99620 BULGARIA September 2015 DETAILED ASSESSMENT OF OBSERVANCE BASEL CORE PRINCIPLES FOR EFFECTIVE BANKING SUPERVISION Prepared By This report was prepared in the context of a joint IMF-World Bank standards Monetary and Capital Markets assessment mission in Bulgaria during Department, IMF, and Finance and March, 2015, and overseen by the Markets Global Practice, World Bank Monetary and Capital Markets Department, IMF, and the Finance and Markets Global Practice, World Bank. INTERNATIONAL MONETARY FUND THE WORLD BANK BULGARIA CONTENTS Glossary .................................................................................................................................................................................3 Introduction .........................................................................................................................................................................5 Methodology .......................................................................................................................................................................7 Institutional and Market Structure—Overview.......................................................................................................8 Preconditions for Effective Banking Supervision ................................................................................................ 10 Detailed Assessment ..................................................................................................................................................... 17 A. Supervisory Powers, Responsibilities and Functions .................................................................... 17 B. Prudential Regulations and Requirements.....................................................................................106 Summary Compliance with the Basel Core Principles ....................................................................................222 Recommended Actions and Authorities’ Comments......................................................................................232 A. Recommended Actions .........................................................................................................................232 B. Authorities’ Response to the Assessment ......................................................................................238 2 BULGARIA GLOSSARY AC Additional Criteria (of the Core Principles) AMA Advanced Measurement Approaches AML/CTF Anti Money Laundering/Countering Terrorist Financing BCBS Basel Committee for Banking Supervision BCP Basel Core Principles BNB Bulgarian National Bank BRRD Bank Resolution and Restructuring Directive CBA Currency Board Arrangement CEBS Committee of European Banking Supervisors CISD Credit Institution Supervision Directorate CPOSA Commission for Public Oversight of Statutory Auditors CPs Core Principles CRDIV Capital Requirements Directive IV (2013/36/EU) CRR Capital Requirements Regulation (EU Regulation 575/2013) EBA European Banking Authority EC Essential Criteria (of the Core Principles) ECB European Central Bank ESAs European Supervisory Authorities ESRB European Systemic Risk Board EU European Union FATF Financial Action Task Force FSAC Financial Stability Advisory Council FSCA Financial Supervision Commission Act FSB Financial Stability Board FSC Financial Services Commission FX Foreign Exchange HQLA High Quality Liquid Assets IAS International Auditing Standards ICAAP Internal Capital Adequacy Assessment Process IFRS International Financial Reporting Standards IRB Internal Ratings Based LCR Liquidity Coverage Ratio LOA Law on Accounting LBNB Law on the Bulgaria National Bank LCI Law on Credit Institutions LIFA Law on Independent Financial Audit MOU Memorandum of Understanding MPFSD Macro Prudential Financial Stability Directorate NPL Non Performing Loan NSFR Net Stable Funding Ratio 3 BULGARIA RAS Risk Assessment System RWA Risk Weighted Asset SREP Supervisory Review and Evaluation Process SSD Special Supervision Directorate UBO Ultimate Beneficial Owner 4 BULGARIA INTRODUCTION1 1. This assessment of the current state of the implementation of the Basel Core Principles for Effective Banking Supervision (BCP) in Bulgaria has been completed as a stand-alone Report on the Observance of Standards and Codes undertaken by the International Monetary Fund (IMF) and the World Bank (Bank) during March of 2015 at the request of the Bulgarian authorities. It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment. It is not intended to assess the response to the 2014 banking crisis, and it is not intended to represent an analysis of the state of the banking sector or crisis management framework. 2. The BNB has an internal governance structure which, by vesting the majority of the powers of supervision in the Deputy Governor for banking supervision, exposes the supervisory function to risks. The law gives the Deputy Governor strong powers to act separately and independently, even though the Governing Council has a role and responsibilities over troubled banks in addition to its licensing and regulatory powers. Under the BNB’s legal structure, supervision and enforcement is dissociated from the Governing Council, and the Governing Council has no right to compel transparency of decision making or to impose a framework to ensure consistency in the use of the enforcement regime. The Governing Council is, however, responsible for issuing the regulations that articulate and establish the BNB’s supervisory standards and expectations despite the disadvantage of being at arms’ length from the supervisory process. The distribution of powers and lack of transparency and accountability including the lack of an internal framework to ensure consistency in decision making in the use of many of the enforcement powers are not conducive to an assertive and confident supervisory process. It is of particular concern that the potential for pressure to be exerted on a single individual may in fact inhibit any Deputy Governor from using powers as strongly or as frequently, or using escalating severity as needed. Further, it is noted that should the position of Deputy Governor fall vacant unexpectedly, there is no legal possibility for the enforcement powers to be delegated to another individual. This flaw exposes the BNB to unnecessary uncertainties in its supervisory activities. 3. There are material concerns that the BNB is too resource constrained to deliver effective minimum levels of supervision. Demands on regulators have increased markedly through the international regulatory reform agenda in the wake of the global financial crisis and which are transmitted to Bulgaria mainly through the EU legislative and convergence program. The supervisory mandate for AML/CTF brings additional demands not least through support provided to external bodies such as the Prosecutor and the Financial Intelligence Unit in investigative matters in complex cases of fraud, embezzlement and money laundering. Furthermore, the BNB’s mandate for transparency of products and monitoring of consumer trends is also resourced from the supervisory 1 This Detailed Assessment Report has been prepared by Katharine Seal, IMF and Pierre-Laurent Chatain, World Bank. 5 BULGARIA department. As a consequence, many areas of the BNB’s supervisory operations, ranging from the scope and scale of its supervisory inspections, ability to launch proactive investigations, and ability to ensure a sufficiently high level of supervision for the local segment of the banking market, which as a cluster represents nearly a quarter of the market, are notably under strain. Certain specialist skills are also lacking or under-represented at the BNB, including IT, market risk and quantitative skills. The BNB staff have been further diverted from their supervisory tasks by the additional demands of dealing with a banking failure and liquidity stress in 2014. This necessary diversion of resources has, though, inevitably adversely affected the BNB’s planned supervisory program and will lead to a number of institutions not being brought under scrutiny in a timely manner and follow up monitoring and actions may be unduly delayed. 4. Despite a broad range of supervisory powers, there are some gaps in the legal framework that unduly restrict the BNB’s locus. There are a number of elements which may have the cumulative effect of discouraging an intrusive supervisory approach. The relevant gaps touch on a range of areas but most notably including the relationship with the Board of a bank – the BNB cannot instruct banks to change their internal organization or structure or composition of the Board; or to insist upon a change of the external auditor of a bank; and an aspect of the legal protection available to BNB staff. On a related issue, the continued delays in the transposition of the Directive on Bank Recovery and Resolution has prevented the BNB from being able to carry out a number of tasks in relation to preparation for orderly resolution procedures should they be necessary. 5. As Bulgaria is a Member State of the European Union, the regulatory framework is based on EU legislation and architecture. The recent changes to the EU framework have, however, removed some flexibility from the supervisory authority. Previously the BNB applied a minimum capital adequacy ratio of 12 percent, but this requirement is now capped at 8 percent under the Capital Requirements Regulation. In response, and at a period of heightened systemic stress, the BNB has “frontloaded” capital buffers so that the capital conservation buffer and the systemic risk buffer are both currently in force. The advent of the CRR and its implementing technical standards has also removed the BNB’s former power to set supervisory provisions against problem exposures. The BNB retains, however, the power to set higher capital requirements in respect of problem assets. At present the BNB is practicing close monitoring of the evolution of the relevant portfolios and is exercising what might be termed an “informal Pillar 2 approach.” The BNB does, however, need to be ready and able to apply additional capital requirements through Pillar 2 in future. 6. The BNB employs a risk-based approach to supervision and enjoys a cadre of dedicated and professional staff. The BNB employs sound methodologies for the analysis and assessment of individual banks and banking groups. This work is strongly enriched by the efforts of the macro-prudential and financial stability directorate. The supervisory approach in the BNB relies to an important extent on its on-site inspection process, but is undermined by scarcity of resource to implement a sufficiently broad and frequent program of inspections. In the resource constrained environment it is important for the BNB to maximize its internal arrangements and use of its supervisory tool kit. This includes an internal skills audit and strategy to identify gaps, a review of 6 BULGARIA internal organization to maximize efficiency and communication and a greater use of such supervisory techniques as horizontal assessments. 7. The BNB has a good understanding of risk and many strong practices, and also making good use of international standards and guidelines, but there are some important system wide vulnerabilities. The most significant risk in the banking sector is credit risk and while the BNB takes an assiduous approach to credit risk, this is undercut by system-wide weaknesses in concentration risks, related party and connected lending as well as corporate governance. Although the BNB is alert to these concerns and has identified many violations and bad practices in the banking institutions, overall, enhancements in supervisory approach are needed. Enhanced transparency in ownership structure of clients, especially for legal entities located overseas (including in off-shore centers) with undisclosed ultimate beneficial owners is of paramount importance. The BNB could employ horizontal inspections and the issue requirements for more robust processes for determining connectedness between customers or groups of affiliated parties. METHODOLOGY 8. It should be noted that the ratings assigned during this assessment are not directly comparable to previous assessments. The current assessment of the BNB was against the BCP methodology issued by the Basel Committee on Banking Supervision (BCBS) in September 2012. The authorities took a rigorous approach and opted to be assessed against both essential and additional criteria. The last BCP assessment in was conducted in 2002. The methodology has been revised twice since the last assessment in Bulgaria, first in 2006 and again in 2012. There was an FSAP update in 2008 but it did not include a BCP assessment. 9. In the 2012 revision of the Core Principles, the BCBS sought to reflect the lessons from the recent financial sector crisis, to raise the bar for sound supervision reflecting emerging supervisory best practices. New principles have been added to the methodology along with new essential criteria (EC) for each principle that provide more detail and additional criteria (AC) that raise the bar even higher. Altogether, the revised Core Principles now contain 247 separate essential and additional criteria against which a supervisory agency may now be assessed. In particular, the revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention. 10. The assessment team reviewed the framework of laws, rules, and guidance and held extensive meetings with officials of the BNB, and additional meetings with the Finance Ministry, auditing firms, professional bodies, and banking sector participants. The authorities provided a comprehensive self-assessment of the CPs, as well as detailed responses to additional questionnaires, and facilitated access to supervisory documents and files on a confidential basis as well as staff and systems. 7 BULGARIA 11. The team appreciated the very high quality of cooperation received from the authorities. The team extends its thanks to staff of the authorities, who provided excellent cooperation, including extensive provision of documentation and technical support, at a time when many other initiatives related to domestic concerns and international regulatory initiatives were in progress. 12. The standards were evaluated in the context of Bulgaria’s financial system’s sophistication and complexity. The CPs must be capable of application to a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breadth of application, a proportionate approach is adopted within the CP, both in terms of the expectations on supervisors for the discharge of their own functions and in terms of the standards that supervisors impose on banks. An assessment of a country against the CPs must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, and risk profile and cross-border operation of the banks being supervised. In other words, the assessment must consider the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another. 13. An assessment of compliance with the BCPs is not, and is not intended to be, an exact science. Reaching conclusions required judgments by the assessment team. Banking systems differ from one country to another, as do their domestic circumstances. Furthermore, banking activities are undergoing rapid change after the crisis, prompting the evolution of thinking on, and practices for, supervision. Nevertheless, by adhering to a common, agreed methodology, the assessment should provide the Bulgarian authorities with an internationally consistent measure of the quality of their banking supervision in relation to the revised Core Principles, which are internationally acknowledged as minimum standards. INSTITUTIONAL AND MARKET STRUCTURE— OVERVIEW 14. Banking represents the most significant sector of the Bulgarian financial system. As at June 2014, financial system assets in Bulgaria accounted for 141.5 percent of GDP with the banking sector representing 76 percent of this. There is a relatively low exposure of the financial system to external markets and little use of external market financing which may have contributed to relative insulation from the global financial crisis. The risk profile of the banking system is largely focused on credit risk. 8 BULGARIA 15. The structure of the non-banking sector of the financial system is relatively evenly distributed between sub-sectors. Sector Asset size BGN bn Insurance Companies 5.5 Supplementary pension insurance funds 7.6 Local investment funds 0.8 Non-bank investment firms 4.6 Vehicle finance corporations 1.5 Leasing companies 4.3 Specialized lenders 2.6 Source: BNB Quarterly Bulletin on Banks. 16. Bulgaria is predominantly a host state to EU banking groups. While most banks in Bulgaria are locally incorporated, less than a quarter of the market share, 23 percent, is held by domestic banks and 73 percent is held by subsidiaries with EU parents. Approximately a quarter of the market share, 24 percent, is held by Greek-owned subsidiary banks.2 Altogether there are 28 banks in Bulgaria (excluding one recently failed bank), of which 6 are branches. Banking establishments from outside of the EU represent less than 1.5 percent of the banking system. 17. The banking sector weathered the global financial crisis, but stress emerged in June 2014 with two bank failures. Following runs on deposits, the BNB put two banks into conservatorship. Soon after this intervention, a third domestic bank suffered a depositor run and was supported by emergency liquidity (state aid approved by the EC). As Bulgaria introduced a currency board arrangement (CBA) in July 1997, following a systemic banking crisis, the Lender of Last Resort function from the BNB is limited to the excess coverage of the arrangement. 18. Notwithstanding the damage to confidence from the banking crisis the banking system has shown resilience. Reported system wide capital adequacy figures remain strong. Capital adequacy has been calculated under the EU Capital Requirements Regulation since January 2014, which permits a slightly more generous treatment for some risk weights than the previous BNB regime. As of December 2014, the system CAR stood at 22 percent, and the Tier 1 capital ratio 2 Data as of end December 2014. 9 BULGARIA was 19.9 percent. In Bulgaria, the majority of tier 1 is held in common equity and the system wide CET1 ratio was 19.5 percent. With the advent of the CRR, the BNB can no longer apply a minimum 12% CAR as it had formerly done. The BNB has however, imposed the capital conservation buffer of 2.5 per cent since May 2014 and has also applied a capital buffer for systemic risk of 3 percent of total risk weighted exposures located within the country and calculated in accordance to Article 92 (3) of Regulation 575/2013/EC. 19. Resilience to liquidity shocks is also important in the Bulgarian context. Here too, reported liquidity indicators are strong. The liquid assets-to-liabilities ratio in the banking system, as at end January reached 31.8 percent. The EU equivalent of the Basel Liquidity Coverage Ratio (LCR) is not yet fully in force and will not be until October 2015 according to the EU timetable, but the BNB continues to maintain its prior liquidity regime, which requires banks to avoid maturity mismatches over a range of maturity bands. Daily reporting enables the BNB to monitor the situation closely. 20. However, system wide non-performing loans (NPLs) are also high. The reported NPLs (on a gross basis), and excluding the failed bank, in Bulgaria stood at 18.1 percent as of end- September 2014, representing an increase of 15 percent of total loans since the global financial crisis began in 2008. PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION Sound and sustainable macroeconomic and financial sector policies 21. Bulgaria’s supervisory credibility came under scrutiny in 2014, following the banking failures. In addition to the shock to the banking system stability there was a sharp deterioration in the hitherto strong fiscal stance. Political turbulence and unaddressed governance issues have heightened concerns about the direction of macroeconomic and financial policy, putting increased strain on the economic outlook. The currency board arrangement (CBA)—which has served as an effective policy anchor since 1997 and helped Bulgaria successfully weather the global and Euro- area crises—both reinforces and relies on sustained, sound macro-financial policies, comfortable buffers, and progress in advancing the convergence agenda with the EU. Under the rules of the CBA, the aggregate amount of the Bulgarian National Bank’s monetary liabilities (including all banknotes and coins in circulation) may not exceed the equivalent in Bulgarian levs of the gross foreign exchange reserves. The Bulgarian lev is fixed to the euro (BGN 1.95583 equals €1). The Framework for Financial Stability Policy Formulation Institutional and Legal Setting 22. Responsibilities for supervision of financial institutions and markets are divided between the BNB for banks and the Financial Supervision Commission (FSC) for non-banks 10 BULGARIA and markets. The FSC was established on March 1st, 2003 under the Financial Supervision Commission Act. The FSC is established as an independent institution and reports to the National Assembly of the Republic of Bulgaria. The Commission is responsible for the regulation and supervision of the non-banking financial sector, including markets, insurance and pensions. Financial stability coordination 23. The BNB and FSC, together with the Ministry of finance cooperate and share information within a formal macroprudential framework, namely the Financial Stability Advisory Council (FSAC). The FSAC is established under the Financial Supervision Commission Act (FSCA) as an advisory body. The FSAC consists of the Minister of Finance, the Governor of the BNB and the Chairman of the FSC. The macro-prudential framework in Bulgaria was initially implemented in 2003 and further enhanced in 2010 through amendments to the Financial Supervision Commission Act (FSCA) that provides for significantly strengthened role of the Financial Stability Advisory Council (FSAC). 24. The BNB, FSC and FSAC are the authorities and bodies responsible for financial stability policy formulation According to the existing framework for financial stability and macro- prudential policy in Bulgaria, the Bulgarian National Bank and the Financial Supervision Commission are responsible for maintaining financial stability in their respective areas of competence. Furthermore FSAC has competence for carrying out advisory and coordination functions. The FSAC is chaired by the Minister of Finance, had adopted Rules on its Operation, and takes all decisions by consensus. The FSAC can address proposals and recommendations to its members in connection with the powers of the institutions represented by them with regard to the protection and maintenance of the financial stability, and to the prevention and management of financial crises. Moreover, with regard to the improvement of macro-prudential policies in the country, the FSAC shall discuss proposals arising from recommendations or warnings of the European Systemic Risk Board (ESRB), on the initiative of each of the Council’s members. The Council also has the responsibility to approve a national action plan in the event of crisis. The FSAC meets quarterly, though more frequently at will, and is supported by a standing committee. 25. The FSCA stipulates that: the main objective of the FSAC shall be to foster a more efficient cooperation for maintaining the financial stability through information exchange and assessment of the status and development of the financial system and the financial markets in Bulgaria and the potential impact of external and internal factors on its stability, and co-ordinating the actions in this direction. FSAC conducts its monitoring and analysis of systemic risks based on analytical work carried out by its member institutions. 26. The BNB is responsible the assessment of systemic risks facing the banking system, while the FSC – for the non-bank financial sector. The analytical contribution from the BNB comes from the the Macro-prudential Supervision and Financial Stability Directorate, which was created in 2014 out of a merger of two previous units and with the objective of achieving synergies between financial stability and prudential supervision. The unit also contributes to the work of the 11 BULGARIA BNB’s macro-prudential mandate and is in line with the new EU supervisory architecture (ESRB and the ESA’s) and the ESRB recommendation on the macro-prudential mandate of national authorities. A Well Developed Public Infrastructure System of business laws 27. As a member of the EU, Bulgaria is subject to a comprehensive suite of EU legislation on company law. This includes the EU First, Second, Fourth, Seventh, and Eighth Company Law Directives, as well as the Transparency Directive, the IAS Regulation, and the Banks and Insurance Accounts Directives. According to European Commission monitoring of transposition at January 2012, Bulgaria had notified, and been examined by the Commission on the implementation of 90 percent of applicable Company Law and Anti-Money Laundering Directives. Only one directive post- dates the monitoring exercise, relating to coordination of safeguards in respect of the formation of public limited liability companies and the maintenance and alternation of their capital. The prevailing business legislation in Bulgaria includes the Commerce Act, the Bank Bankruptcy Act, the Obligations and Contracts Act, the Consumer Protection Act, the Ownership Act, etc. The Consumer Protection Act and the Consumer Credit Act contain specific mechanism for the fair resolution of disputes. Efficient and independent judiciary 28. The judiciary is formally independent. Pursuant to the Bulgarian Constitution (Article 117) the judiciary protects the rights and legitimate interests of the citizens, the legal persons, and the State. In the performance of their functions, all judges, jurors, prosecutors and investigating magistrates are subservient only to the law. The judiciary has an independent budget. The right to a fair and open trial within a reasonable time before an independent and impartial court, according to the Judiciary System Act (Article 7) all citizens are entitled to a fair and open trial. Citizens and legal entities are entitled to judicial protection that can not be denied to them. The fundamental principles of efficient and independent judiciary are stipulated also in the Code of Civil Procedure, Criminal Procedure Code, Criminal Code and Administrative Procedure Code. 29. External perception of judicial independence and efficiency in Bulgaria is, however, weak. According to the 2015 EU Justice Scoreboard (an annual exercise) the perceived independence of justice in Bulgaria has decreased, with Bulgaria now jointly sharing the worst rating in the EU. The Global Competitiveness Report for 2014-15 ranks Bulgaria 126th out of 144 countries on judicial independence, 124th on the efficiency of the legal framework in settling disputes and in challenging regulations, and 110th on protection of property rights. In December 2014, the government adopted a new judicial strategy to guarantee the independence and professionalism of the courts and other judicial authorities. Bulgaria is also preparing to amend the Judicial System Act. 30. The administration of justice in Bulgaria is based on three instances and the courts administer civil, criminal and administrative cases. The governing law is the Judicial System Act, which sets out the structure and operating principles of the judicial bodies and governs their 12 BULGARIA interaction with each other and with the legislative and executive bodies. The Supreme Judicial Council is the highest administrative authority and is responsible for managing the judiciary and ensuring its independence. It determines the composition and organization of the judiciary. 31. The legal profession is governed by the Constitution of the Republic of Bulgaria and the Judicial System Act. The main legal professions in Bulgaria are the public prosecutor, investigator, judge, attorney-at-law, notary public, private bailiff, State bailiff and registration judge.  The public prosecution service in the Republic of Bulgaria consists of a number of offices, including but not limited to, the Prosecutor-General, and the National Investigation Service. All prosecutors and investigators are subordinate to the Prosecutor-General. The prosecutor leads an investigation as supervising prosecutor and the prosecutor’s acts are open to appeal unless subject to judicial review. The Prosecutor-General is appointed (and removed) by the President of the Republic of Bulgaria, acting on a proposal from the Supreme Judicial Council for a period of seven years, and is not eligible for a second term in office. Subject to a positive appraisal of performance, prosecutors acquire tenure after five years in office. The Prosecutor-General may refer matters to the Constitutional Court.  Investigators in the Republic of Bulgaria have the status of magistrates (judges and prosecutors) under the Judiciary Act. Investigative bodies are the National Investigation Service (NSlS), the provincial investigation departments at the provincial prosecutors' offices and the investigation department at the Specialized Prosecutor's Office. When carrying out their tasks in connection with criminal proceedings, the investigating authorities act under the direction and supervision of a public prosecutor. Orders issued by investigators in the course of an investigation are binding on all State bodies, legal entities and citizens.  Judges in Bulgaria are appointed, promoted and demoted, transferred and relieved of office by decision of the Supreme Judicial Council. Subject to a positive comprehensive appraisal of their performance, judges acquire tenure by decision of the Supreme Judicial Council after five years in office. The profession of attorney-at-law is an activity governed by the Constitution. The status, rights and obligations of attorneys-at-law are regulated by the Bulgarian Bar Act. The Supreme Bar Council is a legal entity comprising representatives of the provincial bar associations, keeps a register of attorneys-at-law. Registration judges order or refuse entries, endorsements and removals from the property register and decide whether references and certificates are issued; they perform notarial and other deeds laid down by law. Registration judges may act only in their own district and their number is decided by the Minister for Justice. Accounting principles and rules 32. Under the EU's legislation, all listed EU companies must prepare their consolidated accounts in accordance the International Financial Reporting Standards (IFRS). Bulgaria has applied IFRS since 2003, predating its accession to the EU. Hence all listed companies in Bulgaria, as well as banks, insurance companies, mutual funds, and other financial institutions, have been required to prepare their consolidated financial statements using IFRSs since 2003. The obligation of 13 BULGARIA listed companies and financial institutions and all large Bulgarian limited liability entities to report both the consolidated and individual company financial statements has been in place since 2005, again pre-dating membership of the EU which took place on 1 January 2007. National Financial Reporting Standards for Small and Medium-sized Enterprises apply to entities which fall under de minimis criteria. Such entities may, though, adopt International Accounting Standards. All credit institutions are subject to International Accounting Standards, regardless of being listed companies or not. System of independent external audits 33. The annual financial reports of the banks are subject to independent financial audit, according to the Law on Accountancy. The annual report must be audited and has to include the full audit report. The auditor shall perform the audit in accordance with ISA’s generally accepted auditing practices, which are introduced with the Law on Independent Financial Audit. The audit of the public financial reports is conducted in accordance with internationally accepted auditing practices and standards and related procedures determined by International Auditing Standards (Article 2 of the Law on Independent Financial Audit). Under the LCI the annual financial statements of each bank, and the supervisory reports as determined by the BNB are subject to audit and certification by a specialized auditing company which is a registered auditor under the Law on the Independent Financial Audit. 34. Bulgaria has established a Commission for Public Oversight on Statutory Auditors (CPOSA). The CPOSA was established in compliance with the European Union Directive on statutory audits (Directive 2006/43/EC). 35. The profession of Registered Auditors is a protected title in Bulgaria. Statutory Audit and consulting services are reserved to Registered Auditors. In 2011 there were over 600 qualified professional and over 90 specialist auditing companies. New trainees were accepted to the profession at a rate of approximately 150 per year. As in other jurisdictions, auditors must pass professional exams and have two years professional experience as an assistant auditor before qualification. The Institute of Certified Public Accountants, which also acts as the professional body for accountants, is responsible for the registration of auditors. Payment and clearing systems 36. The BNB has responsibility for assisting in the establishment and overseeing the functioning of efficient payment systems and for supervising payment systems operators in Bulgaria under the organic Law on the Bulgarian National Bank (LBNB). The Banking Integrated System for Electronic tRAnsfers (BISERA; the system processing customer transfers which are to be settled at a designated time) was introduced in 1992. A system for servicing interbank client payments in euro initiated for settlement at a designated time (ie not RTGS) BISERA7-EUR was put into operation in 2010. The BNB launched the national component system TARGET2-BNB on February 1, 2010. The ancillary system BISERA7-EUR, operated by BORICA-BANKSERVICE JSC, joined TARGET2 on the same date. Membership of TARGET2 is not yet mandatory for Bulgaria as it is not 14 BULGARIA yet a Eurozone member. The national card operator, the Bank Organization for Payments Initiated by Cards (BORICA), was established in 1995 to process card payments in Bulgaria. Two securities settlement systems have also been established: the Government Securities Depository (GSD) in 1992 and Central Depository AD (CDAD) in 1996. In June 2003 the RTGS system RINGS was launched. This provides final settlement for all payments in the country. Framework for Crisis Management, Recovery and Resolution 37. The current legal framework for the recovery and resolution of credit institutions needs essential improvements since it does not grant the authorities sufficient scope to manage a crisis fully effectively. The collapse of Corporate Commercial Bank AD (KTB) in 2014 revealed a series of major weaknesses in the domestic regime for dealing with problem banks, including the absence of a good bank/bad bank option. As of today, the BNB can address problem banks (including in case of risk of insolvency) by subjecting a bank to a special supervision regime. The BNB Governing Council will appoint one or several conservators who will take, under the authority of the BNB, all measures to redress the bank. If the conservatorship of the bank does not improve its financial situation (i.e. its solvency or liquidity position is still deteriorating), the BNB can withdraw the license and petition to the competent court for initiation of bankruptcy proceedings. 38. The difficulty to apply an orderly resolution has prompted the authorities to revisit its legal framework for the recovery and resolution of credit institutions. Such framework will be available after the implementation of the BRRD (EU Directive 2014/59/EC (Resolution and Recovery of Credit Institutions and Investment Firms)) in the Bulgarian legislation by means of new legal provisions and amendments to the existing legal framework (e.g., the Law on Credit Institutions, the Law on Bank Bankruptcy, and the Law on the BNB). At the time of the assessment it was expected that the BNB would be designated as the Resolution authority and the Bulgarian Deposit Insurance Fund (BDIF) as the Resolution fund. This transposition into the national regime is in progress and it is expected to come in force by end of 2015.3 The adequacy of systemic protection (public safety net) 39. The Bulgarian Deposit Insurance Fund (BDIF) is a legal entity established by the 1998 Law on Bank Deposit Guarantee. The Fund protects depositors’ funds in banks up to BGN 196,000 (EUR 100.000) as well as creditors’ interests in bank bankruptcy proceedings. The BDIF is entering in a transition phase in the context of the revision of the law on bank deposit guarantee and the transposition into the Bulgarian regime of the EU Bank Recovery and Resolution Directive.4 The BDIF expects to be granted more powers particularly in relation to funds management and to new approaches for banks’ contribution calculation. Also, the new law will address important weaknesses 3 Post-assessment update: The Bulgarian Law on recovery and resolution of credit institutions, transposing Directive 2014/59/EC, was officially adopted by the Bulgarian Parliament on July 30, 2015. 4 Post-assessment update: The amendments in the Law on bank deposit guarantee, transposing Directive 2014/49/EC, was officially adopted by the Bulgarian Parliament on July 30, 2015. 15 BULGARIA that have surfaced during the KTB crisis, including by facilitating timelier payout of insured deposits.5 Further, in the wake of the KTB collapse, the BDIF has processed through a network of nine participating banks the claims of 104,640 depositors of the bank for a total amount of BGN BGN 3,5 billion (EUR 1.7 billion). Effective market discipline 40. Transparency in banks’ ownership structures is a reducing concern. The Banking Supervision Department of the BNB expressed doubts on transparency in a few banks, including one in which three companies with qualifying shareholdings were located in off-shore centers with undisclosed UBO. Further analysis was performed to collect information to establish the true identity of the beneficial owners and lift any reservation about the transparency of the institutions. In addition, the BNB has fostered its due diligence in that regard by sending every year a letter requesting shareholders (holding more than 3% of share or voting rights) to confirm information about their business, type of investments (shares, bonds), and audited financial statements. The BNB told the mission that it is confident about the transparency of ownership structure in banks. 5 The Bulgarian Law on Bank Deposit Insurance uses the withdrawal of a bank’s license as the only trigger for pay-out of guaranteed deposits. Both the European Commission and the European Banking Authority have claimed that this situation is in breach of the EU Deposit Guarantee Scheme Directive (DGSD). 16 BULGARIA DETAILED ASSESSMENT A. Supervisory Powers, Responsibilities and Functions Principle 1 Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.6 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.7 Essential criteria The responsibilities and objectives of each of the authorities involved in banking supervision 8 are EC1 clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. Description In Bulgaria, the provisions relating to responsibilities, objectives and powers can be found in two and findings major legislations, (i) the Law on the BNB (hereafter LBNB) and (ii) the Law on Credit Institutions re EC1 (hereafter LCI) that governs the activity of financial institutions. The BNB has sole responsibility for banking supervision in accordance with the laws mentioned above. The LBNB (art. 20, paragraph 3) explicitly empowers BNB to be the bank supervisor, with authority over banks and branches of foreign banks operating in Bulgaria, and branches of Bulgarian banks operating in other countries. Along the same lines, the LCI art. 1 (2) stipulates that the BNB “ is empowered to supervise banks.” The BNB is also competent for the supervision of financial holding companies and mixed financial holding companies. The Law states that BNB has the power to supervise such institutions, and in doing so, is authorized to develop standards of safety and soundness. Both the LBNB and the LCI, through various articles therein, empower BNB with the authority to carry out virtually all supervisory functions, such as conducting on-site examinations, licensing banks, and collecting information for supervisory purposes. It is noteworthy that supervision and monitoring over the implementation of the AML/CFT requirements is placed under the oversight of both the BNB and the Financial Intelligence Directorate (FID) [the Financial Intelligence Unit located within the State Agency for National Security (SANS)]. The primary responsibility for the supervision of AML/CFT measures for banks (and all obliged persons) rests with FID-SANS. However, the BNB is also empowered to conduct on-site AML inspections either on its own –through its Special Supervision Directorate within the Banking Supervision Directorate (BSD)- or jointly with the FID. According to the BNB, this dual oversight arrangement does not create gaps or duplication and the delineation of duties between the two 6 Inthis document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation. 7 The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles. 8 Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification. 17 BULGARIA bodies are clear. The Internal Manual on Banking Supervision Process sets the governing structure of the Banking Supervision Department. This manual describes the banking supervision process and determines the responsibilities of the separate directorates as well as their interrelationship in executing their tasks. The BNB has no supervisory responsibilities over non-bank financial institutions. This functions lies with the Financial Securities commission (FSC) which regulates, licenses and oversees participants to the non-banking financial market (Insurance, Pension funds, Securities). The responsibilities and objectives as described above are defined in legislations and publicly disclosed, particularly on the BNB website. On the other hand, the normative acts of the BNB, which are compulsory for financial institutions, are also available on the BNB website. The primary objective of banking supervision is to promote the safety and soundness of banks and EC 2 the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. Description There are several provisions either in the LBNB or the LCI stipulating that supervision related and findings activities are performed with the goal of achieving banking system safety and soundness. Art. 1 (1) of re EC2 the LCI stipulates that BNB’s activities particularly in relation tosupervision of “compliance with the prudential requirements” aim to ensure a “stable, reliable and sound banking system.” According to art. 2 (1) of the LBNB, the primary objective of the BNB is to maintain price stability. There are however several provisions that seem to satisfy the requirement under EC2. Art.2 of the LBNB, in paragraph (6), stipulates that the objectives of the BNB are also to “ regulate and supervise other9 banks’ activities in this country for the purpose of ensuring the stability of the banking system and protecting depositors’ interests.” Further, the LCI, in its art. 79 (2) indicates that the BNB “shall exercise also macro-prudential supervision of banks in order to maintain the stability of the banking system.” Lastly, pursuant to art 14 (3), subparagraph 4, the BNB should, before granting a banking license, determine whether the activities that the applicant intends to carry out “ ensures the required soundness and financial stability.” On its website, the BNB has also made clear that a “strong and efficient banking supervision, together with an effective macroeconomic policy, is vital for the financial stability of a country. Supervising the credit institutions operating in Bulgaria is a major function of the BNB, and it aims to maintain the stability of the banking system and to protect the interests of depositors .” It is noteworthy however that the BNB exercises other functions, in particular with regards to transparency of products and monitoring of consumer trends. Within the Banking supervision Department, the Special Supervision Directorate (SSD) has been assigned multiple activities that go beyond its primary objective of ensuring integrity in the banking sector. Originally, the directorate was established for AML/CFT supervision only but progressively, as the BNB mandate expanded, the directorate was assigned additional activities including transparency of products10 related issues and compliance with deposit insurance rules to be performed together with AML. It is also important to note that the employees of SSD are frequently asked to assist the law enforcement authorities and 9 “other” meaning other banks than the BNB. 10 E.g., transparency of banking products and monitoring existing complaints’ handling procedures. 18 BULGARIA Bulgarian Courts in investigations of ML cases. Against this background, the assessors come to the conclusion that these activities should continue to be addressed efficicently by ensuring additional staff to be employed at SSD. It would be advisable to refocus the Special Supervision Directorate on its core AML mandate by assigning non-AML related activities to other relevant BNB departments. Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential EC3 standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile 11 and systemic importance.12 Description In Bulgaria, the LBNB and the LCI provide the main general framework for the supervisor to set and and findings enforce prudential standards for banks and banking groups. The legal basis for the BNB to exercise re EC3 pillar II types of measures are contemplated in the LCI art. 79 (c) as well as art. 103 (2). According to the latter (in subparagraph 5), the BNB can impose additional capital and/or liquidity requirement based on the risk to which the bank is exposed or the risks that the said bank pose to the financial system. Another provision can be found in art. 20 (3) of the LBNB whereby, in exercising his supervisory powers, the Deputy Governor is empowered to “apply, separately and at his own discretion, the actions and penalties as provided for by law ” on Credit Institutions. One can infer from this statement that the DG in charge of supervision can subject banks to increased prudential obligations in light of their risk profile. Banking laws, regulations and prudential standards are updated as necessary to ensure that they EC4 remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. Description Since the last FSAP update (2008), the legal and regulatory framework for banking supervision has and findings been updated several times, with several amendments over the last years in laws and subsequent re EC4 regulations. The most prominent recent changes to the laws governing banking and banking supervision relates to supervisory requirements imposed on European banks as set forth in EU Regulations. In effect, the European framework for banking supervision including the EU Directive 2013/36, the EU Regulation №575/2013 that entered into force on January 1 st, 2014 as well as the amendments in the Law on Credit Institutions (LCI) published in the State Gazette on March 25, 2014 led the BNB to issue new ordinances, such as the Ordinance №7 on the Or ganization and Risk management in Banks and Ordinance №8 on the Formation of Capital Buffers. Other recent amendments have included developing criteria relating to licensing, independence of Audit Committee members, among others. These new reforms also led the BNB to dropping off some of the existing ordinances as Ordinance №7 on the banks’ large exposures, Ordinance №8 on the capital adequacy of credit institutions and Ordinance №9 on the evaluation and classification of 11 In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank. 12In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement , November 2011. 19 BULGARIA risk exposures of banks and the allocation of specific provisions for credit risk as well as for supplement to the existing ordinances. More significant are the amendments in Ordinance №20 on the issuance of approval under Art.11, para 3 of the LCI, Ordinance №4 on the requirements for remunerations in banks13 and in Ordinance №11 on bank liquidity management and supervision. The law on Bank Bankruptcy is also expected to undergo a major revision in the wake of the KTB crisis. While in practice the BNB generally consults on draft regulations (e.g ordinance), these drafts are always subject to “unofficial” consultation with the Bulgarian banking industry (the Association of Banks in Bulgaria); there is however no legal obligation on it to do so. As indicated by the authorities, the BNB is normally heavily involved in drafting new laws affecting banking activities or any amendments to existing laws. When it comes to transposing EU regulation for examples, the MoF set up an inter-institutional working group involving the BNB, the Banking Association, the FSC and all other relevant stakeholders. The supervisor has the power to: EC5 (a) have full access to banks’ and banking groups’ Board, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; (b) review the overall activities of a banking group, both domestic and cross-border; and (c) supervise the activities of foreign banks incorporated in its jurisdiction. Description a) The BNB has the power to have access to banks and banking group’s information for supervisory and findings purposes. In effect, as stated in art. 4 (1) of the LBNB, the BNB is empowered to ”demand from banks re EC5 to submit any documents and information, and may also carry out the requisite examinations.” The LCI also provides similar broad powers to the BNB. As per art. 80 (1), the BNB “ shall have the right to require banks and, when applicable financial holding companies, mixed financial holding companies and their shareholders or partners to submit to it all the relevant accounting and other documents, and any information on their activities, and to conduct on-site inspections […], and to investigate possible breaches of [regulations].” Further, art. 80 c of the same law stipulates that the BNB has the right to (i) have free access to the office premises and information systems of the bank, (ii) demand documents and collect information in relation to the performance of its tasks, (iii) attend the meetings of the managing and controlling bodies of banks and express opinions that are to be written down in the minutes of the meeting, etc. b) For banking groups, in virtue of LCI art. 89 (1), the BNB is empowered to carry out supervision on a consolidated basis over banks, banking groups, financial holding companies, mixed financial holding companies and mixed holding companies. These institutions are required to implement arrangements, processes and mechanisms required by the LCI also in their subsidiaries, including these which are not subject to this law. Those arrangements, processes and mechanisms shall also be consistent and well-integrated and those subsidiaries shall also be able to produce any data and information relevant to the purpose of supervision. Therefore, the BNB can require parent companies and banks’ subsidiaries to provide all the relevant documents and information, as well as right for free access to the information. 13The most significant change in Ordinance №4 refers to the implementation of a requirement to the size of the variable elements in the remuneration not to exceed 100% of the size of the constant elements in the total remuneration. 20 BULGARIA c) Foreign banks incorporated in Bulgaria are subject to the same degree of regulation and supervision, and locally incorporated operations of foreign banks are treated as local banks. When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely EC6 to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: (a) take (and/or require a bank to take) timely corrective action; (b) impose a range of sanctions; (c) revoke the bank’s license; and (d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate. a), b) and c): The LCI and the LBNB grant powers to the BNB to take (and/or require a bank to take) Description corrective actions and impose sanctions. Art. 103 (1) of the LCI sets out a list of measures that can be and findings taken by the BNB when banks do not comply with regulations or, for example, when they constitute re EC6 a threat to depositors’ interest. Art. 103 (2) sets out the type of administrative sanctions available to the BNB. The list appears comprehensive with a very few exceptions, ranging from issuing wrtiien warnings to revoking the licence. The BNB, however, seems not to be able to dismiss other relevant staff beyond senior management. As indicated above, the BNB can dismiss one or more individuals authorized to manage and represent the bank as well as members of the management board, board of directors or supervisory board. If within the time limit set by the BNB the bank has not dismissed the respective person, the BNB may remove that person from office and appoint another person in his place. Nevertheless, this power does not seem to apply to other staff, particularly to risk officers and other relevant staff holding important functions in the bank (Compliance, RM, AML and credit Officers). The BNB is not empowered either to change bank’s internal structure. The LCI, Art. 103 (2)15 empowers the BNB to change bank’s internal rules and procedures but not its internal organization or structure. In assessors’ opinion, this is an important power to have, even though it should be used only in extremis. The LCI provides the BNB with other enforcement power under the so-called “Special Supervision” regime (art. 115) according to which the BNB may establish a special supervision procedure concerning a bank if it finds that the bank is “at risk of insolvency.” In such case, a “conservator” is appointed by the BNB for a period of 6 months. An example of this is the decisions taken in June 2014 by the BNB Governing Council to place Corporate Commercial Bank AD (‘KTB’) and Victoria Commercial Bank EAD (‘VCB’) under respectively conservatorships and special supervision due to a risk of insolvency, for a period of three months.14 Lastly, the BNB is also vested with the power to impose fines and pecuniary sanctions in the conditions established in art. 152 of the LCI. d) In consonance with art. Art. 121a of the LCI, the BNB has some resolution powers. The law empowers it to prepare a plan for “orderly resolution of each bank, licensed in the Republic of 14 The license of KTB was revoked right after this conservatorship as the bank was found to be insolvent. 21 BULGARIA Bulgaria, which might be applied if the bank is in financial difficulties .” However in light of the collapse of KTB in 2014, the fourth bank in the country, the resolution regime for banks has exhibited major weaknesses (see CP 11 for more details). As indicated by the authorities, the country has not developed yet a single legal framework for the recovery and orderly resolution of credit institutions. Further, the Resolution authority is still to be established under the new regime. In fact, Bulgaria is currently in the process of transposing the EU Bank Recovery and Resolution Directive (BRRD) into its legal apparatus and the final transposition of the BRRD framework for banks is set to August 2015.15 As a result, the conditions for cooperation and collaboration with relevant authorities -as required under this EC- are still to be determined and implemented. The supervisor has the power to review the activities of parent companies and of companies affiliated EC7 with parent companies to determine their impact on the safety and soundness of the bank and the banking group. The BNB is empowered to carry out supervision on a consolidated basis over banks, banking groups, Description financial holding companies, mixed financial holding companies and mixed holding companies. The and findings supervisor enjoys free access to all relevant information. re EC7 Assessment Largely Compliant. of Principle 1 Comments Primary objective of banking supervision (CP 1, EC 2) In addition to promoting the safety and soundness of banks and the banking system, the BNB exercises other functions in particular with regard to transparency of products. Within the Banking supervision Department, the Special Supervision Directorate (SSD) has been assigned multiple activities that go beyond its primary objective of ensuring integrity in the banking sector. Originally, the directorate was established for AML/CFT supervision only but progressively, as the BNB’s mandate expanded, the directorate has been given additional responsibilities including transparency of products and monitoring of consumer trends related issues (e.g., transparency of banking products and monitoring of existing complaints’ handling procedures ) as well as oversight of compliance with deposit insurance rule. It is also noteworthy that in addition to their responsibilities, the employees of SSD are frequently asked to assist the law enforcement authorities and Bulgarian Courts in investigations of ML cases. Against this background, the authorities are recommended to find a way to permit the SSD to focus on its core objective. The transfer of non-core activities outside the Supervisory ambit could be an option. Another aspect, less essential tough, is the title of the SSD that may create some confusion with the “special supervision” regime contemplated in the LCI. It is advisable to rename the department. Supervisor’s power to impose a range of sanctions (CP1, EC 6(b)) The BNB has available a wide range of supervisory tools to address situations where banks do not comply with laws and regulations or where banks engage in unsound practices. Under the LCI Art. 103 (2), the BNB may, depending on its view of the seriousness and nature of detected shortcomings take one or more of a broad selection of supervisory measures, as deemed appropriate. These measures include both administrative compulsory measures and administrative penalties. In more serious scenarios, the BNB can force the bank to change its internal rules and procedures. However, the BNB is not empowered to require a bank to change its internal organization or structure. As indicated above, this is an important power to have, even though it should be used only in extremis. If a management fails, then it may be necessary for the BNB to ensure a new one can be put into 15 See the footnote on page 16. 22 BULGARIA place. It is of course of paramount importance to ensure that the BNB under its capacity of supervisor does not interfere in bank’s management. Cooperation and collaboration with relevant authorities for orderly resolution of banks(CP1 EC 6 (d)) The collapse of Corporate Commercial Bank AD (KTB) in 2014 revealed a series of major weaknesses in the domestic regime for dealing with problem banks, exacerbated by the lack of certain types of resolution powers. In the midst of the KTB crisis the BNB worked with the relevant authorities to draft a law that would have increased BNB powers to address KTB’s situation, including the creation of a good bank/bad bank option. The law was not passed but the incident illustrated that the current legal framework permitted the authorities insufficient scope to manage a crisis fully effectively. The eventual transposition and implementation of the EU Bank Recovery and Resolution Directive (BRRD) into national law is critical to address the gaps in the resolution and crisis management toolkit, and to provide for coordinated and timely remedial actions to deal with problematic banks. In considering this criterion it is important to make the distinction that the deficiency for the purposes of the BCP is that the BNB does not, at present, have sufficient options in order to cooperate and collaborate to achieve the orderly resolution of a bank. The lack of resolution powers is not a valid basis for a downgrade because the BCPs do not expect the supervisory authority necessarily to be the resolution authority. Once the BRRD is trasnsposed and implemented and the archtiectures for resolution is put into place, including designation of the resolution authority for banks and investment intermediaries as well as resolution funds and adequate resolution and recovery planning. Recommendations o Refocus the Special Supervision Directorate on its core AML mandate by assigning non-AML related activities to other relevant BNB departments. o Explore possible amendments to the LCI to provide the BNB with additional powers including the possibility to impose changes in banks’ internal organization and structure. o Consider the possibility to remane the SSD in a way that does not introduce confusion with the “special supervision” regime. Independence, accountability, resourcing and legal protection for supervisors . The supervisor Principle 2 possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. Essential criteria The operational independence, accountability and governance of the supervisor are prescribed in EC1 legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. The BNB, as noted in CP1, is the institution with responsibility under the law for the regulation and Description supervision of banks (Law of the BNB 2(6)). and findings re EC1 The BNB itself is managed by its Governing Council which is composed of the Governor, three Deputy Governors and three non-executive members. Each of the three Deputy Governors is responsible for one of the three “basic” departments of the BNB as established in law (Law of the BNB Art 19). The three deputy governors of the BNB are proposed by the Governor and elected by 23 BULGARIA the National Assembly for a term of 6 years. The remaining three members of the Governing Council are appointed by the President. (Art 12 Law on BNB). The Banking Supervision Department of the BNB is one of the three “basic” departments and the Deputy Governor heading the Banking Supervision Department exercises supervision over the banking system (Article 20(3) of the Law of the BNB). The Deputy Governor for the banking supervision department may organize, direct and is responsible for the activities of the department. (Article 19 (3) of the Law on BNB). In exercising his supervisory powers under the law, the Deputy applies, separately and at his own discretion, the actions and penalties as provided for by the law on Credit Institutions (LCI) (Article 20 (3) of the Law on BNB). As set out in Article 151 (1) of the LCI, there are three types of decision that the Governor and the Deputy Governor with responsibility for supervision present jointly to the Governing Council for a decision. These are decisions for license (or its rejection), revocation of authorization or appointing a conservator or placing a bank into special supervision measures when at risk of insolvency. The Governing Council also has responsibility for issuing regulations. In all other cases, the supervisory decision to issue an administrative act, meaning the use of the corrective and remedial powers of the supervisor (whether fines, restrictions or dismissals etc) which are found in Article 103 of the LCI rests with the Deputy Governor. The Deputy Governor may delegate this authority. At the time of the assessment, the Deputy Governor with responsibility for supervision had been dismissed by the National Assembly and an Acting Deputy Governor was in place. The dismissal of the former Deputy Governor took place on 21 January 2015, two months prior to the assessment. The Deputy Governor had initially stepped down, taking leave from his office, in June 2014 as a result of the events surrounding the failure of Corporate Commercial Bank (KTB). When the Deputy Governor took leave of absence from the BNB, the supervisory powers were delegated by the Deputy Governor to the Acting Deputy Governor. The LBNB does not address the situation where the Deputy Governor is absent or unavailable due to unforeseen reasons (for example, sudden fatal illness). The process for the appointment and removal of the head(s) of the supervisory authority and EC2 members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. As noted above, the Deputy Governor for supervision is proposed by the Governor and is elected by Description the National Assembly (Art 12(1) LBNB). The BNB has no authority to suspend or dismiss any and findings member of the Governing Council. Only the National Assembly has the authority to dismiss the re EC2 appointees it has elected, which are the Governor and the three Deputy Governors of the BNB. The remaining three members of the Governing Council, who do not hold executive positions in the BNB are appointed by the President, who has the power of dismissal in respect of these positions. Under the LBNB (Art 11(3)) all Members of the Governing Council must be persons of the highest integrity and prominent qualifications in economics, finance or banking. The law further sets out a number of conditions that disqualify an individual from being appointed as a member of the Governing council. These conditions include, broadly, having served a custodial sentence, bankruptcy, conflicts of interests, or having a close relationship to another member of the Governing Council (Article 11(4) LBNB). The term of office of the Deputy Governor heading the Banking Supervision Department is six years (Art 12 (4) LBNB). 24 BULGARIA Article 14 (1) of the LBNB establishes that a member of the Governing Council may only be relieved from office if that person meets any of the terms of disqualification as set out in Article 11(4)LBNB or for reasons of incapacity for more than six months or for serious misconduct. (Art 14(1) LBNB). The LBNB follows the statutes of the ECB with respect to this issue. There is no legal requirement for the reason for dismissal to be publicly disclosed within the LBNB but disclosure is required under the rules of procedure of the National Assembly itself. The decision to relieve the Governor from his or her post may be referred to the Court of Justice of the European Union by the Governor or the Governing Council of the ECB. (Art 14(3)). As also noted in EC1, the Deputy Governor for Supervision was dismissed in January 2015. At the time of the assessment, the Governor had made a proposal for a new candidate but the National Assembly had not taken any decision and no further actions could be taken to replace the Deputy Governor could take place until the National Assembly had made its determination. The supervisor publishes its objectives and is accountable through a transparent framework for the EC3 discharge of its duties in relation to those objectives. 16 The objectives and responsibilities of the Banking Supervision Department are set in the BNB law and Description the LCI. The performance of the main tasks of BSD is reflected in the semi-annual and annual BNB and findings reports to the Parliament. re EC3 The BNB annual report, (published both in Bulgarian and in English), is adopted by the BNB Governing Council under LBNB (Art 1 (2) and Art 51), and is presented to the National Assembly for information. This report, against the background of the analysis of the macroeconomic development in Bulgaria and the global economic developments, reviews the Bank’s activities and functions over the year and the forthcoming tasks. The report includes the Bank’s consolidated financial statement for the respective year, as well as statistical appendices. With respect to supervision, the reports outline the condition of the banking sector, regulatory developments and any other developments, such as changes in the management of banks in Bulgaria, issuance of capital instruments, and notifications such as inward or outward use of EU “passporting” to provide services within the EU. The supervisor has effective internal governance and communication processes that enable EC4 supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. The governance structure of the BNB as set out in the LCI and BNB provides that most supervisory Description decisions and actions must be taken by the Deputy Governor for supervision, unless powers have and findings been delegated by the Deputy Governor. Decisions on licensing, revocation, special supervision re EC4 (putting a bank into conservatorship) or issuance of regulations are made by the Governing Council on the basis of a joint proposal by the Governor and Deputy Governor. Prior to the stepping down of the Deputy Governor in 2014, powers of decision making had not been delegated. The internal document, “Manual for the banking supervision process,” (dated June 2010) sets out the roles and functions of the various directorates within the banking supervision department, including the relationship between the directorates. 16 Please refer to Principle 1, Essential Criterion 1. 25 BULGARIA The manual confirms that there are processes to ensure the review of reports before they are submitted to the director. Also the manual indicates at which level of seniority which functions need to be carried out (whether identification of issues, or upward reporting). When supervisory measures or administrative penalties are initiated, time lines are set out for certain procedures. The manual does not, however, describe processes to scutinise key supervisory decisions that might need to be made (ie a “four eyes” process). Nor does the manual specify procedures for instances when a more rapid escalation of an issue might be required. Staff indicated that in such cases, such as occurred in 2014, the process was to increase the speed and intensity of supervisory engagement to ensure that information was provided to senior management as quickly as possible. In practice the Governing Council met on a daily basis as needed. It is permissible for a member of the Banking Supervision Department to hold shares in a bank that is authorized in Bulgaria but the interest must be declared (see EC5). The LBNB has extensive provisions seeking to prevent the possibility of conflicts of interest in the Governing Council of the BNB. The law excludes certain persons from eligibility to sit on the Governing Council. According to Article 11(4) of the LBNB no member of the Governing Council may have a close relationship with another member of the Governing Council (item 5) or be the owner or board member of a commercial company (including a cooperative) (item 4). Furthermore, there are restrictions on the activities in which the Members of the Governing Council may engage in order to prevent conflicts of interest from arising (Art 12(5) and (6) LBNB). Essentially these provisions state that the Members of the Governing Council may not engage in remunerative activities, including working for financial institutions (including banks and insurance companies). The Governor and the Deputy Governor are permitted to take teaching engagements and may perform unremunerated activities if there is a unanimous decision by the Governing Council and there is no conflict of interest. The law also states that Members of the Governing Council shall not participate in the deliberation and shall abstain from decision-making on issues in which they or members of their families may have interest. They must notify the Governing Council in advance of any such interests. (Art 17(4) LBNB). As public office holders the Members of the Governing Council and the staff of the Banking Supervision Department shall observe the requirements of the Conflict of Interest Prevention and Ascertainment Act (Article 3, items 13 and 25). The supervisor and its staff have credibility based on their professionalism and integrity. There are EC5 rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. The staff of the BNB working in the Banking Supervision Department is appointed by a transparent Description competition – vacancies are publicly advertised - and aims to promote principles of professionalism and findings and ethics. re EC5 Professional secrecy The LCI contains a range of provisions establishing professional secrecy requirements, and administrative sanctions (fines) for failure to maintain such restrictions. 26 BULGARIA Employees of the BNB must observe professional secrecy regarding the banking activities and relationships of the BNB (Art 23(2)). Sanctions are applied under the LBNB (Art 61(2) unless the violation constitutes a criminal offence. The members of the Governing Council, employees, external auditors, experts and other persons working for the BNB are bound by professional secrecy even after the termination of their relations with the BNB. (Arts 63 and 64 LCI). Furthermore any violation under LCI, Regulation (EU) No 575/2013 (ie the CRR) or the regulatory acts governing their enforcement or Regulation (EU) No 1031/2010, provided the act does not constitute a crime shall be sanctioned by a fine, with escalating penalties. (Art 152(1) LCI). Conflicts of interest Safeguards put in place to prevent conflicts of interest for Members of the Governing Council are discussed in EC4 above. All employees are subject to the BNB Code of Conduct which also states (Art 9) that employees of the BNB must behave in such a way that conflicts of interests are avoided. Employees must also declare membership of the governing body of a political party. Employees of the BNB may hold shares in a credit institution but are required to make a written declaration. Also, under a decision of the Governing Council, (Decision № 155/20.12.1999 г.) relationships between employees are not permitted (eg spouse or relative). The Code of Conduct of the BNB Employee contains clear provisions to avoid conflict of interest, in addition to the provisions of Article 3 the Conflict of Interest Prevention and Ascertainment Act (LPACI) which are noted in EC4 and which indicate that neither members of the Governing Council, nor employees of the Banking Supervision Department, as public officials, shall participate in decisions in respect of issues in which they or their families may have an interest. Specifically, under the Code of Conduct affecting them or their affecting an institution:  An employee of the Bulgarian National Bank shall behave in way through which any conflict of interest is avoided (Art. 9. (1)).  An employee shall declare in writing to his/her line superior any election in a managerial or controlling body of a political party. (Art. 9. (2))  An employee, unless occupying a technical function, must file a declaration of incompatibility and for private interests pursuant to Art. 12 of the Law on Prevention and Ascertainment of Conflict of Interest (LPACI) according to a procedure determined by an order of the BNB Governor ( Art. 9. (3))  An employee must resign from exercising the powers or obligations of office, when on a particular occasion there is a private interest. An employee may be removed in a particular occasion from exercising of his/her powers or obligations of office with a written act of the BNB Governor on a proposal by the relevant line manager, if the employee has declared a private interest. Under the law, a technical function is defined as a position that does not include any managerial and controlling functions, or any position that requires the participation in the preparation of decisions, orders, internal rules and acts of legislation, analyses, forecasts, concepts, assessments, expert opinions and correspondence in the BNB sphere of competence. The technical function includes roles such as secretary translator or archivist. Where an issue is not directly regulated by the Code of Conduct, the provisions of the LPACI apply. 27 BULGARIA EC6 The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: (a) a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; (b) salary scales that allow it to attract and retain qualified staff; (c) the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; (d) a budget and program for the regular training of staff; (e) a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and (f) a travel budget that allows appropriate on-site work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges). Source of funding and budget sufficiency Description and findings The BNB is financed mainly by the revenues from its currency reserves operations. The annual budget re EC6 of the BNB (including the BSD budget) is approved by its Governing Council and is published. The BNB has the full discretion on the internal re-distribution of it's own budget and the ceiling of it's expenditures. The Bulgarian National Bank, pursuant to the LBNB (Art 51) addresses the annual budget, approved by the Governing Council, to the National Assembly and officially reports twice a year on the progress of it’s activities and it’s consolidated financial statement. Salary scales and staff retention By law, the remunerations of the employees of the BNB shall be determined by the Governing Council but it cannot be lower than the average remunerations of employees with respective functions in other banks of the country. (Art 23(3) LBNB). The HR department takes into consideration the salary scales of the commercial banks in making this determination. The salary scales apply across the BNB and are not differentiated for supervisory staff. While the BNB enjoys status and a reputation for security its salary levels are not necessarily commensurate with the market and some skilled staff have been lost over the previous 5 years. Recruiting staff with experience, for example over 10 years, has not proved to be easy. Progression to senior positions within banking supervision has been through internal promotion rather than direct appointment of senior staff from outside the BNB – the position of the Deputy Governor for Banking Supervision has been an external appointment in the past. There were vacancies in the banking supervision department at the time of the assessment and there were very high numbers of applicants for each post. Use of external experts While in practice it has rarely happened, the BNB has the right to appoint external independent experts and to appoint an external auditor for a bank, to carry out a financial or other type of audit (Art 80(3)(3) and (4) LCI). Professional secrecy requirements apply to both external experts as well as to BNB staff, even after the termination of their relations with the BNB. (Art 63(3) LCI) Training budget 28 BULGARIA The Banking Supervision Processes Manual requires the directorates of the banking supervision department to identify training needs and budget for them in each year’s planning process. In the legal department, staff are conscious for the need to maintain continuous professional development and, in terms of delivery, are conscious of the demands made upon them for provision of training by other banking supervision staff as a result of the wide raft of EU legislation in the banking field in recent years. The assessors understood that a general approach was for the HR department notify the banking supervision department of any external training opportunities, such as courses, conferences, lectures and seminars eg from other supervisory institutions or the Vienna Joint Institute so that staff can be given the opportunity to apply. There have been cases where permission had been granted to attend seminars but pressure of work had prevented attendance. Technology budget At the time of the assessment there was a project in train to enhance the IT tools available to supervisory staff. This project was to update the IT and data systems to take into account the changes driven by the introduction of the Capital Requirements Regulation (CRR) and the Capital Requirements Directive IV (CRDIV). The generation of automatic indicators and integration with the ratings databases had been lost with the inception of the new regulatory framework. The project is aimed at replacing lost functionality that was a result of the regulatory changes but is not seeking to introduce new developments. Travel budget The General Director and the five subordinate Directors in the Banking supervision department draft plans and budgets for the operational needs of the department, including not only domestic supervisory activity such as on site inspections, training programs and participation in international meetings, whether international fora such as Basel working groups, supervisory colleges, or meetings and processes driven by the European Commission or European Banking Authority. It is not always possible for representatives from the BNB to attend all meetings related to the EU legislative process (ie preparation and negotiation of proposals), due to limited numbers. However, the BNB has met all its commitments in terms of supervisory cooperation and collaboration, including supervisory colleges, and attendance at (including leading working groups as necessary) meetings of the EBA. Reports are prepared on a semi-annual and annual reports basis to track targets and additional ad- hoc assignments, supervisory knowledge-sharing missions, educational training, etc. As part of their annual resource planning exercise, supervisors regularly take stock of existing skills EC7 and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified. As noted in EC6, the Director General and the five subordinated Directors in the Banking supervision Description department draft programs of the yearly targets and prepares the Directorates’ corresponding and findings budgets. This annual planning process is required to include the identification of training needs and re EC7 skills developments. Although directorates are asked to propose training plans on an annual basis there is no formal process to identify the gaps in skills and the development needs for staff on an individual basis or for directorates or the department as a whole. In the context of a small department it is accepted that the directors and director general will have a general sense of department needs and gaps but at the time of the assessment there has been no opportunity for the 29 BULGARIA BNB to make an effective assessment of current and future skills needs, or indeed to be able to protect time in the calendar for any relevant training. In determining supervisory programs and allocating resources, supervisors take into account the risk EC8 profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. The frequency and intensity of a bank inspection according to the supervisory programs depends on Description the size of the respective bank, the evaluation of its systemic importance and nature, the volume and and findings complexity of its activities. The assessors were able to review the current annual plan for supervision. re EC8 The plan is updated through an annual exercise but can be adapted to take account of emerging issues, as had happened during the course of 2014. Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or EC9 omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. The BNB, its bodies and the persons authorized by them are not liable for any damages caused in Description exercising their supervisory functions, unless they have acted with intent. (Art 79(8) LCI). and findings re EC9 It is in the competence of the BNB Governing Council to a decision to cover such costs case by case. The law contains no explicit reference to the BNB being required to cover such costs. There is a decision of the Governing Council to cover the costs of members of the Governing Council, including Deputy Governors. There is no such decision yet taken for other staff of the BNB but there would be a case by case decision made and the general presumption is that the precedent set by the decision covering costs of the Governing Council would lead to costs being covered for other staff. Assessment Materially Non Compliant. of Principle 2 Internal Governance of the BNB for banking supervision (CP2 EC1, EC4) Comments Even though the legal framework currently in place reasonably provides the necessary powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake corrective actions, the current mission found that the governance structure of the BNB, particularly as it relates to the allocation of enforcement powers presents significant concerns. In presenting the arguments below, the assessors wish to stress that their comments are designed to be read solely in the context of banking supervision. It is not within the scope of the assessment of the BCPs to comment on the governance of the BNB in carrying out its other mandates. The structure of the internal governance in the BNB for banking supervision in relation to the distribution of powers and responsibilities regarding banking supervision which are described in preceding sections presents a significant concern. It is noted that this structure is established under the law, as opposed to the exercise of delegated powers. It is recognized that the concentration of power for supervisory action in a single individual, the Deputy Governor for supervision, was a conscious decision, designed to ensure responsibility and accountability. Some checks and balances have been put in place in the sense that not all powers are reserved to the Deputy Governor. Entry to, exit from the banking sector and handling the extreme distress of an bank (namely licensing, revocation, conservatorship) are decisions that must be made by the full Governing Council based on a joint motion by the Governor and Deputy Governor. Also 30 BULGARIA the Governing Council has responsibility for issuing the regulations of the BNB, including those regulations pertaining to supervision. Nonetheless, there are no internal checks and balances in the majority of the supervisory decision making process. Neither the law nor the internal BNB procedures ensure the quality of due process in terms of transparency, scrutiny or challenge in reaching such decisions. One option would be for the Governing Council and Governor to be fully informed or consulted with in respect of decisions made by the Deputy Governor, or of the grounds for such decisions either before or after the fact. In principle the Governing Council can, of course, be informed but there is no obligation and notification is at the discretion of the Deputy Governor. The LBNB (Article 16 item 10) provides that reports on the activities of the Bank’s basic departments (including banking supervision) must be provided to the Governing Council but this is not equivalent to a timely transparency and consultation requirement on detailed decisions made by the Deputy Governor. The decision making structure exposes the decision making process to the consistency of approach, or otherwise, and appetite for enforcement or lack of enforcement of a single individual. Moreover, the individual holding the position of Deputy Governor of Supervision could become the subject of undue and intense pressures to act or not to act in any given case. In other words, the structure isolates the DG with responsibility for supervision and puts undue pressures on the individual holding the post. It appears to the assessors that the design of the structure is not conducive to supporting a vigorous and intrusive supervisory program. It is noted that the Deputy Governor could institute an internal framework by which to judge individual decisions, as well as to ensure that the Governing Council is both notified of decisions and has the opportunity to comment. Equally, it is recognized that even though a Deputy Governor would be well advised to take this course of action, as recommended in the 2008 FSAP, the Deputy Governor cannot be legally compelled to do so. At the time of the assessment, another unanticipated weakness of the current design had been revealed in that as the supervisory power to make enforcement actions is vested in one individual, then the absence of this individual could impair or cast doubt on the BNB’s supervisory enforcement powers. While the LBNB requires the Deputy Governor to delegate supervisor powers in his/her absence, there is no contingency arrangement foreseen in legislation to take into account a situation when the Deputy Governor might become suddenly and unexpectedly unavailable, for example in the case of a sudden fatal illness. Moreover, the appointment of a new Deputy Governor is not subject to any maximum time limit under law. It is essential for there to be full clarity and certainty with respect to the BNB’s powers to act in all circumstances in order to f oster an assertive and confident supervisory process. In effect, therefore, the LBNB gives the Deputy Governor of Banking Supervision strong powers to act separately and independently, even though the Governing Council has a significant role and responsibilities over troubled banks in addition to its licensing and regulatory powers. The legal structure creates a situation whereby supervision and enforcement is dissociated from the Governing Council even though the Governing Council is responsible for issuing the regulations that articulate and establish the BNB’s supervisory standards and expectations. That is to say that the Governing Council is asked to issue regulations upon which supervisory practice depends while at the same time being at arms length from the supervisory process and key supervisory decisions. Taking all factors together, the assessors find that the internal governance structure considered both from the perspective of the effect on the individual role of the Deputy Governor for supervision and from the effect on the collective role and responsibility of the Governing Council to be unsatisfactory. In particular it is noted that supervision cannot be effective unless effective enforcement powers are in place. The legal structure that has been put into place is, in the view of the assessors, not conducive to timely, consistent, transparent and if necessary persistent and escalating enforcement decisions and actions. 31 BULGARIA Skills and professionalism (CP2 EC5) The professionalism and skills of the BNB staff in banking supervision is impressive. The high reputation of the skill and dedication of the BNB staff was universally commented upon in the assessors’ range of meetings. It is to the significant credit of the banking supervision staff of the BNB that they have maintained their reputation despite resource constraints and heavy pressure of work, particularly over the last year where additional burdens have stemmed from external regulatory changes and domestic issues alike. Budget, training, IT resources, external experts (CP2 EC6(c), (d) and (e)) Resources are insufficient for the range and nature of the tasks the BNB must carry out for effective supervision. It is also noted that as a result of the changes introduced by the global regulatory reform agenda, and implemented largely through EU legislation, demands have increased significantly for all supervisory authorities. The basic investment any supervisory authority must make in order to be able to perform has increased notably in the past 5 years, during which time the budget envelope for the supervisory function of the BNB has remained largely static. This insufficiency adversely affects the numbers of staff as well as their continued training and the IT capabilities that are available to them. The assessors note that the BNB is already conscious that it has insufficient access to certain specialist skills, notably IT and quantitative skills, which are becoming ever more critical components in the supervisory arsenal, even in banking systems focused on credit such as Bulgaria. The supervisory approach of the BNB, not uniquely, depends heavily on the on-site inspection process so the availability of resource to carry out a suitable program of inspections is critical. Although an IT project was in progress at the time of the assessment its objective was primarily to re-instate the loss of functionality that had been triggered by the regulatory reporting changes. A more ambitious and forward looking project to integrate the different quantitative and qualitative data bases would be highly valuable so that staff time - which is at a premium - is spent in analysis rather than in compilation and calculations of data. Skill gaps assessment (CP2 EC7) There is currently no mapping of the skills that are needed in the evolving supervisory processes and assessing the skills of the staff against these needs and ensuring that a strategy is in place to remedy any such gaps. This is an important task to aid current and longer term planning and budgeting for resources. RBS approach (CP2 EC8) It is clear that the BNB carries out an analysis of the risk profile of the banking system, on an annual basis, and allocates its resources and targeted supervisory activity on this basis. There is a particular challenge for supervisors to identify how to distribute its supervisory attention when a banking sector is largely concentrated in a small number of banking institutions but the remainder of the sector is distributed among numerous much smaller entities which typically will have weaker risk profiles and practices. This is the situation in Bulgaria. It is welcome that the BNB undertakes close analysis, published in its regular reports, of the connections between the banks so has a database from which to assess potential for contagion and spillover effects. This analysis provides an important input into making decisions for supervisory activity. Legal protection (CP2 EC9) According to the LBNB (Art 3(4))only the Governor has the legal option to challenge the decision for his/her dismissal at the European court of justice. Such a possibility is not provided for the Deputy Governors. The BNB does have legal safeguards for protection of staff, but it is noted that it is at the discretion of the Governing Council as to whether legal costs incurred by staff, should they be subject to a lawsuit, will be covered by the BNB. A decision has been made in respect of members of the Governing Council and it is presumed that staff would, in practice be covered but no formal decision 32 BULGARIA has yet been taken. Recommendations o Revise the internal governance design of the BNB for banking supervision, through legal amendment as necessary, to ensure that significant powers are not vested in a single individual. Ensure that there are clear checks and balances in decision making processes, including transparency and challenge processes. Ensure that the absence or unavailability of any one individual will not prevent the full and effective use of all of the BNB’s supervisory powers. o Ensure that the Governing Council is supplied with timely information in respect of major developing supervisory issues including advance information on any changes of control or corrective actions, so that it is well placed if becomes necessary to make major decisions at critical junctures – including licensing, revocation, conservatorship and issuance of prudential regulation. o Increase resource allocation to banking supervision to: ensure sufficient skilled personnel available to conduct a full program of on-site inspections; ensure sufficient representation of skill-sets, including IT, quantitative and models analysis and IFRS - training and recruitment will both be needed. o Upgrade the IT capability available to supervisory staff so that they can effectively and efficiently make use of the range of data and information that is submitted to the BNB. This upgrade should be more than replacing functionality that was lost due to the regulatory changes. o Carry out a mapping of the skills that are needed in its supervisory process, taking into account the fact that the nature and volume of demands required in supervision are continuing to increase and evolve, not least as a result of the international regulatory reform agenda. Identify a clear current and projected assessment of any skills gaps and put in place a strategy to address such gaps. o Ensure that the reasons for the dismissal of the Governor and the Deputy Governor are publicly disclosed, ie on a mandatory not discretionary basis. o Ensure that the BNB will cover the legal costs faced by a staff member should a lawsuit be brought against the staff member. Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for Principle 3 cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information. 17 Essential criteria Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of EC1 information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial 17 Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29). 33 BULGARIA system. There is evidence that these arrangements work in practice, where necessary. Description The LCI contains several provisions governing the cooperation and collaboration among supervisors, and findings particularly between the BNB and the Financial Supervision Commission (FSC), the State National re EC1 Security Agency, the Public Prosecutor’s Office and the Ministry of Internal Affairs. Moreover, the modalities of cooperation have been established in the so-called “agreements on cooperation and collaboration” that were signed with the Bulgarian Deposit Insurance Fund (November 3 0, 1999), the Financial Supervision Commission (October 27, 2003), the FIU (2003) and the Prosecutor General’s Office (2006). These agreements formally arrange the conditions for information sharing, cooperation and joint actions to be undertaken by domestic supervisors and other relevant authorities. With the FSC, the BNB collaborates mainly on licensing and on-site inspection related issues. For example, prior to authorize a bank for providing other financial services under the Law on Markets in Financial Instruments, the BNB seeks FSC written opinion. If the opinion is negative, the BNB will not grant the license; otherwise, the BNB will send a copy of the license to the FSC (Art. 15, para. 6 LCI). Another area of cooperation concerns acquisition of significant ownership in banks. For direct or indirect acquisition of qualified holding in a licensed bank by a person licensed by the FSC, before granting the authorization, the BNB has to hold consultations in advance and cooperate with the Commission (Art. 28, para. 6). Joint on-site inspections involving staff from both the FSC and the BNB are also possible in virtue of art. 80 of the LCI. Consultation about draft legislations is another stream of cooperation. In the MoU reviewed by the mission, the BNB and the FSC conduct mutual coordination of draft regulatory acts in the financial market fields. One recent example is the draft law transposing CDR IV and the BRRD. In the area of money laundering, there is a high degree of cooperation between the BNB, and the competent authorities including the prosecutor’s office, national investigative authorities, police authorities and the FIU (FID-SANS). With respect to the latter, the cooperation is governed by a Memorandum of understanding signed between BNB and the SANS in 2003, which is in fact no longer valid due to the fact that the then Financial Intelligence Agency (FIA) was transformed in 2008 into the Financial Intelligence Directorate (FID) within the State Agency for National Security (SANS) pursuant to the Law on State Agency for National Security (LSANS). As indicated by the authorities, BNB is constantly involved in providing expertise and assistance for the analysis of sophisticated transactions and important cases involving embezzlement with EU funds, money laundering, financial fraud, and cross border complex financial transactions. Further, the FIU and the BNB can perform joint missions for assessing compliance with AML/CFT requirements; in that case, meeting are held between the FIU and the SSD (the Directorate responsible, inter alia, for AML matters within the Supervision department) to decide areas to inspect. The two bodies also arrange annual meetings to determine which banks will be subject to joint inspections to avoid duplication of efforts. The BNB also collaborates with the Bulgarian Deposit Insurance Fund (BDIF) by exchanging relevant information. In particular, the BNB Special Supervision Directorate (SSD) carries out inspections at the request of BDIF essentially to ascertain the correct level of contribution of banks to the Fund. Inspection questionnaires are used for checking-up compliance with the Law on Bank Deposit Guarantee (LBDG). However, the cooperation between BNB and the BDIF has been established in a MoU signed in 1999 and there is a need for updating it to broaden the scope of collaboration and information exchange. According to Art. 9 from the Law on Bank Deposit Guarantee, the Deputy Chairperson of the Bank Deposit Insurance Fund is designated by the Governing Council of the BNB. 34 BULGARIA There are also other mechanisms for cooperation (though not formalized) with other relevant Government agencies, in particular the Ministry of Finance (MoF) for sharing relevant information on regular basis on banks (the ones acting as primary dealers of Government bonds) or in case of emergency. The BNB also assists the MoF in preparing national positions for relevant EU or other international fora, as well as in improving the domestic financial and regulatory framework. Inter- agency working groups for legislation drafting are also another work-stream of cooperation between the BNB, the MoF and other relevant stakeholders. The Governor of the BNB has also been participating since 2007 in the Financial Stability Advisory Council. It is an advisory body responsible for maintaining financial stability through the exchange of information and the assessment of the national financial system, as well as the monitoring of potential systemic risks. The Council comprises the Minister of Finance (chairing the Council), the Governor of BNB and the Chair of the FSC. According to the provisions in the Law on FSC (Art. 31), the BNB supports the CFS by providing, inter alia, supervisory reviews on developments in the banking sector and on cross-border related issues that may impact the financial stability. The most recent decisions made by the CFS concerned the KTB case and consisted in recommending the BNB to draft a bank resolution law and take appropriate measures to address the situation by involving all interested parties. A protocol was signed on July 7, 2014 to organize the functioning of this Council. Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of EC2 information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. Description The legal basis for the formal cooperation and for information sharing by the BNB with other and findings supervisory authorities are to be found in several articles of the LCI, in particular the Articles 87-87d. re EC2 These provisions provide powers to the BNB relative to engaging in collaborative arrangements with foreign bank supervisory authorities either within the EU or outside. General principles for cross-border cooperation Article 87 – 87 d of the LCI determine the condition of cooperation between Bulgaria and the EU States. In exercising its supervisory powers, the BNB is empowered to cooperate with the relevant competent authorities of the Member States where a bank licensed in the Republic of Bulgaria carries out activities through a branch in an other Member State or where a bank from another Member State carries out activities through a branch in the Republic of Bulgaria. In that context, the BNB can exchange with its Member States’ counterparts any information and documents relating to the (i) management of and ownership of credit institutions, (ii) as well as to the supervision of credit institutions on a solo or consolidated basis, including their liquidity, solvency, deposit insurance, large exposures restrictions, risk management, other factors that may affect the systemic risk arising from the bank’s activities, administrative and accounting procedures, and internal control mechanisms. The cooperation mechanism also covers situations that warrant immediate attention. For example, the BNB shall inform the competent authorities of all host Member States immediately where liquidity stress occurs or can reasonably be expected to occur in relation to a bank licensed in the Republic of Bulgaria which carries out activities in other Member States through a branch. That information should include details about planning and implementation of a recovery plan and about 35 BULGARIA any prudential supervision measures taken in that context. Information sharing and undertaking of collaborative work arrangements are also expected for on- site supervision purposes. Art. 87 (9) stipulates that the competent supervisory authorities of a Member State which are responsible for the supervision of banks with branches on the territory of the Republic of Bulgaria, after a prior notice to the BNB, may carry out on-site inspection, on their own or with the assistance of duly authorized persons. In that case, the BNB provides assistance to the foreign supervisory authority. The same arrangement also exists when the BNB carries out (in very rare occasions though) on-site visits in Bulgarian branches operating in a Member country. Further, the BNB can, upon request from a Home supervisor, perform an on-site inspection. In that case, a representative of the home Member State supervisor (or an auditor authorized by it) may take part in these inspections. Conversely, the BNB can make the same request and ask the Host authority to conduct an inspection on its behalf. In practice however, there has been very rare occasions of such cooperation. Art. 88 of the LCI lays down the principles the cooperation with non-EU countries; the conditions for cooperation are established through MoUs, particularly in relation to the exchange of information covered by professional secrecy (see below). Cooperation in the context of consolidated supervision Consolidated supervision is another area where cooperation is key. To that end, the BNB is empowered to sign written coordination and cooperation arrangements with the competent supervisory authorities of the respective Member States (LCI, art. 87 and 92). The BNB may take responsibility for the performance of additional supervisory tasks, by agreement with the competent authorities of Member States. Conversely, where a bank licensed in Bulgaria is controlled by a credit institution in another Member State, the BNB may delegate to the parent supervisor the responsibility for supervising the subsidiary bank. For the purpose of consolidated supervision, the BNB has signed MOUs with the competent authorities of Austria, Cyprus, Greece, Italy, The Netherlands, Slovenia, France, Romania and Hungary. Further aspects of cross-border cooperation with national competent authorities can also be found in the LCI, consistent with EC regulations and EBA technical standards. They mostly relate to the following aspects: (i) addressing situations of disagreement with measures taken by other NCAs, (ii) how to send alerts to other relevant NCAs regarding insufficient liquidity, (iii) how to undertake on- site inspections in the relevant country, (iv) how to determine fine with the home/host authority if a local foreign branch is significant, (v) how to exchange regular information or information on measures imposed on significant branches (See Art. 87, paragraphs 3 to 13, and articles 87a to 87d of LCI). The mission got a copy of a cooperation agreement signed with a foreign authority. It was observed that the arrangements include information in connection with the authorization and licensing process, the ongoing supervision of the cross-border establishments, on-site inspections, financial crime, exchange of information in emergency situations, corrective actions, confidentiality requirements, etc. Most of the agreements comprise provisions for requests for additional information and on-going coordination, including cooperation through visits for information purposes and exchange of expert staff. 36 BULGARIA For the conduct of routine supervision or in the context of emergency situations, cooperation is further strengthened through supervisory colleges (SC). The LCI contains several provisions governing the participation of Bulgaria in these bodies. Bulgaria is the host authorities for 9 subsidiaries and one significant branch; as a result, the BNB has signed multilateral agreements, based on the EBA Template for a Multilateral Cooperation and Coordination Agreement on the Supervision and participates in 10 Supervisory Colleges. According to the authorities, participation has been very active and fruitful (especially with the Banca d’Italia) and there has not been any budgetary restriction for staff to attend the meetings. The SCs in which the BNB participates are an opportunity to collect information on groups’ structure and shareholdings. Also, the BNB has recently used the framework of SC for requesting the home supervisor to provide the recovery plans of two foreign banks which did not accommodate BNB requests. Regional cooperation and cooperation with non-EU countries The LCI also governs the condition for cooperation and information exchange with non-EU members. Article 88 stipulates that in performing its supervisory functions, the BNB may conclude agreements with other central banks or supervisory authorities of third countries on cooperation and information exchange on a reciprocal basis, making the commitment to keep bank and professional secrecy. To that end, the BNB has signed Memoranda of Understanding with third countries, e.g.,Turkey, Kosovo, Macedonia, Albania, and other South Eastern Europe countries). Bulgaria is a member of the Group of Banking Supervisors from Central and Eastern Europe (BSCEE). The members of BSCEE consist of banking supervisory authorities from Albania, Austria, Belarus, Federation of Bosnia and Herzegovina, Bulgaria, Croatia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Macedonia, Montenegro, Poland, Romania, Russia, Serbia, Slovak Republic, Slovenia, Ukraine, and Moldova. The BSCEE Group aims to, among other things, (i) promote and maintain close cooperation and communication among the Central and Eastern European banking supervisory units, (ii) facilitate the Central and Eastern European banking supervisory authorities for a better performance of their supervisory functions, (iii) provide possibility for exchange of supervisory techniques, experiences, information and know-how, and (iv) help with the integration to the European banking supervisory system. Bulgaria is also a member of the South Eastern Europe Initiative that comprises several supervisory authorities from South Eastern Europe (e.g., Albania, Greece, the Federation of Bosnia and Herzegovina, Cyprus, Montenegro, Macedonia, Romania, Serbia). The Initiative promotes a more structured cooperation in the field of banking supervision in order to enhance financial stability in South Eastern Europe and improve the effectiveness and efficiency of supervisory measures. An MoU has been signed between members countries that includes provisions on information exchange, convergence of supervisory practices, monitoring banking groups’ systems and controls, crisis management, cooperation in the field of AML/CFT and confidentiality requirements. The supervisor may provide confidential information to another domestic authority or foreign EC3 supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. Description The LCI contains several provisions on confidentiality and determines the condition under which and findings professional secrecy can be lifted, including with foreign supervisors. As stipulated by Art. 63 (1), 37 BULGARIA re EC3 professional secrecy –as opposed to bank secrecy- (art. 62) applies to the information which the BNB obtains or generates for banking supervision purposes or in relation thereto, and whose disclosure could damage the commercial interest or reputation of a bank or its shareholders. The same article stipulates that this information covered by professional secrecy can be disclosed under certain circumstances strictly defined. BNB staff can share information with the Bulgarian Deposit Insurance Fund, the State National Security Agency (in particular for AML/CFT purposes) and other relevant counterparties, including but not limited to, liquidators of banks in case of bankruptcy proceedings, auditors of credit institutions, etc. In practice, the BNB has signed MoUs with domestic bodies that govern the conditions for information exchange (see EC1). The same LCI describes the conditions under which confidential information can be shared with foreign counterparties like Member States’s supervisors, and authorities responsible for the oversight of banks under bankruptcy, liquidation or other similar proceedings. The BNB can also exchange information with the authorities which admin- ister deposit-guarantee schemes in Member States, the ECB as well as the European Systemic Risk Board (ESRB). The same law stipulates that the persons and bodies empowered to request and receive information covered by professional secrecy are obliged to keep it confidential and may use it only for the purpose for which they have requested it or for which it was provided to them, according to the law or the agreements concluded, and shall not provide it nor disclose it to third parties, unless otherwise stipulated by law. When it comes to non-EU jurisdictions’ supervisory authority, any information subject to professional secrecy may be provided as long as certain conditions are met: (i) the conditions for the exchange are stipulated in an agreement for cooperation; (ii) the recipient ensures at least the same level of protection of information as provided for in the LCI; (iii) the recipient is authorized and agrees to provide information of the same type to the BNB, where needed, (iv) the information exchange is intended for supervisory purposes; and (v) the recipient has justified the needs for the requested information (Article 66, items 1 - 4 and Article 88 - LCI). The members of the Governing Council, employees, external auditors, experts and other persons working for the BNB shall keep the professional secrecy even after the termination of their relations with the BNB. The supervisor receiving confidential information from other supervisors uses the confidential EC4 information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. Description BNB staff is required to observe professional secrecy obligations that are intended to protect the and findings confidentiality of supervisory information. These obligations can be found in Art. 65 of the LCI and re EC4 stipulate that BNB staff (i.e members of the Governing Council, employees, external auditors, experts and other persons working for the BNB) shall use the information received from the Member States’ 38 BULGARIA competent supervisory authorities only for the performance of the BNB supervisory responsibilities and only for the following purposes: (i) to check if the conditions for granting a bank license have been met, (ii) to facilitate the supervision on a consolidated or a solo basis, including for monitoring liquidity, solvency, large exposures, managerial and accounting procedures, and internal control mechanisms; (iii) to apply measures and sanctions in accordance with this Law or (iv) in proceedings for appeal against administrative acts of the BNB in an administrative or judicial procedure. Confidential information may be provided by the BNB to the Member States’ competent supervisory authorities, the European Systemic Risk Board, the European Banking Authority and the European Securities and Markets Authority as long as these authorities are also bound by professional secrecy. Also, as set forth in LCI Art. 65(3), when the information covered by professional secrecy comes from a foreign body, it may be disclosed or provided only with the express consent of the competent body which has provided the information and, where applicable, only for the purpose for which the consent has been given. In this regard, the MOU reviewed by the mission contains provision addressing the treatment of confidentiality information. The language is relatively standard and governs information acquired by BNB in the course of performing its duties and information received from other supervisors. Lastly, any information received by the BNB employees during on-site examinations carried out in a Member State may not be provided without the express written consent of the competent supervisory authority of the Member State where the examination took place. Processes are in place for the supervisor to support resolution authorities (e.g., central banks and EC5 finance ministries as appropriate) to undertake recovery and resolution planning and actions. Description Bulgaria has not developed yet a single legal framework for the recovery and resolution of credit and findings institutions and has not established a Resolution authority. When the Bank Recovery and Resolution re EC5 Directive (BRRD, 2014/59/EU) is transposed into the domestic legal regime, Bulgaria will have processes in place that will permit resolution authorities (likely the BNB) to undertake recovery and resolution planning and actions, as required by this EC. Assessment Largely Compliant. of Principle 3 Comments BNB is in a position to exchange information and to cooperate effectively with home supervisors over Bulgaria-based subsidiaries of foreign banks through a number of bilateral MOUs. Adequate information sharing arrangements are also in place with all relevant domestic authorities. During interviews, assessors were told that the authorities are satisfied with the quality and effectiveness of existing cooperation arrangements. There are however a certain number of areas where some improvements would be needed. For AML/CFT purposes, the current MoU governing cooperation and information exchange between the BNB and the FIU is no longer valid. The Financial Intelligence Agency (FIA) was initially 39 BULGARIA established as an administrative-type FIU within the Minister of Finance. In 2008, the FIU was transformed into the Financial Intelligence Directorate (FID) within the State Agency for National Security (SANS) pursuant to the Law on State Agency for National Security (LSANS). However, the MoU signed in 2003 with the then FIA has not been revised after the establishment of the new authority. A revised draft version has been in the making for three years and the authorities are encouraged to finalize it. With respect to the issue of safety net, a new draft law is being prepared to transpose into the Bulgarian regime the EU directive 2014/49 on deposit guarantee schemes. The current mechanisms for cooperation and information sharing between the BNB and BDIF was signed in November 1999 and is now outdated. In particular, there is a need to reflect the changes in powers and responsibilities stemming from the new law. Along the same lines, once the draft law transposing in Bulgaria the EU BRRD is enacted, the BDIF will exercise new responsibilities as Resolution Fund while the BNB will likely to be designated as the resolution authority.18 Here again, a thorough revision of the existing MoU between the two authorities will be warranted. In the area of external audit, the Commission for Public Oversight on Statutory Auditors (COPSA) was established following the amendments of the Independent Financial Audit law adopted by the National Assembly in June 2008. The law regulates the establishment and the functioning of the public oversight system of the statutory auditors in Bulgaria. Public oversight of this profession is exercised by CPOSA which is an independent body in charge of the oversight over acquisition of competence, registration of statutory auditors and audit firms, adopting and observing standards for professional ethics, internal quality control of auditors firms, audit quality assurance system, investigation and enforcement. Establishing mechanisms of cooperation and information sharing between the BNB and the CPOSA would be beneficial considering the complementarities of the two bodies. There is no formal mechanism of cooperation between the BNB and the MoF particularly for bank resolution. This would require the enactment of proper legal regime for bank resolution, the designation of an official resolution authority with adequate powers and the development of appropriate procedures to support the latter. With respect to crisis management, the Financial Stability Advisory Council (FSAC) approved in March 2011 the members of the Permanent National Standing Group on Financial Stability and following a proposal on behalf of the BNB Governor entrusted it with the responsibility to develop a National Financial Crisis Action Plan. In July 2011 the FSAC approved this plan. Its main purpose is to outline the institutions’ actions in times of crises so that the normal economic and financial sector processes are ensured and the confidence in public institutions is maintained. According the the BNB, during the KTB crisis in June 2014 the BSD’s actions, in particular the activation of the daily reporting framework and the continuous analysis of the situation, were in accordance with the main provisions of the plan mentioned above. The authorities may wish to consider the following recommendations:  Establish mechanisms for cooperation between the BNB, the MoF and other financial institution 18 This point has been confirmed during a meeting with the MoF. 40 BULGARIA regulators to undertake recovery and resolution planning;  Speed up the revision of the MOU with the Bulgarian Deposit Insurance Fund;  Finalize the new MoU between the BNB and the Financial Intelligence Unit;  Cooperate with the Commission for Public Oversight on Statutory Auditors (CPOSA), in particular on policy issues or information that is publicly available and sign an MoU in due course Permissible activities. The permissible activities of institutions that are licensed and subject to Principle 4 supervision as banks are clearly defined and the use of the word “bank” in names is controlled. Essential criteria EC1 The term “bank” is clearly defined in laws or regulations. The LCI (art. 2) defines a bank as a legal entity accepting deposits or their equivalents ( other Description repayable funds) and extending loans and other financing on its own account and risk. The BNB also and findings uses alternatively the term credit institution for a bank, as opposed to financial institutions which re EC1 include leasing companies, payment services providers, financial holding companies, payment institution, and asset management companies (LCI, art. 3). The permissible activities of institutions that are licensed and subject to supervision as banks are EC2 clearly defined either by supervisors, or in laws or regulations. Description Permissible activities of institutions that are licensed and subject to supervision as banks are defined and findings under the LCI. In effect, art. 2, subparagraph2 lists in detail the financial activities permissible for re EC2 banks, including those that are directly ancillary or supplemental. According to art. 5 of the LCI, a bank may not engage in financial activities that are not included in the authorization. According to the BNB Ordinance No2 on the Licences, Approvals and Permissions granted by the BNB, a license for a bank confers the right to conduct only the activities specified in the license. Within the BNB, the Special Supervision Directorate carries out specific thematic inspections including on-site checks in companies that could perform unauthorised banking activities. Such checks are usually initiated upon alerts submitted by other institutions or natural persons. The use of the word “bank” and any derivations such as “banking” in a name, including domain EC3 names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. Description As stated in the LCI, no one shall use the word ‘bank’ or any derivative thereof without having and findings received a banking license pursuant to this law. In effect, according to Art. 6. (1), a person who does re EC3 41 BULGARIA not have a license to conduct bank activity shall not use either in his name or in his advertising or other activity the word ‘bank’ or any of its derivatives in a foreign language. The same article, in its subparagraph (3) also stipulates that the name of a bank may not bear a resemblance to the name of another bank operating in the Republic of Bulgaria. The taking of deposits from the public is reserved for institutions that are licensed and subject to EC4 supervision as banks.19 Description As stipulated by art. 2 (5) of the LCI, the taking of deposits from the public can be carried out only by: and findings (i) a person who has been granted a bank license by the BNB; (ii) a bank with a seat in a third country, re EC4 which has been granted a license by the BNB to conduct bank activities in the Republic of Bulgaria through a branch; and (iii) a bank authorized by the competent authorities of a Member State to carry out bank activities, which provides services on the territory of the Republic of Bulgaria either directly or via a branch. Along the same lines, art. 5 (2) states that the activity of taking deposits from the public is explicitly regulated by law and by the European Law and is subject to supervision aimed to protect depositors and investors. According to the authorities, there are a growing number of consumer credit companies currently operating in the country. The latter, which are registered at the BNB but not supervised, provide micro loans (below 200 euros) to individuals. The mission was told that none of them collect deposits. The supervisor or licensing authority publishes or otherwise makes available a current list of licensed EC5 banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. Description and findings The licenses granted by the BNB are recorded in a register kept by it under Article 15, para 5 of the re EC5 LCI. The BNB maintains a list of current licensees accessible on its website BNB http://www.bnb.bg). Assessment Compliant. of Principle 4 19 The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system. 42 BULGARIA Comments Licensing criteria. The licensing authority has the power to set criteria and reject applications for Principle 5 establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)20 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. Essential criteria The law identifies the authority responsible for granting and withdrawing a banking license. The EC1 licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. Description The LCI (art. 13) provides the statutory requirements for the licensing of a bank. The BNB has the and findings exclusive right for the issuance of bank licenses and no person shall engage in financial activities re EC1 without a license issued by the BNB. Foreign banks wishing to establish a subsidiary on the territory of Bulgaria need also to receive a license from the central bank. The BNB has the right to reject an application if the criteria set in the law or in the BNB ordinance No 2 are not fulfilled or if the information provided is inadequate (art. 16). The law also grants the BNB power to set additional requirements and necessary information to be provided while applying for a banking license. The BNB can also issue a limited license (see EC 2). It is noteworthy that in practice, the initiative for granting a license is a joint competence shared between the Governor and the Deputy Governor. In effect, art. 151, para. 1 of the LCI stipulates that for any issuance, rejection or revocation of a license, a motion should be presented by the Deputy Governor in charge of Banking Supervision Department, jointly with the Governor, to the BNB Governing Council. The power of withdrawing the license also belongs to the Governing council of the BNB. The LCI, art. 36-38 set the conditions for the withdrawal, including when, for example, the bank becomes insolvent, the bank conducts unsound practices, the license has been obtained on the basis of false 20 This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction. 43 BULGARIA information, the bank has not commenced operations within twelve months after receiving the license, the bank no longer meets the conditions under which its license was granted or does not ensure the security of the assets entrusted to it. In November 2014, the BNB revoked the license of the troubled Corporate Commercial Bank on the ground that, as indicated by external audit reports, the institution had a negative own capital of 3.75 billion levs ($2.4 billion/1.9 billion euro) as of September 30, and no longer met the relevant capital requirements. In Bulgaria, all banks are following traditional universal banking model and are set up as Joint Stock Companies. There are no-other types of banks (e.g., cooperative banks, mutual saving companies) in the country. Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the EC2 criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. Description and findings Criteria for licensing banks are prescribed by the LCI. re EC2 Art. 13, 14, 15 and 16 of the LCI set the requirements to be met in order to obtain authorization for banking business. The law also grants the BNB power to set additional requirements and necessary information to be provided while applying for a banking license. Other important provisions relevant to licensing can be found in the BNB Ordinance No2. The most relevant information to be provided by the applicants are: a) article of association; b) appropriate information about fitness and propriety of administrators; d) documents containing information on the paid in capital of the bank; e) information about the 20 largest shareholders (name, address and professional activity over the past 5 years); f) origin of funds for persons with subscription of 3% and above of the capital g) a business plan with exhaustive description of the activities to be performed, customer and product structure, objectives, policy and strategy of the bank, financial forecast of development over a three-year period; h) a description of the managing and organizational structure including the activities of individual organizational units, distribution of responsibilities among managing directors and other administrators, organization and management of the bank’s information system; i) a description of the internal control systems and the risk management systems, and a program of anti-money laundering measures; j) the names and addresses of the members of the supervisory and management boards (board of directors) of the bank, and detailed written information concerning their qualifications and professional experience. Further, prior to deliver a license, the BNB is responsible for conducting a review of the valididity and accuracy of the materials provided by the applicant. In virtue of art. 14, the license will be issued if certain conditions are met (in addition to the criteria mentioned above). In particular, the BNB will check whether (i) the activities that the applicant intends to carry out ensure the required soundness and financial stability; (ii) the members of the management board and of the supervisory board are not subject to a legal injunction to hold such a position; (iii) in case of groups, the parent undertaking will not place obstacles to conducting consolidated supervision; and (iv) there is no evidence that the existence of close relations between the bank and other persons can hinder the efficient exercise of 44 BULGARIA banking supervision. The above LCI allows the BNB to reject a bank’s business if the documents submitted by the applicant contained incomplete, contradictory or unreliable information. This happened once in 2008 due to the lack of key information in the application particularly in regard to criminal records and professionalism of prospective applicants. In the same vein, the BNB can revoke authorization for banking business if the authorization was based on false information or if the bank is no longer able to meet the conditions for performing its business (Art. 36 of the LCI). Over the past five years, one license has been revoked (decision of the GC dated November 6 th, 2014) due to the insolvency of the institution. The BNB can also issue a limited license if the applicant is not prepared to carry on all activities as planned. The BNB can limit the scope of these activities. There is no formal mechanism (at least written procedures) to subject the newly established bank to some sort of follow up inspection visit to ascertain that the bank is performing according to the terms and conditions of the license. It is the duty of the Legal Services and Administration Directorate (LSA) to carry out administrative activities in relation to issuing licenses, authorisations, and approvals, maintaining license files and data about the current status of banks and respective registers, and passportisation when the BNB is notified by a bank of an EU Member State. Three staff of the LSA are assigned to these activities. The latter cooperate with their colleagues from other directorates, especially those from the Credit Institution Supervision Directorate before formulating an opinion on the business plan of the prospective bank. The LSA will also consult the Special Supervision Directorate to perform checks on the shareholding structure of the applicant, including for the determination of the UBO of companies holding qualifying interests in the capital of the future bank. EC3 The criteria for issuing licenses are consistent with those applied in ongoing supervision. Description Necessary requirements to be met while applying for a banking license are broadly consistent with and findings those applied in ongoing supervision. As detailed above, criteria include complying with re EC3 shareholding limits, executives (which includes Board members) to meet fit and proper criteria, the entity to meet prudential standards, have adequate internal control and risk management systems in place, adequate human resources, etc. The licensing authority determines that the proposed legal, managerial, operational and ownership EC4 structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.21 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. Description The LCI read in conjunction with the BNB Ordinance No2 on Licenses, Approvals and Permissions and findings granted by the BNB and Ordinance No20 on the Issuance of Approvals to the Members of Board of re EC4 Directors and Supervisory Board of Credit institutions enable the BNB to determine that the proposed legal and managerial structures of the bank will not hinder effective supervision on a solo and consolidated basis. 21 Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003.). 45 BULGARIA The organizational structure of the bank is vetted during the BNB licensing process both in terms of the management structure of the organization and the capacity of the structure to facilitate sound risk management and internal control systems. The applicant has to submit –and the BNB to review- all relevant data, comprising, inter alia, a description of the managing and organizational structure including the activities of individual organizational units, distribution of responsibilities among managing directors and other administrators, organization and management of the bank’s information system, etc. The BNB process also entails the analysis of a business plan of the bank with exhaustive description of the activities to be performed, customer and product structure, objectives, policy and strategy of the bank, financial forecast of development over a three-year period. Also, the suitability of shareholders (3% of sharing and above) as well as their possible links to related parties are also examined by the supervisors. In doing so, the BNB will pay particular attention to the following aspects: -persons having significant shareholdings cannot, either by their activities or through their influence, hamper bank’s safety and soundness; -the existence of close relations between the bank and other persons does not hinder the efficient exercise of banking supervision. With respect specifically to consolidated supervision the BNB will verify that: -the applicant’s charter does not contain provisions, which hinder the application of principles and the best practices of corporate management; -the parent undertaking (in case of a financial holding company, mixed financial holding company or mixed holding company) will not place obstacles to conducting consolidated supervision; -the requirements or difficulties in applying third country’s particular regulation or administrative acts regulating one or more legal or natural persons, with whom the bank has close links, will not impede the efficient conduct of banking supervision. The LCI also stipulates in art.24 on mutual recognition that when it comes to a bank with a seat in Bulgaria but which carries out activities in a member state either through a branch or directly if it is a subsidiary of a Bulgarian bank, or is jointly owned by two or more banks licensed in Bulgaria, the BNB shall exercise a consolidated supervision over the bank above and shall monitor its shareholders’ structure following a procedure defined by the BNB. The team found no indication according to which the BNB determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. The licensing authority identifies and determines the suitability of the bank ’s major shareholders, EC5 including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. Description The legal basis for identifying and determining the suitability of the bank’s major shareholders, and and findings others that may exert significant influence can be found in the LCI art. 13, (2) paragraph 7 and 8 as 46 BULGARIA re EC5 well as in the BNB Ordinances No 2 and 20. Bank’s shareholders with significant interest are subject to BNB scrutiny. As stipulated in the regulations above, the prospective bank should provide the name and address of the persons who have directly or indirectly subscribed for 3 % and above of the voting shares. The same information is also required for all persons holding 10% or more of bank’s capital (the major shareholders) and specifically for the 20 largest shareholders (LCI art. 14 (3)). Further, the BNB will determine if the qualification, experience –during the past five years-, integrity of the shareholders with significant interest are appropriate, including their reliability to provide additional financial support, where needed. As indicated in the law, the BNB will have to be informed –in writing- about the origin of funds used by shareholder for acquiring 3% and above of the capital (to ascertain their transparency and legitimacy) and whether the shareholders have used their own resources to acquire their holdings. Moreover, the law stipulates that the BNB will have to assess whether major shareholders’ financial capacity is commensurate with the scale and activities of the bank (Art. 14, par. 3, p. 12 of the LCI). In case of a legal entity having 10% and more of voting rights in a bank, the Ordinance No2 subject the entity to provide, inter alia, the following data: -structure of the capital and its allocation between the shareholders (partners), -article of association -auditor’s reports and financial statement for the last three years -balance sheets, income statement and -detailed information about the structure of the group in which the applicant participates. Moreover, in case of granting a license to a foreign bank, the BNB will hold consultation with the home supervisor with the view to obtain information about the shareholders (art. 13 (6)). Lastly, the BNB is empowered by law to request any additional information deemed necessary for making a judgment about the suitability of the bank’s shareholders with significant interest (art. 13, (2) 9). Regarding the concepts of indirect holding and beneficial ownership, the LCI does not provide a specific definition of UBO; art. 13 (2) subparagraph 8 stipulates that for licensing purposes, the application should contain “a document of registration and written data about the persons holding shares or equity in their capital or property, or controlling them – for legal persons under item 7 [i.e. shareholders holding 3% and above of voting rights]. There are two provisions however containing the concept of UBO. The first one can be found in the AML law ( a customer acting on his own behalf and for his own account or on behalf and for the account of a third party). It is not clear however whether the obligation to disclose the true identity of the ultimate beneficial owner applies in case of a person applying for a license. The second one, contemplated in Ordinance #2, art 19 (4) seems to apply only in the case where the acquisition of bank shares is done by a trust.22 In practice it is the role of the Legal Services and Administration Directorate to perform the 22 “In case the applicant is a trust that already exists or will be established after the acquisition, the following documents and information shall be submitted: 1. the names and addresses of the persons who will manage the assets of the trust under the terms and procedure of the contract establishing the trust and their respective shares in distribution of the asset management income; 2. the names and addresses of the persons up to the ultimate owner who are beneficial owners of the legal entity. 47 BULGARIA assessment of suitability, on the basis of the “fit and proper” criteria, concerning members of the managing bodies of credit institutions. It is noteworthy that the Special supervision directorate conducts detailed analysis in respect of banks’ ownership structures and control. The main objective of this work is to minimise risks related to the actions of banks’ major sharehol ders and to understand their influence on the operations at the level of individual banks. The mission was given access to SSD reports performed respectively in 2012 and 2014, one assessing the financial status of the shareholders of a few banks and another one analyzing shareholding structure and ownership in the context of the Act on the Economic and Financial Relations with Companies Registered in Preferential Tax Regime Jurisdictions, the Persons Related to Them and Their Beneficial Owners. In that respect, the SSD expressed concerns on several key aspects relating to (i) the poor financial conditions of major shareholders (some of them exhibiting important losses or having no real activity at all) and (ii) the absence of clarity on their ultimate owners some of whom with location in off-shore centers (BVI, Cyprus, Cayman islands). According to the discussion with the BNB, most –if not all- of the missing information have been collected by the SSD. EC6 A minimum initial capital amount is stipulated for all banks. Description The LCI y stipulates that banks must have a minimum initial capital of at least BGN 10 million (EURO and findings 5 million). re EC6 The licensing authority, at authorization, evaluates the bank’s proposed Board members an d senior EC7 management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank. 23 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. Description The suitability, professionalism, qualification, fitness and propriety of board of directors and and findings supervisory board members are assessed under the conditions set forth in the BNB Ordinance No20 re EC7 (28 April 2009). Further, the Regulation on the requirements to Bank’s administrators, under LCI art. 11 establishes the fit and proper requirement, including the criteria on qualification, work experience, reputation and probity (absence of criminal background). When assessing the fitness criteria, the BNB due diligence includes determining whether the elected members of the Board and those of the Supervisory body have the relevant academic background and past professional experience (e.g., at least 5 years of professional experience as manager in a bank or in a company comparable to a bank). For assessing the "propriety" of prospective administrators, prospective administrators are required to fill a detailed questionnaire called “Fitness and Propriety Test Question Form) to prove their fitness and propriety. The form reviewed by the mission appears very detailed covering a wide range of issues including, but not limited to, professional background, former management positions, absence of criminal or administrative sanctions and conflict of interest. The form, however, does not require information about administrator’s income and assets. This due diligence also extends to legal entities managed by elected members of the Board. 23 Please refer to Principle 14, Essential Criterion 8. 48 BULGARIA Regarding potential conflict of interest, the BNB will determine, based on information provided, the personal interests of the applicants, including possible existence of any relationship of the elected members of the Board with other persons in relation to the bank The LCI, Art. 11, (1), subparagraphs 7 and 9 states that a member of the Board of directors as well as a procurator should not be [married] to or a relative, in direct or lateral lineage up to the third degree, to another member of the managing or controlling body of the bank and is not in factual cohabitation with such a member . The Ordinance also requires applicant to submit a declaration in writing stating that own resources have been used for the subscribed shares and also stating the origin of funds used to make these contributions. However, the mission was told that there is no further due diligence to ascertain the reputable source of funds, beyond the analysis of financial statements and the terms of the written declaration. There is no specific requirement for the individual Board members or the Board collectively to have a sound knowledge of the material activities that the bank intends to pursue, and the associated risks. The licensing authority reviews the proposed strategic and operating plans of the bank. This includes EC8 determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank. 24 Description In the LCI, art. 14 (3) subparagraph 14, prospective banks should submit to the BNB a set of and findings documents to support the request. This includes (i) a business plan with exhaustive description of the re EC8 activities to be performed, customer and product structure, objectives, policy and strategy of the bank, financial forecast of development over a three-year period; (ii) the organizational structure; (iii) a description of the AML internal program and (iv) information on the internal audit function and risks management functions. Regarding the later, in consonance with art. 15, the license will be granted if –inter alia- the applicant has confirmed to the BNB that : -internal control rules have been drafted, including clear administrative and accounting procedures; -an internal control office is established and the recruited employees have the qualifications and professional experience required for that activity; -sound internal management rules have been drafted which include a clear organizational structure with well-defined, transparent and adequate levels of responsibilities and efficient procedures for identifying, managing, monitoring and reporting of the risks to which the bank might be exposed. Further, as stipulated in art. 15, the bank’s rules governing internal control systems and risk management should reflect the character, scale and complexity of the bank’s operations and be commensurate with the risks to which the bank may be exposed. 24 Please refer to Principle 29. 49 BULGARIA The law however does not contain particular requirement on the oversight of proposed outsourced functions. The licensing authority reviews pro forma financial statements and projections of the proposed bank. EC9 This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. Description As contemplated in the LCI, art. 13 (2) subparagraph 3, the BNB collects the financial projections for and findings the first three years of operations of the proposed bank. According to the authorities the materials re EC9 are reviewed and analyzed with particular attention focused on the validity of the submitted documents, the applicant’s reliability and financial status. Qualifying shareholders (holding 10% and above of the capital) are assessed as to their financial capacity in terms of their financial strength at the time of the application, and prospective capacity to provide additional capital to the bank in the event it is needed (LCI, art. Art. 14, par. 3, p. 12). Each such prospective qualifying shareholder must provide financial information that demonstrates an appropriate level of financial capacity (BNB Ordinance 2). In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host EC10 supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. Description Since Bulgaria is a member State of the European Union, the principle of the Mutual Recognition and findings applies. As a result, the distinction should be made according to whether or not the prospective bank re EC10 belongs to the EU. If the applicant is licensed in a Member State and is planning to conduct activities on the territory of the Republic of Bulgaria through a branch, a license is not needed provided that the projected activities are covered by its license and that the competent authority which has granted the license has notified the BNB (LCI, art. 20). If the applicant projects to establishing a bank on the territory of Bulgaria as a subsidiary of another bank from a Member State, a licensing procedure under Art. 13 – 15 of the LCI applies. In those cases, the BNB holds preliminary consultations with the competent home supervisory authority in accordance with Art. 13, par. 4 of the LCI. Consultations with the competent supervisory authorities cover issues related to shareholders, reputation and experience of the prospective managers, the assessment of compliance with supervisory requirements, as well as any other information of relevance to granting the license. A bank with headquarters in a non EU-Member country has to apply for a license before operating in Bulgaria through a branch. A written consent for opening of a branch issued by the respective bank supervision authority is a precondition for granting the license by the BNB. In accordance with Art. 17 of the LCI, several pre-requisites should be met. In particular, the third-country applicant bank shall submit an application with the following enclosures: 50 BULGARIA -a verified copy of the registration certificate of the bank and a document issued by the registration authority containing current data on the seat and registered address, subject of activities, amount of capital, management system, and details on the persons who represent the bank; - a verified copy of the license granted by the home authorities; - a verified copy of the Charter; - a business plan including a description of the projected activities; - the organizational structure of the branch; - financial annual reports for the past three years; - a written consent for opening a bank branch given by the home authority; - a written statement of the home supervisor authority containing information on the bank’s financial status and a commitment for cooperation with the BNB; - data about the persons entrusted with the management of the branch, including their qualifications and professional experience in banking. In addition, the LCI subjects the license to other conditions and particularly if (i) the home supervisor supervises effectively the bank and its branches abroad; (ii) an agreement of supervisory cooperation between the BNB and the home supervisor has been concluded; (iii) the home country’s legislation does not create obstacles to the exercise of efficient banking supervision on a consolidated basis, (iv) bank’s financial status is sound and stable, its organizational structure is aligned with the projected activities and bank’s managers meet the requirements in terms of professional expertise and reputation. The licensing authority or supervisor has policies and processes to monitor the progress of new EC11 entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. Description As indicated by the authorities, The BNB is entitled to monitor the progress of new entrants as it and findings monitors all other banks and may undertake certain measures if the bank does not meet the criteria re EC11 as set forth in the license. In particular, the BNB can revoke a license if the bank fails to commence its activity within 12 months after getting the license (LCI, art. 36). There is however no specific mechanism whereby the BNB staff monitors the progress of new entrants in meeting their business and strategic goals. One could suggest that right after the license, an on-site visit be performed to assess whether the bank is implementing the business plan approved by the founders, whether the proposed objectives and policies are achieved and whether the activities are performed according to the terms of the license. Assessment Largely Compliant. of Principle 5 The Bulgarian licensing regime for banks appears exhaustive. The legal and regulatory framework Comments provides the BNB with good leverage to ensure that the licensing process is sound, particularly in relation to ownership structure and governance. The BNB retains adequate powers to require applicants and potential shareholders to submit all information required and there has been a number of instances where licenses have been refused due to concerns over fitness and propriety of prospective applicants or absence of realistic business strategies. Nevertheless, there are a few aspects described below that would merit attention, particularly because the BNB has no day to day exposure to licensing; the last applications were examined in 2008/2009. 51 BULGARIA There is no explicit reference in the LCI to the concept of UBO; the latter is captured only in the AML law. The LCI refers several times to the concept of indirect holdings or indirect acquisition but does not provide an explicit definition of the ultimate beneficial owner. It would be advisable to align the LCI on the AML law so that both laws provide a common definition of UBO. As As discussed above, prospective applicants are obliged to submit information on the source of funds to be used as capital. This includes a declaration in writing stating that own resources have been used for the contributions paid for the subscribed shares and the origin of funds used to make these contributions. However, the types of supporting information that the applicant should provide to establish the legitimacy of funds are not specified in the law or in the ordinance. In addition, the mission was told that there is no further due diligence to ascertain the reputable source of funds, beyond the analysis of financial statements and the writing statement of the applicant whose terms, in practice, are too general. The BNB should enhance its due diligence in that regard; this could entail, for example, approaching the FIU as well as the police (criminal records registry, Interpol office), and other financial sector supervisors in case the same applicants already have engagement with other parts of the financial sector. As set forth in the Ordinance #2, prior to filing an application for a license, the applicant shall hold “preliminary consultations” with the Deputy Governor in charge of the Banking Supervision Department. The ordinance does not specify however the purpose and objectives of this consultation with prospective applicants. It would be useful to clearly indicate in the ordinance that these consultations aim to evaluate further the bank’s proposed Board members and senior management as to their expertise and integrity. Besides, these consultations take place in practice before the application for a license is formally submitted to the BNB; as a result, according to the discussion during the mission, a representative of the applicant could take part of the preliminary consultations in lieu of the prospective applicant. Besides, if the preliminary consultation is mandatory, there is no provision about holding interviews after the formal submission of the application. The Deputy Governor can decide whether or not to hold an interview with such applicant, but it is optional. As a result, in theory at least, there might be situations where there is no formal meeting with the prospective applicants before the license if granted. The authority are advised to amend the Ordinance to establish formal and mandatory mechanism for interviewing future administrators in addition to preliminary consultations. The BNB has the power to restrict in the banking license certain transactions or activities, for which the BNB considers the applicant unqualified, or for which the other requirements, stipulated in a law, are not met. It would be useful to set up a procedure subjecting newly licensed institutions (particularly those with limited scope) to more intensive supervision during their first year of operation. It is recommended to: Include in the LCI a clear definition of UBO in consonance with the definition provided by the AML law; Enhance BNB due diligence with respect to the origin of funds used for disbursement of capital; Include in the relevant regulation a provision requiring the individual Board members or the Board collectively to have a sound knowledge of the material activities that the bank intends to pursue, and 52 BULGARIA the associated risks; Establish formal procedures to subject the newly established bank to follow up on-site inspection to ascertain that the bank is performing according to the terms and conditions of the license; Establish formal mechanism for interviewing applicants after the application is formally submitted to the BNB. The content and objective of these interviews should also be specified and made mandatory; and Include in the Fitness and Propriety Test Question Form information about administrator’s income and assets. Transfer of significant ownership. The supervisor25 has the power to review, reject and impose Principle 6 prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. Essential criteria Laws or regulations contain clear definitions of “significant ownership” and “controlling interest.” EC1 Description The Bulgarian regime regarding transfer of significant ownership is governed by several provisions of and findings the LCI as well as by the BNB Ordinance № 2. These provisions empower BNB to (i) approve such re EC1 transactions; (ii) lay out the criteria for approval of the transfer by making several references to the licensing rules; (iii) stipulate the grounds for rejection of the transaction; and (iv) describe the possible sanction of an ownership interest gained without going through the regulatory process. As set forth in art. 28 of the LCI a preliminary approval of the BNB is needed when the holdings of a natural or legal person, as well as of persons acting in concert are reaching or exceeding the thresholds of 20, 33 or 50 per cent of the shares or voting rights. The same approval is required when holdings of the same persons mentioned above are becoming “qualifying.” There is no specific definition of “qualifying interest” in the law26 but it is understood that any acquisition of share above 10% provides such qualification. A controlling interest is not defined either but according to the BNB, it is understood as a relationship in which a shareholder owns directly or indirectly the majority of shares or voting rights (more than 50%), and de facto determines the policies or practices of the institution, or controls in any way the election, appointment and dismissal of the majority of the bank’s administrators. Although there are no specific definitions of “qualified interest” and “control,” Bulgaria, in that respect, applies the definitions of the EU Regulation 575/2013 by virtue of the Additional provisions of LCI - § 1. (1) points 6 and 7. The LCI does not define the concept of “significant ownership” either but it is assumed that any person holding 10% or more of the voting rights has a significant ownership. The definition of “action in concert” can be found in the LCI (additional provisions (i) 4 (a). Pursuant to Art. 32 of the LCI, where a person has acquired 3 or more than 3 per cent of the shares or 25 While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority. 26 There is however a definition for “qualifying holding” in the CRR (Article 4, para. 1, 36) – qualifying holding means a direct or indirect holding in an undertaking which represents 10% or more of the capital or of the voting rights or which makes it possible to exercise a significant influence over the management of that undertaking. 53 BULGARIA the voting rights, the Central Depository shall notify the BNB of the person’s name and address following the recording of acquisition in the book of shareholders. The acquirer is obliged to submit, at BNB request, a series of documents (comparable to those required to get a license; e.g., name and address of the subscribers, professional experience, origin of funds –see CP 5 for more details). There are requirements to obtain supervisory approval or provide immediate notification of EC2 proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. Description The Bulgarian regime contains provisions whereby changes in ownerships or the exercise of voting and findings rights over a certain threshold require BNB intervention. Such changes are made upon the written re EC2 approval of the BNB, which is issued in accordance with the LCI, which gives the BNB the power to enforce the “fit and proper” requirement. According to Ordinance No. 2, Art.18, any person that intends to acquire holding in the capital of a bank is required to notify the BNB by submitting an application specifying whether the planned acquisition is: - a primary acquisition or an increase of the holdings in the capital, - a direct or indirect acquisition, - is made by the acquirer on his own, or with other persons acting in concert. In addition, natural persons and legal entities shall include in their applications data on bank shares owned by them, the number of shares planned to be acquired and which of the thresholds is to be achieved and/or exceeded. In case of indirect acquisition, data on the manner of implementing the planned acquisition shall be included, as follows: - by acquiring qualifying holding or its increase in the capital of a shareholder who exercises control over the bank, or - by acquiring control over a shareholder owning qualifying holding in the bank. In case the acquisition -or part of- is implemented in concert, the application shall contain detailed information about legal and actual grounds of the actions taken in concert with other persons. Once the BNB has received the application for transferring significant ownership, the Legal and Administrative Directorate will perform a series of due diligence in a timeframe of 60 days. In particular, the BNB will ascertain whether the applicant/acquirer has a good standing, is financial sound and willing to provide financial support if needed. Also, special attention will be given to the following: (i) if the bank becomes a part of a group, the structure of this group shall not impede implementation of prudential banking supervision; (ii) there is no obstacle for exchanging information between the supervisory authorities and there is clear distribution of the responsibilities amongst them; (iii) there is no reasonable grounds to suspect any money laundering or terrorist financing activity. Further, the BNB will capture and analyze the documents and information about the applicant (Article 54 BULGARIA 19a.). In case the applicant/acquirer is a natural person, the application should contain the following: 1. the full name of the applicant, citizenship, identity card number, permanent and present address; 2. a certificate showing no previous conviction or relevant criminal records; 3. details on qualifications and professional experience; 4. information about previous compulsory administrative measure/disciplinary actions. The BNB will also capture information about the financial condition of the acquirer in terms of assets (revenues and earnings, including their sources, property owned) and liabilities (pledges, mortgages in favor of third parties, issued guarantees and other commitments). The BNB will also check about the existence of possible financial linkages or interests of the applicant with affiliated persons of the bank, including bank shareholders, members of the board or controlling bodies, or with any person that may cause conflict of interest with the bank. In case the applicant is a legal entity, the BNB will require other information: a certified transcript of the Articles of Association, a list of the shareholders (associates/partners) of the applicant up to the ultimate owner; the structure and allocation of its capital among the shareholders (as- sociates/partners); a list containing the names and addresses of the persons who manage or rep- resent the applicant, together with detailed written data on their qualifications and professional experience; a description of the group structure if the applicant participates in a group as a subsidiary or as a parent entity, along with its organizational and intra-group corporate structure, specifying relevant participation shares of the other persons in the group, as well as a description of the business activity of the group. The annual financial statements of the applicant for the last three years will also be submitted. In case the applicant is a trust that already exists or will be established after the acquisition, the following documents and information shall be submitted: 1. the names and addresses of the persons who will manage the assets of the trust under the terms and procedure of the contract establishing the trust and their respective shares in distribution of the asset management income; 2. the names and addresses of the persons up to the ultimate owner who are beneficial owners of the legal entity. In addition to collect data on the applicant, the BNB is, by law, obliged to perform other diligence before granting the approval, particularly in relation to the targeted bank. The central bank will be provided with information permitting an understanding of the rationale of the transfer of ownership and its possible impact of the targeted bank. As prescribed by LCI art. 19b the following documents and information concerning the target bank will be submitted: 1. data on the overall aim of the acquisition, the total number of shares acquired; the nominal and total value of the shares, the single and total acquisition price of the shares and their amount in the total capital, in percentage; 2. a written declaration concerning the origin of the financial funds for the acquisition; 3. a declaration and documents on the financing of the acquisition specifying the source of the funds and the means used to provide (transfer) funds for the acquisition. It is noteworthy that the quantity of information to be submitted by the prospective acquirers – acting alone or in concert- increases according to the level of targeted holding (less than 20%, between 20 and 50%). 55 BULGARIA Pursuant to Art. 32 of the same law, where a person has acquired 3 or more than 3 per cent of the shares or the voting rights, the Central Depository shall notify the BNB of the person’s name and address following the recording of acquisition in the book of shareholders. In practice, the request for transferring significant ownership is processed by the Legal Directorate which can request additional information to the applicant, if needed. A memo will be drafted, containing an opinion on the application and will be presented to the Deputy Governor in charge of banking supervision, for review. The latter will make a determination on the application and will sign an official order for approval. It is worthwhile mentioning that the DG has full discretion to approve – or reject- any request for change in shareholding, irrespective of the amount of targeted holding. The approval will take the form of an official order of the DG in which the later “ ascertaines that the conditions for issuance of the approval are met.” The order is an individual administrative act and can be challenged before the administrative court. The supervisor has the power to reject any proposal for a change in significant ownership, including EC3 beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. Description As a result of the quality assessment of the proposed acquirer, as described under EC2, the BNB will and findings issue or refuse to issue the permission. Clearance will be given only if the BNB is assured of the re EC3 suitability and adequacy of the quality of the proposed acquirer, including its financial strength, qualified experience and integrity. In that respect, BNB due diligence will be comparable to those applied for licensing. As stipulated in the LCI, transactions, decisions and actions concluded and taken without BNB preliminary approval are declared null and void. The same applies when, for example, the acquisition of ownership was based on false or partial information. This will also be the case if there are reasonable grounds to suspect that, in connection with the proposed acquisition, money laundering or terrorist financing is being or has been committed or attempted, or that the proposed acquisition could increase the risk thereof. Further, the righting votes of the shareholder(s) involved can be suspended or the BNB can issue a written order instructing the shareholder to dispose its shares wrongly acquired. Over the past 5 years, 16 requests for transfer of significant ownership have been approved. There were no formal refusals. After prior consultations with the DG of the BNB in charge of Bank supervision department (as required according to BNB regulation #2), some intentions for acquisitions were withdrawn. The supervisor obtains from banks, through periodic reporting or on-site examinations, the names EC4 and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. Description As indicated in the LCI, banks licensed in the Republic of Bulgaria shall notify the BNB within 7 days 56 BULGARIA and findings from becoming aware of any acquisition or disposal of shares of their capital, as a result of which the re EC4 shareholders’ holdings exceed or fall below any of the thresholds contemplated in the law (Article 28, paragraph 1). Further, on a monthly basis, banks are required to submit to the BNB reports detailing bank’s shareholders who hold qualifying holdings. Banks should indicate in these reports the name of the shareholders as well as the size of their holding. As described in the BNB Risk Assessment System manual, the BNB verifies the quality of shareholders’ participation primarily through on-site inspections and, discretionally, by requiring additional information for off-site supervision purposes. In that regard, every year, all changes in ownership structure of banks is assessed by the SSD. The department uses different sources of information including banks’ report and data from the Central Depository. Moreover, The assessors reviewed a series of reports prepared by the SSD in which particular attention has been paid to ownership composition, financial status of companies holding qualifying interest as well as ultimate beneficial ownership of those companies. In that respect, several gaps and missing information, in particular on the true identity of UBOs located overseas have been detected and reported to BNB management (see CP 5 for more details). The supervisor has the power to take appropriate action to modify, reverse or otherwise address a EC5 change of control that has taken place without the necessary notification to or approval from the supervisor. Description The LCI contains some enforcement provisions that allow the BNB to take appropriate actions. The and findings Central bank can suspend the voting rights attached to the shares wrongly acquired. Another re EC5 possible supervisory action is a written order issued by the BNB to force the sale of the shares which were acquired without prior permission. It is worth mentioning that under Article 28 of the LCI, shares acquired without obtaining the appropriate approval from BNB are “null and void.” The mission was also informed that the Officer in charge of the Trade register has to ensure that new acquisitions have received BNB approval. Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become EC6 aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Description There is no such requirement in the Bulgarian law. and findings re EC6 Assessment Materially Non Compliant. of principle 6 Comments The mission reviewed a recent file of a proposed acquisition of significant ownership in a bank by a local private company. The analysis performed by the LSA and the due diligence to ascertain that the acquisition of shares will not have negative impact of the bank were found adequate. The BNB determined in particular whether the documents and information submitted with the application show that the proposed acquirer possesses financial stability and has declared that if a financial support for the development of the Bank’s activities is needed or in case of financial difficulties the later could provide additional funds. The LSA also ascertained that there will be no change in the 57 BULGARIA control the acquirer exercises over the Bank and that there are no indications that the acquisition will cause breach of the applicable supervisory regulations. However, the mission also considered a change of control/acquisition between two banks – ie the 100 percent acquisition by KTB of a French subsidiary (CB Victoria, former name Crédit Agricole, Bulgaria EAD) in June 2014. With respect to this acquisition, the most recent development with the collapse of KTB almost concomitant to the purchase of a subsidiary of a French SIFI 27 raises questions about the adequacy of BNB internal processes for change of control just as much for acquisitions. It seems that due diligence was not robust or intrusive enough to ascertain that the acquirer (KTB) had the risk management capacity to properly manage the subsidiary and that, conversely, the subsidiary would be prudently managed by its new parent. In assessors’ opinion, the change of control left CVB in less stable/vulnerable position due to a failure to consider KTB properly in the light of “ parent of a bank.” Changes of control are by their nature fairly uncommon events in most jurisdictions and as a result, supervisory expectations are high in ensuring that transfer of significant ownership is performed in a consistent way from the perspective of both parties. It is also important to bear in mind that these types of transactions must in fact pass two tests. It is not inevitable that passing CP7 as discussed below means that CP6 is satisfied. Implementing some mechanism to consult the external auditors before any major acquisition would be beneficial as well. Some improvements described below would be needed. The BNB has a full range of option to enforce legal provisions in relation to transfer of ownership in banks. It would be, however, useful to add a clear provision in the LCI stipulating that a person who no longer meets the requirement for holding equity (e.g., when exercising an influence that might jeopardize bank’s sound management) cannot further hold directly or indirectly new s hares in the bank. The authorities should also set a specific timeframe for that prohibition and also get the power to ban the same person from holding interest, directly or indirectly in other banks. The LCI does not contain a provision requiring banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. It is recommended to: o Establish stronger mechanism to ascertain that the new owner, beyond its financial soundness, has the risk management capacity to properly manage the acquisition. o Institute a mechanism whereby external auditors’ opinions are sought before approving a major transfer of significant ownership. o Provide BNB more powers over shareholders who no longer meet the requirement for holding 27 The share of this bank (renamed CB Victoria) accounted for a mere o.45 per cent of banking system assets by June 2014. 58 BULGARIA equity in banks. o Include in the law a provision requiring banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Major acquisitions. The supervisor has the power to approve or reject (or recommend to the Principle 7 responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. Essential criteria EC1 Laws or regulations clearly define: a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and (b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital. Description a) By virtue of Art. 28 of the LCI, a bank may not, without the preliminary approval by the BNB, and findings directly or indirectly acquire shares or voting rights in another bank licensed in the Republic of re EC1 Bulgaria, if as a result of such acquisition their holding becomes qualifying or if this holding reaches or exceeds the thresholds of 20, 33 or 50 per cent of the shares or voting rights. Preliminary approval from the BNB shall also be required where holdings become qualifying or the thresholds mentioned above are reached or exceeded as a result of acquisition of shares in the stock exchange or another regulated market of securities. Opening a branch in a third country is also subject to BNB approval in consonance with Art. 29, para. 1, point 1 of the LCI. The same obligation to seek BNB clearance applies to other acquisitions realized through merger (LCI – Art. 29, para. 1, point 8. as well as to the acquisition of control over a bank with a seat abroad (Art. 29, para. 1, point 8). To obtain approval, the bank shall notify the BNB via a written proposal of their decision on acquisition within the meaning of Article 28 and attach all necessary documents specified in BNB No 2 on “Approvals and Permissions Granted by the Bulgarian National Bank According to the Law on Credit Institutions.” It is worthwhile noting that acquisitions of banks in a non-financial company do not require notification –even ex post- and thus are not subject to supervisory approval. In that regard, Bulgaria applies the requirements of Art. 89 of Regulation (EU) No. 575/2013 for qualifying holdings outside the financial sector. Furthermore, Art. 26 of BNB Ordinance No. 7 on Organization and Risk Management of Banks states that as regards the application of Article 89, paragraph 3 of EU Regulation above mentioned, the bank may not have qualifying holdings in an entity outside the financial sector, which exceeds the individual limit of 15% of eligible capital and the aggregate limit of 60% of eligible capital. 59 BULGARIA b) According to the BNB, there is no case for which notification after the acquisition or investment is sufficient. EC2 Laws or regulations provide criteria by which to judge individual proposals Description The conditions for judging individuals proposals for major acquisitions are laid out in the LCI as well and findings as in the ordinance No2. re EC2 As stipulated in the LCI, the BNB shall carry out an assessment based on the documents and information provided by the proposed acquirer, as well as on the basis of other information and documents. BNB will issue the approval having regard to the potential influence of the proposed acquirer on the credit institution in order to ensure its sound and prudent management. Due consideration will be paid to the suitability and financial soundness of the proposed acquirer. The assessment shall be based on each of the following criteria: 1. the reputation of the proposed acquirer; 2. the financial soundness of the proposed acquirer, in particular in relation to the type of business pursued and envisaged; 3. the reputation, knowledge, skills and experience of the members of the management boards (boards of directors) and board of supervisors, as well as senior management, who will direct the business of the bank as a result of completion of the proposed acquisition; 4. whether the bank will be able as of the moment of acquisition to comply and continue to comply with the prudential requirements based on the effective legislative framework, including the LCI 5. whether there are reasonable grounds to suspect that, in connection with the proposed acquisition, money laundering or terrorist financing is being or has been committed or attempted, or that the proposed acquisition could increase the risk thereof. The requirements for considering the application are further elaborated in Articles 18-19c of BNB Ordinance No. 2. During the procedure of considering an application for major acquisition, the BNB may request from the applicant to submit additional information with the purpose of ascertaining that all conditions for granting the approval are met. The BNB shall come up with a decision on the application for granting permission within a three-month period after its receipt. Besides the grounds detailed above, the BNB can reject the acquisition if the documents submitted by the applicant contain incomplete, inconsistent, improper or untrustworthy information. The conditions for acquiring control over a bank with residence abroad are stipulated in art. 29 and 30 of BNB Ordinance No. 2. The bank shall submit an application to the BNB along with several supporting documents, including (i) data about the type, number, single and total nominal value of the shares that will be acquired, their portion in the bank’s capital and acquisition price; (ii) data about the type, number, single and total nominal value of the shares, already possessed, their portion in the bank’s capital and acquisition price; (iii) documents and data about the bank to be acquired; (iv) a certified transcript issued by the respective Commercial Register with current information concerning the name, registered office and head office address of the bank, its legal organizational structure and the persons who represent and manage the bank; (v) audited financial statements of the foreign bank for the last two years; (vi) a certified transcript of the Articles of Association (Act of Association) of the bank; (vii) information about bank’s related persons; and, most importantly, (viii) an economic substantiation of the reasons to acquire a bank with residence abroad. The analysis of the project for major acquisition is led by the Legal Directorate that will review, in addition to the materials stipulated in the regulations, other important data including prudential reports, financial conditions of the purchaser, liquidity report on both solo and consolidated basis of 60 BULGARIA the new bank. The BNB will ascertain whether the acquirer has enough liquidity and can cover additional CAR. Moreover, consideration will be given to the strategy of the acquirer, particularly vis- à-vis the target bank (change of business model, business strategy, closing of branches, etc). In this analysis, the Legal department will seek the opinion of the inspectors of the Credit Institution Directorate before submitting the application to the Deputy Governor for final decision. EC3 Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future. 28 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. Description As explained above, the BNB will perform a series of due diligence in relation to the project for major and findings acquisition. The Central bank will ascertain that the acquisition will not expose the bank to undue re EC3 risks. Also, in case of acquisition abroad, the BNB will pay attention to the requirements set forth in the Regulation (EU) No 575/2013, in particular whether the group of which the bank will become a part has a structure that makes it possible to exercise effective supervision, effectively exchange information among the competent authorities and determine the allocation of responsibilities among the competent authorities. Yet, the mission could not find any specific provision according to which the BNB also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future. EC4 The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. Description The notification to the BNB (by submitting an application) is the trigger for initializing the procedure and findings for granting an approval for major acquisition. According to Ordinance No2, the BNB determines that re EC4 the bank has adequate financial, managerial and organizational resources to handle the acquisition (see EC 1 above and comments below). EC5 The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities. Description 28In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank. 61 BULGARIA and findings As indicated under EC1, acquisitions of banks in a non-financial company are not subject to re EC5 supervisory approval. It is understood, from the discussion with the BNB, that there is no particular process in that regard. Since Bulgaria applies the EU Regulation 575/2013 without any additional diligence, it is difficult to ascertain that the BNB will be in a position to monitor that a bank processing a major acquisition in non-financial sectors does not evade the regulatory limits (individual limit of 15% of eligible capital and the aggregate limit of 60% of eligible capital). The mission was told that in case of breach with the EU limits, deduction from CET 1 will be applied. Yet, in the absence of formal BNB approval, there is no mean to determine whether an investment in or major acquisition of a non-banking company does not pose a risk to the group. The BNB has no ability either to ascertain that the bank has the ability to manage the risk. Additional Criteria The supervisor reviews major acquisitions or investments by other entities in the banking group to AC1 determine that these do not expose the bank to any undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.34 Where necessary, the supervisor is able to effectively address the risks to the bank arising from such acquisitions or investments. It is not a usual (or frequent) practice for BNB to approve the major acquisitions or investments by Description other entities in the banking group. According to BNB practice and observations, such investments and findings are rare and they are not driven by speculative or regulatory circumvention objectives. Most of them re AC1 relate to set-up or buying companies which perform ancillary services to the primary banking business. However, the activities of such entities are being subject to checks and review predominately within the process of supervisory review and on-site inspections, as well as when there are relevant comments on that topic, it is put either in the Capital, Earnings or Management section (depending on the major risk driver related to that investment). The risks raised from non- bank activities, including the investments and acquisitions of the entities within the group in cases of the cross-border banking groups, are also being discussed within the supervisory colleges. As indicated by the BNB, there have been cases in the past where a bank approaches the BNB to discuss it’s planned acquisition of another non-bank company, but the main purpose of the meetings has been to discuss whether (and how) those entities shall be consolidated in the financial reports, as well as what will be the effect on the overall corporate structure. Assessment Largely Compliant. of Principle 7 Comments The following aspects warrant attention: In the past five years, three major acquisitions have been approved by the BNB. Two acquisitions concerned a Bulgarian bank acquiring respectively 100 % of a Bank located in the Republic of Macedonia and 75.961% of a bank established in Russia. As discussed under EC 1, acquisitions of banks in a non-financial company do not require notification 62 BULGARIA –even ex post- and thus are not subject to supervisory approval. In that regard, Bulgaria applies the requirements of Art. 89 of Regulation (EU) No. 575/2013 for qualifying holdings outside the financial sector.29 However, beyond the regulation, the BNB has not established any particular protocol or procedure in relation to major acquisition of banks in non-financial companies. As a result, the BNB seems to lack the systematic ability to (i) assess compliance with the limits, (ii) determine whether an investment in or a major acquisition of a non-banking company does not pose a risk to the group and (iii) ascertain that the bank has the ability to manage the risk, especially the risk relative to regulatory capital. In the past, the BNB regulation #17 contained some restrictions in terms of acquisition/investments in certain sectors (e.g real estate) but the ordinance has been repealed. The approval for major acquisitions is processed by the Legal Directorate with inputs from the banking supervision directorate. An opinion is formed as to whether the acquisition meets all criteria stated in the LCI and the BNB ordinance and whether the project is sound from a financial/prudential perspective. The final decision to approve or reject the acquisition rests with the Deputy Governor in charge of banking supervision only, irrespective of the magnitude of the acquisition. The mission was told that consultation with the Bulgarian Commission on Protection of Competition is established but no formal protocol has been defined. It is not clear either whether the acquisition that has been approved by the BNB is subject to follow up review; here again, the mission understood that the Credit Institution Directorate is responsible for that but no evidence has been given to the mission about the materiality of this mechanism. Against the background, it is recommended to: o Subject any major acquisition to a formal follow up mechanism to ascertain that the new activities acquired do not expose the bank to undue risks. o Subject major acquisitions in non-financial companies to enhanced BNB scrutiny, in particular with respect to the compliance with limits. BNB also needs to know that (i) the structure will not bring additional risks and (ii) actions can be taken to mitigate riks. o Explore the possibility to set restrictions for major acquisitions in non-financial sectors deem to pose particular concern. o Establish an explicit provision by which the supervisor determines, where appropriate, that new acquisitions and investments will not hinder effective implementation of corrective measures in the future. Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. 29 the bank may not have qualifying holdings in an entity outside the financial sector, which exceeds the individual limit of 15% of eligible capital and the aggregate limit of 60% of eligible capital. 63 BULGARIA Essential criteria EC1 The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: (a) which banks or banking groups are exposed to, including risks posed by entities in the wider group; and (b) which banks or banking groups present to the safety and soundness of the banking system The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. Description Since 2014, the BNB has been under a legal obligation to undertake supervision to evaluate (1) risks and findings to which the banks are or might be exposed and (2) risks banks pose to the financial system. In re EC1 respect of item (2) the BNB must take into consideration the work of the EBA and the ESRB. (Art 79c(1)LCI). The methodology used by the BNB to determine and assess the nature, impact and scope of risks to which banks and the banking system are exposed rests primarily on the Supervisory Review and Evaluation Process (SREP). The SREP is part of the overall Pillar 2 process, (Pillar 2 being the Supervisory Review Process of the Basel capital framework) and is a key tool to relate risk to an appropriate level of capitalization of the banks. In other words, The SREP is to ensure that institutions have sufficient capital to support all material risks to which their business exposes them. It should therefore reinforce the link between risk and capital, so that the institution’s risk management strategy, approaches and systems are integrated with its capital planning and thus the SREP is not a purely quantitative approach but requires qualitative assessment of each type of risk and its management, within the overall context of the institution’s internal governance. The BNB reviews the arrangements, strategies, processes and mechanisms implemented by the credit institutions and determines whether they ensure sound management and coverage of their risks. The Supervisory Review and Evaluation Process (SREP) must take into account the nature, size and complexity of the bank’s operations, and supervisory measures should be imposed, as required. This process includes:  assessment of the bank’s risk profile based on a review of all significant risks and reflecting the quality of risk measurement, reporting, and monitoring systems;  verification of the adequacy and stability of the bank’s internal control and Internal Capital Adequacy Assessment Process (ICAAP) systems;  verification of own funds and internal capital adequacy corresponding to the bank’s risk profile. The SREP is performed on a consolidated basis, but there is a focus on assessing the individual risk profiles and management systems of the individual banks belonging to the relevant group, and the overall SREP takes into account the position of the individual banks within the group. The key factors that may be taken into consideration by BNB’s Banking Supervision Department in the Supervisory Review and Evaluation Process are:  level, structure and stability of regulatory capital;  credit risk, including concentration risk; 64 BULGARIA  market risk;  operational risk;  interest rate risk in the banking book;  liquidity risk;  ability to generate profit;  organisational structure of the bank, including corporate governance and internal control;  financial measures against money laundering and terrorism, financial crimes and reputational risk;  level and allocation of internal capital depending on the specific risk profile of the bank. The BNB must also determine the frequency and intensity of the review and evaluation having regard to the size, systemic importance, nature, scale and complexity of the activities of the credit institution concerned and taking into account the principle of proportionality. Nevertheless, the review and evaluation must be updated at least on an annual basis. Nevertheless, the SREP is performed annually – as required by the legislation. The Supervisory Review and Evaluation Process (SREP) is structured with a view to ensuring consistency of treatment across banks, keeping in mind that institutions differ in risk profile, strategy and management. The findings or “result” of the SREP is a score or rating obtained by the BNB comparing the results of RAS (Risk Assessment System) and the assessment of Risk factors (and including risks and risks controls not covered under RAS) with the outcome of the ICAAP and analyzing the consistency of these separate processes. This approach facilitates constancy of treatment across the banking sector. EC2 The supervisor has processes to understand the risk profile of banks and banking groups and employs a well defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. Description The Risk Assessment System (RAS) is the tool used by the Banking Supervision Department to and findings organize and perform an assessment of the bank’s risk profile. The RAS is structured so as to provide re EC2 common guidance, applied consistently to all credit institutions as the first phase of SREP. Through the RAS, the BNB assigns assessment scores to the material risks and controls in the bank and the quality of their management. The RAS is part of the Supervisory Review and Evaluation Process and includes an assessment of each significant risk. The system includes and operates two core methods: CAMELOS (used for the assessment in on-site inspections) and CAEL (used for the ongoing off-site assessment of the bank). The CAMELOS is performed annually, based on findings from on-site inspections, although it should be noted that inspections are not always performed annually, and the CAEL is updated quarterly though offsite evaluation. The CAMELOS composite rating is based on detailed quantitative and qualitative analysis of the overall bank’s activity, including its risk profile, financial status and the adequacy of the internal control and management mechanisms. The seven basic components used for making this assessment are: C - capital adequacy; A - quality of assets and credit risk; M - management and internal control; E - earnings and profitability; L - liquidity risk and ability to meet liabilities; 65 BULGARIA O - level and management of operational risk; S - sensitivity to market risk. CAEL component ratings are based on quantitative assessment of all bank’s activities, including: risk profile, financial situation and adequacy of the internal control and management mechanisms. The four main components are: C - capital; A - asset quality; E - earnings; L - liquidity. Component ratings for both internal assessment systems (CAMELOS and CAEL) vary from 1 to 5. The composite RAS rating of 1 represents the best performance, very good systems for risk management and requires minimal supervisory attention. Composite rating 5 is the worst score and shows critical performance weak or missing systems for risk management and requires maximum attention from the supervisor. The rating system is also designed to be forward looking, in common with good practice elsewhere, so the direction of risk is indicated for the ratings. EC3 The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. Description Under the LCI (Art 79), the BNB is required to supervise banks, including to ensure the observance of and findings the rules of the Law. The LCI (Arts 89-101) provide that supervision shall also take place on a re EC3 consolidated basis for the banking groups. EC4 The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. A Macro-prudential Analysis and Strategy Directorate (MPASD) was established in 2009 within the Description Banking Supervision Department with the responsibility for addressing the macro-prudential issues and findings and challenges facing the banking system in Bulgaria. The MPASD was responsible for carrying out re EC4 stress test simulations, developing and proposing macro-prudential instruments and evaluating the risks facing the banking system. It actively cooperated with the Financial Stability Directorate, formed in the beginning of 2010. The main analyses of the two units was presented to the BNB Governing Council through the Report on the State of the Banking System and the Financial Stability Report. The MPASD and the Financial Stability Directorate supported the BNB participation in the work of the ECB (FSC) and the ESRB and the MPASD supported the EBA in its work on studying the risks and vulnerabilities of the EU banking system. Following the LCI amendments and the explicit macro-prudential mandate of the BNB for the banking system, the Macro-prudential Supervision and Financial Stability Directorate was established in April 2014. The reorganization was designed to reflect the need to achieve synergies between the fields of financial stability and prudential supervision and to further strengthen the analysis and skills base. The changes also responded to the new EU supervisory architecture (European Systemic Risk Board (ESRB) and the European Supervisory Authorities) and the ESRB recommendation on the macro-prudential mandate of national authorities. The new Macro-prudential Supervision and Financial Stability Directorate is responsible for evaluating and proposing, as necessary, macro-prudential measures and instruments; formulating recommendations and requirements for to the banking system (via BNB Governing Council 66 BULGARIA decisions), participating in proposals for revisions of secondary legislation (BNB ordinances) and other regulations. The directorate carries out a regular review of the macroeconomic environment and potential macro-related risks for the banking system. This includes, for example, the indebtedness of households and non-financial corporations, their financial profile and the quality of their loan portfolios. The directorate seeks to employ forward-looking approaches and its work examines major factors on the demand-side for credit (households and non-financial corporations) – eg through collection of data not only on credits that have been granted, but on credits that have been rejected. An additional layer of the financial stability analysis is the regular monitoring of the data for non- bank financial institutions, focusing mostly on pension funds, insurers, leasing and credit companies. Interconnectedness with the banking system is monitored, as well as the main risks stemming from their exposures and activities. The analysis is presented in the “Report on the state of the banking system.” Since the merger of the financial stability unit into the Banking Supervision Department this material has been augmented to incorporate parts of former financial stability report – focusing on the macroeconomic risks for the banking and risks stemming from the cross-sectoral developments. The work of the directorate, and its support for the supervisory analysis also is also based on cooperation with other divisions of the BNB that focus on the analysis of international financial markets (re FX reserves management) and the local economy. In terms of cross sectoral work the BNB regularly communicates with the FSC (the supervisor of the non-bank financial sector) and exchanges information. The working level relationships are in addition to the official framework for communication and cooperation between the two supervisory authorities which were introduced with the establishment of the Financial Stability Advisory Council, FSAC. The FSAC consists of the Minister of Finance, the Governor of the BNB and the Chairman of the FSC. The FSAC is chaired by the Minister of Finance, and decisions are taken by consensus. The FSAC can address proposals and recommendations to its members in connection with regard to the protection and maintenance of the financial stability, prevention and management of financial crises. Moreover, with regard to the improvement of macro-prudential policies in the country, the FSAC has the responsibility for discussing any proposals arising from recommendations or warnings of the European Systemic Risk Board (ESRB). The Council also has the responsibility for approving a national action plan in the event of crisis. The FSAC meets quarterly, though can meet more often as needed and is supported by a standing committee at the expert level. The BNB also cooperates with the FSC and the Ministry of Finance in the context of international work connected with the ECB’s Financial Stability Committee and the European Systemic Risk Board (ESRB). The supervisor, in conjunction with other relevant authorities, identifies monitors and assesses the EC5 build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. The monitoring and assessment of risks, trends and concentrations within and across the banking Description system as a whole is carried out by the Macorprudential Supervision and Financial Stability and findings Directorate, part of the Banking Supervision Department described above. The assessors saw re EC5 extensive analysis performed by this directorate. In order to effectively perform its tasks and objectives the directorate monitors and analyses a range of indicators for the separate banks and the banking system as a whole. Examples include: 67 BULGARIA Analysis of asset quality: monitoring of different categories of classified loans, accumulated impairment and coverage with provisions, including by economic sectors, etc. Profitability: the department follows the dynamics of indicators such as ROE, ROA, net interest margin, return on interest-bearing assets, price of interest-bearing liabilities, funding cost, analysis of income sources, price strategies according to banks and instruments, analysis of core v.s. non-core activities. Capital adequacy: analysis naturally covers the total and common equity tier I capital adequacy, leverage, excess capital, capital composition, tendencies and sources of capital formation and support, etc. Liquidity: examples of liquidity monitoring indicators encompass liquidity ratios by maturity brackets, share of liquid assets to attracted funds, currency composition, matching liquidity flows based on scenarios, etc. FX lending (loans in non-euro currencies)/US dollar funding: the BNB has implemented a framework for continuous monitoring and control of FX positions of all banks ever since the early 1990s. Reporting requirements have adapted to developments in the banking system and now includes reporting on the net FX position as a percentage of own funds, liquidity reporting for inflows and outflow in foreign currency (e.g., according to Ordinance No. 11 by currency. Currently for the purposes of monitoring FX lending and funding in foreign currencies the BNB Banking Supervision Department has separate reporting templates on monthly and quarterly basis. In addition to supervisory reporting, the BSD analyses data from the credit register and monetary statistics, broken down by currency. A special reporting form encompasses indicators on FX funding, FX swaps, currency and maturity mismatch for the major foreign currencies. US dollar exposures are also monitored. This reporting allows the BNB to follow the ESRB recommendation on FX lending although the reporting requirements pre-date the recommendation. The directorate further incorporates all the analytical work in “ its assessment of banks and banking groups” by:  Preparing periodical and ad hoc analyses of the tendencies and major risks facing the banking system;  Developing and timely updating the stress-testing methodology, measuring the sensitivity of banks and the banking system to changing risk factors within their activities; In order to “address proactively any serious threat to the stability of the banking system ,” the MPSFS directorate also carries out:  Analysis of the effectiveness of different macroprudential instruments, applied by other supervisory authorities;  When necessary the directorate develops macroprudential instruments and proposes approaches for their introduction with the purpose of minimizing the risks for the banking system stability in the country; The Deputy governor in charge of the BNB Banking Supervision Department, when necessary, issues letters to specific banks or the system as a whole to address certain risks or vulnerabilities. Legally binding measures are also applied. For example in 2014, the BNB implemented a capital conservation buffer of 2.5% and a systemic risk buffer of 3% effective as of October to be applied to all banks in the banking system. As noted in the previous response, in discharging its obligations the BNB regularly communicates with the FSC (the supervisor of the non-bank financial sector) and exchanges information at an expert level. The BNB and FSC also cooperate in terms of on-site inspection of banks for whom the 68 BULGARIA FSC also has regulatory responsibility, such as when the bank is also a custodian bank. Furthermore, and as noted in EC4, the official framework for communication and cooperation between the two supervisory authorities is covered by the FSAC. EC6 Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank -specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. The BNB is required, under, the LCI (Art 121a) to prepare a plan for orderly resolution of each bank, Description licensed in the Republic of Bulgaria, which might be applied if the bank is in financial difficulties. and findings These resolution plans should be updated regularly and banks are required to provide the BNB with re EC6 all the requisite information to prepare such plans. Banks were required to submit their recovery plans to the BNB by end November 2014. Not all banks met the deadline and the BNB has also sought information as necessary from the relevant EU home state supervisors – both bilaterally and through supervisory colleges. The BNB has set internal deadlines to conduct its resolution analysis and prepare the resolution plans. At the time of the BCP assessment this project had not been completed. The deadline for implementing the EU Bank Recovery and Resolution Directive (BRRD, 2014/59/EU) in Bulgarian law was the end of 2014, but at the time of the assessment the directive had not yet been transposed. Technically, therefore “resolvability assessment” does not currently exist as a concept in Bulgarian banking law. It is informally anticipated that the BNB will be the competent authority to be vested with resolution powers for banks but final confirmation was still awaited and there is no formal political assurance on this point. It was hoped, at the time of assessment, that the legal transposition could be made by July 2015, but slippage of the timetable was possible. Notwithstanding the lack of transposition of the BRRD, the LCI already provides significant powers to the BNB to address business strategy, managerial, operational, ownership structures and internal procedures. Hence, where bank-specific barriers to orderly resolution are identified, the BNB may impose a comprehensive suite of measures provided in the LCI, Article 103 (2). EC7 The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. Although the BRRD has not been implemented yet, the BNB has a number of important powers Description should a bank experience stress, including the right to require a bank to submit a rehabilitation plan, and findings to appoint conservators or to place the bank under special supervision (Art 103(2)(21),(23) and (24)). re EC7 In terms of the BNB’s own framework for handing banks at periods of stress, the BNB indicated that there is a formal written framework for crisis situations. Nevertheless, in the context of a small institution and well established working relationships, it is possible to be highly responsive to a crisis situation without recourse to heavily formalized procedures. Records and documentation of decisions and follow-up activity are fully maintained. The assessors discussed some concrete examples with the BNB. It must be noted that the BCP assessment is not a specific assessment or analysis of the circumstances surrounding the handling of the KTB crisis. EC8 Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention 69 BULGARIA of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. The BNB has powers to act should it identify bank like activities outside the regulatory perimeter, Description through the LCI (Art 79(9)) and this provision permits the gathering of information and on-site and findings inspections by the BNB. The BNB has investigated a few cases each year related to unlicensed re EC8 banking activity. It is also worth noting that the LCI (Art 3a) requires an entity to be registered as a financial institution if it carries out lending activities, granting guarantee or acquisition of bank loan portfolios. Ordinance 26, based on the LCI Article 3, establishes the financial information and the procedures which must be regularly presented to the BNB by a registered financial institution. These financial institutions must also submit data to the Central Credit Register. The financial register therefore provides the BNB with an additional tool to monitor the potential for bank-like entities to emerge. While the BNB has never identified banks attempting to re-organise or restructure for purposes of regulatory arbitrage or avoidance, the LCI again provides strong powers under Article 103 in the event of an attempt to “bypass” the banking laws. Assessment Largely Compliant of Principle 8 Comments The BNB employs sound methodologies for the analysis and assessment of individual banks and banking groups. This work is strongly enriched by the efforts of the macro-prudential and financial stability directorate which has worked intensively to provide a spectrum of data and analysis to provide differing perspectives and angles through which to assess the strengths and weaknesses of the banking system. The assessors saw full sets of reports for a range of banks, including the regular quarterly analyses, inspection reports and planning tools. More details are discussed in the individual risk CPs but as a general comment, the methodology and supporting internal guidelines has resulted in consistently detailed and nuanced reports on individual credit institutions. The formality, in the sense of advance planning and documentation, of crisis management is relatively light but this is mitigated by the fact that the banking supervision department of the BNB is sufficiently small and streamlined not to require an elaborate system to be in place. The experience of bank stress in June 2014 demonstrated that the BNB was able to identify relevant data, take decisions, coordinate with other authorities - domestically and internationally - and put effective measures into place to contain the potential for contagion. Nevertheless, despite quick actions in the KTB case there may be scope for improvement of forward planning to deal effectively with crisis scenarios. Work on resolvability is lagging. The existing laws provide almost complete powers for the BNB to carry out the necessary assessments and any required remedial action on resolvability, but factors including the 2014 banking crisis, limited resources and the failure to transpose the BRRD on time, have led to delay. It is welcome that the banking supervision department has progressed as far as it has in these specific circumstances but criteria cannot be seen as fully met. Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. Essential 70 BULGARIA criteria EC1 The supervisor employs an appropriate mix of on-site30 and off-site31 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on- site and off-site functions, and amends its approach, as needed. Description The on-site and off-site supervision functions have been integrated into a single directorate in the and findings banking supervision department of the BNB – the Credit Institutions Supervision Directorate - since re EC1 2009. The supervisory process therefore includes both on and off-site analysis. Off-site analysis is performed according to a regular quarterly timetable based on quarterly (and monthly) returns, supplemented with additional analysis as necessary – which may be required when a bank is subject to enhanced supervision for example. The duration and type of onsite inspections depend on the size, complexity, systemic importance, risk profile and any identified problems and weaknesses in the course of the supervisory review of the credit institutions. In principle the BNB seeks to operate an on-site supervisory inspection cycle of 18 to 24 months, though due to the stress in the banking system, particularly in 2014 and the demands of implementing regulatory changes driven by the EU, this cycle has not been maintained for all banks. The credit institution supervision directorate monitors all banks to ensure that priority risks are taken into consideration and the inspection planning adjusted accordingly. An inspection team, under its chief, is responsible for both on and off-site examination and analysis. Each of the five inspection teams (where each team has approximately 5 staff), has the responsibility for a portfolio of banks. The composition of the inspection teams is not subject to any formal rotation requirements and can be static for extended periods, but the portfolio of banks is rotated approximately every 3 years. The onsite examination for one of the larger and more complex banks will typically be carried out by more than one inspection team. The BNB has policy experts (in the supervisory policy directorate) who support the inspection teams but other than the team dedicated to models analysis does not have internal risk specialists. The duration of an on-site examination reflects the scoping of the particular inspection, whether focused on a particular dimension of the bank (eg one of the CAMELOS risks) or whether it is full scope. An examination could take between 3 weeks to a more extended 15 program. It was noted that where the examination takes place over an extended period, the inspection team will interrupt the examination to return to the BNB to perform the quarterly off-site analyses. The BNB does not differentiate between domestic from foreign-owned institutions when defining the frequency or setting the scope of on-site inspections. There are two types of onsite inspections: 30 On-site work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow -up on supervisory concerns, etc. 31 Off-site work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further off-site and on-site work, etc. 71 BULGARIA • Complete supervisory inspection – the entire CAMELOS risk profile is assessed. The Special Supervision Directorate also performs on-site inspections including a review of AML risks and outsourcing activities. • Targeted supervisory inspection –topics for review may be identified via trend analysis (supported by the work of the Macro Prudential and Financial Stability Directorate), as a result of off-site analysis in the supervisory process and may also be identified as a result of information derived from other sources, such as customer complaints or information from prosecutor’s office. Targeted inspections can be undertaken by more than one directorate, for example CISD and the Special Supervision Directorate. EC2 The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions. Description Under Art 80a of the LCI, the BNB is required to prepare, annually, a supervisory examination and findings program. This program must take into account the supervisory review and evaluation process. The re EC2 plan must indicate how the BNB intends to carry out its tasks and allocate its resources, identify the banks to be examined, as well as the banks subject to enhanced examination. For banks that are subject to enhanced supervision – the banks which have the weaker ratings - the plan will be likely to reflect increased numbers of on-site inspection, and enhanced reporting requirements, more frequent review of the operational, strategic or business plans of the institution and officials of the BNB may be placed permanently on site. The off-site organization of activities is supported by the internal supervisory manual and the on-site examination is guided by the Risk Assessment (RAS) manual. The supervisory manual is largely procedural but it ensures clarity of roles and responsibilities, particularly with respect to coordination and cooperation. The RAS manual provides a detailed structure to support analysis of risk. The assessors were able to view and discuss the supervisory plan with the BNB and were able to confirm that the intensity of planned supervisory activity reflected the current known risk profile of the institutions as identified by the BNB in its supervisory processes. As noted in EC1, the responsibility for both on and off-site activity belongs to the same team for any given bank. In terms of ensuring effective supervisory follow up and also planning for the year ahead, the chief inspector of each of the CISD teams submits a memo to the director setting out the proposed priorities and inspection plans for the following year. It is for the director to review the memos, make adjustments as necessary and submit the plan to the Deputy Governor for approval. The plan is not formally sent to the Governing Council by the banking supervision department. While there is no formal internal process to set and monitor a maximum period of time between on- site examinations, the annual planning cycle provides the opportunity for an annual check as to whether the inspection cycle for any bank has become too extended. EC3 The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, 72 BULGARIA information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable 32 and obtains, as necessary, additional information on the banks and their related entities. Description The main sources of information used during the off-site supervision include: and findings  Monthly, quarterly and annual financial statements of commercial banks (acc. the requirements re EC3 of the Law on Credit Institutions, BNB Ordinances, CRR (Regulation 575/2013);  Additional supervisory reporting related to ad-hoc data requests which in some cases are synchronized with the recommendations of EBA, ECB, ESRB, etc.  BNB Credit Register database (minimum threshold for reporting is 1000 Bulgarian Leva).  Public financial statements (eg Annual Reports);  Responses to surveys and questionnaires, including ICAAP policies;  Information from other supervisory authorities or supervisory colleges;  The Central Credit Register, Monetary Statistics;  Rating agency reports  Monitoring of the financial press  Dialogue with banks. When on-site, the BNB examines the banks’ internal documentation, including its rules, procedures and internal guidelines; strategy and budget; management information packages, bespoke information that has been requested from the bank and interviews with bank staff – whether CEO or senior executive, heads of department, heads of internal audit/control. In addition, the BNB’s supervisory function makes use of the research notes of the Macroprudential Supervision and Financial Stability Directorate. A number of data sources feed into these research notes, including: indicators of market stress such as the VIX and its sub-indices, the Bloomberg EU Financial Conditions Index, sovereign and corporate credit default swaps, bond prices and yields. The process of monitoring and analyzing market sensitive information is primarily through Bloomberg. Other information sources and databases include those of ECB, Eurostat, Amadeus, Local Trade Registry, national statistical agencies, etc. EC4 The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: (a) analysis of financial statements and accounts; (b) business model analysis; (c) horizontal peer reviews; (d) review of the outcome of stress tests undertaken by the bank; and (e) analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and 32 Please refer to Principle 10. 73 BULGARIA soundness. The supervisor uses its analysis to determine follow-up work required, if any. Description The BNB carries out a monthly review of financial statements (prudential returns) through the off-site and findings assessment and also during the on-site inspection where inspectors analyze the most recent re EC4 available balance sheet and P&L statements. When on-site the inspectors on banking supervision perform business model analysis as part of the bank's earnings and profitability review, which forms one of the component ratings of the CAMELOS risk assessment system. The business model analysis includes examination of business line projections and past performance against previous projections. Overall, the business model of banking in Bulgaria is relatively homogenous. The financial system is predominantly banking and the banking system is deposit taking and credit extension. There is limited specialization although different banks might serve different segments of the population. Peer group analysis is more typically undertaken in the context of the macro prudential/financial stability trend analysis. However, there have been occasional horizontal peer reviews, such as on operational risk. Stress tests analysis is carried out during on-site inspections and the Pillar 2 processes require banks to undertake stress tests as part of their ICAAP and under the SREP the BNB reviews the stress tests and overall process taking into consideration the internal framework, assumptions and results of the stress test as part of the relevant risk assessment. The results of the supervisory review and evaluation process are communicated to the banks. Please see EC8 below for more detail. EC5 The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. Description The Macro-prudential Supervision and Financial Stability Directorate (MPSFS) employs surveys and and findings stress tests to investigate and address emerging risks across banks. re EC5 Annual surveys have been undertaken since 2008 to gather industry views and sector-wide information on specific topics. Generally the template has three elements, one part dedicated to the expected dynamics of main balance sheet positions/structure; one to the credit risk parameters (PD,LGD) and indicators (the key risk in the Bulgarian banking system), and the third, occasionally, to seek views on prominent trends or emerging risks. For example, in the past three years topics have included credit products with fixed interest rates; banks business models; impairment and write-off policies; mortgage loan portfolios, focusing on defaulted loans and planned steps to handle such risks; and bank exposures to the Ukraine and Russia. The findings are reported to the Governing Council and summaries of some surveys are shared with the industry. The MPSFS conducts stress testing. Top down stress tests have been performed quarterly since 2002 capturing credit risk and some features of market risk. In 2009 an additional credit risk stress test was introduced, which combines the banks’ credit portfolio quality at the en d of the previous year with the macro-economic forecasts for the coming year (baseline and adverse scenario). For this test, an IMF methodology is applied on the correlation between the growth of GDP and the adversely classified loans. 74 BULGARIA  In line with the European-wide stress-tests conducted in 2010 by CEBS, and since then by the EBA, the Macro-Prudential Analysis and Strategy Directorate has carried out stress tests using the parameters, modeled by the ECB (PDs, LGDs for Bulgaria by type of credit) to test the banks on solo basis.  As a one off stress test in the second half of 2014 MPSFS conducted a stress test using the ECB and EBA scenarios and combining top-down and bottom up approaches over a three year horizon. Under the baseline scenario credit and market risk were tested while for the adverse scenario the sovereign risk and funding risks were added. The emphasis was on credit risk as it is a key inherent risk for Bulgarian banks’ business profile. MPSFS engaged with the banks during the process and made the results available to the supervisory teams, presenting the full analysis and results to the Governing Council.  Liquidity stress testing is also performed, and more frequently since 2011, to enhance analysis of the deleveraging processes. The MPSFS performs two types of test. First a 5-day shock, and also a test to measure the sufficiency of liquid assets to cover a substantial outflow of funds in a bank. The aggregated results feed into the quarterly analyses of the risks and vulnerabilities of the banking sector which are presented to the Governing Council and the individual bank’s results are shared with the relevant supervisory team. Additionally, the BNB has been developing specialized reporting dedicated to macroprudential monitoring of the banking system. Forms have been in development since 2014 – given that previous forms had to be amended as a result of the CRR changes - and are steadily coming on stream. To date three forms have been created. The first, introduced in January 2015 on a monthly reporting frequency, covers currency and residential status and volumes and types of exposures to parent banks. The second and third macroprudential forms will focus on credit activity in the banking sector. The second will be a quarterly report of- LTV, LTI, PTI, and flow of newly granted/renegotiated loans and the third will be an annual submission on credit migration between the categories of past-due status. EC6 The supervisor evaluates the work of the bank’s internal audit function, and determine s whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. Description The evaluation of the banks’ internal audit functions take place through on -site inspection and assess and findings whether the bank has met the standards set out in Ordinance 10 of the BNB on internal controls. The re EC6 inspectors seek to be satisfied that the effective controls and audits are in place and that appropriate actions are taken in response to deficiencies. The elements that inspectors consider when assessing the Internal Audit unit are noted below. However, the BNB uses the findings, conclusions and reports provided by the internal audit unit only for reference, and does not rely on them for completing its supervisory duties/judgment and cannot outsource its supervisory responsibility by using the findings, conclusion and reports of the internal auditors. Assessment of the Internal Audit unit is expected to establish the following:  The quality and comprehensiveness of the internal rules governing the Internal Audit unit;  Degree of independence of the unit (incl. on the level of each individual employee);  Sufficient staffing –number of employees and specialized expertise (incl. at least one IT specialist, specialist operational risk, market risk, etc.); 75 BULGARIA  Quality of reports, the reporting hierarchy and procedure for addressing the identified weaknesses;  To what extent the audits of the unit are risk-oriented and to what - focused on the daily activities of the bank;  Audit plan for the current reporting period and the state of implementation of this plan;  Annual activity report – audits carried out during the previous reporting period: major findings (review the follow-up checks in connection with the most important recommendations);  Major violations – for a period at the discretion of the inspection;  Whether the requirements of Regulation № 10 on the frequency of the checks are observed;  Whether participation of the Head of the Internal Audit Unit in the operational work of the bank is permitted and if so to what extent – eg participation in meetings of committees / councils (e.g., the risk committee). EC7 The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non - executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. Description The SREP provides the governing structure for the communication between the BNB and the banks. and findings The BNB indicated that the major findings of the off-site analyses are communicated to the bank’s re EC7 management board where there is such a need (e.g. if the management board should take timely corrective measures). The BNB explained cases in which it had challenged banks and denied the development of certain business plans. EC8 The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. Description The BNB explained that re is a constant dialogue between teams of CISD and representatives and findings throughout hierarchy levels within the banks and the intensity of this dialogue depends on the risk re EC8 profile, size and systematic importance of the different credit institutions. Each bank in the Bulgarian banking system is allocated a primary contact within the BNB banking supervision department, the supervisory teams and supervisory policy staff are in frequent day to day contact with the banks. Much communication is driven by the banks, particularly at the period of the assessment, as there have been many queries related to the introduction of the CRR and other EU regulatory changes. At the inspection end an wrap up meeting is held at the bank`s premises with appropriate bank`s officials for communication the inspections findings, and conclusions and proposed corrective actions. The bank is given 7 working days to reply, explain or lodge objections. The findings and conclusions of the regular on-site inspections performed by the SSD are submitted 76 BULGARIA in written reports to the banks’ executives in the context of a formal meeting held at the bank’s premises. The main findings, conclusions and recommendations are discussed with the CEOs and bank personnel from the relevant areas. The bank is given 14 days reply, explain or lodge objections. For complex cases a separate period is appointed for the bank to present an action plan for the remedial measures to be undertaken. The BNB has the legal right to meet with the members of the supervisory board without executive management being present and does on occasion do so. It is not a systematic practice. EC9 The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory auth ority and to the bank’s Board if action points are not addressed in an adequate or timely manner. Description Monitoring the follow up of supervisory requirements reflects the priority of the issues in question. If and findings the bank has to undertake urgent measures the supervisory authority maintains intensive re EC9 communication with the responsible representatives. Follow-up checks of the non-major requirements from on-site inspections are usually conducted at the next on-site inspection. If action points are not addressed in an adequate or timely manner they are brought to the attention of the Deputy Governor responsible for Banking Supervision, who is empowered to undertake compulsory action based on the nature of the particular supervisory requirement. The assessors were able to review inspection findings and follow up monitoring of banks’ actions as well as the escalation of issues within the BNB when recommendations had not been followed. EC10 The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. Description The LCI provides some safeguards that the BNB will be notified in the event of a substantive change and findings in the condition of a bank, including any material adverse development. However, this criterion is not re EC10 met in two respects. First, the requirements under Article 72 of the LCI for the bank to notify changes regarding for example, scope and procedures for conducting operations, the capital and internal organization, are retrospective as opposed to a requirement to be made in advance. Secondly, although Article 71 of the LCI addresses a number of adverse developments, there is a 10 day notification period and it is not clear that a breach of a prudential norm would automatically trigger notification. In the case of insolvency, however, Art 12(2) provides that notification should be “forthwith. ” EC11 The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. Description and findings The LCI (Art 80(3) and (4)) provides authority for the BNB to appoint external experts if needed. The re EC11 expert may be an “independent external expert” (where the law does not specify the purpose or expertise), or an external auditor to carry out a financial or other type of audit, or independent 77 BULGARIA experts to evaluate a bank’s assets, and in this instance the BNB can require the bank to reflect the results of the evaluation in its financial statements or supervisory reports. The BNB has not made use of this power. EC12 The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. Description At present the IT system is still undergoing a process to embed regulatory reporting changes. and findings One of the most important automated outputs of the IT system is a comprehensive set of more than re EC12 70 predefined indicators focused on the asset quality, provisioning, profitability, capital adequacy and liquidity. The spreadsheet is available in time-series both on monthly and quarterly basis, for the individual banks and for the banking system as a whole. The analyses and conclusions of the banking supervision inspectors including the monthly and quarterly internal reports as well as the reports from on-site inspections are stored in an internal data storage drive with strictly defined rules for access authorization. As noted below not all supervisory information submitted by the banks is integrated within regulatory reporting. The IT Support Division is responsible for developing database queries and macros in order to automatically process and organize the information. There is a limited number of skilled IT staff who are able to create bespoke analytical reports at the request of the supervisory teams. However, the resources are not dedicated solely to this functions and must meet a range of other requests and demands from the BNB. In terms of technical background all reporting information from banks is processed through special dedicated IT platforms, in particular CIBS and VPN which guarantee the security of information flow. It is worth noting that it is the BNB Information Systems Directorate (functionally allocated outside the Banking Supervision Department) that is responsible for the BSD IT systems’ support, budget allocation, planning and implementation of upgrades. The Banking Supervision Department can propose upgrades and outline existing deficiencies of the IT systems, but their implementation is dependent on the available resources (time, budget, etc) and the initiative of the BNB Information Systems Directorate. The core component of the IT infrastructure facilitating the supervisory process at various stages is a web-based application system called “CIBS.” The system is accessed by the banks, which submit the required supervisory reports through a virtual private network (VPN). The data is automatically processed by the information system based on defined templates according to the regulatory requirements and supervisory needs. The database is subject to a process of formal data checking. While formal (logical and mathematical) validations are automatic and performed by IT Support Division, the quality check of the data from analytical point of view is made by the inspectors of the CISD. The Macroprudential Supervision and Financial Stability Directorate further completes the process by monitoring of the data on a system- wide level. The BNB also uses the VPN as a channel for information-exchange with the credit institutions. This supports additional reporting requirements (daily or weekly reporting templates), external audit reports, or other inquiries on bank-specific issues, etc. After receiving the information via VPN, the latter is being on a common internal drive. In contrast to the CIBS platform, the VPN does not have the functionality for formal approval of the received data. Supervisory information submitted via the secure VPN connection is not integrated within the CIBS. 78 BULGARIA Additional criteria AC1 The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. Description The internal audit unit of the BNB conducts reviews on the directorates of the banking supervision and findings department. The annual plan of the internal audit function is approved by the Governor of the BNB. re AC1 The Credit Institutions Supervision Directorate has been audited once in the last ten years and the Supervisory Policy Directorate is due to be audited in 2015. The review aims to enhance the quality and effectiveness of the supervisory process. The review covers the internal manuals of the CISD as well as the actual supervisory practices. The report, conclusions and recommendations of the internal audit unit is presented to the Governing Council of the BNB. The supervisory processes, tools and their use are also being reviewed by the Bulgarian National Audit Office which is an independent authority and reports directly to the National Assembly. Assessment Largely Compliant of Principle 9 Comments The current phase of introducing and embedding a significant agenda of EU regulatory and supervisory reforms is extremely demanding for all supervisory authorities, particularly those who have limited resources. The supervisory approach in the BNB relies to a very significant, though not inappropriate, extent on determinations and verifications performed by the on-site inspections. In this context it is particularly important that, within the limits of available resources, the BNB maximizes its risk based approach so that the more intense scrutiny is applied to the more significant risks within the system. As noted also in CP2, it is important that the BNB takes particular care to ensure that smaller banks, which taken as a whole are a significant cluster within the market and may have fewer skills and resources, are kept under sufficient frequency of observation. In the view of the assessors the BNB is not, at present, able to perform a sufficient frequency and depth of observation to provide assurance that weaknesses of practice and vulnerabilities may not emerge in some of these smaller entities in particular. Equally, however, it appears inadvisable for the BNB’ to reallocate its inspection resources away from its existing plans. In other words, the BNB is in the difficult position of needing to choose between least worst options. The assessors consider that the BNB has based its decisions on a meaningful and thoughtful risk based assessment of the banking sector, but the potential consequences arising from the BNB having made a wrong decision may be particularly high. The planned Asset Quality Review over the next year will provide some additional information for the BNB in making sure it can deploy its resources most effectively, but in the meanwhile the AQR itself will divert resources from other supervisory activities. Hence, and as indicated in CP2, additional resources are warranted to resolve this concern. The internal coordination and communication practices within the Banking Supervision Department of the BNB are not as developed as they need to be. Although there is a statement of internal policies and procedures which is useful, the assessors found that the individual directorates of the department were too easily able to operate in silos. It was particularly notable that the onsite findings of the special supervision department (which deals, inter alia, with Anti Money Laundering and transparency of products) would not systematically be shared and compared with the directorate for on and offsite supervision of banks. It would, in theory, be possible for the two directorates to 79 BULGARIA evolve a very different view of the quality of management and controls in any given institution. It is also possible and is a concern, as noted below, for silos to exist within a single directorate. The BNB has certain policies and procedures for quality assurance through review of reports and memos before they are communicated upwards in the BNB but they are insufficient to ensure the consistency and quality of on-site inspection work. Given the important role played by the findings of the onsite inspection teams, including but not limited to considering the reliability of information submitted by the banks, and on which all the off-site analysis must depend, this is a very important concern. The inspection teams, at the time of the assessment, were not subject to frequent change or rotation. The portfolio of banks might be shuffled but the teams would remain constant. There are no procedures to ensure that the different inspection teams are using appropriately consistent practices or working to appropriately high standards. If used well, the details and prescriptions of the RAS manual ought to ensure that the quality of on-site inspection is thorough and insightful. The assessors were able to review pre-inspection documentation requests and were impressed by the scope and depth. Nevertheless, the assessors noted some inconsistency between documentation requests and more notably there was variability in the quality of some inspection reports. This variability may be an indication of different standards developing between the different teams. The experience of 2014 demonstrates that severe weaknesses in practice can exist and this points to the need for greater attention to be paid to consistency and quality of work across the department. The consistency and quality of off-site inspection work can be more easily monitored but it is noted by the inspectors that the quality of quarterly analysis was typically less developed than the on-site reports and there was more considered analysis supplied by the directorate on macro prudential and financial stability risks. The assessors noted that it was not good practice to remove an inspection team from its on-site work in order to perform the regular quarterly analyses. The supervision department and particularly the MPFSD makes good use of a range of sources of information. The BNB deploys a range of supervisory tools and the assessors noted that exposure to supervisory colleges was informing thinking in such areas as business model analysis. One tool that the BNB has rarely used is the horizontal review. In the context of limited resources and some key issues affecting the whole market – such as concerns surrounding the identification of related parties – this is a missed opportunity. As well as gathering a broad perspective of the variation in the market’s practices, such exercises can also support consistency of approach between and development of staff. It is also a useful technique target emerging risks or thematic concerns that have been identified and is a key supplement to a successful risk based approach. The BNB has a policy view that it does not wish to make extensive use of external experts. The assessors understand this preference and agree that there can be no question of outsourcing supervisory responsibility. In view of current resource limitations however, there may be scope for considering if effective – potentially targeted use – could be made of external expertise, not limited to investigations when in a post-crisis mode. In terms of quality and frequency of communication with the banks, it was clear that the BNB staff had a good knowledge of the banks and the banks had a clear understanding of the BNB’s supervisory concerns, priorities and requirements. The substantive quality of communication is good. However, the BNB does not have a systematic practice of direct contact with the boards of the banks though there may be some scope for enhancing the focus on key priorities to firms. It is essential that the gravity of the BNB’s supervisory concerns is impressed upon the executive management and directors of the banks, particularly in view of some persistent weaknesses identified in certain banks (please see CP11). Contact with the Supervisory Board is recommended practice and is common in advanced jurisdictions where authorities consider that this relationship is central not only to communicating their views effectively, but also ensuring that their messages are understood, and 80 BULGARIA being able to form a view of the Board’s skill and capaci ty to direct the institution, its business, strategy, risk appetite and culture. In order to avoid double counting, this issue is not reflected in the grading of CP9 as it is also relevant to and considered under CP14. The BNB IT system is currently being updated to deal with the significant changes driven by the EU regulatory reforms. At the time of the assessment, staff did not have access to all information in the same formats as in the past, meaning that the system is not automatically generating key ratios, flagging significant changes or breaches. The system cannot, unlike as in best practice authorities, be interrogated or manipulated easily by the supervisory staff, although a wide and deep range of information is available to them and much additional analysis is provided by the MPFSD. This issue is also commented on (and graded) in CP2. In the context of the major regulatory changes that are in the process of being implemented and embedded as well as in view of thin resources it is difficult for the BNB to apply a systematic or even occasional review of the suitability and quality of its supervisory techniques. However, periodic review and refreshing of practices is an important discipline. Recommendations o There needs to be an improved system for information sharing between the BNB banking supervision directorates, not limited to contact between the directors, but also based on a stock- take and review of common issues and information needs, so that all relevant information is shared in a timely manner and can inform the wider supervisory process. o It is recommended that the BNB initiate a more intensive program of communication with the supervisory and management boards of the banks. One specific element of this communication should encompass ensuring that the Supervisory Board is fully aware of the priority issues identified in an inspection. As meetings with the management Board are already a mandatory part of the inspection process, this should be widened to include a presentation of key findings to the Supervisory Board. Please see CP14. o The assessors recognize that the BNB is already considering some internal redesign of the banking supervision on and offsite directorate and encourage this process. It is recommended that any such redesign ensures that the composition of inspection teams do not remain static over time. Additional quality assurance procedures are needed to ensure that the underlying practices and quality of work carried out by the different inspection teams is of sufficiently high standard. o The BNB should consider deploying horizontal reviews on key risks it has identified in the banking sector. o The BNB should re-consider the current policy of not using external experts to ensure that opportunities are taken to support supervisory analysis and insight. o It is recommended that the BNB dedicates the resources for a major upgrade to the systems available to the supervisory staff by having the BNB Information Systems Directorate prioritize its resource planning in this respect. The ability to interrogate supervisory data more effectively, and to integrate supervisory data automatically with other supervisory systems. It would be advisable if the BNB could follow the thinking of some other jurisdictions which have been seeking to develop “ne xt generation score-carding” to take account of more analytical underpinning, better integration of macro and micro prudential data, and by integrating the various information sources, assist the supervisory teams in adopting more of a “through the cycle” view of an institution and updating and adapting the supervisory program of activities if emerging information suggests it is warranted. Because the BNB already takes a “through the cycle” view of banks (ie setting a “supervisory cycle” 81 BULGARIA only as a backstop check for frequency of supervisory activity) this approach would be consistent with existing thinking. Please see CP2. o It is recommended that the BNB establish a unit or committee mandated to review of supervisory processes and practices. It would be particularly beneficial if such an exercise could be carried out in tandem with an upgrade of the IT/data system. Please see CP2. o BNB should require banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including – and not limited to - breach of legal or prudential requirements Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns33 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. Essential criteria EC1 The supervisor has the power34 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. Description The LCI provides strong information gathering powers to the BNB, in particular under Article 80(1), and findings (2) and (3). re EC1 Further, banks and banking groups must submit financial statements to the BNB on both a solo and consolidated basis (Art 75(2)). Any bank that is a subsidiary in a banking group, a financial holding company, mixed financial holding company or mixed holding company must submit consolidated financial statements of the group or the holding company of which they are a part (Art 80 (1)LCI). Harmonised EU supervisory reporting covers solvency (capital adequacy), financial information, large exposures, leverage ratio, liquidity, asset encumbrance and supervisory benchmarking (ie use of benchmark portfolios for institutions approved to use internal models). The final implementing regulations for some of these areas of reporting have not yet been adopted by the European Commission and are not therefore all in force, e.g., leverage and LCR. All banks are obliged to prepare and submit information on their financial position and risk level. The major reports are financial reports (FINREP) and capital adequacy reports (COREP) under the ITS on supervisory reporting and Regulation (EU) 575/2013. Those reports provide information on such matters as capital adequacy, liquidity, Pillar 1 risks, balance sheet and P&L, off-balance sheet items, large exposures, asset quality, related party transactions, etc. The data are reported on both a solo and consolidated basis as required in the EU Implementing 33 In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27. 34 Please refer to Principle 2. 82 BULGARIA Technical Standard (ITS) on reporting. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0680&from=EN The BNB requires banks to submit some of the FINREP IFRS templates on a solo level with monthly frequency (LCI, Article 80 (1)). The requirements for supervisory reporting are consistent across all banks in applying the reporting thresholds determined in ITS on reporting. In addition, the BNB requires ad-hoc data on particular issues related to the risk profile of respective banks as well as to capture trends in the banking system, which might affect the stability of individual banks or group of banks. EC2 The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. Description Under the Accountancy Act (Article 22a(2)), all banks in the Republic of Bulgaria prepare and present and findings their annual financial statements on the basis of IFRS. According to the CRR (Article 99(2)), FINREP re EC2 reporting templates for supervisory purposes have to be based on the IFRS. Hence all banks’ regulatory reporting is based on IFRS. Reporting instructions are provided by the ITS for the EU harmonized reporting and by the BNB for supplementary reporting in support of macro prudential purposes. EC3 The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. Description The LCI (notably Arts 73 and 76) and the a number of Ordinances, notably 7 on organization and risk and findings management (based on CRD IV) and 10 on internal controls, provide a sound basis for the BNB to re EC3 require sound governance and control of internal methodologies and on valuations. For example: Under Article 73(1) of LCI the BNB shall make recommendations and prescriptions for improving corporate governance in accordance with the best internationally recognized practices and monitor their implementation. Under Ordinance No7 on organization and risk management (based on CRD IV) the bank’s managing body shall be actively involved in and ensure that adequate resources are allocated to the management of all material risks in the valuation of assets, and the use of external credit ratings and internal models relating to these risks. Ordinance 10 (Art7) each bank shall maintain an adequate system of risk control which shall include monitoring and periodical assessment of consistency between the internal rules for risk management, market conditions and prudential banking. Under Article 76(7) of LCI the external auditors shall render an opinion whether the bank’s property and financial position, and its financial result have been truly presented. The auditor shall also review and express an opinion on the reliability of internal control systems. The external auditors express 83 BULGARIA opinion about validation framework for the purpose of public annual financial reports of the banks. The measurement of fair values and valuation rules are also determined on the grounds of IFRS requirements (IAS 39, IFRS 13). More specifically, should the BNB not be satisfied with an internal model for market risk, it has powers under the LCI (Art 103(2)(5)) to require a bank to increase the level of its capital should (under Art 103(1)(11)) there be evidence that an internal model for market risk is not sufficiently accurate. The assessment of valuation for prudential purposes is carried out in the context of on-site inspection. This is an important issue in Bulgaria, as noted elsewhere, there are issues surrounding legal days, realization of collateral and a lack of an active market. EC4 The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. Description Collection and analysis of supervisory information is carried out with the same frequency for all and findings banks in Bulgaria. As noted above much of the supervisory reporting in Bulgaria is now subject to EU re EC4 harmonization except for data in response to macro prudential issues. Frequency of reporting and monitoring can be intensified to reflect a system wide or institution specific vulnerability. For example, the BNB can and, during the recent period of liquidity stress did, require additional information such as data collection relating to the European sovereign debt crisis. At this time subsidiaries of Greek banks in Bulgaria were subject to additional reporting requirements. Daily liquidity reporting, including intra-day, followed the liquidity stress in the banking system at the time of the KTB crisis. EC5 In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). Description Much prudential data is obtained through the use of the standardised FINREP and COREP templates. and findings The reporting timeframe, the dates and periods do not differ among the banks. re EC5 The supervisory reporting can be described as falling into either one of the following two categories: 1) Regulatory reports (ITS, etc…); 2) Statistical information for supervisory purposes (more volatile with respect to scope, details and period of reporting); Based on these reports, a number of analytical outputs are available (a set of analytical indicators with varying scope is used). EC6 The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. Description The BNB has strong information gathering powers, both in relation to a solo institution and to its and findings wider group. re EC6 For example, under the LCI (Art 69) banks must submit reports in the format, content and time limits 84 BULGARIA established by the BNB. As noted above, the LCI also provides the right to require banks and when applicable financial holding companies, mixed financial holding companies and their shareholders or partners to submit to it all the relevant documents and information on their activities, as well as conferring the right to conduct on-site inspections (Art 80). This same article also provides: (2)“For the consolidated supervision performance, the BNB may require parent companies and banks’ subsidiaries to provide all the relevant documents and information…” EC7 The supervisor has the power to access35 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. Description Again the LCI (Article 80(3)(1), (2), (6) and (7)) provide a sound basis for information access for the and findings BNB. re EC7 Pursuant to para 1, article 80 from the Law on credit institutions, the BNB has the power to request from the banks to provide all necessary accounting or other documentation and information on their activities, as well as to conduct on-site visits by inspectors from the Banking supervision department or other authorized persons and to collect evidence in order to identify violations of the supervisory regulations. Extensive rights of access to information are set out in Art 80(3). Inspectors are entitled to have free access to the business premises and the information systems of the bank, as well as to require documentation and collect information as related to the implementation of its supervisory activity and assignments. In the context of normal supervisory practice those powers are used when the BNB issues an official letter ahead of an on-site inspection requiring detailed information such as list of specified documents, MIS data, risk management, internal audit and other reports, internal rules, policies and procedures, registers, minutes from meetings of competent management bodies and committees, etc. is being requested. The assessors saw a number of examples of carefully specified and highly detailed information request letters. In addition, the provisions of point 6, of Art 80(3) LCI provide the BNB with the authority to attend the meetings of the management and supervisory bodies within the banks, as well as to express opinions that are being recorded in the minutes of the meetings. There are no specific limitations or restrictions in terms of communication with the bank’s Board, management and staff. EC8 The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. Description When a bank, financial holding company or mixed financial holding company is in violation of the and findings banking laws, such as the LCI, the CRR, or Regulation (EU) No 1031/2010 (regarding energy re EC8 derivatives), the BNB may apply a financial penalty from BGN 50,000 to BGN 200,000, and in case of repeated violation – from BGN 200,000 to BGN 500,000 (Art. 152, para. 2 LCI). There is no history of 35 Please refer to Principle 1, Essential Criterion 5. 85 BULGARIA penalties having been applied for non-observance of reporting requirements. The BNB noted that the time period for reporting had extended from 15 days to 45 days with the introduction of the EU supervisory reporting regime. Lateness of returns has not been an issue. Currently, the BNB was still fielding many queries on how to comply with the new instructions but it is not permissible for the supervisory authority to interpret the ITS. In practice the BNB consults with the EBA, although this is not an immediate process as the EBA has its own procedures to fulfill before being able to post a response on its official website. It is possible therefore that there may be some issues concerning accuracy of reporting stemming from the learning curve presented by the new regime. The BNB supervisory department responds to all questions lodged by the banks, raised in relation to the CRR, ITSs and RTSs. In terms of consistency of the answers the BNB has put in place an internal Q&A platform which is organized by topic and provides cross references to the staff involved in responding and the contact/institution that lodged the question. The Supervisory Policy Derectoriate is responsible for maintaining this platform as well as being engaged in the responses. EC9 The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a programme for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts. 36 Description The BNB applies – as it is required to do – a careful validation process on returns that are received to and findings ensure the consistency and integrity of the data. The on-site examinations inspect the preparation of re EC9 the supervisory reporting of the bank, and may also check the internal audit of the bank in this regard. The on-site process will also sample loan files and reconcile data back to the supervisory reports. There are additional checks to reconcile financial reporting validated by the external auditors with supervisory reports. EC10 The supervisor clearly defines and documents the roles and responsibilities of external experts, 37 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. Description The LCI (Art 80(4, 5)) permits the appointment of external experts by the BNB. and findings At the time of the assessment, the BNB had not exercised this power although it might do so in the re EC10 future. EC11 The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. Description The law requires external auditors to inform the BNB immediately about any circumstances that have and findings become known to them during the audit and which are breaches of the law, might affect the bank or 36 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 37 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts. 86 BULGARIA re EC11 lead it to be unable to fulfill its obligations (etc): (Art 77(1) LCI). The law does not impose a similar obligation on an external expert engaged by the BNB to undertake a task with a supervisory purpose. EC12 The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. Description For the purposes of macroprudential supervision and financial stability (since June 2014) a review of and findings the adequacy of collected information is carried out regularly with respect to its format, content and re EC12 frequency. As noted above, the BNB has been engaged in a careful process of assessing its data needs for its overall supervisory purposes. Assessment Compliant re Principle 10 Comments The requirements associated with supervisory reporting are now predominantly governed by a harmonized EU regime. In this context, it is noted that the reporting regime is going through a transitional phase, placing heavy demands on the supervisors and the banks alike. However, the harmonized reporting reflects the fact that Bulgarian data plays a role in EU wide analysis. It is also important to recognize the strong – and valid – emphasis that the BNB puts on the quality and intensity of its analytical work. Therefore, in view of the EU and national significance, it is essential to ensure that the data that is being reported has integrity and can be relied upon. The supervisory teams of the BNB are fully aware of this importance, and place emphasis on this issue in the on-site inspections as well as through the technical validation of data (eg the formal, logical checks for internal consistency and coherence). However, the experience with the bank failure in 2014, indicates that more resources need to be dedicated to this task. While supervisors cannot be expected to detect fraud, an increased assurance on the validity of the data being received is particularly important in the post crisis period. Although the BNB does not, currently, make use of any external experts for supervisory purposes, it is important that laws or regulations are amended to ensure that external experts must bring to the BNB’s attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. Essential criteria EC1 The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely m anner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. 87 BULGARIA Description Тhere is a constant dialogue between teams of CISD (Credit Institutions Supervision Directorate) and and findings representatives of the different hierarchy levels of every bank. The intensity of this dialogue depends re EC1 on the risk profile, size and systematic importance of the different credit institutions. BNB raises its supervisory concerns with the Bank’s management at an early stage. This can take place during or at the end of the on-site visit, as well as in an official letter in the cases when the deficiency is ascertained during the off-site analysis. According to the BNB‘s Banking Supervision Process Manual, a wrap up meeting is held at the bank`s premises with appropriate bank`s officials to present the on-site inspection findings and proposed corrective actions. Then the BNB`s team prepares a report which contains the main findings, areas of weaknesses and problems that warrant particular attention. The bank is given a 7 working days period for reply, objections and explanations, based on the conclusion of the report. These meetings provide an opportunity to discuss possible remedial measures, even before the inspection is finalized. It is noteworthy that BNB inspectors can receive technical support from their colleagues of the BNB legal department (Legal Services and Administration Directorate-LSA) during their on-site inspection. On the basis of a request submitted by the CISD Directorate, the LSA director will appoint a lawyer who will receive all inquiries from the inspection team. If necessary, particularly when the inspectors have detected possible violations, the lawyer will review any relevant documentation in the inspected bank before providing general legal opinion. The time limit for finalizing the inspection report is 10 working days from the date of the final meeting with the bank’s management. The responsibility for delivering these reports lies with team leaders. Each report shall be approved by the CISD director. Depending on the severity of findings, the director of the directorate may decide that the report also needs to be approved by the deputy governor. Once approved by the latter, the report containing corrective actions shall be handed over to the Bank’s executive directors. Thereupon, the bank’s management is given a short period of time to express its opinion and possible objection to the findings. In cases of serious deficiencies or breaches detected during the on-site visit, the Director of the CISD will prepare and communicate a Memo to the Deputy Governor, along with a copy of the inspection report. This Memo will describe the violations, qualify the facts and suggest possible action to be taken against the bank. Then, the Deputy Governor will make a final determination. In case the DG decides to pursue, depending on the severity of the deficiency/breach, either an official letter (written warning) signed by the latter is sent to the management board outlining the facts that led to the breach, or a written order (an individual administrative act subject to appeal) is issued. In principle, in both cases the bank may be required to respond to the concerns expressed by the BNB within a specific timeframe defined by the BNB and undertake a commitment to take the necessary remedial actions. In case of an official letter, if the deficiency is not addressed, , the BNB may decide to issue a written order after determining which supervisory instrument, as set out in LCI art.103, para.2 is appropriate to redress the situation. In that regard, the BNB has set up a follow up mechanism to ensure bank's performance against corrective measures. The monitoring of the fulfillment of remedial measures is ensured through regular written progress reports from the bank. Besides, every quarter, a report will be prepared by the CISD on each bank subject to scrutiny providing details on the status of measures being taken by management. These quarterly reports are sent to the DG for information. It should be noted that in each inspection report, violations with the regulation even minor, are systemically discussed. 88 BULGARIA EC2 The supervisor has available38 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. Description The Bulgarian enforcement regime for banks is governed by the LCI, art. 103 (1) and (2). The BNB is and findings empowered to impose measures (discussed right below) when a bank or any of its administrators or re EC2 shareholders have committed certain offenses detailed in the law, consisting of, inter alia, violation of the banking law (the LCI) and other acts including AML law, the EU regulation (575/2013), and BNB guidelines. The same regime will apply wherever the bank is threatening depositor’s interest, providing or disclosing incomplete or inaccurate information, ignoring BNB orders or warnings, engaging in money laundering operations, and carrying out transactions outside the ambit of its license. The BNB has available a wide range of supervisory tools to address situations where banks do not comply with laws and regulations or where banks engage in unsound practices as indicated above. The relevant provisions can be found in LCI art. 103 (2) and art. 152 – 152 d. The BNB may, depending on its view of the seriousness and nature of detected shortcomings take one or more of a broad selection of supervisory measures, as deemed appropriate. These measures are of different nature and include administrative compulsory measures and administrative penalties. For example, in situations where the bank did not commit a violation per se or the violation is not material, but there are however evidences of unsafe and unsound practices, the BNB will issue a written warning to the bank. In case of serious problems, the BNB will send a written order asking the bank to cease a particular conduct or undertake “remedial actions.” In more serious scenarios, the BNB can (i) restrict or suspend any bank’s activity, including l ending activities or to prohibit certain transactions, (ii) impose additional capital, (iii) prohibit payment of dividends and request a reduction in variable remuneration, (iv) force the bank to change its internal rules and procedures, (iv) instruct the bank to dismiss one or more members of the board of directors, (v) forbid the conduct of transactions with related parties, etc. In 2011, the BNB divested of their voting rights five companies holding shares in a bank. It is worthwhile noting that the BNB can combine administrative compulsory measures and administrative penalties where needed. When a bank displays signs of possible insolvency, the BNB can place the institution under a “Special Supervision” regime for a period of 6 months. For the purpose of rehabilitating the bank, the BNB will appoint one or several conservators whose power are to be determined by the DG and the Governor.39 This Special supervision regime has been utilized in 2014 when KTB bank started to 38 Please refer to Principle 1. 39 In that context and in virtue of LCI art. 116, the BNB may resort to a series of measures that are similar to those contemplated under art. 103 (2), e.g., :(i) reduce the interest rates on the bank’s obligations down to their average market rate; (ii) suspend for a set term the full or partial payment of all or some of its obligations; (iii) restrict in part or in full the bank’s activities; (iv) force an increase of the capital, including by depriving current sharehold ers from the right to subscribe in the increase; (v) remove from office the members of the board of directors, and (vi) suspend temporarily the voting rights of shareholders holding directly or indirectly more than 10 percent of the voting shares, etc. 89 BULGARIA exhibit major problems. Pursuant to a decision made on June 20th by the BNB Governing Council, KTB and its subsidiary CB Victoria were placed under special supervision for a period of 3 months; conservators were appointed at both banks, the execution of all banks’ obligations and banks activities were suspended, members of management and supervisory boards were dismissed from the office and voting rights of the shareholders holding more than 10 per cent of banks’ shares were revoked. Last but not least, in the most extreme scenarios (when the bank is no longer viable), the BNB can withdraw a bank’s license, as permitted under the LCI via a decision to be made by the governing council of the BNB based on a joint motion submitted by the Deputy Governor heading the Banking Supervision Department and the Governor. This was the case for KTB whose license was revoked on November 2014 prior to launching an insolvency proceeding.40 As indicated above, the BNB has also at its disposal other types of sanctions consisting in “administrative penalties.” The LCI contains several provision according to which financial institutions (legal and natural persons) can be subjected to fines ranging from BGN 1000 (approx. 566 $) to BGN 10 million (approx. US 5 millions). The amount of the administrative penalty is determined by the seriousness of the offense and depends on whether the breach has been committed by a legal person or an individual. In case of persistent breaches, the fine can be increased. The violations that carry the highest fines are, inter alia, actions in concert that have not been authorized by the BNB, undisclosed significant change in bank’s ownerships and provision of false information for licensing purposes. These fines seem to be deterrent enough. The vast majority of the corrective measures or sanctions are taken by the Deputy Governor alone who exercises full discretion in determining the nature, intensity and scope of the prudential response. In specific circumstances determined in the law (e.g revocation of a license and application of the special supervision regime), the decision is taken by the Governing council on a motion of the Governor and the Deputy Governor Heading the Banking Supervision Department (see also BNB law, art. 16); in all other cases, the decision belongs to the said Deputy Governor or by a BNB official authorized by him. There is therefore no “collegiality” when it comes to take any type of administrative compulsory measures and/or administrative penalties. Over the past years, the Deputies Governor’s approach fo r enforcing compliance has mainly consisted in issuing orders instructing banks to take corrective actions, even in the case of persistent offenders and one fine only (US 25K) was applied. Assessors are of the view that the DG in charge of banking supervision did not always use the full range of powers in situations that would have warranted more forceful reaction. Another feature of the Bulgarian regime is that sanctions can be made public. In consonance with the LCI, art. 152d, the BNB can publish on its official website without undue delay an information on all administrative penalty acts imposed for infringement of the banking law and other key regulations, including information on the type and nature of the breach and the identity of the natural or legal person on whom the penalty was imposed. However, the BNB can exercise some discretion in publishing only a summary of this information, for example if the publication is found to be disproportionate (in case of natural person) or could jeopardize the stability of the market. 40 At the time of the mission, the process was still pending. 90 BULGARIA EC3 The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. Description and findings The BNB has a wide range of options to intervene at an early stage to require the bank to take re EC3 actions allowing it to act even though a bank may fulfill minimum regulatory requirements. As indicated to the team, this is common practice for BNB to raise its supervisory concerns at an early stage with management –via on-going dialogue- and to require that these concerns will be addressed in a timely manner, following the EBA guidelines in Pillar II. In case a bank falls below established regulatory threshold requirements, the LCI provides clear power to the BNB; in particular, as laid out in art. 103 (2)[3,4,5], the BNB can issue a written order instructing the bank to hold additional capital or to improve banks’ financial position. Written o rders do not emanate solely from the results of on-site examinations. The supervisor may deem them necessary as a result of the off-site analysis or the results of bottom-up stress tests of the institution, which would suggest that, for example, a capital inadequacy issue is looming. Over the past years, the BNB has requested banks to increase their capital in several instances. Further, when a bank exhibits signs of distress, the BNB can place the bank under special supervision. This conservatorship regime is endorsed by the Governing Council based on a motion presented by the Deputy Governor, together with the Governor, after forming the view that there is a risk of insolvency (e.g., CAR below the minimum threshold, insufficient bank’s liquid assets, etc). Measures that can be taken by the conservator appointed in that occasion include, among others, capital increase, dismissal of members of the board, shareholders’ voting rights suspension, etc (see EC 3 above). EC4 The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. Description The LCI provides the BNB with a broad range of possible measures to address situations where, for and findings example, (i) a bank or its management or shareholders have breached the banking law or any re EC4 normative acts from the BNB, (ii) the conditions for getting a license are no longer met, (iii) the bank fails to comply with its AML/CFT obligations, (iv) the bank jeopardizes depositors’ interests, (v) the bank does not comply with its reporting obligations or reports erroneous data on banking prudential indicators, or (vi) the bank does not conform with remedial measures (e.g written orders). 91 BULGARIA The LCI prescribes general and specific actions the BNB may take in this regard. Broadly speaking, in accordance with Art. 103 (2) of the LCI, the BNB is empowered to impose corrective actions on a bank. Certain specific actions include restrictions or suspension of banking activity, constraining the volume of certain types of activities, restricting, prohibiting payment of dividends as described under EC2. Over the past years, the BNB has employed some of these actions, including raising prudential limits on several banks, placing two banks under special supervision and withdrawing a bank license. The BNB also applied pecuniary sanctions in one case (fine of approx. US$ 25K) against a bank which did not observe BNB instructions to increase its capital. It is worthwhile mentioning that enforcement of prudential requirements by the BNB has mainly consisted in issuing written orders. There is almost no case over the past 5 years where the BNB took sanctions to deter recurrent violations from happening again. The mission analyzed all measures handed over since 2010 by the BNB and came to the conclusion that the response against persistent offenders has not been severe enough. The BNB considers more effective to exercise moral suasion rather than resorting to coercive measures. While the LCI determines the range of fines for specific violations, the law does not stipulate explicitly the application of a particular remedial measure for a certain type of violation. Supervisory measures and administrative sanctions that are deemed necessary by the BNB are determined by the DG on the basis of the gravity of violations and deficiencies and their recurrence, at the recommendation of the LSA Directorate and after consultation with the Supervision Directorate. The DG therefore has full discretion in determining the measures to be applied. Assessors are of the view that this situation may generate risks of potential arbitrariness in decisions, inconsistent application of supervisory measures, and unequal treatment. All supervisory measures taken by the BNB, including type of measure or sanction, short description of facts and corrective measures are recorded in a Central bank register. EC5 The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. Description According to the LCI, penalties and sanctions can be imposed not only to a bank as a legal entity and findings (Article 152, paragraph 2 of the LCI), but also to bank's managers and other administrators who have re EC5 the power to represent it (Article 152, paragraph 1 of the LCI). In both cases, sanctions are issued by the Deputy Governor heading the Banking Supervision Department, or by an official authorized by him. Such sanctions however do not apply to other bank’s staff ( e.g., compliance, AML, risk management officers). EC6 The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. Description The BNB has the power to ring-fence a bank from the actions of parent companies. Art. 103 (2) par. and findings 18 stipulates that the BNB can forbid the conduct of transactions and operations with persons who re EC6 have close links with the bank or who belong to the same consolidation group as that of the bank, or 92 BULGARIA who are members of the bank’s managing bodies, or who control the bank or have a qualifying holding or take part in the management of the persons controlling the bank. In one recent occasion, the BNB asked a parent company (a Greek bank) of a subsidiary located in Bulgaria to stop certain actions that may have otherwise compromised the stability of the local branch. It was not a ring- fencing per se as the BNB did not resort to ring-fencing type of measures but issued a recommendation only; however, the mission was told that the parent company followed BNB recommendations by putting an end to its deleveraging in its Bulgarian branch. In the same vein, in light of the economic and political situation in Greece, all Greek banks operating in Bulgaria have been ring-fenced since the beginning of the crisis. The BNB instructed to banks to a) maintain highly liquid assets at 30% of attracted funds from non-credit and non-financial institutions, enterprises, and individuals, in addition to minimum reserves of 20% with the BNB, b) not to maintain excessive balances with the parent bank and its group; c) not to invest in securities of issuers with non-investment grade rating; d) ensure functional independence from the parent bank; and e) submit daily reports to the BNB. EC7 The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). Description Currently there is no local legal framework for the recovery and resolution of credit institutions. The and findings BNB can address problem banks (in case of risk of insolvency) by subjecting the bank to a special re EC7 supervision regime. The BNB Governing Council will appoint one or several conservators who will take, under the authority of the BNB, all measures to redress the bank. If the conservatorship of the bank proves to be ineffective (e.g the bank exhibits negative own funds), the BNB has legally the obligation to withdraw the license and petition to the competent court for initiation of bankruptcy proceedings. During the collapse of KTB, it has become obvious that the BNB did not have the proper tools to address the situation including, for example, the bad bank/good bank option. The initial idea of the authorities was to separate the assets which had been assessed as good as well as the liabilities of KTB, except those connected with the major shareholder41, and to transfer them to the balance sheet of CB Victoria, a solvent subsidiary acquired by KTB. This plan did not materialize due to the lack of legal basis. The difficulty to apply an orderly resolution has prompted the authorities to revisit its legal framework for the recovery and resolution of credit institutions. Such framework will be available after the implementation of the BRRD (EU Directive 2014/59/EC (Resolution and Recovery of Credit Institutions and Investment Firms)) in the Bulgarian legislation and the appointment of the resolution authority. This transposition into the national regime is in progress and it is expected to come in force by end of 2015. Additional criteria AC1 Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. 41 Currently under criminal investigation in Bulgaria and subject to an arrest warrant issued by Interpol. 93 BULGARIA Formal and informal measures are imposed by the BNB on a timely manner in case of non- Description compliance with the laws, regulations and BNB guidelines, identified by the on-site or off- site and findings inspectors. However, there is no specific law or internal processes that provide time lines under which re AC1 a prospective corrective action must be approved by BNB authorities and imposed on a bank. AC2 When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them. Description According to Article 99, paragraph 1 of LCI, where BNB exercises supervision on consolidated basis of and findings banks, financial holdings or joint venture holdings, the subsidiaries of which are one or more than re AC2 one insurance undertakings or investment intermediaries whose activities are subject to licensing, BNB cooperates and exchanges information with the competent authorities for supervision of insurance undertakings and/or investment intermediaries. Assessment Materially Non-Compliant re principle 11 Comments The LCI contains a large range of tools, measures and powers to bring about timely corrective actions. In that respect, the BNB has been able to act even though the bank fulfills the regulatory capital requirements. However, the detailed analysis of the inspection outcomes and the prudential responses adopted the BNB, albeit recently enhanced, lead the assessors to conclude that enforcement of prudential regulations is not effective enough and should be strengthened going forward. Some flaws described below have been detected and would merit attention: In exercising its power, the Deputy Governor has full discretion to determine the scope, nature and type of measures to be taken. He is not obliged to apply the measures set out in art. 103 of the LCI in their consecutive order. He has the discretion to adopt the measures that is most appropriate and effective to the supervisory findings. As a result, the forcefulness of measures will very much reflect the personal approach of whoever is exercising the mandate of DG. Assessors are of the opinion that this regime has important flaws in particular as it does not guarantee a consistent approach. Bulgarian authorities should consider some mechanism to ensure more collegiality in the decision making process and provide the Governing Council with more oversight on the way enforcement is exercised. Further, there is no internal guideline that could assist the DG in determining the most adequate response in case of breach or violation. The BNB does not have in-house methods or criteria that could provide senior management minimum guidance on how to apply criteria for sanctions, particularly for setting the quantum for fines. The imposition of sanctions and determination of their amount is judged from the DG in accordance to the weight and seriousness of the violation and the whole behavior of the bank. The DG may also take into consideration certain criteria (defined in a written document) such as the desire for cooperation, honesty and commitment of the bank’s management. However, there is no link between certain violations and certain sanctions and no remedial action thresholds at which supervisory action is required. Assessors are of the opinion that 94 BULGARIA the lack of clear guidelines does not ensure proportionate response and equality of treatment among banks. Besides, it may actually allow decisions on corrective actions to be unduly delayed. Formal guidelines for supervisory enforcement should therefore be issued, linking supervisory findings to specific remedial actions and establishing procedures for appropriate exceptions. In terms of enforcement approach, the BNB has considered so far more effective to exercise moral suasion, e.g., by offering banks a certain period of time to overcome a problem rather than resorting to more coercive measures. In that regard, the mission reviewed an exhaustive collection of supervisory measures taken by the BNB since 2010 and observed that the DG response is not increased in case of persistent breaches. There are multiples cases of recurrent deficiencies in the same institution that triggered the same response from the supervisor (e.g., repetitive written orders). The DG should apply a gradual response and increase the intensity of the sanctions when banks ignore BNB’s recommendations and written orders. This could be achieved through either a combination of sanctions or through higher pecuniary fines. Yet in July 2014, the DG took formal action against a persistent offender. The mission welcomes this initiative and encourages the authorities to increase the intensity of sanctions to address repetitive failures. The power to appoint a special supervision regime as described under EC 2 is limted as it applies only to situation where a bank displays signs of possible insolvency. In assessors’ opinion, this power should be broader. It should be a regime the bank can also recover from, for example in case of management fraud, major AML problem, etc. Under these circumenances too, it may be necessary to put the bank under special supervision. An adequate framework geared towards resolving banks, including the preparation of recovery and resolution plans is still an important missing element. KTB’s collapse in 2014 demonstrated that Bulgaria's legal framework did not give the authorities adequate resolution tools. As such, timely transposition of the EU Bank Recovery and Resolution Directive (BRRD) into national law is critical to address the gaps in the resolution and crisis management toolkit, and to provide for coordinated and timely actions42 to deal with problematic banks. This process will require the designation of the resolution authority for banks and investment intermediaries as well as resolution funds and adequate resolution and recovery planning. Against this background, the authorities are encouraged to consider the following recommendations: o Set internal guidelines to assist the Deputy Governor in determining the most adequate response in case of breach or violation o Apply gradual response when a bank is not complying with BNB recommendations o Take more forceful action against persistent offenders o consider broadening the circumstances uner which a bank can be placed under Special supervision regime. 42 See also Bulgaria: IMF Concluding Statement of the 2015 Article IV Mission, March 13, 2015. http://www.imf.org/external/np/ms/2015/031315.htm 95 BULGARIA Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.43 Essential criteria EC1 The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. Description Ten banking groups are operating in Bulgaria which report financial statements on a consolidated and findings basis. Each consists of one banking institution and several types of NBFIs mainly leasing companies re EC1 located in Bulgaria. Banks are the principal entity in these financial groups, representing the preponderance of total assets at present. In addition, there is one holding company with mix activity but no financial conglomerate in the country. Two Bulgarian banks have branches in the EU (Romania and Cyprus); two banks have a branch in third countries (Macedonia and Albania) and two banks have two subsidiaries in Russia and Albania. Requirements for supervision on a consolidated basis are those prescribed in the CRR and CDRIV. Relevant provisions can also be found in the LCI. As a general principle, the BNB is responsible for exercising supervision on a consolidated basis over banks, banking groups, financial holding companies, mixed financial holding companies and mixed holding companies in accordance with the terms and procedure of the LCI (art. 89). Alternative investment fund managers and management companies are also included in the scope of consolidated supervision in the same manner and to the same extent as financial institutions. The LCI also empowers the BNB to require detailed information about the ownership structure of all the companies/organizations that participate in the capital of a bank. Any plan to modify the structure or the composition of the group must be previously submitted to the BNB which assesses whether the proposed changes would permit the effective exercise of supervision on a consolidated basis (see CP5). According to Article 97 of LCI where a mixed holding company is the parent undertaking of one or more banks licensed in the Republic of Bulgaria, the BNB may require from the holding company and its subsidiaries any information that would be relevant for the purposes of the consolidated supervision of the subsidiary banks. BNB collects information on the balance sheet, profit and loss and nature of the activities involved on an annual basis. To that end, the LCI covers a large number of reporting and submission requirements that allow the supervisor to judge the structure of an organization as a whole at the group level (LCI, Art.75 and Regulation No 680/2014 on supervisory reporting). 43 Please refer to footnote 19 under Principle 1. 96 BULGARIA When it comes to cross-border supervision for consolidated purposes, the LCI also contains several provisions establishing the mechanism of cooperation between the BNB and foreign supervisors (located in the EU or in a third country) for information sharing including for banking groups. The practical conditions for such cooperation can be found in the “Multilateral Cooperation and Coordination Agreements.” From an off-site perspective, the BNB performs its due diligence using information reported by banks via prudential reporting (COREP and FINREP). Capital adequacy, liquidity, large exposures limits, lending limits are analyzed at the group level. The evaluation of the organizational structure of a banking group and especially the evaluation of activities of each member of the group as well as the activities within the group (e.g., connected lending) are an essential part of the on-site inspections conducted by the BNB. For the purposes of the supervision on consolidated basis the BNB has powers to request from the mother company and from the bank subsidiaries all the necessary documentation and information as well as right to perform counter inspections at other bank and non-bank enterprises (e.g leasing companies). The division responsible for solo supervision of a parent financial undertaking is also responsible for the consolidated supervision of the group. EC2 The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. Description Financial groups are subject to the same prudential standards as the stand alone bank as set forth in and findings the LCI. Art. 75 requires banks and banking groups to submit to the BNB financial statements which re EC2 reflect their financial position both individually and on a consolidated basis. Moreover, groups are subject to regulations regarding capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. Supervisory reports (FINREP and COREP) provide a wide range of information regarding on- and off- balance sheet assets and liabilities, profit and losses, capital adequacy, liquidity, large exposures, risk concentration (including by economic sector, geography and currency and towards related parties), asset quality, loan loss provisioning, interest rate risk, market risk, and also other information on the organizational structure. Intra-group transactions are also captured in the FINREP and COREP44 reporting (see ITS on supervisory reporting). For capital adequacy purposes in particular, the BNB manual on ICAAP sets the condition for application of the ICAAP by banking groups. Each credit institution shall develop and implement the ICAAP requirements individually. ICAAP also applies on a consolidated basis pursuant to the CRR/CRD. BNB Ordinance #14 on the content of the audit report for supervisory purposes stipulates in Art. 2. (1) that the auditor shall carry out an audit of the annual financial and supervisory reports of the bank and the reliability of the internal control system and then prepare a report for supervisory purposes. The report shall include a review of the bank financial position and major indicators of 44 Containing a template with information about group solvency. 97 BULGARIA bank activity on an individual and consolidated basis, as well as the organization of the internal control system. The review of the financial position of the bank shall be based on the information of the consolidated FINREP on the basis of Regulation 680/2014 on the supervisory reporting and individual FINREP on the basis of Article 75, para. 2 of the LCI. Another legal provision relevant to this CP can be found in Art. 89(5) of LCI whereby a bank licensed by the BNB is part of the banking group, a financial holding company, mixed financial holding company or mixed-activity holding company, it shall present annually to the BNB information on the structure to which it belongs, including changes made within 30 business days after the calendar year end. EC3 The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. Description According to Article 89(3) of LCI, banking groups which are subject to consolidated supervision by and findings the BNB shall implement arrangements, processes and mechanisms required by the LCI also in their re EC3 subsidiaries, including those which are not subject to the LCI. These arrangements, processes and mechanisms shall also be consistent and well-integrated into the bank’s risk management framework and those subsidiaries above shall also be able to produce any data and information relevant to the purpose of supervision. If a bank wishes to establish foreign operations in a country outside the EU the BNB will, before the bank is given permission to start operations, ensure that the bank and the BNB can get access to all material information. The BNB will also ascertain, according to the law, that the host supervisor conducts an effective and adequate supervision of the foreign operation. For foreign operations located in the EU, there is no hindrance for the parent bank to get access to all material information from the foreign operations. Supervision of the parent bank and its foreign operations in the EU are discussed in the supervisory colleges. Bulgaria participates in 10 colleges, 9 for subsidiaries and 1 for a significant branch. As indicated under CP 3, BNB is involved in a number of bilateral MoUs with EU countries including Cyprus, Italy, Slovenia, France, Hungary, Greece, Germany, Austria, the Netherlands and third countries (Turkey, Macedonia, Albania) for the information that should be shared in order to facilitate effective consolidated supervision of financial institutions across national borders. In addition to supervisory colleges, the effectiveness of the parent company’s oversight on the whole group (including foreign operations) can be assessed via on-sites visits. After prior notice to the relevant competent authorities of the Member States, BNB staff is empowered to carry out on-site inspections in the respective country regarding the foreign activities of banks licensed in Bulgaria and performing activity on the territory of the Member State through a branch (Art. 87(11) of LCI). In practice however, this has not been the case over the past years due to limited resources (except in one occasion –in Cyprus- and with a limited scope on AML/CFT). 98 BULGARIA EC4 The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. Description As discussed above, the BNB has the power to initiate and carry out on-site visits in EU countries and findings where banks licensed on the territory of the Republic of Bulgaria are operating through a branch (LCI, re EC4 Art. 87(11)). The BNB can also request the competent authorities of the host Member State to perform an on-site inspection of the activities of a branch of a bank licensed in the Republic of Bulgaria, which carries out activities on the territory of this host Member State. The BNB under his capacity of home supervisor has not visited the foreign offices of Bulgarian banks due to limited resources and because banks’ foreign operations are not material. On-site visits in Bulgaria from home supervisors have been done in a rare occasions, the last one was in 2007 by Austria. EC5 The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. Description According to Article 97 of LCI where a mixed holding company is the parent undertaking of one or and findings more banks licensed in the Republic of Bulgaria, the BNB may require from the holding company and re EC5 its subsidiaries any information that would be relevant for the purposes of the consolidated supervision of the subsidiary banks. In practice, BNB’s oversight of the organization covers risk management framework and adequacy of internal audit functions, the organizational structure, strategic and operational risks, adequacy of management information systems, and implementation of internal processes. The BNB operates a “Special supervision” department which is competent in AML/CFT issues and in performing inspections in nonbanking business entities connected to credit institutions or the respective groups that they belong to. Indeed, for leasing and factoring companies and consumer finance companies, this constitutes a useful complements to BSD’s own inspection team. That said, there is a lack of proper consolidated supervision at Bulgarian level over these entities due to the legal structure of most of such entities (in general belonging to the bank’s parent company or another specialized group company abroad). The supervisor limits the range of activities the consolidated group may conduct and the locations in EC6 which activities can be conducted (including the closing of foreign offices) if it determines that: (a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; (b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or the exercise of effective supervision on a consolidated basis is hindered Description According to Article 103 of LCI, the BNB may impose against a bank, including when a bank is a part and findings 99 BULGARIA re EC6 of a banking group, measures such as: limitation on the bank's activity; restriction in terms of volume of certain types of activities; imposition of additional requirements for the bank in connection with its activity; prohibition of transactions and operations with persons who have close links with the bank or who belong to the same consolidation group as that of the bank or who are members of the bank's managing bodies or who control the bank or have a qualified holding or take part in the management of the persons controlling the bank. EC7 In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group. 45 Description In consonance with the LCI, each bank is supervised on a solo and consolidated basis, which includes and findings the operations at foreign locations. In other words, the BNB supervises—on an individual basis—all re EC7 banks and financial intermediaries, regardless of the fact that they may be part of a banking group. The division responsible for solo supervision of a parent financial undertaking is also responsible for the consolidated supervision of the group. Additional criteria AC1 For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies. Description There are provisions of the LCI that give the BNB substantial capacity to review owners and senior and findings management of companies, seeking to acquire a bank or FHC. However, no authority exists to do fit re AC1 and proper reviews on an ongoing basis of owners and senior management of non-financial holding companies. Assessment Largely Compliant of Principle 12 The regime for consolidated supervision was found globally adequate. Yet, three improvements must Comments be made: -Perform more frequent visits in branches and subsidiaries of Bulgarian banks located in and outside the EU -Capture leasing, factoring companies and consumer finance companies into the perimeter of consolidation in case of mix holding companies -Identify the authority to do fit and proper reviews on an ongoing basis of owners and senior management of non-financial holding companies. 45 Please refer to Principle 16, Additional Criterion 2. 100 BULGARIA Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. Essential criteria EC1 The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. Description The BNB is predominantly a host country supervisor. As noted in CP12, three Bulgarian banks have and findings branches in the EU (Romania and Cyprus) and two banks have subsidiaries in third countries (Russia, re EC1 Albania and Macedonia) In the context of these banking structures it has not been necessary to establish a bank-specific supervisory college for which the BNB is the home country supervisory authority. Currently the BNB is a host supervisor of 9 subsidiaries and 1 significant EU branch of EU cross- border banking groups and as a result participates in 10 supervisory colleges. EC2 Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group 46 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. Description All the colleges in which the BNB participates in are established in the EU, which has extensive and findings legislation governing the creation of colleges and expectations for information gathering and joint re EC2 activity and decision making for banks established in the EU. In all the colleges the BNB participates in, memoranda of understanding have been established between the supervisors. When supervisory colleges are established the BNB is required under the LCI (Art 92e(4) and Art94) to sign written coordination and cooperation arrangements with the competent supervisory authorities of the respective Member States. Again, this is the national transposition of the EU framework as set out in CRDIV. Within the EU supervisory colleges all members exchange information on the assessment of the main elements of the Supervisory review and evaluation process as required by the EU legislative framework (CRDIV) and as referred to in Article 79c of the LCI. In general, in performing its supervisory functions, the BNB may conclude agreements with other central banks or supervisory authorities of third countries on cooperation and information exchange 46 See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected. 101 BULGARIA on a reciprocal basis, making the commitment to keep bank and professional secrecy. (Art 88 LCI) Information is exchanged both multilaterally and bilaterally with fellow college members. The BNB has signed 10 multilateral agreements, based on the EBA template, within the EU colleges where it participates and is also involved in bilateral MoUs with other EU member states, including Cyprus, Italy, Slovenia, France, Hungary, Greece, Austria, the Netherlands. In addition the BNB has signed MoUs with non-EU member states (“third countries”): Turkey, the FYROM, Albania. Where no formal agreements have been signed, the BNB has maintained a policy of cooperation with supervisory authorities through e-mails or letters on a best effort basis. Types of information which is customarily shared between supervisors include: • Material from the bank, e.g., capital plans, risk reports; • Proposed supervisory measures regarding the bank, provided they have been fully vetted internally; • Inspection reports; and • Internal models, assessment and documentation. The BNB has a public Policy statement that sets out its position on international supervisory home- host cooperation and this includes examples of essential information which can be exchanged between the consolidating and the host supervisory authorities. The EU framework, transposed into the LCI, provides an underpinning for the creation of colleges and exchange of information noted above. As reflected in the LCI, home state competent authorities shall provide information to the host supervisors for the banking group. Of course, as the BNB is not at present consolidating supervisor it does not, currently, need to have regard to this part of the law (EG Art 89a LCI). However, where the BNB needs information for supervising a bank controlled by an European Union parent credit institution licensed in another Member State, the EU framework (again transposed into the LCI) provides that the BNB shall contact the competent authority responsible for supervision on a consolidated basis in the respective Member State where the relevant information may already be available to that competent authority. (Art 95 (4) and (5) LCI). The BNB’s legal framework set out in the LCI, and which reflects the EU legislation, also provides that it shall cooperate and exchange information with the relevant competent authorities of the Member States where a bank licensed in the Republic of Bulgaria carries out activities through a branch in another Member State or where a bank from another Member State carries out activities through a branch in the Republic of Bulgaria. (Article 87 (1) and (2) of the LCI). EC3 Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. Description As a host authority, the BNB has regularly participated and contributed to the planning of and findings supervisory activities, the discussions and the information exchange, for the purpose of more re EC3 effective and complete risk assessments. To date the BNB has been involved in an onsite inspection with the home supervisor of one of the EU subsidiaries based in Bulgaria – and it should be noted that the subsidiaries in Bulgaria are typically regarded as peripheral to the banking groups in question . The consolidating supervisor and the members of the college, including the BNB, participate in the joint risk assessment and joint decision process on capital and liquidity, exchange all quantitative and qualitative information, on a solo and consolidated basis, necessary for developing the joint risk assessment and for reaching joint decisions. Such quantitative and qualitative information covers the following elements, taking into account the size, structure, internal organisation, nature, scope and 102 BULGARIA complexity of the group and each entity, as well as their activities:  Business model analysis, including the assessment of the viability of current business model and sustainability of institution’s forward-looking business strategy;  Internal governance arrangements and institution-wide controls, including ICAAP and ILAAP frameworks;  Individual risks to bank’s capital, covering the following elements: - assessment of inherent individual risks; - assessment of risks management and controls; - SREP capital assessment; - Advanced Measurement Approach Assessment – AMA - Internal Ratings Based Approach Assessment - IRB  Risks to bank’s liquidity and funding, covering the following elements: - assessment of liquidity risk and funding risk; - assessment of liquidity and funding risk management; - SREP liquidity assessment;  SREP results of the supervisory stress tests performed pursuant to Article 80b of the LCI;  Findings from on-site inspections and off-site monitoring that are relevant for the assessment of the risk profile of the group or any of its entities. The supervisory colleges facilitate a common and aligned work programme and coordinated supervisory decisions. Within the colleges, supervisory authorities are able to agree on voluntary entrustment of tasks and voluntary delegation of responsibility, and determine supervisory examination programmes, based on the group risk assessment report and the outcome of the capital and liquidity joint decision. (Article 92e (2) LCI). As noted in EC2, the legal basis for cooperating and coordinating supervisory activities is found in the LCI, reflecting the EU framework. EC4 The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross- border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. Description Where the BNB is part of a supervisory college, MoUs are in place which provide for the exchange of and findings information and an agreed communications strategy. The practical means of information exchanges re EC4 are decided on the basis of a flexible framework and on a case-by-case basis. Where the BNB is the home supervisor, it has an obligation under the LCI (Art92(1)) to develop a communication strategy and coordinate the gathering and dissemination of relevant and essential information in going concern and in emergency situations. In relation to the non-EU/EEA subsidiaries, the BNB has not yet established a formal communication strategy but has funcational relationships with the respective supervisors that were discussed with the assessors. 103 BULGARIA EC5 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. Description A framework for cross-border crisis cooperation and coordination is contained in MOUs between the and findings relevant supervisory authorities. re EC5 As with ECs above, the LCI provides that in the event that the BNB is the consolidating home state supervisor (EU or non-EU), it has obligations to coordinate the gathering and dissemination of relevant and essential information in going concern and in emergency situations; plan and coordinate supervisory activities in cooperation with the competent authorities involved, and where necessary, with central banks in the preparation for and during emergency situations, including adverse developments in banks or in financial markets using, where possible, existing defined channels of communication for facilitating crisis management. This also includes the preparation of joint assessments, the implementation of contingency plans and communication to the public. (Art 92(1) and (2) LCI) The Directive 2014/59/EU establishing a framework for the recovery and resolution of credit institutions (BRRD) had not been implemented at the time of the assessment. Some arrangements or analysis may need to be updated once the directive has been implemented. EC6 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. Description As indicated in EC5, these issues are dealt with in MoUs. and findings In accordance with Article 121a of the LCI the BNB shall prepare a plan for orderly resolution of each re EC6 bank, licensed in the Republic of Bulgaria, which might be applied if the bank is in financial difficulties. In most colleges group recovery and recovery plans have been shared and discussed by the members and relevant information has been exchanged. The BRRD (Directive 2014/59/EU) establishing a framework for the recovery and resolution of credit institutions had not been implemented at the time of the assessment. Some arrangements or analysis may need to be updated once the directive has been implemented. For example, until the BNB is confirmed as the relevant resolution authority it will not be able to participate in resolution colleges, nor “coordinate” with the national resolution authority although approaches have already been made to it from other EU jurisdictions. To date, the BNB has shared information to the extent feasible. EC7 The host supervisor’s national laws or regulations require that the cross -border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. Description Subsidiaries of foreign banks with banking licenses in Bulgaria must comply with the same regulatory and findings and reporting requirements as local banks. Branches, as well as subsidiaries, must comply with the 104 BULGARIA re EC7 same requirements as local banks. The BNB policy is that all banks are subject to the same prudential standards. Banks licensed in a Member State, which operate on the territory of the Republic of Bulgaria through a branch, shall be supervised by the competent supervisory authorities of the home Member State who have responsibility for prudential, inspection and regulatory reporting requirements. The BNB retains several competencies, inter alia, regarding liquidity, reporting requirements, rights of access to data, and the power to carry out on-site inspection of the activities carried out by a branch. (Art 81 LCI) In regulating the activities and in exercising its supervisory powers, the BNB may not set requirements or restrictions which lead to a preferential treatment of the branches of credit institutions with seats in a third country over the branches of banks licensed in a Member State. (Art 86 LCI). EC8 The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. Description The competent supervisory authorities of a Member State responsible for the supervision of banks and findings with branches in Bulgaria, may carry out an on-site inspection subject to prior notification to the re EC8 BNB. At the request of a competent supervisory authority of a Member State, the BNB shall verify particular information on a credit institution, financial holding company, mixed financial holding company, financial institution, ancillary services undertaking, mixed holding company or their subsidiaries, which carry out activities on the territory of the Republic of Bulgaria. The verification may be carried out by the BNB on its own, by the competent authority that requested the verification, with its participation or by an external auditor or expert. (Art 100 LCI) The BNB has experienced good cooperation with the home supervisors of EU banks with branches and subsidiaries in Bulgaria. To date inspections have been carried out with Greek and Austrian supervisors in respect of the AML/CFT compliance of banks whose parent banks are based in Greece and Austria. The process includes notification from the home authority, providing information to the home authority through questionnaires, on-site inspections through joint teams when requested by the home supervisor, drafting conclusions. There are requirements for the BNB, acting as home supervisor, to inform the host supervisor of intended visits to local branches of banks licensed on the territory of the Republic of Bulgaria but these only apply in relation to banks in Member States. (Art 87 LCI). In practice the BNB indicated that it would show the same courtesy to a non-EU host jurisdiction but given the – currently – small entities that are in non-EU countries it is not an issue that has yet arisen. EC9 The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. Description The Bulgarian legislation do not allow the establishment of booking offices and/or shell branches in and findings Bulgaria. Likewise Bulgarian banks are not allowed to set up shell branches abroad. re EC9 EC10 A supervisor that takes consequential action on the basis of information received from another 105 BULGARIA supervisor consults with that supervisor, to the extent possible, before taking such action. Description The BNB has no practical experience of a foreign regulator passing on information that would require and findings consequential action but believes that it would take such action. Where MOUs exist, a provision to re EC10 this effect is usually included. In principle and under the law (Art 95 LCI, reflecting the CRDIV) the BNB would consult with another EU/EEA Member State competent authority before taking any supervisory action. Such supervisory action would include, for example, imposition of additional capital requirements or restrictions on the use of operational or credit risk internal models for the calculation of the own funds requirements for supervisory purposes. However, in cases of urgency or where consultation may hinder or jeopardise the effectiveness of the BNB’s supervisory action, the BNB is not obliged to notify in advance, but instead must notify without delay after the action is taken. (Art 95 LCI) Parallel obligations to notify the relevant EU home state supervisor, and exemptions in the case of urgency apply to the treatment of EU branches established in Bulgaria (Arts 82 and 83 LCI). Assessment Compliant of Principle 13 Comments Due to the structure of the banking sector in Bulgaria, the BNB’s role is primarily that of a host state supervisory authority within the EU. This responsibility is taken very seriously and the BNB attends all colleges and participates in the joint decision making processes that are required under the EU framework. It was notable to the assessors that the BNB staff had established good relationships and networks of colleagues and contacts throughout the EU. While such relationships are, by definition, separate from the home-host working relationship, they are indicative of the ability to build trust and establish important connections, which is an essential foundation of supervisory colleges. The assessors, on numerous occasions, heard positive endorsement on the smoothness of supervisory coordination and decision making from counterparties who were external to the BNB. The assessors discussed the instances where the BNB is the home supervisor of a bank with small non-domestic presences and noted that contact and cooperation, including in instances where stress had emerged in the non-EU jurisdiction, had been close. It was also noted that equivalence of third country jurisdictions (with EU standards) has not been confirmed by the EU institutions for all relevant jurisdictions. Information exchange will be further facilitated when all equivalence assessments have been completed. It is noted that some arrangements, specifically coordination with the resolution authority of Bulgaria (not yet formally legislated but expected to be the BNB) may lead to revisions in terms of cross border crisis and resolution planning. This principle is marked as compliant for two reasons. Partly to avoid double counting with CP8, where deficiencies related to the late transposition of the BRRD were reflected, and also because the BNB has not, in practice impeded resolution planning but has been able to provide information and assistance to home state supervisors in the context of cross border resolution planning. B. Prudential Regulations and Requirements Principle 14 Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior 106 BULGARIA management,47 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. Essential criteria EC1 Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. Description The legal framework is derived from the LCI, the Commercial Law, the Ordinance on Organisation and findings and Risk Management of Banks (Ordinance 7), the Ordinance on Internal control in Banks (Ordinance re EC1 10) and the Ordinance on the Issuance of Approvals to the Members of the Management Board (Board of Directors) and Supervisory Board of a Credit Institution and Requirements for Performing their Duties set up the corporate arrangements in banks (Ordinance 20). This legal framework covers the requirements for internal governance introduced by the CRDIV (Directive 2013/36/EU). In addition the BNB requires from the banks to follow the Guidelines on Internal Governance (published on the website) which are translated from the EBA (formerly CEBS) Guidelines on internal governance from 27 September 2011 and the Guidelines on the assessment of the suitability of members of the management body and key function holders available on the EBA website (Article 4 (2) Ordinance 20). These guidelines are notified to the banks by letters setting out the BNB expectation that the banks must comply with the standards. The basic provision for sound corporate governance is set in the LCI, Article 73 (1), which states that the competent managing body of each bank shall adopt and regularly review in accordance with the best internationally recognised practices for corporate governance of banks the whole elements of the governance framework. The requirements for sound corporate governance are expected to comply with the following principles: 1) approve and oversee the implementation of the institution's strategic objectives, risk strategy and internal governance; see Management oversight – Article 5, 6, 8 from the Ordinance №10 2) the management body t0 ensure the integrity of the accounting and financial reporting systems - Risk control - Article 5, 6, 7, 8, 13, 14 from the Ordinance №10 3) the management body to oversee the process of disclosure and communications - Article 8 from the Ordinance №10 and Article 3 (5) of Ordinance №7 4) the management body to be responsible for providing effective oversight of senior management – Article 241, 242, 243, 244 of the Commercial Law 5) the chairman of the management body in its supervisory function of an institution must not exercise simultaneously the functions of a chief executive officer within the same institution, unless justified by the institution and authorised by competent authorities – Article 241, 244 of the Commercial Law 6) establishment of nomination committee and certain requirement according to Article 73c of the Law on credit institution and Article 12 Ordinance 20 The BNB explained that it considers the corporate governance topic as a key issue in particular 47 Please refer to footnote 27 under Principle 5. 107 BULGARIA following Basel II and the Corporate Governance Guidelines issued by the Basel Committee. Banking Supervision Department has published the Basel Committee recommendations in Corporate Governance on its official website and has recommended its application by the banks. Taking into consideration the World Bank recommendations for improving training for senior management, the banking supervision department has periodically organized high-level seminars for banks’ senior management, although the last was nearly three years ago in May 2012. The amendments to the LCI - namely Article 73 (1) were introduced in the light of the World Bank Report on Corporate Governance Policy Practice in Bulgaria. As a result of the amendment, banks have been obliged to adopt and regularly review and update their organizational structure, strategy and action plan, rules for monitoring and mitigating the risks, rules on preparing and presenting information to the management etc. In 2012 the European Bank for Reconstruction and Development (EBRD) conducted a comparative assessment of the corporate governance of banks in Bulgaria. The BNB indicated that the key weaknesses outlined in the report were addressed in the context of on-site inspections. The CRD has introduced further amendments. EC2 The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. Description The BNB reviews the availability and quality of the internal governance policies and practices during and findings on-site inspections as part of the overall assessment of the management and corporate governance re EC2 (which represents one of the component ratings of the CAMELOS risk assessment system). The corporate governance assessment reflects the opinion of the inspection team for the quality of management in the context of the mission, the overall risk profile and performance of the bank, as well as the plans for its development in the long run. The SREP process, which forms the backbone structure for most of the supervisory approach, identifies corporate governance specifically as a risk to be assessed and evaluated by the supervisor. The internal SREP Manual states, “Every institution must have adequate corporate governance and risk management procedures, including a strategy and processes aiming to achieve and sustain a capital level that is adequate to the nature of the institution’s business activities and risks.” EC3 The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members Description The LCI and Ordinances establish requirements and expectations in respect of governance structures and findings and in the need for experienced Board members. re EC3 The LCI (Arts 11 and 10(4)) set out the criteria the members of Management board (Board of directors) of the bank - whether executive or non-executive - must meet in order to be appointed. These criteria are further elaborated in Ordinance 20 on the issuance of approvals of Board members. These criteria include experience, education and suitability for the post. EBA Guidelines also cover the assessment of the suitability of members of the management body and key function holders. Part of the documentation needed for the BNB to issue the approval of a Board member is a completed questionnaire for fitness and propriety which is an annex to the Ordinance. The Deputy 108 BULGARIA Governor heading the Banking Supervision Department or persons authorised by him/her may interview the applicant or require additional documents (including letters of recommendation), where it is deemed that the submitted documents do not contain sufficient information regarding qualifications and professional experience in banking or the fitness and propriety of the person. Where the BNB makes fitness and propriety assessments, it must also consult the EBA database of administrative penalties. In terms of the governance structure of a bank, the LCI includes a number of important requirements.  A nomination committee (Art 73c LCI) must be established and composed only of non- executive board Members. Ordinance 20 (Art 12) sets out the range of requirements, including that the nominations committee must be composed of at least two individuals and meet at least annually.  An audit committee must be established in compliance with the Law on Independent Financial Audit (Art 40f). Executive management and Board members are prohibited from sitting on the audit committee but independent Supervisory Board members may – indeed should.  A risk committee, commensurate with the bank’s scale and complexity, is required under the terms of Ordinance 7 (Art 6(1) and (3)) and again this committee must be composed of non- executive members who possess appropriate skills in order to understand and monitor the risk strategy and the risk appetite of the bank.  A remuneration committee is required under Ordinance 4 (Art 6(1)). The BNB indicated that when the law was amended to introduce the requirement for banks to have a non-executive independent member on the nominations, risk, audit and remuneration committees the banks – particularly locally owned entities - had not found the adjustment to be straightforward. In the view of the BNB not all necessary changes have yet been achieved but progress has been made. The BNB provided a key note address at a seminar with the association of internal auditors to help re-enforce the message. EC4 Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty.”48 Description Article 11 of the LCI (11(2)LCI) requires that Board members shall possess the knowledge, skills, and findings experience, reliability and suitability for the position. re EC 4 The “duty of care” is addressed by the requirements for the Board Members that are articulated in Ordinance 20 (Art 13) and state that “Members of the management board (board of directors) and supervisory board shall act with honesty, integrity and independence of mind to effectively assess and challenge the decisions of the senior management, where necessary, and to effectively oversee and monitor management decision-making.” Also, “Members of the management board (board of directors) and supervisory board shall commit sufficient time to perform their duti es in the bank.” 48 The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables,” 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ’prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.” 109 BULGARIA The “duty of loyalty” is not clearly set out in the banking laws but Article 11(1)(9) requires that there should be no conflicts of interest for a Board member. As noted above, in EC3, the BNB carries out fitness and propriety assessments for all Board members, based on the declaration (filled by the relative nominee) which is based on the questionnaire under Ordinance 20 which relates to the criteria set out in Article 11 of the LCI. Further, the BNB may – and it is common practice to do so - also interview the applicant or require additional documents (including letters of recommendation), where it is deemed that the submitted documents do not contain sufficient information regarding qualifications and professional experience in banking or the fitness and propriety of the person. EC5 The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite49 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment. Description Strategy, risk appetite and control are addressed under the LCI (Art 73) and Ordinance 7 on risk and findings management. Under Article 73 the Board shall adopt and regularly review in accordance with the re EC5 best internationally recognised practices for corporate governance of banks: 1. the bank’s organisation structure; 2. the procedure for defining and delegating the administrators’ powers and responsibilities; 3. the bank’s strategy and action plan; 4. the strategies and policies for taking up, managing, monitoring and mitigating the risks the bank is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle; 5. the procedure for generating and the scope of the management information; 6. the operational control organisation, including rules and procedures for approving, carrying out and reporting transactions; 7. the internal rules and procedures for risk management and control systems efficiency and for reporting the established weaknesses in the organisation and work of structural units; 8. systems for prevention against the risk of money laundering. Ordinance 10 on internal controls addresses conflicts of interest. For example, the Board (competent management body) must segregate duties in any cases where a conflict of interests may occur and also requires that no individual holds more than one function related to the authorization, performance and reporting of an activity. (Art 6). The review of these requirements is done during the on-site inspections as part of the overall management and corporate governance assessment. Banking supervision inspectors follow the internal RAS Manual which guides them to review the internal documents of the bank related to its strategy, risk appetite and related documents, to discuss deficiencies (if any) with the relevant Board representatives and to stay informed about any changes approved by the Governing Council. 49 “Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously. 110 BULGARIA EC6 The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. Description The Managements and Corporate Governance review by on-site inspections includes a variety of and findings tools and techniques (outlined in the internal RAS Manual) for evaluation of the internal policies, re EC6 rules and procedures related to the performance of senior management. When on-site, inspectors review all internal documentation related to the monitoring of senior management performance, hold meetings with responsible representatives of the Bank and assess the degree of compliance with the internally set standards. This topic is part of the overall assessment of the Management and Corporate Governance, which comprises one of CAMELOS composite ratings. Under the LCI (Art 73(3)), the BNB is required to make recommendations and prescriptions for improving corporate governance in accordance with the best internationally recognised practices and monitor their implementation. The BNB indicated that contact with the boards of the bank was typically driven by the risk profile of the institution and any relevant on-site findings. The on-site team responsible for the bank meets the members of the management board and sometimes the members of the supervisory board also at least twice in each on-site visit – at the beginning and at the end. The team must report its inspection findings to the executive directors of the bank. It is also common practice to meet executive members during the course of an inspection. Staff members the assessors met with also indicated that contact with the Board was most normally at the level of the Deputy Governor. EC7 The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. Description The compensation system of the Bank is subject to supervisory review during on-site inspections as and findings part of the Management and Corporate Governance review. The inspectors assess whether the Board re EC7 has implemented the provisions of Ordinance 4 on the Requirements for Remunerations in Banks. Inspectors also apply the CEBS (now EBA) Guidelines on good banking practices. The RAS Manual guides banking supervision inspectors in their duties related to the evaluation of remuneration policies, including whether it there is a transparent, publicly disclosed, comprehensive policy, addressing all levels of the bank’s structure and which does not encourage risk -taking that exceeds the defined risk tolerance of the bank. The RAS Manual also includes a questionnaire to be used the inspectors during on-site inspections, which aims to clarify all aspects of the Bank’s compensation system and to establish whether the provisions of Ordinance 4 of BNB, EBA’s guidelines and good banking practices are followed by the Board. Although the BNB may not directly restrict remuneration, the banks are under an obligation to explain all remuneration decisions. The BNB may enforce the provisions of Ordinance 4 (through Article 103 of the LCI) and this may have the effect of restricting remuneration, but it is not a direct power to restrict. The institution must have a methodology and supporting documentation to explain 111 BULGARIA which categories of employees are entitled to which remuneration packages. The main provisions are established by the Law on credit institutions, Article 73b which states that banks shall adopt and implement a policy for the remuneration of their employees. The remuneration policy shall promote sound risk management and shall not be conducive to risk taking that goes beyond the risk profile of bank. Policies shall be consistent with the business strategy and long-term objectives of the bank in relation to administrators and other persons, whose rights and obligations have a significant influence on the risk profile. Aside from that, remuneration policy must be built on principles ensuring compliance with the size, internal organisation of the bank and the nature, scope and complexity of activities carried out by the bank. Ordinance 4 (Art 8) requires that variable remuneration shall be related to performance through a combination of the assessments of the performance of the individual and of the business unit concerned and of the overall results of the bank. When assessing individual performance, financial and non-financial criteria shall be taken into account. This assessments must be set in a multi-year framework in order to ensure that the assessment process is based on long-term performance and that the actual payment of performance-based components of remuneration is spread over a period which takes account of the business cycle and risks taken by the bank. The measurement of performance used to calculate variable remuneration components or pools of variable remuneration components shall include an adjustment for all types of current and future risks and take into account the cost of capital and the liquidity required. EC8 The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from t he use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. Description The legal framework in respect of establishing Board and executive management responsibly for the and findings banks operational structure and risks is comprehensive. For example: re EC8 The banks are required to establish risk committees which should be composed by non-executive members. They shall have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the bank. (Art 6(3), Ordinance 7) The management board (board of directors) are required to devote sufficient time to consider risk- related issues. Members of the board shall be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in this Ordinance and in the EU CRR, including in the valuation of assets, and the use of external credit ratings and internal models relating to these risks (Art 3 (1), Ordinance 7). Where an institution operates through special-purpose or related structures or in jurisdictions that impede transparency or do not meet international banking standards, the management body shall understand their purpose and structure and the particular risks associated with them. The management body shall only accept these activities when it has satisfied itself the risks will be appropriately managed - Paragraph 7 Non-standard or non-transparent activities, point 1 of the Guidelines on Internal Governance. The Board is required to approve and periodically review the strategies and policies, adopted under the LCI (Art 73(1)(3)) for taking up, managing, monitoring and mitigating the risks to which the bank is or might be exposed, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle. (Art 2, Ordinance 7) The bank must adopt and maintain rules and procedures for reporting to the management board 112 BULGARIA (board of directors) that cover all material risks and risk management policies and changes thereof. The supervisory board or the members of the board of directors who do not perform any executive function, as well as the risk committee shall determine the nature, the amount, the format, and the frequency of the information on the bank’s risk profile which it is to receive. The supervisory board or the members of the board of directors who do not perform any executive function and the risk committee shall have adequate access to information on the risk situation of the institution and, where necessary and appropriate, to the risk management function and to external expert advice. The management board (board of directors) and the supervisory board shall oversee the entire disclosure and communication process. (Art 3, Ordinance 7) EC9 The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. Description When there has been a direct violation of the LCI, the CRR or other acts and including BNB and findings guidelines, under Art 103(1) the BNB has the power, under the LCI (Art 103(2)) to require the re EC9 dismissal of one or more individuals authorized to manage and represent the bank, as well as members of the management board, board of directors or supervisory board. BNB guidelines include the guidelines on internal governance (Ordinance 10) and the guidelines on the assessment of the suitability of members of the management body and key function holders (Ordinance 20). The internet links to those guidelines and the letter for their application as part of supervisory review and evaluation process were sent to the banks – Guidelines on internal governance with letter ref. number 91ТБТ-0006/30.07.2012 and Guidelines on the assessment of the suitability of members of the management body and key function holders with letter ref. number 91 ТБ-0060/28.05.2013. However, the terms of Article 103(1) do not clearly encompass the weak performance of a Board member, or a failure to meet the suite of corporate governance standards as encompassed in this principle. Additional criteria AC1 Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. Description The management of the internal audit office shall forthwith inform the BNB of “any violations found and findings out in the bank’s governance, which have resulted or may result in substantial damages for the re AC1 bank.” (Art 74 (2)) The head of the internal audit unit shall immediately notify the BNB of violations or malpractices in the bank’s management that have led or may lead to material damages. (Art 28(1), Ordinance 10). As with EC9, the provisions of the LCI do not directly address the need for a bank to notify the BNB of a material concern which may affect the fitness and propriety of a Board member or member of senior management. Assessment Materially Non Compliant of Principle 14 Comments The BNB staff demonstrate a strong awareness and familiarity with the policies and principles of corporate governance and recent developments in this field – including the work by the Basel Committee on revising its principles for corporate governance in banks. Equally, however, the 113 BULGARIA assessors were made very aware, in their meetings with banks and representatives of the professional services that support the banking sector, that corporate governance remains a work in progress in the Bulgarian market. As might be expected, the best practices are considered to be found in the local subsidiaries of major international banks. The BNB uses its inspection process for the determination of the status and effectiveness of corporate governance in the banking sector and for the oversight of Boards in individual risk areas. Therefore it is important to note that not only CP14 but individual ECs throughout the individual risk principles are affected. Necessarily, the on-site inspection timetable, due to resource constraints, is not able to maintain a fresh perspective on all of the banks and this creates a vulnerability in the field of corporate governance assessment. Moreover, and as noted in CP9, although the BNB has established relationships with the Supervisory Boards of the banks, the contact is not systematic and is not close. The assessors had the impression that senior level contact between the BNB and the Supervisory Boards might take place from time to time without the supervisory teams being aware, or having the opportunity to brief on particular issues that might need to be drawn to the attention of the Supervisory Boards. The inspection reports and off-site analysis that the assessors were able to review presented little evidence that inspectors had been able to make these determinations or had deeply pressed their investigations. It was clear from the reports, and banks confirmed, that the inspectors routinely review committee minutes and decisions and a summary assessment was routinely made for the management component of the CAMELOS rating. The on-site practices may reflect the fact that the RAS manual, which is a key tool for the inspectors, is not as developed in respect of corporate governance issues as it is in other areas. Unsurprisingly, the related areas of corporate governance, risk management, and internal controls are treated together in the RAS manual and are most well developed for internal controls and seemingly least well developed for techniques to assess corporate governance. In this sense the manual reflects the fact that supervisory standards and expectations have the longest history – internationally – in the field of internal controls and are the most recent in respect of corporate governance. The BNB is not necessarily strongly out of step with peers, but the oversight of corporate governance standards in banks requires more attention Additionally, and despite the provisions of Article 103 which permits the dismissal of a Board member, it is unclear that the BNB has adequate powers to require the change to the composition of a Board in respect of a member who in the belief of the BNB are not fulfilling their duties satisfactorily in relation to the discharge of corporate governance as set out in this principle. Obtaining clarity on this point is important so that there is no risk of the BNB being inhibited to act in relation to corporate governance issues. It is similarly unclear that banks are required – and individuals granted any appropriate legal protections – to notify the BNB should there be material issues that would affect the fitness and propriety of the Board member or member of senior management. Recommendations o Ensure the BNB has the requisite powers to require changes to the composition of a Board where an individual or individuals have failed to discharge their corporate governance responsibilities effectively. o Ensure banks are required to notify the BNB and that – as necessary – legal protections are in place to protect individuals who notify the BNB if there are material issues that would affect the fitness 114 BULGARIA and propriety of the Board member or member of senior management. o Refresh Ordinance 10 to elaborate more clearly on the BNB’s requirements and expectations in the field of corporate governance. o Institute systematic senior level contact between the BNB and the Boards of the banks, to reinforce priority messages, deepen the overall assessment of the Boards’ qu alities and capacities and as necessary to challenge the banks. This contact should make Boards aware that the primary responsibility for the safety and soundness of the institution rests with them. o Greater frequency of assessment of corporate governance is needed. In view of overarching resource constraints, this may be an appropriate topic for a horizontal review. o Deepen the RAS Manual to provide greater guidance to inspectors in testing the quality of corporate governance within firms and in how to reflect their findings in the overall analysis, ratings and supervisory actions Principle 15 Risk management process. The supervisor determines that banks50 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate 51 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.52 Essential criteria EC1 The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: (a) a sound risk management culture is established throughout the bank; (b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; 50 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group. 51 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents. 52 It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management. 115 BULGARIA (c) uncertainties attached to risk measurement are recognized; (d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and (e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite. Description Key obligations are placed on the Board of a bank with regard to risk management in Article 73 of and findings the LCI. In particular, Article 73(1) sets requirements for the Board to adopt and review, in accordance re EC1 with internationally recognized practices, the bank’s strategies and policies for taking up, managing, monitoring and mitigating the risks of the bank. Further the Board must establish the rules and procedures for risk management and reporting. Under the terms of Art 73(5) of the LCI, the Board is also required to apply, in its risk management practices, the technical criteria that are set out in Ordinance 7. Article 2 of the Ordinance reinforces the Board obligation to approve and periodically review the strategies and policies for risk management. Articles 79(1) and 79c of the LCI impose obligations on the BNB to supervise banks’ to ensure the safe and sound management of banks and the risks they are exposed to as well as reviewing the strategies and processes by which banks comply with requirements on risk management. The BNB is required to come to a determination of whether the arrangements – including their implementation – are adequate to ensure sound management and coverage of risks. In terms of the active supervision and assessments carried out, the BNB’s practices follow the RAS Manual. The RAS draws on EBA recommendations on risk management, and provides that: Depending on the size, complexity and risk profile, institutions must build a consistent culture and strong risk management, supported by appropriate policy announcement. Risk management (incl. responsibilities, risk tolerance and risk appetite) should be documented and updated (if needed), and the framework for risk management should be subject to independent review. Bank staff must be made aware of risk management requirements in a timely manner. In the context of risk appetite and risk tolerance, particular attention is paid to the establishment of appropriate risk limits and; risk management models, incl. recognition of uncertainties with regard to quantitative and qualitative risk models. During on-site inspections the supervisory team is required to verify the quality of risk management strategies, internal rules and has to insure that they are adequate to the nature, size and complexity of the bank business and its risk profile. All of these bank-internal documents are required to be available upon starting the inspection (as set in the official Letter of Required Documents, handed in advance over to the bank’s executives) and are subject to examination. Expectations for the role of the bank’s Chief Risk Officer are also set out (noting that for banks of more limited scale and complexity, this role can be combined with that of another senior person within the bank, provided there is no conflict of interest). The BNB indicated that obtaining the full package of Board documents was part of the on-site inspection process and that minutes are checked to ensure that decisions are actively taken by the Board on risk management strategy. The assessors reviewed BNB reports and was able to identify that the supervisory teams had paid attention to the confirmation by the Board of the risk management appetite of the bank. In some cases banks were criticized for failures in this regard and expected to remediate the situation. EC2 The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor 116 BULGARIA determines that these processes are adequate: (a) to provide a comprehensive “bank-wide” view of risk across all material risk types; (b) for the risk profile and systemic importance of the bank; and (c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process. Description The key obligation for banks to have comprehensive risk management policies and processes is and findings established in Article 73(1)(4) of the LCI, (see also EC1). A supplementary requirement, related to re EC2 adequacy of capital for these risks is set out in Article 73a(1). Further, Article 73a (2) requires that these strategies and processes shall be subject to regular internal review to ensure that they remain comprehensive and proportional to the nature, scale and complexity of the activities of the banks. The obligation for the BNB to conduct a supervisory review is found in Article 79c(1) and (2) in particular. The RAS points to the need for the adequacy of information systems and the risk management model to provide a bank wide view of risks. The level of risk management expertise is expected to be commensurate with the scale and complexity of the institution. The RAS states, for example, that banks should identify and manage all risks – in all business lines; on both portfolio and group base, regardless of the exposure type (balance-sheet and off-balance sheet). The BNB noted that banks are differentiated in the capacity and sophistication between those that are part of an EU group and those that are locally owned, in particular smaller banks with the latter being more limited and constrained, not necessarily having a separate full risk management function. However, even the EU subsidiaries had experienced a high turnover of staff related to risk management. There is a local skills shortage in this field. EC3 The supervisor determines that risk management strategies, policies, processes and limits are: (a) properly documented; (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and (c) communicated within the bank The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. Description Article 72 of the LCI requires that: (1) A bank shall submit to the BNB copies of its Statute, regula- and findings tions, instructions, and other documents containing provisions regarding the scope and procedures re EC3 for conducting operations, the capital and the internal organization of the bank, within 10 days following their adoption, or after amending or supplementing them. The expectations for the documentation and review of risk management in banks is also set out in the RAS which the supervisory teams use for the on-site inspection process and includes, among other elements the requirement, that “Risk management (including responsibilities, risk tolerance and appetite) should be documented and updated (where necessary) and the risk management framework should be subject to independent review. Depending on their place in the hierarchy, the bank’s employees must be informed on a timely basis of injunctions in relation to risk management.” The RAS further requires inspectors to check that strategy and policy information is communicated to the relevant staff within the bank (by means of written guidelines, manuals, etc.). The BNB commented that a particular issue the inspection teams needed to take into account was whether the parent entities of subsidiaries were obtaining good quality information and whether the 117 BULGARIA subsidiary was abiding by group risk management standards as well as whether local specification of group standards might be needed. EC4 The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. Description The process of relating risk to capital and liquidity falls under Pillar 2. The BNB has issued an ICAAP and findings Manual to banks, which “aims at clarifying the statutory requirements and expectations with regard re EC4 to the development and implementation of ICAAP by credit institutions, and at solving a number of recurrent problems that arise in the banking sector in the course of the process. The manual aims at setting specific requirements for certain parts of the ICAAP, where possible.” According to the ICAAP Manual, banks shall define which risks need to be assessed and covered with internal capital (see ICAAP Manual, item 3.2). The ICAAP Manual also sets particular requirement for reporting to the management and to the supervisor. The management of the bank is required not only to approve, and sign, the ICAAP report but also keep track of any developments which should provoke strategic decisions. To be able to do this the management should receive regular reports on any changes in the risk profile, capital limits utilization etc (Item 3.6). The BNB expects that all banks to undertake a thorough analysis of the types of risks to which they are exposed (other than the Pillar 1 risks) in the context of their ICAAP. This analysis should be comprehensive and robust enough to convince the regulator that the bank’s own assessment of its risk profile is accurate. Each institution defines for itself which risk types are relevant to its business and the way it should control and assess them. Furthermore, banks must consider whether the regulatory capital requirements under Pillar I reflect the true risk profile of the bank. If Pillar I calculations are not risk-sensitive enough, the bank is expected to identify a better approach or at least define a capital buffer above the Pillar 1 requirements in order to better capture the impact of these risk types on its income. All credit institutions should determine if there is a need to hold additional capital for Pillar 2 purposes against risks, which are not completely covered by Pillar 1. Given that Pillar 2 is required to provide a holistic view of risks, the BNB uses its on- and off-site SREP processes to evaluate and test the banks’ ICAAP/ILAAP processes and documentation to determine whether the Board and senior management receive adequate and appropriate information. The quality of the ICAAP can be assessed both in targeted ICAAP inspections and in the context of standard inspections. The approach to liquidity assessment – ie review of the adequacy of the ILAAP – is still under development. The supervisory teams are directed by the RAS Manual, to assess the bank’s management process and its effectiveness, by evaluating, among other key components, the Management Information System (MIS) - i.e. evaluation of the overall MIS and how it provides the Board of Directors/Managing Board, the Supervisory Board and the administrators of the bank with the information necessary for monitoring, evaluation and control of the business situation and the risks to which the bank is exposed. The assessors were able to review a number of ICAAP submissions and assessments. While it is standard practice to review information that is submitted to the Board, and any subsequent decisions and actions, it is not always standard practice to meet the Board and test the full understanding of the capital and liquidity needs. It was noted in discussion with the BNB that a particular area of sensitivity is to test whether the local subsidiaries of wider banking groups necessarily have enough 118 BULGARIA information or understanding of how they fit into the group ICAAP and whether the internal group capital allocation is appropriate. EC5 The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. Description As noted under EC2, Article 73a(1) and (2) impose obligations on banks to have in place the and findings strategies and processes to assess the adequacy of capital for the risks to which they are or might be re EC5 exposed and that these strategies and processes should be subject to regular internal review to ensure they remain comprehensive and proportional. The BNB’s assessment of the bank’s compliance with this requirement, is carried out in the context of the Pillar 2 assessment (ie the SREP). For the SREP to be carried out the bank must undertake its own Internal Capital Adequacy Assessment Process (ICAAP) and the newly introduced Internal Liquidity Adequacy Assessment Process (ILAAP). The SREP is performed through on-and off-site activity. The SREP must be performed at least annually. In addition, the actual establishment of the internal process of overall capital and liquidity adequacy assessment with regard to bank’s risk appetite and risk profile receives particular attention during on-site inspection. The assessors were able to review ICAAP assessments that made reference to the on-site processes. EC6 Where banks use models to measure components of risk, the supervisor determines that: (a) banks comply with supervisory standards on their use; (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. Description (a) Supervisory standards and findings re EC6 Prior approval from the BNB is required, under the terms of the CRR, for any bank wishing to use internal models to measure components of credit, market and/or operational risks, official approval by the BNB should be obtained in order to use the models for capital requirements reporting purposes. The criteria for authorisation to use Internal Rating Based Approach (IRB) for credit risk and for the AMA for Operational risk, including robust risk management systems are contained in the CRR (Part Three, Title One, Chapter Three, Section I and Part Three, Title Four, Chapter Five, Sections I to V). The BNB has developed Guidelines for the IRB approach and AMA approval process, for which approval by the Governing Council is pending. At the time of the assessment two approvals had been granted for IRB and one application for AMA was being assessed. (b) Management understanding The obligation for the management board shall devote sufficient time to consider risk-related issues is set out in Ordinance 7 on organisation and risk management of banks (Art3 (1)). Members of the board are required to be actively involved in and ensure that adequate resources are allocated to the 119 BULGARIA management of all material risks addressed in both the Ordinance and in the CRR. (c) Regular validation The CRR (Art174(d)) imposes requirements concerning the cycle of model validation – which should be regular and should includes monitoring of model performance and stability; review of model specification; and testing of model outputs against outcomes. Additionally, the CRR (Art 177(2)) requires institutions to undertake regular stress testing of credit risk to test the adequacy of their capital requirements for credit risk. Prior to the coming into force of the CRR, the requirements for periodic validation and testing were set in the now repealed Ordinance 8 (Art 88(4)). Ordinance 7 also provides for annual reporting of calculation and explanation of methodologies used in respect to exposures in benchmark portfolios and these results are submitted to the EBA by the BNB to facilitate supervisory benchmarking of internal approaches within the EU. Further, the Ordinance places an obligation on the BNB (Article 22(1)) to investigate when a particular bank diverges significantly from the majority of other banks using internal approaches or where there is little commonality in an approach leading to a wide variance of results. Corrective actions are to be applied when the bank’s approach has led to an under-estimation of capital requirements that is not attributable to the underlying risks. Additionally, Article 18 stipulates that particularly significant banks in terms of size, internal organisation and nature, scale and complexity of their activities shall provide the necessary prerequisites for internal credit risk assessment capacity and internal specific risk assessment capacity and for the use of the internal ratings based approach /internal models for specific risk/ where their exposures are material in absolute terms and where they have at the same time a large number of material counterparties /material positions in debt instruments of different issuer. Following the granting of approval by the BNB, the models are subject to regular supervisory assessment as to determine whether they continue to comply with the standards and conditions for their use. This review shall be at least every three years for approaches that require approval under the CRR (Art 80c of the LCI). Moreover, the validation tests, and the senior management’s understanding of the particularities and limitations of the modes and the risks associated with them as a whole, are subject to supervisory review under specific IRB-inspections and dedicated meetings. Supervisory methods to assess the validation process, (whole or in part) may include off-site analysis and/or spot checks. The main focus is the evaluation of the nature of the calculations used by banks in determining the necessary capital (Pillar I) and capital adequacy, as well as the quality of risk management. On-site inspections focus on assessing to what extent the models are part of everyday work and risk management in the bank (“use test”), what internal controls are in place with this regard and whether appropriate measures are taken so as to mitigate the risks relating to the use of internal rating systems and models. Nevertheless, the ICAAP Manual which provides guidance to inspectors when considering the technical criteria for the adequacy of ICAAP but does not include a direct requirement for inspectors to test management’s capacity or understanding of the processes involved. The BNB has established a special supervisory team which main task is internal model approval (IRB and AMA) upon submitted requests by banks with intent that models will be used for regulatory capital purposes. The team also assesses whether the model outputs appear reasonable after an approval is granted, whether the bank continues to comply with the supervisory standards, and whether annual validations and model tests are properly performed. At the time of the BCP assessment, the models team had recently lost a key quantitative expert whose replacement was 120 BULGARIA urgently required. The BNB were proactive in identifying a possible successor, but as in other markets, this area suffers a skills shortage. EC7 The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. Description Article 67 of the LCI sets out general information obligations for banks. Its focus is on an information and findings system that provides accounting data and ensuring the effects of transactions on the banks financial re EC7 position is adequately captured. The provision includes a wider clause which states that the bank’s information system must also capture other information as required by the Law and acts adopted by the BNB. Under Ordinance 7 (Article 3(2)), the bank shall adopt and maintain rules and procedures for reporting to the management board (board of directors) that cover all material risks and risk management policies and changes thereof. Responsibility for the nature, amount, format and frequency of information on the bank’s risk profile rests with the Board and Risk Committee (Art 3(3)). Article 3 further provides that the Board and Risk Committee shall have adequate access to information on the risk situation of the institution and, where necessary and appropriate, to the risk management function and to external expert advice. The Board is also responsible for oversight of the disclosure and communication process. The determination made by the BNB is in the context of the SREP process – in particular through on- site risk-based inspections the information systems of a bank. The inspections are required to assess the bank’s information systems in terms of effectiveness and scope of risk coverage commensurate with the size, structure and activities performed by the institution. In doing such evaluation, the BNB observes whether all material risks, and in particular different types of exposures and their distribution according to various indications (products, segments, clients, grades, collaterization, etc.) are subject to regular monitoring, analysis (qualitative and quantitative), and reporting to the managing body of the bank. The assessment of the operational risk of the bank includes evaluation of the information system, the level of its security and adequacy in periods of stress. A judgment on the assessment of the bank’s management assessmen t, as part of the SREP, is taken on whether the reports to the Management body reflect the bank’s risk profile and capital and liquidity needs so as to be proper base of decision making. The RAS Manual sets out specific requirements for the assessments. Should the BNB not be satisfied with the information systems and reports, the BNB may impose additional requirements in order to improve the bank’s risk management, or pose additional liquidity and capital requirements if risks are not addressed adequately. The BNB seeks to determine whether the information flow would remain adequate in periods of stress during on-site inspections by considering the business continuity plan of the bank; protocols/reports on the tests carried out in relation to the action plan, their results and follow-up; and the contingency plan. EC8 The supervisor determines that banks have adequate policies and processes to ensure that the banks’ 121 BULGARIA Boards and senior management understand the risks inherent in new products, 53 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. Description New products and changes to existing products are topics addressed by the BNB Guidelines on and findings Internal Governance in Banks which are based on the CEBS (now EBA) Guidelines. The BNB Guidelines re EC8 have not yet been formally translated into English. However, the requirements include the need for a well documented policy for approval by the Board (management body). This policy must cover all factors to be taken into account prior to entering new markets, to work with new products, to offer a new service or to make significant changes to existing products or services. This policy also defines the main issues to be discussed before a decision is taken. These issues should include compliance with the regulatory requirements, pricing models, impact on the risk profile, capital adequacy and profitability, availability of sufficient resources for the bank's departments and adequate internal tools and experience to identify and monitor risks. When a decision is taken to start a new business the policy should require that the structural unit and individuals responsible for the new business are clearly identified. The overriding theme is that banks should undertake new activities only if there are sufficient resources available to establish and manage the corresponding risks. Hence the risk control function should also be involved in the process of approving new products or making significant changes to existing products as a comprehensive and objective assessment of the risks associated with new activities in various scenarios – as well as identifying whether there may be vulnerabilities in the bank in terms of effectively managing these new risks. The risk control unit should also have the power to require changes to existing products to undergo a formal approval of new products. Under Pillar 2 SREP guidelines, the compliance function also has the role of verifying that new products and new procedures are in compliance with the current legal environment and any known amendments to the legislation that has not yet entered into force. The EBA is currently working on updating and implementing guidelines for “Product oversight and governance” of bank products. At the time of assessment, these guidelines had been issued for public consultation and once adopted by the EBA, the BNB and will require banks to comply with them. The RAS Manual – in its risk management section – sets out the requirements for the supervisory review related to new products and services, but this is a relatively infrequent event in the local banking market at present. EC9 The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. Description The keystone requirements for the risk management function in banks are set out in Article 5 of and findings 53 New products include those developed by the bank or by a third party and purchased or distributed by the bank. 122 BULGARIA re EC9 Ordinance 7. The risk management function should, according to the principle of proportionality, establish and maintain a risk management function independent from the operational units and which has sufficient authority, statute, resources and adequate access to the supervisory board or the board of directors. Under the SREP guidelines issued to banks, there are set of additional requirements for segregation between risk control and risk taking functions. Periodic review is covered by Article 14 of Ordinance 10 on the Internal Control in Banks which provides that the internal audit function must periodically review the risk management systems, risk and capital adequacy assessment. All these requirements are subject to supervisory review and assessment, as detailed in the “Management and corporate governance. Internal control” section of the RAS Manual . The assessors reviewed a number of inspection reports and identified comments on the evolution and quality and recommendations for further improvement in relation to risk management. More broadly the BNB indicated that not all banks are sufficiently developed to have a separate risk management function, but the work of internal audit is routinely checked. BNB inspectors did not identify segregation of controls as a particular concern for the banking sector. EC10 The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Description As noted above, under Ordinance 7 (Article 5(4) and (6)) the bank shall appoint a head of the risk and findings management function who shall be an independent senior manager with clear responsibilities. Under re EC10 the principle of proportionality, however, where the nature, scale and complexity of the activities of the bank do not justify a specially appointed person, another senior person within the bank may fulfill that function, provided there is no conflict of interest. As also noted above, some of the smaller banks do not have a dedicated unit. The head of the risk management function may not be removed without prior approval of the supervisory board or members of the boards of directors who do not perform any executive function. There are no explicit provisions for public disclosure of the removal of the CRO, or that the bank should seek to contact the BNB to discuss such a decision. The RAS manual sets out the supervisory expectations for the role and function of the CRO. The Manual does not comment on the appropriate methods for removing a CRO but does confirm that the CRO should be given sufficient autonomy and powers in the decision making and risk control process, including the possibility for veto. The CRO is to be given a direct report to the executive management or, at the discretion of the CRO, to the Board and Audit Committee. The RAS also establishes that the inspectors should determine actual or expected changes in the managerial staff of the bank and consider issues of continuity. EC11 The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk. Description Requirements and criteria concerning the treatment of different risk categories are set out in and findings Ordinance 7, Chapter Three: Section I - Credit and Counterparty Risk; Section II - Interest Risk Arising re EC11 from Non-trading Book Activities, Concentration Risk, Securitisation Risk and Residual Risk; Section III - Market Risk; Section IV - Operational Risk; Section V - Risk of Excessive Leverage. 123 BULGARIA Other relevant criteria are comprised in Ordinance 8 on Bank’s Capital Buffers and Ordinance 11 on Bank Liquidity Management and Supervision. The EBA (formerly CEBS) standards and guidelines are also applied to banks as well as a number of guidelines issued by the BNB, including: Guidelines on the Application of the Supervisory Review Process; Guidelines for Internal Governance in Banks; Guidelines on the Management of Interest Rate Risk in the Banking Book; Guidelines on Stress-testing under the Supervisory Review Process; Guidelines on the Management of Concentration Risk under the Supervisory Review Process; Guidelines on the Management of Operational Risks in Market-related Activities. EC12 The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Description Under the LCI (Article 73d), banks are required to put in place a recovery plan containing actions and and findings measures it may take for the restoration of its financial situation in the event of financial difficulties. re EC12 The plan must be submitted to the BNB, which may issue recommended changes, supported by justifications. The LCI mandates that the BNB issue an Ordinance setting out requirements for the recovery plans. Chapter Six of Ordinance 7 elaborates on these requirements. Article 25 is the critical provision. The recovery plan must analyse the impact of adverse events strongly affecting the financial performance of the bank, including crises which affect the entire financial market or the bank, the banking group and/or corporate structure to which it belongs. The plan must be approved by the Board and submitted to the BNB which may require changes to the plan if there are deficiencies or significant obstacles to its implementation. These changes may include reducing exposures to particular risks, increasing capital, changing the funding policy or governance structure. The plan must be reviewed and if necessary updated annually and the BNB may require an “extraordinary” update of the plan. In accordance with the requirements on recovery plans set in the LCI and Ordinance 7, as well as the EBA’s guidelines and assessment module (relevant to the BRRD), in mid 2014 the BNB requested from banks to submit their recovery plans by the end of 2014 for supervisory assessment. At the time of the BCP assessment the BNB was in the process of assessing the recovery plans. EC13 The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: (a) promotes risk identification and control, on a bank-wide basis (b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks; 124 BULGARIA (c) benefits from the active involvement of the Board and senior management; and (d) is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process Description The CRR (Article 177) establishes stress testing requirements for the assessment of capital adequacy. and findings Among other conditions, the stress testing processes shall be used in the bank’s assessment of its re EC13 capital adequacy and shall be performed on a regular basis. Further, the LCI (Article 79c (1) and (2)) requires the BNB to evaluate among other issues risks revealed by stress testing taking into account the nature, scale and complexity of a bank’s activities. On the basis of the supervisory review and evaluation, the BNB shall determine whether the arrangements, strategies, processes and mechanisms implemented by banks, the manner of their implementation as well as own funds and liquidity held by them ensure a sound management and coverage of their risks. The inclusion of banks’ stress tests in the supervisory review and evaluation carried out by the BNB is also set out in Ordinance 7, Article 23. While the RAS Manual does not include a specific section dedicated to stress testing, the topic is included throughout the Manual in each risk type as well as in the overall risk management assessment. Stress tests are an integral part of the ICAAP. The evaluation of the stress-testing framework in a bank is also a main part of the ICAAP and its supervisory review, as provided also in the ICAAP Practical Guidelines (item 4.3 Stress-tests). In the Stress-testing guidelines (“Guidelines on performing stress tests within the SREP”) it is envisaged that the management body has the responsibility for the entire process of conducting stress tests of the bank and must be able to assess the impact of various adverse events on the overall risk profile of the bank. The framework for conducting stress tests is required to be an integral part of the risk management framework of the bank and must be supported by efficient infrastructure. The ICAAP stress test results must be submitted to the management authority and senior management to fully understand the essential risks to which the bank is exposed. The framework for conducting stress tests should allow for taking actions depending on the results, providing the information necessary for decision making by the appropriate management level in the bank. The process of performing stress tests is expected to include: analysis of all the risks incurred by business structures and individual components of portfolios, risk types and business activities; take account of the relationship between different types of risk; various stress tests, based on a "top- down" and a "bottom up" approach, including back-tests; flexible platform that allows current modeling of various stress tests to the various business lines and risk types; using extensive data; and adjusting the assumptions appropriately. The BNB reviews the framework for conducting stress tests of banks on a discretionary basis. The reviews examine the set of scenarios, methodologies and infrastructure surrounding the implementation of the stress tests. The BNB reviews the results of stress tests to assess the sustainability of the bank under adverse economic conditions and its ability to maintain sufficient capital and liquidity. The BNB takes into account the data of changes in equity, capital requirements, liquidity and liquidity needs arising from the adverse conditions. The BNB indicated that it has, where appropriate, questioned the scope, degree of conservatism, assumptions and risk reducing actions set out by the bank. The assessors noted that the stress 125 BULGARIA testing carried out by banks is considered in the annual assessment of the ICAAP. These reports indicated that the BNB had identified weaknesses in the process, methodology, risk coverage and usage of stress testing within some banks. EC14 The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. Description Under Ordinance 7, Article 6(6) where prices do not properly reflect risks in accordance with the and findings business model and risk strategy, the risk committee shall present a remedy plan to the supervisory re EC14 board or the management board (board of directors). During on-site inspections the supervisors are expected to check the bank's policy on pricing of products by in order to determine how the bank is positioned with respect to imbalances of interest periods, as prescribed in the RAS Manual. The assessors noted reports submitted to banks from the inspectors which criticized pricing and performance measurement. The internal pricing process in banks usually is not part of the main focus during on-site inspections and the overall SREP. Nevertheless, the adequacy of risk inclusion in the internal pricing is assessed as integral part of components under review (business segment/product of the assets/liabilities structure) with regard to its contribution to the bank’s profit/earnings capacity. In regard to the liquidity management in particular and funds transfer process in banks, the BNB has issued Guidelines for the allocation of costs and benefits related with liquidity. The BNB’s guidelines aim at promoting adequate and comprehensive pricing mechanism at banks, which includes all material costs, benefits and risks associated with liquidity; and establishment of appropriate incentives for prudent management of liquidity risk. Significant business activities of banks are subject to supervisory review during risk-based on-site inspections, including ICAAP and recently ILAAP, and to test whether the banks appropriately account for risks, evidenced by performance measurement reports, as well as in the new product approval process (documented in the internal rules and procedures). Additional criteria AC1 The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. Description All banks must comply with the Pillar 2 principles for the risk management organization and the Pillar and findings 2 framework requires banks to assess and address other material risks including reputational and re AC1 strategic risks. Additionally, under LCI Article 73a. (1) Banks shall have in place sound, effective and complete strate- gies and processes on an ongoing basis to assess and maintain the amount, types and distribution of internal capital that they consider adequate to cover the nature and level of all risks to which they are or might be exposed. Under the ICAAP Manual (item 4.2.10 Other risks): - Banks should identify all other risks they are exposed to. - Banks should at least consider but are not limited to the following types of risks: Strategic risk. Banks should consider the strategic risk with regard to the potential losses arising from incorrect management decisions, inappropriate implementation of decisions, or insufficient 126 BULGARIA responsiveness to changes in the business environment. Macroeconomic risk. Banks should consider their exposure to the risk arising from the possible adverse changes in the macro business environment that would impact its earnings and capital adequacy. That shall not be mistaken by the impact of external factors normally covered by credit risk, market risk, concentration risk and strategic risk. Reputational risk. Banks should also assess reputation risk from the point of view of a negative public opinion of its business practices and/or its business ties with specific clients that can be reflected in a loss of confidence in the bank’s moral integrity. Banks should assess internal capital coverage for the other risks listed above, but only if they consider that they are exposed to them. The BNB indicated that some banks attempted to analyze and allocate capital directly to reputational risk in the ICAAP process and reputational risk was a regular discussion. The assessors noted that reputational risk was included in the BNB ICAAP reviews. Also, the BNB indicated that it had, when necessary taken other actions such as directing an institution to reduce its range of products to address business/strategic risks. Assessment Largely Compliant of Principle 15 Comments The knowledge of the adequacy of risk management in the banking system, as with a number of other aspects of supervision, such as internal controls, rests significantly on the on-site inspection process. This practice, of course, mirrors the approach for many risks, including corporate governance as discussed in the previous principle. In common with the findings for CP14, it is the case that under the risk based approach and limitations of resources, the less systemic institutions will receive less frequent on site examination whilst being the very institutions who will find it hardest to attract good quality risk management professionals in a thin market place. These are also the institutions less likely to be able to establish a separate risk management unit. Another feature of the inspection process, and again echoing the findings in CP14, is that while reports and recommendations - the assessors had access to a range of the supervisory reports - comment on and address the quality of risk management including, for example, the quality of stress testing in the ICAAP process, the depth of analysis and attention paid to this dimension appears to be notably less than is paid to some individual risk areas. Consequently there is a risk that the overall risk governance culture and practice of an institution is does not receive sufficient focus from the supervisor – or potentially from the banks. Although the BNB forms a view on the quality of risk management, it was not clear to the assessors that the BNB was able to form a well founded view on the understanding and role of management and the supervisory board in the risk management and culture of the banks. In other words, although the assessors could observe that inspectors pay attention whether risk management structures are put in place and whether risk appetite, tolerance and limits are approved, the assessors did not see clear evidence that the inspectors were testing whether the substance as opposed to the form of risk management architecture and practices had been put into place. The BNB has made strides in terms of pushing banks towards developing recovery plans but at the time of the assessment, it has not yet been possible to assess the plans submitted by the banks and for the BNB to complete its analysis, building on its existing knowledge, to determine whether 127 BULGARIA contingency planning is sufficient. Recommendations o It is recommended that the BNB consider the proportion of resource dedicated to risk management – and internal control – in their on-site programs. o Again, as recommended in CP9 and CP14, horizontal reviews across the system are likely to be helpful, but in any case systematically greater attention on risk management is important, particularly given the developing state of the banking industry at present. The horizontal approach may assist both the banks and the inspectors to understand and benefit from the better practices and disseminate advice and requirements to banks as necessary. o As with CP14, and recognizing the relationship between the issues, Revise Ordinance 10 to confirm and enhance supervisory requirements in risk management. o As with CP14, and recognizing that these topics are considered together in the RAS Manual, review and refresh the Manual to provide greater guidance to inspectors in testing the quality of risk management within firms and in how to reflect their findings in the overall analysis, ratings and supervisory actions. Principle 16 Capital adequacy.54 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. Essential criteria EC 1 Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. Description and findings Bulgaria is subject to the legislative framework implementing Basel III in the EU, which was adopted re EC1 in June 2013. The package contains the Capital Requirements Regulation (CRR-regulation (EU) No 575/2013 of the European parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms), which is directly applicable to member countries, as well as the Capital Requirements Directive—CRD IV, which has been transposed into the national legislation in March 2014 and entered into force on March 25, 2014. The main domestic legal and regulatory provisions governing capital and risk management and other rules on the methods of calculation can be found in the LCI and other BNB regulations and ordinances. Banks are required to calculate and maintain at all times minimum own funds which 54 The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it. 128 BULGARIA cover: credit risk, trading book risk and operational risk, foreign-exchange risk, additional capital requirements as necessary in accordance with the LCI (qualifying participations) and requirements due to exceed of large exposure limits. Banks are obliged to have in place sound, effective and complete strategies and processes on an ongoing basis to assess and maintain the amount, types and distribution of internal capital that they consider adequate to cover the nature and level of all risks to which they are or might be exposed. (LCI, art. 73a). In addition, those strategies and processes need to be subject to regular internal review to ensure that they remain comprehensive and proportionate to the nature, scale and complexity of the activities of the institution. The norms are applicable to all banks and banking groups. Requirements on calculation of capital are set out in Article 93 section of the CRR, where general own funds shall be met at all times as follows: (a) CET1 4.5 percent; (b) Tier 1 capital ratio of 6.0 percent; and (c) Total capital ratio of 8 percent. Since Bulgaria is subject to the CRR, the qualifying components of capital can be found in the later. Article 26 defines the Common Equity Tier 1 items. The items are only recognized as Common Equity Tier 1 if they are available to the credit institution for unrestricted and immediate use to cover risks or losses as soon as these occur. Additional Tier 1 items are defined in article 51 of the same CRR. The items shall meet specific requirements laid down in article 52. Tier 2 items are defined in article 62. On average, the percentage of subordinated debt in capital in the banking system is 8.69%. It is noteworthy that capital instruments that were issued before end of 2011 and disqualified as capital instruments according to CRR can under certain conditions be grandfathered according to CRR. The approach chosen by of the BNB (and by other EU jurisdictions) is to apply the full grandfathering period available under the CRR (until 2022). It is also important to recall that the Basel Committee RCAP process on the implementation of the Basel II and III framework in the EU was found to be Largely Compliant for definition of capital, standardized approach for credit risk, securitization framework, standardized approach for market risk; Materially Non Compliant for the IRB approach for credit risk and Non Compliant for the counterparty credit risk framework. Article 103 (2), point 5 of the LCI provides BNB the ability to impose a specific Pillar 2 capital charge based on Bank’s risk profile and rating. The Pillar 2 process occurs at least annually and uses a number of inputs, including: results from supervisory activities throughout the year; ICAAP; annual accounts; report from the external auditor; results of the BNB’s stress testing; and analysis of supervisory reporting. In the context of the SREP, BNB will assess all of the inputs and will place a degree of reliance upon the ICAAP and the bank’s calculation of required capital. The bank shall monitor the levels of internal capital allocations by type of risk, and if their volume exceeds the approved limits, it is imperative to implement a clear action plan to restore the risk levels to acceptable values. In effect, in case of non-compliance with the own funds requirements, BNB is empowered to impose supervisory measures (LCI, art. 103 (1)) and apply sanctions, e.g., restricting distributions of dividends (art. 103 (2), point 12)), limiting certain activities (art. 103 (2), points 9 and 10)) as well as imposing capital increase (Article 103 (2), point 11). In practice, breaches of the regulatory minimum or situations warranting increase of capital have led the BNB to take supervisory actions as explained in CP 11. 129 BULGARIA In addition to subjecting banks to minimum capital requirements as defined by the EU Regulation abovementioned, Bulgaria has transposed into its regulatory regime (Ordinance No. 8 of 24 April 2014 on Banks’ Capital Buffers) the CRD IV which is intended to implement the Basel III agreement. As a result, the Bulgarian capital regime entails, at least in theory, a Capital conservation buffer (Section 1 of Ordinance No.8), a Countercyclical capital buffer (Section 2), a G-SIFI-buffer (Chapter 3 of Ordinance No.8) and a Systemic risk buffer (Chapter 4). As of today, only two capital buffers apply. The capital conservation buffer on the one hand which is the same for all credit institutions (2.5 % total risk exposure amount out of Common Equity Tier 1 capital55), and, on the other, a systemic risk buffer on 3% (of total risk weighted exposures located within the country out of Common Equity Tier 1 capital). This systemic buffer is not a Basel III requirement but it is the only way EU countries can require capital above the Basel minima across all banks (as opposed to, on a case by case basis, under pillar II). Unlike other EU countries, the implementation of the conservation buffer has not been phased in gradually but applied in full without regard for proposed transitional measures. The systemic risk buffer entered into force in October 2014, pursuant to the Decision №61 of the BNB Governing Council of 24 May 2014. Banks should regularly calculate the levels of these two buffers in conformity with art. 3, 12 and 13 of Regulation №8 of BNB on banks' capital buffers. These buffers are applied on an individual and consolidated basis, are to be maintained in addition to meeting the main capital requirements under the EU Reg. 575/2013 and should be calculated and presented by banks in the quarterly COREP reporting. Since none of the Bulgarian financial groups are identified as global SIFI, the G-SIFI capital buffer is not relevant for the time being. In conclusion, Banks are subject to a CAR of 13.5 % (8% minimum + 2.5% capital conservation buffer + 3% for systemic risk buffer). In practice, the total capital ratio for the whole banking system was 22.16% on September 30, 2014 with some banks exhibiting very high level (the lowest ratio was 14.57 %). Also, the actual risk-adjusted capital ratio for the whole banking system today (latest data available) is 19.47% for the CET1, 19.91% for the T1 ratio and 22.16% for the total capital ratio. It is worth noting that due to the necessity to implement the newly adopted EU Capital Requirements Directive and Capital Requirements Regulation serious changes in the LCI as well as in the relevant regulatory framework have been made. An example for such fundamental change is the dropping of Ordinance №9 that regulates the specific provisions for credit risk. EC2 At least for internationally active banks, 56 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. Description and findings CRR/CRD rules apply to all banks and do not distinguish between internationally active banks and re EC2 non-internationally active banks. Definitions of capital, risk coverage, method of calculation and 55. The Common Equity Tier 1 capital cannot be used for meeting the own funds requirement under Article 92 of Regulation (EU) No. 575/2013 56 The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis. 130 BULGARIA thresholds for the prescribed requirements are all defined in the CRR/CRD framework and banks are subject to the same definition of own funds, the same method of calculation and the same required ratio. There is only one financial conglomerate in Bulgaria but it is placed under the surveillance of the Financial Supevision Commission.. There is no methodology available for unregulated member of a group. EC3 The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)57 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. Description and findings Art. 103 (2), point 5 of the LCI empowers the BNB to impose a specific Pillar 2 capital charge. The re EC3 Pillar 2 process is well established in the BNB Supervisory Review and Evaluation Process Manual that provides further details on how to apply the LCI provisions. Typically the SREP is performed annually and a key input into the process is the ICAAP. Pursuant to art. 73a of the LCI, credit institutions have to perform an internal capital adequacy assessment process in order to ensure that the bank has adequate capital and has internal procedures to measure and manage the risks and on an ongoing basis assess and keep sufficient own funds to cover their risks. The BNB evaluates the ICAAPs of all credit institutions on an annual basis (art. 73c of the LCI). In addition, the ICAAP will be discussed in the course of onsite inspections. During the risk assessment process each main risk area is under consideration and the result of the credit institution's ICAAP is an integrated part of these risk assessments. The review covers the credit institution's material risk areas, risk management processes and systems of internal control. Stress-testing is part of the review process as well and is related to the credit institution's assessment of adequate capital (see EC 6 below). As stipulated in the ICAAP practical manual, BNB expects all banks, in their ICAAPs, to examine whether the regulatory capital requirements calculated under Pillar 1 reflect the true risk profile of the bank. If it turns out that calculations under Pillar 1 are insufficiently risk-sensitive, the bank shall define a better approach or at least determine a capital buffer in addition to the calculations under Pillar 1, in order to be able to better capture the impact of these risks on its earnings. Further, all credit institutions shall determine whether they need to set aside additional capital for Pillar 2 to cover risks not fully covered by Pillar 1 (e.g residual risk due to the use of credit risk mitigation (CRM) techniques, securitisation risk). As indicated in the LCI art 79 (2), the BNB is responsible for determining whether banks’ own funds and liquidity ensure a sound management and coverage of their risks. In that context, if the SREP shows weaknesses in capital adequacy or risk management, the BNB has the legal power to take appropriate action. The BNB can (i) impose a capital charge that is higher than the general own funds requirements, via a written order. In imposing the additional capital requirement, BNB staff will take into consideration several aspects, including a) the quantitative and qualitative aspects of the bank’s assessment process, b) the current adequacy of the bank’s internal rules and procedures for management and 57 Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006. 131 BULGARIA control, c) the outcome of the supervisory review. The capital “surcharge” can be imposed on a single credit institution or on a group of institutions with a similar risk profile, in order to cover a specific category of risks (LCI, article 79c (7)). (ii) The BNB can also require the credit institution to apply a specific provisioning policy or treatment of assets in terms of own funds requirements, (iii) limit particular activities, (iv) require the credit institution to improve its internal control and risk management frameworks, and oblige the bank to take appropriate actions to reduce its inherent risks, including revising their internal and risk management frameworks. In practice, the BNB has resorted to such actions several times over the past years. In the most extreme scenario, the BNB can withdraw a license under certain circumstances specified in the LCI including where the amount of bank’s own funds is negative (LCI, Article 36 (2)). Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements as prescribed by the CDR. EC4 The prescribed capital requirements reflect the risk profile and systemic importance of banks 58 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. Description and findings According to LCI, banks must have in place effective plans and procedures in order to determine on a re EC4 regular basis the amount, the composition and the distribution of capital necessary for the quantitative and qualitative coverage of all material risks from banking transactions and banking operations and to hold capital in the amount necessary. These plans and procedures must be based on the nature, scope and complexity of the banking transactions conducted. It is noteworthy that, in the EU context, the law cannot set higher overall adequacy ratio, except for the systemic risk buffers. A a result, while the BNB used to apply a minimum capital adequacy ratio of 12 percent, this requirement is now capped at 8 percent under the Capital Requirements Regulation. EC5 The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: (a) such assessments adhere to rigorous qualifying standards; (b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; (c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken; (d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it 58 In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses. 132 BULGARIA prudent to do so; and (e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval. Description According to the BNB manual for ICAAP, banks can choose between different methods for and findings computing the economic capital for each significant risk. As stated in the LCI, the BNB has to review re EC5 on a regular basis, and at least every 3 years, banks’ compliance with the requirements regarding approaches –subject to BNB approval- for the calculation of own funds requirements, with particular focus on changes in a bank’s business and implementation of those approaches to new products. In particular, the BNB will review and assess whether the bank uses well developed and up-to-date techniques and practices for using internal approaches. If a bank has received permission to apply internal approach but is no longer capable of meeting the requirements for applying that approach, the BNB is empowered to request the bank to: (i) demonstrate to the satisfaction of the BNB that the effect of non-compliance is immaterial; or (ii) to present a corrective plan along with a deadline for its implementation. The BNB can also require changes to that plan if it is unlikely to result in full compliance or if the deadline is inappropriate. If the bank is unlikely to be able to restore compliance with the requirements, the permission to use the internal approach can be revoked or limited to certain areas. During the interviews, the BNB indicated that BSD staff performs periodic desk review and on-site visits to assess that the bank conforms with the conditions for using internal models. There is one team within the CISD responsible for evaluating, approving and overseeing internal models. The team composed of 4 economists (a statistician just left) uses its own methods for the assessing the nature of the calculations performed by the banks in the computation of the required Pillar I capital and the capital adequacy. In Bulgaria, one bank was given BNB authorization in 2014 to use an advanced approach (AIRB) for measuring capital needs for credit risk, and another has been using the FIRB since 2010 (the bank is also waiting for getting the approval for AIRB). Two banks received the authorization (in 2011 and 2014) to use AMA for operational risk purposes. A third bank’s request to apply AMA for OR is being reviewed. None of the banks are using internal model approach for the calculation of market risk capital requirements. EC6 The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).59 The supervisor has the power to require banks: (a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and (b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. Description and findings With regard to the application and review of ICAAP for institutions and supervisors, Bulgaria has 59 “Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing. 133 BULGARIA re EC6 followed the principles issued by the CEBS (predecessor of EBA) in the “Guidelines on the Application of the Supervisory Review Process under Pillar 2,” published on 25 January 2006 and also applies the most recent EBA/GL/2014/13 Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP). These guidelines explain the approach to be adopted by institutions with regard to the introduction of ICAAP and identify the main components of the supervisory review process. In that context, the so-called BNB practical manual for ICAAP provides further details to banks on how to implement the ICAAP, particularly in light of specific issues applicable at local level. According to the BNB manual, (and in light of the EBA guidance abovementioned), the ICAAP should be forward looking. Bank’s ICAAP should take into account the institution’s strategic plans, for example the expected growth in lending, the dividend policy, future sources and utilisation of funds, etc. The same manual stipulates that the bank’s capital adequacy assessment process shall go hand in hand with its capital plan in terms of determining capital limits, drawing up plans to deal with differences and unexpected events (e.g., restrictions on business, looking for sources of additional capital, application of risk mitigation techniques, etc.). Stress tests are also part of the principle of the ICAAP being forward-looking. As part of the ICAAP, institutions shall comply with the BNB requirements for stress tests. As indicated in the BNB manual, capital planning plays an important role in the ICAAP as institutions shall have the capital required to cover risks not only at a certain point in time, but also in the near future. The stress-test results shall be taken into account when determining the future capital needs, and planned capital levels shall be sufficient to cope with recession. As a second step, after a review of the stress tests and the capital plan, within the supervisory review and evaluation process the institution may be required to set aside additional capital if in its ICAAP it has not taken into account the capital needs identified by stress tests and/or the capital plan, or if these procedures do not meet BNB’s expectations. The additional capital requirement shall be calculated on the basis of the results of the stress tests and the capital planning. In practice, the CISD verifies at least annually through on-site visits the quality of banks’ stress- testing. AC1 For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks. Description The BNB applies the capital rules consistently across all banks according to the CRR/CRD rules. The and findings Regulation (EU) № 575/2013 does not distinguish between internationally and non -internationally re AC1 active banks. AC2 The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.60 Description The consolidation rules are those prescribed in the CRR. and findings For financial groups, capital requirements apply at the consolidated and sub-consolidated level and re AC2 at single entity level (Articles 7 and 11 of Regulation (EU) № 575/2013). This ensures that capital is 60 Please refer to Principle 12, Essential Criterion 7. 134 BULGARIA distributed to important subsidiaries such as banks within the group to meet their regulatory minimum at solo-basis. Assessment Compliant of Principle 16 Comments Bulgaria applies the capital requirements as set forth in the EU CRR and has transposed the EU Directive (CRDIV) into its domestic regime through the LCI and Ordinance No. 8 of the BNB on Banks’ Capital Buffers. The assessors note that the Basel Committee RCAP process on the implementation of the Basel II and III framework in the EU was found to be materially non compliant. The assessors also note, however, that the elements which contributed most significantly to the RCAP findings are not strongly pertinent in the context of the Bulgarian market. On the other hand, Bulgarian banks exhibit high capital levels. It is worthwhile noting that the recent changes to the EU framework have, however, removed some flexibility from the supervisory authority. Previously the BNB applied a minimum capital adequacy ratio of 12 percent, but this requirement is now capped at 8 percent under the Capital Requirements Regulation. In response, and at a period of heightened systemic stress, the BNB has “frontloaded” capital buffers so that the capital conservation buffer and the systemic risk buffer are both currently in force. Yet there has been a case where despite multiple orders from the BNB, an institution has failed to comply with the Central Bank instructions to address capital problems. In 2004, the BNB warned that despite the capital base increase, the capital adequacy of the said bank would fall below the regulatory minimum level “under an adequate credit risk assesement” and that again, the institution needs to increase its capital. In light of this example, assessors are of the view that the BNB needs to take more forceful measures and be more persistent to ensure that the capital is increased at appropriate level.. In that particular case, moral suasion has not been proven effective (see discussion under CP 11). The mission also discussed with the authorities the irregularities found by an external comprehensive audit (commissioned by the BNB in June 2014) in the KTB’s capital adequacy in the wake of the bank’s collapse. The audit revealed, among other things, that a significant portion of the capital increase between October 2011 and March 2014 was financed through loans originating from KTB itself. The BNB pointed out that KTB management lied to the supervisor. While the national regulation in force until end-2013 did not forbid this practice, the BNB requested all banks to sign a letter confirming that the capital was not stemming from depositors money. The BNB expressed confidence about the absence of such practice elsewhere in the industry. Principle 17 Credit risk.61 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic 61 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 135 BULGARIA conditions. This includes prudent policies and processes to identify measure, evaluate, monitor, report and control or mitigate credit risk62 (including counterparty credit risk)63 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. Essential criteria EC1 Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. Description The general framework regarding the management of credit risks (including counterparty credit risk) and findings is laid down in Ordinance 7 of the BNB and more specifically in Chapter 3, Article 7. Banks are re EC1 required to have appropriate procedures for monitoring credit risks and procedures for risk management in the field of credit risk. More specifically, credit-granting by the bank must be based on sound and well-defined criteria as the process for approving, amending, renewing, and re- financing credits is clearly established. Moreover, the bank must have internal methodologies that enable it to assess the credit risk of: 1. exposures to individual obligors; 2. securities positions; 3. securitisation exposures; and 4. credit risk at the portfolio level. Banks are also required to use effective systems for ongoing administration and monitoring of the various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments. For each exposure, the bank must maintain documentation which contains all material conditions and circumstances of the transaction, as well as information on the evaluation and establishment of the credit risk adjustment. Internal methodologies for credit risk assessment shall not rely solely or mechanically on external credit ratings. In addition, the main requirements for the risk management and governance of the banks are set in the LCI in Article 73. (1)(4-7), and detailed requirements regarding credit origination set in Art 73(4). The requirements, applying to all risk areas of a bank in Art 73(1) of LCI requires the competent managing body of each bank to adopt and regularly review “in accordance with the best internationally recognized practices for corporate governance of banks ” and include the following elements: the organizational structure, procedures for defining and delegating powers and responsibilities, the strategies and policies for taking up, managing, monitoring and mitigating the risks the bank is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle; the procedure for generating and the scope of the management information; the operational control organisation, including rules and 62 Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities. 63 Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments. 136 BULGARIA procedures for approving, carrying out and reporting transactions; the internal rules and procedures for risk management and control systems efficiency and for reporting the established weaknesses in the organization and work of structural units. The BNB refers to the Basel Principles of Corporate Governance Principles for Banks and also OECD principles in terms of establishing best practice. Under LCI Art 73 (4) Banks must have internal rules and procedures governing credit risk which includes, at a minimum: 1. information required from the credit applicant; 2. method of assessing the creditworthiness of the applicant (and his guarantors); 3. method of evaluating the offered collateral; 4. method of evaluating the efficiency of the project offered to be funded with the credit; 5. the decision making methodology for extension of a credit, in accordance with its type; 6. intended use and repayment of the credit; 7. how the bank will control the use of the credit according to the purpose for granting it, the current financial position of the borrower and any guarantors, and the adequacy of the collateral; 8. the various types of credit granted as well as sanctions and the procedure for imposing them. Technical criteria that must comply with the policy of the banks for risk management and risk control and the requirements for the managing and organizational structure of the bank are determined in an ordinance issued by the BNB. On the supervisor’s side, the core of onsite credit risk inspections is a review of extensive samples of the bank’s credit files – at the time of the assessment the BNB indicated that approximately 20 to 25 percent of the loan portfolio would be reviewed. The assessors saw pre-inspection letters requiring banks to provide extensive reports and data on the credit portfolio. Banks are required to provide additional information, including specific loan files during the course of the inspection. In the course of the inspection, the supervisors seek to assess whether the bank is compliant with the regulations and rules noted above. Samples are extensive and focused on potential problem areas for a particular bank. At onsite credit inspections the supervisors receive the ba nk’s credit policy, selected credit procedures, such as procedures for individual and collective impairment, procedures for valuation of collateral values, procedures for handling of weak exposes, procedures for risk classification etc. In connection with the review of the samples of credit files the supervisors examine the bank’s compliance with the bank’s credit policy and the procedures regarding credit risk. At onsite inspections supervisors also have meetings with the board of management, the management of the credit department, and in major banks, employees working on IRB matters (where relevant – only two banks have an IRB authorization). The bank’s risk appetite, credit procedures, changes in the credit organization is discussed at these meetings. Additionally, the internal RAS Manual provides clear guidance to the inspectors in terms of their objectives and procedures in assessing the banks’ risk management systems, internal controls and assessing the banks’ consistency with its own stated business o bjectives and procedures. As a part of the credit risk analysis and to assess the quality of control over the credit risk, inspectors are expected to focus on the strategy of the bank, the internal controls, approved competencies and limits, as well as management's ability to identify and manage risks within the bank in a timely fashion. Supervisors’ analysis should be based on a comprehensive assessment of the trends, changes and growth rates in all aspects of lending, effectiveness of the internal policies, procedures and internal control mechanisms, methods to identify potential and existing problems, inside self- assessment of credit institutions, applied provisioning policy and others. 137 BULGARIA As a part of the credit risk analysis and depending on the approach applied (ie on-site or off-site) inspectors should assess both the level of risk taken, and the quality of internal controls and management systems. The off-site analysis aims to identify in quantitative way credit risk (growth rates, trends, changes in the internal structure of assets and loan portfolio, etc.). The assessment should be supplemented by analysis of the reasons leading to significant changes. The aim of on-site inspections is to provide a qualitative assessment of the credit risk based on the development strategy, established internal controls and management's ability to identify and manage risk in a timely and effective manner. EC2 The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,64 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. Description Ordinance 7 (Art 2), requires the Board to approve and periodically review the strategies and policies, and findings referred to under Art 73(1) of the LCI in respect of taking up, managing, monitoring and mitigating re EC2 the risks to which the bank is or might be exposed, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle. The BNB is supported in its ability to gather information as the LCI (Art 72(1)) prescribes that: A bank shall submit to the BNB copies of its Statute, regulations, instructions, and other documents containing provisions regarding the scope and procedures for conducting operations, the capital and the internal organisation of the bank, within 10 days following their adoption, or after amending or supplementing them. The adequacy of the credit risk policy and processes are verified through the on-site inspection process. The inspection reports comment heavily on the role of management in ensuring effective credit risk management and control. The assessors identified criticism of the management and supervisory boards within inspection reports in relation to this criterion. EC3 The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: (a) a well documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; (d) effective information systems for accurate and timely identification, aggregation and 64 “Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments. 138 BULGARIA reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; (e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits. Description The law and ordinances provide a sound framework for the approach to credit risk environment, with and findings some potential gaps. The key legal references which are the basis for the requirements are noted re EC3 below: Ordinance 7, Art 7 (1) Credit-granting of the bank shall be based on sound and well defined criteria as the process for approving, amending, renewing, and re-financing credits is clearly established. (2) The bank shall have internal methodologies that enable it to assess the credit risk of: 1. exposures to individual obligors; 2. securities positions; 3. securitisation exposures; and 4. credit risk at the portfolio level. (3) The bank shall use effective systems for ongoing administration and monitoring of the various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments. (4) For each exposure, the bank shall maintain an exhaustive documentation which contains all material conditions and circumstances of the transaction, as well as information for the evaluation and establishment of the credit risk adjustment. (5) Internal methodologies for credit risk assessment shall not rely solely or mechanically on external credit ratings. (6) Where capital requirements are based on a rating by an external credit assessment institution (ECAI) or based on the fact that an exposure is unrated, this shall not exempt the bank from additionally considering other relevant information for assessing its allocation of internal capital. (7) Diversification of credit portfolios is adequate g iven the bank’s target markets and overall credit strategy. LCI Art 73(1) 4. the strategies and policies for taking up, managing, monitoring and mitigating the risks the bank is or might be exposed to[…]; 5. the procedure for generating and the scope of the management information; 6. the operational control organization, including rules and procedures for approving, carrying out and reporting transactions; 7. the internal rules and procedures for risk management and control systems […] 139 BULGARIA LCI Art 73(4) Banks shall adopt rules for their credit activities, which shall contain at least: 1. the information required from the credit applicant; 2. the way of assessing the creditworthiness of the applicant (and his guarantors); 3. the way of evaluating the offered collateral; 4. the way of evaluating the efficiency of the project offered to be funded with the credit; 5. the procedure for making a decision on the extension of a credit, in accordance with its type; LCI Art 68 A bank shall create and keep credit files of any customer credit, containing data about the customer, the grounds for, the terms and conditions and the amount of the credit and its collateral, the decision of the competent authority for the extension of the credit and any other information in relation to the conclusion of the contract and the performance thereof. The assessors were able to review a number of inspection files, including the initial reports, and the detailed letters and submissions following the inspection to the banks. The assessors noted references, discussions and recommendations made, in these reports, to all the elements of this criterion. EC4 The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. Description The LCI supports banks in tracking the overall indebtedness of their clients as, under Article 56, the and findings BNB maintains a database of customers’ financial obligations to: re EC4 1. banks 2. persons 3. payment institutions and electronic money institutions Banks have right of access to this database. As noted in earlier CPs, the threshold for reporting a credit to the register is as low as 1000 Bulgarian leva. There are over 4 million exposures registered, providing significant coverage of the overall credit exposure in the system and the BNB checks to identify the usage of the register by the banks. Additionally the internal RAS Manual prescribes a number of questions to be posed during an on-site inspection (page 45). These questions specifically address the extent to which the bank has written detailed and updated information on the total indebtedness of the borrower; whether the credit officers familiar with the structure and repayment schedules of these obligations; whether the bank monitors the cash outflows of the borrower and his liquidity position; and whether the bank uses specific ratios to measure and limit credit risk, such as credit debt / equity of the borrower. FX risk is minimal in the Bulgarian system – primarily driven by supporting commercial import-export activity - and is addressed through risk weighting of the net open position. EC5 The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. Description The LCI devotes a chapter to the issue of conflict of interest (Chapter Six). The articles in this chapter and findings (Arts 51-54) provide that relationships and business interests (widely defined) must be disclosed to 140 BULGARIA re EC5 the bank, that persons with potential conflict of interest should be excluded from negotiations, and banks are under the obligation to ensure that the interests of the customer will take precedent over the interests of the individual with a potential conflict of interest (should this arise). Transactions which do not respect these requirements can be declared null and void. Finally, an individual who acted in violation of the law can be dismissed by the BNB, and the bank must adopt rules to establish a procedure for disclosing conflicts of interest. Also, related party lending, which is examined under CP 20, is governed by Article 45 of the LCI. The internal RAS Manual provides detail on how inspectors should examine conflicts of interest within a given bank, to assess whether the terms of Articles 51-54 of the LCI are met. In terms of checking the practice of the institution the supervisor has to make a written report, including a short comment on all cases where limits for internal or large exposures have been broken. All credit risk concentrations to customers where there are indications of informal connections have to be noted and analyzed. The BNB indicated that takes any indications of informal connections and prohibited concentrations to shareholders of the bank particularly seriously and should such practices be identified the rating for management is decreased. The BNB noted that one practice undertaken is to verify the list of administrators (a defined term under the LCI, which includes all members of the management and supervisory boards) and members of the relevant risk and management committees to look for connections. EC6 The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. Description Where a credit exceeds 10 percent of capital, the threshold set by the CRR (Art 392 “definition of a and findings large exposure”), the LCI (Art 44) requires that approval must be obtained from the Board. In cases re EC6 where the exposure exceeds 15 percent of the capital base, this approval must be unanimous. The restrictions on exposures to related parties set out in Art 45 of the LCI also mean that any potential for such exposures must be considered by the Board. The BNB indicated that banks will typically have both absolute and relative limits for the size of credit exposure that must be decided by the board or senior management. The hierarchy of approval limits are normally set out in the credit policies. Conformity with these policies is checked during the on- site inspections. The assessors saw indications of this in the inspection files. EC7 The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. Description The LCI provides extensive information gathering powers to the BNB, which has full access to and findings information, relevant staff and the premises of the bank. LCI Article 80, is noted below. re EC7 The BNB shall have the right to require banks and, when applicable financial holding companies, mixed financial holding companies and their shareholders or partners to submit to it all the relevant accounting and other documents, and any information on their activities, and to conduct on-site inspections through the employees and other persons authorised by it, and to investigate possible breaches of those requirements. For the consolidated supervision performance, the BNB may require parent companies and banks’ subsidiaries to provide all the relevant documents and information, as well as right for free access The BNB shall have the right to: 141 BULGARIA 1. free access to the office premises and information systems of the persons conducting banking activity; 2. demand documents and collect information in relation to the performance of the task assigned; 3. appoint external independent experts (at the expense of the bank); 4. appoint an external auditor for a bank, who will carry out a financial or other type of audit (at the expense of the bank); 5. conduct counter examinations in other bank and non-bank undertakings; 6. attend the meetings of the managing and controlling bodies of banks and express opinions that are to be written down in the minutes of the meeting; 7. demand copies of documents verified by the persons under Article 10, paragraph 1 or a person authorised by them and determine the term of their submission. 8. require explanations from banks and persons referred to in paragraph 6 as well as of their agents or employees; 9. ask questions of any other person who consents to, in order to gather information related to the subject of the inspection. EC8 The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. Description The CRR (Art 177) requires all banks to have sound stress testing processes for use in the assessment and findings of capital adequacy. According to this provision, testing must involve identifying possible events or re EC8 future changes in economic conditions that could have unfavourable effects on an institution's credit exposures and assessment of the institution's ability to withstand such changes. Moreover each institution must regularly perform a credit risk stress test to assess the effect of certain specific conditions on its total capital requirements for credit risk. The test is chosen by the institution, and is subject to supervisory review. The test is required to be meaningful and consider the effects of severe, but plausible, recession scenarios. An institution must assess migration in its ratings under the stress test scenarios. Stressed portfolios must contain the vast majority of an institution's total exposure. The BNB can, and, based on the assessors’ review of inspection reports, has required banks to be more stringent in their assessment of credit risk, when calculating potential losses stemming from credit exposures , for example by issuing letters on behalf of the Deputy Governor in charge of the Banking Supervision Department. Such requirements are based on the comparison between the top- down and the bottom-up outcome of the regular stress-test exercises of the banking system. The BNB has also issued Guidelines on Stress Testing, based on GL32 issued by CEBS. According to both documents stress testing programmes should encompass all the material risks (both on and off-balance sheet) relevant for the banking group. To be effective, stress testing should consist of a multi-layered approach to capture risks at various levels in an institution. In this regard, according to the proportionality principle, the scope of stress testing could vary from simple portfolio level sensitivity analyses to comprehensive firm-wide scenario stress testing referring to the broadest perimeter. Furthermore stress scenarios should address all the material risk types of an institution (e.g., credit risk, market risk, operational risk, interest rate risk and liquidity risk). No material risk type should be left unconsidered. The various stress tests on credit risk performed by the banks are subject of on-site and off-site checks. 142 BULGARIA As a broader point, and noted in CP 9, the BNB applies macro prudential stress tests to examine vulnerabilities in the credit system in Bulgarian banks. Assessment Compliant of Principle 17 Comment It is important to bear in mind that an assessment of the principle on Credit Risk is not an assessment of the quality of credit in a jurisdiction, but rather of the quality of the supervisory oversight of credit risk. It is also important to be aware that there are particular vulnerabilities and potential weaknesses to consider, despite the compliant grade. These weaknesses are, however, addressed under the relevant Core Principles and the grades are reflected in these related CPs. Credit risk is the most significant risk factor in the Bulgarian banking sector. The framework of laws and requirements are comprehensive and the inspection teams have a very close focus on the entire credit risk function within the banks. The assessors heard frequent praise from market participants for the experience, quality and assiduousness of the BNB inspectors in their on site work assessing credit risk. The assessors were able to review inspection reports and observe the high attention to detail. The inspectors were able routinely to identify anomalies and breaches of banks’ internal policies and procedures as well as regulatory violations. The vulnerabilities relate to the quality of board engagement and oversight of the credit risk activity, the presence and potential impact of related party lending (whether connected to the bank or between the clients of the banks), and of concentrations and breaches of limits. These issues are considered under corporate governance (CP14), related parties (CP20) and concentration risk (CP19). Additionally, there is a concern that although the BNB is clearly capable of a very high standard of credit risk oversight, its practices may not be consistent across all inspection teams due to the manner in which the inspection teams are organized. This point is considered under supervisory techniques (CP9). Principle 18 Problem assets, provisions and reserves.65 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves. 66 Essential criteria EC1 Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. Description Banks in Bulgaria are required to use effective systems for ongoing administration and monitoring of and findings the various credit risk-bearing portfolios and exposures, including for identifying and managing re EC1 problem credits and for making adequate value adjustments (Ordinance 7 on organisation and risk management of banks, Art 7 (3)). 65 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 66 Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit). 143 BULGARIA The requirements for loan loss provisioning are based on the IAS/IFRS framework, which is applied on a mandatory basis for all banks under the Law on Accountancy. The BNB considers problem assets in the context of the SREP and the BNB has the power to require additional capital under Pillar 2. The legal basis for this approach is through the LCI (Article 103 (2), point 20). In assessing problem loans, the BNB also uses the criteria for non-performing exposures, stipulated in the Implementing Technical Standard (ITS) on Supervisory Reporting (Forbearance and non- performing exposures). EC2 The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with th e supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes Description Examining whether banks possess and implement adequate policies and procedures for grading and and findings classifying assets, as well as applying conservative provisioning policies are designed to be key re EC2 elements of both on-site and off-site activities of the BNB. In the process of preparing on-site inspections, standardized letters with the preliminary information that is required are sent to the examined banks. The submission banks are required to make ahead of the inspection may include: • Copy of the provisioning policy. Also a description of the procedures applied for the calculation of impairment according IAS 39 as well as collateral types and discounting rates of the collateral values used in the calculation of projected cash flows. • Information about exposures where forbearance has been exercised. The assessors were able to review a number of the data request letters and noted that a range of information on the type and quality (including migration in quality) of exposures was requested. It was not possible to determine clearly that specific information was required on exposures where forbearance had been exercised by the bank, though this may have reflected the introduction of the monthly FINREP template 19, on exposures subject to forbearance measures, which had previously been reported under the terms of Ordinance 9. The RAS Manual of the BNB requires inspectors to assess the adequacy of commercial banks’ credit processes. This includes: • Asset quality and loan portfolio. Share of NPL (overdue more than 90 days), conformity with the rating system of the assessed bank, degree of impairment of NPL (coverage ratio). Internal systems for timely identification and collection of problem assets. • Loan portfolio distribution according to the internal rating system, migration matrix, share of loans with good ratings including whether the bank maintain satisfactory levels of provisioning (impairment) for these loans. The supervisory analysis is expected to be based on a comprehensive assessment of the trends, growth rates, changes in all possible aspects of lending and asset quality, effectiveness of the internal policies, procedures and internal control mechanisms, methods to identify potential and existing problems, self-assessment, applied provisioning policy and others. During an on-site inspection the inspector must provide an opinion on the main aspects of the credit activity of the bank, including problem assets. Documentation to support this assessment includes: distribution of the loan portfolio by rating classes, portfolio quality - default rate, policy and methodology for impairment and provisioning, migration matrix, etc. The Manual also prescribes 144 BULGARIA mandatory review of the minutes of the meetings of the Credit Committee, Provisioning Committee, Risk Committee etc. If necessary, minutes of other units whose activity is related to the credit risk management (eg. ALCO.) can be reviewed. The onsite inspection will also include an assessment of the activities of all relevant units in the credit process including granting credit approvals, provisioning of risk exposures and workout units. BNB does not use external expert support in assessing banks’ internal policies and procedures. EC3 The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.67 Description For purposes of supervisory reporting, the BNB is required to adopt the EU treatment laid out in the and findings ITS on Forbearance and non-performing exposures. The draft ITS was finalized by the EBA in July re EC3 2014 and adopted by the EC in February 2015 though had been applied by the BNB since the third quarter of 2014. According to the ITS the term “exposures” used for classification and provisioning purposes includes all debt instruments (loans and advances and debt securities) and off-balance sheet exposures, except held for trading exposures. Off-balance sheet exposures comprise the following revocable and irrevocable items: loan commitments given, financial guarantees given, and other commitments given. The BNB uses onsite inspections to determine the treatment of off-balance sheet commitments. Banks are required to provide a list of all off-balance sheet commitments for review during on-site inspections. Such exposures are at a low level in the Bulgarian banking system. EC4 The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. Description The assessment of policies and processes on provisions and write-offs is carried out through on-site and findings review. re EC4 The BNB indicated that information requests sent prior to an on-site inspection, include documentation setting out rules, policies and procedures for management of lending, including the hierarchy for granting, negotiation and restructuring of loans as well as rules for evaluation and provisioning of risk exposures and collateral policy. The assessors saw some evidence of this, but more commonly it appeared that a general request on internal governance and committees was requested. The BNB and other market participants confirmed that the environment for realizing collateral is poor in Bulgaria, leading to extended legal work-out, and thus discouraging banks from acting on the problem loans. The BNB commented that it was common to challenge the banks in meetings with the chief credit risk officers in terms of timely recognition and realistic recovery values. EC5 The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a 67 It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled. 145 BULGARIA minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). Description The RAS Manual sets out extensive documentation requirements that banks must provide to the BNB and findings for assessment and evaluation. re EC5 Inspectors using the internal RAS Manual will examine minutes from risk committees or work out units (etc) during on-site inspection. The bank is also required to make available all lending rules, policies and procedures, including the scale of competence for the granting, negotiation and restructuring of loans as well as rules for assessment and provisioning of risk exposures and collateral policy. Other documents which the supervisors require and examine during on-site inspections are: • Summary report on the activity of the unit collecting past due obligations • Plans for the activity of the workout (deteriorated assets management) and collection units for the recent year. • Information on the legal proceedings and tenders for sale of real estate. • Summary report on the distribution of internal ratings of borrowers • Information on the existing programs for renegotiation and restructuring of loans including parameters of the programs and their duration. Plans for portfolio restructuring. • Information on “performing forbearance exposures” and “non-performing forbearance exposures.” Verification of the quality of the bank’s processes is made during the on -site inspection. Banks are expected to have Risk and Provisioning Committees (or similar), workout units and other divisions dedicated to dealing with deteriorating assets. The BNB indicated that all banks have a work out unit. The BNB noted that they identified misclassification in the course of on-site work. The assessors noted follow up reports and recommendations to banks requiring misclassification to be remedied. EC6 The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. Description In addition to the information noted in EC5, banks are obliged to submit information on asset and findings classification and provisioning: re EC6 Sinc• Since September 2014 data has been submitted according to FINREP and the ITS ( Regulation 680/2014) ie table 19 of FINREP • For a transitional period, while there is parallel run between the former BNB reporting and the new FINREP requirements banks had to submit information on their specific provisions for credit risk according to the standards set out in the now repealed Ordinance 9 of the BNB, covering the period end 2013 to end 2014. This information included description of the reasons leading to their reduction, according to banks’ individual reduction plans. • Information on the distribution of loans is by product type and exposure classification. 146 BULGARIA Supporting documentation is reviewed in the context of on-site inspections. EC7 The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. Description The internal RAS Manual prescribes steps for assessing whether assets classification and provisioning and findings are adequate for prudential purposes. re EC7 First the supervisor has to decide whether accrued impairment losses (IAS) of risk exposures are allocated in accordance with regulatory requirements. The assessment is to be based on the direct examination of a sample of credit files and positions in the loan portfolio and is focused on four main areas: • Analysis of sources of income (incl. volume of turnover and the amount of average daily balances on current accounts of customers within the bank.); • Utilization and targeted spending of the credit (tracking of the cash flow of the credit, analysis of the counterparties - recipients of the funds, availability of invoices and / or other documents for target utilization, ongoing monitoring of the implementation of investment projects, etc.); • Analysis of the financial position of the company; Availability of past due obligations • Quality of ongoing monitoring of credit transactions; Based on the findings of this analysis the supervisor may need to recommend an increase in provisioning or an adjustment to asset classification. If the bank does not consent to make the recommended changes, the supervisor must submit a written report to the DG responsible for the Banking Supervision Department, who has the right to undertake remedial measures (please see CP11). As noted above the BNB aims to review 20 to 25 percent of the loan portfolio and instances of misclassification are not uncommon. The assessors were able to review five years of formal and informal measures issued by the BNB in which it was possible to note that misclassification of assets has been regularly identified. EC8 The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. Description Banks are subject to the requirements of the CRR, including Chapter 4 – Credit Risk mitigation and and findings the BNB examines if these requirements are met during the on-site inspections. The CRR requires, re EC8 inter alia, that there be regular checks on the valuation of credit risk mitigants (eg Art 207(4)(d) in respect of financial collateral). The assets that are eligible to be recognized in the context of funded credit risk mitigation, moreover, are limited to those assets identified in the EBA RTS pursuant to Art 194(10) of the CRR. In the course of the on-site inspections of credit files, the following documents are reviewed: • Collateral documentation (mortgage, encumbrance certificate, pledge contract, financial collateral arrangement, certificate for the record to the register, etc.); • Last appraisal of the accepted collateral and its insurance. 147 BULGARIA Real estate is the predominant form of collateral taken by banks in Bulgaria who use the services of real estate agencies or their own internal banking units for making real-estate appraisals. Guarantees are little used in the Bulgarian system, according to the BNB and are not accepted for purposes of credit risk mitigation unless they are sovereign guarantees. Where banks are approved for IRB, the inspectors carry out analysis to meet the requirements of Articles 197 -199 and 208 of the CRR. This assessment includes verification of the eligible collateral (market and realization values) that has been accepted and confirming the existence of insurance. The assessors noted that a range of information connected with the presence and valuation of collateral is required from banks prior to an inspection. The inspectors explained a number of their techniques for checking collateral valuation. EC9 Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected). Description Identification of an asset as a problem one and criteria for its reclassification as performing are based and findings on the requirements of the Implementing Technical Standard (ITS) on forbearance and non- re EC9 performing exposures. The final draft ITS submitted to the European Commission by the EBA was adopted on 9 January 2015 and published in the Official Journal on 20 February 2015. The final text is noted below. The interim “draft” version has, however, been in use in Bulgaria alo ng with the other EU member states. The two texts are almost identical with the exception of the reference to the applicable accounting framework and Article 178 of the CRR EBA FINAL draft Implementing Technical Standards On Supervisory reporting on forbearance and non-performing exposures under article 99(4) of Regulation (EU) No 575/2013. 156. Exposures may be considered to have ceased being non-performing when all of the following conditions are met: (a) the exposure meets the exit criteria applied by the reporting institution for the discontinuation of the impairment and default classification; (b) the situation of the debtor has improved to the extent that full repayment, according to the original or when applicable the modified conditions, is likely to be made; (c) the debtor does not have any amount past-due by more than 90 days. The ITS on reclassification: Commission Implementing Regulation (EU) 2015/227of 9 January 2015 (which amends Implementing Regulation (EU) 680/2014) Exposures shall be considered to have ceased being non-performing when all of the following conditions are met: (a) the exposure meets the exit criteria applied by the reporting institution for the discontinuation of the impairment and default classification; (b) the situation of the debtor has improved to the extent that full repayment, according to the original or when applicable the modified conditions, is likely to be made; 148 BULGARIA (c) the debtor does not have any amount past-due by more than 90 days. An exposure shall remain classified as non-performing while those conditions are not met, even though the exposure has already met the discontinuation criteria applied by the reporting institution for the impairment and default classification according to the applicable accounting framework and Article 178 of CRR respectively. ITS on Non performing exposures For the purpose of template 18, non-performing exposures are those that satisfy any of the following criteria: (a) material exposures which are more than 90 days past due; (b) the debtor is assessed as unlikely to pay its credit obligations in full without realisation of collateral, regardless of the existence of any past due amount or of the number of days past due. It also may be noted that Article 178 of the CRR itself sets out when the default of an obligor is considered to have occurred. The CRR includes the concepts of the lending institution considering that the obligor is unlikely to pay and also where the obligor is past due more than 90 days on any material credit obligation to the institution, the parent undertaking or any of its subsidiaries. The CRR permits some national discretion eg in relation to residential mortgage loans, SMEs, commercial real estate and public sector entities. EC10 The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. Description As mentioned above Banks are expected to have Risk and Provisioning Committees (or similar having and findings in mind the proportionality principle) which usually include members of the bank’s Board and which re EC10 deal with the management of provisions. Extracts from the minutes of the meetings of these Boards are examined during on-site inspections. According to the internal RAS Manual the inspectors must assess the MIS (Management Information System) during on-site examinations. Among the main aspects of the MIS assessment is the information flow to the Management Board concerning credit risk, asset quality etc. EC11 The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. Description According to IAS 39 banks are required to assess whether there is objective evidence of impairments and findings on their loans. The assessment shall be made individually for all loans of significant size. According to re EC11 ITS on forbearance and non-performing exposures materiality shall be assessed in accordance with Article 178 of the CRR, which states (Art 178(2)(d)): “(d) materiality of a credit obligation past due shall be assessed against a threshold, defined by the competent authorities. This threshold shall reflect a level of risk that the competent authority considers to be reasonable;” The materiality threshold is set out in Ordinance No.7, Article 28. “Materiality threshold in relation to Article 178, paragraph 2, point (d) of Regulation (EU) No 575/2013 shall be, as follows: 149 BULGARIA 1. 5% of the installment due, but no more than BGN 100 for retail exposures; 2. 5% of the installment due, but no more than BGN 1000 for all other exposures.” On-site inspections are expected to conduct an in-depth analysis of the provisioning policies of the banks including all thresholds and provisioning rules for loans of significant size. The assessors noted that the on-site inspections had identified concerns relating to the performance and management of significant exposures in banks’ portfolios. EC12 The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. Description Credit risk is subject to top-down stress testing that has been performed by Macro-prudential and findings Supervision and Financial Stability Directorate (MPSFS) since 2002. re EC12 The techniques employed for top-down stress testing of credit risk have been updated regularly since their introduction. In 2009 for example a ST simulation was added which based on the correlation between the GDP growth rate and the dynamic of the adversely classified loans. On several occasions, credit risk stress testing was simulated using country specific stressed parameters (PDs, LGDs or LRs) provided by ECB under the scenarios for EBA EU-wide stress tests. The latest simulation of this type was organized by MPSFS in the second half of 2014. Assessment Largely Compliant of Principle 18 Comments The BNB does not have direct power to reclassify assets , other than through prudential reporting and/or increase provisions, although it may recommend that banks should do so. Nor may the BNB challenge (meaning overrule) a provisioning decision made by the bank. The BNB’s remaining powers are to reclassify assets for prudential purposes or apply higher capital, using a Pillar 2 process, which to date the BNB has not exercised although the assessors noted inspection reports that reflected concerns with under provisioning in individual banks. With the introduction of the CRR/CRDIV package and the implementation of the associated Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), the BNB has had to revoke its former Ordinance 9 which governed asset classification and provisioning for prudential purposes. The Ordinance lapsed at end 2014. The effect of the transition from the former Ordinance 9 to the IFRS approach was the release of approximately 2bn Leva in capital in the banking system. The BNB informed the banks at the end of 2013 that it did not expect the banks to make use of the uplift in their capital until the underlying problem exposures to which the provisions had previously been allocated had been fully resolved. The BNB has been and will continue to monitor the development of these loans. Although the BNB is now bound by the new reporting standards, it is retaining some data submission on the Ordinance 9 format for macro prudential purposes. The environment for valuing and realizing collateral in Bulgaria is difficult. Legal proceedings are slow and the assessors noted that there are clear incentives for banks to try to hold loans as long as 150 BULGARIA possible in the hopes that collateral values will increase. Recent rating agency comments have noted that real estate values have only recently been stabilizing following the financial crisis period and demand remains weak , so banks’ incentives are unlikely to change in the near future. In this context the BNB also noted that commercial real estate was not accepted as collateral until the introduction of the CRR. The greater limitations placed on the powers of the BNB in relation to its former practices in respect of problem assets and provisioning, coupled with the changes to data reported (FINREP on forbearance and problem assets) puts an ever greater premium on the on-site examinations of banks in order to ensure that banks are identifying, migrating and valuing assets correctly including making timely moves to foreclose on loans and execute collateral. It is clear that the BNB inspectors have identified a range of issues related to NPLs and provisioning. Misclassification, inappropriate and lack of timely valuation of collateral, and resistance to foreclosing on loans have all been identified by the inspection process. The BNB have a thorough approach to on-site inspection and are going through a period of adjustment to absorb the EU regulatory changes. So far the BNB has not applied additional capital requirement in respect of problem loans which is permitted under the CRDIV, though its current approach is a de facto informal application of a Pillar 2 process. Given the close monitoring of the behavior of loans that were formerly covered by supervisory provisioning requirements, and the instruction to banks that these provisions must not be drawn upon, this is likely to be reasonable but the BNB should consider sooner rather than later how it would operationalize its pillar 2 approach for problem loans. In over-arching terms, the issues of identifying concentrations/large exposures, related parties and the potential for inconsistency of approach between different on-site inspection teams are critical for an effective oversight and supervision of problem exposures. As already noted in the principle on credit risk (CP17) these issues are considered in the specific relevant CPs. Recommendations o Assess, and be ready to operationalize the Pillar 2 approach for banks which are demonstrating weaknesses in respect of problem exposures. o Consider the use of horizontal reviews into the state of NPL management in banks, paying particular attention to any banks whose data indicates that they are outliers in terms of performance. Principle 19 Concentration risk and large exposure limits. The supervisor determines that banks have adequate 151 BULGARIA policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.68 Essential criteria EC1 Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk. 69 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. Description and findings Provisions on concentration risk and large exposures limits are laid out in the following norms. LCI, re EC1 art. 44 states that a decision resulting in a large exposure shall be adopted by the board of directors. Under the current regime, a bank's exposure to a counterparty or a group of connected counterparties cannot exceed 25 % of the eligible capital. As directive 2006/48 was replaced by EU regulation 575/2013, the 800% own funds aggregate limit was abolished and currently this limit does not apply to Bulgarian banks. According to the BNB, a survey showed that only one bank was close to this limit. If exposure exceeds 15 per cent of the own funds, the decision shall be taken unanimously. Banks are obliged to notify the BNB in writing within 10 days of the decisions made regarding any large exposure ((LCI, art. 71, para. 1, point 5). For exposures in the banking book, any breach of the limit should be immediately reported. The limits can be exceeded only for exposures in the trading book under certain conditions stipulated in the EU regulation 575/2013. Depending on the excess, additional capital requirements are imposed. The BNB told the mission that all Bulgarian banks apply part IV of regulation 575/2013 and the respective reporting forms from the EU Regulation 680/2914 (Annex 8 and 9). In addition to these provisions, policies and processes to be implemented by banks for concentration risks and expositions limits can be found in the BNB Guidelines on the management of concentration risk that derive from the ones published by the CEBS. According to them, institutions are expected to adequately address concentration risk in their governance and risk management frameworks, to assign clear responsibilities, and to develop policies and procedures for the identification, measurement, management, monitoring and reporting of concentration risk. The management body should understand and review how concentration risk derives from the overall business model of the institution. This should result from the existence of appropriate business strategies and risk management policies. The same guidelines indicate that in order to adequately manage concentration risk, institutions should have an integrated approach for looking at all aspects of concentration risk within and across risk categories (intra- and inter-risk concentration). Risk drivers which could be a source of 68 Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof. 69 This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies. 152 BULGARIA concentration risk should be identified. Furthermore, the risk concentration identification framework should be comprehensive enough to ensure that all risk concentrations which are significant to the institution are covered, including on and off- balance sheet positions and committed and uncommitted exposures, and extending across risk types, business lines and entities. Further, institutions should ensure that concentration risk is taken into account adequately within their ICAAP and capital planning frameworks. In particular, they should assess, where relevant, the amount of capital which they consider to be adequate to hold given the level of concentration risk in their portfolios. Similar provision can also be found on the BNB 2014 Ordinance #7 on RM in banks, art. 9 (1) stipulating that in their written policies and procedures banks are required to (i) identify cases where overall risk for the bank increases due to the increased credit concentration as a result of newly found connectedness; and (ii) impose restrictions on concentration of exposures to specific economic sectors and/or geographic region. The same article in its paragraph 2 obliges banks to analyze their exposures to collateral issuers for the presence of concentration risk in establishing concentrations exceeding 10% of the own funds. EC2 The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure70 to single counterparties or groups of connected counterparties. Description According to the Regulation on concentration risks, banks are required to have in place internal and findings policies and procedures to identify, assess, monitor and verify the exposure portfolio concentrations. re EC2 Further, concentration risk management policy has to be adequately documented. The BNB has established procedures to verify that bank’s information systems provide adequate information on risk concentration and exposures limitations. These diligences are performed at both off-site and on-site levels. Prior to commencing an on-site visit, the BNB inspection will request the bank to provide a summary report of all types of limits by economic sectors/industries, by clients and groups of connected clients, by type of products, by type of collateral, etc. in relation to the management and control of concentration risk. The bank will also be required to provide copies of tracking reports for those limits and information on any breaches of the limits. During the on-site mission (as indicated in BNB manuals), the inspection team should assess the quality of the process of identification, ongoing monitoring, risk analysis and control of different types of risks, including concentration risk. Inspectors will also determine whether accuracy, timeliness and efficiency of the management information and risk monitoring systems are appropriate for the size, the complexity of the structure and the risk profile of the bank (RASM p. 61). They will also ensure availability of internal systems for identification of large exposures and their adequacy to the limits set by the bank. 70 The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e. it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991). 153 BULGARIA EC3 The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflect ing the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regular ly reviewed and reported to the bank’s Board. Description Banks are required to develop and apply a framework to manage and monitor the concentration risk and findings including development of internal rules. Different limits are applied depending on bank’s credit re EC3 policies and risk appetite. In that regard, BNB Internal Guidelines on the Management of Concentration Risk has set several principles for concentration risk management whereby institutions are expected to adequately address concentration risk in their governance and risk management frameworks, to assign clear responsibilities, and to develop policies and procedures for the identification, measurement, management, monitoring and reporting of concentration risk. Further, the management body should understand and review how concentration risk derives from the overall business model of the institution. To that end, it is the duty of banks to set a practical definition of what constitutes a material concentration in line with their risk tolerance. Moreover, institutions should determine the level of concentration risk arising from the different exposures they are willing to accept (i.e. determine their concentration risk tolerance), with regard to institution’s business model, size and geographic activity. In addition to monitor concentration to single or a group of connected parties, banks are obliged to monitor sectoral concentration (including collateral and guarantees concentration). There are no limits to these kinds of concentrations; their level will be determined on a case by case basis depending on the bank’s risk appetite and business model. The assessment of conformity with these principles is mostly done on-site. In the course of on-site inspections, BNB inspectors have to review minutes of board meetings including approvals of “large operations,” check the completeness and usefulness of the management information system for the effective management of bank operations (RASM p. 59 & 60). BNB staff will also cover on-going monitoring and control of concentration risks and their effective application (RASM, p. 35). The same inspection manual instructs BNB inspectors to make sure that strategy and policy information is communicated to the relevant staff within the bank (by means of written guidelines, manuals, etc.). EC4 The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. Description Banks are subject to a series of reporting obligations including on concentration risks. Reporting and findings provide details on bank’s risk concentration, broken down by geographic locations, currency, etc. In re EC4 addition, as indicated to the mission, BNB inspections teams always require lists of all connected counterparties, by sector and currency. Before or during the on-site visit, the bank has to provide a summary of all kinds of sectoral / industry limits, groups of connected counterparties, types of products, types of collaterals, in connection with the management and control of risk concentrations. Lastly, as set forth in the Art. 71, para.1, point 5 of the LCI, banks are obliged to notify the BNB for new large exposures. The analysis of these materials is also supplemented by on-going dialogue with bank’s management teams concerning the overall diversification strategy that has an impact on the level of concentration risk in the different business lines and companies. EC5 In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected 154 BULGARIA counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. Description For the purpose of assessing risk concentration exposures, Bulgaria refers to several sources to and findings apprehend groups of connected counterparties. The first source can be found in the EU Regulation re EC5 575/2013 whereby “close links” mean a situation in which two or more natural or legal persons are linked in any of the following ways: (a) participation in the form of ownership, direct or by way of control, of 20 % or more of the voting rights or capital of an undertaking; (b) control; (c) a permanent link of both or all of them to the same third person by a control relationship; The same regulation defines a “group of connected clients” as any of the following: (a) two or more natural or legal persons who, unless it is shown otherwise, constitute a single risk because one of them, directly or indirectly, has control over the other or others; (b) two or more natural or legal persons between whom there is no relationship of control as described in point (a) but who are to be regarded as constituting a single risk because they are so interconnected that, if one of them were to experience financial problems, in particular funding or repayment difficulties, the other or all of the others would also be likely to encounter funding or repayment difficulties. Other relevant references can be found in the LCI according to which “connected persons” are one of the following: (i) spouses, relatives and collateral relatives up to the fourth degree of consanguinity and relatives by marriage up to the third degree of affinity; (ii) partners; (iii) persons where one of them participates in the management of the other person’s undertaking or subsidiary; (iv) persons where one and the same legal or natural person is a member of their management or controlling body, including the case where the natural person is a legal person; (v) an undertaking and a person who holds more than 10 per cent of an undertaking’s stakes or voting shares; (vi) persons who jointly control a third person or its subsidiary, etc. The LCI and the Guidelines on the implementation of the revised large exposures regime provide further definition of “persons acting in concert” and persons “economically related.” The BNB can exercise discretion in applying this definition on a case by case basis. EC6 Laws, regulations or the supervisor set prudent and appropriate 71 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. Description The BNB told the mission that regarding the large exposures regime, all Bulgarian banks apply Part and findings Four of EU Regulation 575/2013. The general principle is that a bank's exposure to a counterparty or re EC6 71 Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration. 155 BULGARIA a group of connected counterparties cannot exceed 25 % of own funds. For that purposes, “exposures,” means any asset or off-balance sheet item referred to in Part Three, Title II, Chapter 2 of Regulation 575/2013 abovementioned, without applying the risk weights or degrees of risk. The BNB Guidelines on the management of concentration risk prescribe that any exceptions from the policies and procedures should be properly documented and reported to the appropriate management level. Institutions are expected to have procedures for independent monitoring of any breaches of policies and procedures, including the monitoring and reporting of breaches of concentration limits. In the BNB on-site inspection methodology, there are several diligences to be followed to ascertain conformity with the principles mentioned above. Inspector should assess internal systems and rules for identifying, ongoing monitoring, assessing and controlling credit risk and concentration risk and degree of their effective implementation in practice (RASM, p.31). Attention will also be given to the management’s ability to adequately manage the credit risk within the bank – in all stages of the lending activities (RASM, p.35). EC7 The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programmes for risk management purposes. Description and findings The BNB requires banks to include the impact of significant risk concentrations into their stress re EC7 testing programs for risk management purposes. According to the BNB Guidelines on the management of concentration risk, banks must perform stress-test exercises including on the impact of significant risk concentrations. Along the same lines, supervisors should assess whether concentration risk is adequately captured in firm-wide stress testing programs. In addition, supervisors may perform or request institutions to perform additional stress tests. As pointed out by the BNB, use of stress testing as a way of identifying concentration risk does not necessarily mean that stress tests should be conducted solely for the purposes of concentration risk management. Additional criteria AC1 In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following: (a) ten per cent or more of a bank’s capital is defined as a large exposure; and (b) twenty-five per cent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties. Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. Description and findings The notion of large exposure can be found in the LCI, art 45 (6). While the text does not mention re AC1 Large Exposures per se, it stipulates that “a bank’s total exposure to a person [under paragraph 1], which is not a credit institution or an investment intermediary, may not exceed 10 per cent of its own funds.” Further, the same article sets aggregated limits on large exposure in the banking book whereby “the total amount of all exposures of a bank to persons under the first sentence may not exceed 20 per cent of the bank’s own funds .” 156 BULGARIA Assessment Materially non-compliant of Principle 19 Comments The Bulgarian regime governing Large Exposure Limits and concentration risks as laid out in the LCI and BNB guidelines derives from the EU Directive as well as from the main principles published by CEBS. A bank's exposure to a counterparty or a group of connected counterparties cannot exceed 25 % of the eligible capital. A decision resulting in a large exposure shall be adopted by the Board and when the exposure exceeds 15 per cent of the eligible capital, the decision has to be taken unanimously by board members. Banks are also required to set appropriate limits depending on their credit policies, risk appetite and risk tolerance. During on-site inspection, about 30% of the loan portfolio is reviewed according to the BNB, with priority given to Large Exposures and connected lending. The BNB methodology for assessing large exposure requests inspectors to perform a series of due diligence to ascertain conformity with the requirements for the formation of exposures to persons connected to the bank72 and with art. 44 of LCI according to which banks and banking groups are obliged, at any point of time, not to exceed the established ratios of LEL. Inspectors will analyse whether a concentration risk exists in the banking and trading book and at what level and whether it has been identified on a timely basis. Inspectors will also consider whether banks allocate additional capital for concentration risk in order to ensure sufficient coverage of the risk. Moreover, according to the methodology, attention will be given to cases where the restrictions for large exposures and insider loans are evaded73 and to exposures with indications of connectedness with the bank’s shareholders. Where such practices exist, the inspection report should criticise the bank’s management (including management board, supervisory board, internal control unit, risk management unit), which must be reflected in the bank’s composite rating for management .74 Potential indicators are also investigated for existence of informal economic relatedness between a bank’s borrowers. On the other hand, the BNB has a wide range of powers to address situations were banks are taking excessive concentration risk including the power to instruct the bank to mitigate the risk exposure when the concentration is deem excessive. The mission reviewed several inspection reports of banks in which inspectors did pay attention to the issue of LEL and concentration. For two banks at least, major deficiencies were detected by the BNB staff. One bank exhibited, at the time of the review, the following problems: (i) absence of analysis of informal concentrations, (ii) much of the credit portfolio being formed by loans to offshore and 72 administrators, shareholders, spouses and relatives up to third degree, as well as other connected persons. 73Existing credit risk concentrations to customers, for which the inspection team believes that there is sufficient evidence of connectedness on an informal basis. 74As part of credit risk analysis, concentration risk includes large exposures to related parties and large exposures to groups of counterparties with similar characteristics, the probability of default that depends on common factors such as: economic sector, geographic location, type of financial instruments, etc. Analysis should cover the total activities and assets of banks (incl. off-balance sheet commitments), with specific attention to be given to the timely identification of concentration risk in the banking and trading books. The capital adequacy rating of banks is determined based on the assessment of several key factors and criteria including the degree and management of concentration risk and large exposures. 157 BULGARIA companies with foreign registration or locally registered companies with owners of such registration, which hinders greatly the identification of connections and the occurrence of concentrations; (iii) flaws in control and RM of concentration risk. In another case, inspectors detected large concentrations from the expositions of credit borrowers connected to the shareholders of the Bank 75 and came to the conclusion that “concentration risk is not a priority to the Bank’s management”. Despite the efforts deployed by the BNB, there are yet some practical aspects that raise concerns about the effectiveness of the LEL regime. The developments over the summer of 2014 with the KTB collapse revealed supervisory shortcomings particularly for the supervision of concentration risk and related-party lending in the bank (see CP 20). Further, since observance by banks of the risk concentration limits is questionable, (banks using several strategies to circumvent the LEL regulation and exceed the limit of risk concentration as evidenced in BNB reports), there is a need to enhance even further BSD’s scrutiny in that area. This could be achieved in different ways, (i) through an horizontal review to ascertain that poor practices are not widespread throughout the industry, (ii) issuance of recommendations and (iii) the application of sanctions against offenders (see CP 11). The discussion with two prominent external audit firms showed that despite efforts deployed by the BNB, the issue of large exposure limits is still a matter of concern. The problem stem from the fact that the determination by the banks of relatedness between customers connected economically is difficult to make. Besides, the lack of transparency in ownership structure of companies (sometimes located overseas) undermines even further the understanding of connected lending and as a result concentration risks. It is recommended to: o Conduct an horizontal review across the industry to verify degree of conformity with LEL requirements o Instruct the industry to increase efforts in establishing cl ear understanding of customers’ ownership structure o Take forceful measures to enforce more effectively observance of risks concentration limits Principle 20 Transactions with related parties. In order to prevent abuses arising in transactions with related parties76 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties77 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. 75Total amount of the expositions of the credit borrowers connected formally and informally with the main shareholder is more than 60 % of CB. 76 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies. 77 Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party. 158 BULGARIA Essential criteria EC1 Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties.” This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. Description The Bulgarian regime does not define the concept of Related Parties per se. The LCI refers indirectly and findings to this concept by listing a series of persons to whom a bank can have exposure under certain re EC1 conditions defined in the law. As set forth in art.45 (1), a bank may establish exposures to the following counterparties: 1. administrators of the bank; 2. shareholders holding more than 10% of voting shares; 3. a shareholder whose representative is a member of a managing or supervisory body of the bank; 4. spouses, brothers, sisters and relatives of direct lineage up to third degree including those related to the persons listed above; 5. legal persons in which the persons under items 1 –4 are involved; 6. companies in which the bank or person under item 1-4 participate in the management or has qualified equity; 7. third persons acting on behalf of the persons under items 1 –6. The LCI (in its additional provisions) defines “administrators” as (i) a member of a supervisory or management board (board of directors) of a bank; (ii) a “procurator 78” of a bank and any person whose position includes management and control of operational units; and (iii) the management of the specialized internal control office. On the other hand, the LCI defines the concept of “economically related persons” who shall be two or more persons who are to be regarded as constituting a single risk because they are so interrelated that, if one of them were to experience financial problems, in particular in funding or repayment of obligations, the other or all other would also be likely to encounter funding or repayment difficulties. Pursuant to EU Regulation 575/2013 banks should also apply the definition of group of connected clients (art. 4, par.1, point 39). Group of connected clients has two aspects: control through ownership or similar relations and economic interconnectedness.79 These aspects are elaborated in more details in the BNB guidelines on the revised large exposure limits. Any administrator shall, upon taking office, declare in writing to the management board (board of directors) the names and addresses of the persons economically connected to him or members of his family and the business interests both the administrator and the members of his family have with the bank at the time of the declaration. Upon a change in the declared circumstances, the administrator shall file a new declaration within 7 days after such a change takes effect. The authorities told the mission that the BNB applies discretion in using the definition of related parties during on and off-site reviews. If the inspector considers that there is a contract with related parties which was misrepresented, the BNB could prescribe a corrective treatment through its 78 A “procurator” is a person acting on behalf of two executive directors under a power of attorney. 79 BNB also uses other types of relationships that may indicate connectivity: (i) a borrower who is provider of outsourced activities or is contract counterparty of the bank; (ii) borrowers with common collateral; (iii) borrowers with a common source of repayment of the debt; (iv) borrowers with a common registered office; (v) borrowers with common auditor with the bank or if they have been audited by the same auditor as the borrowers over the last three years; etc. 159 BULGARIA supervisory powers. Besides, the level of concentration with RPs is analyzed case by case for each bank separately, depending on its business and risk appetite. The BNB uses different sources of information to establish relatedness between parties. BNB staff has full access to the internal registers that banks have to maintain on RP and connected lending. External public source of information (e.g., commercial register, private providers) are also an important source of information for getting data on corporate ownership structures and possible financial linkages. Another useful document is the letter of “relatedness” signed by the borrower. These aspects are analyzed on site, including “informal relatedness” (e.g several parties sharing the same address). The Special Supervision Directorate (SSD) of BNB is also responsible for keeping a register of all the shareholders of credit and financial institution; it also performs annual assessment of the financial status and interconnectedness of key shareholders in order to establish their ability to support financially the bank. EC2 Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.80 Description and findings As stated in the LCI art. 45 (1), a bank may establish relations with affiliated parties only based upon re EC2 an “unanimous decision of the managing body.” According to para.4 of the same article, banks may not give preferential conditions to the “affiliated” persons defined in art. 45 (1). This includes, inter alia, collecting interest, fees or other payments due or accepting collaterals, which are lower than those required from other customers in similar cases. This aspect is monitored by the BNB during on- site visits. Attention will be given to the pricing of the loan, possible abuse of grace period and to any other favorable conditions. EC3 The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. Description As stipulated by the law, exposure to related parties require an unanimous decision of bank’s and findings managing body (art. 45(1)). However, neither the law nor the BNB define the concept of exposures re EC3 that are subject to this unanimous decision or stipulate any restrictions in case of write-off. Further, under Art. 51 of LCI, para.4 any administrator who has a business interest in the conclusion of a par- ticular transaction with the bank shall not participate in the negotiations or in the discussion and decision on its conclusion. The law stipulates that in performing their functions, administrators and other employees of a bank shall be obliged to place the interests of the bank and its customers before their own interests. It is not clear however whether this restriction abovementioned “on the conclusion of a particular transaction” also applies, in the case of loans, to any decision/resolution governing the interest rate and repayment. In practice, the existence of favorable conditions are verified during on-site visits; BNB inspector will review minutes of the relevant credit committees to ascertain that people with possible conflict of 80 An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates). 160 BULGARIA interest were not part of the decision. EC4 The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. Description As indicated to the mission, the BNB determines that banks have policies consistent with EC4 by and findings assessing application of reliable procedures for corporate governance by the competent re EC4 management body. The BNB Risk Assessment System (RAS) Manual requires inspection staff to check whether the corporate values of the bank under review include also procedures that prohibit or strictly limit conflict of interests and preferential treatment of related parties and other privileged persons (page 66 of the manual). Transactions concluded by an administrator in violation of the provisions above are null and void. EC5 Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. Description There are specific limits for exposures to related parties. Current regulation limits to 10 percent of and findings total “own funds” the total exposure of a bank to its affiliated parties (person or en tities) which is not re EC5 a credit institution or an investment intermediary. Moreover, the total amount of all exposures of a bank to connected persons may not exceed 20 per cent of the bank’s own funds ( LCI, art. 45 (6). There are no requirements allowing the BNB to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. In BNB’s views however, in case of a non-compliance with the requirements of art. 45 of LCI and before the end of the defined compliance deadline, BNB could presumably impose supervisory measures under art. 103 of LCI, in particular para. 2, point 3 (written order to cease the violation), point 5 (require the bank to hold own funds in excess of the requirements) and point 20 (require special provisioning). It is noteworthy that the law also contains other type of limits relevant to this CP. Certain Related Parties transactions seem to be acceptable under the following conditions: -if the amount of an exposure to a person –as listed in art. 45 (1) under items 1 to 4 [e.g administrators, shareholders and their relatives]81 does not exceed its annual remuneration; -the amount of an exposure to a person –as listed in art. 45 (1) under items under items 2, 3, 5, 6, and 7 [e.g., shareholders holding more than 10% of voting shares; a shareholder whose representative is a member of a managing or supervisory body of the bank; legal persons in which a bank administrator or a shareholder is involved, etc] is less than 1 per cent of the bank’s ow n funds but not exceeding BGN 300,000 (approx. US$140 K). EC6 The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board 81 Items 1 to 4 of art. 45 (1) 161 BULGARIA also provides oversight of these transactions. Description and findings The BNB determines via on-site inspections that banks have policies and procedures to identify, re EC6 monitor and report to the board and senior management exposures to affiliated parties. This work will be carried out as part of the assessment of concentration risks and bank’s governa nce. The RASM (p.42) defines inspectors’ due diligence in that respect, particularly during the assessment of lending policies and procedures. Ahead of the mission the inspection team will require the bank to submit in an electronic form copy of the register of related parties along with all rules, policies and procedures for management of the lending activity. BNB staff will check whether there are clear defined rules and procedures for identification and ongoing tracking of connectedness (formal and informal). Special attention should also be paid to the bank’s ability to identify involvement between its customers at the level of business relationships, informal relations and any other factors, which give grounds to consider such customers as carriers of overall risk for the institution. To that end, the inspector will have to assess the management’s approach to this issue and determine whether this approach is formal -following only the hypotheses of connectedness described in the regulatory framework- or whether all significant informal interrelations and contacts between customers are studied. The inspection will also check the existence of hypotheses under which conflicts of interest may arise. Other pertinent references can be found in the BNB SREP manual in which special emphasis should be put on the ability of risk monitoring and management system to cover risks arising from the exposure of a group of connected persons; another major element is the review of concentration risk resulting from increased exposure towards one counterparty or a group of connected persons. For capital purposes it is also expected that within the ICAAP each institution shall decide where limits based on creditworthiness are appropriate for related parties. However, exposures to related parties do not seem to form part of a bank’s integral part of reviews to be performed by the internal control function and the management body. Ordinance No 10 on Internal Control and Regulation 7 on Risk management in banks are silent on related parties activities. The BNB “banking supervision process manual” does not contain any reference to RP. Any findings indicating possible circumvention of the regulation on related parties’ exposures will be highlighted in the inspection report. Particular attention will be given to the exposure -with indications of connectivity- with shareholders of the bank. In the presence of such practices, this shall be reflected as a criticism to the management of the bank in the On-site Inspection Report and also in the component rating for the bank’s management. EC7 The supervisor obtains and reviews information on aggregate exposures to related parties. Description Banks are subject to reporting obligations as set forth in the LCI. Banks are required to notify the and findings BNB, in writing within 10 days of the decisions made regarding any exposure to related party as re EC7 referred to under Article 45 (LCI art. 71 (1). Until end of 2014 quarterly reporting forms (in accordance with the repealed Ordinance No. 7 on large exposures) had to be sent to the BNB containing information on all large exposures and all exposures to related parties (as specified in Article 45 of the LCI). The Ordinance abovementioned has been repealed and banks are now required to report data on aggregated exposures to related parties using FINREP templates. In the wake of the KTB collapse, the BNB has developed new reporting templates to disclose and report broader relatedness between borrowers. These new reports provide more granularity on possible connectivity among customers (e..g. via same address or same collateral). 162 BULGARIA Assessment Materially non-compliant of Principle 20 Comments The assessment of transaction with related parties is done both onsite and offsite. The on-going surveillance is mainly performed through reporting forms. Even though provisions on affiliated/related parties in LCI art. 45 do not envisage explicit reporting, the BNB has established a notification regime for quite some time. In light of the recent regulatory changes, the BNB sent a formal letter on January 24, 2015 to the banks, putting some more details and requiring the banks to use the same level of detail as in the COREP reporting form for large exposures. Some of the main elements are: name, LEI82 code of the counterparty, residence of the counterparty, sector of the counterparty, nomenclature of economic activity (NACE) code, type of counterparty, gross exposure, net exposure after eligible credit risk mitigation, by type of exposure - direct or indirect, balance sheet or off balance sheet, etc. FINREP reporting form 31 provides further details on RP exposures (reporting is done under IAS 24 rules).83 Share size and functions held by the administrator are not part of the regular reporting. Nevertheless information about the share size is available at the register of credit institutions administered by the BNB, and the functions of the administrators are checked via the on-site inspections. During on site-inspections, the BNB inspectors pay attention to RP transactions as evidenced in the inspection reports examined by the mission. There are however a series of issues described below that explain the MNC rating attributed to this CP. The LCI does not define the types of transactions that need to be considered when evaluating exposures to related parties. In effect, Art. 45 analyzed above provides a large definition of related parties but does not specify the types of transactions that give rise to related parties exposures. It would be advisable to issue some guidelines in that respect in line with footnote 1 of the present Core Principle to include explicitly into the scope of RP transactions on-balance sheet and off- balance sheet credit exposures and claims, as well as, dealings (such as service contracts), asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The BCP team welcomes the efforts which were made by the authorities in order to improve the better management of related parties’ issues. The SSD has made important efforts over the past months to clarify transparency of ownership structures in banks and establish the identity of ultimate beneficial owners. Letters are sent every year requesting shareholders (holding more than 3% of share or voting rights) to confirm information about their business, type of investments (shares, bonds), audited financial statements. In that regard, particular concerns were expressed on transparency in a few banks, including a major one in which 3 companies with qualifying 82 Legal Entity Identifier. 83 Main breakdown of types of related parties in the reporting Form 31 are: Parent and entities with joint control or significant influence, Subsidiaries and other entities of the same group, Associates and joint ventures, Key management of the institution or its parent, Other related parties, breakdown by instruments, expenses and income information, Group structure: "entity-by-entity" and "instrument-by-instrument.” 163 BULGARIA shareholdings were located in off-shore centers with undisclosed UBO. The mission was told that the BNB managed to obtain all necessary information in relation to these companies and that they are no longer worried about transparency in these banks. It is a fact that the issue of related parties in Bulgaria has been a matter of concern over the past years; KTB’s collapse in 2014 has revealed that connected and related -party lending still represent an important risk in that regard. The comprehensive external audit of the bank commissioned in July 2014 by the Bulgarian authorities identified significant shortcomings in the detection of related-party risk.84 Among the multiple problems discovered by the auditor, related parties transactions were one of the most salient. A considerable part of that credit portfolio suggested a very large connectedness between debtors and the majority shareholder of the bank.85 The BNB itself assessed KTB right after its collapse and noted that the bank got around the law by exceeding the limits for lending to related parties over a long period of time.86 This might be an isolated case but the BNB is advised to perform a transversal inspection across the industry to ascertain that related parties exposures and interconnectedness between groups of affiliated people are well captured by banks’ risk management systems and connected lending under close scrutiny. As part of this exercise, inspection teams should pay careful attention to the cash flows between related parties, something that was missing during previous inspections at KTB. During interviews outside the BNB, assessors were told by an audit firm that the audit profession itself was facing difficulties in identifying groups of related companies, not formally related to each other but with economic inter-linkages. The challenge in identifying inter-connectedness is also mostly related to the concept of beneficial owner which does not fully cover the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. In its 2013 assessment report,87 Moneyval pointed out remaining difficulties in that regard. Further instructions to the Industry would be advisable. Some legal revisions should also be considered, particularly to allow external auditors to report on any “economic related person.” According to the discussions held with the Commission for Public Oversight on Statutory Auditors (CPOSA), external auditors are not obliged to assess and report on economic relationship between parties or group of connected parties. During meetings with BNB staff, the mission was told that the BNB receives a lot of questions from 84 At the end of June 2014, KTB’s related-party exposure amounted to 33.5% of its capital base, a significant increase from the 3.9% figure reported at end-2013. This was the result of auditors’ reclassification of a significant exposure to the main shareholder. .85.Lending was intermediated by SPV , holding companies and similar entities. 86 The BNB found that by using various techniques the bank had maintained artificially “high” quality of the loan portfolio (less than 2% NPL ratio). 87 Moneyval Report of Bulgaria, September 2013, Report on Fourth Assessment Visit – Executive Summary, par. 8. 164 BULGARIA the industry on how to treat certain exposures in order to determine the connections with affiliated parties. Apart from the LCI, there is no other secondary legislation; therefore the BNB may wish to consider issuing guidelines with the view to provide further clarification on issues not properly contemplated in the law such as conditions in relation to the write-off of related party transactions. In conclusion, as for related parties transactions, full effectiveness can only be reached through a series of measures that the BNB must consider as follow: o Define in a regulation or guidelines the types of transactions giving rise to related parties exposures; o Enhance surveillance of related parties transactions across the industry via a transversal inspection; o Provide recommendations to the industry to be more diligent in identifying their customers up to the ultimate owner (particularly for legal entity located overseas); Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk88 and transfer risk89 in their international lending and investment activities on a timely basis. Essential criteria EC1 The supervisor determines that a bank’s policies and processes give due regard to the identi fication, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. Description Bulgaria does not have a regulation on country and transfer risks; however, as a minimum, banks and findings should follow the sovereign risk requirements set in EU regulation 575/2013. Furthermore, under the re EC1 new EBA Guidelines for the SREP process (published in December 2014), the BNB has the responsibility to assess the degree of concentration within all types of exposures to country risk, including sovereign exposures, in proportion to the whole institution’s credit portfolio, the economic strength and stability of the borrower’s country and its track record in terms of punctual payment and occurrence of serious default events, the risk of other forms of sovereign intervention that can materially impair the creditworthiness of borrowers and the risk arising from the potential for an event affecting the whole country to lead to default by a large group of debtors. Pursuant to the 88 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered. 89 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.) 165 BULGARIA same EBA guidelines, the BNB will have to assess also the transfer risk linked to cross-border foreign currency lending for material cross-border lending and exposures in foreign currencies. As indicated to the mission, country risk is normally assessed during regular on-site inspections as part of the credit risk due to the lack of foreign activities or as part of the ICAAP evaluation. Banks in Bulgaria usually do not have extensive cross-border activities but most subsidiaries have cross-border exposures. In that respect, the BNB has observed a significant decrease in 2015 in relation to Greek banks. It is noteworthy that the BNB has taken several measures to put all banks with exposure to Greece (branches and subsidiaries of Greek banks) under close scrutiny and under some sort of ring fencing due to the economic situation in the home country. The directions given to the interested entities by the BNB have been as follows: (i) maintain highly liquid assets at 30% of attracted funds from non-credit and non-financial institutions, enterprises, and individuals in addition to minimum reserves of 20% with the BNB; (ii) prohibition to maintain excessive balances with the parent bank and its group, and invest in securities of issuers with non-investment grade rating; (iii) ensure functional independence from the parent bank and (iv) submit daily reports to the BNB. According to a prominent external audit company interviewed by the mission, the situation of Greek banks in Bulgaria is “well monitored” by the BNB. Meetings with the biggest Greek subsidiary in Bulgaria also confirmed this point of view. Greek banks are still reporting daily to the BNB on liquidity position in particular. There is also the case of one bank with massive exposure to its Hungarian parent company that raises serious concerns at the BNB but the institution is also under close scrutiny. EC2 The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Board and that the Board oversees management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description Bulgarian legislation framework does not require explicitly that banks’ Management Board approves and findings strategies, and policies concerning country and transfer risk. However, these obligations are implicitly re EC2 covered by the requirements of Ordinance #7 (2014) for overall risk management in banks. The internal RAS Manual also refers to the obligation of bank’s management to exercise effective control over the overall activity of the institution. The mission was informed that supervisors examine the internal policies and currency limits as a part of the on-site inspections, especially for bigger banks. EC3 The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. Description and findings There is no specific provision in the Internal ICAAP Manual that deals specifically with country and re EC3 transfer risk. The latter is apprehended within the general process whereby, for each material risk identified, banks should (i) have an individual risk management processes (identification, measurement, monitoring, and management) from the point of view of the methodologies, procedures and IT support systems; (ii) have a risk management methodology for establishing appropriate limit system as well as other approaches used to mitigate risk. That system shall reflect the bank’s risk appetite and shall be comprehensive;(iii) perform a self -assessment on the extent to which those policies actually reflect the decision-making process in the field of risk management; and 166 BULGARIA (iv) submit a list of regular and ad hoc risk reports for the management body. During the on-site inspections, the mission was told that BNB determines whether banks have information systems, risk management systems and internal control systems to ensure effective monitoring and timely reporting of country risk exposures, as well as to ensure compliance with country exposure limits. EC4 There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: (a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. (b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. (c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor. Description Banks are required to continuously evaluate their risks and maintain reserve funds for their coverage. and findings Under the current regulatory and accounting framework, there are no explicit requirements for re EC4 provisioning against transfer risk. Country risk is measured under provisions of Regulation 575/ 2013 in relation to exposures to Government and Central banks. Each bank should make impairments and provisions under IFRS 36, 37 and 39. In addition, BNB closely monitors the intra-group placements and transfers to other related foreign parties. In cases of significant liquidity outflows, corrective measures are undertaken. EC5 The supervisor requires banks to include appropriate scenarios into their stress testing programmes to reflect country and transfer risk analysis for risk management purposes. Description According to the ICCAP Manual, Banks should assess the impact of external factors on their capital and findings levels and exposure to the various individual risks on the basis of various stress-tests. The re EC5 management body of the institution should approve a detailed methodology of the entire framework of stress-tests. It is worth noting that the BNB has issued Guidelines on Stress testing whereby banks which conduct their activities in more than one country should perform stress testing on business unit level in each geographical region, industry sector or business line. Nevetheless, there is no concrete requirement concerning scenarios reflecting country and transfer risk in BNB’s Gu idelines on Stress testing. EC6 The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). Description Currently, the main source of information for country risk is COREP, template 9.3. The BNB receives and findings by bank quarterly reporting information on capital requirements for country risk and the exposition 167 BULGARIA re EC6 to currency risk. These reports contain detailed information for on- and off-balance-sheet exposure by type of obligor (government, banking, other), country, currency, etc. The BNB regularly checks the accuracy and analyze these reports for levels of significant variations and trends. Assessment Materially Non Compliant of Principle 21 Comments The assessors found several flaws in the regime for country and transfer risks. Bulgaria does not have a regulation on country and transfer risks; banks should follow the sovereign risk requirements set in EU regulation 575/2013 but this is not enough in assessor’s views. As indicated above, the BNB has issued Guidelines on Stress testing whereby banks which conduct their activities in more than one country should perform stress testing on business unit level in each geographical region, industry sector or business line. In assessors’ opinion, this is not enough. Banks should stress country risk beyond running a stress test by location and also stress transfer risk as such. It also appears that the EBA Guidelines for the SREP process, according to which the supervisory authorities should assess the degree of concentration within all types of exposures to country risks are yet to be implemented. A revision of the BNB’s internal manual for the SREP process is envisaged but has not been finalized. According to the authorities, the country risk is discussed mainly on a group level during the supervisory colleges meetings. Lastly, the Bulgarian legislation framework does n ot require explicitly that banks’ Management Board approves strategies, and policies concerning country and transfer risk, even though these obligations are covered by the requirements for overall risk management in banks. Recommendation:  Adopt a regulation on country and transfer risks;  Include country and transfer risk in bank’s stress testing  Implement the EBA guidelines for the SREP process to ensure proper and timely country risk coverage Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. Essential criteria EC1 Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor 168 BULGARIA determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. Description Market risk standards and requirements for the banks are set out in the Ordinance 7 of BNB on and findings organization and risk management of banks. This Ordinance lays down, inter alia, the requirements re EC1 on the organisation and risk management of banks; criteria to be met in relation to the banks ’ policies for risk management and risk control and processes to maintain internal capital that is adequate to cover those risks. Under Ordinance 7 (Chapter III, Section III Market risk) banks shall implement policies and processes for the identification, measurement and management of all material sources and effects of market risks. Also banks shall have adequate internal capital to cover material market risks that are not subject to capital requirements under Article 92 of Regulation (EU) No 575/2013. In article 13, paragraph 2 and 3 are set additional requirements concerning position risk and internal capital against the risk of loss which exists between the time of the initial commitment and the following working day. Chapter IV of Ordinance 7 is for Internal Approaches for Calculating Capital Requirements for Credit and Market Risk. Currently in Bulgaria no bank uses internal approach for market risk. As noted above in CP17 for Credit Risk, the main requirements for the banks in relation to their governance of risks, are set in the LCI Article 73 (1), items 4-7, Article 73a. (1) and (2). The LCI requires the competent managing body of each bank to adopt and regularly review in accordance with the best internationally recognized practices for corporate governance of banks: the strategies and policies for taking up, managing, monitoring and mitigating the risks the bank is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle; the procedure for generating and the scope of the management information; the operational control organisation, including rules and procedures for approving, carrying out and reporting transactions; the internal rules and procedures for risk management and control systems efficiency and for reporting the established weaknesses in the organization and work of structural units. Under the LCI banks must have in place sound, effective and complete strategies and processes on an ongoing basis to assess and maintain the amount, types and distribution of internal capital that they consider adequate to cover the nature and level of all risks to which they are or might be exposed. The strategies and processes shall be subject to regular internal review to ensure that they remain comprehensive and proportional to the nature, scale and complexity of the activities of the banks. Where the short position falls due before the long position, banks shall take measures against the risk of a shortage of liquidity. The BNB has issued local guidelines for the management of interest rate risk in the banking book based on the respective CEBS (EBA) guidelines. With respect to FX risk, it should be noted that Bulgaria is under Currency board agreement whereby the Bulgarian Lev is legally pegged to the Euro (1.95583 BGL is equal to 1 EURO). For the credit institutions operating in Bulgaria the risks of foreign currency transactions arises from exposures denominated in currencies other than euro. As a whole the capital requirements for covering market risks represent a relatively low percentage of the total amount of capital requirements for the banks in Bulgaria. Banks’ exposure towards market risk is low or low-medium depending on the size and activities of the bank. The main instruments used by the banks in Bulgaria include: interest rate products, capital instruments, government bonds 169 BULGARIA and FX deals. As a rule, bank’s internal risk management and control systems are reviewed and evaluated during on-site inspections. EC2 The supervisor determines that bank’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description Under Section III (Market risk), of Ordinance 7 (Art 12) banks are required to implement policies and and findings processes for identification, measurement and management of all material sources and effects of re EC2 market risks. Based on bank’s risk strategy and plans for development the onsite inspection is informed for bank’s goals in the market risk area. Onsite inspections conducted are the main too l to verify that the Board has approved the market risk policy and to assess whether the policies and processes have been implemented in line with the policy. Onsite inspections examine whether the bank has an internal organization and adequate reporting system that enables the senior management and the Board to monitor the bank’s risk, results and positions; evaluate bank’s risk profile and make sure that the written guidelines for risk taking are being followed. During onsite inspections the BNB examines whether the bank’s risk and positions, results (gains or losses) as well as the values of the financial instruments are reported regularly to the respective risk committee and to the Board. The onsite inspection for market risk involves a review of the policy and the guidelines for risk management, an assessment of existing risk positions and exposure, the organization in the bank including the segregation of duties, internal controls and valuations. The onsite inspection team is expected to meet with a member of Board responsible for the market risk area, the internal auditors, front office, back office, treasury department, and risk management. Onsite inspections also examine the control system for market limits set for the instruments, positions, deals and possible bridges of the limits. The inspection team examines whether limits (either internal or imposed by the supervisor) have been adhered to. An onsite inspection also may involve an examination and assessment of the bank’s ICAAP in regard to the market risks. Bank’s allocation of positions to the trading book and the banking book is also discussed in connection with the examination of the ICAAP on the market risk area – although it should be noted that there is only one bank that is above the de minimis limit for having a trading book. Although the BNB does not have the resources for a dedicated market risk specialist, each inspection team has one member that is more specialized in market risk. EC3 The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: (a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; (b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff; (c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; (d) effective controls around the use of models to identify and measure market risk, and set 170 BULGARIA limits; and (e) sound policies and processes for allocation of exposures to the trading book. Description The main approach for evaluating banks’ policies processes and control of the market risk and findings environment is through the onsite inspection, including review of the banks’ Board minutes and re EC3 relevant committee’s minutes. The inspectors are expected to review banks’ current reports for market risk exposures, financial results from trading and market valuation, operations, in terms of frequency and accuracy and reporting not only to the Board and senior management but also to the parent company. The bank should be able to explain abnormal daily profits or losses given the size of their positions. In the processes of reviewing a bank’s Board minutes attention is paid not only to the accuracy of the information but whether and what decisions taken as a result of this information in both normal and adverse market circumstances. During onsite inspection the limits are assessed for their appropriateness in line with the bank’s operations, risk profile and capital level. In case of breaches of the established limits inspectors are expected to require additional information. In some cases the documentation for the transactions and operations are required from the back office and treasury department. As noted above, allocation between trading and banking book is only relevant in the case of one bank. Nevertheless, the relevant inspectorate team will be required to evaluate the bank’s policies and procedures for allocating positions to the trading book and ensuring that these policies are met by the bank in practice and that the bank meets the allocation standards set out in the CRR (Arts102- 106). Exchange rate risk, commodity risk and all other market risks in the trading book are monitored through the capital requirements as set out in the CRR so that the BNB can identify whether the scale of these risks is increasing and whether closer supervision is warrented. At the time of the assessment these forms of market risk – as noted above - were at a very low level. Please see also EC 1 and EC 2 EC4 The supervisor determines that there are systems and controls to ensure that banks’ marked -to- market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. Description The BNB requires that the banks establish detailed rules and procedures for overall management of and findings their market related activities. This includes: systems and controls, methods and models for re EC4 evaluation, etc. The quality of the systems and controls is verified by the inspectors who will deliver, when necessary, appropriate requirements and recommendations. Risk management systems are required to cover all material risk for the credit institutions and shall meet the set of qualitative standards, including establishing of specialized risk control unit, that is independent from the business trading unit; the management body should be actively involved in the risk control process by reviewing the daily reports, prepared by the risk control units; the internal audit unit conducts a review of risk management system; etc. Onsite inspections are the main tool used by the BNB to verify bank’s policies and processes for valuation adjustments on less liquid positions as well as marked to market positions. The BNB 171 BULGARIA reviews bank’s written procedures and discusses them with the responsible staff in order to assess whether they ensure prudent and reliable valuation estimates to use in both the reporting to the Board and the financial reports. BNB also takes into account any comments that the internal or external auditors have given in the audit reports. At the time of the assessment, banks operating in Bulgaria were not very active in trading operations and the predominant element of their portfolios consisted of Bulgarian government bonds. Derivatives are usually limited and only used for hedging purposes. Generally, the market risks in the banks consist mainly of interest rate risk. Equity risk and currency risk are low, commodity risk is negligible. The BNB observed that frequency of re-valuation is a challenge for the banks as trading volumes are low on the stock exchange, so daily prices are not always available and Bulgarian government debt is not in fact traded on exchange. It is typical for the subsidiaries of EU parents to make use of parental models (eg value at risk models) and in these instances, it is also common for the banks to seek the BNB’s supervisory view although these models are not – as indicated above – used for regulatory capital calculation as no bank has internal models recognition for market risk capital calculations . For its part the BNB’s policy is to ensure that the parental model is being used actively and meaningfully in the local business. It is also important for the BNB to ascertain that the subsidiary is not simply using the parent’s model as a “black box.” EC5 The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Description The Ordinance 7 (Art 13(1)) requires banks to hold adequate internal capital to cover market risks and findings that are not subject to capital requirements under Article 92 of the Regulation. re EC5 Accordingly, during onsite inspection BNB examines the ICAAP annually to assess whether the bank allocates appropriate levels of capital against unexpected market risk losses and makes appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Onsite inspections of market risk area are usually conducted every 2-3 years in line with the risk based approach. EC6 The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. Description Banks’ stress tests are reviewed by the BNB under the SREP. The BNB assesses risks revealed by stress and findings testing taking into account the nature, scale and complexity of a bank’s activities. (LCI Art 79c (1)(3) re EC6 and Ordinance 7 Art 23(2) and (4)). On the principle of proportionality, therefore, market risk must be included in a bank’s stress testing if it is a material risk. Furthermore BNB has adopted EBA guidelines on Stress-testing. The guidelines on Stress-testing under the SREP define the scope of stress-testing, the calibration, the frequency, the quality of data and information system, the role of the management body of the bank, the reporting channel of the outcomes and review, update of the stress-testing methodology and others. Again the BNB uses its on-site inspection practices to confirm that the approaches are integrated into risk management policies and processes, and results are taken into account by the management of the bank in the bank's risk-taking strategy. Assessment Compliant of Principle 172 BULGARIA 22 Comments Market risk is not a major factor in the risk profile of the banking system. However, it is important not to underestimate the significance of this risk element. For example, while only one bank has a sufficiently sizeable trading portfolio to be required to use the market risk requirements for capital, and no bank is approved for an internal model for market risk for capital adequacy purposes, there are models that are being used for internal business and risk management purposes and it is important for the BNB to be able to engaged actively with the banks and challenge the design, specification, governance and use of such models. At present, the level of skill and familiarity with market risk in the BNB staff is likely to be sufficient for current needs. However, the BNB does not have the resources for a dedicated market risk specialist and should the market develop, even if only through one bank pressing for an internal modeling approach, such specialization will be necessary. Principle 23 Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk90 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. Essential criteria EC1 Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. Description The BNB has issued a Guideline on Management of Interest Rate Risk in the banking book, based on and findings the CEBS (now EBA) Guidelines on Technical Aspects of the Management of interest rate risk. The re EC1 paper sets out technical instructions applicable to the measurement and management of interest rate risk in banking book. The document puts the emphasis on high-level guidance, some of which is addressed to institutions (both credit institutions and also investment firms) and some to supervisors. It is not meant to provide detailed guidance on whether and how quantitative tools and models should be used or developed. Under principles IRRBB 4 from the Guidelines on the Management of Interest Rate Risk in the Banking Book, (adopted by BNB), banks should have a well-reasoned, robust and documented policy to address all issues that are important to their individual circumstances. Under principle 1, Annex 1, IRRBB Guideline: The board of directors in a bank should approve strategies and policies with respect to interest rate risk management and ensure that senior management takes the steps necessary to monitor and control these risks consistent with the approved strategies and policies. The board of directors should be informed regularly of the interest rate risk exposure of the bank in order to assess the monitoring and controlling of such risk against the board's guidance on the levels of risk that are acceptable to the bank. As part of the ICAAP 90 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22. 173 BULGARIA process, the board should periodically review also the policies and processes for interest rate risk management in the banking book. (IG 6, Guideline on SREP). The general framework concerning the interest rate risk in the banking book is based on the BNB’s “Guidance on the management of interest rate risk arising from non -trading activities“ under Pillar 2. The BNB has also developed an additional practical ICAAP Guidelines setting out detailed requirements regarding interest rate risk in the banking book, for example:  Banks should maintain clearly defined rules and procedures for the active management of the interest rate risk in the banking book.  Banks may choose between two options for the assessment of internal capital needs for interest rate risk in the banking book:  The assessment of internal capital needs for interest rate risk on the basis of calculation of the potential loss caused by a parallel shift of 200 basis points in the yield curve. The calculation procedure is described in details in the BNB’s “Guidance on the management of interest rate risk arising from non-trading activities.”  The use of a bank-own methodology for the assessment of internal capital needs for interest rate risk (such as VaR or PV). Banks should provide argumentation that this suits the nature and needs of the management of interest rate risk. The compliance with the above mentioned Guidelines is monitored on a regular basis mainly by conducting on-site inspections and partially by off-site analysis of the required information and data. As in many areas of the risk profile, there is a general distinction to be made between the subsidiaries of the EU banks and the locally owned banks. The latter tend to use a relatively simple gapping approach, while the subsidiaries may make use of more sophisticated techniques driven by group policies. EC2 The supervisor determines that a bank’s strategy, policies and processes for the man agement of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. Description The Guidelines – please see EC1 - stipulate that the bank’s management must approve the interest and findings rate risk policy includes key strategy, policies and processes. Senior management is required to re EC2 develop and implement detailed strategy, policies and processes assessed by the supervisory authority during the regular on-site inspections. The determination of practice takes place through the on-site inspection process. EC3 The supervisor determines that banks’ policies and processes esta blish an appropriate and properly controlled interest rate risk environment including: (a) comprehensive and appropriate interest rate risk measurement systems; (b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); (c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff; (d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and (e) effective information systems for accurate and timely identification, aggregation, monitoring 174 BULGARIA and reporting of interest rate risk exposure to the banks’ Boards and senior management. Description As noted in EC1 and EC2, the BNB’s “Guidance on the manage ment of interest rate risk arising from and findings non-trading activities“ under Pillar 2 and the Practical ICAAP Guidelines provide a comprehensive re EC3 and detailed set of requirements regarding interest rate risks. A bank is expected, in its risk measurement system to:  record all essential interest rate risks of a bank arising from assets, liabilities, and off-balance-sheet positions;  include parameters and assumptions that are substantiated, appropriately documented, and periodically reviewed as to their appropriateness;  depict interest rate risks in the form of fluctuations both in interest income and in the present value of equity;  record all essential types of interest rate risks;  cover all of a bank’s interest rate-sensitive positions; Senior management is required to provide and implement a system of limits and monitor exceptions. The goal of risk management is to keep a bank’s interest rate risk within certain parameters established by the bank itself in the event of a number of possible changes in interest rates. This requires a system of limits to enable senior management to control the risk exposure and to measure the risks actually incurred based on tolerances that have been established by the Management, reporting to the Boards and the senior management. EC4 The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. Description Interest rate risk in the banking book is treated under the ICAAP/SREP framework. As with other Pillar and findings 2 risks, BNB’s Ordinance 7 on organization and risk management of banks requires that: a bank shall re EC4 implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a bank’s non-trading activities (Art 8(1)). Banks shall have in place sound, effective and complete strategies and processes to assess and maintain on an on-going basis the amounts, types and distribution of internal capital that they consider adequate to cover the nature and level of the risks to which they are or might be exposed (Article 73a of the LCI); Under Ordinance 7 (Art 8(2) banks whose economic values decline by more than 20% of their own funds as a result of a sudden and unexpected change in interest rates of 200 basis points or other change, determined under applicable guidelines established by the EBA, should take immediate corrective action and must notify the BNB within a reasonable time-frame. In some cases credit institutions may have to consider movements and changes in the shape of their yield curves in their scenario analysis, as a non-parallel shift in the curve can entail additional declines in both the net interest income and the economic value of an institution. The complexity of interest rate risk varies from institution to institution with regard to the sophistication of the financial instruments used. Where less complex financial instruments are employed, the effect of a shock can be calculated by the institution using sensitivity analysis (without identification of the origin of the shock, and by means of the simple application of the shock to the portfolio). Where an institution uses more complex financial instruments on which the shock has multiple and indirect effects, it should use more advanced approaches with specific definition of the adverse (stress) situations. 175 BULGARIA Additional criteria AC1 The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book. Description The BNB assesses the results of the bank`s interest rate measurement systems on a regular basis and findings using both the on and off-site techniques. The standardized interest rate shock is applied through re AC1 the annual ICAAP process and data is not submitted on a more frequent basis. AC2 The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book. Description The assessment of the Bank`s internal capital measurement system is based on the following and findings information required by the supervisory authority: re AC2  Internal model documentation and methodology  Validation process and results  Reporting  Monitoring system  Bank`s internal audit assessments etc.  Other relevant documents and data if needed; Assessment Compliant of Principle 23 Comments The BNB regard interest rate risk in the banking book as an extremely significant risk and welcome current Basel Committee work that might lead to a Pillar 1 capital charge. At present analysis of IRRBB is only annual, during the course of the annual ICAAP assessment, and the BNB, on the grounds of currently high levels of capital in the system, has not yet applied any Pillar 2 add-on in respect of IRRBB. Given that the BNB does not have the resources to assess the treatment of this risk on-site on an annual basis, and some of the smaller, potentially less skillful, institutions could have extended periods between inspections, greater attention to this risk in the off-site processes may be merited. It is, of course, acknowledged, that any refreshing and update to the policies, strategies and procedures by the banks has to be notified to the BNB when it happens, so the BNB always has the capacity to consider whether, for example, banks are failing to take into consideration a changed interest rate environment. Recommendation o In this context, while it is considered that this risk is adequately covered at present, it is recommended that the BNB place more emphasis on developing – on a more consistent basis – the quality of the off-site analysis. Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and 176 BULGARIA processes, consistent with the bank’s risk appetite, to identify, m easure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. Essential criteria EC1 Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. Description The EU liquidity framework is set out in the CRR and delegated acts by the Commission. The CRR and and findings the delegated acts are binding and directly applicable in Member States, and do not require a re EC1 national transposition process. The scheduled implementation for the LCR in the EU is as follows:  60% from 1 October 2015  70% from 1 January 2016  80% from 1 January 2017, and  100% from 1 January 2018. Therefore, LCR implementation for EU Member States will start on a mandatory basis from October 2015, which is 10 months behind the Basel timetable, but will achieve full implementation of the LCR one year sooner than required by the Basel standard. Member States have the option to move ahead of the timetable established by the CRR and the Commission Delegated Act but Bulgaria has not done so and is opting to maintain the framework set out in Ordinance 11 of the BNB. This BNB state that this framework will be maintained until the liquidity coverage requirements are applied in full in the EU. This is expected to happen in late 2018. Some qualitative liquidity requirements which are part of CRD IV (namely part of internal governance) are transposed into Ordinance 11. Nevertheless, the ICAAP Manual which provides guidance to inspectors when considering the technical criteria for the adequacy of ICAAP does not include a direct requirement for inspectors to test management’s capacity or understanding of the processes involved. Failure by a bank to adhere to the levels of liquidity set out in Ordinance 11 triggers the BNB’s enforcement powers (Arts 8 and 12). These powers include setting of minimum liquidity asset ratios for a limited time frame and imposing administrative measures and sanctions under the LCI (Art 103(2)). In practice the BNB issued letters to banks requiring additional and more frequent liquidity reporting. The Ordinance sets various criteria for the effective management of liquidity risk as well as setting out the supervisory process that applies to the banks. The Ordinance addresses the internal liquidity management system, MIS, the composition of the maturity ladder, reporting to the supervisory authority, on- and offsite supervisory assessment, supervisory measures and sanctions. Also, the Ordinance 11 defines two liquidity ratio for which the BNB has set thresholds:  Liquid assets ratio - the ratio of the bank’s liquid assets to its deposits and other liabilities (liquid assets are defined in article 8 paragraph 1 of the Ordinance). The recommended minimum ratio set by the BNB through an official letter issued each financial year to all banks is 20%.  Maturity ladder – setting liquidity ratios by maturity time bands - the ratio of the amount of 177 BULGARIA assets (cash inflow) for the relevant maturity time band plus the excess of the net cash flow from the preceding time band to deposits and other bank’s liabilities (cash outflow) for the same maturity time band (related to the maturity ladder defined in article 6). The liquidity of a bank shall be deemed acceptable if the liquidity ratios by maturity time bands are not under 1 at least for the first two maturity time bands The BNB has also published guidelines related to liquidity buffers and survival periods (based on CEBS’s (now EBA) “Guidelines on liquidity buffers & survival periods” from 2009) and guidelines on the liquidity costs and benefits allocation (Ordinance 11(1)(5)(2)). The “Macro-prudential Supervision and Financial Stability” directorate conducts, at least once a year, stress test simulations for all institutions within the banking system, with a focus on liquidity risks. The BNB’s internal RAS Manual follows the liquidity management practices set out in the Basel standards. These practices include requirements for the liquidity management structure of banks, evaluation and monitoring of the core liquidity, market access management, contingency plans, currency liquidity management, internal control of the liquidity management, market discipline and its role for enhancement of the liquidity management, supervisory assessment and analysis. The BNB noted that their existing (pre CRR) supervisory reporting had been a significant benefit during the KTB crisis in 2014 as the supervisors had daily (and also intra-day) data available to assess the entirety of their system as well as interconnected funding between banks. This information was valuable in the context of the negotiation on providing State Aid for liquidity with the European Commission. EC2 The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off- balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. Description Liquidity requirements are set out in Ordinance 11 and the CRR, which both require on and off and findings balance sheet risks to be assessed. Supervisors, in their assessment of banks are specifically required re EC2 to have regard to the structure of the balance sheet and the presence of any significant off-balance sheet commitments. In addition to the liquidity requirements set out in Ordinance 11 which banks are required to meet on a continuous basis, the BNB can also impose special requirements targeted at particular bank or a group of credit institutions, reflecting the their risk profile or the macroeconomic environment in which they operate. The BNB discussed details of special requirements that had been imposed on banks during the previous twelve moths, which included emphasis on availability of liquidity in a contingency and particular regard to flows in group funding. EC3 The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance Description Requirements for liquidity risk management, including stress testing, are set out in Ordinance 11. The and findings requirement for liquidity management systems is in Article 2 and the requirement for the bank to re EC3 establish its internal liquidity management policies, plans and processes is in Article 3. The Board is 178 BULGARIA expected to set a liquidity risk tolerance, position limits and buffers which must be reviewed periodically. The internal liquidity management framework of banks is assessed by the supervisory authority both on- and offsite. When onsite the responsible for liquidity risk assessment inspector follows the comprehensive guidelines of the RAS Manual, which provides practical guidance on the analysis and assessment of liquidity risk in banks including information on how to conduct a review of the internal liquidity management framework of credit institutions, contingency planning, assessment of the conducted by the bank stress-tests etc. The liquidity assessment is based on detailed inquiries on attracted and allocated funds, cost of funding, meeting minutes of the ALCO, internal legal framework of the bank and ongoing meetings with those responsible for liquidity management. The RAS Manual also provides guidance on the techniques for offsite assessment of banks’ liquidity risk exposure and liquidity risk assessment which includes sources of information, reports submitted for offsite purposes, assessment of the maturity ladder, analysis of the main funding sources, main criteria for defining the quality of liquidity management. EC4 The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: (a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; (b) sound day-to-day, and where appropriate intraday, liquidity risk management practices; (c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; (d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and (e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate. Description The elements of this EC are imposed on the banks through Ordinance 11 as follows: and findings re EC4 (a) Board approval of clear articulation of overall liquidity risk appetite: Art 1(5) and Art 2(2)(3) (b) Sound liquidity risk management practice: Art 1(5) and Art 2(2) (c) Sound information systems: Arts 2, 3 and 5. (d) Adequate Board oversight: is covered by Art 2(1) and also Ordinance 10 (for the more general provision on oversight). (e) Regular Board review: Art 2(2)(7), Art 3(2)(2), Art 4(5) and also Ordinance 10 (for the more general provision on oversight). Requirements with respect to intra-day liquidity management are not stipulated explicitly. The assessment and the determination by the supervisor takes place through both on and off-site supervisory processes. In essence, the requirements that are found in the Ordinance are extensively reiterated and reinforced – frequently with greater detail – through the internal Risk Assessment System Manual and the internal Risk Assessment System Manual in order to focus the attention and 179 BULGARIA determinations made by the supervisors. (a) Board governance of overall liquidity risk appetite Assessment of risk appetite appropriateness of banks is conducted mainly onsite, when assessing the annual ICAAP or at targeted ICAAP onsite inspections. In addition to an expectation of a clear documentation of the risk appetite, the internal Risk Assessment System Manual guides inspectors to consider whether the overall risk appetite is commensurate with the bank’s business strategy and its position in the financial system. The liquidity risk appetite (i.e. the ability and willingness of banks to take liquidity risk) must be described in detail in the internal banking documentation and the relationship between risk exposures and expected income should be clearly defined. Moreover, consideration should be given to the potential for an extended period of instability and not only normal conditions. The internal SREP manual further reminds the supervisor to check that the internal rules on liquidity should have been approved by the bank’s governing body. (b) Sound liquidity risk management practice Internal manuals again direct the supervisors and inspectors to check on the quality of risk management practices. For example cash flows – incoming and outgoing – should be monitored on a daily basis. The internal limit structures – and whether appropriate to the business lines – the quality of internal control mechanisms, such as dual controls, adequacy of the liquidity management unit (eg ALCO); quality of work performed by internal audit functions. (c) Sound information systems The internal Risk Assessment System Manual and the SREP manual reiterate the need for the supervisors to check the adequacy of information systems for measuring, monitoring, control and reporting of liquidity risk to senior management (MIS)” and ensuring that a bank bank-wide identification, monitoring and control of risks is taking place. Further, the supervisors are expected to review the risk strategy, risk appetite and responsibilities are communicated within the organization and in what form (rules and process of communication) and whether everyone is aware of his/her responsibilities regarding the identification and reporting of risks. (d) and (e) Adequate Board oversight and review The internal Risk Assessment System Manual reminds supervisors that the Bank's management is responsible and should ensure the effective management of assets and liabilities through the creation of a strategy and comprehensive framework for liquidity management. Supervisors are expected to test that the liquidity risk policy is subject to – at least – an annual review and is updated as necessary. EC5 The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: (a) an analysis of funding requirements under alternative scenarios; (b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; (c) diversification in the sources (including counterparties, instruments, currencies and markets) 180 BULGARIA and tenor of funding, and regular review of concentration limits; (d) regular efforts to establish and maintain relationships with liability holders; and (e) regular assessment of the capacity to sell assets. Description (a) Scenario analysis of funding requirements: and findings re EC5 Ordinance 11 requires banks to establish“…the methodology for identification, measurement, management and monitoring of funding positions, which shall include the current and projected material cash flows in and arising from assets, liabilities, off-balance-sheet items, including contingent liabilities and the possible impact of reputational risk” (Art 3(1)(5) Ord 11) This article also requires banks to have liquidity management systems for normal operations under a ‘going concern’ scenario as well as contingency plans and a ‘liquidity crisis’ scenario outlining the measures, actions and relevant responsibilities to be activated in the event of the bank experiencing a liquidity crisis; The Ordinance also requires banks to conduct periodic stress tests, scenario analyses and liquidity assessment under adverse circumstances by using alternative scenarios on liquidity positions and on risk mitigants; the alternative scenarios shall address, in particular, off-balance sheet items and other contingent liabilities, including those of Securitisation Special Purpose Entities (SSPE) or other special purpose entities, in relation to which the bank acts as a sponsor or provides material liquidity support. The results of the stress tests are to be used in determining the level and composition of the liquidity buffers under adverse environment as well as for updating contingency action plans The supervisory assessment of liquidity is supported by mandatory monthly reporting form. The scope and the design of the liquidity report form have been updated several times in recent years to allow: - better monitoring on micro level (each individual institution over time and comparing to peers); - observation on macro-level (banking sector) of patterns of funding and dynamics of liquid assets by types of counterparty, (incl. resident structure). Moreover, since November 2011 banks have had to report outflows by maturity using two approaches – Conservative approach as well as Behavioral approach (the estimation of outflows based on statistic by type of funds). The conservative scenario requires all borrowings without a fixed maturity to be reported in the shortest maturity horizon – “On demand- up to 7 days..” Liabilities with a set agreed maturity are allocated to the maturity brackets according to their residual maturity how about break clauses?. A similar approach applies to off-balance sheet items – the undrawn commitments such as overdrafts or credit cards are treated as an immediate outflow (up to 7 days). Thus the Conservative approach approximates the 'liquidity crisis' and brings additional view to the supervisory analysis allowing the calibration of recommendations and measures addressed to credit institutions. In evaluating the banks, the RAS Manual sets out the methods for offsite analysis and evaluation of liquidity risk in terms of funding management and expects the supervisors to review the main sources and structure of borrowed funds - financial, non-financial sector, bond issues, capital support, financial results, availability of sufficient support from the parent institution (for banks that are part of international financial groups). Analysis of the volume, structure and trends in the bank's liabilities including retention of deposits is also required. The RAS Manual also provides guidance on the evaluation of funding management for the onsite inspections. It is stressed that the supervisors need access to sufficient information on the bank’s sources of funds including those which are not reflected in its balance sheet such as agreed credit 181 BULGARIA lines, commitments from the parent company or wider group to provide sufficient liquidity in a timely manner, planned bond or equity issuance, deposit products with attractive interest rate and others.” (b) Cushion of liquid assets: Ordinance 11 (Art 8 (1)) prescribes the assets which shall be considered as Liquid, the calculation of the liquid asset ratio and liquidity ratios by maturity time bands. Article 8 (3) states that the liquidity of a bank shall be deemed acceptable if the liquidity ratios by maturity time bands are not under 1 at least for the first two maturity time bands. The sovereign crisis in Europe in 2011, caused the BNB to enhance and intensify its emphasis on the need for banks to build and sustain liquidity buffers (along with the capital buffers) and be prepared to weather hypothetical outflows. To this end, the BNB issued a sequence of letters between October 2011 and February 2014 making stipulations addressing maturity mismatches, ensuring the holding of additional tradable assets (to complement the Liquid assets defined by BNB ) testing scenarios, etc. The BNB attributes the recommendation from late 2011 in placing the banks well to ensure they were able to report liquidity on a daily basis in 2014. Banks were able to identify and mobilize liquid assets and inflows from supplementary sources as well as having the systems to provide timely data. The BNB noted that it regularly reviews the banks’ asset structure through offsite supervision and in particular ratio of liquid assets to total assets and growth rate compared to borrowings. However it was also noted that in some cases in the current climate “maintaining high liquidity could be a consequence of the inability of the bank to ensure timely funding from external sources.” (c) Diversification of funding: Ordinance 11 outlines that “each bank shall maintain the required degree of diversification of liabilities ensuring liquid funds for their repayment in conformity with their maturity structure and market conditions” (Art3(1)(6)). The supervisor may not, under the terms of the RAS Manual consider a bank’s liquidity position as adequate unless the liabilities structure is well diversified and the tenor of the assets ensure an adequate flow of funds. In terms of inspection, the on-site team expect to receive comprehensive information on the existence of deposit concentrations (by counterparties, term, maturity, interest rate, etc.). Furthermore Ordinance 11 confirms that BNB shall take remedial action if it considers concentration of funding may lead to instability of an individual bank or of the system as a whole. (d) Relationships with liability holders. At present there is no requirement for banks to test and maintain their relationship with their liability holders. (e) Testing capacity to sell assets to raise funding. Again there is no specific requirement imposed on banks in this regard but the issue is addressed, however, as part of the supervisory questionnaire for onsite inspections. When inspecting the liquidity risk banking supervision inspectors review internal documentation (policies, strategies, rules and procedures) and assess their quality. This rule applies not only for the evaluation of liquidity risk but for all risks inherent to the banks’ activities. EC6 The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. 182 BULGARIA Description Contingency funding planning forms an important component in Ordinance 11. Article 3 establishes and findings that: “The internal liquidity management rules shall specify contingency plans and a ‘liquidity crisis’ re EC6 scenario outlining the measures, actions and relevant responsibilities to be activated in the event of the bank experiencing a liquidity crisis; these plans shall be subject to a periodic review, updating based on the results of applying alternative scenarios, reporting and approval by the competent managing body and shall lead to appropriate changes in internal policies and proc esses” The sovereign crisis in Europe in 2011, caused the BNB to enhance and intensify its emphasis on the need for banks to build and sustain liquidity buffers (along with the capital buffers) and be prepared to weather hypothetical outflows. To this end, the BNB issued a sequence of letters between October 2011 and February 2014 making stipulations addressing maturity mismatches, ensuring the holding of additional tradable assets (to complement the Liquid assets defined by BNB ) testing scenarios, etc. As noted under EC5, the BNB considered that the experience of 2011 stood the banking system in good stead for 2014. In addition there are articles setting requirements for Liquidity management system (Article 2), Liquidity management by the firm (governance) (Article 4), and banks have clarity on the expectations from On-site inspections (Article 10) and the Supervisory Review Process and Evaluation of the Liquidity Management System (Article 11) which confirm that the BNB will assess the adequacy of the bank’s survival strategy in addition to a range of aspects of liquidity which also includes the level, quality and composition of liquidity buffers and effectiveness of contingency plans. The BNB assesses contingency funding plans both offsite and at the onsite inspections as a part of the liquidity risk assessment in particular reviewing the assumptions developed by the bank stress tests and plans for action in a "liquidity crisis” scenario. The assessors saw some evidence of this in BNB records. In terms of inspection arrangements, inspectors are expected to form a reasonable supervisory assessment of the adequacy of internal rules and procedures, MIS. They also perform analysis of the methods for assets and liabilities management, of the liquidity and interest rate risk in the bank and of the need for additional capital for liquidity risk under Pillar 2. Again, the assessors were able to view inspection reports. The inspection of contingency arrangements is informed by the supervisory expectations set out in the RAS Manual which follows the principles for sound liquidity management set out by the Basel Committee. For example, “Banks should adopt a contingency plan with developed strategies for action in case of liquidity crisis, with the necessary measures, actions and responsibilities, and procedures for dealing with cash shortages in terms of contingency. This plan should include detailed information and define events, the occurrence of which would lead to its implementation; description of potential sources of funding; operating procedures (incl. to attract the necessary funds - at the right volume, maturity and currency); clear allocation of responsibilities and process for ensuring timely exchange of information; procedure for maintaining relationships with external parties and etc.“ Along with the mandatory requirements in Ordinance 11 for contingency funding plans of banks, the BNB has issued recommendations in recent years to ensure sustainable liquidity levels despite volatility. Among the Recommendations of the Deputy Governor responsible for Banking supervision department addressed to all or to a peer group of banks included: - LA/Core funding Ratio of 20 per cent (at times 25per cent); - Readiness to supply more frequent, even daily, liquidity reporting; - Updating of contingency plans to reflect latest developments; 183 BULGARIA In a few cases banks were prompted to reconsider their investments in certain financial instruments having regard to the increased uncertainties and potential for volatility. In terms of liquidity crisis management planning, the BNB indicated that there were three key sources for banks to obtain liquidity under stress – parental funding/ shareholder support, sale of liquid (or eligible) assets or sale of loan portfolios. In practice the holding of liquid securities in the banking system is small as the market for securities is not yet well developed and Bulgaria is a jurisdiction with a scarcity of Government debt (and will therefore have insufficient Level 1 assets to meet the LCR). Sale of loan book assets is also problematic in a crisis and with an undeveloped market for loan sale or securitization. Hence, shareholder support through issuance or direct funding is critical in the context of the Bulgarian market. Lender of Last Resort – which banks are not permitted to include in liquidity contingency plans in any case – is in fact circumscribed in Bulgaria due to the Currency Board. EC7 The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. Description As noted above (EC 5), Ordinance 11 requires banks to conduct periodic stress tests (eg Art 2(3)(6)). and findings While the Ordinance at several places indicates the need for a range of scenarios to be taken into re EC7 consideration, including stressed scenarios, there is no specific reference to a variety of short term and protracted idiosyncratic and market wide scenarios. When onsite banking supervision inspectors assess stress tests conducted by the banks. The RAS Manual sets the supervisory expectations: “Banks periodically plan their cash flows assuming different scenarios, which take into account varying degrees of liquidity need (based on external and internal factors). In assessing the impact of these scenarios on cash flows, banks should make reasonable assumptions and to review them periodically. These assumptions can be developed by taking into account the historical experience of the Bank or the experience of other institutions (e.g., in the presence of established common database). Banks should have appropriate action plans for exceptional circumstances, which should be implemented in the event of a liquidity crisis (local or global). Through onsite inspections inspectors should make an analysis and evaluation of the quality of the Bank's stress tests, including frequency, completeness of the assumptions and realistic scenarios, predictive reliability, results of back-testing and more.” The liquidity stress tests are reviewed during the on-site inspections as part of the overall assessment of liquidity systems and controls and recommendations made when deemed necessary. The assessors noted that the inspectors commented consistently on quality and the use of stress tests in their inspection reports. In addition, and in parallel to the requirements imposed on banks and assessed by the inspectors, the Macro-prudential supervision department of the BNB uses quarterly reports to perform an in- house stress test of liquidity of all banks. There are two forms of the test - as a 5-day shock, and as a measurement of a sufficiency of liquid assets of the bank to cover a substantial outflow of funds. The aggregated result support the quarterly analyses of the risks and vulnerabilities of the banking sector presented to BNB Governing Council. The individual credit institutions’ results associated with the uniform in-house liquidity stress test are shared with the relevant supervisory teams to assist in 184 BULGARIA their program of work. EC8 The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. Description There is limited reference to foreign currency issues in Ordinance 11, but Art 3 (5) and (6) require and findings banks to take operational measures to ensure liquidity recovery plans can be implemented re EC8 immediately, including holding foreign currency assets corresponding to the currency and maturity structure of the bank’s funding. Monthly reporting to the BNB (mandated by Art 9(1) Ord 11) ensures that the BNB receives information on the position of foreign currency assets and liabilities. The BNB noted that the future requirement to report the LCR and NSFR on a currency basis will be difficult for banks to meet. Overall fx exposure is low, because most non-domestic currency is in Euro, to which the Leva is pegged. Outside the Euro, the most significant currency is the dollar, and as noted elsewhere, banks hold capital as a risk weighted amount of their net open position. The assessors noted that the BNB inspectors paid close attention to FX limits and risks in their reports. Additional criteria AC1 The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long -term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. Description Under Ordinance 11 (Art 3(3)) banks are required to distinguish between pledged and and findings unencumbered assets that are available at all times, in particular during emergency situations. Banks re AC1 must also take into account the legal entity in which assets reside, the country where assets are legally recorded an account, as well as their eligibility. Banks must also monitor how assets can be mobilised in a timely manner. EBA reporting on encumbered assets entered into force in January 2015. Broadly it is the smaller local banks with encumbrance. The BNB was able to confirm to the ESRB work on the risks of encumbered assets that this is not a systemic issue but could affect individual institutions. Assessment Compliant of Principle 24 Comments The BNB’s understanding and oversight of liquidity risk was tested in 2014 when deposit runs on a number of banks took place. Based on the frequency and quality of prudential data, the BNB was well placed to identify systemic linkages and this information was important in the context of negotiating state aid for the liquidity support of one domestic bank. The BNB has a good understanding of liquidity risk – the assessors noted careful consideration and identification of a range of liquidity risk elements in the inspection reports – and was an early adopter of the Basel 2008 standards on liquidity risk management. Banks have been subject to 185 BULGARIA enhanced liquidity reporting since the EU sovereign crisis of 2011 and have been subject to daily reporting since the liquidity stress of 2014. Banks in Bulgaria are required to report data based on EBA templates for the LCR, but the final templates are not yet available and the LCR will not be in place in the EU until October 2015, starting at a 60 percent level of required compliance. However, the EU framework permits the Member States to maintain their existing reporting and liquidity requirement metrics until the LCR is fully in place (Art 412(5) CRR). Data on the NSFR is also being reported, using EBA reporting templates. The BNB is maintaining the liquidity requirements and reporting under Ordinance 11 until the LCR is fully in force. The BNB has carried out periodic simulations to assess the LCR and NSFR for individual banks and the system. Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk 91 on a timely basis. Essential criteria EC1 Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervis or determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). Description and findings The regulatory regime governing Operational Risk (OR) management can be found in the BNB re EC1 Ordinance #7 on Risk Management Function and Risk Committee. Pursuant to Art 15 (1), banks are required to implement policies and processes in order to evaluate and manage the exposure to operational risk, including model risk, and to cover low-frequency high-severity events. For that purpose, banks shall determine risk factors and events related to operational risk. In addition, art. 16 stipulates the need for banks to have in place contingency and business continuity plans in order to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. Moreover, BNB Ordinance No 10 on internal control in banks requires the specialised internal control unit to review RM systems and establish whether banks have adequate staffing in specialized areas including one IT and OR expert. In order to determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance and other requirements, the BNB has established processes at both the off-site and on-site levels. At the off-site level, OR is captured through the CAMELOS / CAEL Risk Assessment System. The full-scope CAMELOS rating is annual, and is based on qualitative analysis of banks’ activities and risk profile. The rating is also based on the conclusions from the on-going quantitative financial analysis of credit institutions made using the off-site supervision tools. The CAMELOS rating covers several key components – including operational risk. Reporting obligations 91 The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk. 186 BULGARIA on OR also exist; the BNB told the mission that these reporting are reviewed quarterly and help complement the analysis of CAMELOS. Further, the Supervisory Macro Analyses and Strategies Directorate of the BNB shall draw up a number of analytical products on a quarterly basis and submit them to the Governing Council of the BNB, upon consultations with the management of the Banking Supervision Department, including results from ongoing stress tests measuring the sensitivity of banks and the banking system to changes in their operational risks. For assessing OR in the fields, the BNB has designed a methodology (the Risk Assessment System Manual- RASM dated August 2014) that provides practical guidance for measuring and assessing OR during on-site visits. As indicated in this manual, major instruments for assessing OR risk include the statements and internal documentation presented by the bank, as well as regular meetings with the management and the persons responsible for operational risk management. The OR analysis involves evaluating bank’s sensitivity to external and internal events and management quality, including internal control mechanisms for guaranteeing safety of bank internal processes, transactions and data transfers. For assessing bank sensitivity to operational risk, the examiners should take into consideration several criteria including, (i) the size and complexity of the organizational structure, (ii) the number and complexity of products and services offered by the bank, as well as transactions it performs, (iii) the scale and frequency of changes in the bank, including organizational changes, and (iv) the number, quality, security, efficiency of IT systems and their capacity to recover in critical situations. For evaluating bank operational risk management, BNB examiners must look at the (i) adequacy of policies and internal regulations and procedures, together with quality of bank security policy and (ii) quality of internal processes and systems, including, inter alia, process of planning organizational changes and modifying IT systems, IT security management system and authorization and the strategic business plan as well as contingency plan. The outcomes of the analysis of both Risk Sensitivity and OR management quality are reflected into a specific OR rating as shown in the matrix below: 187 BULGARIA Lastly, it is noteworthy that the methodology mentioned above contains a series of detailed questionnaires to be used during on-site visits that help BNB examiners apprehend all relevant aspects of OR such as sensitivity, OR management, internal control, security policies, IT infrastructure, IT management, electronic banking, outsourcing, business continuity and emergency plans. LCI supervisory sanctions and measures taken by the BNB in accordance with this Law, including the imposition of additional capital requirements or restrictions on the use of operational risk internal models for the calculation of the own funds requirements for supervisory purposes. EC2 The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Board. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. Description and findings As stipulated in the LCI art. 73, the competent management body of each bank should adopt and re EC2 periodically review bank’s business and risk management strategies and policies, part of which is the operational risk policy. In the same vein, BNB ordinance #7 on RM in banks require (art.2), the board of directors to approve and periodically review the strategies and policies, adopted under Article 73 abovementioned for taking up, managing, monitoring and mitigating the risks to which the bank is or might be exposed. The same ordinance (art.3) stipulates that the board of directors shall devote sufficient time to consider risk-related issues (including OR). Members of the board are also required to be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in Ordinance #7 and in Regulation (EU) No 575/2013. Lastly, there is an obligation for banks to adopt and maintain rules and procedures for reporting to the Board that cover all material risks and risk management policies and changes thereof. 188 BULGARIA EC3 The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. Description and findings The assessment of compliance with these requirements is mostly done during on-site inspections. re EC3 The RASM contains questionnaires to be used by examiners to ascertain that the bank’s board is responsible for setting bank’s strategies policies and processes for OR purposes. Several questions have to be addressed as follows: Is there a member of the Management Board / Board of Directors who is in charge of OR management? Does the internal control unit regularly review the ORM system? Does the management information system provide information about OR, and what is its input to the bank’s decision-making process? Does the Board regularly receive information about the issues with OR and its management? Has the Board approved the ORM principles set out in the written policy? Is the Supervisory Board regularly informed about ORM issues? For the purpose of determining the implementation of approved strategy by management, the following documents are captured and analysed by on-site inspectors Copies of the operational risk management policy and strategy, including operational risk management rules and instructions per structural units. Copies of the Internal Operational Risk Level Self-Assessment Rules of individual units in the bank, analyses of self-assessment results and actions taken. Copies of rules or instructions attached to them on setting up and maintaining a database of operational events. Copy of the register of operational events containing data as at [date]. Copy of the Rules of Distribution of Operational Events by business lines. Copies of reports, analyses and stress tests specifying the assumptions related to the identification, measurement and control of operational risk in [date] both for the needs of the unit engaged in managing, assessing and controlling this risk and for the bank’s management. Report on the bank’s defined Key Risk Indicators and their limit values. Copies of minutes of meetings of the competent bodies engaged in managing operational risk in [date]. Copy of the complaints register as at [date] (electronically), and copies of reports or analyses prepared in this context containing information on the recurrence of causes for complaints, the ratio of justified/unjustified complaints and actions taken by the bank to reduce the number of complaints. Copy of the bank’s operational uninterruptibility plan; prot ocols/reports from tests of the plan, test results and follow-up actions; copy of the emergency plan EC4 The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. Description and findings Art. 16 of the BNB Ordinance #7 stipulates the need for banks to have in place contingency and 189 BULGARIA re EC4 business continuity plans (BCP) in order to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. For assessing conformity with this requirement, BNB inspectors use a detailed questionnaire during on-site visits covering all aspect of business continuity and emergency plans. Examiners check whether the bank has a documented BCP and whether this document has been approved by the Board and examined by the internal control. Similar diligence will be performed on the Emergency plans (EP). Examiners also ascertain whether the EP includes actions in case of natural disaster, a power supply failure, a main server problem or a telecommunication problem. Further, questions are asked during the on-site visits about staff training on BCP and annual testing of the plans. With regard the later, the mission was told that BNB staff inquires about the outcomes of stress tests and whether any problem has been addressed. Other investigations will be done in the course of the on-site visit to verify the content of the EP for IT systems and the existence of back-up warehouse. In that respect, the BNB made recently a recommendation to banks about the need to have premises for housing contingency and backup systems outside Sofia. EC5 The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. Description and findings The BNB RASM contains several references in relation to IT policies and Information Security re EC5 Management System. These aspects are captured during on-site visits through a detailed questionnaires covering IT infrastructure and IT management. On the first aspect, issues to be examined by BNB inspectors are as follows: (i) Physical security of the main resource, (ii) logical security, (iii) logical security-end users, (iv) antivirus protection, (v) banking applications, (vi) backup procedures and human factors including appropriate qualifications of the personal supporting and operating the systems, appropriate staffing for IT activities. In relation to IT management, BNB inspectors focus on the following areas. In the area of organization, consideration will be given as to whether the IT unit is independent, the segregation of responsibilities is clearly defined in the organizational structure and proper training programs are in place. BNB will also cover planning issues such as business plans for IT systems and emergency action plans. Attention has also to be paid to internal control mechanisms to ensure for example that the bank has internal control regulations regarding IT systems and that audit recommendations are implemented. Specific requests are also made at the on-set of each on-site inspection by BNB for collecting information on IT systems: they include, inter alia, report on IT-related units and committees reporting directly to the management, copy of the bank’s IT development strategy (if any), copy of the security policy, mechanisms for (physical and logical) protection of IT resources from unauthorised access, etc. EC6 The supervisor determines that banks have appropriate and effective information systems to: (a) monitor operational risk; (b) compile and analyze operational risk data; and 190 BULGARIA (c) facilitate appropriate reporting mechanisms at the banks’ Board, senior management and business line levels that support proactive management of operational risk. Description As indicated to the mission, the BNB has not set an explicit requirement for gathering information and findings about occurred incidents. However for complex banks that are using the AMA for computing capital re EC6 requirements for OR, there is an explicit requirement to maintain an appropriate system for incidents information gathering. Besides, the BNB will perform a series of due diligence and will analyze and assess, as part of the supervisory assessment process, several key parameters including data base of incurred losses from operational events and data of the measures pursued by the bank to prevent such events in the future. The Management Information System (MIS) is also assessed by the inspectors mainly during onsite visits through the analysis of reports, minutes from management board meetings, minutes from relevant committee meetings etc. The RASM also contains several check point in relation to the MIS, particularly for ensuring a regular flow of timely and necessary information to management. The minimum necessary information (of different reporting frequency), which the management information system deliver, should cover, inter alia, reports on bank’s operational risk. EC7 The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. Description Credit institutions are obliged to report quarterly on operational risk for Pillar I purposes (through and findings the COREP templates) and annually for Pillar II (in their ICAAP report). Banks using AMA for re EC7 computing capital charges for OR are also required to inform/ask for permission from the supervisor in case of major/significant changes in their AMA framework. There is no explicit requirement for notification of the supervisory authority in case of major operational risk event. However the BNB expects from banks to inform the responsible inspectors in case of significant failure in operations, long-term power outages, significant IT disruptions or external attacks, new major fraud schemes, considerable damage from severe weather, robberies resulting in significant losses etc. EC8 The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management programme covers: (a) conducting appropriate due diligence for selecting potential service providers; (b) structuring the outsourcing arrangement; (c) managing and monitoring the risks associated with the outsourcing arrangement; (d) ensuring an effective control environment; and (e) establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. Description There is no specific provision in the Bulgarian legislation in relation to outsourced activities. The BNB and findings has published on its website guidelines on outs ourcing that derive from the CEBS’s (current EBA) re EC8 guidelines. Guideline 6.1 for example stipulates that “ the outsourcing institution should have a policy on its approach to outsourcing, including contingency plans and exit strategies .” Further, guideline 6.2 191 BULGARIA point 6 stipulates that “the policy should consider the main phases that make up the life cycle of an institution’s outsourcing arrangements” including “due diligence checks on the outsourcing service provider,” and recommends the drafting of a written outsourcing contract and service level agreement. The bank’s management should also exercise vigilance through the monitoring of risks associated with the outsourcing arrangement, in particular to take corrective measures in case of changes in the service provider’s organization structure and ownership structure. The same guideline states that outsourcing institutions should plan and implement arrangements to maintain the continuity of their business in the event that the provision of services by an outsourcing service provider fails or deteriorates to an unacceptable degree, or the firm experiences other changes. This policy should include contingency planning and a clearly defined exit strategy. To ensure that a bank conforms to these guidelines, the RASM contains a questionnaire to be used by examiners for assessing outsourcing activities. In particular, the examiner will focus on the management decisions on outsourcing including whether the Board has approved rules of outsourcing and whether the bank has analyzed supplier’s financial position, competency and professionalism before signing an outsourcing contract. Attention of the BNB inspector will also be given to the outsourcing contract itself (scope, terms and conditions, costs, confidentiality requirements, oversight of the outsourcing institution, etc.). Additional criteria AC1 The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities). Description and findings Based on the information collected from the sector, the BNB regularly reviews the vulnerability of re AC1 credit institutions to common operational risks in order to prevent occurrence of systemic risk. The BNB analyzes information on outsourced IT services to common providers, sensitivity towards failure of settlement services provided by common firms and other operational risks, which may have impact on more than a single credit institution. Assessment Largely compliant of Principle 25 Comments The BNB’s operational risk requirements are based on EU rules and regulations. Compliance with these rules and regulations is achieved mainly through the ICAAP regime and on-site examination. There are a couple of recommendations that could be considered: BNB told the mission that OR has always been under scrutiny. Most of the banks have been assessed on-site for OR purposes over the past years. However, the inclusion of OR is not systematic in routine on-site visits unlike other risks; the criteria for inclusion depends very much on the scope of the inspection. BNB’s attention is rising but it would be advisable to increase the frequenc y at which OR is monitored since it is the second major risk calculated by pillar 1 as pointed out by the BSD directorate. This would also permit BNB staff to get more exposure to OR management in banks and build more expertise overtime; currently, there is no staff specialized in this field, especially with IT skills; some inspectors are more often assigned to this area than others. Establishing a stand-alone 192 BULGARIA onsite examination program for operational risk to achieve a comprehensive view of risk bank-wide would also be useful. While BNB expects banks to notify significant events to the Central bank, there is no legal or regulatory obligation subjecting banks to have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk. The BNB requires banks –but only AMA banks- to have enough data and statistics allowing them to understand and gauge their degree of exposures to OR. In addition, during on-site visits (as described above), the inspection team requires banks to submit a detailed list of information about OR related events, broken down by type of events (e.g., IT disruption, fraud, external factors causing losses, legal risks, etc). The authorities may wish to consider establishing formal and mandatory mechanisms to allow the BNB to remain apprised of developments at a bank. It is recommended to: -Make Operational Risk on-site surveillance more systematic and issue a regulation subjecting banks to have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk -Increase the level of expertise of BSD staff, especially in the area of IT -Require banks to notify the supervisor in case of major operational risk event Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent92 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. Essential criteria EC1 Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance); (b) accounting policies and processes: reconciliation of accounts, control lists, information for 92 In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee. 193 BULGARIA management; (c) checks and balances (or “four eyes principle”): segregation of duties, cross -checking, dual control of assets, double signatures; and (d) safeguarding assets and investments: including physical control and computer access. Description The framework for internal controls within banks is established and articulated through the LCI, and findings Ordinance 10 and Guidelines for internal controls in banks. The key provisions of the LCI are Articles re EC1 74(3) which envisages that banks shall adopt rules for the organization and activities of the internal control and shall set up control systems covering the volume of operations, the variety of transactions and the types of risk arising from them, in compliance with an ordinance of the BNB (ie Ordinance 10). The LCI, Article 73(1) establishes that banks shall establish internal controls and that the Board has clear responsibility for certain aspects, such as the organization of the bank and the delegation of authority and powers. The Board shall adopt and regularly review, inter alia (items 6 and 7), the operational control organization, including rules and procedures for approving, carrying out and reporting transactions; the internal rules and procedures for risk management and control systems efficiency and for reporting the established weaknesses in the organization and work of structural units. The definition of internal control is provided in Ordinance 10 on the Internal Control in Banks, (issued originally in 2003 but subsequently updated in 2006). Internal controls are defined under Article 2(1) which states that “Internal control is a permanent process implemented by management bodies and by the persons performing internal control functions.” As clarified in the second paragraph of the article the internal control shall be considered as a combination of control systems which seek to ensure: achievement of the aims and purposes; efficient and effective use of the funds; an adequate control over various risks; safeguarding the assets; reliable and sufficient financial and management information; and compliance of the operations with applicable law and ordinances, observance of policy, plans, internal rules and procedures. The LCI and Ordinance are further supplemented by the Guidelines on Internal Control. In respect of EC1, the obligations placed on banks and their Boards are at a relatively high level and the elements specified in this criterion is not always found explicitly. (a) organizational structure: The scope of Internal control is set by Article 4 of the Ordinance and shall consist of management oversight, risk control, reporting and information and internal audit. Review and oversight by the (“management body”) is established under Article 5 which requires the Board to approve and review organizational structure and the procedure for determining and delegating powers and responsibilities. Segregation of critical functions is mandated by Article 6 which requires that the management body shall segregate duties where a conflict of interest may occur and ensure that no individual hold more than one functions in relation to authorization, performance and reporting the operations. Missing elements, with respect to this criterion relate to the clarity of delegation and the requirement to establish decision-making policies and processes. (b) accounting policies and processes: Reporting and information requirements are covered under Article 8 of the Ordinance. The obligation is directed at the bank as opposed to the management body but includes the requirement that the management should have full relevant information. Accounting policies and reconciliation of 194 BULGARIA accounts or control lists are not mentioned. (c) checks and balances (or “four eyes principle”): Segregation of duties is addressed under Article 6 as noted above but dual controls or cross checking is not covered specifically in the laws and regulations. Nevertheless, the internal RAS Manual which sets the requirements for assessment by the supervisory teams, cites the need for segregation and dual controls to be assessed in particular with respect to credit and market risk operations. (d) safeguarding assets and investments Safeguarding assets is addressed at a high level in Article 2(1)(5) of the Ordinance and there is some reference to IT controls in Article 12(1)(3) of the Ordinance whereby the management body must adopt internal policies that limit fraud and irregular access to information. This is also reflected in the obligations of the Internal Audit function set out in Article 14. EC2 The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. Description While there are no specific legal requirements for back office and control functions relative to and findings business origination, high level requirements are in place. For example, Article 3(2) requires that the re EC2 effectiveness of internal control must be “assured by organizing it in a prudent and sufficient manner.”Articles 5 and 6 place the responsibility of the Managing Board and senior management for ensuring a strong control environment. Under Article 5(9) of Ordinance 10, the Board is required to ensure appropriate training, appraisal and promotion for the staff in charge of control functions and Article 6 creates the obligation to segregate duties as appropriate. Taken cumulatively the law and Ordinance provide a framework to ensure the balance of skills as required by this criterion but the expectation is not explicit. In terms of a supervisory determination the supervisory teams have regard to Guidelines on the Supervisory Review and Evaluation Process and Risk Assessment System (RAS) Manual through their on-site inspection activities and interaction with the bank’s representatives. The SREP requires the BNB to carry out detailed analysis of its activities on significant business units or processes level, based on real and perceived risks and the adopted control mechanisms. The RAS Manual segregates the assessment of internal controls by different risk types (eg credit, market) and requires the supervisory teams to carry-out an assessment of the internal control system, as set out in the section on: “Management and corporate governance. Internal control” section. While there is no explicit reference to balancing the skills of personnel in the control functions with those in the business origination units, the Management Board is expected to stimulate “high ethical and professional standards and internal control culture, which would help reduce risks.” Equally, in the context of assessing human resource management (section under Internal Control) the RAS manual notes that “the employees’ professional level and the result - oriented performance of their duties and of the bank’s goals are the first line of defence against problems” which reflects an awareness of the significance of the balance of skills in the respective departments of the bank. Furthermore, samples of questionnaires in the manual reinforce the concept (with respect to informing supervisory judgment on whether the bank has ensured proper selection, remuneration, training and professional development of staff). 195 BULGARIA EC3 The supervisor determines that banks have an adequately staffed, permanent and independent compliance function93 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. Description Banks’ compliance with law and ordinances, observance of policy, plans, internal rules and and findings procedures is required to be part of the overall control framework in a bank, as set out in Ordinance re EC3 10 (Art 2(2)(6)). The requirements that the compliance function should meet are set out in section 27 of the Guidelines on Internal Management in Banks. As prescribed in the guidelines, and proportionate to the size and complexity of the bank's activities, each bank is expected to create a compliance function but this function can be combined with other departments such as the department for risk control. Reporting is to be made to the Board, and as appropriate, the department responsible for risk control. Normally, the compliance function will be assessed by the supervisor as an integral part of the whole risk management and organizational process in a bank via the SREP and the Guidelines on the Supervisory Review Process, includes a clear definition of a compliance function and expresses the expectation that the BNB supervisory team engagement with the compliance function will form a key aspect of the supervisory review. This process covers all aspects of business risks and internal governance (including risk control, compliance and internal control functions). During on-site inspections a Summary Report of activities performed in previous years by the Compliance function unit, as well as Action plan for the current year is required by the supervisors. EC4 The supervisor determines that banks have an independent, permanent and effective internal audit function94 charged with: (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with. Description Under the LCI, Article 74(1), banks are required to establish an internal audit function, and its and findings management shall be appointed and dismissed by the Shareholders’ General Meeting. re EC4 While high level requirements relating to reporting violations to the Board are contained in the LCI, the Guidelines on Internal Controls are more specific and confirm, in item 28, that the internal audit shall evaluate the effectiveness and efficiency of the internal control framework. Employees performing internal audit function, evaluate the adequacy of existing policies and procedures and 93 The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines. 94 The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative. 196 BULGARIA whether they meet the legal and statutory requirements. Also, chapter three of Ordinance 10 is dedicated to the Internal Audit function. Article 14 sets out the functions of the Internal Audit Unit. This comprises the examination and evaluation of the reporting and information system, usefulness of the analyses prepared, IT systems and data accuracy; compliance of operations with law, observance of internal rules and procedures, and whether objectives set by the management have been met; internal controls in conducting transactions; efficiency and effectiveness of the overall activity; the risk management systems, risk and capital adequacy assessment; reliability and timely submission of supervisory returns; whether the bank’s assets are properly safeguarded from ownerless treatment and fraud; adherence to contracts and commitments; and staff recruitment and training, as well as consistency of job descriptions with duties. The RAS Manual, part 6, “Management and corporate governance. Internal control” provides detailed expectations for the supervisory process and the on-site inspections are required to look at numerous elements in order to discern the effectiveness and efficiency of the internal audit function and its adequacy in relation to the bank’s business. An over-arching requirement for the assessment of the internal controls is that the inspection be forward looking in terms of how the bank might develop and not merely a retrospective analysis. EC5 The supervisor determines that the internal audit function: (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; (c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes; (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; (e) employs a methodology that identifies the material risks run by the bank; (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and (g) has the authority to assess any outsourced functions. Description (a) Resources and expertise and findings re EC5 Under Article 15 (1) of Ordinance 10, the internal auditors shall have: professional skills in applying the standards for the professional practice of internal auditing, procedures and techniques of auditing; knowledge and experience in applying accounting standards; knowledge of management principles and prudential banking. Furthermore, Article 16 establishes the requirements for the head of the internal audit unit. (b) Independence and status As set out in Article 13(1) of Ordinance 10, internal auditing shall be an independent appraisal function established within a bank to examine and evaluate its transactions, operations and control systems which shall be carried out by the internal audit unit. Its role (Art 13(2)) is to assist the Board and management in making decisions and conducting reviews. Article 14(3) explicitly confirms that the internal audit function shall be independent from and may not involve in other duties 197 BULGARIA (c) Kept informed The internal rule making provisions for internal audit, set out in Article 18 of the Ordinance (and stemming from the LCI, Article 74(3)) require that the internal auditors shall not only have unimpeded access to the assets and information but also direct contact of the head of the internal audit unit with management bodies. Article 14(2) requires that the internal audit function shall be empowered with unimpeded access to the decisions of the bank’s management bodies and other officials. (d) Full access As stipulated in Art 14 (2) of the Ordinance, and confirmed in the internal rule making requirements of Article 18, internal auditors, in carrying out their activities shall be empowered: 1. with unimpeded access to the bank’s premises and assets; the decisions of the bank’s management bodies and other officials; accountancy and information systems; 2. to require and collect statements and other documents, undertake inquiries in relation to the assigned tasks. Article 18 explicitly refers to right of direct contact with the management bodies (Board and executive management). The BNB Guidelines on Internal Controls, section 28(2) further reiterates that employees involved in internal audit shall have unlimited access to relevant documents and information in all structural and control units. (e) Appropriate methodology Under Ordinance 10, Article 19 (2) All subjects to control shall be covered within a control period of up to two years. The frequency of control actions concerning individual subjects and control systems shall be determined according to their significance and potential risk for the bank. (f) Audit plan Article 17 of Ordinance 10 requires the annual audit plan to be approved by the management body and the head of the internal audit function, under Article 19(1), must estimate the resources and approve detailed programs of execution with a view to implementing the audit plan. Article 24 provides that an annual report on the activities of the internal audit function and the execution of its audit plan must be made to the management body (board and executive management) and also to the shareholders’ general assembly. (g) Outsourced functions Under the Guidelines on Outsourcing issued by the BNB and based on the CEBS guidelines, all outsourcing contracts must require the provider of the outsourced activities to allow the internal audit and compliance units of the bank (as well as the external auditor of the credit institution) full access to its database, complete and unrestricted rights to review and verify these data. Furthermore, the contract must permit corresponding access to the outsource provider’s premises and database by the supervisory authority (ie the BNB). As noted above, the RAS Manual includes a specific chapter on Governance, corporate management and internal control in banks and an assessment of a bank’s internal controls is one of the main elements of the risk assessment – CAMELOS. Banks are required to provide extensive information to the BNB ahead of an on-site inspection to facilitate the assessment. In turn the supervisory team check on control mechanisms and audit. The information requirements and scope of the assessment are noted below: Information requirements the bank must supply to the BNB:  Summary report on the activities of the Internal Audit;  Annual work plan of the Internal Audit Unit for the previous couple of years and listing of the checks carried out in those years. Rules and procedures for the operation of the unit. (During the inspection some of these reports of checks carried out by the unit might be required). 198 BULGARIA  A copy of the internal audit report of the last cash operations and cash balances check in the bank’s headquarters, authenticated by the signatures of the representatives.  Information on the number of employees with IT qualification in the specialized unit of Internal Audit.  Reports and findings of the operational risk and IT-risk internal audits. Ad-hoc inspections of the Internal Audit Unit in the event of incurred damages and losses for the bank.  Under SREP Guidelines on requirements for assessing the nature and scope of internal audit activities, the assessment is expected to establish the following:  Quality and comprehensiveness of the internal rules governing the activities of the Audit Department;  Degree of independence of the unit (incl. of individual employee);  Sufficiency of staffing - such as number of employees and specialized expertise (incl. at least one IT specialist, operational risk specialist, market risk, etc.).  Quality of reports, the reporting hierarchy and order to address the identified violations;  To what extent the checks of the unit are risk-oriented and/or focused on the daily activities of the bank;  The Audit Plan of the current reporting period and the level of performance/execution of this plan;  Annual report - completed checks from the previous reporting period: key findings (review of cross- checks in connection with the most important recommendations);  Major violations – for a period at the discretion of the inspection;  Whether the requirements on the frequency of audit checks, as stipulated in Ordinance 10, have been met.  Is the participation of the Head of Audit Unit allowed in the operational work of the bank, and how – for example, in the preparation of internal legal framework, participation in some committees/councils, etc. Assessment Largely Compliant of Principle 26 Comments The key regulatory framework for the internal control and audit function is contained in Ordinance 10, most of which dates from 2003. This framework is based on sound principles, though mostly at a relatively high level. The supervisory practice of the BNB is supplemented by reference to CEBS/EBA guidelines and is substantively articulated in the RAS Manual. As with other risk and control areas, establishing whether banks have adequate and effective internal controls is an important function of the on-site inspection process. The BNB has been able to track the development of the state of internal controls across the banking system and has witnessed improvements, as well as evidence that internal audit reports are increasingly being used to inform decision making processes. There has been some growth in specialist resources also – including IT specialists within banks. However, the limitation on the frequency of inspections and the relatively light degree of commentary and analysis reflected in reports the assessors reviewed, and the concern identified in CP9 that the baning supervision and special supervision departments might not have a fully integrated assessment of a firm, indicates that while the significance of internal controls is fully recognized by the BNB and is incorporated into the composite risk assessment of the banks, the quality of work in this area is starting to lag. Although the internal manual makes relevant reference to EBA guidelines, and is not out of date per se, it is recommended that the BNB consider refreshing internal guidelines to ensure current good practices are fully reflected. As with CPs 14 and 15, Ordinance 10 warrants a revision to articulate the supervisor’s expectations and requirements. Recommendations 199 BULGARIA o Revise Ordinance 10 to confirm and enhance supervisory requirements in internal controls o Refresh the RAS Manual in respect of internal controls Principle 27 Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. Essential criteria EC1 The supervisor95 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. Description Under Article 75 of the LCI banks shall prepare their financial statements based on the Law on and findings Accountancy, and in compliance with the requirements of the BNB. re EC1 According to the Law on Accountancy (Article 24) the management bodies of the undertaking shall be responsible for the drawing up, timely preparation, contents and publishing of the financial reports and the annual activity reports thereto. According to the Law on Accountancy all banks operating on the territory of the Republic of Bulgaria must prepare their public financial statements on the basis of IAS/IFRS, adopted with Regulation (EC) No 1606/2002 of the European Parliament and of the Council on the application of international accounting standards. Banks and banking groups must submit to the BNB financial statements which reflect their financial position both individually and on a consolidated basis. Banks that are subsidiaries in a banking group, financial holding company, mixed financial holding company or mixed holding company shall submit to the BNB consolidated financial statements of the group or the holding company they are part of. Rules and requirements for information systems are reflected in Article 67 of the LCI and requirements for recordkeeping are prescribed by the Law on Accountancy (Chapter Six – Storing of the accounting information). EC2 The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. Description According to the requirements set in Article 76 (1) of LCI the annual financial statements of each and findings bank and the supervisory reports as determined by the BNB shall be audited and certified by a re EC2 specialized auditing company which is a registered auditor under the Law on the Independent 95 In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors. 200 BULGARIA Financial Audit (LIFA). According to Article 38 of Law on Accountancy the annual financial reports of the banks are subject to independent financial audit. The audit of the public financial reports is conducted in accordance with internationally accepted auditing practices and standards and related procedures determined by International Auditing Standards (Article 2 of the LIFA). EC3 The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. Description The EU regulation 1606/2002 applied international accounting standards to all listed companies in and findings the European Union. re EC3 Under Article 75(1) of the LCI, banks are obliged to prepare their financial statements based on the Law on Accountancy and with the requirements of the BNB. Under Article 22a(1) and (2), and in connection with Article 38(1)(3) of the Law on Accountancy, banks must prepare and submit their annual financial statements using IFRS and IAS. The valuation rules also are based on the IFRS and IAS. All banks in Bulgaria report their financial, and prudential statements using IFRS. As a starting point the same valuations are used for financial reporting purposes and for regulatory purposes. However, for regulatory purposes different haircuts are used when assessing the need for impairments and for solvency needs. Under Article 103(2)(20) of the LCI, the BNB may require special provisioning policy or treatment of assets through capital requirements, although at present this is not the case – see CP18. There are requirements related to uncertainty of the fair values. According to Article 34 of CRR banks have to apply the requirements of Article 105 to all assets measured at Fair value deduct (from CET1) any additional valuation adjustments for purposes of regulatory capital calculations. CRR Article 105 relates to requriements for prudential valuation. The European Banking Authority (EBA) published in January 2014 iits final draft Regulatory Technical Standards (RTS) laying out the requirements related to prudent valuation adjustments of fair valued positions. The objective of the draft RTS is to determine prudent values that can achieve an appropriate degree of certainty while taking into account the dynamic nature of trading book positions (noting that there is only one bank with a trading book). On 23 January 2015 the European Banking Authority (EBA) published an amended version (EBA/RTS/2016/06/rev1) of its final draft Regulatory Technical Standards (RTS) on Prudent Valuation. Nevertheless, the provisions of the CRR do not fully meet the criterion. There is no explicit requirement for fair value estimates to be subject to independent verification and validation, though inspectors are directed to assess and consider valuation techniques that are in use. EC4 Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. Description The BNB does not have the power to establish the scope of external audits of banks and the and findings standards to be followed in performing such audits. The external auditors follow IAS. re EC4 201 BULGARIA In some circumstances, Article 80(4) of the LCI, permits the BNB, in exercising its supervisory powers, to appoint independent experts to evaluate the bank's assets and may require that the bank reflect the results of this evaluation in its financial statements or supervisory reports. EC5 Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. Description Under Article 11 of the LIFA, the scope of the audit must be compliant with prevailing legislation and and findings the International Auditing Standards and which cover the elements of this criterion. See also EC 4 re EC5 above. EC6 The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. Description The BNB has the power to object to the appointment of an auditor. Under Art 76(4) of the LCI banks and findings are required to consult with the BNB in advance of appointing an auditor. Under Art 76(5) of the LCI re EC6 an auditor must not have been in breach of the LCI or its implementing regulations during the previous three years. The bank shall be notified in writing of the BNB’s objection under the requirement for advance coordination within 14 days from the date of the request for coordination. If within this 14-day period the BNB does not make any objection, the proposal shall be considered approved by the BNB. (Article 76 (6) LCI). EC7 The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. Description The BNB does not have the power to require the rotation of the external auditors. Under the Law of and findings the Independent Financial Audit (Article 40m) there is a mandatory rotation of the senior partner re EC7 after 5 years. Following rotation, the relevant partner may return to the audit of the bank after a further two years. EC8 The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. Description The BNB conducts ad-hoc meetings with external auditors on particular issues of common interest and findings and in the course of soliciting views when making amendments to the supervisory legal framework. re EC8 There is no framework for regular dialogue between the BNB and the external audit profession, either in a general fora or on a bilateral or trilateral basis (with the relevant bank also present). When communication takes place with the external auditor, the Director of CISD and the Deputy Governor are normally involved, together with the inspection team, if relevant. EC9 The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in 202 BULGARIA good faith cannot be held liable for breach of a duty of confidentiality. Description Under Article 77 (1) of the LCI: The auditors shall forthwith and in writing inform the BNB about any and findings circumstances that have become known to them during the audit and which: re EC9 1. are breaches of the laws, by-laws and the BNB’s acts which regulate banking activities; 2. affect or might affect the bank’s normal operation; 3. lead or might lead to a situation where the bank is unable to fulfil its monetary obligations; 4. make the auditor refuse to certify the financial statements or express his dissent upon certifying the financial statements; 5. are related to actions of the bank’s administrator that cause or might cause substantial damages to the bank or its customers; 6. are related to untrue or incomplete data in the statements and reports that banks regularly present to the BNB. Auditors bear no responsibility for the breach of any legal or contractual provisions on confidentiality in the cases where they have in good faith submitted information to the BNB in accordance with this Law (Article 77 (4) LCI). Additional criteria AC1 The supervisor has the power to access external auditors’ working papers, where necessary. Description The only documentation to which the BNB has access is the annual audit report and any reports and findings which are presented to the Audit Committee. re AC1 Under Article 77(2) of the LCI the auditors upon the BNB’s written request, submit to the BNB the relevant documentation and any other information or documents obtained during the audit in relation to issues covered in Article 77(1) such as breaches of the law, issues which might affect the bank or cause substantial losses to the bank or its customers, the risk that the bank will not be able to fulfill its obligations and in relation to the risk that the auditor would have to refuse to certify the financial statements. In other words, the BNB’s powers are only triggered in the event of breaches of Article 77(1). Assessment Materially Non Compliant of Principle 27 Comments The BNB has some powers and authority with respect to external auditors but there are important deficiencies. The BNB has no access to the auditor working papers, including the management letter submitted to the audited bank. There is the possibility of greater powers to supervisory authorities being provided through legislative changes in the EU, but the outcome of proposals and timing is likewise uncertain. The BNB has no authority to insist on the rotation of an auditor (either of the firm or the senior partner) although the law provides a backstop rotation requirement for the senior partner. While the law provides a minimum compliance with the relevant criterion, in the context of a concentrated market where one firm alone is responsible for the audit of over half the banking system, this issue is a significant concern. Finally, although the LCI (Article 76 (5) together with the provisions of 76 (4) and (6)) give the BNB the right to refuse a reappointment of the auditor there is some uncertainty in terms of the circumstances under which this power could be used (e.g., systemic breaches or failure to perform 203 BULGARIA rigorous analysis on bank’s financial statement, professional negligence, misleading statements provided to the banks, etc.). In other words, while the LCI provides a form of power of dismissal of an auditor, the legal provision is not clearly specified and in practice would be likely to discourage the BNB from exercising this power except in the most obviously egregious circumstances. In terms of supervisory practices, the BNB has to date had a somewhat remote relationship with the external audit community. It is important for the supervisory and audit community to have a strong understanding of each others’ perspectives and responsibilities and it is unclear from a number of the assessors’ discussions that this mutual und erstanding is as deep as it needs to be. To date it has not been common practice to meet with the auditors of the banks, whether on a bilateral or trilateral basis. Nor, although there occasional exceptions, such as when major Ordinances have been repealed, has it been the regular practice of the BNB to meet with the external auditors collectively. On a related point, the LCI (Article 76 (7) and (8)) gives the BNB the right to require external auditors to provide a report addressing reliability of a bank’s internal control systems and compliance of the bank’s supervisory reports. The obligation for a report on banks supervisory reports has fallen away with the introduction of the CRR (it was enforced through an Ordinance that was revoked due to the CRR) and the BNB is awaiting submission of reports on internal controls. The BNB has not yet felt that these reports have been of strong utility and this may reflect, in part, a general weakness in mutual understanding between the auditors and the BNB. Several commentators indicated to the assessors that the depth of understanding of IFRS throughout the BNB supervisory staff may be not be as strong as needed. This concern is not unique to the BNB, of course, as it is a common challenge for supervisors to experience, but it must be noted that challenges will increase in the near future with the introduction of IFRS 9. While the assessors also note that the BNB has access to high quality external advice on IFRS advice, it also needs internal resources. One of the supervisory practices is for the BNB to include matters for the attention of the external auditor in its inspection report to the bank. The auditor is not independently notified whether an inspection has taken place and/or whether it has led to matters for the external auditor’s notice. At present some banks appear to be uncertain whether they are permitted to share the inspection reports, and auditors not necessarily aware that an inspection has taken place or of the existence of a report that may have specific findings for them to note. A straightforward notification procedure would suffice to ensure clarity. Recommendations o It is recommended that the competent authorities in Bulgaria consider relevant domestic amendments where this is legally allowable within the wider EU framework to address the deficiencies including providing the BNB with the clear ability to insist on a change of auditor in the wake of poor quality audit or other supervisory concerns, the right to insist on the rotation of the audit firm and of the senior partner, and right of access to audit working papers and the management letter. o It is recommended that the BNB establish a framework for a regular dialogue, both at a collective level and in respect of individual institution level. In view of the forthcoming challenges of implementing IFRS 9 this dialogue will be particularly valuable. o It is recommended that the BNB include an analysis of IFRS experience and understanding in its skills mapping and needs assessment and take steps to ensure investment in training and recruitment as required. o It is also recommended that the BNB put in place an administrative practice to ensure that when it prepares on-site inspection reports which contain recommendations addressed to 204 BULGARIA external auditors, that the external auditor is notified and is aware of this. It would be common practice to contact the auditor directly. o In respect of more technical issues, and in the light of the importance of valuing the balance sheet reliably, it is recommended that the BNB issue its own requirement to ensure that banks are aware that they must put in place independent verification and validation for fair value estimates. It is clear from the RAS manual the BNB is aware of the importance of this issue, but it would send an important signal from the supervisors, not least in relation to the importance of the reliability of supervisory data, if this requirement were emphasized by the BNB Ordinances. Principle 28 Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. Essential criteria EC1 Laws, regulations or the supervisor require periodic public disclosures 96 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. Description The LCI confirms a number of disclosure requirements. Under the LCI (Art 75) banks must prepare and findings their financial statements according to the Law on Accountancy, and in compliance with the re EC1 requirements of the BNB. Article 40 of the Law on Accountancy stipulates that a bank shall publish its annual financial statement and consolidated financial statement, the annual management report and the annual consolidated management report, adopted by the general meeting of the shareholders. Further, under Article 70 of the LCI banks must publish their balance sheet and profit and loss account every 6 months in at least one central daily newspaper. In their audit reports, registered auditors who carry out independent financial audit of financial statements must express also an opinion on the correspondence between the annual management report and the annual financial statements (for the same reporting period) and/or on the correspondence between the annual consolidated management report and the consolidated financial statements. The annual financial statement must be audited and certified by a specialized auditing company which is a registered auditor under the Law on the Independent Financial Audit. The Basel equivalent Pillar 3 disclosure regime is governed by the CRR, under Part Eight. Disclosure on a consolidated basis is carried out once a year in six months term after the end of the period to which it relates. When a Bulgarian bank is also a subsidiary of a wider banking group, disclosures are also made at the Bulgarian level and not only at the level of the ultimate parent entity. The CRR, Article 433, also requires banks to assess whether more frequent disclosure – full or partial basis – is necessary in the light of the relevant characteristics of their business such as scale of operations, range of activities, presence in different countries, involvement in different financial 96 For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor. 205 BULGARIA sectors, and participation in international financial markets and payment, settlement and clearing systems. Within 6 months of the BCP assessment being carried out, the BNB intends to implement the EBA Guidelines on materiality, proprietary and confidentiality and on disclosure frequency under Articles 432(1), 432(2) and 433 of CRR. To the degree feasible the disclosures must be provided through the official website of the bank and in at least one medium or location. There are also disclosure requirements stemming from the issuance of securities by publicly listed companies, including the EU Prospectus and Transparency legislation, including Directive 2010/73/EU amending Directives 2003/71/EC (prospectus) and Directive 2004/109/EC on the harmonizing transparency requirements. These directives have created a common basis for the periodic disclosure of information, and including major shareholding notifications. The Financial Supervision Commission (FSC) is the responsible competent authority for implementing this legislation. EC2 The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. Description The CRR, Part Eight, Title II contains extensive technical criteria on the disclosure of own funds, and findings capital requirements, capital buffers, risk management objectives and policies, exposure to re EC2 counterparty credit risk, credit risk adjustments, exposure to market risk, operational risk, exposure to interest rate risk on positions not included in the trading book, exposure to securitisation positions, governance arrangements, remuneration policy, etc. The disclosure of own funds requirements is also set out in Commission Implementing Regulation (EU) No 1423/2013. Disclosures are both qualitative and quantitative in nature. Under Article 70(2) of the LCI each bank must disclose on its official website information about compliance with the requirements of the LCI and related acts in the field of corporate governance and remuneration. Article 436 of CRR requires banks to disclose information regarding the scope of application of the requirements of the CRR in accordance with CRDIV – ie differences in the basis of consolidation for accounting and prudential purposes, with a brief description of the entities therein. Under Article 70, paragraph 5 of the LCI parent companies must publish annually – in fully or by reference to equivalent information – description of the legal structure and managing and organisational structure of the group, including persons with whom they have close links. Close links is a defined term under EU legislation. In accordance with Article 431 of the CRR, banks must adopt a formal policy to comply with the disclosure requirements laid down in Part Eight of CRR, and have policies for assessing the appropriateness of their disclosures, including their verification and frequency. As noted in EC1, banks must assess the need to disclose more frequently than annually and must have policies for estimating whether their disclosures convey their risk profile comprehensively to market participants. The BNB has common requirements for all banks and may require public disclosure of additional information. (Article 103, paragraph 2, point 19 of the LCI). In addition to the supervisory requirements for disclosure, there are also disclosures related to accounting policy, basic business and management, which have to be made in accordance to IFRS 7 ‘Financial instruments: Disclosures’ and every particular standard. The disclosures of aggregate 206 BULGARIA exposures to related parties, transactions with related parties are also prescribed in the IFRS. See also EC1. In practice the BNB commented that banks’ approach to disclosure had been varied. Some had been ready to make meaningful qualitative disclosures, covering such issues as strategy and risk appetite while other banks had wanted to make very limited disclosures on qualitative issues, concerned that they were at risk of disclosing sensitive information to competitors. Some standardised templates for disclosure of certain topics – for example own funds, encumbered assets, leverage ratio are available and some will be in place for the first time for 2014 disclosures. In the view of the BNB banks’ practices had improved since “Pillar 3” issues were first disclosed. EC3 Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. Description Each bank shall disclose annually the information in accordance with the LCI (Art 70(6)) on a and findings consolidated basis separately for the Republic of Bulgaria, for other member states and for third re EC3 countries in which the bank has subsidiaries or branches established. This information is subject to an independent financial audit and must be published as an annex to the annual financial statements on a solo, or when applicable, on a consolidated basis. The BNB indicated that they were satisfied by the quality of banks’ disclosures in relation to their group structures. EC4 The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. Description Disclosures contained in banks’ annual financial statements are reviewed by external auditors, as and findings required by the LCI, Article 76 (7). Not only must the auditors provide an opinion on whether the re EC4 bank’s financial position has been presented truly the auditor must also review and express an opinion on the compliance of the bank’s annual financial statements and supervisory reports with the requirements of the LCI and the ordinances for its implementation. The results of the audit of the annual financial statements must be presented in a separate report for supervisory purposes, prepared as required by an ordinance of the BNB and submitted to the BNB. EC5 The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). Description The BNB Banking Supervision Department regularly (on monthly and quarterly basis) publishes and findings aggregate information for the banking system, as well as data for the individual commercial banks. re EC5 The dataset is comprehensive and contains information on financial statements, liquidity, capital adequacy, loans and advances, securities, attracted funds, etc. This information comes in addition to other published statistical information, collected by the BNB for the purposes of monetary statistics reports. Level of presentation of the data o Banking system aggregate o Distribution of banks by groups: banks are assigned to one of three groups, based on their 207 BULGARIA asset size and the group is reviewed and amended as necessary at the end of each reporting period. The first group consist of the five largest banks, the second group comprises all of the remaining banks, and the third group comprises the branches of foreign banks in Bulgaria. o Individual banks Type of information o Balance sheet and income statement of the banking system and by groups of banks (ie the 3 groupings of banks in Bulgaria). o Detailed structure of the securities, loans and advances and funding of the banking system and by bank groups: o The securities’ template presents the investment portfolio of the banks in terms of capital and debt instruments as well as investments in associated companies, subsidiaries and joint ventures. o The loans and advances’ template comprises the structure of loan portfolio which encompasses loans to credit and non-credit institutions, loans to governments, to corporates and retail exposures (residential mortgage loans to individuals and consumer loans). This template also contains information on the FX structure of the credit exposures, the interest income, and impairments. o The template on funding contains information on the funding sources of the banking system, the FX structure of funds and the cost of funding. o Credit quality and impairments: This template comprises data related to gross and net values of credit exposures, the amount of impairments (according to IAS 39) and detailed structure of the performing and non-performing loans. Non-performing loans are presented in three categories, namely past due 30-90 days, past due 90-180 days and past due over 180 days. o Liquidity position and liquidity buffers of Bulgarian banking system in accordance with ordinance № 11 on liquidity management and supervision on banks: The template contains information on the amount of liquid assets and liquidity ratio for different maturity intervals. o Capital ratios according to the new regulatory framework. Type of publications related to the supervisory data on the banking system The Bulgarian National Bank through its Banking Supervision Department publishes a monthly Press release on the condition of the banking system, on a quarterly basis, a bulletin on Banks in Bulgaria. In addition the Banking Supervision Department, based on an informal agreement, issues additional information, such as reports based on surveys on the economic environment and its impact on the banking system. Such information is based on the data, received through the annual survey on aspects of banking activity as well as on the survey of quarterly credit activity. Additional criteria AC1 The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period. Description Under the LCI (Art 70 (6) and (7)) banks must disclose annually the following information on a and findings consolidated basis separately for the Republic of Bulgaria, for other Member States and for third re AC1 countries in which the bank has subsidiaries or branches established: - name, description of activities and geographical location; - size of the turnover; - equivalent number of full-time employees; 208 BULGARIA - financial result before tax; - taxation; - return on assets obtained as the ratio of net profit to total assets; - government subsidies received. This information is subject of an independent financial audit and must be published as an annex to the annual financial statements on an individual basis or, when applicable, on a consolidated basis. Assessment Compliant of Principle 28 Comments The BNB, as a supervisory authority, provides public access to a wide range of data, including bank by bank breakdown. Several market participants commented on the utility of this disclosure. The quarterly bulletin on the condition of the banks in Bulgaria was also frequently praised. Principle 29 Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.97 Essential criteria EC1 Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and reg ulations regarding criminal activities. Description The Bulgarian regime against money laundering is governed by the Law on Measures against Money and findings Laundering (LMML) and the Regulation on the Implementation of AML Act (RILMML). The last re EC1 revision of the act was made in 2014. A separate law on Measures against the Financing of Terrorism (LMFT) was passed in 2003. Both acts implement the 40 FATF Recommendations and transpose the requirements of the Third European AML Directive. In terms of compliance with AML/CFT requirements in banks, the Bulgarian regime consists of a dual and parallel mechanism of supervision. Both the BNB (whose powers have already been discussed under CP1) and the Financial Intelligence Unit are competent for monitoring conformity with the AML/CFT obligations in credit institutions. However, legally, the primary responsibility for the supervision of AML/CFT measures for all subject entities rests with the Financial Intelligence Unit (FID-SANS). A memorandum of understanding has been signed between the two bodies that govern the mechanism for cooperation and information sharing in 2003. This MoU is under revision. 1-The role of the Central Bank. Art.3a of the LMML and art.9a of the LMFT impose obligations for the supervisors, i.e. BNB to perform inspections in banks for compliance with the AML/CFT 97 The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 , and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle. 209 BULGARIA legislation. To that end, the BNB has established the Special Supervision Directorate (SSD). The SSD, established within the Banking Supervision Department (BSD) is however separate from the directorate performing on-site prudential surveillance. SSD has its own team of inspectors to carry out its duties and determines its own inspection planning; it can also perform on-site visits at the request of the FIU. The Unit has no authority over other institutions such as money changers or money transfer services. In case of non-compliance or any suspicion related to ML/FT that has not been reported, the BNB is obliged to inform in a timely manner the FID. Additionally, the BNB can take enforcement measures (including pecuniary sanctions) under art. 103 of the LCI. The SSD also coordinates the BNB relationships with the FIU, the law enforcement authorities and the Prosecutor’s office . It also takes part in the AML-expert groups at the national and the EU-level. 2-The role of the Financial Intelligence Unit. The Bulgarian State Agency for National Security (SANS) that was established in 2008 by the Law on State Agency for National Security 98, incorporates within its structure a specialized administrative directorate for financial intelligence called the Financial Intelligence Directorate (FID). The later collects, stores, investigates, analyzes and discloses financial intelligence information under the terms and procedures as laid down in the LMML and the LMFT. The FIU is also empowered by the law to oversee AML/CFT compliance in the banking industry by performing on-site visits, either on a stand-alone basis or jointly with the BNB. In fact, supervision of the implementation of the AML/CFT in banks is the primary responsibility of the FID but it is obvious that the FIU cannot undertake alone the entire supervisory activity for all the reporting entities, therefore it is supported in its supervision duties by the BNB for all aspects relating to banks. There are mechanisms in place to ensure effective cooperation between the two bodies, especially in terms of inspection planning. Both the FIU and the BNB hold annual meetings to decide areas to inspect based on their respective sources of information (e.g STRs). These meetings allow to decide which banks to assess either jointly or separately. Also, there are on-going interactions between the IU and the BNB even during separate on-sit visits. In several cases, the BNB alerted the FIu on suspicious operations that were not reported by the bank. Information exchange also applies after the on-site missions; the BNB shares its inspection report with the FIU and conversely, the FIU shares with the BNB its general conclusion should a major problem arises. The two bodies also cooperate on training matters; the BNB. As for enforcement of AML compliance, the BNB resorted mainly to written order while the FIU has applied, in rare occasions though, pecuniary sanctions. While cooperation has proven effective in multiple key areas, there is no coordination when it comes to enforce the law and apply sanctions for AML breaches. EC2 The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. Description and findings Supervisory expectations with regard to the existence of policies and processes to guard against re EC2 criminal activities are contained in the LMML and the LMFT and subsequent guidelines issued by the BNB, in particular the one issued in 2012 for creating uniform practices tailored to the size and type of the bank’s services. These guidelines define, inter alia, the condition for applying CDD measures in 98 The main responsibilities of the State Agency include activities regarding the National security (territory integrity and sovereignty, economic and financial security). It is responsible before the Council of Ministers and is an independent administrative entity, with its own budget. 210 BULGARIA normal, low risk or high risk cases. The LMML and the LMFT contain provisions on customer due diligence requiring banks to adopt, develop and implement control mechanisms to prevent and detect activities related to ML/TF. To that effect, banks are required to (i) establish proper due-diligence policies and methods regarding the clients, including KYC (art.9), (ii) set up internal control mechanisms to detect unusual activities, (iii) refuse the opening of anonymous accounts or accounts under a fictitious name, (iv) have enhanced scrutiny with respect to high risk customers 99 (e.g., PEPs, correspondent accounts, foundations, Trusts, customers residing in off-shore centers) (v) establish procedures to report suspicions to the FIU, and (vi) appoint an AML officer in charge of communicating these transactions to the FID. The LCI also obliges the banks to create compliance systems in accordance with the best practices. In particular, Art. 73 (1) of the LCI requires that the competent managing body of each bank shall adopt and regularly review in accordance with the best internationally recognized practices for corporate governance of banks, the systems for prevention against the risk of money laundering. The verification that banks have adequate policies and processes to prevent them from being used for criminal activities is mainly done on-site by the BNB and the FIU, separately or jointly. To that end, the BNB has established a very detailed methodology (initially with the technical assistance of the US and the UK100) offering BNB inspectors guidance every step of the way. Before starting an on-site visit, the SSD will send a letter to the bank requesting a comprehensive set of materials that can be grouped by areas of control. For risk assessment for example, the bank will have to submit the following documents: list of high- risk account; the KYC and CDD program; list of all accounts held by customers whose files do not contain legally required information and documents; list of all credit and banks where the "reliance on third party" principle is applied by the bank, etc. Another set of documents to be required ahead of the mission relates to STRs and includes: copy of STRs files and the accompanying documentation sent to the FID; analysis, documentation and position on suspicious cases that have not been reported to the FID; description of the monitoring procedures applied to high-risk accounts; description of the bank’s surveillance systems101; and copies of correspondences exchanged between the bank, the FID and the law enforcement and judicial authorities. Once in the field, SSD’s inspectors follow a detailed methodology of about 150 pages–constantly revised and updated- to evaluate the way banks identify and monitor their risks, detect suspicious activities and train their staff accordingly. SSD staff also uses detailed questionnaire for running their interviews with bank’s key personnel (Compliance Officers, person in charge of cash transfers, head of currency transactions services, staff responsible for account opening, etc). In addition to the review of materials mentioned above, the scope of BNB work encompass, inter alia, the following areas: (i) an analysis of the customer base, (ii) the bank’s c ategorization of customer base per risk profile, (iii) the identification and KYC procedures, (iv) measures for establishing the origin of funds subject to operations or transactions, (v) analysis –via transaction 99 For high risks customers, banks have to review customer files every month. 100After the accession of Bulgaria to the EU the Manual was updated based on the policy and documents adopted at the FATF and EU level including the papers drafted by the EBA. 101 When the system is purchased from an external company, the bank should provide information on this company, the date of program implementation in the bank and a description of the algorithm used. 211 BULGARIA samplings- of payments per type of operations made by the customer. The inspection will also evaluate the bank’s overall organization of work in relation to AML, including the respective roles of the AML officer and the internal audit; and (vi) staff training. Regarding STRs obligation in particular, BCP assessors were also told that, in several occasions, the BNB reported to the FID suspicious operations that banks did not detect and should have been reported. It is important to note that for 2014, the BNB led 16 AML inspections in banks and 18 for 2013. These inspections were full scope in nature. For off-site supervision purposes, and in particular for determining a risk-based approach for inspection planning, the SSD has developed a reporting mechanisms to collect data from banks on annual basis on PEPs, establishment of correspondent relationship outside the EU, number and amount of STRs, number of customers broken down by types, locations, volume of cash payment, etc. As indicated above, the FID also plays an essential role in assessing compliance with AML/CFT standards. The LMML sets out broad responsibilities for the supervisory activities of the FID over banks and other financial institutions. The FID is entitled to conduct both off-site and on-site inspections on the reporting entities. The regulation and supervision activities of the FIU focuses around the surveillance over the organization of the reporting entities' internal control mechanisms and inspections over compliance with AML/CTF measures. To that purpose, the Unit has developed a comprehensive supervision methodology consisting mainly in a risk assessment analysis. The risk assessment is prepared considering: the number of the STRs received from different subject entities; the findings of the inspections performed by supervisory authorities (the BNB); the number and amount of cash transactions according to the register under the Art. 11, Para 2 of the LMML. On the basis of this analysis, all subject entities are grouped in three categories: ”low–risk,” “medium–risk” and high-risk.” The risk analysis is taken into consideration in the process of inspection planning. Having said that, such risk assessments should also take into account: (i) the ML/FT risks that the bank is exposed to, which are inherent to the customer base it serves and the products/services it offers; and (ii) the quality of the bank’s systems/measures in place to manage the risks. According to the methodology, the FID shall carry three types of inspections: incidental inspection (conducted on the basis of a motivated request in writing from another SANS directorate, supervisory authority or other state authority which requires taking of urgent and timely actions), planned inspection (carried out on the grounds of a preliminary prepared and approved three-month plan) and thematic inspection (checking the implementation of certain requirements under LMML related to the use of the financial system for money laundering and financing of terrorism purposes). The table below provides data on the FID inspection program since 2011. Year Number of banks Type of inspection 2011 4 2 thematic and 2 full- scope 2012 8 1 joint with BNB and 7 thematic 2013 8 4 thematic, 3 joint with BNB, 1 planned 2014 5 1 thematic, 3 joint with BNB, 1 full-scope Source: FID. 212 BULGARIA EC3 In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank. 102 Description and findings There is no such requirement in the Bulgarian regime. BNB has not received any report for cases that re EC3 may cause material damages to the safety and soundness of a bank. In 2014, the BNB was informed by a bank about a fraud scheme and consecutive attempt for ML. The information was disseminated by the BNB to the banking system as an alert for avoiding similar attempts in other banks. EC4 If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. Description According to Art. 3a (1) (2) of the LMML, the BNB shall provide information to the FIU when, in the and findings course of its duties, the supervisor has discovered operations or transactions suspected to stem from re EC4 money laundering activities. The mission was informed that such reports have been made in the recent past. EC5 The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management programme, on a group-wide basis, has as its essential elements: (a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; (b) a customer identification, verification and due diligence programme on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant; (c) policies and processes to monitor and recognize unusual or potentially suspicious transactions; (d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); (e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships 102Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national centre, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU. 213 BULGARIA with these persons); and (f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period. Description and findings The requirements for customer identification are laid out in the LMML and the LMFT. Customer Due re EC5 Diligence and KYC requirements are generally comprehensive when it comes to banks. KYC requirements encompass: customer identification including the beneficial owner 103, verification and due diligence program particularly in relation to high-risk customers. In the case of legal entities and individuals which carry out entrepreneurship activities, banks shall obtain the following information: full name of the company, legal form, address of headquarter, UIC (Unified identification code), original or a notarized copy of the official statement of good standing, certified copy of the article of association, etc. The BNB guidelines also require the bank to perform certain due diligence in relation to UBO. As a part of review and verification of a customer who is a legal person, the bank is obliged, besides the identification, to confirm the beneficial owner of that legal person. The bank implements the measures in order to gather information about the person who is the beneficial owner. When it comes to a high-risk customer, the bank must confirm the given data, if they were not received from a reliable and independent104source of information. In practice however, banks are still struggling in collecting data on beneficial ownership. A reputable external audit company told the mission that there are still a significant number of companies (borrowing funds or having accounts in banks’ books) located overseas, sometimes in off -shore centers and whose ultimate beneficial ownership has not been clearly established. The audit firm recommended that banks should strengthen their KYC procedures and establish more robust processes to trace back ownership up to the very end of the chain. In terms of record keeping, rules have been set up on what records must be kept on customer identification and individual transactions. The law stipulates that banks should implement procedures for storing all data about their customers, including information on customer identification and individual transactions. All information and documentation must be kept for a period of not less than five years. However, there is no legal basis for keeping transactions records and identification data for longer than 5 years if necessary, when properly required by a competent authority. In addition, banks are required to adopt policies and processes to monitor, identify and report suspicious transactions. The law also provides for internal control mechanisms to monitor identity and report unusual transactions to the FIU. Further, the law requires banks’ internal AML/CFT procedures to be reviewed and approved by the chairman of the FID, something relatively uncommon. For Politically Exposed Persons (PEPs), the law requires banks to adopt procedures for mitigating risks arising from PEPs. Banks are obliged to elaborate effective internal systems to determine if a 103The 2013 MER notes that the definition of beneficial owners is not fully compliant with the FATF standard (See the table of “Ratings of Compliance with FATF Recommendations,” 1st and 4th bullets under Recommendation 5). 104for example if the only source of data during establishing the identity of a customer was a written statement of the legal representative; in that case the bank must verify the data up to that extent until it gains understanding about the ownership of the legal person and the structure of its control, in order to identify all beneficial owners of the customer. 214 BULGARIA client is a PEP or a related person to a PEP. Such systems can be based on different sources of information: information gathered through the application of enhanced due diligence measures; written declaration required from the customer with the purpose of determining whether the person falls within the categories of PEPs and information received through the use of internal and external databases. It seems that banks are not required to identify beneficial owners who are PEPs and apply enhanced scrutiny. As part of its on-site work, the BNB verifies compliance with CDD/KYC stipulations and other requirements as mentioned above. From their discussions with SSD staff, BCP assessors are of the opinion that inspectors are giving particular attention to these topics. In the inspection reports reviewed by the mission, there were several observations or comments in relation to the lack of proper documentation, as well as weaknesses in the way unusual transactions are determined and monitored. The mechanisms for reporting suspicious activities to the FID are also examined during on-site visits and the BNB found several cases that would have warranted a report to the FID. It is also noteworthy that banks are obliged to pay special attention to any money laundering threats that may arise from new or developing technologies (e.g e-banking) that might favor anonymity, and take measures, if needed, to prevent their use in money laundering schemes – art. 5c LMML and art. 8b RILMML. EC6 The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include: (a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and (b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks. Description The LMML (Art. 3b and Art. 5 b) requires banks to apply enhanced CDD measures in relation to cross and findings border banking (it is noteworthy that such requirements apply only to relationships with FIs from re EC6 non-EU jurisdictions105). Banks should undertake the following actions. Upon entering into correspondent relationship with a credit institution from a third country, credit institutions shall: (i) collect sufficient information about the respondent credit institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision; (ii) assess the internal control mechanisms against ML/TF implemented by the respondent institution; (iii) organize the process in such a way so as to obtain approval from senior management of the credit institution before establishing new correspondent banking relationships; (iv) document the respective responsibilities of each correspondent institution with regard to the measures against ML/TF. Where third parties -customers of the respondent institution-, have access to the correspondent account, the credit institution must be satisfied that the respondent credit institution has performed identification, verified the identity and conducted ongoing monitoring of the customers having direct 105 2013 MER: See the table of “Ratings of Compliance with FATF Recommendations ,,” 3rd bullet under Recommendation 7 215 BULGARIA access to its account and that it is able, upon request, to provide relevant customer identification and other data to the correspondent in stitution. The same law prohibits banks from entering into correspondent banking relationships with banks incorporated in a jurisdiction in which they have no physical presence and which are unaffiliated with a regulated financial group. The same prohibition also applies to correspondent banking relationships with banks abroad that are known to permit their accounts to be used by banks incorporated in a jurisdiction in which they have no physical presence and which are unaffiliated with a regulated financial group. EC7 The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. Description and findings In order to confirm that banks have sufficient controls and systems in place for AML purposes, the re EC7 BNB has set up within the Department for Banking Supervision a Unit (the Special Supervision Directorate) made of 14 staff. However, since this directorate is also responsible for covering other issues (e.g transparency of products and monitoring of consumer trends), only 8 staff are operational for AML/CFT oversight. About 50 per cent of the banking sector is subject to an AML inspection every year from the BNB. In 2013, 18 banks were inspected and 16 in 2014. These inspections that can span 4 to 5 weeks depending on the size of the bank have led to the identification of a series of violations. The SSD staff consists of experts who have been working in the SSD for 14 years. The SSD staff involved in the AML/CFT supervision has relevant expertise to supervise the banks and relevant financial institutions for compliance with the AML/CFT regulations. All banks interviewed by BCP assessors confirmed the thoroughness of BNB inspections on AML and the professionalism of SSD inspectors. This is also consistent with the outcome of the 2013 Moneyval assessment. EC8 The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. Description and findings Two key authorities are legally empowered to take action against banks for failure to comply with re EC8 their AML/CFT obligations, the FID on the one hand, the BNB on the other. The range of sanctions for infringements of provisions of the LMML that are available to the FID include, inter alia, fines (with a cap of 50,000 BGN (€25,000)), written warnings and the power to compel the bank to undertake corrective actions. Although the maximum level of fine does not appear sufficiently dissuasive, the Bulgarian authorities informed the BCP assessors that in practice every violation of the LMML or LMFT carries a separate sanction and that the total level of fines might be much higher in case of multiple breaches. As shown in the table below, the FID has applied pecuniary measures for sanctioning particular breach over the past years. However, the FID has not exercised other powers at its disposal except in very few instances (3 written warnings in 8 years). In that respect, the FID prefers to exercise its “moral suasion” to reach greater conformity instead of resorting to more severe measures. The rationale is motivated by the desire to avoid any disruption in the market. 216 BULGARIA Year Number of banks Number of fines 2011 2 5 2012 5 11 2013 3 7 2014 3 8 Source: FID These fines have been motivated by the following breaches: no declaration of the origin of funds; incomplete identification or no declaration for the origin of funds; failure in record keeping; failure to report suspicion on a timely basis and cash threshold transactions not reported. The BNB also enjoys a wide range of powers discussed in detailed under CP 11, including administrative compulsory measures and administrative penalties. EC9 The supervisor determines that banks have: (a) requirements for internal audit and/or external experts 106 to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; (b) established policies and processes to designate compl iance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; (c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and (d) ongoing training programmes for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities. Description a) Ordinance No. 10 on the Internal Control in Banks subjects banks to the obligation of establishing and findings an organization and procedures for internal control purposes as a permanent process implemented re EC9 by management bodies and by the persons performing internal control functions. The internal control shall consist of management oversight; risk control (including AML/CFT), reporting and information and internal audit. The existence and effectiveness of compliance with these requirements is assessed on-site by the SSD. External audit companies also cover the quality of internal controls in banks as part of their mandate. b) the mission was told by the BNB –and verified during interviews with several banks- that credit institutions have set up dedicated AML units (sometimes comprising up to 15 people) and appointed AML officers, in addition to compliance officers. These officers establish the connection between the bank and the BNB, the FID, law enforcement authorities, the Prosecutor and other institutions involved in AML/CFT. The head of the specialized AML unit is responsible for timely reporting of suspicious transactions to the FID. Anti-money laundering software is used in 90% of the licensed banks and foreign banks’ branches in the Republic of Bulgaria to meet the legal requirements for 106These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 217 BULGARIA banks to prevent or report ML/TF activities. c) The LCI and Ordinance No10 contain provisions regarding technical and professional requirements for particular job position in addition to the standard due diligence to be followed for hiring, including checks on absence of previous convictions. Also, according to the BNB AML Guidelines, banks must have adequate mechanisms for assessing newly hired employees in order to prevent criminal elements to use the resources of the bank. d) BNB AML Guidelines refer also to training of bank employees. Banks have to provide adequate training to their staff. Information about training activities (including training materials, program participants, evaluations) are stored in the bank and submitted to the supervisory authority upon request. The requirements under a), b), c) and d) are checked and evaluated during on-site inspections. EC10 The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Board, management and the dedicated officers with timely and appropriate information on such activities. Description and findings The LMML requires that the programs on preventing and combating ML/TF should provide re EC10 procedures for internal and external reporting regarding suspicious activities and transactions. Especially, the reporting mechanism about suspicious activities should have clear procedures that are known by all personnel. As stipulated in art. 11, where money laundering has been suspected, the bank should notify the FID immediately prior to the completion of the transaction or deal while delaying its execution and in case a delay in the transaction is objectively impossible, the FID shall be notified immediately after its completion. During on-site visits, the BNB verifies compliance with these requirements. EC11 Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. Description Art. 15 of the LMML legal protection to bank’s staff who reports suspicious activity in good faith and findings either internally or directly to the relevant authority. re EC11 EC12 The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. Description and findings As discussed under CP 3, the practical collaboration and cooperation between the FID-SANS and the re EC12 BNB are regulated through “Instructions for cooperation and information exchange” and governed by an MoU. However, this MoU is no longer valid. The Financial Intelligence Agency (FIA) was initially established as an administrative-type FIU within the Minister of Finance. In 2008, the FIU was transformed into the Financial Intelligence Directorate (FID) within the State Agency for National Security (SANS) pursuant to the Law on State Agency for National Security (LSANS). Yet, the MoU signed in 2003 with the then FIA has not been revised after the establishment of the new authority. A 218 BULGARIA revised draft version has been in the making for three years and the authorities are encouraged to finalize it. There is other efficient cooperation mechanism between BNB and the enforcement authorities – prosecutor’s office, national investigative authorities, special units for investigation, police authorities. BNB is involved in providing expert assistance and analysis in complex and important cases for embezzlement with EU funds, money laundering, financial fraud, cross border complex financial transactions. With a view to the powers of the FSC (Financial Supervision Commission) to exercise control only over the non-banking financial sector, in order to broaden and improve the efficiency of the control over the financial market, a Memorandum on Cooperation and Interaction with the Bulgarian National Bank was also concluded. EC13 Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. Description The BNB has established the Special Supervision Directorate (SSD) for the supervision of banks for and findings compliance with the LMML and the LMFT. SSD staff consists of experts who have been working in the re EC13 SSD for more than a decade. The SSD staff involved in the AML/CFT supervision has relevant expertise to supervise the banks and relevant financial institutions for compliance with the AML/CFT regulations. In addition, there are strict rules for the appointment of any new staff of SSD. All personnel of SSD are required to have the highest level of professional standards and to abide strictly by the Code of Ethics of BNB. All employees (excluding purely administrative staff) are required to have the relevant university degrees in law, economics or international relations. Staff is also trained to keep appraised of the last developments. BNB staff has taken part in annual seminars and workshops organised by the IMF, Joint Vienna Institute, Banque de France, Deutsche Bundesbank and De Nederlandsche Bank. During these training sessions the participants were informed about the new trends of ML/FT and the best practices for ML prevention. BNB conducts annual trainings to the benefit of banks’staff, especially for compliance officers. The emphasis of these courses is on the risk-based approach, changes in legislation including at the EU level, major deficiencies encountered during on-site inspections. Assessment Largely compliant of Principle 29 Comments Bulgarian legislation provides adequate supervisory power for the supervisory bodies to monitor and to ensure compliance of regulated entities with AML/CFT requirements. The inspection process of the SSD is supported by a detailed AML/CFT methodology providing helpful tools and techniques, including for sample testing. All banks have established AML units comprising between 2 to 15 people and appointed AML compliance officers. The FID, which is the primary authority for AML/CFT surveillance is also equipped with proper methodologies and processes and also relies on the work done by other supervisors, particularly the BNB. There is also a good cooperation between the FID and the BNB, particularly for inspection planning. BNB’s inspectors have the expertise an d conduct their inspections diligently and are equipped with state-of-the-art methodology. All things considered, the assessors are of the opinion that the oversight of AML/CFT compliance in banks meets most of the requirement under CP 29. 219 BULGARIA Below are certain aspects that would warrant further considerations from the authorities. The SSD’s wide scope of activities beyond AML does not seen to be aligned with its current staffing. Originally, the directorate was established for AML/CFT supervision only but progressively, as the BNB mandate expanded, the directorate was assigned additional activities including transparency of products107 related issues and compliance with deposit insurance rules to be performed together with AML. As a result, the same inspection report will address the entire spectrum of activities, including those not related to AML, something rather unusual in assessors’ opinion. It is also important to note that the employees of SSD are frequently asked to assist the law enforcement authorities and Bulgarian Courts in investigations of ML cases. The SSD also carries out specific thematic inspections including on-site checks in companies that could perform unauthorized banking activities. Against this background, the assessors come to the conclusion that these activities should continue to be addressed efficicently either by ensuring additional staff to be employed at SSD. Another option would be to consider assigning these non-AML related activities to other directorates, perhaps outside the BSD. Another aspect worth mentioning is the separation existing between the oversight of AML and the overall prudential supervision of banking risks. The SSD is indeed separate from the directorate performing on-site prudential supervision.. Currently, in the report analyzing bank performance and processes, all types of risks are analyzed except ML/TF risks, even for Operational Risks analysis. For example, assessors could not find any reference to AML/CFT in the quarterly off-site reports, CAMELOS analysis, and annual rating reports. In general, AML/CFT problems reflect deficiencies in internal control, corporate governance, information systems, risk management and in assessors’ opinion, they should be taken into consideration as well by CISD staff in its supervisory review and evaluation process. One way to achieve that is to hold formal regular meetings between the two directorates and share AML inspection reports with the CISD. In 2014, at the initiative of the Deputy Governor in charge of banking supervision, more communication has been established between the SDD and the other directorates of BSD; the assessors welcome this major improvement. It is indeed important to promote, on a systematic way, more information sharing between the AML inspectors and the “prudential” inspectors (of the CISD) so that AML/CFT issues become part of the overall risk analysis of the Credit Institution Supervision Directorate Concerns still remain with respect to the identification of customers and beneficial owner. This aspect has been confirmed by an external audit firm met by the mission as well as by the FID. The mission also reviewed a collection of inspection reports in which BNB staff observed important weaknesses. In a bank for example, much of the credit portfolio is formed by loans to off-shore entities and companies with foreign registration “which (…) exposes the bank to high risk”; in another bank with an important part of the corporate loan portfolio concentrated on borrowers with off-shore owners, the credit files contain “almost no information about the owners of the offshore companies .” As already 107 E.g., transparency of banking products and monitoring existing complaints’ handling procedures. 220 BULGARIA discussed under CP 19 and 20, this issue warrants further attention. Most banks rely on the declaration of customers on relatedness and UBO and also on public registers but do not seem to be persistent enough to get all full information on the ultimate owner. The detection of problems shows that the BNB is mindful of the situation; however, it would be desirable to provide clear instructions to the banking industry for increasing their diligence in relation to KYC, especially for legal entity located overseas.108 It would also make sense to suggest banks to share the BNB AML inspection reports with their external auditors. Sanctions applied so far do not seem dissuasive and deterrent. The maximum amount of fine as stipulated in the LMML is 50,000 BGN (€25,000) which seems to be very low. Further, while the FID has imposed fines, the number of penalties appears limited and amount of fines relatively low. The FID has not utilized the other powers at its disposal either. The BNB on the other hand has not used so far its wide power of art. 103 of the LCI for enforcing AML measures. All things considered, the assessors come to the conclusion that enforcement of AML/CFT regulations is not deterrent enough (see also CP 11 for more details). Lastly, the MoU between the BNB and the FIU is no longer valid and a new one has been in the making for about 3 years. It would be important to finalize this process, especially with the view to encourage coordination particularly in areas where cooperation can be improved (e.g., exchange of reports and formulation of enforcement strategy). It is recommended to:  Refocus the Special Supervision Directorate on its core AML mandate by assigning non- AML related activities to other relevant BNB departments;  Integrate AML/CFT into overall risk analysis of the Credit Institution Supervision Directorate.  Improve the legal framewok regarding CDD  Enhance cooperation and information exchange between the Special Supervision Directorate and the Credit Institution Supervision Directorate, including sharing AML reports with the CISD staff and discuss enfocement approaches to maximize effectiveness  Increase sanctions in case of recurrent violations of AML/CFT regulation by the same institution; and in severe cases, sanctions on directors and senior management may be considered.  Instruct the industry to establish more robust mechanisms to ascertain the true identity of their customers, especially for legal entities located overseas with undisclosed UBO  Recommend banks to share the BNB AML inspection reports with their external auditors (if permitted by law);  Finalize the revision of the MoU with the FID. 108Moneyval pointed out remaining difficulties in that regard. In its 2013 mutual evaluation report of Bulgaria, the assessors made the following observation: “some difficulties still remain, mostly related to the concept of beneficial owner which does not fully cover the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted .” 221 BULGARIA SUMMARY COMPLIANCE WITH THE BASEL CORE PRINCIPLES Core Principle Grade Comments 1. Responsibilities, objectives and LC Within the Banking supervision Department, the Special powers Supervision Directorate (SSD) has been assigned multiple activities (e.g.,, inter alia, transparency of products and monitoring of consumer trends) that go beyond its primary objective of ensuring integrity in the banking sector. These non-supervisory activities do not permit an adequate allocation of resources for supervision purposes and distract SSD staff from its core objectives. The BNB is not empowered to require a bank to change its internal organization or structure. The power to dismiss senior management does not seem to apply to other staff, particularly to risk officers and other relevant staff holding important functions in a bank (Compliance, Risk Management, AML and Credit Officers). The current legal regime provides the authorities insufficient scope to manage a crisis fully effectively. As evidenced during the KTB collapse, the BNB does not have sufficient options in order to cooperate and collaborate to achieve the orderly resolution of a bank. 222 BULGARIA Core Principle Grade Comments 2. Independence, accountability, MNC The internal governance procedures of the BNB with resourcing and legal protection for respect to banking supervision place weight on a single supervisors individual – the Deputy Governor for Supervision. The internal governance procedures do not ensure clarity of communication and escalation of issues when problems emerge and do not ensure transparency and appropriate checks and balances in the overall decision making process. The legal structure of the governance arrangements provides no options for the effective delegation of supervisory powers if the Deputy Governor for Supervision becomes unavailable or incapacitated for whatever reason. The supervisory staff of the BNB enjoys a high, and in the view of the assessors, a deserved reputation for their professional skills and dedication. Nevertheless there are a number of factors that will undermine this valuable reputation. Resources are insufficient for the range and nature of the tasks the BNB must carry out for effective supervision. This insufficiency adversely affects the numbers of staff as well as their continued training and the IT capabilities that are available to them. There are some specialist skills, notably IT and also quantitative, that are in too short supply. There is currently no mapping of the skills that are needed in the evolving supervisory processes and assessing the skills of the staff against these needs and ensuring that a strategy is in place to remedy any such gaps. While legal protections are in place the BNB is not obliged to cover the legal costs faced by a staff member should a lawsuit be brought. 3. Cooperation and collaboration LC There is no formal mechanism of cooperation between the BNB and the MoF particularly for bank resolution. For AML/CFT related issues, the current MoU governing cooperation and information exchange between the BNB and the Financial Intelligence Directorate (FID) is no longer valid. The MoU signed in 2003 with the then Financial Intelligence Agency has not been revised after the establishment of the new authority (FID). The current mechanism for cooperation and information sharing between the BNB and Bulgarian Deposit Insurance Fund signed in November 2009 is now outdated. In the area of external audit, there is no MoU between the BNB and the Commission for Public Oversight on Statutory Auditors (COPSA). 4. Permissible activities C 223 BULGARIA Core Principle Grade Comments 5. Licensing criteria LC Regarding the concepts of indirect holding and beneficial ownership, the Law on Credit Institutions (LCI) does not provide a specific definition of Ultimate Beneficial Ownership (UBO). There is no provision in the LCI requesting the BNB to determine, where appropriate, that legal, managerial, operational and ownership structures of a bank will not hinder effective implementation of corrective measures in the future. For assessing the "propriety" of prospective administrators, the BNB form does not require information about administrator’s income and assets. The types of supporting information that the applicant should provide to establish the legitimacy of funds are not specified in the law or the ordinance. There is no further due diligence to ascertain the reputable source of funds, beyond the analysis of financial statements and the terms of the written declaration. Individual Board members or the Board collectively are not required to have a sound knowledge of the material activities that the bank intends to pursue, and the associated risks. There is no formal mechanism for interviewing applicants after the application if formally submitted to the BNB. A “preliminary consultation” is possible during the preparation of the file but not mandatory. BNB has not put in place a specific mechanism by which the BNB staff monitors the progress of new entrants in meeting their business and strategic goals. 6. Transfer of significant ownership MNC BNB’s powers appeared limited over shareholders who no longer meet the requirement for holding equity in banks. The LCI does not contain a provision requiring banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. 224 BULGARIA Core Principle Grade Comments 7. Major acquisitions LC Acquisitions of banks in non-financial companies do not require notification –even ex post- to the BNB and thus are not subject to supervisory approval. The BNB has not established any particular protocol or procedures in relation to major acquisition of banks in non-financial companies. As a result, the BNB seems to lack the ability to (i) assess compliance with the limits (established by art. 89 of the EU Regulation (EU) No. 575/2013), (ii) determine whether an investment in or a major acquisition of a non-banking company does not pose a risk to the group and (iii) ascertain that the bank has the ability to manage the risk. There is no explicit provision whereby the supervisor determines, where appropriate, that new acquisitions and investments will not hinder effective implementation of corrective measures in the future. 8. Supervisory approach LC The BNB employs sound methodologies for the analysis and assessment of individual banks and banking groups. This work is strongly enriched by the efforts of the macro-prudential and financial stability directorate. The work on resolution is lagging due to late transposition of the BRRD as the tasks around resolution planning cannot be completed until the law is in place. It is noted that the BNB has not waited for the BRRD and had already commenced its work. 9. Supervisory techniques and LC The supervisory approach in the BNB relies to a very tools significant, though not inappropriate, extent on determinations and verifications performed by the on- site inspections. It is important for the BNB to maximize the effectiveness of its risk based approach to supervision and consider the use of tools and techniques it has not taken advantage of in the past. While communication with banks is broadly satisfactory there is scope for enhancement. There is particular scope for improvements in the internal organization and processes of the banking supervision function to ensure consistency and quality control as well as internal communication. As also considered under CP2 it is questionable that there are sufficient resources available to conduct a fully effective supervisory program, not least given the greater demands of supervisors stemming from the international regulatory reform agenda and the continuing attention needed to post- crisis events in Bulgaria. Lack of sufficient personnel makes the case for a stronger IT capability even more relevant and potentially urgent. 225 BULGARIA Core Principle Grade Comments 10. Supervisory reporting C The requirements associated with supervisory reporting are now predominantly governed by a harmonized EU regime. In this context, it is noted that the reporting regime is going through a transitional phase. There are some gaps which are reflected in the associated risk principles. 11. Corrective and sanctioning MNC Enforcement of prudential regulations is not effective powers of supervisors enough. BNB approach has mainly consisted in issuing written orders. The BNB response is not increased when a bank ignores repeatedly BNB’s recommendations and written orders. There is almost no cases over the past five years where the BNB took sanctions to deter recurrent violations and persistent offenders. The BNB does not have in-house methods or criteria that could provide senior management minimum guidance on how to apply criteria for sanctions, particularly for setting the quantum for fines. The imposition of sanctions and determination of their amount is judged from the Deputy Governor in accordance to the weight and seriousness of the violation and the whole behavior of the bank. However, there is no link between certain violations and certain sanctions and no remedial action thresholds at which supervisory action is required. This does not guarantee a consistent approach and equality of treatment. An adequate framework geared towards resolving banks, including the preparation of recovery and resolution plans is still an important missing element. As a result, the BNB is not in a position to cooperate and collaborate with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank. 12. Consolidated supervision LC In case of mix holding companies, the leasing, factoring and consumer finance companies are not captured into the perimeter of consolidation. The BNB under his capacity of home supervisor has not visited the foreign offices of Bulgarian banks located abroad. There is no authority assigned to do fit and proper reviews on an ongoing basis of owners and senior management of non-financial holding companies. 13. Home-host relationships C The BNB’s role is primarily that of a host state supervisory authority within the EU and the supervisor enjoys good relationships with its peer authorities. Industry representatives commented favourably on the quality of coordination and decision making between the BNB and other supervisory authorities. 226 BULGARIA Core Principle Grade Comments 14. Corporate governance MNC Despite the quality of the BNB’s policy awareness of corporate governance in banks, corporate governance practices in the banking sector are still in the process of transition and require closer attention and possibly deepening of the skillset by the BNB. This vulnerability affects not only this CP but elements of all the risk focused CPs. As observed in CP2, the BNB does not yet have a policy of systematic Board level contact which is advocated by most advanced jurisdictions. 15. Risk management process LC As with corporate governance, risk management is in a state of evolution. The BNB has done much to ensure that risk management architecture is being put into place but needs an enhanced focus to ensure that the risk management processes are being fully embedded and effective. The BNB has not yet been able to finalize its work on contingency planning and recovery plans with the banks. 16. Capital adequacy C There has been a case where despite multiple orders from the BNB, an institution has failed to comply with the Central Bank instructions. In 2004, the BNB warned that despite the capital base increase, the capital adequacy of the said bank would fall below the regulatory minimum level “under an adequate credit risk assesement” and that again, the institution needs to increase its capital. . 17. Credit risk C The BNB demonstrates and enjoys a high reputation in the market for the quality of its oversight of credit risk which is the central risk of the banking sector. There are a number of vulnerabilities to bear in mind but these are addressed in the relevant associated CPs, namely corporate governance (14), concentration risk (19), related parties (20) and supervisory techniques (9). 18. Problem assets, provisions, and LC The BNB can no longer require banks to hold supervisory reserves provisions against problem exposures. Nevertheless, the BNB is closely monitoring the behavior of banks’ portfolios against which (system wide) BGN 2bn had been held. The BNB has not yet adopted the formal use of pillar 2 powers in respect of problem exposures to require banks to hold more capital against problem assets. The vulnerabilities noted in CP 17 for credit risk apply here too and are also addressed in the relevant associated CPs, namely corporate governance (14), concentration risk (19), related parties (20) and supervisory techniques (9). 227 BULGARIA Core Principle Grade Comments 19. Concentration risk and large MNC The KTB collapse revealed supervisory shortcomings exposure limits particularly for the supervision of concentration risk and related-party lending in the bank. Effectiveness of the LEL regime is still compromised by local practices (e.g banks using several strategies to circumvent the LEL regulation). Determination by banks of relatedness between customers connected economically is not optimal. Besides, the lack of transparency in ownership structure of companies (sometimes located overseas, including in off-shore centers) undermines even further the understanding of connectedness and as a result of concentration risks. 20. Transactions with related MNC The law on credit institutions does not specify the types parties of transactions that give rise to related parties exposures. Banks are not diligent enough in identifying their customers up to the ultimate beneficial owner (particularly for legal entity located overseas); as a result, connectedness between parties or group of affiliates is seriously handicapped. The LCI is not clear enough about (i) the conditions to be applied to write-off of related party transactions or (ii) the inclusion of key risk takers such as credit officers, their direct and related interests in the list of related persons. It is not clear in the law whether prohibition for any administrator “who has a business interest in the conclusion of a particular transaction” to participate in the decision also applies to any decision/resolution governing the interest rate and repayment of a loan. In addition, the fact that transactions with related parties must not be undertaken on more favorable terms than corresponding transactions with non-related counterparties is not as explicitly laid out in the law as it should be. 228 BULGARIA Core Principle Grade Comments 21. Country and transfer risks MNC Bulgaria does not have a regulation on country and transfer risks; Banks should stress country risk beyond running a stress test by location and also stress transfer risk as such EBA Guidelines for the SREP process are yet to be implemented. A revision of the BNB’s internal manual for the SREP process is envisaged but has not been finalized. The legislation framework does not require explicitly that banks’ Management Board approves strategies, and policies concerning country and transfer risk. 22. Market risk C Market risk represents a very small element of the risk profile of the banking system. At present the skill set of BNB staff is adequate to assess the prudential risks but it is important for BNB to monitor the need for additional skills in this field very closely. 23. Interest rate risk in the banking C The BNB regard interest rate risk in the banking book as book an extremely significant risk and welcome current Basel Committee work that might lead to a Pillar 1 capital charge. 24. Liquidity risk C The BNB has a good understanding of liquidity risk and was an early adopter of the Basel 2008 standards on liquidity risk management. Banks have been subject to enhanced liquidity reporting since the EU sovereign crisis in 2011 and daily reporting since the liquidity stress of 2014. The LCR and NSFR are due to come into force according to the timetables set out in the CRR. 229 BULGARIA Core Principle Grade Comments 25. Operational risk LC The Special Supervision Directorate (SSD) originally set up for AML/CFT oversight has been assigned too many activities not related to supervision (including transparency of products). This does not ensure proper allocations of resources and distract the SSD from its core mandate. There is limited cooperation and information exchange between the Supervision of Credit Institutions Directorate and the SSD. AML/CFT issues are not integrated into the overall supervisory review and evaluation process. No sanctions have been applied by the BNB for AML matters and very few by the FID. Bank’s practices to establish the true identity of their customers, especially for legal entities located overseas with undisclosed UBO, are questionable. 26. Internal control and audit LC The significance of internal controls is fully recognized by the BNB and is incorporated into the composite risk assessment of the banks, but the quality of work in this area notably lacks the depth of attention of other risk areas, and is at risk of lagging peers and potentially missing emerging weaknesses in some banks. 27. Financial reporting and external MNC The BNB has some powers and authority with respect to audit external auditors but there are important deficiencies. The BNB has no authority to insist on the rotation of an auditor (either of the firm or the senior partner). Also, the BNB has no access to the auditor working papers, including the management letter submitted to the audited bank. In terms of supervisory practices, the BNB has to date had a somewhat remote relationship with the external audit community. The depth of understanding of IFRS throughout the BNB supervisory staff may be not be as strong as needed. 28. Disclosure and transparency C The BNB, as a supervisory authority, provides a wide range of data on the condition of the banking sector, including bank by bank breakdown. The quality and utility of the BNB disclosure practices was praised by a number of market participants. 29. Abuse of financial services LC The Special Supervision Directorate (SSD) originally set up for AML/CFT oversight has been assigned too many activities not related to supervision (including transparency of products). This does not ensure proper allocations of resources and distract the SSD from its core mandate. There is limited cooperation and information exchange between the Supervision of Credit Institutions Directorate and the SSD. AML/CFT issues are not integrated into the overall supervisory review and evaluation process. No sanctions have been applied by 230 BULGARIA Core Principle Grade Comments the BNB for AML matters and very few by the FID. Bank’s practices to establish the true identity of their customers, especially for legal entities located overseas with undisclosed UBO, are questionable. 231 BULGARIA RECOMMENDED ACTIONS AND AUTHORITIES’ COMMENTS A. Recommended Actions Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks Reference Principle Recommended Action Principle 1 Refocus the activity of the Special Supervision Directorate (SSD) on its core mandate of financial integrity; this can be achieved by assigning non-supervisory activities (e.g., transparency of products, monitoring of contribution to the Deposit Insurance Fund) to other Directorates, preferably outside the Banking Supervision Department. Empower the BNB to require banks to change their internal organization or structure and to dismiss staff (other than senior management) such as risk officers and other relevant staff holding important functions in a bank (Compliance, Risk Management, AML and Credit Officers). Principle 2 Independence, Revise the internal governance design of the BNB for banking supervision, accountability, resources through legal amendment as necessary, to ensure that significant powers are not vested in a single individual. Ensure that there are clear checks and balances in decision making processes, including transparency and challenge processes. Ensure that the absence or unavailability of any one individual will not prevent the full and effective use of all of the BNB’s supervisory powers. Ensure that the Governing Council is supplied with timely information in respect of major developing supervisory issues including advance information on any changes of control or corrective actions, so that it is well placed if becomes necessary to make major decisions at critical junctures – including licensing, revocation, conservatorship and issuance of prudential regulation. Increase resource allocation to banking supervision to: - Ensure sufficient skilled personnel available to conduct a full program of on-site inspections. - Ensure sufficient representation of skill-sets, including IT, quantitative and models analysis and IFRS. Training and recruitment will both be needed. - Upgrade the IT capability available to supervisory staff so that they can effectively and efficiently make use of the range of data and information that is submitted to the BNB. This upgrade should be wider than replacing functionality that was lost due to the regulatory changes. Carry out a mapping of the skills that are needed in its supervisory 232 BULGARIA process, taking into account the fact that the nature and volume of demands required in supervision are continuing to increase and evolve, not least as a result of the international regulatory reform agenda. Identify a clear current and projected assessment of any skills gaps and put in place a strategy to address such gaps. Ensure that the BNB will cover the legal costs faced by a staff member should a lawsuit be brought against the staff member. Establish mechanisms for cooperation between the BNB, the MoF and Principle 3 other financial institution regulators to undertake recovery and resolution planning. Speed up the revision of the MOU with the Bulgarian Deposit Insurance Fund. Finalize the new MoU between the BNB and the Financial Intelligence Unit. Explore the possibility to sign an MoU with the Commission for Public Oversight on Statutory Auditors (CPOSA). Include in the LCI a clear definition of UBO in consonance with the Principle 5 definition provided by the AML law. Enhance BNB due diligence with respect to the origin of funds used for disbursement of capital (including liaising with the FIU and the Police (criminal records registry, Interpol office). Establish formal mechanism for interviewing applicants after the application if formally submitted to the BNB. The content and objective of these interviews should also be specified and made mandatory. Establish formal procedures to subject the newly established bank to follow up on-site inspection to ascertain that the bank is performing according to the terms and conditions of the license. Include in the relevant regulation a provision requiring the individual Board members or the Board collectively to have a sound knowledge of the material activities that the bank intends to pursue, and the associated risks. Principle 6 Provide BNB more powers over shareholders who no longer meet the requirement for holding equity in banks. Include in the law a provision requiring banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Subject any major acquisition to a formal follow up mechanism to Principle 7 ascertain that the new activities acquired do not expose the bank to undue risks. Subject major acquisitions in non-financial companies to enhanced BNB scrutiny, in particular with respect to the compliance with limits. BNB also needs to know that (i) the structure will not bring additional risks and (ii) 233 BULGARIA actions can be taken to mitigate riks. Explore the possibility to set restrictions for major acquisitions in non- financial sectors deem to pose particular concern. Establish an explicit provision by which the supervisor determines, where appropriate, that new acquisitions and investments will not hinder effective implementation of corrective measures in the future. Complete resolution assessments once the BRRD has been transposed. Principle 8 Refresh internal crisis management handling framework ensuring any lessons learned from the events of 2014 have been reflected. Improve the system for information sharing between the BNB banking Principle 9 supervision directorates, not limited to contact between the directors, but also based on a stock-take and review of common issues and information needs, so that all relevant information is shared in a timely manner and can inform the wider supervisory process. Initiate a more intensive program of communication with the supervisory and management boards of the banks. Please see CP14. Ensures that the composition of inspection teams in the credit institution supervision directorate, and special supervision directorate, do not remain static over time. Introduce quality assurance procedures to ensure that the underlying practices and quality of work carried out by the different inspection teams is of sufficiently high standard. Carry out horizontal reviews on key risks identified in the banking sector. Ensure key findings are communicated back to the banks as necessary. Consider the use of external experts to ensure that opportunities are taken where possible to support supervisory analysis and insight. Dedicate the resources for a major upgrade to the systems available to the supervisory staff to ensure staff have the ability to interrogate supervisory data more effectively, and to integrate supervisory data automatically with other supervisory systems. Please see CP2. Establish a unit or committee mandated to review of supervisory processes and practices. Such an exercise should be carried out in tandem with an upgrade of the IT/data system. Please see CP2 Require banks to notify the BNB in advance, not retrospectively, of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including – and not limited to - breach of legal or prudential requirements. Carry out a review to ensure whether current efforts to determine the Principle 10 validity and integrity of supervisory information are sufficient. 
 234 BULGARIA Set internal guidelines to assist the Deputy Governor in determining the Principle 11 most adequate response in case of breach or violation of the laws or regulations. Apply gradual response when a bank is not complying with BNB recommendations. Take more forceful actions against persistent offenders. consider broadening the circumstances uner which a bank can be placed under Special supervision regime. Perform more frequent visits in branches and subsidiaries of Bulgarian Principle 12 banks located in and outside the EU. Capture leasing, factoring companies and consumer finance companies into the perimeter of consolidation in case of mix holding companies. Identify the authority to do fit and proper reviews on an ongoing basis of owners and senior management of non-financial holding companies. When the BRRD is transposed, complete any outstanding processes Principle 13 necessary to support cross border resolution planning acting in the capacity of the host state supervisor. It is acknowledged that the BNB is likely to be the new resolution authority for banks, but remarks addressed to the resolution authority are beyond the remit of a BCP assessment. Ensure the BNB has the requisite powers to require changes to the Principle 14 composition of a Board where an individual or individuals have failed to discharge their corporate governance responsibilities effectively. Ensure banks are required to notify the BNB and that – as necessary – legal protections are in place to protect individuals who notify the BNB if there are material issues that would affect the fitness and propriety of the Board member or member of senior management. Refresh Ordinance 10 to elaborate more clearly on the BNB’s requirements and expectations in the field of corporate governance. Institute systematic senior level contact between the BNB and the Boards of the banks, to reinforce priority messages, deepen the overall assessment of the Boards’ qualities and capacities and as necessary to challenge the banks. Greater frequency of assessment of corporate governance is needed. In view of overarching resource constraints, this may be an appropriate topic for a horizontal review. Deepen the RAS Manual to provide greater guidance to inspectors in testing the quality of corporate governance within firms and in how to reflect their findings in the overall analysis, ratings and supervisory actions. Principle 15 Review the proportion of resource dedicated to risk management – and internal control – in their on-site programs. Consider the use of horizontal reviews into the state of risk management in the banking sector. 235 BULGARIA Revise Ordinance 10 to confirm and enhance supervisory requirements in risk management. Review the RAS Manual to provide greater guidance to inspectors in testing the quality of risk management within firms and in how to reflect their findings in the overall analysis, ratings and supervisory actions. Take proper action over a particular institution to ensure that capital is Principle 16 increased at appropriate level. Principle 18 Assess, and be ready to operationalize the Pillar 2 approach for banks which are demonstrating weaknesses in respect of problem exposures. Consider the use of horizontal reviews into the state of NPL management in banks, paying particular attention to any banks whose data indicates that they are outliers in terms of performance. Conduct an horizontal review across the industry to verify degree of Principle 19 conformity with LEL requirements. Instruct the industry to increase efforts in establishing clear understanding of customers’ ownership structure, especially for companies located abroad. Take forceful measures against banks to promote effective observance of risks concentration limits. Principle 20 Define in a regulation or guidelines the types of transactions giving rise to related parties exposures. Enhance surveillance of related parties’ transactions across the industry via a transversal inspection. Provide recommendations to the industry to be more diligent in identifying their customers up to the ultimate owner (particularly for legal entity located overseas, including in off-shore centers). Adopt a regulation on country and transfer risks; Principle 21 Include country and transfer risk in bank’s stress testing Implement the EBA guidelines for the SREP process to ensure proper and timely country risks coverage Review on an annual basis, at a minimum, whether a market risk specialist Principle 22 is required to augment the inspection and analytical capabilities in respect of the major banks who are using internal market risk models, albeit not for regulatory purposes. Place more emphasis on ensuring the consistency in the quality of off-site Principle 23 analysis. Principle 24 In due course implement the LCR and NSFR. Make Operational Risk on-site surveillance more systematic Principle 25 Issue a regulation subjecting banks to have appropriate reporting 236 BULGARIA mechanisms to keep the supervisor apprised of developments affecting operational risk. Increase the level of expertise of BSD staff, especially in the area of IT. Require banks to notify the BNB in case of major operational risk event. Principle 26 Revise Ordinance 10 to confirm and enhance supervisory requirements in internal controls Refresh the RAS Manual in respect of internal controls Principle 27 To the extent consistent with the EU framework, ensure the BNB has the clear ability to insist on a change of auditor in the wake of poor quality audit or other supervisory concerns, the right to insist on the rotation of the audit firm and of the senior partner, and right of access to audit working papers and the audit letter to the management. Establish a framework for a regular dialogue, both at a collective level and in respect of individual institution level. In view of the forthcoming challenges of implementing IFRS 9 this dialogue will be particularly valuable. Perform a skills mapping and needs assessment for BNB staff in respect of understanding of IFRS and take steps to ensure investment in training and recruitment as required, not least in view of the forthcoming IFRS9. Principle 29 Refocus the Special Supervision Directorate on its core AML mandate by assigning non-AML related activities to other relevant BNB departments. Enhance cooperation and information exchange between the Special Supervision Directorate and the Credit Institution Supervision Directorate, including sharing AML reports with the CISD staff and discuss enfocement approaches to maximize effectiveness Integrate AML/CFT into the overall risk analysis of the Credit Institution Supervision Directorate. Increase sanctions in case of recurrent violations of AML/CFT regulation by the same institution, and in severe cases, sanctions on directors and senior management may be considered. Instruct the industry to establish more robust mechanisms to ascertain the true identity of their customers, especially for legal entities located overseas with undisclosed UBO. Recommend banks to share the BNB AML inspection reports with their external auditors (if permitted by law). Finalize the revision of the MoU with the FID. 237 BULGARIA B. Authorities’ Response to the Assessment109 The Governing Council of the Bulgarian national bank appreciates highly the technical support provided by the representatives of the IMF and World Bank in relation to the fulfillment of the Basel core principles for effective banking supervision (the BCP assessment). It must be noted that all of the discussions, meetings, inputs, analysis and comments made during every stage of the process (i.e. the self-assessment, the on-site visit and the peer review) brought forward essential added value to the effectiveness of the supervisory process and the collective knowledge of BNB staff in the field of banking supervision. Therefore, the Governing Council of the BNB has taken into account and carefully considered every single recommendation drafted by the staff of the IMF and WB, and as a result we have prepared an indicative list of immediate action points or future arrangements towards increasing compliance with the Basel Core principles for effective banking supervision. We believe that outlining and prioritizing the necessary steps for future actions or improvement will foster the increase in the quality, timeliness, accuracy and reliability of the effective supervision process. The Governing Council of the BNB notes that increased transparency and disclosure of the work of the central bank is of crucial importance for the effective functioning of the financial sector and raising the general awareness of the public. Therefore, the Governing Council approves the publication of the full version of the report – i.e. Detailed assessment report (DAR), which includes the BNB’s self-assessment and the assessment and recommendations of the IMF and World Bank, and the compliance grades on the principles (the ratings). The Governing Council considers that the assessment of IMF and World Bank provide an impartial justification of the essential compliance with the internationally accepted standards in the field of banking supervision, as well as evidences the nature, scale and intensity of the daily efforts which the staff of the Banking supervision department brings in the process of safeguarding financial stability. General remarks 1. The 2012 update of the Basel core principles for effective banking supervision introduced important enhancements into the individual Core Principles, particularly in those areas that are necessary to strengthen supervisory practices, risk management, corporate governance, public disclosure and transparency. The newly introduced requirements represent essential challenge to supervisors worldwide and require adopting a long-term approach, towards gradually reaching compliance, spanning outside a horizon of 4-5 years. Still there is relatively scarce data on best practices around the world or comparison between supervisory approaches, in order to foster the development of appropriate benchmarks for judging 109 If no such response is provided within a reasonable time frame, the assessors should note this explicitly and provide a brief summary of the authorities’ initial response provided during the discussion between the authorities and the assessors at the end of the assessment mission (“wrap-up meeting”). 238 BULGARIA efficiency and compliance of supervisory regimes. In that regard, it will be of valuable importance that the IMF and World Bank continue to analyze different supervisory approaches and disclose the results from those assessments, in order to build larger sample of practices, representative enough to outline the main tendencies or tools for reaching convergence with the Core principles. 2. The Bulgarian national bank is a competent authority located in an EU member state. As such, it is bound to comply with all relevant and applicable EU legislation in the field of banking services referring to capital requirements, risk management, bank recovery and resolution, depositor protection, etc. In that regard, the BNB strongly respects the concepts of the Single rulebook and the harmonization of supervisory practices across EU, which accelerated recently by the introduction of the new regulatory packages according to CRD4/CRR, BRRD, DGS and all related Commission binding technical standards. Those acts build the core of the local supervisory model and provide high-level guidance on the best practices and approaches which should be followed in order to achieve full supervisory convergence. Despite the fact that during the years the EU framework tries to closely follow the work of the Basel Committee, there have always been differences in certain areas (e.g., minimum capital requirements, quality of elements of capital, frequency of reporting, liquidity management, exposures to related parties), stemming from the nature of the integrated EU market and the specificities of the regulatory process in the EU. Therefore, for some areas or recommended improvements it is difficult or even impossible to impose stricter requirements, compared to the applicable EU framework, since every case of gold platting of the Single rulebook is being put under scrutiny examination by other EU institutions/bodies. In that regard, the BNB strives to maintain an appropriate balance between full compliance with EU framework and the improvement of the effectiveness of the supervisory approach in deficient areas. 3. Reaching maximum convergence with the Basel core principles is an important, but also time-consuming and resource-demanding task. Some of the principles require rigorous changes not only in the supervisory model, but also influence significantly the banking sector and the currently utilized banks’ business models, most of which are predetermined by foreign parent-entities. Therefore the degree of compliance with BCP is also dependent on external factors, some of which are outside the immediate direct control of the supervisor - the nature of the business models in the banking system, ownership structure, current economic conditions, the effectiveness of the judicial system, the intensity of cross-border flow of capital and the phase of the business cycle. The removal of such limitations requires persistent successful efforts and focused actions in several key areas spread over longer time scale. Those efforts must however take into account the significant disproportion of the capacity and resources of the supervisors compared to the capacity and resources of the banking system. 4. During the process of the BCP assessment the Bulgarian state, in cooperation with the BNB, speeded up the process of adoption of key sectoral legislation in the field of Deposit 239 BULGARIA protection and Bank recovery and resolution, which regulatory packages address some of the diagnosed deficiencies in the IMF/WB analysis. As of 30-Jul-2015 the implementing acts or those regulatory packages were voted and adopted by the National Parliament and will effectively enter into force as of the beginning of August, 2015. 5. During the process of the assessment the BNB has also initiated several important supervisory initiatives, the effect of which is expected to materialize in a mid-term. In that regard, further compliance with the Basel core principles in the area of risk management, corporate governance and transparency is expected to be achieved after the results and findings from those supervisory initiatives are being enforced or taken into account. More specifically, in 2015-2016 the BNB is going to carry out comprehensive analysis of the asset quality in the banking system (AQR exercise) and will perform stress tests in order to make thorough analysis of adequacy of the bank`s approaches for valuation of assets and collaterals as well as the reliability of the accounting impairments. As a result of the analysis, certain measures for capitalization of the banking system are going to be identified, if necessary. Specific remarks and comments 1. Institutional setting of the Bulgarian national bank and the banking supervision function – powers and functions, independence and accountability, resources, cooperation and collaboration (Principles 1 - 3)  The Bulgarian National Bank (BNB) will review the current role and responsibilities of the "Banking Supervision Department" in the light of the significantly changed supervisory and regulatory environment after the financial crisis and the consequent increase of work and responsibilities and will take immediate actions to change the resource allocation, including the appointment of narrow specialists in specific areas.  The BNB accepts the findings related to the perceived need to strengthen the supervisory capacity by attracting additional staff and developing technical tools. The BNB assumes that these actions stem not only from the deficiencies discovered during the assessment, but are of key importance for supervisory activities in those areas which, although awarded estimates LC/C, are with serious deficiency in staffing. The progressively increasing processes of EU regulatory harmonization, complexity of tasks, information flows and the sophistication of the supervisory process require sufficient number of staff. There is an increasing need for implementation of advanced approaches and expertise related to inspection process, risk modeling, simulations, strategic regulatory analysis, impact assessment of new regulations, maintaining communication with external institutions, macro-prudential and financial stability analysis and combating money-laundering. Currently, all those areas are covered by a very few, although highly qualified, experts.  The BNB will undertake structural changes in the "Banking Supervision Department,” in particular the separation of the functions of offsite and on-site supervision. Thus inspectors will focus on on-site examinations, and accordingly the employees who perform offsite analysis will 240 BULGARIA have enough time to focus on the performance of monthly and quarterly analyses of good quality, also aimed at early identification of risks and structural problems in the balance sheets and business models of credit institutions.  The BNB will review the role of the Governing Council of BNB in the process of developing policies and control of the supervisory activity, as well as its knowledge of the main findings and results of the ongoing supervisory review process.  In connection with the entry into force in 2015 of the Law on Recovery and Resolution of Credit Institutions, the BNB will create and organize a new functionally separate unit, which will be delegated the functions of a designated resolution authority in accordance with Directive 2014/59/ EU.  The memorandum of cooperation and understanding with the Bulgarian Bank Deposit Guarantee Fund is going to be updated. 2. Permissible activities, licensing criteria, major acquisitions and transfer of significant ownership (Principles 4 - 7)  The BNB is going to review the legal basis in order to introduce further improvements in relation to examination of the origin of funds.  BNB will take into account the recommendations on the creation of a legal possibility to use a single definition of "ultimate owner" in Law on Credit Institutions (LCI) and Law on the Measures against Money Laundering (LMML), on the introduction of a procedure for conducting interviews with candidates for the Board of Directors or the Supervisory Board, and on the monitoring of the activities of newly licensed banks in relation to compliance with the conditions under which the license was issued.  BNB will takes into account the recommendations to introduce a provisional requirement shareholders to qualify for subscription of shares in banks at any time after a bank is licensed, and a provisional requirement banks to notify the supervisory authority as soon as they have been aware of material information related to a large shareholder or a person exercising control which could have negative implications.  The supervisory review processes regarding any larger acquisitions or mergers in the banking sector will be enhanced.  In terms of quality assurance of the management bodies of banks, BNB will comply with the upcoming Guidelines of the EBA, which will be adopted in accordance with the mandate of Article 91, paragraph 12 of Directive 2013/36/EC, on appropriate knowledge, skills and experience of the management body as a whole. 3. Supervisory process and corrective and sanctioning powers of supervisors (Principles 8, 9 and 11)  The BNB is foreseeing developing an administrative capacity related to the functions of early intervention, recovery and coordination of the restructuring measures, including stricter sanctions on banks for non-compliance with regulatory requirements.  Steps for updating of internal procedures related to exchange of information between directorates in “Banking Supervision Department” has already been taken. A priority will be deepening the dialogue between “Banking Supervision Department” and senior management 241 BULGARIA of banks by providing both mandatory annual meetings, as well as more frequent thematic meetings.  Rules for the rotation of members of the teams for on-site inspections and off-site supervision will be developed, as well as a change to the approach for the establishment of supervisory teams will take place.  The BNB is committed to reviewing, updating and harmonizing of current internal manuals (Manual for the banking supervision process, Manual for supervisory review and evaluation, Manual for risk assessment system and Manual for internal analysis of capital adequacy).  The BNB is considering intensifying usage of external experts/persons to perform appraisals and assessment of the values of assets and collaterals, immovable property, impairments, perform IT audit or for other purposes during on-site inspections. Cost coverage for these services can be transferred to the bank under examination, as is the practice in many European countries.  The BNB will reconsider the allocation of information resources in the “Banking Supervision Department” and will prepare a proposal for streamlining the process of introducing new systems, maintenance, storage and use of information by the different units of the Department.  Implementing enhanced monitoring of the obligation for notification by banks of substantial changes in business model, organizational and management structure, risk profile, composition of assets and liabilities, change in strategy and etc., as well as undertaking corrective actions and sanctions if this doesn’t happen.  The Bulgarian National Bank will hold a thorough discussion of the options for ensuring to the Deputy Governor heading "Banking Supervision" a guidance on selecting the most appropriate compulsory administrative measures and administrative penalties. It is envisaged to implement an approach for escalation with regard to the imposition of administrative compulsory measures.  The regime of special supervision, set out in the LCI, will be clarified in order to adequately cover all these cases outside of the implementation of the resolution measures under the new law on recovery and resolution of credit institutions and investment firms. 4. Consolidated supervision and home-host relationships (Principles 12-13)  The supervisory process will be extended towards additional and ancillary banking services or activities to enable the strengthening of the BNB in terms of supervision on a consolidated basis. 5. Enhancing Corporate governance (Principle 14)  The BNB is going to take the initiative to extend its powers for imposing requirements on banks related to changes in their internal organizational structure, as well as power to remove and change members of supervisory and management board in banks in case that they don`t meet the suitability requirements.  The risk assessment manual and BNB Ordinance № 10 on the internal control in banks are going to be updated. Providing of legal protection to the head of internal audit who has found significant problem that would affect the assessment of the suitability of the members of management body (board of directors, supervisory board, management board). 242 BULGARIA  More attention will be dedicated to internal management controls, and as a result the dialogue between the senior management of the BNB and the management or supervisory Boards of the banks would be intensified. Onsite examination manual will be accordingly updated. 6. Capital adequacy and risk management process (Principles 15-16)  Update of the Internal analysis of adequacy of capital (ICAAP) manual.  BNB is planning to update its SREP handbook, based to a large extend on the EBA and SSM guidelines. Emphasis will be put on imposing additional capital requirements for the risks under Pillar 2, especially in terms of additional capital requirements for problem exposures and the requirements for management of the liquidity position.  Develop a procedure for prior approval and approval of the common equity Tier 1 capital instruments, additional Tier 1 and Tier 2 capital instruments, based on the sample models of EBA for best practices in issuing such instruments, respectively with specific written clauses which must be contained in the contracts/prospectus.  Updating and maintenance of a register with all issued capital instruments. 7. Management of risks – credit risk and problem assets, market risk, operational risk, liquidity risk, interest rate risk in the banking book (Principles 17-18, 21-25)  The on-site inspections plans will consider thorough review of the risk management, credit concentrations and connected parties by including detailed procedures for review of the internal risk management in banks and internal audit.  Strengthening and improving the qualifications of the employees of the “Banking Supervision Department” regarding the management and assessment of risks.  The BNB will strengthen and improve the qualification of employees of the “Banking supervision department” in the area of operational risk, in particular in the IT field. BNB is envisaging an additional oversight tools for monitoring of operational risk, as well as will require from banks in due time to notify the “Banking Supervision Department” in the event of the occurrence of significant operational events.  The BNB will explore the opportunities for active partnership with supervisors participating in the SSM, in order to ensure access to the best practices applied in the field of banking supervision in the EU, as well as exchange of experience, expertise and technical assistance.  The BNB is envisaging drafting more detailed requirements regarding the management of exposures and instruments, drivers of sovereign risk. 8. Credit concentrations and large exposures (Principles 19-20)  BNB will undertake necessary steps to introduce the possibility of imposing additional capital requirements under the following areas: suspicion of exceeding the limits on large exposures; identified excess over the limits; identified material deficiencies as part of the process of investigation of interconnectedness among partners. An introduction of similar provisions concerning qualifying holdings in a non-financial sector companies is also envisaged.  BNB will analyze the possibilities for expansion of the scope of Article 45 of the LCI on the control of exposures to related parties of a bank, both in terms of counterparties and in terms 243 BULGARIA of the types of transactions, implementation of methodological guidelines, and communication with banks with the aim to avoid the possibility to circumvent the regulation through the implementation of schemes of ownership and control.  Update of the Manual on risk assessment system with the aim of developing a procedure for cross-checks on the identification of connectivity between parties and thus providing the possibility for inclusion of these cross-inspections in the supervisory examination plan. 9. Internal and external controls/audit, financial reporting and transparency (Principles 26- 28)  Implement measures for mandatory rotation of the external auditor of a bank.  Development of additional validation rules for formalized control over the inputs, connected with the additional supervisory reporting.  Improvement of Banking Supervision staff qualification with respect to international accounting standards. 10. Abuse of financial services (Principle 29)  With regard to the functions of the "Special Supervision Directorate,” structural changes will be introduced aimed at strengthening the administrative capacity. The sanctions regime will be modified, after the transposition into national law of Directive (EC) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. The rules set out in the banking supervision manual will be updated in order to enhance the exchange of information between the “Special Supervision Directorate” and the “Credit Institutions Supervision Directorate,” and the findings of the AML / CFT supervision will be reported in the assessment of the overall risk profiles of the banks.  With regard to the functions for anti-money laundering, measures against terrorism financing, transparency of products and monitoring of consumer trends, the BNB will examine the possibilities to refine and operationalize the powers and duties of the structural unit, responsible for these functions.  Finalization of the project "Instructions for interaction between the Bulgarian National Bank and the State Agency for National Security" and its submission for approval by the Governing Council of the BNB in September 2015. 244