitoring of security threats and vulnerabilities;
- rules on the traceability of the actions carried out, aimed at enabling ex post control of critical operations, with recording of the author, date and time (53), business environment and other salient characteristics of the transaction. Electronic records are retained for a period of not less than 24 months in archives that cannot be modified or whose modifications are promptly recorded.

4. Security of applications developed by operational and control units.

The development of applications directly by operational and control units is subject to organizational and methodological measures designed to ensure a level of security comparable to that of applications developed by the ICT function.
A periodic census monitors the applications developed with end-user computing tools and verifies their compliance with security policies, in particular when they are used in relevant activities such as the preparation of financial information, risk management, finance and management reporting, in order to contain operational risk (54).

5. Change management.

The procedure for managing changes to applications and ICT resources is formally defined and ensures control over modifications, replacements and technological upgrades, especially in the production environment. The process takes place under the responsibility of a figure or structure with a high degree of independence from the development function and provides, in a manner proportionate to the complexity and technological risk of the intermediary, for:
- the preparation and constant updating over time of an inventory or map of the ICT assets (hardware, software, data, procedures) (55);
- the assessment of the impact of the changes on the system and of the risks associated with the proposed modifications;
- the formal authorization of any change to the production environment (56); in the critical cases identified by the risk analysis, this procedure includes acceptance of the new residual risk;
- the planning, coordination and documentation of the modifications, providing for testing and security testing activities in a dedicated environment distinct from production;
- the use of an appropriate system for managing the configuration of the system (hardware, software, operating and usage procedures, interconnection methods), for tracking the implementation of changes, including the possibility of restoring the ex ante situation.
Changes made in an emergency may be handled with safeguards that do not fully comply with the ordinary policy but are appropriate to the particular situation. Such changes are nonetheless tracked and notified ex post to the responsible user.
Initiatives with a broader impact on the information system (e.g. significant changes to critical components, adaptations following mergers or demergers, migration to other platforms), which normally fall within the strategic plans brought to the attention of the body with strategic supervision function, are communicated to the Bank of Italy and provide, in addition to the above, for appropriate technical, organizational and procedural measures to ensure a controlled operational start-up, with limited impact on the services provided to customers (e.g. phased implementation, periods of parallel operation with the previous set-up, fallback and contingency procedures). Information flows to the various managerial levels and to the corporate bodies allow monitoring of project progress.
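The traceability, least privilege and four-eyes requirements of Section IV, par. 3, and the formal authorization and ex ante restoration requirements for production changes of Section IV, par. 5, can be made concrete in code. The following Python is an added example and not part of the Circular or of any bank's system: it keeps an append-only audit trail in which every record carries the author, action, environment and timestamp and the hash of the previous record (so later edits or deletions are detectable), and it drives a change through request, approval by a different person, application and rollback. The role names, the user directory, the permission strings, the change identifiers and the hash chain itself are all assumptions made for the example; the Circular only requires that records be kept in archives that cannot be modified or whose modifications are promptly recorded, and says nothing about how.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Assumed role model (least privilege): each role holds only the permissions it needs.
ROLE_PERMISSIONS = {"developer": {"change.request"},
                    "change_manager": {"change.request", "change.approve"},
                    "operator": {"change.apply", "change.rollback"}}
# Assumed user directory for the walk-through.
USERS = {"alice": "developer", "bob": "change_manager", "dave": "change_manager", "carol": "operator"}

class AuditTrail:
    """Append-only log; each record carries the SHA-256 of its predecessor, so tampering is detectable."""
    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(rec):
        body = {k: v for k, v in rec.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, author, action, environment, details):
        rec = {"seq": len(self.records), "ts": datetime.now(timezone.utc).isoformat(),
               "author": author, "action": action, "environment": environment, "details": details,
               "prev": self.records[-1]["hash"] if self.records else GENESIS}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)

    def verify(self):  # -1 if the chain is intact, else the index of the first tampered record
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1

class ChangeControl:
    """request -> approve (by a different person) -> apply; the ex ante value is kept for rollback."""
    def __init__(self, trail, env="production"):
        self.trail, self.env, self.changes, self.config = trail, env, {}, {}

    def _require(self, user, perm, change_id):
        if perm not in ROLE_PERMISSIONS.get(USERS.get(user), set()):
            self.trail.append(user, "denied:" + perm, self.env, {"change_id": change_id})
            raise PermissionError(f"{user} may not {perm}")

    def request(self, user, change_id, key, new_value):
        self._require(user, "change.request", change_id)
        self.changes[change_id] = {"requester": user, "key": key, "new": new_value, "approver": None}
        self.trail.append(user, "change.request", self.env, {"change_id": change_id, "key": key})

    def approve(self, user, change_id):
        self._require(user, "change.approve", change_id)
        ch = self.changes[change_id]
        if ch["requester"] == user:  # four-eyes: no self-approval, even with the permission
            self.trail.append(user, "denied:self-approval", self.env, {"change_id": change_id})
            raise PermissionError("segregation of duties: requester cannot approve own change")
        ch["approver"] = user
        self.trail.append(user, "change.approve", self.env, {"change_id": change_id})

    def apply(self, user, change_id):
        self._require(user, "change.apply", change_id)
        ch = self.changes[change_id]
        if ch["approver"] is None:
            self.trail.append(user, "denied:unapproved", self.env, {"change_id": change_id})
            raise PermissionError("change not formally authorized")
        ch["old"], self.config[ch["key"]] = self.config.get(ch["key"]), ch["new"]  # keep ex ante value
        self.trail.append(user, "change.apply", self.env,
                          {"change_id": change_id, "key": ch["key"], "old": ch["old"], "new": ch["new"]})

    def rollback(self, user, change_id):
        self._require(user, "change.rollback", change_id)
        ch = self.changes[change_id]
        self.config.pop(ch["key"], None)  # drop the applied value...
        if ch["old"] is not None:         # ...and restore the ex ante one, if the key existed before
            self.config[ch["key"]] = ch["old"]
        self.trail.append(user, "change.rollback", self.env, {"change_id": change_id, "restored": ch["old"]})

def run_scenario():
    """Constructed walk-through; returns (control, trail, messages of the denied actions)."""
    cc, denied = ChangeControl(AuditTrail()), []
    cc.config["tls.min_version"] = "1.1"
    steps = [lambda: cc.request("alice", "CHG-1", "tls.min_version", "1.2"),
             lambda: cc.apply("carol", "CHG-1"),                   # denied: not yet approved
             lambda: cc.approve("bob", "CHG-1"),
             lambda: cc.apply("carol", "CHG-1"),
             lambda: cc.request("bob", "CHG-2", "session.timeout_s", 900),
             lambda: cc.approve("bob", "CHG-2"),                   # denied: four-eyes
             lambda: cc.apply("alice", "CHG-2"),                   # denied: developers may not apply
             lambda: cc.approve("dave", "CHG-2"),
             lambda: cc.apply("carol", "CHG-2"),
             lambda: cc.rollback("carol", "CHG-2")]                # restores the ex ante situation
    for step in steps:
        try:
            step()
        except PermissionError as e:
            denied.append(str(e))
    return cc, cc.trail, denied
```

Two points are worth noting about the design. Denials are logged as well as successes, because the ex post control the Circular asks for is as interested in who tried to do what without authorization as in what was done; and the four-eyes check is applied after the permission check, so that holding the approve permission never lets a change manager approve a change they requested themselves. A hash chain kept in the same process as the application only makes tampering detectable; meeting the 24-month retention and immutability requirement in practice means shipping the records to storage the application and its administrators cannot rewrite, and taking timestamps from a trusted time source.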