79191 This volume is a product of the staff of the International Bank for Reconstruction and Development/The World Bank. The World Bank does not guarantee the accuracy of the data included in this work. The findings, interpretations, and conclusions expressed in this paper do not necessarily reflect the views of the Executive Directors of the World Bank or the governments they represent. The material in this publication is copyrighted. FINANCIAL SECTOR ASSESSMENT PROGRAM UPDATE EL SALVADOR BASEL CORE PRINCIPLES FOR EFFECTIVE BANKING SUPERVISION ASSESSMENT OF COMPLIANCE NOVEMBER 2010 INTERNATIONAL MONETARY FUND THE WORLD BANK MONETARY AND CAPITAL MARKETS FINANCIAL AND PRIVATE SECTOR DEPARTMENT DEVELOPMENT VICE PRESIDENCY LATIN AMERICA & THE CARIBBEAN REGION VICE PRESIDENCY 2 Table of Contents Page I. Summary, Key Findings, and Recommendations ..................................................................3 Introduction ........................................................................................................3 Information and methodology used for assessment ...........................................3 Institutional and macroeconomic setting and market structure—Overview......4 Preconditions for effective bank supervision .....................................................5 Main Findings ....................................................................................................7 Recommended action plan and authorities‘ response ......................................16 Tables 1. Summary Compliance with the Basel Core Principles—Detailed ......................................12 2. Recommended Action Plan to Improve Compliance with the Basel ...................................17 3. Detailed Assessment of Compliance with the Basel Core Principles ..................................21 3 I. SUMMARY, KEY FINDINGS, AND RECOMMENDATIONS Introduction 1. This assessment of the Basel Core Principles (BCP) was conducted as part of the FSAP Update evaluation of the El Salvador financial system from April 22–May 10, 2010. As agreed, the supervisory framework was assessed against the BCP methodology issued in October 2006. The assessment was conducted by Mr. Miquel Dijkman, World Bank, and Ms. Socorro Heysen, a consultant with the IMF. Information and methodology used for assessment 2. The Salvadoran authorities generously provided the assessment team with key documentation, including a self-assessment of compliance with the 25 Basel Core Principles, the legal and regulatory framework for banking supervision, off-site monitoring reports and various other reporting schedules submitted by the banks. During their stay, the assessors held extensive discussions with the supervisory staff of the Superintendencia del Sistema Financiero (SSF). The assessors also met with representatives from the Banco Central de Reserva (BCR), a number of external auditors and private bankers. As part of the assessment of home host relationships, the assessors had telephone interviews with two home supervisors of major Salvadoran banks. The assessors enjoyed excellent cooperation with their counterparts and received all the information requested, including a self assessment, relevant regulations, laws, and various supervisory reports. The team extends its thanks to the staff of the various institutions and in particular to the staff of the SSF for their participation in the process and their hospitality. 3. The assessment of compliance with each principle is made on a qualitative basis. A four-part assessment system is used: compliant; largely compliant; materially noncompliant; and noncompliant. To achieve a ‗compliant‘ assessment with a principle, all essential criteria generally must be met without any significant deficiencies. A ‗largely compliant‘ assessment is given if only minor shortcomings are observed, and these are not seen as sufficient to raise serious doubts about the authority‘s ability to achieve the objective of that principle. A ‗materially noncompliant‘ assessment is given when the shortcomings are sufficient to raise doubts about the authority‘s ability to achieve compliance, but substantive progress has been made. A ‗noncompliant‘ assessment is given when no substantive progress toward compliance has been achieved. 4. The ratings assigned during this assessment are not comparable to the ones assigned in the 2000 FSAP, as the bar to measure the effectiveness of a supervisory framework has been raised in the new methodology. New criteria have also been added while existing ones have been redefined. 4 Institutional and macroeconomic setting and market structure—Overview 5. The Salvadoran financial sector is dominated by the banking industry. There are currently nine private banks, two state banks, two foreign branches, two savings and loan associations, and six cooperative banks operating in El Salvador. The SSF is responsible for the licensing, regulation and supervision of the above-mentioned banks, hereinafter called ‗scheduled banks.‘ 6. Bank ownership has changed substantially in the last few years. All private domestic banks have been bought by international or regional banks (e.g., Citibank Cuscatlán, HSBC Banistmo, Scotia, Bancolombia Agrícola, and BAC). As before, financial groups (i.e., those including a combination of banks, insurance and securities companies), remain an important feature of the financial system, but now have a an increasingly international dimension: at end- 2005, the four largest groups (HSBC, Citibank, UNO and Bancolombia) represented 31 percent of the financial company assets in the region; and, in El Salvador, HSBC, Citibank (which acquired the UNO and Cuscatlán group), and Bancolombia accounted for close to 63 percent of the banking assets at end-2009. 7. The Salvadoran financial system is comparable with its regional peers in terms of size. Although (foreign-owned) banks still constitute the backbone of the financial sector, the banking sector‘s share has been falling. As of end-2009, banks‘ assets amounted to over US$13 billion, equivalent to about 64 percent of total financial assets, compared to US$11 billion or 74 percent in 2004. By contrast, the market share of private pension funds expanded rapidly from US$2.2 billion to US$5.2 billion (14.7 percent to 25.2 percent of financial assets). Consumption and mortgage credit have increased at the expense of corporate loans. Following a similar pattern as in Guatemala and in Honduras, credit to firms has dropped continuously. 8. The financial system has weathered the global financial crisis reasonably well. Reflecting a flight out of riskier assets and a number of recapitalization rounds, capital adequacy levels slightly increased and currently averages nearly 17 percent. Nonperforming loans (NPL) amount to 3.8 percent of total loans, up from about 2 percent before the crisis. Specific provisions currently cover some 110 percent of total NPLs, which are defined as loans more than 90 days overdue. At the backdrop of a severe deterioration of the real economy, provisioning increased significantly in 2009. This affected profitability, as the return on assets fell from 1.2 percent in 2007 to 0.4 percent in early 2010. 9. The SSF is responsible for the licensing, supervision and regulation of the banking sector and fulfills this through on-site inspections and off-site supervision. Since the last FSAP, the SSF has embarked upon an ambitious project to move towards risk-based supervision. The SSF was reorganized in 2008 and now features a Dirección de Riesgos with specialists in various risk categories, which allows the supervisory teams to tap on the specialized expertise that is available in the Dirección. 5 10. In response to the changing ownership structures in the Salvadoran banking sector, the SSF has also stepped up efforts to enhance cross-border cooperation, both bilaterally and regionally. The SSF has signed Memoranda of Understanding with all home supervisors. These agreements primarily cover exchange of information in the context of ongoing supervision. In addition, the Comité de Enlace of Central American supervisors (CECAS) has stepped up regional coordination. CECAS has quarterly meetings and monthly teleconferences where supervisors present relevant information, risks and concerns about the banks operating under their jurisdictions. 11. The Salvadoran authorities are also in the process of overhauling the supervisory landscape. A draft Law1 is currently discussed in the Asamblea, and agreement is expected in the course of this year. The law aims to separate powers of regulation, supervision and sanctioning. It does so by (i) transferring the right to issue regulation from the Superintendency of Banks (SSF) to the central bank (BCR) and (ii) merging the superintendencies of banks, securities firms, and pension funds, thus creating a sole supervisory authority. 12. Notwithstanding these positive developments, there are serious enforcement issues. The SSF‘s effectiveness as a supervisory agency is affected by a lack of legal protection of supervisors. Litigation can and does occur in practice. The SSF ability to address imprudent behavior by banks is also compromised by gaps in the regulatory framework. Regulation is lacking in such areas as corporate governance, credit risk, liquidity risk, market risk, operational risk, interest rate in the banking book, information technology and investment valuation and derivatives. Although supervisory practices in these areas have improved, the lack of standards puts the SSF at a disadvantage in addressing imprudent behavior by banks. This is aggravated by the limitations of the current remedial action framework, which includes only limited powers for the SSF to take preventive action at an early stage, i.e. before inadequate practices or vulnerabilities lead to undercapitalization. The toolkit does for instance not include powers for the supervisor to limit the distribution of dividends, constrain existing or new operations and acquisitions, or enforce the sale of assets. 13. In pushing forward the transition towards risk-based supervision, the SSF faces human resource constraints. The SSF‘s supervisory capacity already seems stretched, which is aggravated by the addition of new tasks to the supervisors‘ responsibilities, in particular with regard to consumer protection. A further upgrading of supervisory capacity, both in quantitative and in qualitative terms, is therefore necessary. Preconditions for effective bank supervision 14. The Salvadoran economy is characterized by full dollarization and tight links to the United States. The fully dollarized exchange regime instituted in 2001 replaced a peg to the U.S. dollar that had persisted since 1994. Merchandise exports to the United States amount to 12 percent of GDP, over half of total shipments. Remittances receipts were the highest in Central 1 The Ley de Supervisión y Regulación del Sistema Financiero. 6 America at over 17 percent of GDP from 2003–2007, and also come mainly from the United States. 15. Between the 2004 Update and the onset of the global financial crisis in late 2008, economic growth accelerated and macroeconomic fundamentals improved. Helped by buoyant external demand and ample accommodative financing conditions, real GDP grew by an average of 3.6 percent from 2005–2008, compared to 2.1 percent from 2001–2004. Inflation has averaged about 4 percent, anchored by dollarization. 16. The global financial crisis and political uncertainty hit economic activity hard in 2009. The deteriorating external environment, coupled with uncertainty over macroeconomic policies in the run-up to the 2009 elections sharply reduced trade flows and remittances and raised deposit and lending rates. Private capital flows became negative, as banks and companies paid down foreign liabilities. Domestic credit to the private sector also declined, reflecting both banks‘ increased risk aversion and lower demand for credit. Private consumption and investment fell sharply, and real GDP declined by 3.5 percent in 2009, after growing by 2.4 percent in 2008. 17. The public infrastructure in El Salvador is reasonably developed. More than 4000 chartered accountant individuals and firms operate in El Salvador, including representatives of the five large international firms. The Accounting and Auditing Oversight Board (CVCA) is responsible for the oversight of the accounting profession in El Salvador. A transition to IFRS was initiated in 2004, but it is still in progress. All listed companies are required to publish their audited financial statements, according to the IFRS for the nonfinancial firms, and according to the accounting standards defined by their regulators in the case of the financial sector firms. Nonlisted companies are also subject to various reporting requirements including filing their year end balances with the Commercial Registry. Starting on 2011, all listed companies (with the exception of those in the financial sector) will be require to issue their financial statements using IFRS, while all unlisted companies will use IFRS for small and medium entities. However, the CVCA has limited resources and there is little oversight regarding the compliance with these requirements. 18. The SSF has set up a so-called Central de Riesgo, which collects credit information of Salvadoran nationals and legal persons provided by supervised institutions only. In addition to the Central, a number of private companies collect credit information for debt provided by unsupervised institution. There is also a functioning central registry that records liens on collateral pledged by debtors. Nonetheless, multiple mortgage loans to one single underlying asset do occur, provided that the total sum of mortgages does not exceed the value of the underlying. Although the primary mortgage provider has to approve the granting of additional mortgage loans, complications in collateral seizure may arise in case the debtor remains current on the primary mortgage but defaults on the other loans. Periodic valuations of real estate assets are mandatory and are conducted by certified specialists. 19. The Salvadoran banking sector has demonstrated considerable dynamism, as is evidenced by major changes in the ownership structure of the local banks and a new bank 7 starting operations. Furthermore, Salvadoran banking is among the most efficient in the region, as is illustrated by the fact that Salvadorian banks present the lowest administrative costs in Central America, suggesting relative efficiency in banking service delivery. 20. The deposit insurance fund (IGD) was created in 1999 and currently covers deposits of up to $9,000 at 12 commercial banks and, as of 2010, at 6 cooperative banks and 2 savings and loans associations.2 It however lacks resources to undertake its mandate effectively. The IGD is funded by a loan from the BCR (currently $13 million) and premiums (equivalent to an annual rate of 0.10 percent of deposits) paid quarterly by member banks. IGD‘s current reserve fund from BCR and bank contributions (US$96 million or 1.1 percent of total deposits) is enough to finance the resolution of each of the seven smallest banks and one saving and credit institution individually. 21. There are potentially serious weaknesses in the arrangements for systemic liquidity. The high liquidity ratios for the Salvadoran banks need to be seen against a background of a lacking interbank market, limiting the scope for banks with liquidity surpluses to lend to banks with liquidity shortages. Furthermore, the BCR is as of yet by law prohibited to lend to the banking sector and can therefore not function as a Lender of Last Resort. The BCR is however making preparations to enhance its ability to provide systemic liquidity. Main Findings 22. Since the FSAP in 2004 the SSF has taken a number of initiatives to strengthen and upgrade supervision. This includes amongst others the creation of a risk unit with specialized expertise and continued efforts to foster cross border cooperation and coordination. While the efforts have been considerable, and the SSF is lauded for its efforts, the lack of regulation in practically all risk categories is a major impediment for further progress. The lack of standards in those areas, combined with severe shortcomings in legal protection and deficiencies in the remedial action framework for addressing minor transgressions limit the SSF‘s ability to address imprudent behavior by banks. While supervisory practices have improved considerably, the transition to risk based supervision is as of yet incomplete. Procedures used by the supervisors are still primarily compliance based and appear to focus on verifying the existence of policies and risk management procedures rather than determining if they appropriate to the size and nature of the bank‘s activities. 23. The following summarizes the main findings of the detailed assessment of compliance with the BCP. Objectives, independence, powers, transparency and cooperation (CP1) 24. The SSF is responsible for the licensing, supervision and regulation of the banking sector and fulfills this through on-site inspections and off-site supervision. The SSF has 2 The IGD does not insure BFA deposits as the BFA is government owned. This exception, established by law, affects the playing field with the rest of financial entities. 8 valuable institutional assets to preserve, including its prestige among the general public, banks, auditors, the financial markets, the trust of the Salvadoran government and the dedication and capacity of its technical staff. It has also undertaken significant efforts to enhance cross-border cooperation, both bilaterally and regionally. 25. In exercising its supervisory tasks, the SSF however suffers from a lack of regulation in key risk areas. Regulation is lacking in such areas as corporate governance, credit risk, liquidity risk, market risk, operational risk, interest rate in the banking book, information technology and investment valuation and derivatives. Although supervisory practices in these areas have improved, the lack of standards puts the SSF at a disadvantage in addressing imprudent behavior by banks. 26. This is aggravated by a lack of legal protection for supervisory staff. Litigation can and does occur. Legal challenges not only distract supervisory resources from where they are needed most, it also impacts the willingness of the SSF to use its corrective powers. Another concern is that the remedial action framework includes only limited powers for the SSF to take preventive action before inadequate practices or vulnerabilities lead to undercapitalization. In particular, the toolkit does not include powers for the supervisor to limit the distribution of dividends, constrain existing or new operations and acquisitions, or enforce the sale of assets. Such measures are necessary to bring about improvements in management and penalize minor transgressions before undertaking more drastic measures, such as regularization. 27. Lastly, the SSF’s supervisory resources are stretched, complicating the transition towards risk-based supervision. This is made worse by new tasks added to the supervisors‘ work load, particularly with regard to consumer protection. Priority should therefore be given to upgrading supervisory capacity, both in quantitative and in qualitative terms. Licensing and structure (CPs 2–5) 28. The term ‘bank’ is defined in the law, as are the permissible activities. Cooperative banks are authorized by the SSF to accept deposits and are automatically regulated and supervised by the SSF as established in the Law on Cooperative Banks. They are also covered by the deposit insurance fund. Cooperatives with assets exceeding US$68.57 million are also subject to mandatory supervision. In practice, a considerable number of cooperatives is factually engaged in attracting deposits (which are instead described as ―member contributions‖) and are below the US$68.57 million threshold. Effective supervision and oversight of this segment is lacking, nor are these cooperatives restrained by the definition of permissible activities for cooperative banks of Art. 34 of the Cooperative Banks and Savings and Loan Partnerships Law. 29. Before starting a bank in El Salvador, the SSF must authorize the public call to buy shares. Once the public promotion has been approved, the founders request the SSF‘s authorization to set up a corporation. The main criteria for the SSF in deciding on the application are the outcomes of the fit and proper test of the shareholders representing more than 1 percent ownership and the assessment of the submitted financial projections and business plans of the new bank. The current bank law does however not explicitly allow the SSF to revoke the license 9 if it is based on false information. By lack of corporate governance regulation there is also no clear norm for start up banks to comply with in this area. 30. Regarding transfer of significant ownership, the SSF applies two thresholds of 1 and 10 percent of the shares of the bank. Prior authorization by the SSF is required to exceed these thresholds, which is based on a fit and proper test of the incumbents. The SSF expressed that it did not always manage to identify the ultimate beneficial owners of banks. Reflecting a very high degree of foreign penetration in the financial system, it relies on home supervisors to identify ultimate beneficial owners of the banks with sizable operations in El Salvador. Shareholders who are in the 1–10 percent bracket and who are no longer considered fit should be prevented from exercising their shareholder rights, as is the case for shareholders owning more than 10 percent. In addition to the annual sworn declarations, shareholders should be required to proactively inform the SSF about any event affecting their suitability. 31. The SSF has the power to review all major acquisitions or investments, against prescribed criteria, including the establishment of cross-border operations. The invested amount may not exceed 50 percent of the equity fund or 10 percent of the loan portfolio, whichever is greater. There is scope for enhancing the legal criteria on the basis of which the SSF assesses acquisition or investment proposals. The SSF assesses the economic feasibility of the proposal, but a risk assessment is not a legal or regulatory requirement, even though it is in practice demanded by the SSF. Also, the criteria should include a check whether the proposed investment does not impede effective supervision. Prudential regulation and requirements (CPs 6–18) 32. El Salvador’s required level of capital adequacy is 12 percent, higher than the required ratio applied in other Central American countries. The capital adequacy framework is however not fully in line with international standards. The statutory minimum requirement must be seen against a background of a liberal treatment of intangible assets (mostly goodwill), which are not subtracted from capital as required under Basel I. Risk weights currently provide little differentiation for the risk profile of asset base. 33. A tightening of the asset classification and provisioning rules has contributed to an improvement in the management of problem assets. Provisioning levels are now broadly in line with international practices, and the SSF monitors banks‘ delinquent loan portfolio intensively. The SSF currently lacks the authority to oblige banks to raise provisioning levels over and above the levels that are required according to regulation. Although not required to meet the Core Principle, a number of additional suggestions for further strengthening can be made. Banks are currently required to downgrade corporate loans on the basis of past-due days, with an obligation to further downgrades if the repayment capacity of the debtor so warrants. This obligation only applies to corporate debtors, i.e. not to consumer or mortgage loans. Also, when debtors with multiple loans with various banks default on one loan, but stay current on others, the nonaffected loans are not automatically downgraded at all banks. Lastly, the practice of granting several mortgages on the basis of one underlying asset warrants monitoring. 10 34. There are important gaps in the existing regulatory framework. A considerable amount of regulation is under development, but is slow to be released. Regulation is lacking in such areas as corporate governance, credit risk, liquidity risk, market risk, operational risk, interest rate in the banking book, information technology and investment valuation and derivatives. Supervisory practices in these areas have improved, while the arrival of reputable foreign banks has raised risk management standards. Still, the lack of standards raises compliance issues as the SSF cannot coerce banks to comply with its requirements. There is therefore an urgent need for the SSF to issue standards on key risk categories. The need for doing so is most urgent for credit risk, liquidity risk and corporate governance. Considering that the legal framework is rather vague, a key issue that needs to be addressed in these regulations is to spell out the responsibilities of banks‘ directors regarding the oversight of management and the internal controls system to ensure that these are adequate relative to the risks and complexity of their operations. It is vital that the upcoming overhaul of the supervisory process, which amongst others entails a transfer of the authority to issue regulation to the BCR, does not delay the issuance of regulation. In this context, the BCR needs to build on the draft regulations that are under development within the SSF. Methods of Ongoing Supervision (CPs19–21) 35. The transition towards risk based supervision needs to be enhanced by further upgrading supervisory techniques and practices. The SSF currently uses CAMELS models in order to generate bank-specific risk profiles. After establishing banks‘ risk profiles, the SSF makes an assessment of the effectiveness of risk mitigants to determine residual risk. There is however a need to bring in more qualitative judgment in this assessment. In addition to checking whether procedures and policies are in place, the SSF faces the challenge of assessing the quality of risk management. The adequacy of risk management needs to be evaluated, considering the bank‘s characteristics, such as size, complexity and risk appetite. 36. In doing so, the SSF faces human capacity constraints, due to organizational issues and a lack of resources. Offsite responsibilities are currently split over two divisions (Risks and Analysis), and the role and responsibilities of offsite supervision are not well specified. In addition, individual supervisory staff is often given a number of different roles, which is most problematic in the Risk Division. The unit leaders of this Division are not only responsible for a specific risk for all banks but are also the designated ―relationship managers‖ for a financial conglomerate. The Supervisory Department is resource-constrained, as the increased consumer protection responsibilities entrusted to the SSF have been assigned to this department, diverting supervisory resources away from prudential supervision. 37. A further upgrade of supervisory practices therefore requires capacity building and reorganization of duties. The SSF‘s supervisory capacity already seems stretched. The mission therefore recommends that the SSF give priority to further upgrading supervisory capacity, both in quantitative and in qualitative terms. 11 Accounting and Disclosure (CP 22) 38. The SSF receives a fairly comprehensive set of information on banks and banking groups, with the exception on relevant data on market and interest rate risks. The accounting manual, which is the basis for the reports submitted to the SSF and the audited financials published by banks, is prudent but outdated and does not conform to international standards. The norm differs from international accounting standards in the calculation of loan loss provisions, valuation of investments, deferred taxes and the extent to which risks and other material issues are revealed. Corrective and Remedial Powers of Supervisors (CP 23) 39. The remedial action framework includes only limited powers for the SSF to take preventive action at an early stage, before inadequate practices or vulnerabilities lead to undercapitalization. In particular, the toolkit does not include powers for the supervisor to limit the distribution of dividends, constrain existing or new operations and acquisitions, or enforce the sale of assets. Such measures are necessary to bring about improvements in management and penalize minor transgressions before needing to take more drastic measures, such as regularization. 40. This is aggravated by a lack of legal protection for supervisory staff, as litigation can and does occur. Such legal challenges not only distract supervisory resources from where they are needed most, it also impacts the willingness of the SSF to use its corrective powers. The SSF has not issued regulation on sanctions to clearly define the severity of the violations and the corresponding scale of sanctions and make the sanctioning process more transparent for supervised entities and individuals. Consolidated and Cross-Border Banking (CPs 24–25) 41. The SSF has stepped up its efforts to enhance cross-border cooperation, both bilaterally and regionally. In response to the changing ownership structures in the Salvadoran banking sector, it has signed Memoranda of Understanding with all home supervisors. These agreements primarily cover exchange of information in the context of ongoing supervision. In addition, the Comité de Enlace of Central American supervisors (CECAS) has stepped up regional coordination. CECAS has quarterly meetings and monthly teleconferences where supervisors present relevant information, risks and concerns about the banks operating under their jurisdictions. Some progress has also been made in the coordination with local supervisors of entities belonging to the conglomerates, to gather information and conduct simultaneous onsite exams, but additional efforts are needed to have a comprehensive framework to assess the risks that nonbanking local activities conducted by a bank or banking group may pose to the bank or banking group. 42. Table 1, to be included in detailed assessments, offers a summary of the main findings, including a column for ratings (please see next page). 12 Table 1. Summary Compliance with the Basel Core Principles—Detailed Assessments Core Principle Compliance Comments 1. Objectives, independence, powers, transparency, and cooperation Regulation in many main risk areas affecting banking operations is currently lacking. Establishing standards is essential to allow the 1.1. Responsibilities and LC SSF to enforce remedial actions on banks objectives engaged in imprudent behavior but also to ensure that the overall supervisory framework keeps up with industry practices. Additional human resources are needed to conduct current supervisory tasks more thoroughly. Supervisory capacity is stretched and adding responsibility for consumer protection aggravates the problem. It would be 1.2. Independence, preferable to establish a separate unit for these accountability and LC tasks and the SSF should be provided with transparency extra resources for additional responsibility. The involvement of the Council in day-to-day administrative and operational matters slows down decision-making. The appointment cycle for the Superintendent currently follows the presidential cycle. Although the Salvadoran authorities are 1.3. Legal framework C currently compliant, the transfer of the authority to issue norms will affect future compliance. The remedial action framework contains only minor corrective powers for the SSF in the 1.4. Legal powers LC preventive stage. Legal protection issues also adversely impact its effectiveness. Legal protection for the SSF’s staff is lacking. 1.5. Legal protection NC This is a serious issue. Current cooperation arrangements do not 1.6. Cooperation C include financial crisis management issues. There is insufficient oversight of the cooperatives. Similarly, transparency as to 2. Permissible activities LC which cooperative banks are regulated and covered by the deposit insurance fund needs to be enhanced. 13 The current Bank Law does not explicitly allow the SSF to revoke the license if based on false 3. Licensing criteria LC information. By lack of corporate governance regulation there is also no clear norm for start up banks to comply with. Shareholder who are in the 1–10 percent bracket and who are no longer considered fit should also have their shareholder rights frozen. In addition to the annual sworn 4. Transfer of significant LC declarations, shareholders should be required ownership to proactively inform the SSF of any event arising in the course of the year affecting their suitability. The SSF should be allowed to annul unauthorized transfers of ownerships. Criteria on the basis of which investment proposals are evaluated are not enshrined in 5. Major acquisitions LC law or regulation. The legal criteria also don’t include a check whether the proposed investment does not impede supervision. The list of deductibles does not include intangible assets (including goodwill). The SSF 6. Capital adequacy LC is currently constrained in ties ability to impose capital add-ons. The lack of a standard is the key issue in this area, even though the quality of risk 7. Risk management process MNC management processes in banks is likely to be better than the lack of risk management regulation suggests. There is no regulation which specifies the standard. Although the supervisors expend considerable resources on the review of credit portfolios, they do not assess the suitability of the credit risk management activities. As the supervisors gain experience in the conduct of 8. Credit risk MNC risk based supervision, it is anticipated that the credit risk area will be one of the first areas to be addressed, as it is an important risk and is a risk that is fairly well understood. The practice of multiple mortgages on one underlying asset requires monitoring. The SSF currently lacks the authority to oblige banks to raise provisioning levels over and 9. Problem assets, provisions, LC above the requirements of the regulation. The and reserves practice of multiple mortgage loans on the same underlying asset warrants monitoring. 14 Without necessarily violating single party limits, banks may still be exposed to significant concentration risks. The SSF has the authority to aggregate individual exposures for which 10. Large exposure limits LC credit risk is linked, but uses this power infrequently. The SSF should be challenging the adequacy of banks’ own internal limits on various types of concentration risks. Delinquent loans to related parties are not subject to enhanced monitoring requirements for the Boards of banks. Laws and regulation 11. Exposure to related parties LC are not specific enough regarding conflict of interest in granting new loans to related parties. 12. Country and transfer risks C Limited enforcement capacity without regulation on market risks. Need further 13. Market risks MNC training for supervision to be effective. Follow up on onsite observations pending. Limited enforcement capacity without regulation on liquidity risk management. Need 14. Liquidity risk MNC further training for supervision to be effective. Follow up on onsite observations pending. Limited enforcement capacity without regulation on operational risks and a specific norm on IT risks. Need to develop supervisory 15. Operational risk MNC processes and further training for supervision to be effective. Only two supervisors responsible for this risk. Follow up on onsite observations pending. Limited capacity for the offsite monitoring of this risk and to enforce adequate management 16. Interest rate risk in the MNC without regulation on interest rate risk banking book management. Follow up on onsite observations pending. Absence of regulation on corporate 17. Internal control and audit LC governance leaves the Board responsibility on this rather general and difficult to enforce. Gaps in regulation include: no requirement of a customer acceptance policy identifying the relationships that the bank will not accept; no 18. Abuse of financial services LC requirement that banks have due diligence policies and processes regarding correspondent banking. 15 The SSF is moving toward risk based supervision, but it needs to address these shortcomings: lack of risk regulation undermines enforcement capacity of supervisors; reports lack depth to identify problems with the adequacy of risk policies, 19. Supervisory approach LC practices and systems; supervisory resources are stretched and the multiple responsibilities of some staff and divisions may hinder their capacity for effective supervision; and a complete picture of the overall risks of the financial system is not available. There is room for improvement in the consistency and quality control of reports; more 20. Supervisory techniques LC training on the supervision of specific risks and stress testing techniques is needed. The accounting manual, which is the basis for the reports submitted by banks, is outdated 21. Supervisory reporting LC and does not conform to international standards. The accounting manual differs from IAS in the calculation of loan loss provisions, valuation of 22. Accounting and disclosure LC investments, deferred taxes and the extent to which risks and material issues are revealed. The responsibilities and intensity of the follow up of corrective actions, based on the risks, need to be formally defined by the SSF. The absence of regulations regarding various risks limits enforcement. The SSF has not issued regulation on sanctions to clearly typify the 23. Corrective and remedial LC severity of the violations and the corresponding powers of supervisors scale of sanctions. Before Regularization the SSF has a limited range of preventive measures (no powers to restrict the distribution of dividends, bonuses, new acquisitions, sales of assets or specific operations). Progress has been made in coordinating with local and foreign supervisors, but efforts are needed to have a comprehensive framework to 24. Consolidated supervision LC assess the risks that non-banking local activities conducted by a bank or banking group may pose to the bank or banking group. 25. Home-host relationships C Aggregate: Compliant (C) – 4, Largely Compliant (LC) – 18, Materially Non-Compliant (MNC) – 7, Noncompliant (NC) – 1, Not Applicable (N/A) – 0 16 Recommended action plan and authorities’ response 43. In the immediate term, the SSF can take advantage of the window of opportunity in the revision of the SSF Law to consider necessary amendments, not included in current drafts.  Legal protection for bank supervisors.  Wider supervisory powers before the regularization stage (i.e. restrict the distribution of dividends and acquisitions or activities).  Broaden the requirement that the Board reports on aspects that could affect the stability of the bank to include also other material aspects and events that could affect the bank, short of threatening insolvency or illiquidity. 44. In the short term, it is recommended that the SSF expedite its regulatory process to issue important drafts necessary to enable enforcement of the necessary supervisory actions. 45. Table 2 below contains the specific recommendations to bring the supervisory framework up to international standards. 17 Table 2. Recommended Action Plan to Improve Compliance with the Basel Core Principles Reference Principle Recommended Action Expediting the process to issue regulations on the CP 1.1 Responsibilities and objectives basis of existing drafts. The Council should focus on its oversight role and on key strategic decisions, rather than being involved in day-to-day administrative and operational matters. The grounds for dismissal of the Superintendent should be described specifically, while the appointment process should CP 1.2 Independence be decoupled from the presidential cycle. Additional human resources are needed to conduct current supervisory tasks more thoroughly, and in view of additional consumer protection tasks. These tasks are best delegated to a separate unit. Further refinements to the remedial action CP 1.4 Legal powers framework could be made by enhancing the SSF’s powers to act in the preventive stage. As a matter of priority, the SSF’s staff needs to be provided with legal protection for actions CP 1.5 Legal protection undertaken in good faith. The upcoming overhaul of the supervisory landscape is a window of opportunity to address this urgent issue. Consideration should be given to broadening the CP 1.6 Cooperation current cooperation arrangements to include financial crisis management issues. It is recommended to strengthen oversight of the cooperative banking segment and enhance transparency as to which cooperative banks are regulated and covered by deposit insurance. A CP 2 Permissible Activities legal amendment needs to be passed to require that the Federations collect information on their member cooperatives and are obliged to submit it to the SSF. The legal threshold of C$ 600 million seems high The current bank law does not explicitly allow the SSF to revoke the license if based on false CP 3 Licensing criteria information. By lack of corporate governance regulation there is also no clear norm for start up banks to comply with. 18 Reference Principle Recommended Action Shareholders who are in the 1–10 percent bracket and who are no longer considered fit should also have their shareholder rights frozen. In addition to the annual sworn declarations, shareholders CP 4 Transfer of significant ownership should be required to proactively inform the SSF of any event arising in the course of the year affecting their suitability. The SSF should be allowed to annul unauthorized transfers of ownerships. Legal criteria should be extended to include a forward-looking risk analysis. The criteria should CP 5 Major Acquisitions also include a check whether the proposed investment does not impede supervision. The list of deductibles needs to be broadened to include intangible assets (including goodwill). The SSF should also be granted additional discretion in CP 6 Capital Adequacy imposing capital add-ons, also with regard to the size of the add-ons. The latter requires legal changes. Establishing appropriate regulation. The problem CP 7 Risk Management Process is that the SSF cannot enforce compliance because a standard is lacking. Establishing regulation which specifies the standard is a priority, as is enhancing the CP 8 Credit Risk supervision of risks, rather than procedures and policies. The practice of multiple mortgages on one underlying asset requires monitoring. The SSF should be given authority to oblige banks to raise provisions over and above the levels that are required according to regulation. Although not required for compliance with the core principle, a number of additional recommendations for further strengthening can be made. The mandatory periodic reassessment of the debtors’ repayment capacity that currently only applies to debt to the CP 9 Problem assets, provisions and reserves corporate sector could be extended to loans to the consumer and mortgage sector. This would require changes to existing regulation. In case a debtor with multiple debts to various banks is delinquent on one loan, all other loans (including the ones to non-affected banks) should also receive similar classification and provisioning treatment. 19 Reference Principle Recommended Action The SSF has the authority to aggregate individual exposures for which credit risk is linked, but should use it more vigorously. The SSF should establish CP 10 Large Exposure Limits aggregate limits for individual large exposures and for which credit risks are linked. The SSF should take a more proactive role in discussing risk concentrations. It is suggested to establish enhanced monitoring requirements for the Boards of banks regarding delinquent loans to related parties. Laws and regulation should be made more specific regarding conflict of interest in granting new loans. In case CP 11 Exposures to related parties of loans to related parties by administration, the Board needs to authorize, without the presence of the interested Board member. There is however a need to extend this clause to other categories of related parties, including by ownership. CP 13 Market risks Issue norm on market risks. Issue norm on liquidity risks, including requirements to have adequate policies to control CP 14 Liquidity risk concentration and other liquidity risks, stress testing and contingency plans . Issue norm on operational risks and a specific CP 15 Operational risk norm on information technology risks. The Operational risk unit requires additional staff. Issue norm on interest rate risks, including reports CP 16 Interest rate risk in the banking book suitable for the off site supervisory follow up of this risk. Issue corporate governance regulation, establishing clear responsibilities of the Board CP 17 Internal control and audit regarding the adequacy of the internal control system Issue a circular letter requiring banks to have a customer acceptance policy identifying the CP 18 Abuse of financial services relationships that the bank will not accept as well as due diligence policies and processes regarding correspondent banking Continue implementation of risk based supervision. The SSF should focus on whether risk management policies and procedures are adequate given the risk characteristics of the respective bank, rather than checking whether CP 19 Supervisory approach policies and procedures are in place. Broaden the scope of the financial system report of the SSF to include unsupervised entities (cooperatives). Appoint dedicated relationship managers responsible for the overall supervision of each bank. 20 Reference Principle Recommended Action Specialized training on the supervision of risks and CP 20 Supervisory techniques risk management. Include in the draft SSF law a requirement that the CP 21 Supervisory reporting Board and managers report to the SSF all events that are material. Revise accounting manual to improve disclosure CP 22 Accounting and disclosure on risks and introduce rules on derivatives and investments. Include in the draft SSF law a broader range of preventive measures prior to regularization (restrict the distribution of dividends, bonuses, new CP 23 Corrective and remedial powers of acquisitions, sales of assets or specific supervisors operations). Issue regulation on sanctions to clearly typify the severity of the violations and the corresponding scale of sanctions. Establish a comprehensive framework to assess the risks that non-banking local activities CP 24 Consolidated supervision conducted by a bank or banking group may pose to the bank or banking group 21 Table 3. Detailed Assessment of Compliance with the Basel Core Principles Principle 1. Objectives, autonomy, powers, and resources. An effective system of banking supervision will have clear responsibilities and objectives for each authority involved in the supervision of banks. Each such authority should possess operational independence, transparent processes, sound governance and adequate resources, and be accountable for the discharge of its duties. A suitable legal framework for banking supervision is also necessary, including provisions relating to authorization of banking establishments and their ongoing supervision; powers to address compliance with laws as well as safety and soundness concerns; and legal protection for supervisors. Arrangements for sharing information between supervisors and protecting the confidentiality of such information should be in place. Description Assessment Comments Principle 1(1). Responsibilities and objectives. An effective system of banking supervision will have clear responsibilities and objectives for each authority involved in the supervision of banks. Description EC1: The objectives of the SSF are described in the prelude of the Organic Law of the Superintendencia. The SSF is to contribute to the stability of the financial market and the trust of the public through exercising preventive surveillance. The responsibilities of the SSF regarding banking supervision are spelled out in detail in the Bank Law and in the Organic Law of the Superintendencia. The Laws establish the SSF’s authority as a bank supervisor and grant it the following attributions (Art 3 Organic Law): - Comply and enforce laws, regulations and other legal provisions to the entities under its oversight. - Set standards for the operation of the institutions under its control. - Authorize the constitution, operation and closing of Banks, Savings and Loan Associations, Insurance Companies and all other provided for in the laws. - Other oversight and inspection duties in accordance with the laws. The SSF is also the relevant supervisor of financial conglomerates. The Superintendencia de Valores is responsible for overseeing the stock market, external auditors, and rating agencies, while the Superintendencia de Pensiones supervises pension funds. The Banco Central de Reserva (BCR) is authorized under Art 52 of the Banking Law to dictate standards regarding the terms and negotiability for attracting funding, either in domestic or foreign currency (See also BCP 14 on Liquidity Risk). The supervisory landscape in El Salvador is in the process of a major overhaul, with a draft law submitted for approval to the Asamblea. Among the main changes are the integration of the three Superintendencies and the transfer of the authority to issue regulation from the SSF to the central bank. This overhaul is yet to be approved. This assessment is therefore based on the current institutional set-up, but contains references to the upcoming overhaul where relevant. EC2: The Law on Banks and supporting regulation set out a framework for minimum 22 prudential requirements for banks. This entails amongst others a 12 percent capital adequacy requirement over risk weighted assets, liquidity requirements and asset classification requirements. Prudential standards are however lacking in a number of important risk management areas (credit risk, market risk, interest rate risk and operational risk) and for corporate governance. Although a considerable number of regulations are under development, they are slow to pass. EC3: Minor changes can be accommodated by making amendments to the bank law and to existing regulations. However, regulation is lacking in many risk areas. Establishing an appropriate standard is essential to allow the SSF to address imprudent behavior and to use the remedial action framework. Among the explanations cited for the backlog in issuing new regulation are bottlenecks in the approval process (which involves the regulation department and the approval by the Consejo) and lengthy industry consultation practices. EC 4: Banks are required to publish their annual financial statements during the first 60 days of the year in two newspapers. The statements must be approved by the Shareholders General Meeting and by the external auditors. The requirements are set out in greater detail in NCB-017) and include relevant indicators on financial strength. Banks are also required to provide a three monthly financial report (NPB4- 38) that should also be publicly available. Assessment Largely Compliant Comments The SSF does have the authority to issue new regulation, but new regulation is slow to be released. One of the main challenges facing the SSF is to establish appropriate regulation for all main risk areas affecting banking operations in El Salvador, which affects he CPs on specific risk management areas. Regardless of the outcome of the upcoming overhaul of the supervisory framework, this process needs to be accelerated. Establishing standards is essential to allow the SSF to enforce remedial actions on banks engaged in imprudent behavior but also to ensure that the overall supervisory framework keeps up with industry practices. Principle 1(2). Independence, accountability and transparency. Each such authority should possess operational independence, transparent processes, sound governance and adequate resources, and be accountable for the discharge of its duties. Description EC1: Part III of the prelude of the Organic Law states that the SSF is granted with the autonomy and with the resources to carry out its duties efficiently. The Board of Directors of the SSF (i.e., the Consejo—the Council) is the key executive body. The Council consists of the Superintendente, the governor of the central bank, representatives from the ministry of economy and the ministry of finance and a delegate from the Surpreme Court. The Council is supervised by the Asamblea and subject to control by the Corte de Cuenta. The Council is meant to have an oversight role, but also has the final say in key strategic decisions, including the approval of new regulation, the use of remedial action and licensing. Despite its envisaged oversight role, the Council has in practice become increasingly involved in operational matters, including minor budgetary issues, individual salary increases and other administrative issues. Although the SSF does not experience the involvement of the Council as interference in its autonomy, decision-making is slowed down. The lack of legal protection for supervisory staff (which is discussed in detail in CP 1.4) is a factor that has the potential of seriously affecting the SSF’s independence. The superintendent is in principle appointed for a five-year term, but in practice appointments and dismissals follow the presidential cycle. Article 8 of the Organic Law spells out a number of fit and proper criteria, but reasons for dismissal from 23 office are not mentioned specifically. EC2: The prelude of the Organic Law states that El Salvador’s economic advancement requires stability of the financial market and the trust of the public. Preventive surveillance is the best way to protect these interests, and the SSF is the designated entity in charge of overseeing the compliance with legal and financial standards. The SSF prepares quarterly bulletins and annual reports in which it reports on the state of supervised institutions in an aggregated manner. The objectives of the SSF are specified in greater detail in the new draft Law, which states the SSF’s objective as contributing to the stability of the financial system. EC3: The SSF has valuable institutional assets to preserve, including its prestige among the general public, banks, auditors, the financial markets, the trust of the Salvadoran government and the dedication and capacity of its technical staff. The SSF has internal regulation for its staff (Art 23–27 of the Ley Orgánica). However, frequent litigation, made possible because of shortcomings in legal protection to its staff, represents a continuous threat to the SSF’s credibility. Although it has so far won all major cases, the SSF could suffer severe reputational damage in case it would lose an important case. EC 4: The SSF currently has 54 full time supervisors, of which 20 are engaged in offsite and 34 in onsite work. In 2009, a total of two full inspections, seven inspections of delinquent loans and four credit risk evaluations were conducted. Based on inspection of the Annual Inspection plan, the capacity of the SSF seems rather stretched, with little time allotted to specific projects. This is made worse as new tasks may be added to the supervisors’ responsibilities, notably in the area of consumer protection. These tasks add to an already high work load, and may potentially conflict with the supervisors’ prudential responsibilities. The SSF’s budget consists of a contribution of the supervised institutions (which consists of a fixed promillage of assets) which is topped up by a contribution of the Central Bank (maximum 50 percent of the total budget). The new supervisory law envisages a higher contribution by the supervised institutions, with a maximum central bank contribution of 10 percent. The SSF has the disposal of a training and travel budget for its staff, and it has the ability to commission outside experts. The competitiveness of the salary scales is evaluated every two years. According to the SSF’s assessment, the current package is reasonably competitive. It compares favorably with the salaries offered by the other Superintendencias. Salaries are also reasonably competitive with salaries for similar positions in the private sector, although the private sector offers better promotion prospects. Other than the budgetary restrictions, there is no limit on the headcount. Rotation figures over the last three years were very low (2–7 percent), suggesting that the SSF does not experience serious difficulties in retaining qualified staff. These figures must however be seen against a background of a slump in the private sector. Assessment Largely Compliant Comments The Council should focus on its oversight role and on key strategic decisions, rather than being involved in day-to-day administrative and operational matters. The grounds for dismissal of the Superintendent should be described specifically, while the appointment process should be decoupled from the presidential cycle. Additional human resources would be welcome to conduct current supervisory tasks more thoroughly. Rather than burdening supervisors with additional responsibilities for consumer protection, it would be preferable to establish a separate unit. Also, the SSF should be provided with extra resources to take on this additional responsibility. 24 This would also help to avoid conflicts of interests between prudential and consumer 3 protection objectives. Principle 1(3). Legal framework. A suitable legal framework for banking supervision is also necessary, including provisions relating to authorization of banking establishments and their ongoing supervision. Description EC1: Title two, chapter I of the Bank Law identifies the SSF as the main authority for granting and withdrawing bank licenses. Title four, chapter III deals with ceasing operations. Art 15 stipulates that any Salvadoran partnership with the intention to operate as a bank must have the SSF’s prior authorization. EC2: The SSF currently has the authority to set prudential rules, without changing the laws, by issuing regulation. As indicated above, the emission of new regulation has been relatively slow and for a number of important risk management areas standards are yet to be established. As part of the upcoming overhaul of the supervisory landscape, the authority to issue norms will be transferred from the SSF to the BCR. It should however be noted that the transfer of the authority to issue norms to the BCR will render El Salvador incompliant with this criterion. EC3: Art 31 of the Organic Law empowers the SSF to access all the businesses, goods, books, accounts, files, documents and correspondence of the institutions under its purview. It may also require that the administrators provide all information and explanation necessary to clarify any issue of concern. Assessment Compliant Comments Although the Salvadoran authorities are currently compliant, the transfer of the authority to issue norms will affect future compliance. Principle 1(4). Legal powers. A suitable legal framework for banking supervision is also necessary, including powers to address compliance with laws as well as safety and soundness concerns. Description EC1: Art 37 of the Organic Law allows the SSF to impose fines of up to 2 percent of capital to financial institutions that violate the laws, regulations, bylaws or other standards, or that do not comply with the instructions or SSF’s orders. The current legal framework also sets out corrective actions for predetermined levels of undercapitalization. In doing so, it does however restrain the scope for the supervisor to exercise qualitative judgment. Title IV of the Law on Banks sets out the main characteristics of the remedial action framework, which includes the authority to initiate regularization process, restructuring, and liquidate a financial institution. If solvency is between 10 and the required 12 percent, the SSF requires the institution to submit the measures and commitments necessary to solve the shortcomings (Art 78). Regularization is mandatory if the capital adequacy falls below 10 percent. Banks that are working on a regularization plan can also be brought under undergo special supervision. It’s primarily the bank’s responsibility to draft a regularization plan. If this is insufficient to bring the bank into safe waters again, the SSF may order restructuring. The SSF is authorized to adopt (i) reduce equity in order to absorb losses, (ii) order the bank to raise capital, (iii) decide on the exclusion of assets and liabilities, (iv) require the legal take over to a bank and (v) all other technically necessary steps (Art 93 Law on Banks). 3 As an illustration, conflicts of interest could occur in the event of massive mis-selling of financial products. Consumer protection considerations would call for compensation to disadvantaged clients, which may conflict with prudential concerns. 25 EC2: See BCP 1(3): Art 31 of the Organic Law empowers the SSF to access all the businesses, goods, books, accounts, files, documents and correspondence of the institutions under its purview. It may also require that the administrators provide all information and explanation necessary to clarify any issue of concern. EC3: The SSF has the authority to impose fines on financial institutions that are not complying with the laws or regulations. Banks that are engaged in imprudent behavior but otherwise observe the legal and regulatory requirements can only be submitted to the remedial actions outlined above once their capital falls below the 12 percent threshold. This is a restraint on the SSF’s capacity to exercise qualitative judgment in safeguarding safety and soundness of he banks within its jurisdiction. The SSF’s remedial action framework does not address situations in which solvency is still above the 12 percent ratio, but is showing a downward trend (or is expected to do so). The SSF has limited powers to intervene in the preventive stage (e.g. limits on the distribution of dividends, limits on conducting operations, acquisitions or sales of assets) to achieve necessary improvements in management and penalize minor transgressions without resorting to far-reaching measures, such as regularization. Although the SSF’s legal authority for imposing remedial actions seems adequate at face value, it could face difficulties in using this authority. This includes a lack of legal protection for SSF staff. Assessment Largely Compliant Comments The effectiveness of the remedial action framework could be enhanced by strengthening legal protection for the SSF staff. Further refinements could be made by enhancing the SSF’s powers to intervene in the preventive stage (see CP 23). Principle 1(5). Legal protection. A suitable legal framework for banking supervision is also necessary, including legal protection for supervisors. Description EC1: the current legal framework does not foresee in legal protection against supervisory staff. Litigation by banks does occur in practice. Even though the SSF has so far won all cases, the possibility of legal action against its supervisors is a source of distraction and personal stress, while the prospect of litigation may also adversely impact the SSF’s readiness to impose sanctions and remedial actions. The upcoming overhaul of the supervisory landscape does not address this issue. On the contrary, it explicitly states that ―….Any decision, action or omission of the Superintendent, Assistant Superintendents or the Oversight Committee that violates the constitutional provisions will incur personal liability for damages caused. This needs to be redressed urgently.‖ EC2: the SSF has an insurance policy in place, covering the costs of defending staff’s actions and/or omissions made while discharging their duties in good faith. Assessment Non Compliant Comments As a matter of priority, the SSF’s staff needs to be provided with legal protection for actions undertaken in good faith. The upcoming overhaul of the supervisory landscape is a window of opportunity to address this urgent issue. Principle 1(6). Cooperation. Arrangements for sharing information between supervisors and protecting the confidentiality of such information should be in place. Description EC1: Domestically, the SSF is involved in a number of coordination committees: - Comité de Superintendentes (―comité interinstitucional‖). This committee is established by Law of the Superintendencia de Valores. The three Superintendentes participate. The committee discusses matters related to ongoing supervision, developments and the outlook in the financial system; - The CISF, in which the central bank, the deposit insurance agency and the three superintendencias participate. This committee, which consists of six sub committees, functions as a forum for information sharing and a coordination 26 point for financial sector laws amongst other. - Comité de Riesgos: This committee monitors the investments of the pension funds. It consists of the three superintendents and the cb president. - Gabinete de Gestión Financiera: This committee includes representatives from the Ministries of Finance, Economy and Agriculture, the Superintendente of the SSF, the governor of the central bank, the superintendente of the SSF, and the presidents of the deposit insurance fund and the development bank (BMI). This committee deals primarily with long term issues such as the question how the financial system can better support economic advancement of the country and developing a master plan for the financial system. The Comité de Superintendentes and the CISF are the main are the main domestic committees for exchange of information regarding ongoing supervision and financial stability matters. There seems scope for strengthening domestic arrangements for crisis preparedness: there is no Memorandum of Understanding (MoU) in which the responsibilities of each agency are spelled out, nor is there a ―crisis committee.‖ Considering the number of agencies involved, this could lead to serious coordination issues in the event of financial crises. EC2: The banking law demands signed memoranda of understanding in case of foreign banks seeking authorization to operate in El Salvador (Art 29) or in case of Salvadoran banks seeking to start operations abroad (Art 23 Bank Law). Signed MoUs are a precondition for receiving the SSF’s authorization to start operations. Reflecting the high level of foreign penetration in the Salvadoran banking system, the SSF has a considerable number of bilateral MoUs. There is however considerable variety as to the home supervisor’s proactiveness with regard to information sharing. The MoUs deal primarily with information exchange issues for ongoing supervision purposes, rather than with crisis management issues. Besides the bilateral MoU, El Salvador is part of the Comité de Enlace, which includes the Central American countries and the Dominican Republic. Discussions with the SSF and telephone interviews with two home supervisors confirmed that the SSF takes international cooperation and information exchange very seriously. Nonetheless, current arrangements could be strengthened considerably to include crisis management issues as well (see BCP 25). EC3 and 4: There are no legal impediments to exchange information with other supervisors other than Art 232 of the Bank Law, which prevents it from exchanging information on individual accounts and deposits (unless by Court order). Assessment Compliant Comments It is recommended to broaden current cooperation arrangements to include financial crisis management issues. Principle 2. Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks must be clearly defined and the use of the word ―bank‖ in names should be controlled as far as possible. Description EC1: Art 2 of the Bank Law defines banks as all those institutions that habitually operate in the financial markets, calling on customers to attract their deposits, issue and place securities, or any other lending activity, being directly obliged to cover capital, interests and other accessories, to place them in lending activities for the public. EC2: Permissible activities are outlined in Art 51 of the Bank Law. It includes (i) deposit taking activities, (ii) issuing bonds, securities, deposit certificates, (iii) acquiring, assigning and entering into repo contracts, (iv) trust management, (v) contract credits and undertake obligations with the central bank, domestic and 27 foreign banks and financial institutions in general, (vi) accept, negotiate, confirm and issue letters of credit, (vii) undertake contingent obligations, (viii) issue credit cards, (ix) grant any type of loans, (x) act as custodians, (xi) act as financial agent on behalf of other financial institutions or enterprises, (xii) other credit asset and liability operations approved by the central bank. Art 23 and 24 of the Bank Law stipulate that subsidiaries of Salvadoran banks may only be engaged in financial operations offering servic es that supplement a bank’s financial services. EC3: Art 4 of the Bank Law states that the name ―Bank‖ is exclusive and of obligatory use of those institutions authorized by the SSF to operate as banks. Entities that are not supervised by the Superintendence or by a special law may not use this name or any derivation. EC4: See EC1 and EC3: only banks can take deposits, and all banks are licensed and supervised by the SSF. The legal provisions are adequate for regular banks. However, there may be some confusion regarding the status of cooperative banks. Cooperative banks are authorized by the SSF to accept deposits and are automatically regulated and supervised by the SSF as established in the Law on Cooperative Banks. They are also covered by the deposit insurance fund. Cooperatives with assets exceeding 600 million colones (around US$84 million) are also subject to mandatory regulation and supervision. In practice, a considerable number of cooperatives is de facto engaged in attracting deposits (which are instead described as ―member contributions‖) and are below the C$ 600 mln threshold—which is quite high. Effective supervision and oversight of this segment is lacking. These cooperatives are not restrained by the definition of permissible activities for cooperative banks of Art. 34 of the Cooperative Banks and Savings and Loan Partnerships Law. A number of cooperative networks in El Salvador, of which the associated banks are operating under the same brand name, include a mix of regulated cooperative banks and unregulated cooperatives. As a result, the distinction between regulated cooperative banks and unregulated cooperatives is not always clear to the general public. As part of the overhaul of the supervisory landscape, the authority to issue regulation for the cooperative banking segment will shift to the BCR. EC5: The SSF keeps a list an updated list of banks and branches on its website. Currently a total of 19 scheduled banks have operations in El Salvador. Assessment Largely Compliant Comments It is recommended to strengthen oversight of the cooperative banking segment and enhance transparency as to which cooperative banks are regulated and covered by the deposit insurance fund. At a minimum, a legal amendment needs to be passed to require that the Federations collect information on their member cooperatives and are obliged to submit it to the SSF. The legal threshold of C$ 600 million seems quite high. Principle 3. Licensing criteria. The licensing authority must have the power to set criteria and reject applications for establishments that do not meet the standards set. The licensing process, at a minimum, should consist of an assessment of the ownership structure and governance of the bank and its wider group, including the fitness and propriety of Board members and senior management, its strategic and operating plan, internal controls and risk management, and its projected financial condition, including its capital base. Where the proposed owner or parent organization is a foreign bank, the prior consent of its home country supervisor should be obtained. Description EC1: The Bank Law identifies the SSF as the competent licensing authority. Although the operational aspects of the application process are handled by the SSF, the 28 Consejo has the final say (see Ley Orgánica, Art 10 d and f). EC2: The SSF has set out a set of criteria for licensing banks. Before starting a bank undertaking in El Salvador, the SSF must authorize the public promotion, i.e. the public call to buy shares. Once the public promotion has been approved, the founders request the SSF’s authorization to set up a corporation. The main criteria for the SSF in deciding on the application are the outcomes of the fit and proper test of the shareholders representing more than 1 percent ownership (see EC6) and the assessment of the submitted financial projections and business plans of the new bank. EC3: The fit and proper criteria are consistent with those applied in ongoing supervision (see BCP 4 on transfer of significant ownership). During the first three years of their existence, new banks are subject to a 2.5 percent capital surcharge, in order to do justice to their higher risk profile. This may be prolonged by another three year, if necessary. EC4: The SSF has the authority to reject an application if it judges that the fit and proper criteria are not met or if the financial foundations are not thoroughly proven. Over the past six years, some three banks have made an application. The SSF has not rejected the application, but in a few cases the applicant banks lost interest halfway through the application process. EC 5: In assessing the proposal, the SSF makes an assessment of the bank’s organization and management layout. The emphasis is however on the bank’s viability. Although the SSF claims that there have been no difficulties in practice, the SSF does not make a prior assessment as to whether the proposed organization structure allows for effective supervision. EC6: The SSF verifies the financial status and creditworthiness of the shareholders representing more than 1 percent ownership. This includes the set of companies, business, properties and debts that affect them. Their equity must be at least equal to their pledged capital and they must demonstrate the legal source of the funds. Aspiring shareholders are subject to the following fit and proper criteria. They may not be (Art. 11, Bank Law): - in a state of bankruptcy payment or payment suspension; - sentenced for criminal acts, including narcotraffic or money laundering; - indebted for loans requiring a loan loss provision of 50 percent or more of the balance; - a former manager, director, administrator, official of a financial institution that was more than 20 percent undercapitalized, and - sentenced for a serious violation of the Bank Law or the SSF’s regulations The SSF indicated that it experiences some difficulties in identifying ultimate beneficial owners, especially for the international banks, for which it depends on the information provided by foreign supervisors (see CP5). EC7: During the first three years of their existence, new banks are subject to a 2.5 percent capital surcharge, in order to do justice to their higher risk profile (see EC3). EC8: Although the Bank Law does not separately address the fit and proper test of Board members and managers for start-ups, the general requirements of Art 33 of the Bank Law apply, which includes the following requirements: - The Board Chairman is required to have a minimum of five years of experience 29 in a managing position in a financial or banking institution. Executive directors, directors with executive positions and CEOs should have a minimum of three years of experience if they have the authority to grant loans. - No criminal record, no involvement in narcotraffic related crime or money laundering. - No previous conviction for serious crimes against financial laws and standards, particularly illegal deposit taking. - The incumbents may not have been involved as managers in financial institutions that were undercapitalized by 20 percent. They may also not be in a state of bankruptcy, or be debtors for delinquent loans requiring more than 50 percent provisions. The latter seems very generous. It would be preferable to demand that the incumbents are and have been current on all their loans. EC9: Although the Bank Law does not separately address internal controls, corporate governance and risk management requirements for startups, new banks are subject to the general requirements for existing banks. The SSF has however not yet issued specific regulation on these topics, in which the appropriate standards are elaborated in greater detail. The current legal requirement (Art 32 and 63) is rather general. It gives directors and managers responsibility for the sound administration of the bank and it requires banks to elaborate and implement policies and control systems that allow them to handle their financial and operational risks in a sound manner. The SSF does perform checks. However, in absence of well-defined standards, a clear norm has not been established. This also puts the SSF in a disadvantaged position to enforce its demands regarding internal controls, corporate governance and risk management on banks. EC10: The SSF reviews the organization structure, the financial projections of the start up, the commercial plan as well as the financial information of shareholders representing more than 1 percent ownership (see EC6)—their equity needs to be at least equal to their participation. Once the new bank has started operations, the SSF routinely checks during the first years of operation whether the financial outcomes are in line with the projections. EC11: Foreign banks intending to start banking activities in El Salvador are required to prove that the overseas operations are authorized, both by the headquarters of the bank and by the authority in charge of overseeing the bank in the country of origin (see Art 27 b). The SSF does not demand that the home supervisor conducts global consolidated supervision. EC12: the Bank Law does not address situations in which the licence was based on false information. It is therefore unclear whether this would allow the SSF to revoke the license of a bank that already has started operations. EC13: In absence of regulation on corporate governance and risk management, the SSF is not well-positioned to ensure that the Board has sufficient knowledge of the types of activities that the bank intends to pursue and the associated risks. Assessment Largely Compliant Comments The current Bank Law does not explicitly allow the SSF to revoke the license if based on false information. By lack of corporate governance regulation there is also no clear norm for start up banks to comply with. Principle 4. Transfer of significant ownership. The supervisor has the power to review and reject any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. Description EC1: The Bank Law defines two ownership thresholds. The first applies to individuals or legal entities aiming to obtain more than 1 percent of the shares of the bank, which 30 requires prior approval by the SSF. This entails a mandatory fit and proper test of the incumbents (Art 11). These owners also have to fill out a yearly declaration that they still meet the fit and proper criteria. The second threshold applies to owners that are seeking to expand their ownership beyond 10 percent of capital (Art 12), or to owners that can directly or through a joint agreement with other shareholders elect one or more directors. The SSF however indicated that the latter is not applied actively. Supervisory authorization is again required once the 10 percent threshold is exceeded (NPB 4-23, Art 4). These owners are subject to an enhanced monitoring regime, which besides the annual fit and proper declaration includes the yearly submission of audited financial statements to the SSF. EC2: See EC1. Prior supervisory approval is required only upon exceeding the 1 percent ownership limit. In the discussion with the assessors, the SSF expressed that it did not always manage to identify the ultimate beneficial owners of banks. Reflecting a very high degree of foreign penetration in the financial system, it relies on home supervisors to identify ultimate beneficial owners of the banks with sizable operations in El Salvador. The SSF has undertaken attempts to enhance the exchange of information on ultimate beneficial ownership with home supervisors. EC3: The current framework allows the SSF to reject applications when the 1 percent or 10 percent thresholds are exceeded. Once the 10 percent threshold is exceeded, the shareholders’ financial situation is also subject to an enhanced monitoring arrangement. In case their sworn annual declaration or audit reveal shortcomings (i.e. unfit according to the criteria in Art. 11 or insolvent), the rights of the respective shareholder cease. The latter only applies to shareholders owning more than 10 percent—the Bank Law does not mention similar sanctions for shareholders in the 1–10 percent bracket. There is no obligation on behalf of the shareholder to proactively inform the SSF of any material fact or circumstances affecting their suitability. The SSF indicated that in practice it is very rare to reject applications. EC4: Banks are required to keep an updated Book of Recorded shares, that registers ownership above the 1 percent threshold. Banks report to the SSF on a monthly basis. Reflecting a very high degree of foreign penetration in the Salvadoran banking system, the SSF reported difficulties in tracking down the ultimate beneficial owners of its banks. For those banks, it essentially has to rely on the work that the foreign supervisors are undertaking. EC5: The Bank Law and Regulation NPB 4-23 do not explicitly mention the SSF’s right to modify or reverse a change of control that has taken place without proper supervisory notification and authorization. NPB 4-23 (Art 14) mentions that the owners that do not meet the fit and proper criteria cannot exercise their shareholders rights. Assessment Largely Compliant Comments Shareholder who are in the 1–10 percent bracket and who are no longer considered fit should also have their shareholder rights frozen (as for shareholders owning more than 10 percent). In addition to the annual sworn declarations, shareholders should be required to proactively inform the SSF of any event arising in the course of the year affecting their suitability. The SSF should be allowed to annul unauthorized transfers of ownerships. Principle 5. Major acquisitions. The supervisor has the power to review major acquisitions or investments by a bank, against prescribed criteria, including the establishment of 31 cross-border operations, and confirming that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. Description EC1: Domestically, banks are allowed to invest in shares of companies that offer services that supplement a bank’s financial services (including capital corporations, currency exchange houses, stock exchange offices, credit card issuers, general deposit warehouses, firms providing goods payment, custody and transportation etc). The SSF’s authorization is required. The sum of the participation in loan capital, bonds and guarantees that banks may provide to their subsidiaries directly or indirectly may not exceed (i) 50 percent of the equity fund or (ii) 10 percent of the loan portfolio, whichever is lower. The sum of the participation in capital, loans or guarantees that banks may provide to subsidiaries in which they have a minority share, may not exceed 25 percent of its equity fund (Art 24 Bank Law). Salvadoran banks are allowed to carry out financial operations abroad through their subsidiary bank entities and offices, provided that the countries have prudential regulations and supervision that meets international standards. Prior approval by the Superintendencia is required. The total invested amount may not exceed (i) 50 percent of the equity fund or (ii) 10 percent of the loan portfolio, whichever is lower. In practice, it’s rare for Salvadoran banks to make major acquisitions requiring supervisory approval. EC2: The Law on Banks only establishes criteria by which to judge proposals involving foreign operations (Art 145 Bank Law). The SSF verifies the following requirements: - that the controlling company at the consolidated level and all member corporations comply with the solvency requirements - that the investment is justified according to economic feasibility studies - that the country in which the investment takes place has prudential regulation and supervision that meets international standards - that participating partners representing more than 10 percent ownership meet the fit and proper criteria (see BCP4) - that the license granted in the host country enables the bank to operate with the local public - that the Salvadoran supervisor has established a MoU with the host supervisor - that the statutes of the foreign entity allow the Salvadoran supervisor to exercise oversight and request information. Similar requirements apply to domestic proposals and are spelled out in Art. 6 of NPB 1-10. The underlying philosophy is that adequate oversight regimes are in place, as banks are only allowed to invest in companies that are offer related services (which for the most part are supervised). EC3: The supervisor assesses the economic feasibility of the proposal, but a risk assessment is not a legal or regulatory requirement, even though it is in practice demanded by the SSF. In the case of foreign operations the SSF verifies whether the 32 statutes of the foreign entity allow the Salvadoran supervisor to exercise oversight and request information. EC4: The Bank Law only partially addresses the financial capacity of the bank to handle the acquisition through the solvency requirements. Banks are to subtract their investment in subsidiaries from capital, while ensuring that the individual entities and the controlling company meet their respective solvency requirements. These requirements do however assess the financial capacity at the time of the proposal; it does not include a forward-looking risk analysis, nor does it address the likely impact of the materialization of risks on capital. The Bank Law is silent on the organizational capacity of the bank to handle the acquisition/investment. EC5: Supervisory approval is required in all cases involving major acquisitions. There is no threshold. EC6: The SSF relies on the capacity of the respective supervisors to assess the risks of non banking activities. A more proactive approach would however be helpful to ensure that the SSF has an integral view of all the risks to which the banking group is exposed. Assessment Largely Compliant Comments The Law or regulation should require banks to conduct a risk assessment, even though it is demanded in practice by the supervisor. The risk analysis should have a forward-looking character. The criteria should also include a check whether the proposed investment does not impede supervision. Principle 6. Capital adequacy. Supervisors must set prudent and appropriate minimum capital adequacy requirements for banks that reflect the risks that the bank undertakes, and must define the components of capital, bearing in mind its ability to absorb losses. At least for internationally active banks, these requirements must not be less than those established in the applicable Basel requirement. Description EC1: Art 41 of the Law on Banks stipulates that the ratio of capital over risk-weighted assets should be at least 12 percent. The Law sets out risk weights for different asset categories as well as a definition of primary and supplementary capital (Art 42). Primary capital consists of paid-in capital and the capital reserve. Supplementary capital includes retained earnings that are earmarked as capital (―utilidades no distribuibles‖; 100 percent), other retained earnings (―resultados de ejercicios anteriores (100 percent), earnings in the present year (50 percent)), utilidades no distribuibles retained earnings (100 percent), revaluations (75 percent), voluntary provisions (50 percent), convertible bonds (100 percent) and subordinated debt (100 percent). Supplementary capital may not exceed primary capital. EC2: The capital adequacy framework does not distinguish between domestic and internationally active banks. There are some inconsistencies between the definition of capital applied by the SSF and the Basel requirement, mainly with regard to the treatment of deductions from capital. Art 42 of the Law on Banks stipulates that only accumulated losses and participations in subsidiaries need to be subtracted from capital. It does not include intangible assets. After a recent takeover wave in the Salvadoran banking industry, goodwill has become the principal intangible asset, although one particular bank reported an unrealistically high software post under its capital (representing more than 7 percent of capital). Goodwill (and other intangible assets) are amortized over three years, as a result of which the relative importance of intangible assets will diminish over time. On the basis of the available financial information, it could not be assessed whether goodwill assets still represented a significant part of capital. Risk weights are consistent with Basel I and hence offer limited differentiation according to risk category. As an illustration: Sovereign risk currently has a 0 risk 33 weight (0–150 percent under Basel standardized approach) while all credits under the loan book are currently weighed at 100 percent. Also, there is currently no possibility to impose additional capital requirements for market and operational risk. EC3: The SSF has the authority to impose specific capital charges, but is quite restricted in doing so. It is authorized under the following cases: - New banks, which during the first three years of operation are subject to a 14.5 percent CAR (subject to yearly reappraisal after that). This regime currently implies to one recent start-up). 4 - Exposures to country risk: Total foreign credits above 75 percent of capital are subject to supervisory approval and imply an additional capital charge up to 2 percent. Since all banks are below the 75 percent threshold, this is not used in practice. - The SSF also has the authority, upon prior approval by the Central Bank, to impose a specific capital charge of up to 2 percent (art. 41 of the Law on Banks). It can only impose this capital charge in order to safeguard depositors’ interests. This clause is currently not being used, nor has it been used over the past few years. Also, this article is understood to be applied only in the context of a generic crisis affecting several banks at the same time. It would be helpful to grant the SSF greater discretion in imposing capital add-ons. The current conditions appear quite restrictive. EC4: Off balance sheet items are included in calculating the CAR, but a number of off-balance sheet items (Contingencies for guarantees and fianzas and guarantees fully backed up by deposits) receive 0 risk weight. The risk weight of guarantees depends on the rating of the guarantor (20 percent for AAA – A-; 50 percent below). Off balance sheet items account for 3.8 percent of the assets of the entire banking system. For a number of specific banks, this ratio amounts to 5 percent. Basel II implementation is currently being discussed among Central American supervisors, but is unlikely to take place over the next few years. In order to avoid regulatory arbitrage, the intention is to move ahead jointly. EC5: El Salvador’s capital requirement of 12 percent seems conservative compared to the 8 percent minimum CAR under Basel. However, this figure needs to be seen against a background of a liberal definition of capital, especially regarding the treatment of deductibles (see EC 1). EC6: The SSF has the authority to impose remedial actions in case a bank falls below the statutory minimum capital adequacy ratio (Art 76 – 78 Law on Banks; see also BCP 23, in which this is discussed in greater detail). It can impose regularization plans and restructuring plans, and it can order intervention and –ultimately- liquidation depending on the level of undercapitalization. When banks’ capital adequacy falls below 12 percent, but is still above 10 percent, it requires banks to submit a recapitalization plan (art 78). If capital falls below 10 percent it can demand a regularization plan, which entails a detailed set of measures authorized by senior management. It may also order a special audit. The remedial action framework was used for the last time in 2006. The particular 4 The ratio of foreign loans to capital may not exceed 150percent. 34 bank demonstrated imprudent lending behavior, leading the auditors to conclude that it was underprovisioned and prone to liquidity difficulties. The bank in question unsuccessfully reclaimed against the supervisory action for demanding excessive reserves. A regularization plan was imposed. Half the asset portfolio was sold (which was possible under the favorable market circumstances prevailing at the time). The remainder of the bank was bought acquired by a small foreign bank. EC7: El Salvador has not moved to Basel II implementation. Internal assessments of risk as inputs to the calculation of regulatory capital do therefore not apply to the country. Assessment Largely Compliant Comments The list of deductibles needs to be broadened to include intangible assets (including goodwill). The SSF should also be granted additional discretion in imposing capital add-ons, also with regard to the size of the add-ons. Principle 7. Risk management process. Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the institution. Description EC1: The SSF has not yet issued regulation spelling out detailed requirements and standards regarding risk management policies and processes. There is only a general reference in the Bank Law (Art 63), which obliges banks to put in place policies and control systems that allow them to handle their financial and operational risks in a sound manner. By lack of a standard, the SSF is at a disadvantage in addressing possible imprudent behavior. Regulation is under development. EC2: Although the majority of banks operating in El Salvador have such strategies in place – and the SSF looks into those strategies – the SSF cannot demand banks to establish risk management strategies as the corresponding regulation is lacking. Neither can it require major shortcomings to be redressed. In practice, the SSF notes considerable variety with regard to the quality of risk management. As a general rule, the bigger international banks have stronger risk management policies than the smaller local ones. Many of them can drawn on the expertise available elsewhere in the group. A particular bank that the assessors interviewed had various levels of decentralization for each risk area. Implicitly, the quality of risk management is taken in consideration in supervision. The SSF uses a CAMELS framework, with the quality of (risk) management allowing for mitigation of inherent risks. EC3: The assessors were provided with supervisory reports on a major bank in El Salvador, which confirmed that the SSF gives proper attention to the procedural aspects, especially regarding the requirements to inform the Board. However, the SSF has not provided guidance to the industry regarding the threshold amounts of loans requiring Board approval. Similarly, it has not established standards regarding limits for loans, other than the general large exposure limits. The large international banks have established their own policies and procedures, drawing on the expertise available further upstream in the banking group. However, this outcome was achieved because the respective banks chose to impose these restrictions on themselves as part of their overall risk management strategy, rather than by requirements of the SSF. EC4: The SSF is currently engaged in a transition process towards risk based 35 supervision. A review of the supervisory documents on a major bank and discussions with the SSF suggested that the SSF’s focus is primarily on checking whether procedures and policies are in place, rather than assessing whether these policies and procedures are adequate given the overall characteristics of the respective financial institution (e.g. size, complexity and risk profile). This would require a greater role for qualitative judgment in assessing the adequacy of risk management strategies, which as of yet plays a limited role. EC5 and 6: There are no requirements for banks to assess their overall capital adequacy in relation to their risk profile. Similarly, the SSF does not assess whether banks have economic capital models in place, nor does it assess their adequacy for those that have. EC7: Banks in El Salvador report their total exposures on a monthly basis to the SSF, on the basis of a database that is kept up to date. The exposures can be disaggregated to the level of individual loans and contain characteristics such as size, classification category, data on the debtor, purpose etc. The SSF checks whether the Board and senior management are periodically informed, typically once a month, but this is not a requirement. EC8: By lack of regulation on risk management, there is no requirement on banks to have policies and procedures in place that new products and major risk management initiatives are approved by the Board. Nonetheless, the SSF noted that most banks do require Board approval before launching new products. In some cases, products existing in other countries are launched in the El Salvador market, in which case lighter approval procedures apply. EC9: Again, there is no specific requirement on banks to separate front office and back office, but the SSF notes that all banks do in fact have separations between the front and the back office in place, which is routinely checked as part of its supervisory operations. EC10: The SSF has not yet issued regulation on credit risk, market risk, interest rate risk and operational risk. A considerable amount of regulation is under development, but is slow to be released. Establishing appropriate standards for these important risk areas is one of the most urgent challenges facing the SSF. As part of the overhaul of the Salvadoran supervisory landscape, the authority to issue regulation will be transferred from the SSF to the central bank. Assessment Materially Noncompliant Comments The quality of risk management processes in banks is likely to be better than the lack of risk management regulation suggests. However, the problem is that the SSF cannot enforce compliance because a standard is lacking. This concern applies to most of the risk areas that follow. Principle 8. Credit risk. Supervisors must be satisfied that banks have a credit risk management process that takes into account the risk profile of the institution, with prudent policies and processes to identify, measure, monitor and control credit risk (including counterparty risk). This would include the granting of loans and making of investments, the evaluation of the quality of such loans and investments, and the ongoing management of the loan and investment portfolios. Description EC1: Other than a general requirement for banks to put in place policies and control systems allowing for an orderly management of financial and operational risk (art 63) and a number of principles for granting credits (art 59), there is little specific guidance with regard to credit risk. Annex 1 of NCES 022 establishes that banks are obliged to establish policies and procedures for the granting, monitoring and documentation of credit risks. These policies need to be approved by the Board and be well- 36 documented, establishing amongst others principles for granting loans, loan approval procedures and documentation requirements. The Board is ultimately responsible to ensure compliance with the policies. 5 More detailed regulation on the matter is as of yet lacking . The lack of a regulatory framework implies that the SSF cannot use its remedial action framework in order to address non compliance. Given that credit risk is among the principal risk category in El Salvador, issuing detailed regulation is a priority area. In the discussions with the assessors, the SSF indicated that the large international banks in El Salvador have however established credit risk strategies, as they can make use of the risk management expertise available elsewhere in the group. The smaller banks have however been slower to follow suit. The assessors inspected supervisory reports that confirmed that the supervisor checked whether the board is informed on a regular basis about relevant policies regarding credit risk. On the basis of the available information it could not be assessed whether the supervisor also assesses whether the Board has a full understanding of the credit risk to which the bank is exposed, and whether it is sufficiently in control to manage credit risk adequately. EC2: Requirements for granting new loans are set out in general terms in NCES 022 and in Art 59 of the Law on Banks, which requires Salvadoran banks to make an assessment of the repayment capacity of the debtor in the loan application process. They also need to consider the payment and entrepreneurial capacity of applicants, as well as their moral standing, and present and future economic and financial status, for which they require the audited financial statements. The article applies to new applications and to restructurings of existing loans. In practice, banks demonstrate considerable variety with regard to threshold values for new loans requiring Board approval. Some banks have not established threshold values, and practices diverge for those that do. Although this may be justified on the basis of differences in business models and risk exposures, the SSF’s involvement with the suitability of the limits seems rather limited. Internal and external audits conduct periodic verifications of the problem asset portfolio, with particular emphasis on the adequacy of provisioning coverage. The SSF was generally satisfied with banks’ compliance with problem loan regulation (NCB-022). It does screen the classification and provisioning of individual loans and rarely notes infractions (see CP 9). Collateral in the form of deposits that can be easily withdrawn are not subject to periodic valuation. Residential property is revalued at least once per 48 months and commercial real estate at least once per 24 months. Depending on the classification category of the associated loan, collateral is valued at 50–70 percent. In practice it’s not unusual in El Salvador to have more than one mortgage on one single home, as long as the total value of the mortgages does not exceed the value of the underlying asset. The claims are registered at the Centro Nacional de Registro, and the various creditors are aware that they are not the only claimholders. The first mortgage lender needs to agree with the provision of the second mortgage. A somewhat complicated situation could arise in the rare case when a mortgage debtor defaults on the second mortgage loan (which is lower in seniority) but stays current on the primary mortgage. Collateral seizure will in that case require cooperation by the bank that owns the 5 The SSF has prepared a first draft. 37 current loan. This needs to be resolved on a case-by-case as there is typically no prior agreement between creditors on how to deal with such a situation. Banks provide the SSF on a monthly basis with data about their loan portfolio. The data are available on an aggregate and on an individual loan basis. The reported data are squared with the data that the SSF has on individual debtors (NPB 4-17). Banks also report all their contingent operations and other off-balance sheet items involving credit risk. Limits to credit to domestic counterparts are max 25 percent of capital with the excess over 15 percent collateralized. The limit for single credits to foreign counterparts is 10 percent of capital. There is a cap for total credits to foreign counterparts only. The sum of credits to foreign counterparts is 75 percent of capital, which may be raised to 150 percent upon supervisory approval. EC3: Dealing with conflicts of interests is only partly covered in the Law on Banks, which only stipulates that credit to related companies by management (i.e. a director fulfills a management function in the related company) need to be unanimously approved by the Board, in absence of the respective director. Other categories of related companies (i.e., companies in which directors have participations) are not covered by the Law. The SSF assessed that in practice banks follow the procedure of unanimous approval in absence of the respective director. This is verified on the basis of inspection of the Minutes. Nonetheless, it is recommendable to extend the procedure to the credit granting processes for all sorts of related companies. EC4: Art 31 of the Law on Banks provides the SSF with full access to information in the credit and investment portfolios, as well as to specific bank staff. Assessment Materially Noncompliant Comments The main priorities in this area are (i) Establishing detailed regulation (which is a necessary condition to establish a standard on the basis of which noncompliance can be addressed by the supervisor) and (ii) Further upgrading supervisory practices. Although the supervisors expend considerable resources on the review of credit portfolios, there is still scope for upgrading supervision of the suitability of the credit risk management activities. As the supervisors gain experience in the conduct of risk based supervision, it is anticipated that the credit risk area will be one of the first areas to be addressed, as it is an important risk and is a risk that is fairly well understood. The practice of multiple mortgages on one underlying asset requires monitoring. Principle 9. Problem assets, provisions and reserves. Supervisors must be satisfied that banks establish and adhere to adequate policies and processes for managing problem assets and evaluating the adequacy of provisions and reserves. Description EC1: The loan classification and provisioning regime is set out in detail in NCB-022, which became effective as of January 2007. Banks are required to classify all loans in the appropriate classification category, ranging from A to E, with a number of classification categories divided in subcategories. Only the uncollateralized fraction of the loan is subject to provisioning. In prescribing the classification and provisioning requirements, the SSF distinguishes between three different categories of loans (consumer retail, mortgage and corporate), each of them applying different classification criteria regarding the number of days overdue. The table below sets out the provisioning requirements per loan category. Banks report their problem asset portfolios on a three monthly basis to the SSF. Both cumulative and disaggregated data are available. In case a debtor has multiple debts to the same bank, the worst classification and provisioning category applies (Art 9), but this arrangement does not apply to a situation in which one debtor has various debts to multiple banks. Although beyond 38 the requirements of this CP, consideration may be given to introducing an element of co-movement in classification and provisioning for such a situation, also because the information to do so is available in the central de riesgo. Mortgage and consumer loans are classified exclusively on the basis of the number of days past-due. In the case of corporate loans, the bank is required to make periodic assessments of the debtor’s repayment capacity. If the repayment capacity is compromised, the loan needs to be put in a less favorable classification category regardless of the repayment behavior of the debtor (art 9 of NCB 022). Based on experience elsewhere, it is suggested to extend the mandatory reassessment of the debtors’ repayment capacity to the consumer and mortgage sector. Repayment capacity for the 50 largest corporate debtors needs to be reassessed at least monthly, while less frequent assessments are required for other loan categories. Overdue days per loan category Classification Provisioning categories levels Corporate Retail Mortgage A1 0 percent < 7 days < 7 days < 7 days A2 1 percent 7–14 days 7–30 days 8–30 days B 5 percent 15–0 days 31–60 days 31–90 days C1 15 percent 31–90 days 61–90 days 91–120 days C2 25 percent 91–120 days 91–120 days 121–180 days D1 50 percent 121–150 days 121–150 days 181–270 days D2 75 percent 151–180 days 151–180 days 271–360 days E 100 percent >181 days > 181 days > 361 days EC2: Internal audit performs a first round of verification of the portfolio of problem assets. External audit is also required to conduct a yearly verification (Art 32). It expresses its opinion on the portfolio of problem assets and the sufficiency of provisions. The SSF aims for 100 percent coverage, but this is not hardwired in regulation. Four times a year the supervisor receives detailed accounts of the problem loan portfolio (Art 30), which is both available on an aggregate and on an individual loan basis. The adequacy of specific provisions is assessed by comparing them to the total of loans that are more than 90 days overdue (―the cartera vencida‖; see NCB-005). A cross-check with bank data provided by the SSF indicated that for the banking sector as a whole, the coverage amounts to around 110 percent. There is however significant variation and a considerable number of banks do not meet the 100 percent informal threshold. The SSF reviews the development of the delinquent loan portfolio. The assessors were provided with an off-site analysis report of credit risk of a major bank. The report contained a descriptive stock-taking exercise of the development of (i) the cartera vencida as a percentage of the entire loan portfolio, (ii) NPLs as a percentage of the entire loan portfolio, (iii) provisions as a percentage of the entire loan portfolio and (iv) provisions as a percentage of required provisions. EC3 Art 4 of Regulation NCB 022 establishes that the regulation on non performing assets includes ―all assets that are subject to credit risk‖. It specifically mentions the example of contingent credits on loan classification. 39 EC4. The loan classification and provisioning requirements set out in NCB-022 are roughly in line with levels seen elsewhere, although loss recognition for mortgage loans seems comparatively slow. Availability of collateral and higher repayment discipline are the rationales for the more flexible classification and provisioning rules for mortgage loans. Banks are required to reclassify and raise the provisioning levels of specific debtors if the debtor’s repayment capacity is severely compromised, or when its repayment capacity is related to another weaker debtor, e.g. due to ownership, administration or business interconnections. Specific criteria for assessing the debtor’s repayment capacity are provided in Annex 3 of the regulation on problem assets (NCB 022; this includes indicators of returns, liquidity, indebtedness, cash flows etc). Even though these criteria leave open some room for different interpretations, the SSF was satisfied with banks’ compliance. This preemptive reclassification is only required for corporate loans: Consumer and mortgage loans are not subject to a similar requirement, nor are banks inclined to establish voluntary provisions for such eventuality. Inspection of on site and off site documents and discussions with supervisory staff confirmed that compliance with regulation on problem assets receives serious attention in ongoing supervision. According to the SSF, the validation processes by internal and external audit work well, and the SSF indicated that it only rarely needs to instruct banks to reclassify loans in a worse category or to raise provisions. However, some of the banks and the external accountants indicated that the banks and the SSF sometimes do have different views, especially regarding the classification of loans to corporate debtors, whose repayment capacity needs to be assessed continuously. Similarly, the SSF noted that compliance with requirements regarding restructured loans is satisfactory. Before honoring a request for restructuring, banks should apply the same criteria as those prevailing for applications for new finance (see also Art 59 de la Ley de Bancos; see also BCP 8), including documentation requirements. The debtor’s loan retains the same classification category, but an upgrade of one notch is possible. This requires that the debtor stays current on his interest and repayment obligations and provides a 5 percent repayment of the principal. Banks are required to keep detailed accounts of restructured loans, which are closely monitored by the SSF. If banks preemptively (i.e., in order to avoid repayment difficulties) decide to lower interest rate on account of ―macroeconomic factors‖, the loan will not be reclassified or considered as a restructured credit. EC5: See EC 3 and 4. The SSF devotes considerable resources to monitor compliance with problem asset regulation and notes that verification by the supervisor has indicated that compliance is generally satisfactory. Banks fully bear the losses for non performing assets that enter the ―irrecuperable‖ category. In practice, banks in El Salvador still try to recover their assets after the losses have been incurred (Art 8 and 13 of NCB 012 grants them with this right). EC6: The supervisor is informed every three months and receives monthly data for the 50 biggest corporate debtors. Information is available on an aggregate basis, but can also be broken down to individual loans. See EC1. EC7 The SSF does not have the authority to oblige banks to raise provisions over and above the requirements of the regulation, when the exposure to problem assets is a concern (NCB 022). 40 EC8: The SSF assesses whether provisions are sufficient to match loans that have fallen in the ―cartera vencida‖ category. This was confirmed in an offsite report that the assessors received that covered one of the major banks. However, the requirement is not hardwired in regulation and the SSF can therefore not resort to its remedial action framework to address noncompliance. The SSF can require additional provisioning only if specific loans are classified in a more favorable category than warranted on the basis of the corresponding regulation. EC9: The valuation of collateral is required to reflect the net realisable value. Collateral held in the form of deposits is valued at 100 percent. Real estate is valued at 50 percent–70 percent of the original value, depending on the classification category of the loan. Only mortgages are periodically valuated. Residential mortgages are valuated at least once per 48 months, while commercial real estate is valuated every 24 months (Art 16c of NCB 022). Valuations are conducted by certified specialists and are generally reliable. Deliberate misevaluation can result in loss of certification and is therefore not a material issue, according to the SSF. EC 10 Loans are considered impaired after more than 180 (corporate and consumer) or 360 (mortgage) days overdue. EC11: The Board is required to articulate an assessment about the sufficiency of provisions (Art 31, NCB 022). Although there are no specific requirements for informing the Board regarding problem assets, the SSF checks whether the Board is informed periodically. According to the SSF, the Boards of the bigger banks are generally well-informed. Standards in the smaller banks are however lower. The SSF typically doublechecks the minutes of the board meetings to assess whether the Board has taken note of the information. EC 12: See EC1. An enhanced reporting requirement is in place for the 50 largest corporate loans of a bank. The SSF receives monthly information about these debtors, which is both available on an aggregate and on an individual item basis. For other categories of debtors, reporting is on a three month cycle. The information can be disaggregated to an individual item basis. This was confirmed in a presentation in which the supervisors demonstrated the database to the assessors. Assessment Largely Compliant Comments The SSF currently lacks the authority to oblige banks to raise provisioning levels over and above the requirements of the regulation. This is the main shortcoming for full compliance with the core principle. Although not a requirement to achieve full compliance, consideration could be given to extending the mandatory periodic reassessment of the debtors’ repayment capacity that currently only applies to debt to the corporate sector to the consumer and mortgage sector. In case a debtor has multiple debts to the same bank, the worst classification and provisioning category applies (Art 9), but this arrangement does not apply to a situation in which one debtor has various debts to multiple banks. Consideration may be given to introducing an element of co-movement in classification and provisioning for such a situation, also because the information to do so is available in the central de riesgo.. Principle 10. Large exposure limits. Supervisors must be satisfied that banks have policies and processes that enable management to identify and manage concentrations within the portfolio, and supervisors must set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties. 41 Description EC1: Art 197 of the Bank Law and Art. 4 of NPB 4-36 allow the SSF to add up loans of various debtors as a single loan when there are facts that suggest that the loans granted to various debtors constitute one single transaction or credit risk. In practice, this clause is rarely put to use. It is used only in case of ―vinculación accionari a‖, i.e. ownership links between companies. EC2: Credits to a single Salvadoran party may not exceed 25 percent of capital, with the excess above 15 percent being subject to mandatory collateralization. Although these levels are common in the region, they seem on the high side. Credits to nonresidents may not exceed 10 percent of capital. The sum of total credits to nonresident may not exceed 150 percent of capital, with the excess above 75 percent subject to supervisory approval and additional capital requirements. The SSF applies a comprehensive definition of ―credits‖, which covers a wide range of exposures, including off-balance sheet items and other operations that represent a financial obligation (see Art 16 of NPB 4-36). Banks keep databases that allow for aggregation of loans on the basis of various criteria. The SSF routinely checks compliance with these limits by comparing these databases with the information available in the Central de Riesgo (see EC 3). EC3: Banks are required to set up units responsible for monitoring credit concentration risk (NPB 4-36, Art 5). The unit is to provide a monthly report to the Board, which is shared with the SSF. The assessors were provided with a short presentation on the SSF’s database. The database contains sufficient information to allow for aggregation of loans on the basis of various criteria (e.g. sectoral aggregation; aggregation on the basis of common shareholders). On the basis of periodic cross checks with the information available in the Central de Riesgo, the SSF indicated that it was broadly satisfied with the reporting standards by the sector. EC4: The Board receives monthly updates on the concentration of credit risks (EC3). The supervisor monitors compliance with the overall single party limits (EC1), but within these broad guidelines banks are free to establish their own policies and limits. Discussions with the SSF indicated that the SSF’s supervision in this area consists mainly of checks whether banks follow the procedural requirements, rather than checking whether strategies for managing credit concentration risk are adequate given the overall characteristics of the respective financial institution. EC5: Banks report to the SSF on credit concentrations on a monthly basis. It allows the supervisor to detect sectoral and currency exposures, but not geographical concentrations. Given the small size of the country, this is however not problematic. The SSF can only resort to remedial actions when the overall limits for exposures to a single party are exceeded. Assessment Largely Compliant Comments Without necessarily violating single party limits, banks may still be exposed to significant concentration risks. The SSF has the authority to aggregate individual exposures for which credit risk is linked, but should use it more vigorously. The SSF should take a more proactive role in discussing risk concentrations. The SSF should be able to require a reduction in concentration risks or a better management of these risks by challenging the adequacy of banks’ own internal limits on various types of concentration risks. Principle 11: Exposures to related parties In order to prevent abuses arising from exposures (both on-balance sheet and off-balance sheet) to related parties and to address conflict of interest, supervisors must have in place requirements that banks extend exposures to related companies and individuals on an arm’s length basis; these exposures are effectively monitored; appropriate steps are taken to control or mitigate the risks; and write-offs of such exposures are made according to standard policies and processes. 42 Description EC1: Laws (Art 204 of the Law on Banks) and regulation (NPB 3-09) distinguishes between various categories of related parties. Parties may be related by ownership (i.e. when banks’ senior management or board plus their direct relatives and spouses own more than 3 percent of the common shares of the company) or by administration (i.e. when senior management/board members fulfilling similar functions in another company). The following are considered related companies: - Companies in which a related shareholder of the bank owns 10 percent or more of the voting shares. - Companies in which a director or manager of the bank owns more than 10 percent of the voting shares - Companies in which two or more directors or managers jointly hold more than 25 percent of the voting shares - Companies that have common shareholders with a bank, in which the common shareholders, jointly possess at least 25 percent of the voting shares and 10 percent or more of the shares of the bank in question. - loans granted to borrowers or groups of borrowers against preferential terms or of a size disproportionate to the debtor's assets or its ability to pay; To determine the percentages above, the shares of relatives within the first degree of consanguinity and spouses are added to the equity of the shareholder, director or manager. The above needs however to be seen against a background of the difficulties noted above in identifying ultimate beneficial ownership. Related parties may not always be recognized as such. Art 206 of the Law on Banks grants the Superintendencia some discretion in identifying related parties, although this discretion is not used in practice: - loans granted to borrowers or groups of borrowers, without adequate information; - credits granted to borrowers or groups of debtors by reciprocity with another financial institution; - The debtors have business relationships and management of such a nature that allow permanent influence on each other or persons involved, in any form, in granting loans and - There are facts suggesting that loans to one person will be used for the benefit of another. The SSF keeps a database of related parties, which was shown to the assessors. Existing related parties need to send a sworn declaration every year, those who become related party in the course of the year are included at that time. On site inspection compares the data of the sistema with bank level data. There is a doublecheck. It is rare to find that banks do not report all related parties. Banks sometimes exceed the maximum level for total loans (5 percent of capital), in which 43 case art 207 allows for fines. The SSF also indicated that following the arrival of foreign banks with foreign managers (who typically would not have debts to Salvadoran banks) helped to reduce the problem. EC2: Art 203 of the Law on Banks states that loans to related parties may not be provided against preferential terms (terms, rates, collateral requirements) than similar transactions with third parties. Banks do however offer loans against more favorable terms to their own staff. In determining whether terms are preferential, current market rates are taken as a reference. Checking this is a very labor-intensive process. The SSF performs random checks, with emphasis on the largest related party exposures as reported in the related party information system. Occasionally, the SSF cross checks with the Central de Riesgos. External audit is required to make an assessment of the total of exposures to related parties (Art 205 and Art 21b del NPB 2-05). EC3: Art 29 of NPB 3–09 require that all loans to related parties need to be approved and ratified by the Board or equivalent organ in order to ensure compliance with legal requirements. There are no special requirements in place regarding the write-off of loans to related party. The general requirements of NCES-022 apply, which states that the Board needs to approve the restructuring and discharge of loans. Similarly, there are no special requirements in place regarding the monitoring of delinquent loans to related parties. EC4: The legal framework only gives consideration to the loan approval process for related parties by administration, i.e. companies where the bank’s directors and senior management’s fulfill senior function. In case of loans to related parties by administration, the Board needs to authorize, without the presence of the interested Board member. There is however a need to extend this clause to other categories of related parties, including by ownership. EC 5: Art 203 of the Law on Banks states that total loans to related parties may not exceed 5 percent of the sum of paid-in capital plus reserves, which is stricter than the limits for single counterparties. The law does not differentiate between collateralized and uncollateralized loans, but loans that are backed up by 100 percent of deposits do not count as related party loans. Loans to related parties are not subtracted from capital (see CP 6 on Capital Adequacy) unless provided to a subsidiary. EC6: In line with Art 26 of NPB 3-09 banks keep an updated register with credits to related parties. The register is shared with the superintendencia on a monthly basis and it can be disaggregated to an individual loan basis. External audit also assesses total exposures to related parties on a yearly basis. There are no requirements to deal with exceptions to policies, processes and limits. The supervisor checks whether the Board is updated regularly on related party exposures. However, reflecting the incipient transition towards risk based supervision, there is little scrutiny on behalf of the supervisor whether the arrangements are adequate and whether the Board and management have a thorough understanding of the risks posed by related party transactions. EC7: See EC 1 and 6: Banks report their related party exposures on a monthly basis to the SSF, which keeps an updated register of related party transaction. Assessment Largely Compliant Comments It is suggested to establish enhanced monitoring requirements for the Boards of banks regarding delinquent loans to related parties. Laws and regulation should be made more specific regarding conflict of interest in granting new loans. In case of loans to related parties by administration, the Board needs to authorize, without the presence of the interested Board member. There is however a need to extend this clause to other categories of related parties, including by ownership. 44 Principle 12: Country and transfer risks Supervisors must be satisfied that banks have adequate policies and processes for identifying, measuring, monitoring and controlling country risk and transfer risk in their international lending and investment activities, and for maintaining adequate provisions and reserves against such risks. Description EC1: Country risk is one of the few risk areas for which the SSF has issued regulation, which was required by the Consejo Centroamericano in 2003 (NCES 02). Country risk is defined as the sum of sovereign, political and transfer risk. The respective regulation applies to all assets and rights (i.e., also off-balance sheet items) granted outside the country. Liquidity reserves are excluded, as are participations in foreign subsidiaries (see Art 23 and 144 of the Law on Banks). Senior management is responsible for ensuring appropriate diversification and establishing limits per country (see Art. 197 of the Bank Law). Art 7 of NCES 02 sets out the requirements regarding the identification, measurement, monitoring and control of country and transfer risk. It requires banks to identify exposures on a per-country basis and to provision on the basis of long term sovereign credit ratings or internal models (which Salvadoran banks are not using). Provisions for country risk are additional to other mandatory provisions (e.g. for credit risk). Other than the general large exposure limits (10 percent of capital max per foreign credit; sum of foreign credits may not exceed 150 percent of capital6) there are no supervisory requirements to establish country-specific limits. EC2: Banks are required to set up administrative units responsible for controlling and monitoring country risk, which should report at least once a month to the Board. Banks are required to have information systems, risk management systems and internal control systems in place that accurately keep up-to-date data on country-specific exposures. There is however no supervisory guidance regarding the establishment of appropriate country-specific limits other than the general single party limits (see EC1). EC3: Minimum provisioning levels for country risk may be based on the long term sovereign ratings by the main rating agencies, or based on internal models (provided that the use of the latter does not allow for lower provisioning). Salvadoran banks in practice use the ratings. Provisions for country risk are additional to other mandatory provisions (e.g. for credit risk). EC4: An administrative unit responsible (art 6b of NCES 002) for controlling and monitoring country risk needs to be established, which should report at least once a month to the Board. This includes an assessment of the adequacy of provisions. Information on per-country exposures should be kept up-to-date. Internal and external audits and the SSF should be provided with sufficient information in order to assess exposure to country risk. Assessment Compliant Comments Principle 13. Market risk. Supervisors must be satisfied that banks have in place policies and processes that accurately identify, measure, monitor and control market risks; supervisors should have powers to impose specific limits and/or a specific capital charge on market risk exposures, if warranted. Description C1: The market risk unit within the Risk Division (RD) has 4 supervisors who conduct evaluations of the market, interest rate and liquidity management policies and processes of Salvadoran Banks. A report containing its main findings and requirements is submitted by the SSF to the Board of Directors of the Bank. The assessors had access to a sample of these reports and observed that the SSF stresses the importance of having an 6 Above 75 percent supervisory approval is required. 45 appropriate organization to manage this risk, having internal policies and processes and are subject to appropriate Board and senior management oversight. The supervision of risks is at an early stage and reports generally do not comment on the adequacy of policies and practices. While large foreign banks have developed systems for managing this risk, the small local and regional banks are behind in this respect. The absence of a regulation defining a minimum standard for managing this risk will hinder the capacity of the SSF to enforce the necessary improvements in these banks. The legal framework in this regard is limited to one general article in the BL (art. 63) stating that banks are required to approve and implement policies and control systems to manage adequately their financial and operational risks. Foreign exchange risk is very limited, since El Salvador uses the dollar as its legal tender and banks do not hold assets or liabilities in other currencies. Market risks arising from investments in securities are mainly limited to their holdings of Central Bank and government bonds, since corporate bonds issuance in the local market is almost nonexistent, investments abroad are very low and investments in stock are prohibited. Operations with derivatives are also few and not significant, and mostly carried out by the foreign parent or affiliate companies of the large international banks. C2: The market risk unit verifies that the bank has set market risk limits for market risk and that these limits are approved by the Board and adhered by management. The evaluation is conducted onsite and generally does not comment on the adequacy of these limits. The SSF has issued a regulation establishing that the mismatches between foreign currency assets and liabilities cannot exceed 10 percent of own funds. With the exception of the reporting to verify compliance with this regulation, the SSF does not receive adequate information to conduct an off-site assessment of banks’ market risks. C3: The SSF has not issued a regulation on market risk management and, while the supervisory framework is ahead of the regulation in reviewing policies, systems and controls, enforcement cannot be assured. Additionally, the supervisory processes are relatively new and supervisors need further training for these processes to be effective. The accounting standard for investments requires banks to value them at the lower between purchase price and market price. C4: The SSF does not require that banks perform scenario analysis, stress testing and contingency planning and periodic validation or testing of the systems used to measure market risk. The SSF does not have a framework to verify that the approaches are integrated into risk management policies and processes, and results are taken into account in the bank’s risk-taking strategy. Assessment Materially Noncompliant Comments There is a draft regulation on market and interest rate risks, pending internal review at the SSF. While the supervisory framework is ahead of the regulation in that the market risk unit of the SSF reviews policies, systems and controls, there is limited enforcement capacity without a regulation. Additionally, the supervisory processes are relatively new and supervisors need further training for these processes to be effective. The accounting standard for investments requires banks to value them at the lower between purchase price and market price. Market risks appear to be lower than other risks. Foreign exchange risk is very limited, since El Salvador uses the dollar as its legal tender and banks do not hold assets or liabilities in other currencies. Market risks arising from investments in securities are mainly limited to their holdings of Central Bank and government bonds, since corporate bonds issuance in the local market is almost nonexistent, investments abroad are very 46 low and investments in stock are prohibited. Operations with derivatives are also few and not significant, and mostly carried out by the foreign parent or affiliate companies of the large international banks. Principle 14. Liquidity risk. Supervisors must be satisfied that banks have a liquidity management strategy that takes into account the risk profile of the institution, with prudent policies and processes to identify, measure, monitor and control liquidity risk, and to manage liquidity on a day-to-day basis. Supervisors require banks to have contingency plans for handling liquidity problems. Description C1: The SSF has issued various regulations requiring banks to hold a minimum ratio of liquid reserves and stipulating the reporting for this purpose (NPB3-06, NPB3-08, NPB3- 10 and NPB3-11). The SSF verifies compliance with these regulations through offsite reporting by banks and onsite examinations. However, the SSF has not set guidelines or regulations on liquidity risk management by the banks. C2: The following comments of the supervision of liquidity risk management are based on the assessors’ review of selected onsite reports prepared by the market risk unit. These reports include a review of the banks liquidity management strategies, policies and processes, focusing mainly on verifying that these have been approved by the Board, that the Board receives reports on liquidity risks and that the approved policies and processes are implemented by management. C3: The market risk unit verifies that a bank’s senior management has established policies and processes to monitor, control and limit liquidity risk and implements such policies and processes. However, the supervisory process for assessing the adequacy of these strategies, policies and processes has not been implemented. C4: The SSF has not established requirements regarding policies and processes for the ongoing measurement and monitoring of net funding requirements. C5: The regulation NPB3-07 on foreign currency mismatches allows the SSF to obtain detailed information on foreign currency assets and liabilities. The US dollar is the legal tender in El Salvador, and very few operations are carried out in other currencies, thus there are no Salvadoran banks carrying out significant foreign currency liquidity transformation. C6: The market risk unit verifies that banks have contingency plans in place for handling liquidity problems. However, there is no regulation requiring this. Assessment Materially Noncompliant Comments The SSF has not issued a regulation on liquidity risks and therefore there are no formal requirements regarding policies and processes for the ongoing measurement and monitoring of net funding requirements, stress testing and contingency plans. While the market risk unit conducts a review of banks liquidity policies, systems and contingency plans, the absence of clear guidelines will hinder enforcement of the supervisory recommendations. Currently there is abundant liquidity in the system, but just a year ago there were liquidity concerns and this is a very important risk for the Salvadoran banking system. Principle 15. Operational risk. Supervisors must be satisfied that banks have in place risk management policies and processes to identify, assess, monitor and control/mitigate operational risk. These policies and processes should be commensurate with the size and complexity of the bank. Description C1, C2 & C3: The operational risk unit of the RD has only 2 supervisors to conduct an assessment of banks operational risks and management. The supervisory framework for these risks has not yet been fully developed and the SSF has not issued regulation providing a benchmark against which banks are to be measured. The only regulatory framework is Art. 63 of the BL, which requires that banks approve and implement 47 policies and control systems to manage adequately their operational risks. The operational risk unit has conducted a first onsite review of operational risk management in seven banks and the SSF has submitted a report with observations and areas of improvement. The reviews have focused mainly on verifying that the responsibility for managing this risk has been assigned at the proper level and with adequate segregation of functions and independence, that bank boards have approved policies to identify and manage the various operational risks and that these policies are adhered to by management. Banks have generally not conceptualized this risk and do not have a proper framework to control it. Follow up on the implementation of these observations has not yet been carried out. C4: The operational risk unit verifies that banks have business continuity and contingency plans to satisfy itself that the bank is able to operate as a going concern and minimize losses. However, the SSF has not issued a regulation establishing the minimum elements of these plans, so the banks and the examiners do not have a benchmark against which banks’ plans are judged. C5: The SSF has not issued regulation on information technology, in spite of the existence of a draft prepared 4 years ago by the SSF IT specialists. The CD has a team of 5 information technology auditors who have received training on audit of financial institutions and conduct IT reviews following the IT supervisory guides prepared by a consultant. The IT supervisory guides focus on the following aspects: information security, IT development, business continuity and contingency planning and outsourcing. As with other risks, the enforcement capacity of the observations is limited in the absence of a formal regulatory framework. C6: The SSF has not issued regulation requiring that appropriate reporting mechanisms are in place to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. C7: The operational risk unit is supported by a legal expert to verify that legal risk is incorporated into the operational risk management processes of the bank. However, adequate frameworks to manage legal risks have not been implemented in most banks. C8 & C9: The operational risk supervisors during their onsite visits have reviewed that banks have policies to assess, manage and monitor outsourced activities. According to SSF staff, the onsite teams have also selectively reviewed the outsourcing contract for those services considered important. However, the reports that the assessors reviewed did not contain information on the reviews of out-sourced activities. According to the SSF staff, outsourcing operations and information systems is not a common practice. Outsourced activities are generally associated with the distribution of documents, the collection of delinquent loans and the register of collateral. Assessment Materially not compliant Comments The supervisory framework for these risks has not yet been fully developed and the SSF has not issued regulation providing a benchmark against which banks are to be measured. Draft regulations on Operational risks and a specific norm on IT risks are pending the internal review within the SSF and industry consultation. The operational risk unit of the RD has only 2 supervisors to conduct an assessment of banks operational risks and management. Additional staff and specialized training on these risks are needed to effectively supervise these risks. Principle 16. Interest rate risk in the banking book. Supervisors must be satisfied that banks have effective systems in place to identify, measure, monitor and control interest rate risk in the banking book, including a well defined strategy that has been approved by the Board and implemented by senior management; these should be appropriate to the size and complexity of such risk.. 48 Description C1: Since June 2008, the market risk unit of the RD started conducting onsite reviews to verify that the Board approves the policies and processes for the identification, measuring, monitoring and control of interest rate risk and also to verify that these are implemented. All banks, with the exception of the 2 state owned, have undergone such a review and have received a report with a list of observations. Banks have submitted action plans to implement the SSF recommendations, but follow up of the implementation of these plans is pending. As with the other risks, the absence of a regulation will hinder the capacity of the SSF to enforce improvements in the relatively small local and regional banks. The large international banks have implemented the systems in place in their parent companies and supervisory reports reveal a few formal observations that the banks have received favorably. The offsite verification of interest rate risks is also limited by the absence of a regulation on this risk, because the SSF does not receive a repricing gaps report to monitor this risk. Off site monitoring is limited to reviewing the volatility of interest rates reported by banks. The draft regulation on market risks, which is pending internal discussion at the SSF and industry review, provides guidelines for the management of interest rate risks, including stress testing, and includes reporting requirements that would allow the SSF to monitor this risk. C2: The SSF staff has stated that only the subsidiaries of large international banks have in place interest rate risk measurement systems. There has been no such requirement for the smaller banks. C3: The SSF has not required that banks periodically perform appropriate stress tests to measure their vulnerability to loss under adverse interest rate movements. These are included in the draft regulation on market risks that is pending approval. Assessment Materially Noncompliant Comments The SSF has started to look at this risk, but the supervisory processes are relatively new and the implementation by banks of the SSF observations has not been carried out. The lack of a regulation limits the capacity of the SSF to monitor this risk offsite and will hinder the capacity of supervisors to enforce the implementation of the SSF observations. Principle 17. Internal control and audit. Supervisors must be satisfied that banks have in place internal controls that are adequate for the size and complexity of their business. These should include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. Description C1: The BL (article 32) establishes the oversight responsibility of Directors to ensure that the deposits from the public are managed with criteria of honesty, prudently and efficiently. They are responsible to ensure that management of their bank is conducted abiding to laws, regulations, instructions, and internal norms. Article 63 stipulates that banks are to have and implement policies and control systems to adequately manage financial and operational risks. According to the same article, these policies have to be presented to the Board for approval. Both articles are rather general and there are open for interpretation regarding the direct oversight responsibility of the Board with respect to the internal control system. Moreover, the SSF has not issued a regulation that establishes specific responsibilities for the members of the Board and defines the elements of an effective internal control system of the bank’s entire business. C2: The onsite exams reviewed by the assessors included an evaluation of internal controls, with specific observations and requirements for the banks. The evaluation 49 seeks to ensure that the internal controls are adequate that there is effective oversight of the Board. The evaluation includes: organizational structure (definition of responsibilities, clear delegation of authority, and separation of critical functions), checks and balances, control policies and practices in various areas and activities of the bank (e.g. cash reserves, expenses, fixed assets). C3: Articles 32 and 63 combined could be interpreted as placing the responsibility for the control environment on the Board and senior management of the bank. Also, the regulation on internal audit (NPB2-04) establishes that the internal audit is responsible for verifying that internal controls are adequate and that internal audit reports to the Board. However, the two articles in the BL are rather general and are open for interpretation regarding the direct oversight responsibility of the Board with respect to the internal control system. Moreover, the SSF has not issued a regulation that establishes specific responsibilities for the members of the Board and defines the elements of an effective internal control system of the bank’s entire business. In practice, however, the SSF does require the Board to conduct an oversight role to ensure that there is an adequate control environment and to be properly informed on the risks in their business. C4: The SSF has the power to require changes in the composition of the Board and senior management only during a regularization process (the first step into the bank resolution processes) and when they have fallen under the impediments to become directors or managers (art. 33 of the BL). The SSF does not have powers to require these changes to address any prudential concerns related to the satisfaction of the criteria for an effective internal control environment. C5: During the evaluation of internal controls conducted during regular onsite inspections, supervisors assess the appropriate segregation of duties between the back office and control functions relative to the front office/business origination. However, not a lot of attention is paid to the adequate balance of resources between these two areas. C6: The SSF ensures that there is a permanent compliance function associated with the prevention of money laundering and terrorism, that the compliance function is independent of the business activities and that the Board exercises oversight of the management of this function (see CP 18). However, there is no requirement that the Compliance function have a broader role in ensuring compliance of other laws and regulations and that it assists management in managing effectively the compliance risks faced by the bank. C7: The SSF has issued regulation NPB2-04 that requires that banks have an independent, permanent and effective internal audit function. Article 5 of this regulation states that the main objective of the internal audit function is to oversee permanently the bank, using generally accepted audit techniques, oriented to minimize risks and important errors in the financial statements; and verify that accounting and administrative operations, policies, controls, methodologies, and procedures be those approved by the entity and complying with laws and regulations. The regulation (Annex 1) has a list of functions that are recommended to achieve these goals. The regulation does not refer to the adequacy of these relative to the bank’s business. The review of the audit function, focusing on compliance with this regulation, is a regular activity of onsite examinations. C8: The regulation NPB2-04 states that the Board of Directors is responsible for ensuring that the internal audit unit has the human and other resources necessary to comply with its role adequately and effectively (article 13). Article 3 states the qualifications of the chief of the internal audit unit. Article 8 requires that the audit plan, that has to be submitted to the SSF, include information on the resources available in the unit and the resources required to achieve each objective of the audit plan. 50 Article 2 states that internal audit must report directly to the Board of Directors, to ensure the necessary independence of its controlling function. The decision to layoff or transfer the chief internal auditor can only to be taken by the Board of Directors, expressing the reasons in the Board minutes and communicating them within 5 days to the SSF (article 4). The audit plan is required to determine the critical and important areas of the bank and to establish the level of audit risk for each category of the financial statement (article 7). All these aspects are verified during the onsite review of internal audit. While the regulation does not require that internal auditors has full access to any member of staff an any records, files or data of the bank and its affiliates, or to the outsourced functions, the SSF staff indicated that onsite examiners also verify that this is true. During the review of the internal audit plan, the onsite examiners asses the relevance of the planned reviews and the resources allocated. These reviews generally take place during the onsite exam. Assessment Largely Compliant Comments The BL is rather general and the wording could be open for interpretation regarding the direct oversight responsibility of the Board with respect to the internal control system, especially in the absence of a regulation on corporate governance that spells this out. Assessors had access to a draft regulation on corporate governance that spells out the functions of the Board and addresses this flaw. Approval and full implementation of this regulation would address the main weaknesses in the supervision of internal control and audit. The compliance officer should have a broader role, not only be circumscribed to ensuring compliance with AML and terrorism finance. Principle 18. Abuse of financial services. Supervisors must be satisfied that banks have adequate policies and processes in place, including strict ―know-your-customer‖ rules, that promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities. Description C1: The AML/CFT legal framework is mainly made up by the following elements: • Laws: 1) Legislative Decree Number 498 issued on December 1998 or ―Anti- Money Laundering Law‖ (AML Law); 2) Legislative Decree Number 108 issued on September 2006 or ―Special Law Combating the Financing of Terrorism‖ (CFT Law). ―Regulation of Anti-money Laundering Law‖. Decree of the President of the Republic No. 2 dated January 31, 2000 (AML Decree). • Regulations: ―UIF Instructions‖ (Agreement 356 dated 2001, of the Attorney General´s Office of the Republic). These regulations contain details of AML/CFT obligations for financial institutions. According to these laws, the SSF has the responsibility of supervising compliance with AML/CFT laws and regulations by its supervised financial institutions. However, the SSF is not empowered to issue regulations in terms of AML/CFT -such power is entrusted to UIF. The SSF has issued guidance regarding this matter, which is contained in various Circular letters. Circular Letter No. IS-55072 dated December 9, 2004 instructs Banks on the application of 40 + 8 recommendations of FATF, in order to implement controls, policies and monitoring, making emphasis on fund transfer operations and pretending to include issues related with PEPS. Additionally, the SSF has issued various circular letters on specific topics, including the implementation and control of policies and monitoring of operations with entities without profit, cybernetic terrorism, and funds transfer operations; and the prohibition to open deposit accounts of clients domiciled abroad. C2: Article 4 of the AML decree requires that banks adopt, develop and implement 51 programs, internal norms, procedures and internal controls to prevent and detect activities related with money laundering and financing of terrorism. It is required that they adopt an adequate KYC policy (according to detailed requirements listed in the UIF Instructions), to have a procedures to ensure a that their staff has a high level of integrity and adequate training to detect irregular and suspicious transactions, establish procedures to immediately inform the UIF of these transactions and appoint a person in charge of communicating these transactions to the UIF and have an internal audit system capable of verifying compliance with the laws and UIF instructions. The units in charge of implementing and monitoring this framework are required to have sufficient human and material resources and authority to comply with their functions. Banks are also required to keep the necessary confidentiality regarding all the information transmitted or required on the basis of this framework. C3: Article 9 of the AML Law stipulates that, in addition to reporting to the UIF, banks must report to the SSF suspicious activities and incidents of fraud when they are material to the safety, soundness or reputation of the bank. Onsite supervisors keep statistics of these reports and use the frequency of the reports relative to the banks size and transactions as one of the tools to assess the effectiveness of their detection and reporting systems. During 2009, banks reported to the UIF 560 suspicious transactions, while credit card companies and non bank financial institutions reported 54 and 13 of these transactions respectively. These reports involved transactions for a total of US$ 139 million and involved 700 personas naturales and 90 personas juridicas. C4: Onsite supervision reports examine the ―know-your-customer‖ (KYC) policies and processes to verify that they are well documented and known by all relevant staff. Examiners selectively review customers’ files and interview staff in risk key points to ensure that they are aware of these procedures. KYC requirements include: customer identification, verification and due diligence program, policies and processes to monitor and recognize unusual or potentially suspicious transactions, particularly of high-risk accounts; clear rules on what records must be kept on consumer identification and individual transactions and a five year retention period. There is, however, no requirement regarding a customer acceptance policy that identifies the relationships that the bank will not accept. C5: There are no requirements that banks have enhanced due diligence policies and processes regarding correspondent banking. According to the SSF, the large international banks have such policies. C6: The Reputational Risk Unit (RRU) of the SSF, which has 4 supervisors, conducts periodic onsite exams of the AML/CFT policies, practices and control systems. These exams focus on compliance with the above mentioned legal framework on AML/CFT, including KYC policies and procedures, policies and to prevent and detect criminal activity, and report of such suspected activities to the UIF. The assessors had access to a very detailed questionnaire that the RRU uses to assess the adequacy of the compliance unit function and to one of these exams. The exam examined the compliance unit (CU), its work plans, its reports, including suspicious transactions reports and cash reports, and provided detailed observations and recommendations for improvements. The reported observations included, for instance, files with insufficient information that violates the KYC requirements and weaknesses in the risk analysis of some customers. C7: The SSF has issued sanctions for lack of compliance with the AML/CFT framework, and has communicated these sanctions and violations to the UIF and, the cases that could be criminal, to the Prosecutors office. The UIF, in turn, does not have the power to issue administrative sanctions to institutions supervised by the SSF, but has powers to initiate criminal prosecution. 52 C8: The Appendix of the UIF Instructions require that internal and external auditors include a review of compliance of the above mentioned control systems. The SSF have access to their reports, and uses this information in their own evaluations of compliance with the AML/CFT regulatory framework (see CP 17 and 22). Chapter VIII of the UIF, refering to the role of the Compliance Officer (CO) in the AML/CFT prevention and control system of financial institutions, clearly indicates that the CO must have a management level, be apointed by the Board, be independent and capable of taking decisions. Article 11 lists the faculties and responsibilities of the CO, which include the responsibility for controlling the compliance with AML/CFT, receiving and investigating the information on suspicious transactions and reporting them to the UIF. Article 10E of the AML Law requires that bank staff is adequately trained on KYC and methods to detect suspicious activities and abide by high ethical and professional standards. The SSF reviews compliance with all these during their onsite inspections. C9: The RR unit, during its onsite reviews, verifies that banks have clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to the compliance unit. The supervisors also comment on the limitations of information systems to provide the CU with sufficient information on such activities. C10: Article 4 of the AML Law states that the persons who inform on criminal activities related to the AML Law, to the relevant authorities in a timely manner, will not incur in any personal responsibility and cannot be held liable. C11: Article 8 of the AML Decree requires that the SSF inform the UIF and of any suspicious transactions within 3 days of being informed. In addition, the SSF is required to share information with the judicial authorities and submit to the Prosecutors office any information that has come to its knowledge, which may have criminal implications. According to the SSF staff, in compliance with this, the SSF has submitted several reports to the General Prosecutors office and to the UIF. C12: Articles 6 and 9 of the AML Decree, establish that the SSF is required to cooperate with the local UIF and Prosecutors Office. The SSF can also cooperate with foreign supervisors, on issues related to supervision matters, as long as they do not involve violating the secrecy laws (on deposit information). If foreign supervisors require information that is subject to secrecy laws, the SSF will cooperate by contacting the UIF or the Prosecutors Office and assisting the foreign supervisor with the necessary legal procedures to obtain the required information. Assessment Largely Compliant Comments The regulatory framework is limited to regulation issued by the UIF and general circular letters issued by the SSF. Gaps in regulation include the following: there is no requirement regarding a customer acceptance policy that identifies the relationships that the bank will not accept; there are no requirements that banks have enhanced due diligence policies and processes regarding correspondent banking. Principle 19. Supervisory approach. An effective banking supervisory system requires that supervisors develop and maintain a thorough understanding of the operations of individual banks and banking groups, and also of the banking system as a whole, focusing on safety and soundness, and the stability of the banking system. Description C1: In 2008, the SSF reorganized its structure to implement a more risk oriented supervision. Under the new structure, two Departments have responsibility for the supervision of Banks and Banking Groups. The main supervisory responsibilities are with the Risks and Conglomerates Department (RCD), albeit the Financial Development Department (FDD) has some responsibility for off-site supervision and is responsible for the overall analysis of the financial system. The FDD produces a set of CAMELS indicators that is the basic input for the analysis conducted by the RCD. The Risk 53 Division (RD) within the RCD establishes the ―inherent risks‖ of banks and banking groups and conducts an onsite exam to assess the risk management policies and procedures of banks and banking groups and to establish the extent to which these mitigate the ―inherent risks‖. The outcome of this process is an internal supervisory report that includes ratings for each of the risks in all banks and identifies areas of concern that need further examination by the Conglomerates Division (CD) of RCD. The report also makes recommendations for the improvement of risk management. Currently, only this section of the report is handed to bank management but, after a period of internal testing, the SSF plans to hand banks a complete report including their ratings. The RD report is a key input for the planning of onsite examinations by the CD. C2: The FDD conducts an analysis of the overall banking system and produces a set of CAMELS indicators for all banking institutions. The main elements of this analysis are included in an internal SSF report that is presented to the Board of the SSF. The report includes indicators for the insurance sector and the non-bank financial institutions supervised by the SSF, but it does not cover financial institutions that are not supervised by the SSF. The SSF maintains frequent contact with the supervisors of the securities markets and pensions administrators, and follows these sectors through the reports of these supervisors in the various financial sector coordination committees that meet regularly. However, part of the cooperative sector is unsupervised and information on this sector is scant and incomplete, so the SSF does not have an assessment of the relevance of this sector and the risks that it could pose for the financial system. C3: The SSF supervisory process is guided by two supervisory manuals (onsite and offsite) drafted in 2008. The process includes an assessment of key risks, including: credit, liquidity, market, operational and reputational risks, conducted by the RD. It also includes an assessment of corporate governance, business plans and internal controls conducted by the CD. The CD uses the reports drafted by the RD to identify the risk areas that need a more thorough evaluation as well as prepare its annual supervisory plan, identifying the onsite exams to be conducted each year and to adjust this plan if a pressing issue of concern is identified by the RD. The methodology includes a CAMELS system to identify inherent risks and a final rating system produced after the onsite evaluation of risk management, which provides a basis for relevant comparisons across banks. C4: The SSF supervision process has a strong component of verification of compliance with laws and regulations. The assessors had access to evidence of actual onsite and offsite reports showing evidence of the verification of compliance. Compliance verification includes loan classification, provisioning, capital, legal limits as well as internal controls, corporate governance and management. C5: The BL (Art. 76) stipulates that when the Board of Directors or one of its members has reasonable doubt or proof that the bank has incurred in one of the triggers for regularization regime, the Board has to notify the SSF, within one day. However, the information requirement in the BL applies only to extreme events. The BL does not require Directors or managers to inform the SSF of any material adverse developments, including a breach of prudential or legal requirements. The internal auditor submits quarterly reports to the SSF (Regulation NPB2 04). External auditors are required to inform the SSF when they obtain evidence of wrongdoing or lack of compliance with laws and regulations that could compromise the sustainability of the institution (art. 31 of Regulation NPB 05). In addition external auditors are required to submit to the SSF a copy of their reports on the financial statements and internal controls on the same day these are released to the bank (art. 26 and 34 of NPB2 04 C6: The SSF has four information systems which facilitate the processing, monitoring and analysis of prudential information. The first one contains all the reports derived from banks financial statements. The second system contains the SSF credit registry, with detailed information on all debtors. The third system contains the information on the 54 related parties and groups, to be used to assess concentrations and violations of large exposures and related party limits. The last one is s specialized system for managing audit processes. This software contains all the information needed to plan an onsite inspection and to follow up on the implementation of onsite recommendations and associated corrective actions. The assessors were shown how these systems are used in practice and, in their opinion, these are adequate. However, due to the absence of norms and reporting requirements, the information systems lack adequate information on market and interest rate risks. Assessment Largely Compliant Comments The SSF has initiated the implementation of risk based supervision, but it needs to address some shortcomings to assist supervisors to understand the risks of banks and banking institutions and to achieve the needed improvements in banks’ risk management. First, the lack of a regulatory framework for banks risk management undermines the capacity of supervisors to enforce the identified weaknesses in risk management and to have relevant off-site information on interest rate and market risks. Second, additional training on risk assessment is necessary to ensure that supervisory can assess the adequacy of risk management. Currently, the reports of the RD focus mainly on ensuring that policies exist and identify some problems with the adequacy of policies and practices. Third, regulatory improvements are also needed to require banks to notify it of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. Fourth, supervisory resources seem to be rather stretched and the multiple responsibilities of some staff and divisions may hinder their capacity to conduct an effective supervision. Fifth, a complete and comprehensive picture of the overall risks of the financial system is not available, as the FDD report does not include an analysis of the trends in financial markets (interbank loans, derivatives and securities) and the interaction of these markets with the financial sectors. Additionally, information on the unsupervised cooperatives needs to be collected by a government institution and shared with the SSF to ensure that potential risks stemming from this sector are under control. This would require that a law is issued. Principle 20. Supervisory techniques. An effective banking supervisory system should consist of on- site and off-site supervision and regular contacts with bank management. Description C1: Under the new organization of supervision, the Risks and Conglomerates Department (RCD) has two divisions: the Conglomerates Division (CD) and the Risk Division (RD). Off-site supervision has been strengthened with the creation of the Risk Division (RD) producing a more balanced distribution between onsite and offsite. The CD, responsible for overall on-site supervision, has 34 supervisors, including 4 in a unit responsible for assessing corporate governance. The RD, with 18 supervisors, is responsible for the onsite and offsite supervision of risks and participates in the elaboration of norms pertaining to risks. The RD has 4 Units specialized in the supervision of risks: Credit, Market, Operational and Reputational Risk. The Financial Development Department (FDD), through its Division of Analysis and Standards (DAS), with 12 supervisors, is in charge of processing the information submitted by banks, conducting an analysis of the banking system and generating CAMELS indicators for all banks. As mentioned in the description of the previous CP, supervisory processes include the determination of inherent risks, the assessment of the banks’ systems to mitigate these risks and the definition of corrective actions to address the identified weaknesses. The SSF has a unit in charge of quality control, but this unit mainly focuses on onsite supervision. The assessment of offsite processes and the interaction of onsite and offsite are not yet carried out. C2: While the SSF has a coherent process in place for planning and executing on-site and off-site activities, and manuals exist to ensure that these are conducted in a thorough and consistent basis, the processes are relatively new, and the assessors have noted, by reviewing a few reports, that reports have uneven quality and form and that onsite reports lack an executive summary that would allow the Board members of the 55 bank to readily identify the main problem areas. In addition, while supervisors appear to know their responsibilities, the functions and responsibilities of the reorganized supervision departments and divisions are not have not been written and approved in a formal document. At this early stage of the reform process, coordination between the two main supervisory divisions RD and the CM appear to be adequate. However, the SSF has not defined policies and procedures to ensure that the coordination and information exchange takes place. C3: On site examinations include an assessment of corporate governance (including risk management and internal control systems) and fairly detailed recommendations and corrective actions on these matters. Since there are no specific norms on these two subjects, supervisors conduct their analysis and issue recommendations and corrective actions on the basis of the general stipulations that the BL has on this matter (Art. 63), on other prudential norms, and on the guidance provided by their supervisory manuals. External auditors are also required to conduct an assessment of internal controls and submit their report to the SSF. The verification of the quality of the information submitted to the SSF is carried out, both, offsite and onsite. Basic consistency checks are conducted off site. The onsite analysis is conducted by a team of 5 experts on information audit. The 2008 reorganization did not define the responsibilities for follow-up. In practice, each division is responsible for following up on their own recommendations. The follow-up of the onsite recommendations and corrective actions is usually carried out during the following general onsite inspection (which may take place after two years) or, if the matter is considered material, during a specific onsite follow up visit. Under the current organization, focused onsite reviews conducted by the RD assist supervisors to identify which areas and entities require additional attention of onsite examiners. C4: On a monthly basis, the DAS reviews and analyzes the financial condition of banks and issues a report that includes CAMELS indicators of all banks. This analysis is carried out using the prudential and financial reports that banks submit to the SSF. A more specialized analysis, which includes a qualitative assessment of risk management, is carried out by the RD. As these assessments involve an onsite component, they are resource intensive, so they will be issued once a year for each of the banks (except for the most risky ones). This work helps the RD and CD to set the priorities for their future work and is one of the key inputs for the planning of onsite inspections. C5: Both the RD and the CD have contact with management during their onsite inspections, whose frequency is determined by the risk profile of the institutions. In addition, both, the RD and the DAS contact bank staff to inquire about issues arising during their offsite analysis. The head of the CRD Department has meetings with management or the President of the Board, whenever there are supervisory concerns. In addition once a year, the Superintendent and senior SSF staff meet with the Board of Directors of each bank to discuss the bank’s business strategy and supervisors concerns. C6: The CD has a group of supervisors that specialize on the assessment of corporate governance. During onsite inspections, these supervisors focus on an assessment of the role of the Board of Directors (by reviewing the Board minutes, policies and directives) and bank strategies. C7: The supervisors evaluate the work of the bank’s internal audit function during onsite examinations. In addition, the SSF receives the internal audit plans and quarterly progress reports. However, these are not reviewed until the period of the onsite planning. There is room for a more timely assessment of the internal audit plans, to 56 ensure that the internal audit is adequately used to fill potential gaps in bank supervision. C8: The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses by means of written onsite reports, letters addressing specific issues or concerns or through discussions or meetings with management. Assessment Largely Compliant Comments While there is balance between off-site and onsite supervision, the following shortcomings could create gaps and hinder supervision: (i) the new responsibility for addressing complaints of bank clients, entrusted by law to the SSF and assigned to the CD, reduces the onsite capacity. The CD has 3 teams of onsite supervisors and one of them is currently dedicated fully to process these complaints. The task of processing these complaints is important, intensive in human resources and has potential conflicts of interest with the supervisory function; therefore it should be assigned to a specialized Department, endowed with its own resources, without taking away resources from the supervisory activities. (ii) The responsibility for the overall supervision of each institution has been allocated to the chiefs of the various risk units and divisions, thereby assigning them two different functions. I would be advisable to have dedicated relationship managers for each of the major conglomerates, to prevent gaps in supervision and follow up. There is also room for improvement in the consistency and quality control of reports, as well as in a more timely review of internal audit plans, to ensure that the internal audit complements the supervisory work by filling potential gaps in risk assessment. An organizational manual has been drafted containing the responsibilities and coordination requirements between onsite and offsite, but it is not well known among the staff. Principle 21. Supervisory reporting. Supervisors must have a means of collecting, reviewing and analyzing prudential reports and statistical returns from banks on both a solo and a consolidated basis, and a means of independent verification of these reports, through either on-site examinations or use of external experts. Description C1 & C7: Article 31 of the Law of the SSF (LSSF) states that, for the purposes of conducting supervision, the SSF can examine, through the means it deems suit, all the business, books, files, documents, archives and mail of the supervised institutions. It can also require all the background information and explanations to clarify any issue of interest. On this basis, the SSF has issued norms requiring that banks submit a broad range of financial and prudential reports on a regular basis. These reports include detailed financials on a solo (monthly) and consolidated (quarterly) basis, including on and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, loan classification and provisioning, large and related exposures, asset concentration (including by sector and region), among others. The SSF has not issued specific information requirements for market and interest rate risks. C2: The reports are based on the Accounting Manual and Chart of Accounts issued by the SSF in 1999, with amendments issued in 2000 and 2002. The manual indicates that International Accounting Standards apply on all matters not regulated by this norm. The norm differs from international accounting standards in various respects, including loan loss provisions, valuation of investments, deferred taxes and the extent to which risks and other material issues are revealed. C3: The valuation rules issued by the SSF may be prudent, but not necessarily realistic. For instance, investments are valued at purchasing price or market price, the lowest. Loan loss provisions are constituted according to the regulations issued by the SSF (see CP 9). Voluntary reserves are accounted as expenses. C4 & C5: The supervisor collects most information on banks on a monthly basis, with the exception of liquidity data that is collected on a daily basis. Consolidated information is 57 collected on a quarterly basis and annual basis. C6: Art. 136 of the BL stipulates that, for the purposes of conducting consolidated supervision, the SSF has the power to request and receive any relevant information from banks, as well as any of the members of the conglomerate. C8: The LSSF grants the SSF the power to impose sanctions for any violation to the laws and regulations (article 37). The supervisor determines that the appropriate level of senior management is responsible for the accuracy of supervisory returns, can impose penalties for misreporting and persistent errors, and can require that inaccurate information be amended. C9: The SSF utilizes various means to verify the accuracy of the information. The first level of verification is the various filters included in the SSF information systems. In addition, during onsite inspections the SSF conducts information audits to check the accuracy of financial statements, loan classification and provisioning, reporting on past due loans, among other. Also on site supervisors examine a sample of loan files and other documents to ensure the information in the system is consistent with these. The final level is the verification of the policies and processes associated with the security, integrity and accuracy of information. External auditors also conduct a review of all these. C10: Regulation NPB2-05 contains the norms for conducting external audits. The SSF has a registry of external auditors authorized to conduct audits in the financial system, with clear requirements of experience and proficiency to be admitted in the registry. External auditors are required to conduct their work using International Audit Standards. The external auditors submit to the SSF their audit plans within 30 days of having been appointed and the SSF has access to all their reports and working papers. The regulation includes a list of minimum requirements that the audit plan should include. Usually, one of the members of the onsite team is assigned the responsibility of evaluating the adequacy of external audit. C11: The external auditors are required to submit the SSF their reports when they release them to the banks. In addition, art. 31 of regulation NPB2-05 states that if external auditors identify any shortcoming that could pose material risks for the stability, solvency or liquidity of an institution, they have to communicate it to the SSF promptly in a written way. Additionally auditors are required to promptly communicate to the SSF if they phase information limitations that can affect the scope or depth of their work. Assessment Largely compliant Comments The SSF receives a fairly comprehensive set of information on banks and banking groups, with the exception on relevant data on market and interest rate risks. However, the accounting manual, which is the basis for the reports submitted by banks, is outdated and does not conform to international standards. Principle 22. Accounting and disclosure. Supervisors must be satisfied that each bank maintains adequate records drawn up in accordance with accounting policies and practices that are widely accepted internationally, and publishes, on a regular basis, information that fairly reflects its financial condition and profitability. Description C1: Article 224 of the BL establishes the responsibility of the Board of Directors for the accuracy of the financial statements. This applies to the annual as well as the quarterly report that banks must publish (Art. 225 of the BL), which includes at a minimum financial statements and relevant information on capital adequacy, loans and contracts with related parties, quality and diversification of the loan portfolio and maturity mismatches. These must be signed by the Board, and the Board members are personally responsible that they reflect accurately the solvency and liquidity of the bank. Art. 39 of the LSSF establishes a fine equivalent to a maximum of 0.5 percent of the 58 capital and reserves of the bank for the members of the Board, managers, external and internal auditors and liquidators of a supervised institution that knowingly have approved or presented altered or false financial statements, or who alter data or inputs to the balance sheets, books, accounts, mail or any other document or that hide or destroy any of these. In case of bankruptcy of the institution, they will be held responsible for the fraudulent bankruptcy of the institution. Also other infractions not explicitly mentioned in the LSSF are subject to fines of up to 0.25 percent of the capital and reserves. C2: Art. 224 of the BL states that banks must publish, within 60 days after the end of each year, financial statements audited by an external auditor registered in the SSF registry. The publication must include the auditor’s opinion and notes. The assessors were shown these publications. C3: Financial statements are prepared using the accounting rules established by the SSF. These rules were issued in 1999 and modified partially in 2000 and 2002. The manual indicates that International accounting Standards apply on all matters not regulated by this norm. The norm differs from international accounting standards in the calculation of loan loss provisions, valuation of investments, deferred taxes and the extent to which risks and other material issues are revealed. The accounting rules for banks appear to be generally prudent. Loan loss provisions are calculated on the basis of a regulation issued by the SSF and profits are shown net of these provisions. Investments are recorded at the lowest between purchasing price and market value. The accounting manual does not consider rules for deferred taxes and derivatives. C4: Regulation NPB2-05 contains the norms for conducting external audits. External auditors are required to conduct their work using International Audit Standards. The external auditors submit to the SSF their audit plans within 30 days of having been appointed and the SSF has access to all their reports and working papers. The regulation NPB2-05 includes a list of minimum requirements that the audit plan should include. The SSF has also the right to require that additional specific topics be included in the external audit plan. However, this is not generally done, as the SSF only reviews the audit plans as part of the general onsite exam, stage at which the external audit report is also reviewed. C5: According to Regulation NPB2-05 (Art. 21) the minimum elements for the external audit review are: loan classification and provisioning (with a view to ensure compliance with the SSF regulation), loan portfolio, liquid assets, investments, deposits, off balance sheet items, foreign currency transactions, revenues and expenses. In addition the external audit is required to issue a special report on internal controls and to review the procedures and verify compliance with various prudential regulations, including: minimum required reserves, limits on connected lending and large exposures, capital adequacy and maturity mismatches. C6: Bank can only appoint external auditors that belong to the External Auditors Registry of the SSF. Regulation NPB2-05 establishes experience, proficiency and other requirements an auditor must meet to be included in the registry. Art. 226 of the BL establish that external auditors can be sanctioned with fines, one year suspension or exclusion from the External Auditors Registry kept by the SSF. C7 & C8: Art. 224 of the BL states that banks must publish, within 60 days after the end of each year, financial statements audited by an external auditor registered in the SSF registry. The publication must include the auditor’s opinion and notes. Directors are responsible that these financial statements reflect accurately the bank’s solvency and liquidity. Financial statements are prepared using the accounting rules established by the SSF (see C3). 59 C9: The required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, transactions with related parties, accounting policies, and basic business, management and governance. Risk management strategies and practices and other risk exposures are not revealed. C10: As stated earlier the legal and regulatory framework for the enforcement of compliance with disclosure standards is contained in the BL (Arts. 224 and 226) and the SSFL Law (Art. 39). See C1 and C6 to C8. During onsite exams, the SSF reviews the compliance with these norms. C11: The web page of the SSF publishes aggregate and individual information on banks and the banking system to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes data on balance sheet and prudential indications that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). Assessment Largely compliant Comments The accounting manual, which is the basis for the external audit reports, is generally prudent but it is also outdated and does not conform to international standards. The norm differs from international accounting standards in the calculation of loan loss provisions, valuation of investments, deferred taxes and the extent to which risks and other material issues are revealed. Principle 23. Corrective and remedial powers of supervisors. Supervisors must have at their disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability, where appropriate, to revoke the banking license or to recommend its revocation. Description C1: The SSF uses three moments to raise its supervisory concerns. First, the SSF submits a report containing the main aspects to be corrected or improved, after a risk management review conducted periodically by the RD. Banks are required to submit an action plan to address these areas of concern, and the SSF intends to conduct follow up on these areas during subsequent onsite exams. Since this is a new supervisory process, it is too soon to see how effective the follow up of these plans will be. Second, after the regular onsite inspections, the SSF submits a comprehensive report requiring the bank to present a plan to address the onsite findings. These action plans have to be approved by the Board. General onsite exams take place broadly every two years (albeit a training exercise that took place during 2009 caused that only two pilot general onsite exams were conducted). According to the 2010 onsite supervisory plan, which takes into account the risks identified by the RD, exams could be more frequent if high risks are identified. Third, the SSF requires a bank to take corrective actions when during offsite supervision it detects violations of compliance with laws or regulations. C2: The BL clearly establishes that the SSF is responsible for deciding when and how to conduct the orderly resolution of a problem bank situation. This includes the regularization, restructuring, intervention and liquidation of a banking institution. The BL stipulates that the Board of the SSF can require a regularization plan (art. 77) under which shareholders of the bank have a limited amount of time to restore solvency and address the problems that triggered the regularization. To protect depositors and upon the request of the Superintendent, the Board of the SSF can also require the restructuring of a bank (article 91), decide the exclusion of a bundle of assets and liabilities (article 94), require a judicial intervention of the bank (article 104), suspend its operations (art. 105) or revoke the license (art. 106). C3: The laws provide the SSF a broad range of supervisory tools for use when a bank is in violation with laws or regulations. These include a variety of fines for supervised entities and individuals, the removal of those that are unfit to perform their job and the specific conditions that trigger the need for the institution to present a regularization plan 60 or trigger its resolution. The LSSF (art. 37 to 46) and the BL establish a list of violations with specific sanctions. The LSSF also sets the range of sanctions for violations that are not explicitly defined in the Law with an upper bound of 2 percent of capital and reserves. Both supervised entities and individuals can be subject to the fines. The SSF has an internal process by which the Legal Department proposes to the SSF Board the sanctions in accordance to the gravity of a situation. In addition to the sanction, the SSF requires that supervised entities take corrective actions to amend the problem that cause the sanction. C4: The LB provides a limited range of measures prior to regularization (art. 78) and a very wide range of measures during regularization and (art. 77, 87 and 88) thereafter (art. 93 to 102). Prior to Regularization, the SSF can require the bank to take measures to restore its solvency and liquidity including by: restricting new loans and investments, renegotiating liabilities, selling assets or capitalize the bank. However, at this stage, the legal framework does not support key supervisory preventive actions such as: restricting the distribution of dividends or bonuses, stopping authorizations on new operations or acquisitions and prohibiting the sales of assets. There is evidence that, at least in one case, when the SSF gave written instruction to a bank to stop the distribution of dividends as a preventive measure, the shareholders meeting decided to go ahead and distribute the dividends. During the regularization process the SSF can: restrict new loans or new investments, require the sale of assets or the renegotiation of liabilities, require that all new deposits be kept in an account at the Central Bank and charge of identified losses against capital and reserves. In addition, during Regularization, the SSF can conduct a Special Supervision, effectively taking control of the bank by appointing a Supervisor who will sit at all the Board meetings; such that Board sessions that are conducted without his/her presence or decisions without his approval are considered invalid. Alternatively, the SSF could remove the management of the bank and the Board of Directors (art. 88) and require that they be replaced according to the Social Statutes. During the restructuring process, the SSF has a broad range of tools and measures at its disposal (art. 93 to 102), including: giving shareholders up to 30 days to restore capital to the required levels, facilitating the takeover or merger by a healthier institution, transferring blocks of assets and liabilities, among others. The most recent case of a seriously troubled institution happened between 2005-2006, when a small bank had undercapitalization and liquidity difficulties. The SSF used the tools at hand to require the shareholders to capitalize the institutions and take corrective measures. The shareholders contested in administrative courts the SSF decision to require them to constitute additional provisions. The bank was not under a regularization process. Eventually, the bank was sold by shareholders to a foreign banking group, at a fraction of the capital recorded in the bank books. C5: The supervisor has the power to take measures should a bank fall below the minimum capital ratio. The BL defines two stages. First, when the CAR is below the 12 percent minimum but above 10 percent, the SSF has discretion to define the corrective actions (article 78 of BL). However, the range of measures is rather limited, as mentioned in C1. When CAR is below 12 percent, the regularization process is triggered. At this stage, usually the Board loses control of the bank, as the SSF may appoint a Supervisor who would oversee and approve all the Board decisions. C6: The LSSF grants the SSF powers to impose sanctions to supervised entities and to Board members, managers, auditors (internal and external), interventors and liquidators 61 of supervised entities, and the assessors were shown evidence that these powers are used. The SSF publishes statistics on the sanctions imposed to supervised institutions. During 2009, banks had 21 sanction processes. The assessors have been informed that to save costs, several sanctions to one institution are included in one sanction process. Assessment Largely compliant Comments The SSF needs to establish an effective system for the follow up of preventive and corrective measures, with clear responsibilities and intensity of the follow up on the basis of the seriousness of the concerns and risks to be addressed. It should be clear that follow up during the next onsite inspection is not sufficient in high risk cases. It could be useful to complement the resource intensive onsite follow up with more frequent meetings with management and a detailed progress report of the banks (at periodical intervals depending on the extension of the plan and severity of the problem). Progress reports could be reviewed off-site and confirmed onsite. According to the SSF staff the supervisory process, organized as a chain, with the Analysis Unit providing information to the RD, and the RD reports feeding the planning process of the CD, makes the chance that following up on material corrective actions unlikely. In the assessors’ opinion, this may be true, but to ensure the timeliness of follow up it is advisable to also have somebody responsible for the overall supervision of each institution (―a relationship manager‖). The absence of regulations regarding various risks, somewhat limits the capacity of the SSF to take (and enforce) a more preventive stance to strengthen the risk management process. The SSF has not issued regulation on sanctions to clearly define the severity of the violations and the corresponding scale of sanctions and make the sanctioning process more transparent for supervised entities and individuals. Before Regularization, the SSF has discretion to define the corrective actions (article 78 of BL) but the range of measures is rather narrow. It would be desirable to strengthen the powers of the SSF to enforce preventive and corrective actions. It is recommended that the Law of the Supervision and Regulation of the Financial System (LSRFS), currently being reviewed by Parliament, also provide the SSF powers to restrict the distribution of dividends or bonuses or restrict new acquisitions, sales of assets or specific operations. The regularization process is triggered only after a bank’s failure to comply with the laws is significant or its risk of insolvency is high. For instance, while the minimum CAR is 12 percent, the regularization process is only triggered when the CAR is below 10 percent. At this stage, usually the Board loses control of the bank, as the SSF may appoint a Supervisor who would oversee and approve all the Board decisions. In sum, there are some drawbacks with ECs 3 and 4, which make this a borderline case, as the rating could have gone either way (LC or MNC). The practice inclined the balance in favor of LC, as the SSF is proactive in applying corrective actions. Also, in the cases of legal challenges to the SSF decisions, the Judicial courts have always decided in favor of the SSF. Principle 24. Consolidated supervision. An essential element of banking supervision is that supervisors supervise the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential norms to all aspects of the business conducted by the group worldwide. Description C1: The SSF is familiar with the overall structure of banking groups operating in El Salvador and has an understanding of the activities of all material parts of these groups. There are seven financial conglomerates operating in El Salvador, all of them owned by foreign banking groups. The BL does not allow that the local conglomerate be owned by a nonbanking institution. The assessors were provided with an example in which the SSF required that a foreign conglomerate modify its proposed ownership structure prior 62 to granting a license to operate in El Salvador. The assessors also were informed that applicants that did not have an acceptable ownership structure or were subject to consolidated supervision, desisted of their license application once they were informed of the requirements. To operate in El Salvador, all of these banking groups have established a local conglomerate with a local controlling holding of all the Salvadoran financial entities. The BL (Art. 113) stipulates that these conglomerates are under the consolidated supervision of the SSF. These local conglomerates cannot hold investments in non financial institutions. The Salvadoran financial conglomerate may have a bank, an insurance company, a pension administrator, a leasing company, a securities firm, a credit card company, a deposit warehouse and money transfer companies. In general, banks are the most important entity in a Salvadoran conglomerate, with over 95 percent of the assets. C2: The BL stipulates that the SSF has the power to review the overall activities of a banking group, both domestic and cross-border (art. 136). While the SSF has the power to supervise the foreign activities of banks incorporated within its jurisdiction, currently Salvadoran banks do not have any cross border operations, with the exception of money transfer companies in the United States. C3: The CRD, within the SSF, supervises all financial conglomerates operating in El Salvador. The CRD receives financial and other relevant information of all the members of a conglomerate and reviews compliance with laws and regulations. In addition some progress has been made to coordinate the onsite inspection in the various members of the conglomerate, however, the CRD does not yet have a fully developed framework to assess the risks that non-banking activities conducted by a bank or banking group may pose to the bank or banking group. C4: The BL establishes a consolidated capital requirement for the conglomerate, which should not be lower than the sum of the capital requirements of all the individual members of the conglomerates (art. 127). To prevent multiple gearing, the BL stipulates that any investment in other members of the conglomerate has to be deducted from the capital (art. 128). While there is no explicit exposure limits for the conglomerate, Regulation NPB4-36 stipulates that all the members of a conglomerate are subject to the same large exposure limits applying to banks (article 2f), which in practice would be equivalent to an overall conglomerate limit. The SSF checks compliance regularly with the exposure limits on the banks, but not on the other members of the conglomerate. The bank is by large the most important entity of a conglomerate, and the only one that does significant lending activities, but it is recommended that SSF develop a process to check compliance with the large exposure limits of the other entities of the conglomerate. The BL also establishes several exposure limits of the bank member of the conglomerate, with the other members of this conglomerate, both locally and abroad (art. 129). C5: The supervisor has arrangements with other cross-border, to receive information on the financial condition and adequacy of risk management and controls of the different entities of the banking group. Agreements with all Central American countries have been signed, including a multilateral agreement, which allows the SSF to receive information on the regional groups that have presence in El Salvador (see CP 25, C2). The SSF also receives information from the Salvadoran pensions and securities supervisors and has access to their reports. The BL stipulates that pensions and securities supervisors have to inform the SSF regarding the compliance of their supervised entities with their laws and regulations in the frequency and manner established by the SSF (art. 138). The BL also allows the SSF to have onsite inspections to the entities that are not directly under its supervision; to this end, the SSF has to coordinate with the respective supervisor (art. 139). The laws also establish various committees for the coordination of the local agencies with supervisory responsibilities in the financial sector (see CP 1.6). 63 C6: Article 113 of the BL clearly indicates the types of entities that can be part of a conglomerate (see C1). The controlling holding of a Salvadoran conglomerate requires authorization to invest in any company that is already operating (art. 118 of the BL). To invest in a new company, the SSF will participate in the authorization process as established by the laws and regulations of the entity to be established. The BL (art. 121) clearly establishes that the sole purpose of the controlling holding is to hold the shares of the members of the conglomerate. According to the same article, the holding cannot issue any type of liabilities to third parties above 20 percent of its capital. A foreign bank can be part of the Salvadoran conglomerate under the following strict conditions: (i) the local holding has to acquire at least 45 percent of its shares; (ii) the bank must be under the consolidated supervision of the SSF and in its country of origin it must be subject to supervision according to international standards; (iii) the SSF has signed an MOU with the supervisor in the country of origin. Any foreign investment of any member of the conglomerate requires authorization of the SSF (art. 144). C7, C8 & C9: The SSF reviews the main policies and procedures of the only members of the Salvadoran conglomerates abroad, which are money transfer companies in the US. Art. 124 of the BL authorizes the SSF to require the sale of dissolution of any entity member of the conglomerate that is poorly managed or poses solvency risks to the rest of the conglomerates. The BL does not authorize the SSF to require the closing if, authorization has been granted by the SSF, it turns out that oversight by the bank and/or supervision by the host supervisor is not adequate relative to the risks the office presents; and/or it cannot gain access to the information required for the exercise of supervision on a consolidated basis. However, no such cases have ever occurred. C10: Not applicable. The Salvadoran conglomerates to do not have banking investments abroad; only money transfer companies. Assessment Largely compliant Comments While the SSF reviews compliance with laws and regulations, such as the consolidated capital requirements, and some progress has been made in the coordination with local supervisors of entities belonging to the conglomerates, additional efforts are needed to have a comprehensive framework to assess the risks that non-banking local activities conducted by a bank or banking group may pose to the bank or banking group. Principle 25. Home-host relationships. Cross-border consolidated supervision requires cooperation and information exchange between home supervisors and the various other supervisors involved, primarily host banking supervisors. Banking supervisors must require the local operations of foreign banks to be conducted to the same standards as those required of domestic institutions. Description C1: As a host supervisor, the SSF provides a broad range of information to the home supervisors of the cross border conglomerates operating in El Salvador. The information to Central American supervisors is provided on the basis of the framework established by the Comite de Enlace of Central American Supervisors (CECAS), which has quarterly meetings and monthly teleconferences were supervisors present the relevant information, risks and concerns on the bans operating under their jurisdiction. The CECAS has significantly improved the cooperation among Central American bank supervisors. The SSF, as a host supervisor, also provides financial information and shares its onsite findings with the supervisors of the US, Canada, UK and Colombia. The assessors had telephone conversations with the supervisors of Colombia and Panama, and both indicated that they haven’t faced limitations on accessing information on their supervised banking operations in El Salvador. Similarly, El Salvador receives from the home supervisors, information on the overall financial condition of the cross border conglomerates of the banks operating in El Salvador. In the case of Central America, it also receives information on the financial performance of the individual banks within the conglomerate. 64 C2: El Salvador has information sharing and cooperation arrangements with the home supervisors of all the banks operating in El Salvador. These include all the countries of Central America, Canada, United States, Colombia, Canada and the UK. With the exception of the letter of the UK FSA, all the other MOUs are published in the SSF web page. The multilateral MOU, signed in September 2007 by all Central American bank supervisors, including Panama and the Dominican Republic, creates a technical committee, with representatives of all the member countries and includes provisions for the information exchange and the preservation of the confidentiality of the information exchanged. The technical committee has four basic mandates: i. Plan and coordinate the cross-border consolidated supervision of all the financial conglomerates in the region, identifying the key risks for each conglomerate; this plan is to be presented for approval of the national supervisory agencies; ii. Share relevant information on the operations of cross-border groups, including the identity of their shareholders; iii. Request to the home supervisor, when deemed convenient, a presentation on the performance of the financial conglomerates under its jurisdiction; and iv. Exchange whenever possible and in a timely manner, information on events that could endanger the stability of cross-border operations. C3: El Salvador is not a home supervisor of any conglomerate. However, within the Comite de Enlace of Central American Supervisors, the SSF acts as the regional home supervisor of Citibank and Scotiabank, because the largest regional operations of these conglomerates are in El Salvador. As a ―home‖ supervisor, the SSF gathers the information on all the Central American operations of these conglomerates, and prepares presentations on these conglomerates for the other regional supervisors. C4: The SSF, as a host supervisor, provides information to home supervisors, on a timely basis, concerning:  material or persistent non-compliance with relevant supervisory requirements, such as capital ratios or operational limits, specifically applied to a bank’s operations in the host country;  adverse or potentially adverse developments in the local operations of a bank or banking group regulated by the home supervisor;  adverse assessments of such qualitative aspects of a bank’s operations as risk management and controls at the offices in the host country; and  any material remedial action it takes regarding the operations of a bank regulated by the home supervisor. C5: The BL stipulates that that the cross-border operations of foreign banks are subject to supervision according to international standards (Article 27a). All foreign banks constituted in El Salvador are subject to a consolidated supervision by their home supervisors. C6: Before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received (article 27b). C7: The SSF has provided to home country supervisors on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with KYC requirements. Usually, an SSF staff supervisor will accompany the home supervisory team during the onsite visit. Several visits have been conducted by the Panamanian supervisor in the Salvadoran operations 65 of HSBC and BAC. During 2010, the Colombian supervisor has plans to conduct an onsite inspection of Banco Agricola, the Salvadoran operation of BanColombia C8: Shell banks and booking offices are not allowed in the Salvadoran legal framework. According to the SSF supervisors, such offices are no part of Salvadoran conglomerates and do not operate in El Salvador. C9: According to the SSF supervisors, the SSF will consult with foreign supervisors, if it were to take consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. One such case occurred in 2009, when the SSF prohibited that a Salvadoran bank, that belongs to a regional conglomerate, provide any financing to its parent bank, after the SSF was informed that some government securities held by the parent company would not be paid at their original due date. Assessment Compliant Comments Authorities’ response to the assessment 46. The authorities agreed with the assessment.