PERU DETAILED ASSESSMENT OF OBSERVANCE May 15, 2018 BASEL CORE PRINCIPLES FOR EFFECTIVE BANKING SUPERVISION Prepared By This report was prepared in the context of a Monetary and Capital Markets joint IMF-World Bank Group Financial Sector Department, IMF, and Finance, Assessment Program (FSAP) mission in Peru Competitiveness and Innovation during October 2016, led by Ananthakrishnan Global Practice, World Bank Group Prasad, IMF and Luisa Zanforlin, World Bank Group, and overseen by the Monetary and Capital Markets Department, IMF, and the Finance, Competitiveness and Innovation Global Practice, World Bank Group. Further information on the FSAP program can be found at http://www.imf.org/external/np/fsap/fssa.aspx, and www.worldbank.org/fsap. INTERNATIONAL MONETARY FUND THE WORLD BANK GROUP PERU Contents GLOSSARY _______________________________________________________________________________________ 3 SUMMARY AND MAIN FINDINGS ______________________________________________________________ 4 A. Summary_______________ ________________________________________________________________________ 4 B. Main Findings __________________________________________________________________________________ 5 INTRODUCTION AND METHODOLOGY ______________________________________________________ 10 A. Introduction ___________________________________________________________________________________10 B. Information and Methodology Used for Assessment __________________________________________10 INSTITUTIONAL AND MARKET STRUCTURE—OVERVIEW ___________________________________ 13 A. Institutional Overview _________________________________________________________________________13 B. Market Structure ______________________________________________________________________________14 PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION _________________________________ 16 A. Sustainable Macroeconomic Policies __________________________________________________________16 B. Framework for the Formulation of Financial Stability Policies _________________________________16 C. Public Infrastructure ___________________________________________________________________________17 D. Framework for Crisis Management, Recovery and Resolution _________________________________18 E. Market Discipline ______________________________________________________________________________18 DETAILED ASSESSMENT _______________________________________________________________________ 19 A. Supervisory Powers, Responsibilities and Functions ___________________________________________19 B. Prudential Regulations and Requirements _____________________________________________________97 SUMMARY COMPLIANCE WITH THE BASEL CORE PRINCIPLES ____________________________ 243 RECOMMENDED ACTIONS AND AUTHORITIES’ COMMENTS ______________________________ 256 A. Recommended Actions______________________________________________________________________ 256 B. Authorities’ Response to Assessment ________________________________________________________ 259 FIGURE 1. Organogram SBS __________________________________________________________________________ 13 TABLE 1. Financial Sector Structure _________________________________________________________________ 15 2 PERU GLOSSARY AC Additional Criterion BCP Basel Core Principles for Effective Banking Supervision BCRP Central Bank of the Republic of Peru BSD Banking Supervision Department CEO Chief Executive Officer COOPAC Savings and Loans Cooperative CP Core Principle D-SIB Domestic Systemically Important Bank EC Essential Criterion ELA Emergency Liquidity Assistance FENACREP Federation of Savings and Loans Cooperatives FSAP Financial Sector Assessment Program FSD Fondo de Seguro de Depositos FI Financial (Deposit Taking) Institution FX Foreign Exchange GDP Gross Domestic Product GIR Comprehensive Risk Management Regulation G-SIB Global Systemically Important Bank HQLA High Quality Liquid Assets ICAAP Internal Capital Adequacy Assessment Process IFAC International Federation of Accountants IFRS International Financial Reporting Standards LA Liquid Assets LCR Liquidity Coverage Ratio LGS General Company Law (Ley General de Sociedades) LGSF General Financial System Law (Ley General del Sistema Financiero) LTV Loan to Value (Ratio) MEF Ministry of Economy and Finance MFI Microfinance Institution NSFR Net Stable Funding Ratio SABM Superintendence of Banking and Microfinance Institutions SAEE Superintendence of Economic Studies SAR Superintendence of Specialized Risks SBS Superintendence of Banks, Insurers and Private Pension Funds SI Supervised Institution SMV Securities Markets Regulator SREP Supervisory Review and Evaluation Process WB World Bank 3 PERU SUMMARY AND MAIN FINDINGS1 A. Summary 1. The overall quality of Peru’s supervisory approach and regulation of the banking sector is strong. Some areas for enhancement remain. A key area that needs strengthening relates to the powers and regulatory framework for consolidated and cross-border supervision. 2. The FSAP undertook a full graded Basel Core Principles (BCP) assessment of the essential criteria.2 The 2011 BCP update assessment found that bank regulation and supervision was of high quality and no principles were scored non-compliant or materially non-compliant. The current assessment shows that the SBS has maintained and further enhanced its regulatory and supervisory framework. 3. The SBS followed up on most of the recommendations made in 2011 BCP assessment. It expanded its resources and specialized units (e.g. information technology supervision), strengthened consolidated supervision, established continuous monitoring of beneficial ownership, and implemented Pillar 2. Additionally, the supervision of more qualitative elements such as governance, management and internal controls has been improved. The SBS also made progress on the implementation of consolidated supervision, however the current framework is not yet up to international standards and needs further enhancements. One of the few recommendations that has remained outstanding is related to the improvement of the legal protection of the SBS staff, for which the General Financial System Law (LGSF) would need to be amended. 4. Since 2011, the SBS has made significant progress on the implementation of the Basel regulatory reform agenda. While the implemented methodology for the capital conservation buffer, counter-cyclical buffer, and the buffer and framework for domestic-systemically important banks (D-SIBs) is different than that of the Basel framework, the developed approach, tailored to the local characteristics of the financial system, aims to achieve the same objectives. A remaining substantive difference is the use of the Basel II capital definition, which is embedded in the LGSF. The SBS also implemented the Liquidity Coverage Ratio (LCR), is in process of the implementation (tailored to the local characteristics) of the Net Stable Funding Ratio (NSFR), and incorporated in its regulatory framework the Basel guidelines for corporate governance. 5. Notwithstanding the progress made, some areas for enhancement remain. These relate amongst others to the SBS’s internal governance, control and accountability framework, which could be strengthened amongst others by enhancing the position of the internal audit department and 1This Detailed Assessment Report has been prepared by Dirk Jan Grolleman, IMF and Valeria Salomao Garcia, World Bank. 2The assessment is being undertaken jointly by the IMF and the World Bank. The 2011 FSAP was also a full graded assessment, however, only assessed 19 of the then 25 principles were assessed in depth, while for the other 6 principles only the high-level developments since 2005 were reviewed. Also, considering the revisions to the Basel Core Principles (issued 2012) and the changes to the Basel standards since 2011, it was decided to undertake a full graded BCP assessment. 4 PERU setting up an Audit Committee, and its engagement with the Board of Directors of supervised institutions. 6. Although the SBS made progress on the implementation of consolidated supervision, the current supervisory powers and approach fall short of the international standards. Two of the four systemic banks are part of Peruvian (in terms of management and location of main activities) internationally active conglomerates. The SBS does not have the power to regulate holding companies and other entities of the wider conglomerate, two of which are companies incorporated in The Bahamas and Bermuda. The SBS, in assuming its role as home supervisor, is currently working through the supervised subsidiaries in Peru and using its powers to put limitations on the supervised institutions in Peru if it observes weaknesses on a conglomerate level. Finally, while ownership and group structures are transparent and the SBS has a sound supervisory approach towards related party and intra-group lending, the supervisory approach used to assess financial group’s governance, capital, and overall risk management and liquidity risk management needs enhancement. B. Main Findings Responsibilities, Objectives, Powers, Independence, and Accountabilities (CPs 1–2) 7. SBS responsibilities, objectives and powers are clearly defined albeit impaired by legal limitations regarding consolidated supervision. SBS is the banking supervision authority in Peru and it has all the necessary powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. A significant shortcoming, nevertheless, is that its supervisory powers are limited with regard to direct access to parents and affiliates, including non-financial subsidiaries and other affiliates of the parent, all being outside of the direct supervisory perimeter. To redress the absence of this power, the SBS is working through the licensed subsidiaries in Peru and using its powers to put limitations on the licensed institutions if it observes weaknesses on a group level. However, the regulations imposed through this approach on financial groups, for which the SBS has assumed the role of home supervisor, are not as comprehensive (in particular regarding corporate governance and risk management) as the regulations for the licensed entities. These observed weaknesses in the regulatory framework for the supervision of Peruvian financial groups have as a root cause the absence of adequate powers to include holding companies and affiliates in the scope of supervision. 8. SBS has operational independence and no budget constraints, however, further enhancements in terms of legal protection and accountability would be beneficial. Legal protection should be enhanced as current provisions extend only to the Superintendent and Deputy Superintendents and even in those cases covering only the first five years after they have left office. Governance and accountability arrangements have further room for improvement, particularly regarding the assessment of the effectiveness of supervisory activities and further disclosure to the general public. This will require enhanced transparency of supervisory actions beyond the issuance of annual reports. Allocation of resources within banking supervision does take into account the risk profile and systemic importance of individual banks, although the proportion of staff allocated to 5 PERU banks and banking groups, in comparison to the microfinance institutions might need to be reevaluated. Cooperation, Consolidated Supervision and Home-Host Relationships (CPs 3, 12, and 13) 9. Cooperation and collaboration arrangements with local and foreign authorities are in place. Arrangements currently in place in Peru provide a framework for cooperation and collaboration with relevant domestic and foreign supervisors and do reflect the need to protect confidential information. SBS seems to be actively engaged in cross-border cooperation, including exchanges of information and cooperation on examinations, even beyond its supervisory powers. Particularly regarding domestic authorities, SBS does not seem to feel the need to exchange much information in order to perform its supervisory duties, although providing information as requested. 10. Consolidated Supervision is a priority for SBS, albeit impaired by gaps in the legal framework. Given the legal limitations, SBS has done a remarkable job over recent years in terms of gathering information on the conglomerates, monitoring their activities and requiring, by enforcing through the supervised entities and moral suasion, prudential requirements and controls, and, to a certain extent, also acting as “the facto” home supervisor. The lack of legal enforceability of supervisory requirements directly to the holding company and the existence of non-negligible cross- border operations (and taking into account that one of the financial groups has the strategy to look for expansion opportunities abroad), outside the direct supervisory perimeter are issues of concern. The fact that the holding company can have all types of investments in non-financial entities and its risk management and controls are not under the formal scrutiny of the SBS are also reasons for concern, even if the investments are deducted from the regulatory capital at the financial group level. Moreover, its supervisory approach to the group-level assessment of governance, risk management, capital adequacy and liquidity risk management needs enhancement. Permissible activities, Licensing, Transfer of Ownership and Major Acquisitions (CPs 4–7) 11. SBS has a thorough authorizations regime, which would benefit from a few enhancements. Market entry is highly controlled and SBS does overall perform a thorough job in reviewing information provided for authorizations purposes. SBS has the power to review, reject and impose prudential conditions on proposals for transfer of significant ownership or controlling interest above 10 percent held directly or indirectly in existing banks to other parties. The legal and regulatory framework falls short in using the concept of significant influence as a qualitative indicator for significant ownership, which would encompass situations where in practice there is significant influence on the management or policies of the bank, even in situations of stakes below 10 percent. The SBS has the power to approve or reject major acquisitions or investments by a bank including establishment of cross-border operations. The limit established for investments in publicly traded companies (no more than 50 percent of the invested company, up to 10 percent of regulatory capital), nevertheless, might result in banks having high stakes and controlling interest/influence in non-financial companies. 6 PERU Ongoing Supervision (CPs 8–10) 12. The SBS has a robust supervisory approach, moving towards a more risk-based framework. The Supervisory approach is supported by a rating methodology that encompasses a forward-looking perspective, assessing and addressing risk emanating from banks and the banking system. Elements related to the conglomerate of which a licensed institution is part are taken into account for overriding purposes, but are not embedded into the rating. SBS seems to have a deep knowledge of the operations and risk profile of the major banks operating in Peru, making effective use of a broad range of information sources. Interactions with senior management and board have been enhanced but there is still room for further improvement. Resolvability of banks is a topic yet to be tackled by SBS. 13. A broad range of techniques and tools, supported by a broad set of information and prudential reports, enable the implementation of the supervisory approach. The integration of its on and off-site activities has been beneficial and the split between a specialized risk Deputy Superintendence (SAR) and another one (SABM) in charge of individual banks seems to be working well. In addition to the on-site examinations, SBS produces an array of reports produced by both Superintendences, sometimes with overlap between them. Off-site surveillance is yet to acquire a platform similar as for the on-site activities, facilitating analysis and monitoring of follow up activities. Corrective and Sanctioning Powers (CP 11) 14. Early action and moral suasion play an important role in SBS effectiveness. The broad powers granted by the legal framework, paired with a moral suasion culture have enabled SBS to successfully tackle supervisory concerns, acting at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. SBS has experienced senior staff that ensure consistency in the application of the corrective actions. SBS would benefit, nevertheless, from written procedures operationalizing its broad legal powers into a range of supervisory tools to be systematically applied depending on the severity of the situation. Corporate Governance and Risk Management (CPs14–15) 15. The SBS issued in 2017 a new Corporate Governance and Risk Management Regulation incorporating the main elements of the Basel Corporate Governance Principles for Banks . In its regulatory and supervisory framework, the SBS puts significant emphasis on risk management and corporate governance of the licensed institutions and sets clear expectations regarding the role and responsibilities of the Board and the structure of its committees. However, the actual engagement with the Board and individual Board members could be intensified as it is currently mainly limited to an annual meeting with one of the independent Board members. 16. The essential criteria for the evaluation of corporate governance apply explicitly to banks and banking groups. SBS’ governance and risk management regulation does not apply on a group-level for institutions for which the SBS is the home supervisor. As a result, the individual group Board members are not subject to a formal fit and propriety review by the SBS, group Board 7 PERU members are not required to sign-off on their responsibilities as required for Board members of supervised institutions, and the supervisory approach to corporate governance on a group-level is less developed. As mentioned, the root cause of the indirect supervision and less comprehensive regulatory framework for financial groups for which the SBS is the home supervisor, results from its limited powers in this regard. 17. The Consolidated Supervision Regulation to a certain extent redresses the fact that the risk management regulations do not apply on a group-wide basis. The Consolidated Supervision Regulation requires the licensed institution to assure that the group has adequate risk management frameworks in place. This indirect form of regulation and supervision seems currently to work, because the main activities of the Peruvian conglomerates are still taking place in Peru. However, this approach is not optimal and might become ineffective when the cross-border activities of these groups increase. Capital Adequacy (CP 16) 18. The SBS has made significant progress on the implementation of the Basel III regulatory reform agenda. Although there are differences in the implementation, in particular regarding the different capital buffers, the implemented approaches aim to achieve the same objectives and broadly equivalent overall capital levels. Apart from introducing the Basel III capital definition and formally incorporating the supervisory review of the Internal Capital Adequacy Assessment Process (ICAAP) into account in SBS’ internal rating methodology, there are other elements that could be improved. For example, the countercyclical buffer is activated if GDP growth is above 5 percent, which may be not effective in situations where there is excessive credit growth when GDP growth is still below 5 percent. In addition, the systemic risk and single name risk buffers need to be reviewed as they are currently not commensurate with the risk they are supposed to cover. These issues have already been identified by the SBS and are part of the review of the Additional Capital Requirements Regulation that is currently taking place. 19. The supervisory group capital adequacy assessment needs enhancement. The group capital adequacy assessment could be further enhanced by also taking into account: i) the capital adequacy of the holding on a solo level (in order to determine if the excess capital is available on a holding level); ii) the location of capital within the conglomerate, including the risk of ringfencing/non-transferability of capital allocated to entities supervised by authorities abroad; iii) the extent to which excess capital at a group level can be completely allocated to support the financial activities of the conglomerate. The assessment of the consolidated capital adequacy does not take adequately into account the necessary adjustments to account for the change in accounting standards; solo financials based on SBS accounting standards, while consolidated financials might be based on IFRS (which could impact the provisioning levels and therefore the available capital on a consolidated basis). 8 PERU Prudential Regulations and Requirements (CP17–CP25) 20. The regulatory and supervisory approach and practices regarding the other prudential regulations and requirements are in general sound. As observed in the 2011 BCP assessment, the market risk regulation is outdated. The SBS has recently issued a revised regulation for consultation to the industry, which when issued should bring this regulation again in line with international standards.3 In practice the outdated regulation has not constrained the SBS in conducting effective supervision. With regard to liquidity, the SBS has implemented the LCR (tailored to the local circumstances) and is in the process of implementing the NSFR. With the revised liquidity risk management regulation as issued in 2012, the SBS also requires groups for which it is the home supervisor, to have liquidity contingency plans on a group level. While the regulation requiring liquidity contingency plans on a group level has been issued in 2012, the actual development of these plans are still in their initial phase. Internal Control, Internal and External Audit, Financial Reporting and Disclosures (CP26–28) 21. The regulatory and supervisory frameworks for internal control, audit and financial reporting and disclosures are adequate. Regarding disclosures, the SBS could further improve the qualitative disclosures by implementing the recommendations of Enhanced Disclosure Task Force of the Financial Stability Board and/or the implementation of Pillar 3. The SBS could also improve its engagement with the external auditors. In addition, it could assess more in depth whether the current provisioning requirements are adequate when compared with the new IFRS9 standard, while also considering possible issues as a result of the widening gap in accounting standards between supervised institutions (SBS standards) and consolidated financial groups (might be based on IFRS standards). Overall the frameworks covering these principles are considered adequate taking into account the current state of development and complexity of the financial markets and banking system. Abuse of Financial Services (CP 29) 22. SBS has a robust AML/CFT framework, but the limited sanctions can potentially curb its effectiveness. The regulatory and supervisory framework has been strengthened in recent years with the issuance of the AML/CFT risk management regulation and continuous enhancements in supervisory procedures. An important limitation in the current framework is the fact that sanctioning for banks is confined to fines up to USD 250,000, not enough to curb behavior. 3After the completion of the assessment (November 1, 2017) the SBS issued the revised market risk regulation (Resolution SBS No. 4906-2017) on December 20, 2017. 9 PERU INTRODUCTION AND METHODOLOGY A. Introduction 23. This assessment of the current state of the implementation of the Basel Core Principles for Effective Banking Supervision in Peru has been completed as a part of the Financial Sector Assessment Program (FSAP) mission undertaken by the International Monetary Fund (IMF) and World Bank during October of 2017 at the request of the Peruvian authorities. It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment (November 1, 2017). It is not intended to represent an analysis of the state of the banking sector or crisis management framework, which are addressed in other parts of the FSAP. 24. An assessment of the effectiveness of banking supervision requires a review of the legal framework, and detailed examination of the policies and practices of the institutions responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on the Superintendence of Banks, Insurers and Private Pension Funds (SBS) in their role of supervisor of the banking system, and did not cover the specificities of regulation and supervision of other financial intermediaries. It is important to note, however, that to the extent that SBS is a unified supervisor responsible for other entities of the financial sector, the assessment of banking supervision in Peru may provide a useful picture of current supervisory processes applicable to other deposit taking financial institutions supervised by it.4 B. Information and Methodology Used for Assessment 25. Peru has been assessed against the Revised Core Principles Methodology issued by the BCBS (Basel Committee of Banking Supervision) in September 2012.5 The current assessment was thus performed according to a revised content and methodological basis as compared with the previous BCP assessment carried out in 2011. It is important to note that the two assessments will not be directly comparable, as the revised BCP have a heightened focus on corporate governance and risk management and its practice by supervised institutions and its assessment by the supervisory authority, raising the bar to measure the effectiveness of a supervisory framework (see box for more information on the Revised BCP). 26. The Peruvian authorities chose to be assessed and rated on the Essential Criteria (EC), and therefore the Additional Criteria were not considered in the final rating. To assess compliance, the BCP Methodology uses a set of essential and additional assessment criteria for each principle. The EC were usually the only elements on which to gauge full compliance with a Core Principle (CP). The additional criteria (AC) are recommended best practices against which the authorities of some more complex financial systems may agree to be assessed and rated. The 4The general corporate governance and risk management framework is applicable to all supervised institutions. 5BCBS, Core Principles for effective banking supervision (September 2012). Available via: https://www.bis.org/publ/bcbs230.htm 10 PERU assessment of compliance with each principle is made on a qualitative basis. A four-part grading system is used: compliant; largely compliant; materially noncompliant; and noncompliant. This is explained below in the detailed assessment section. The assessment of compliance with each CP is made on a qualitative basis to allow a judgment on whether the criteria are fulfilled in practice. Effective application of relevant laws and regulations is essential to provide indication that the criteria are met. 27. The assessment team reviewed the framework of laws, rules, and guidance and held extensive meetings with officials of the SBS, and additional meetings with auditing firms and banking sector participants. The SBS provided a comprehensive self-assessment of the CPs and facilitated access to all the relevant supervisory documents and files, staff, and systems. 28. The team appreciated the very high quality of cooperation received from the SBS. The team extends its thanks to the SBS staff who provided excellent cooperation, including extensive provision of documentation and access and for facilitating meetings with other stakeholders. In particular, the team would like to thank the SBS staff who responded to the extensive and detailed requests promptly and accurately during the assessment. 29. The standards were evaluated in the context of the Peruvian financial system’s structure and complexity. The CPs must be capable of application to a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breadth of application, a proportionate approach is adopted within the CP, both in terms of the expectations on supervisors for the discharge of their own functions and in terms of the standards that supervisors impose on banks. An assessment of a country against the CPs must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, and risk profile and cross-border operation of the banks being supervised. In other words, the assessment must consider the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another. 30. An assessment of compliance with the BCPs is not, and is not intended to be, an exact science. Reaching conclusions required judgments by the assessment team. The assessment of the current legal and regulatory framework and supervisory practices against a common, agreed methodology should, however, provide the supervisors of Peruvian banks with an internationally consistent measure of the quality of its banking supervision in relation to the CPs, which are internationally acknowledged as minimum standards, and point the way forward. 31. To determine the observation of each principle, the assessment has made use of five categories: compliant, largely compliant, materially noncompliant, noncompliant, and non- applicable. An assessment of “compliant” is given when all ECs are met without any significant deficiencies, including instances where the principle has been achieved by other means. A “largely compliant” assessment is given when there are only minor shortcomings, which do not raise serious concerns about the authorities’ ability to achieve the objective of the principle and there is clear intent to achieve full compliance with the principle within a prescribed period (for instance, the 11 PERU regulatory framework is agreed but has not yet been fully implemented). A principle is considered to be “materially noncompliant” in case of severe shortcomings, despite the existence of formal rules and procedures and there is evidence that supervision has clearly not been effective, the practical implementation is weak or that the shortcomings are sufficient to raise doubts about the authorities’ ability to achieve compliance. A principle is assessed “noncompliant” if it is not substantially implemented, several ECs and ACs are not complied with, or supervision is manifestly ineffective. Finally, a category of “non-applicable” is reserved for those cases that the criteria would not relate the country’s circumstances. Box 1. Peru: The 2012 Revised Core Principles The revised BCPs reflect market and regulatory developments since the last revision, taking account of the lessons learned from the financial crisis in 2008/2009. These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and FSB, and take into account the importance now attached to: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the microprudential supervision of banks to assist in identifying, analyzing and taking pre-emptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) fostering robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure and transparency. The revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. The supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also the risks they pose to the banking and the financial systems. In addition, supervisors need to consider how the macroeconomic environment, business trends, and the build-up and concentration of risk inside and outside the banking sector may affect the risk to which individual banks are exposed. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention. The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which means the contents are the same), and the introduction of 35 new essential criteria. In addition, for countries that may choose to be assessed against the additional criteria, there are 16 additional criteria. While raising the bar for banking supervision, the CPs must be capable of application to a wide range of jurisdictions. The new methodology reinforces the concept of proportionality, both in terms of the expectations on supervisors and in terms of the standards that supervisors impose on banks. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems. 12 PERU INSTITUTIONAL AND MARKET STRUCTURE— OVERVIEW A. Institutional Overview 32. Peru’s General Financial System Law (“Ley General del Sistema Financiero, or LGSF) assigns responsibility for the approval and supervision of banks and other nonbank financial intermediaries to the SBS. The law provides the SBS with the powers necessary for licensing entry, approving permissible activities, enacting regulations, and supervising compliance with laws and regulations, including its enforcement and to resolve failing institutions. The LGSF together with the regulations (Resolutions) issued by the SBS provides a comprehensive legal and normative framework for banking supervision in Peru. Under the Law, the SBS has no supervisory board, but is on certain aspects accountable to the General Controller of the Republic. Figure 1: Peru: Organogram SBS Source: SBS. 33. The SBS is a large organization, with seven deputy superintendents in charge of supervising financial institutions. The Superintendeces for Private Pension Funds Administrators, Banking Sector (incl. microfinance companies) (herein further SABM) and Insurance are in charge of the day-to-day supervision of the supervised financial institutions. The three Superintendences responsible for the day-to-day supervision are supported by four advising Superintendences: Legal Advice; Economic Studies (SAEE); Financial Risks (SAR), and; Market Conduct and Financial Inclusion. 34. The SABM has two General Intendance; one for Banking Supervision (BSD) and one for the supervision of microfinance institutions over which the staff are about evenly distributed. The nine different specialized departments of the SAR support the supervision of financial risks of the 13 PERU three-line Superintendences, however about 55 percent of its resources are spent on bank supervision, which combined with the BSD staff implies that about 130 staff are involved on a day- to-day basis in prudential supervision of the twenty (sixteen commercial and four state-owned) licensed banks. Both SABM and SAR conduct a mix of onsite and offsite activities governed by the internal rating assigned to each institution. Among several others, two standing committees, notably on Internal Classification of Financial Institutions (Rating Committee) and on Consolidated Supervision, coordinate the relevant supervisory actions. In addition, there is a Supervision Policies Committee, which reviews and approves the policies, and supervisory tools and more recently the SBS has set up an internal Financial Stability Committee. 35. SAEE provides input on stress-testing, conducts biannually a top-down stress test for the banking system and prepares a quarterly (internal) financial stability report that highlights macro financial risks. Apart from legal advice on policy development, the Superintendence for Legal Advice also has a Department for the Supervision of Contracts of Financial Services, which supports the evaluation of the management of losses due to disputes, trails, breaches of contracts, the compliance officer function and contracts of regulated entities. B. Market Structure6 36. The financial system is relatively small, with total assets of 95 percent of GDP, and displays uneven levels of development across subsectors. The largest sub-sectors are comprised of banks (sixteen commercial and four state-owned) and private pension funds and the banking sector is quite concentrated, with the four largest banks accounting for more than 83 percent of commercial banks assets (Table 1). There are two large Peruvian (in terms of main shareholders, activities and management) conglomerates with foreign holding companies for which the SBS is operating de facto as the home supervisor. There is a substantial presence of foreign banking groups: eleven of the sixteen banks are foreign-owned, including two of the top four banks, and they account for about 48 percent of commercial bank assets. Banks have generated high levels of profits with system return on equity (ROE) at around 19 percent in 2016. The insurance sector is small and penetration is low. 37. A wide range of microfinance institutions (MFIs) also offer financial services, often in rural areas and for the lower income urban population. These MFIs include: finance companies (empresas financieras), savings and loans (cajas municipales and cajas rurales de ahorro y crédito), and traditional microfinance (entidades de desarrollo de la pequeña y microempresa). The system also includes financial cooperatives (cooperativas de ahorro y crédito - COOPAC) on which little information is available. Currently a three-tier regulatory framework is being contemplated in which the supervision of the top 8-10 COOPACs will go to the SBS, Tier 2 institutions will be supervised by FENACREP (as per current model) and Tier 3 COOPACs will be registered and receive basic monitoring. Although the different MFIs only represent about 6 percent of the total financial sector 6 This section draws from other documents produced for the FSAP, some of which at the time of this assessment were not yet finalized. A complete analysis of the macro-economic framework and financial sounds indicators is contained in Article IV reports. 14 PERU assets (but in rural areas important from a financial inclusion perspective), the SBS has allocated significant supervisory resources to these institutions given their level of risk management and corporate governance practices. Table 1. Peru: Financial Sector Structure Total Assets Number of Institutions Percent of Total System Millions of Soles in Percent of GDP Assets 2011 2017 2011 2017 2011 2017 2011 2017 Banks 224,639 425,375 48.3% 62.6% 63.9% 63.5% 19 21 Commercial 193,056 371,303 41.5% 54.7% 54.9% 55.5% 15 16 -Four Largest 160,820 309,539 34.6% 45.6% 45.8% 46.2% 4 4 -Foreign-Owned 92,212 181,998 19.8% 26.8% 26.2% 27.2% 11 12 Public sector 31,583 53,865 6.8% 7.9% 9.0% 8.0% 4 4 Non-Banks Pension Funds 81,881 156,247 17.6% 23.0% 23.3% 23.3% 4 4 Insurers 19,786 45,146 4.3% 6.6% 5.6% 6.7% 14 21 Non-bank MFIs 16,345 28,218 3.5% 4.2% 4.7% 4.2% 35 28 Finance companies 7,735 13,328 1.7% 2.0% 2.2% 2.0% 10 11 Others 954 1,162 0.2% 0.2% 0.3% 0.2% 19 18 Total 351,340 669,476 75.6% 98.6% 100.0% 100.0% 101 103 Source: SBS. 15 PERU PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION7 A. Sustainable Macroeconomic Policies 38. Peru has been one of the top performing Latin American economies over the past decade, and prospects remain sound. Despite a challenging external environment, Peru’s average GDP growth exceeded 5 percent during the period 2008-2016, while inflation remained subdued, averaging 3.25 percent. GDP growth slowed down in early 2017, largely due to the impact of the El Niño flooding and uncertainty caused by the Odebrecht scandal, and is estimated to finish the year at 2.7 percent. In the coming years, however, Peru is expected to grow near potential (3.75 percent), driven by increasing investment, with inflation staying below 3 percent. The robust growth, along with a conservative fiscal management, has led to a reduction of public debt to about 24.4 percent of GDP in 2016, from 32 percent at end-2007. 39. High financial dollarization continues to be a source of vulnerability. Although financial dollarization has declined substantially from its peak level of around 80 percent in the early 2000s, the current levels of credit and deposit dollarization—around 29 and 40 percent, respectively—are still a source of risk for the private sector balance sheets. The strong exchange rate depreciation between May 2013 and February 2016 led to some reversal of the dedollarization of deposits. During this period, BCRP and the SBS implemented policies to disincentivize lending in foreign currency, such as dedollarization repos, FX credit reduction targets, and additional capital surcharges on dollar lending, which contributed to a sustained decline in credit dollarization. B. Framework for the Formulation of Financial Stability Policies 40. Peru’s macroprudential framework is less formal than in many other countries, although it has been working effectively so far. There is no designated macroprudential authority. However, the SBS Superintendent attends the quarterly BCRP Board of Directors meetings, and high- level staff of the MEF, BCRP, and SBS meet on a regular informal basis to discuss financial sector developments and policy issues. Systemic risk analysis is fragmented among the BCRP, SBS and Superintendencia del Mercado de Valores (SMV), but information gaps exist. The BCRP and SBS prepare regular Financial Stability Reports; only BCRP publishes its report semiannually. 41. The bulk of the macroprudential tools are with the SBS. These include capital surcharges for systemically important financial institutions, capital conservation buffers, countercyclical capital requirements, dynamic provisioning, liquidity requirements, and capital surcharges for a range of risks. The BCRP uses reserve requirements and repo operations both as monetary policy and 7 This section draws from other documents produced for the FSAP. 16 PERU macroprudential tools. In recent years, a large focus has been on reducing the dollarization levels of the economy, particularly on household borrowing. C. Public Infrastructure 42. Corporate legislation includes the following laws. • General Law on Societies (GLS), Law 26887, that provides for corporate matters related to legal entities for profit. It includes the different types of societies. • General Financial System Law, Law 26702 (LGSF), including corporate matters that must be complied with by institutions under SBS supervision in addition to the ones provided by the GLS. • Consumer Defense Code, Law 29571, protects consumers’ access to products and services and benefit from rights and mechanisms for their protection, reducing information asymmetry, correcting, preventing, and eliminating behaviors and practices that affect their legitimate interests. 43. The SBS issues the accounting rules and establishes the structure of the financial statements that financial institutions must submit to the SBS and disclose to the public. The supervisor also provides guidance on valuation standards and detailed instructions for submitting reports with rules on loans and provisions, investments, derivatives, etc. Accounting standards are based on the International Financial Reporting Standards (IFRS), establishing guidelines that are the most prudential for systems such as the Peruvian system. 44. The SBS establishes external audit requirements and standards for supervised institutions. Audit firms will conduct their reviews in accordance with the International Standards on Auditing and Related Services issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC), as approved by the Council of Deans of the Association of Public Accountants of Peru, and with the provisions established by the SBS. 45. The Stock Market Superintendence (SMV) is the government entity in charge of regulating and supervising securities market. Likewise, in accordance with Law 29440, the Central Bank is the body that regulates payment systems, and the SMV does the same with security settlement systems. The National Institute for the Protection of Competition and Copyright (INDECOPI) is responsible for protecting the rights of consumers and ensuring the adequacy of financial services based on the information provided, amongst other functions. 46. The SBS, as established by the LGSF, manages the Risk Registry. The Risk Registry is an integrated system for registering financial, credit, commercial and insurance risk, containing information on debtors of the supervised institutions. Although the SBS Risk Registry can provide global and systematised information to third parties, such as the commercial credit registries (thus becoming one of the sources of information of these registries), and individually to information owners, its main purpose is for bank supervision. Its existence permits an internal analysis of credit risk evolution, the rating of debtors and provisions, the verification of individual credit limits; and supports credit management by the supervised entities themselves. These services are inherent to 17 PERU the oversight function of the SBS, which seeks to protect the creditworthiness of financial entities and thus protect the savings of the public with whom such entities operate. D. Framework for Crisis Management, Recovery and Resolution8 47. The resolution legal framework is an administrative process with the potential for judicial review. The LGSF states that the SBS has the power to put a troubled financial institution under surveillance and/or in an intervention regime, culminating either in the institution’s recovery or—if applicable—with its dissolution and liquidation. Currently, the SBS uses the surveillance regime—which is limited to 45 days but renewable for another 45 days under certain circumstances—to prepare for intervention. In the surveillance regime, the SBS does not take control but permanently positions SBS personnel in the entity. In the intervention stage, the SBS takes control and the operations of the entity cease by law. 48. The resolution authority is the SBS, which triggers the resolution process and decides the tools to be used. The Fondo de Seguro de Depositos (FSD) is not involved in the resolution decision or in the process for deciding which tools to use. It only provides the financial support for the resolution tool selected by the SBS. The BCRP can provide Emergency Liquidity Assistance (ELA). 49. Peru’s deposit insurance system, administered by the FSD, is a “paybox plus” arrangement. Articles 144 through 157 of the LGSF govern the FSD and, inter alia, establish it as a special private legal entity but also provides that the SBS shall supply to FSD the personnel, premises, equipment, and installations that it will require. 50. All deposit-taking financial institutions authorized by the SBS are compulsory members of the FSD. Currently, there are 44 institutions that are members: 16 banks, 10 financial companies, 12 municipal savings and loan institutions, and 6 rural savings and loan institutions. The deposit insurance premium the institutions have to pay is determined on their external rating (the LGSF requires these institutions to have at least two external ratings). E. Market Discipline 51. The SBS establishes the information disclosure standards to be applied by the supervised institutions. The Accounting Manual published by the SBS establishes the periodicity with which the information of supervised companies must be disclosed. At the same time the LGSF requires all banks to be listed in the stock exchange. As a result, all commercial banks are also subject to the disclosure requirements of the SMV. The qualitative and quantitative disclosures required by the SMV are available per institution on its website. In addition, the SBS publishes extensive quantitative information of the banks and banking system on its website. 8As part of the FSAP a separate technical note is prepared which reviews and advises on the Financial Safety Net, Crisis Preparedness and Management. 18 PERU DETAILED ASSESSMENT A. Supervisory Powers, Responsibilities and Functions Principle 1 Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.9 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. 10 EC1 The responsibilities and objectives of each of the authorities involved in banking supervision11 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. Description and The Banking and Insurance Superintendence (Superintendencia de Banca Y Seguros - findings re EC1 SBS) is the banking supervision authority in Peru. SBS responsibilities and objectives are clearly defined through Law 26702, the General Law of the Financial and Insurance Systems and Organic Law of the Superintendence (General Law), in additional to an overall statement presented at the Political Constitution of Peru. The Political Constitution of Peru (Article 87) establishes that the Superintendence will exercise supervisory controls over banks, insurance companies, private pension funds, all remaining deposit takers and others that, as established by the legal framework, perform related or similar activities. The General Law, Article 345, details the matter, stating that SBS objective is to protect the public interest in what is related to the financial and insurance system, reinforcing that SBS role is to exercise supervision and control within the scope of its powers. Article 347 - SBS purpose - reinstates that it is SBS’ responsibility to defend the public interest, safeguarding the economic and financial soundness of the institutions under its purview, ensuring compliance with the legal, regulatory and statutory rules that govern them and exercising overall monitoring and control of business and activities. Also, as per Article 347, it is among SBS responsibilities to file criminal charges against unauthorized individuals and corporations practicing 9 Inthis document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation. 10 The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles. 11 Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification. 19 PERU banking related activities and to request the dissolution and liquidation of those operations. The General Law provides either the Superintendent (which can delegate powers as appropriate) or SBS with regulatory, inspection and control powers, as well as sanctioning powers as established in articles 349 to 362. In addition to the General Law provisions, financial entities are also governed by regulations issued by the SBS through Resolutions and Circulars, in accordance with the powers spelled out in Article 349. The SBS website provides information on SBS mission, philosophy regarding regulation and supervision among others, as well as a link to Law 26702 http://www.sbs.gob.pe/principal/categoria/sistema-financiero/2588/c-2588. SBS carries out its functions in coordination with: a) the Central Reserve Bank of Peru (BCRP), which aims at preserving monetary stability, regulating the currency and credit of the financial system, administering international reserves, issuing notes and coins, among others; b) the Superintendence of the Securities Market (SMV), charged with ensuring the protection of investors, the efficiency and transparency of the markets under their supervision; and c) the National Institute for the Defense of Competition and Protection of Intellectual Property (INDECOPI), which functions include to protect the rights of consumers, ensuring the suitability of services based on the information provided. EC2 The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. Description and SBS has responsibilities related to prudential regulation and supervision, as well as findings re EC2 consumer protection and AML/CFT issues. As mentioned in EC1, the General Law (Article 345) states that SBS objective is to protect the public interest in what is related to the financial and insurance system, with Article 347 stating that it is the SBS responsibility to defend the public interest, safeguarding the economic and financial soundness of the institutions under its purview. It is the assessors’ view that SBS practices evidence a clear prioritization of the safeguard of the economic and financial soundness of financial institutions. Specifically, on AML/CFT, Article 3 of Law No. 27693, as amended by Legislative Decree No. 1106, Legislative Decree of Effective Fight against Money Laundering and Other Crimes related to Illegal Mining and Organized Crime (AML Law), establishes that SBS has the function and power to regulate the general and specific guidelines, 20 PERU requirements, precisions, sanctions and other aspects related to AML/CFT prevention systems. In addition, the Consumer Protection Code (Law 29571), through Article 81, establishes that matters related to consumer protection in the case of financial service providers under SBS supervision, are regulated by the Consumer Protection Code, as well as Law 28587 (Consumer Protection Law), in addition to regulations. Article 81 also states that the regulation and supervision of the financial system, products and services is governed by the principle of regulatory specialty through Law 26702. In practice, that allows for the SBS objectives safeguarding the economic and financial soundness of the institutions under its purview is assured. EC3 Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile12 and systemic importance.13 Description and The General Law and the regulations issued by SBS provide a framework of minimum findings re EC3 prudential standards that banks and, to a certain extent, banking groups are required to meet. The General Law (Articles 184 to 220) set prudential limits in relation to capital requirements, related party lending, as well as penalties for violating such limits. Article 349 (9) includes among the SBS Superintendent responsibilities the issuance the necessary regulations for the application of the law as well as for the practice of financial and operations (and complementary services). Art. 349(19) empowers the Superintendent to perform all acts necessary to safeguard the interests of the public in the context of the functions assigned to it by the Constitution of Peru, granting the SBS broad and strong enforcement powers. The legal and regulatory framework encompasses requirements regarding licensing, capital components, capital requirements, provisioning, liquidity, concentration risk, related party lending, risk management, corporate governance, AML/CFT, prudential requirements, among others, on a consolidated basis, from the bank downwards. Supervisory powers, as established under the General Law do not encompass banks’ parents or holding companies and their affiliates. General Law provisions relative to consolidated supervision are established under Article 138, which encompass the requirement of all the necessary financial information on the conglomerate through the supervised entity on an individual and consolidated basis. It further elaborates stating that based on consolidated supervision the SBS can require prudential measures from supervised entities. 12In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank. 13In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011. 21 PERU Notwithstanding, Resolution SBS No. 11823-2010 - Regulation for Consolidated Supervision of Financial and Mixed Conglomerates (Consolidated Supervision Regulation) and its amendments, establishes, through articles 5th to 8th capital requirements for the conglomerate. Articles 9 to 11 establish capital requirements for the financial group. Articles 13 and 14 establish related party and concentration limits for the conglomerate and financial group. These requirements are however only indirectly applicable to the financial group, and in case of non-compliance the SBS can only undertake supervisory measures regarding the licensed entity. Financial groups are not subject to the corporate governance and risk management regulation requirements but are expected to take the necessary measures so that the financial group implement mechanisms that enable an adequate risk management. Mandatory capital buffers, which are applied to the supervised entities take into account risk profile and systemic risk (please refer to CP 16 for further details). Since 2010 banks are required to submit an ICAAP report on an annual basis. EC4 Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. Description and SBS have been updating the regulatory framework as it deems necessary to ensure findings re EC4 their effectiveness and relevance. Highlights include subordinated debt (2016) regulatory capital requirements to credit risk (2012), the introduction of the LCR (2012), and additional capital buffers (2011), as well as the enhancement of the Comprehensive Risk Management Regulation with of corporate governance requirements (2017). Not surprisingly, amendments to the legal law are more complex and less usual. A significant amendment occurred in 2008 incorporating the Basel II framework, nevertheless. The authorities do not envision further changes to the legal framework any time soon. The 32nd Final and Supplementary Provision of the General Law states that the SBS, to the extent practicable, will publish in advance any proposed regulations of general application relating to matters pertaining to the General Law including information on its purpose. It will also offer time for comments, taking the relevant ones into consideration when issuing the regulations. In addition, Article 14 of Supreme Decree No. 001-2009-JUS states that public entities shall release draft general regulations which fall within its competence in the official gazette El Peruano, on their electronic portals or by any other means, at least thirty (30) days before the scheduled date for its entry into force, except in exceptional cases, allowing interested persons make comments on the proposed measures. Exchanges with the industry confirmed such practice. EC5 The supervisor has the power to: a) have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; b) review the overall activities of a banking group, both domestic and cross-border; and 22 PERU c) Supervise the activities of foreign banks incorporated in its jurisdiction. Description and The legal framework empowers the SBS to have full access to banks and banking findings re EC5 groups (from the bank downwards)’ Boards, management, staff and records in order to review compliance with internal rules and limits. Article 39 states that all General Law provisions apply to foreign banks incorporated in Peru. Article 349 of the General Law establishes, among others, the following powers of the Superintendent: to exercise integral supervision of financial entities (item 3); examine under oath any person whose testimony may be useful for the clarification of the facts that are studied during the inspections and investigations (item 5); and, in general, perform all acts necessary to safeguard the interests of the public in accordance with the Law (item19). Likewise, Article 350 of the General Law establishes that the Superintendent may examine, by such means as deemed necessary, books, accounts, archives, documents, correspondence and in general any other information necessary for the performance of their duties. For such purposes, entities are required, to provide to examiners all the facilities that may be required. The refusal, resistance or non-observance (provided that it is duly accredited), results in sanctions. Article 350 also empowers the superintendent to request all the background deemed necessary about its financial situation, resources, administration or management, action of its representatives, degree of security and prudence with which the investments are made, and in general of any other matter that, in his view, should be clarified. In addition, Article 77 specifies that the Superintendent is entitled to attend, in person or through the delegate he appoints, any session of the General Meeting of Shareholders of the supervised companies. Article 356 of the General Law states that the Superintendent is entitled to have one or more representatives of the companies appear when he considers that there are indications related to their instability or when they have incurred in any of the faults established in the same article. While the General Law grants powers for unrestricted access to the Board, and records of supervised companies, to verify compliance with internal rules and limits, it is not empowered to do so directly in the case of unsupervised companies that make financial or mixed conglomerates, including the holding company. More specifically, Article 138 empowers the SBS to require through its supervised entities the necessary financial information to perform consolidated supervision. In practice, SBS does have access to board and senior management, as well as board minutes from holding companies, as well as cross-border financial entities that form part of the conglomerate. EC6 When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have 23 PERU the potential to jeopardize the bank or the banking system, the supervisor has the power to: a) take (and/or require a bank to take) timely corrective action; b) impose a range of sanctions; c) revoke the bank’s license; and d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate. Description and As already mentioned, the General Law, Article 349 (19) empowers the SBS to take all findings re EC6 the necessary action to protect the public interest. Based on those powers SBS requires banks to take a range of corrective actions as necessary, including requiring capitalization, limit growth, requiring board members to step down, among others, which have been exercised. Article 355 (on profit distribution and entities with financial stability and management deficiencies) empowers the SBS in case of entities with financial instability or management deficiency, to require capital adjustments, as necessary, to reflect actual capital ratios, as well as request cash capital increases. In addition, the SBS is also empowered to forbid entities from performing one or more of the following (for six months, renewable for six months more): a) to take additional risks of any kind with any related party; b) to renew for over 180 days, any operation that implies any risk; c) to execute operations that generate new market risk; d) to purchase, sell or encumber fixtures or real property corresponding to their fixed assets or to their permanent financial investments; e) to transfer financial instruments from their credit portfolio; f) to grant credits without collateral; and g) to grant Powers of Attorney for the execution of the operations set forth in the preceding points. The General Law characterize infractions (Article 356), including legal or regulatory breaches, all subject to sanctions. Art. 361 grants the SBS with powers to impose the following sanctions depending on the severity of infractions (in addition to further provisions on sanctions in regulations), as listed below. 1. admonition; 2. fine in an amount not less of ten UITs14 or larger than two hundred, unless the present law indicates in a specific way, a different amount 3. fine director or staff, not less than five points UIT or bigger than one hundred. 4. suspension of the director (board member) or staff in charge, for a term not less than three days or larger than fifteen, and removal in case of relapse. 5. Destitution. 6. Ineligibility of the director or staff in the case they were responsible of the intervention or liquidation of the institution under their charge. 7. prohibition of distributing dividends. 14 One UTI is currently 4,000 soles 24 PERU 8. Intervention. 9. Suspension or cancelling of the operations authorization. 10. Dissolution and liquidation. SBS also has established a Sanctions Regulation (Resolution 816/2005) and has further provisions on fines. The General Law (Article 95) also empowers the SBS to put banks under a “surveillance regime” in circumstances such as: failure to meet capital requirements for over three months; grant loans to its own shareholders in order for them to capitalize the bank; incurring notorious or repeated violations of the General Law, as well as other serious reasons. Under such regime, SBS has ample powers to require a recovery plan and to require immediate recapitalization, among others. Articles 104 to 107 deal with intervention, which can be triggered based on failure to complete a recovery plan established under the surveillance regime, reduction in 50 percent of its regulatory capital, among others. Finally, Article 381 of the General Law establishes among the powers of the SBS, the power to deny, suspend or cancel the operating license of financial entities. EC7 The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. Description and SBS does not have the explicit power to review the activities of parent companies and findings re EC7 of companies affiliated with parent companies (including its subsidiaries) to determine the impact on the bank and the banking group. Article 138 of the General Law elaborates on consolidated supervision relying on the supervised entities to provide the necessary information for supervisory purposes. There is no explicit reference to holding/parent companies. Specifically, on affiliates of parent companies, Article 138 elaborates on mixed conglomerates, stating that information requirements will aim at determining the impacts that those companies might have on the supervised entities, laying with the supervised entities the obligation to provide the necessary information. In practice, the SBS does have access to parent companies balance sheets, board and senior management. Information on non-financial affiliates, nevertheless, depend on requiring them through the supervised entities. SBS has the power to assess the impact of the activities of companies that are directly under its supervisory perimeter but has no explicit full powers to monitor the activities of the parent company. However, as noted in the essential criterion 5, SBS has established various mechanisms that minimize the impact of such legal constraints on the ability of SBS to assess the risk profile of the company and the conglomerate to which it belongs. 25 PERU Article 138 of the General Law establishes that SBS in the exercise of consolidated supervision over financial and mixed conglomerates requires from the entities subject to its supervision, the presentation of balance sheets and other relevant financial information in a consolidated and individual basis. It also states that, in the case of companies established in Peru and supervised by SBS that make up a financial conglomerate, SBS may request complementary information in a consolidated or individual form. In the case of non-supervised entities, it may request information from them through the supervised entities, as well as obtain such information through inspection visits and other on-site procedures (to supervised entities). Paragraph b) mentions that in the case of companies not domiciled in Peru that form a financial conglomerate whose main activities are carried out in Peru, it is the responsibility of the supervised entities to provide SBS with all the necessary information for the development of its supervisory functions, including general information on the banking group Article 11 of the Special Rules on related parties and economic groups, approved by Resolution SBS No. 5780-2015 (Related Parties Special Rules), establishes the legal persons and / or legal entities that can integrate a financial conglomerate, which includes the holding company. It also defines as legal entity the autonomous assets managed by third parties, who lack legal personality, the association between two or more persons who have a right or common interest to carry out a particular activity, as well as investment in mutual funds, investment in securities, trust funds and consortiums, among others. Assessment of Materially Non-Compliant Principle 1 Comments SBS responsibilities and powers are clearly defined in the legal framework. Overall, SBS has the powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. A significant shortcoming, nevertheless, in the Peruvian legal framework is that its supervisory powers are limited regarding direct access to parents and affiliates, including their subsidiaries and other affiliates, all being outside of the direct supervisory perimeter. Such legal limitation is particularly of concern since two Peruvian (in terms of main shareholders, activities and management) conglomerates with foreign holding companies, for which the SBS is operating de facto as the home supervisor, are systemic. Although the SBS has done a remarkable job over the recent years in terms of gathering information on the conglomerates, monitoring their activities and requiring (by enforcing through the supervised entities and moral suasion) prudential requirements and controls, these legal limitations impair SBS’ ability to effectively regulate and supervise these conglomerates on a consolidated basis. 26 PERU In addition, while the General Law grants powers for unrestricted access to the Board, it is not empowered to do so in the case of unsupervised companies part of financial or mixed conglomerates, including the holding company. SBS does not have the explicit power to review the activities of parent companies and of companies affiliated with parent companies (including their subsidiaries) to determine the impact on the bank and the banking group. In the case of affiliates, the law makes states that information has to be gathered through the supervised entity. The law does not make reference to holding companies. The authorities are recommended to: • Amend the legal framework to grant SBS powers to exercise full consolidated supervision. Principle 2 Independence, accountability, resourcing and legal protection for supervisors . The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. EC1 The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. Description and Article 87 of the Political Constitution of Peru states that the organization and findings re EC1 functional autonomy of SBS is to be established under the law. Article 345 of the General Law establishes that the nature of the SBS corresponds to that of a constitutionally independent institution public entity, whose purpose is to protect the interests of the public in the field of financial and insurance systems. The same article notes that the SBS holds within its powers control and supervision of the financial system and insurance system entities and other natural and legal persons incorporated by the General Law or by special laws. According to the legal framework solely the Superintendent, together with staff to which responsibilities are delegated, bears the responsibility for decisions taken. Articles 363 of the General Law establishes the Superintendent as the highest-ranking official at the SBS. The Rules of Organization and Functions (ROF) establishes how the SBS operates, containing the nature, purpose and goals of the SBS, functions and responsibilities, their organizational structure as well as the organization and functions of the functional units that form the SBS. The ROF is available at the SBS website The SBS is required to issue and make available at its website an annual report (Article 353 of the General Law). The 2016 annual report included, specifically related to banks, information such as number of on-site examinations, general information 27 PERU on the financial system including loan volumes, financial indicators, as well as a summary of the actions taken by SBS, including supervisory enhancements, new regulations, as well as special themes. There was also a detailed section on initiatives related to AML/CFT. The annual report also included general comments on budget actions and training. In addition, all public administration entities (Articles 5 and 25 of Supreme Decree No. 043-2003-PCM, the Consolidated Text of the Law of Transparency and Access to Public Information), are required to disseminate through its website information about how it is organized, its procedures, the legal framework to which it is subject, budget information and other information that the entity deems appropriate. That information is currently available at SBS website. As detailed in the ECs below, the Superintendent has a fixed mandate, SBS has ample resources (through fees payed by the supervised institutions) and the executive branch has no participation in the decision processes within the SBS. EC2 The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. Description and The process of appointment and term of the Superintendent are expressly defined in findings re EC2 the Constitution and the General Law. In addition, the removal of the Superintendent can only be realized through the grounds explicitly listed in the General Law. SBS does not have an executive board. Article 87 of the Political Constitution states that it is the Executive branch who appoints the SBS Superintendent for the period corresponding to its constitutional term of office and the Congress ratifies it. Article 363 also states that its appointment belongs to the Executive Power and is ratified by the Congress of the Republic. SBS reports that there has never been a case where Congress hasn’t ratified it. Article 363 also states that the Superintendent holds office for the constitutional term of the government and may be appointed for one or more successive periods and will continue to hold the office while his successor is not appointed. Article 366 of the General Law establishes the grounds and procedures for the removal of the Superintendent. The removal of the Superintendent is done by Congress, on its own initiative or at the request of the Executive branch in the following circumstances: (1) when in exercising its duties has incurred serious misconduct, which has been duly verified and substantiated or (2) when a definitive order of detention is issued against him. As per the same article, it constitutes serious misconduct: a) not to take the necessary measures to punish those who, without proper authorization, conduct regulated activities; 28 PERU b) violate any impediment to being named Superintendent; c) not to apply the sanctions referred to in Article 361 ° of the General Law, in cases where the information that clearly established the offense is duly verified. Although the General Law does not require the reason(s) for removal of the Superintendent to be publicly disclosed, in practice, given that Congress procedures are conducted through the Permanent Commission, which are public, with the exception of when it relates to issues that may affect the national security and internal order, in which case those will be private hearings. It is SBS understanding that it wouldn’t be the case for the dismissal of a Superintendent. There haven’t been any cases of removal over the last twenty years. EC3 The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives. 15 Description and The SBS has a framework in place to systematically assess and enhance how it fulfills findings re EC3 its functions by establishing a Strategic Plan for a specific period and developing an action plan, of which the implementation is later assessed through an annual compliance report. Criteria for preparing, monitoring, evaluating and updating the action plan is formally set out through an internal directive. SBS website contain: a) the General Law and regulations issued by SBS; b) the institutional vision and mission of SBS; c) the action plan’s quarterly compliance report (with a summary of number of actions), d) the annual report; e) the ROF (detailed in EC1). f) accountability report that is sent to the Comptroller every time a Superintendent leaves office. The annual report presents a general view of the main supervisory goals, recent changes in regulations and procedures. The accountability report is detailed and comprehensive but issued only when a Superintendent leaves office, which usually will happen only with change in government, every 5 years. EC4 The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. Description and The SBS has established the Rules of Organization and Function (ROF) that details the findings re EC4 structure and functions and responsibilities of each area within the SBS. The SBS also has established the Organization and Functions Manual (Manual de Organizacion y 15 Please refer to Principle 1, Essential Criterion 1. 29 PERU Funciones, MOF), which details the functions and responsibilities of hierarchical positions within SBS. As already mentioned, Article 363 of the General Law establish the Superintendent as the highest-ranking official within the SBS. There is no executive Board. Major decisions are concentrated at the Superintendent and Deputy Superintendent level and there seems to be a very active flow of communication from staff to senior management enabling timely decisions to be made in case of an emergency. SBS has established a series of Senior Committees as follows: a) Senior Management Committee - consultative body composed by the Superintendent and Deputy Superintendents. This committee is responsible for issuing opinions, providing recommendations and advice, at the request of the Superintendent, on aspects related to SBS strategic and administrative management as well as others, as requested. More specifically, topics include the following: Strategic Plan of the institution, institutional budget (if it is increased by at least 5 percent over the previous year), remuneration policy, domestic interagency and international institutional relationship policies, international organizations membership and representations connected with SBS duties, career development and talent retention policies, as well as modifications to the organizational structure as of the third organizational level; b) Supervisory Policies - proposes new supervision policies and coordinate projects to enhance supervision, authorization and sanctioning processes. c) Information Technology – policies and prioritization of IT projects In addition, a Financial Stability Committee and an International Standards Committee have been recently created and are yet to have their first meeting scheduled. The Financial Stability Committee was created in September 2017, to be comprised by the Superintendent (chair) and the Deputy Superintendents of Banks and Microfinance, Economic Studies (secretariat), Risks and Legal. Fit and proper criteria for qualifying to be a Superintendent encompass avoiding conflicts of interest. Article 364 of the General Law includes among the criteria to be a Superintendent, to have an irreproachable conduct and recognized solvency and moral suitability. Impediments for being a Superintendent (Art. 365): i) have a direct or indirect equity share of any company subject to the supervision of the SBS and ii) hold the capacity as director, advisor, officer or employee of entities subject to the control of SBS. Those impediments are intended to avoid potential conflicts of interest between the Superintendent and supervised companies. SBS also has established a Code of Ethics further detailed at EC 5. In addition, rules governing the organization and processes within the SBS have established mechanisms that are intended to avoid potential conflicts of interest and 30 PERU ensure decision-making in line with the level of importance of the issues through the participation of the pertinent areas. Mechanisms include the following: a) Creation of the Senior Management Committee; b) Rules for treatment of written documents (Directive SBS No. SBS-DIR-SGE- 175-05) establishes the officials responsible for signing official documents/correspondence to be issued by SBS. Decisions on matters related to the approval, authorization, sanction or equivalent can be signed by the Superintendent, the Deputy Superintendent of Banks and Microfinance, the General Intendent or Head of Department, as appropriate. Similarly, official documents containing any provision or that are related to clarification of the interpretation of a regulation, those containing opinion on proposed laws or similar topics, those related to results of inspection visits and aimed at public authorities with rank equal to or greater than the Superintendent, must be signed by the Superintendent, except when expressly delegated to another official of the SBS. c) Structured process for issuance of new regulations (established through Resolution 4922-2-12) determining that the Deputy Superintendent of Legal Counsel is responsible for proposing, developing and updating, as appropriate, the necessary regulations; while areas involved in those specific matters are responsible for proposing and/or expressing opinions and to endorse the final versions of draft legislation related to their respective functional areas. SBS currently does not have a full-fledged Internal Audit function. SBS acknowledges the need to strengthen the Internal Audit function. EC5 The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. Description and Article 371 of the General Law states that the rights and obligations of staff shall be findings re EC5 fixed in the Internal rules approved by the Superintendent. Those rules establish prohibitions for staff, which encompass requirements in order to avoid conflicts of interest and the appropriate use of information obtained through work. The SBS Code of Ethics (Administrative Resolution SBS No. 4343-2012), mandatory for all SBS employees, indicates that workers must render their services taking into consideration the general ethical prohibitions established by Law No. 27815, as well as the specific prohibitions established in the General Law, the Internal Regulations of Work and others issued by the competent authority. The following prohibitions stand out: a) inform, publish, comment or disclose in any way to third parties, the works of supervision and control of the SBS, as well as any provisions adopted by SBS, without proper authorization. b) be a shareholder, equity holder, adviser, director, official, employee or any type of binding/related party relationship with supervised entities; 31 PERU c) receive and/or solicit, directly or indirectly from any supervised entity, its employees, external advisers, or external consultants any benefit, gift or attention that affects the independence and objectivity of its work within the SBS. The Internal Working Rules (Resolution SBS No. 5769-2013) also establishes the following prohibitions: a) Provide advisory or consultancy to entities controlled directly or indirectly by a supervised entity. b) Request, without prior written authorization from the SBS, loans from supervised entities; c) Receive sums of money, gifts, hospitality or presents from supervised entities or owners, directors, managers or employees of these; d) Misuse of office to achieve personal benefits from supervised entities. e) Have transactions with SBS service providers, customers or suppliers in order to obtain personal gain or to favor third parties, even if they are not necessarily harmful or conflict with the interests of the SBS. Regarding confidentiality of information, Article 372 of the General Law states that any employee, representative, agent or person under any title that provides services to SBS is forbidden to disclose any details of the reports to be issued, or provide any information obtained given its capacity at the SBS to any external party to the SBS. Article 360 of the General Law states that the breach of duty of confidentiality is considered a serious and punishable offense under Article 165 of the Penal Code (violation of professional secrecy), punishable by fines and incarceration up to two years. Law 27588 establishes prohibitions and incompatibilities of public officials (including the Superintendent, Deputy Superintendents and supervisors) with respect to companies that fall within the specific scope of their public function. The impediments, amongst others, comprise: to provide services in these under any modality; be part of the board; acquire directly or indirectly shares or participations of these, of its subsidiaries or those that could have economic connection; celebrate civil or commercial contracts with them. These impediments extend until a year after leaving the SBS, whether by resignation, dismissal, removal or expiration of the term of the contract. EC6 The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: a) a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; b) salary scales that allow it to attract and retain qualified staff; 32 PERU c) the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; d) a budget and program for the regular training of staff; e) a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and f) a travel budget that allows appropriate on-site work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges). Description and The legal framework grants SBS financial and budgetary autonomy and in practice findings re EC6 SBS does not seem to have any issues or concerns regarding the availability of adequate resources to support its supervisory functions. The fees raised from the industry have been more than enough to support SBS budget and provide adequate reserves. Articles 367 and 373 of the General Law empower the Superintendent to program, develop, adopt, implement, expand, modify and control the annual budget of the Superintendence. Furthermore, Articles 373 and 374 indicate that the budget will be funded through fees paid by supervised entities, which shall be determined quarterly by the Superintendent (in the case of deposit taking institutions based on average assets without exceeding one fifth of one percent). Only in exceptional cases the SBS may increase such contributions. The budget of SBS is reported to controlling public bodies, such as the Committee on Budget and General Account of the Republic, the Comptroller General of the Republic and National Public Budget, but only for statistical purposes, monitoring, control and inclusion in the General Account of the Republic, without implying interference or disruption of its autonomy. Article 367 (8) of the General Law grants the Superintendent power to appoint, hire, suspend, remove or dismiss staff, as well as to set staff salaries. In addition, Article 371 establishes that SBS staff is subject to private sector labor regime which allows flexibility for salaries, promotions and training. SBS technical staff's wage bands (including heads wages) are currently based on an opportunity cost analysis performed by a consulting firm, using staff compensation of the Peruvian financial system as benchmark conducted in 2015 which reported in no major differences with the market. Wage bands' design consider higher percentiles of the salary distribution at the beginning of the professional career and a convergence to the average in the highest categories. SBS reports not having difficulties retaining staff, with turnover rates that have been around four percent in the last few years. The number of staff has grown with over 10 percent over the last two years in order to adapt to further demands. Overall, SBS considers having adequate staff to fulfill all its responsibilities. Article 357 (Inspections) of the General Law allows for the use of audit firms to conduct examinations but SBS reports that it has never been done with banks. SBS 33 PERU can also hire individual consultants/firms to support supervisory activities. Article 372 establishes that any person who performs services under any title to the SBS is prohibited to disclose any details of the reports it has issued or to give information on any event, business or situation which they have come across performing supervisory activities. Thus far, SBS has not made use of external experts for banking supervision purposes with the exception of Technical Assistances provided by multilateral organisms or trust funds such as SECO for capacity building. The training Department assesses the training requirements of employees on an annual basis to prepare the Annual Training Plan. Most training activities take place at the SBS “Centro de Formación” and in 2016 the average training time per worker in the supervision areas was 78 hours on average. The SBS also provides training through e-learning platforms (FSI Connect) provided by the Financial Stability Institute (FSI) of the Bank for International Settlements. Currently, 250 SBS employees are FSI Connect users; approximately, over half of them from financial supervision and regulation areas. The Training Department prepares quarterly reports about the performance of each employee on the FSI Connect. These reports are taken into consideration in the biannual performance evaluation, which is one of the key elements in professional’s promotions and salary increases. Additionally, the SBS supports staff to take a master degree in Peru, US and Europe, mainly. The applicant’s selection process for this support is done by the Training Committee formed by officials from different areas. In this regard, since 2012, 45 SBS employees have received financial support to study a master degree in Peru and 42 people received a leave of absence to study a master degree abroad. In addition, as a hiring tool, SBS organizes an Outreach Program, a 14-week program for young professionals selected from universities all over Peru. The selection process targets candidates with careers in Administration, Accounting, Economics, Statistics or Engineering who have had an outstanding academic performance. Trainees are selected taking into account academic excellence and professional experience and receive a specialized training on risk management supervision and regulation of financial system, insurance and pension. The top students of the Program are hired by SBS. There seems to be no shortage of equipment, which are systematically updated, according to internal policies. SBS systematically perform inspections abroad and reports no budget constraints to do so. EC7 As part of their annual resource planning exercise, over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified. 34 PERU Description and On an annual basis, within the budgeting process, assessment of number of staff findings re EC7 needed are performed. As already mentioned, SBS has established a policy of recruiting staff having previously passed through the Outreach Program. Deputy Superintendents, in conjunction with the Training Department assess and plan training needs of professionals in their respective areas. The only functional area that hires on an ad hoc basis is Legal. EC8 In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. Description and The Deputy Superintendence of Banks and Microfinance (SABM: in charge of findings re EC8 individual institutions) has 173 staff, half of it dedicated to banks while the Deputy Superintendence of Risks (SAR; in charge of monitoring individual risks) has 86 which are roughly 60 percent of the time allocated to Banks. SAR covers Banks, Microfinance, Insurance and Pensions. Within SABM, half of the staff is dedicated to banks and other financial institutions (General Intendance of Banks) and the other half to Microfinance institutions (General Intendance of Microfinance). Source: SBS. Within the General Intendance of Banks, each of the four systemic banks is under a dedicated unit that has also some other small financial institutions. Other banks are under a separate unit. Examinations for the systemic banks are longer and with a higher number of staff. SBS has an internal rating system (for further details please refer to CP 8) which is the basis for determining supervisory programs and allocating resources, taking into account the risk profile and systemic importance of individual banks and banking groups. EC9 Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The 35 PERU supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. Description and The legal framework does not provide adequate protection to the supervisory staff findings re EC9 against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The General Law establishes in its article 366 that any criminal complaint made against the Superintendent or Deputy Superintendents must be filed directly with the National Prosecutor, who will be the sole owner of the criminal action against those. In case the complaint is awarded, the Prosecutor of the Nation will present it before the Specialized Chamber of the Superior Court of Lima, which will hear the matter in the first instance. The judgment may be appealed to the Supreme Court of Justice of the Republic, which will act as reviewing and final instance. Such procedure is also applicable to former Superintendents and former Deputy Superintendents who are criminally denounced for the alleged commission of crimes in the exercise of their functions and up to five years after they have ceased to hold office. SBS reported that there have been some criminal complaints against officers of the SBS but none successful. Prior a civil lawsuit to be initiated against SBS staff, SBS itself has to be found guilty in a civil court.The Twenty-ninth Final and Complementary Disposition of the General Law establishes that precautionary measures for future enforced execution over SBS employees assets for acts or omissions made in the exercise of their regulatory and supervisory functions according to the General Law, only proceed if, through judgment, has been declared to be the civil liability of the SBS for acts or omissions made by the employee or officials whose assets are the object of the application for affectation. SBS Resolution No. 629-1994 expressly states that legal expenses and professional fees arising from the judicial defense of SBS officials and employees in respect of legal actions initiated by third parties as a result of decisions taken in a professional capacity are to be paid by the SBS, even in circumstances where the above- mentioned SBS staff have ceased to provide services in the SBS. There have never been any banking supervisors declared personally liable by courts. Assessment of Largely Compliant Principle 2 Comments SBS has operational independence, accountability and governance arrangements in place and publicly disclosed. It has also no budget constraints. Allocation of resources take into account the risk profile and systemic importance of individual banks, although the proportion of staff allocated to banks and banking groups, in comparison to the microfinance institutions, seems too low. Legal protection should be enhanced, nonetheless. Current provisions do provide certain level of protection but SBS and SBS staff liability are not shielded by a “good faith” test. In addition, current provisions extend only to the Superintendent and 36 PERU Deputy Superintendents and even in those cases covering only after five years they have left office. Governance arrangements have further room for improvement, particularly regarding the assessment of the effectiveness of supervisory activities. In addition, the fact that the Superintendent mandate coincides with the constitutional term of the government may potentially undermine his/her personal autonomy. Authorities are recommended to: • Amend the legal framework to further protect all SBS staff for acts or omissions in good faith including current and former staff (including senior management) even after leaving the SBS, irrespectively of the number of years of being out of the SBS; • Amend the legal framework so the Superintendence tenure does not coincide with the constitutional term of the government; • Review the allocation of resources to entities in relation to their systemic relevance and risk to ensure optimization of resources; • Enhance the Internal Audit Function, including the establishment of an Internal Audit Committee; • Operationalize the Financial Stability Committee; • Consider further elaborating on the discharge of supervision responsibilities relative to the objectives through the Annual Report. Principle 3 Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.16 EC1 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. Description and The legal framework lays out the basis for cooperation arrangements with domestic findings re EC1 authorities. The General Law, Article 349, on the Superintendent attributions, item 15, grants the Superintendent powers to establish cooperation agreements with domestic supervisors in order to better exercise its functions. First Provision Final and Complementary from the General Law states that the BCRP and SBS are required to coordinate in order to fulfill the obligations established by the constitution. It also requires the Superintendent to quarterly attend BCRP board meetings aiming at exchanging information relevant to the functions of each organism. Second Final and Complementary provision provides that the SBS and the Superintendence of Securities Market (SMV) must make the relevant arrangements in order to comply 16 Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29). 37 PERU with the purposes of supervision assigned to them by their respective laws. It also establishes that the SBS Superintendent to quarterly attend SMV board meetings. Article 32 of the Consolidated Supervision Regulation notes that SBS may establish coordination agreements with domestic authorities responsible for overseeing the companies that constitute financial groups, subject to the corresponding confidentiality of information. Such agreements may include, inter alia, the exchange of information and performing coordinated in situ inspections, as appropriate. In practice, the following domestic cooperation agreements are currently in place: 1. Coordination agreement with the BCRP - August 2007 – it covers several aspects related to the relationship between the BCRP and SBS, including reinforcing the commitment to share all the necessary information for the fulfillment of their objectives. There are no specific provisions for the operationalization of those exchanges. The only information systematically shared by SBS with BCRP are prudential ratios. BCRP shares on a semi-annual basis macro scenarios for SBS stress testing. Other than that, information is shared upon request. 2. Cooperation agreement with SMV - March 2012 – aims to facilitate the coordination for the fulfilment of their respective functions. The agreement makes explicit reference to exchange of data bases and other supervisory information. The agreement also makes reference to joint examinations, and coordination on consistency of regulations, in addition to exchanging information on ultimate beneficiary ownership. Currently there is no systematic sharing between SMV and SBS. 3. Agreement with the Superintendencia Nacional de Administration Tributaria - April 2012 and February 2017, through which information on AML/CFT is shared. The Superintendent attend BCRP board meetings periodically, making presentations or discussing topics of common interest. A senior SBS representative seats at SMV Board, appointed by the Executive Branch, at the request of SBS. Currently, the Deputy Superintendent General Counsel of SBS plays that role. Coordination mechanisms with other local institutions are reported to be activated as appropriate. At a technical level, exchanges with the BCRP happen on an ad hoc basis. Topics that were subject of those meetings include over-indebtedness, stress-testing and dollarization. Exchanges with SMV have happened at SMV request, including discussions on regulations and oral reports from SMV on their findings. Information sharing within SBS between the SABM, SAS, SAAFP (banking, insurance, pensions) and SAR is exchanged during quarterly meetings of the Consolidated Supervision Committee. The committee focuses on the monitoring of compliance with prudential limits and consolidated balance sheets but issues pertaining to the conglomerates are discussed there. EC2 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. 38 PERU Description and The legal framework lays out the basis for cooperation arrangements with foreign findings re EC2 supervisory authorities. As per Article 349, on Superintendent attributions, item 14 of the General Law, the Superintendent has the authority to enter into cooperation agreements with foreign supervisors and related entities in other countries in order to better exercise consolidated supervision. Article 367 on the Superintendent abilities, item 10, further empowers the Superintendent to enter agreements with foreign government bodies or other supervisors for purposes of training and exchange of information in matter of supervision. Article 32 of the Consolidated Supervision Regulation notes that SBS may establish coordination agreements with foreign supervisory authorities responsible for overseeing the companies that constitute financial groups, subject to the corresponding confidentiality of information. Such agreements may include, inter alia, the exchange of information and performing coordinated in situ inspections, as appropriate. The SBS has celebrated several cooperation agreements with foreign supervisors, including Colombia, Ecuador, Venezuela, Spain, El Salvador, Bolivia, Guatemala, Italy, Mexico, Nicaragua, Bahamas, Panama, Canada, Brazil, China. In addition to MoUs, SBS reports to have informal coordination mechanisms in place through emails, phone calls and official letters, both for purposes of exchange of information, as well as for performing on-site supervision in the scope of consolidated supervision. Written exchanges made available to the assessors confirmed such practice. SBS also participates in supervisory colleges including Banco Santander, BBVA and Scotiabank, and has recently organized its first supervisory college for Credicorp. Plans are to hold yearly colleges for both Credicorp and Intercorp, the latter starting in 2018. EC3 The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. Description and Article 140 of the General Law expressly prohibits SBS staff to share information on findings re EC3 banks client’s assets (i.e. deposits etc.). Article 359, on reports, establishes that examination reports are confidential but can be shared with the BCRP in the contexts of the fulfilment of its objectives. Cooperation Agreements signed by SBS and made available to the assessors contained confidentiality clauses establishing that the information exchanged is to be used only to develop their supervisory functions. In addition, the confidentiality provisions of those agreements require that confidential information received will be used only for lawful supervisory purposes and will not be disclosed except as necessary to carry out their legal responsibilities for supervision, which shall be notified immediately to the supervisor that originated the information, stating the reasons for which he was forced to reveal it. 39 PERU The exchange of information between local supervisors is subject to the legal applicable provisions, as per Article 16 of the Transparency Law, establishing that requests for information delivery under the framework agreements may be denied on grounds of public interest, national security or when disclosure would interfere with any ongoing investigation. Directive 510-02, on classification and guidelines for the treatment of information, establishes principles for the classification, treatment and protection of information and defines the information classified as " confidential” encompassing on and off-site reports produced by SBS, which are effectively not shared with other domestic authority or foreign supervisor. In practice SBS reports never have been denied or have denied information thus far based on such provisions, sharing summary of the reports. Files made available to the assessors confirmed those statements. EC4 The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. Description and Article 360 of the General Law states that every employee, representative, agent or findings re EC4 person providing services to the SBS is prohibited to disclose to third parties information obtained in the exercise of their functions. Anyone who violates the prohibition is guilty of serious misconduct and crime under article 165 of the Penal Code (violation of professional secrecy). Furthermore, Article 372 of that law states that any employee, representative, agent or person providing services to the SBS is forbidden to disclose any details of the reports it has issued, or give to persons outside, any information obtained through in the exercise of his office. Article 143 allows for information on client’s assets with banks (i.e. deposits etc.) to be shared only with the written permission of the client or when required by certain authorities in the exercise of their duties, such as judges and courts, the Attorney General, the President of a Commission of Inquiry of Congress, among others. Moreover, Article 97 of the Political Constitution provides the power of Congress to initiate investigations on any matter of public interest. In that sense, it establishes the obligation of those involved in the investigation to appear before the committees responsible for such investigations; it also gives these committees the power to access any information, including the lifting of bank secrecy and tax reserve. Therefore, the SBS cannot deny information requested by the President of a Commission of Inquiry of Congress under that authority. 40 PERU MoUs with foreign entities made available to the assessors contained clauses that required authorities to notify the originating supervisor in case of circumstances that required the release of supervisory information. EC5 Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. Description and The SBS is the resolution authority in Peru and therefore in charge of undertaking findings re EC5 recovery and resolution planning and actions. The deposit insurance (Fondo de Seguro de Depositos – FSD), as per Articles 144 and 151 of the General Law, should provide deposit insurance (payoff) and, under exceptional circumstances, provide support to its members executing the measures dictated by the SBS (with favorable opinion from the BCRP and MEF). For further details on the FSD please refer to the Technical Note on Crisis Management. Assessment of Compliant Principle 3 Comments Arrangements currently in place in Peru provide a framework for cooperation and collaboration with relevant domestic and foreign supervisors and do reflect the need to protect confidential information. Particularly regarding domestic authorities, SBS does not seem to feel the need to exchange much information in order to perform its supervisory duties, although providing information when requested. Principle 4 Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. EC1 The term “bank” is clearly defined in laws or regulations. Description and Article 282 of the General Law defines a banking company as the one whose main findings re EC1 business is to receive money from the public as deposits or under any other contractual modality and to use it together with its capital and other sources of financing for the granting of credits in the various modalities or apply them to transactions subject to market risks. Article 282 also presents the definitions of the other types of multiple-transaction companies that make up the financial system. Financial companies, rural loans and savings institutions, municipal savings and loans institutions, savings and loans cooperatives and micro and small enterprise development companies (Edpyme) make up the multi-enterprise group; all except the Edpyme are authorized to collect deposits from the public. In addition, Article 289 allows certain savings and loans cooperatives to take deposits from the public. EC2 The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. Description and The General Law lays down the operations that can be performed by banks. findings re EC2 Articles 283 to 289 of the General Law establish the operations that each type of financial system entity is authorized to perform. In the case of banking entities, Art. 41 PERU 283 establishes that they may carry out all the transactions indicated in article 221, except for commodity transactions and derivative financial products (forwards, futures, swaps, options, credit derivatives or other instruments or derivatives contracts), for which they must have a separate authorization from the SBS. Article 221 of the General Law establishes the operations and services that can be performed by the financial system entities. Articles 223 and 224, specify those operations that require the entity to constitute a separate department and those that must be carried out through subsidiaries. EC3 The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. Description and The General Law limits the use of the word "bank" to companies that have such findings re EC3 nature and are supervised and authorized by the SBS. Article 11 of the General Law establishes that prior authorization is required to engage in financial system activities, including deposit taking, granting loans, etc. It also prohibits the use of terms in its name or any other medium which suggest that its activities involves operations that can only be done with permission from the SBS and under its supervision. In case of identifying a company that does not comply with the above, this article states that the SBS is required to arrange the intervention of the premises in which the activities of the supervised companies are being performed. In addition, Article 15 of the General Law establishes that authorized entities are required to include in its name, a specific reference to the activity for which it is constituted, reflecting their nature, even if using apocope, an acronym or foreign language. As part of the oversight and control process of the SBS, it is verified that supervised companies use their respective social denominations appropriately, in their advertising and forms, in such a way that the public understands the type of license to which the company belongs. The SBS Department of Contentious Affairs is responsible for conducting the work of control to combat the financial informality. EC4 The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.17 Description and As described in EC3, Article 11 of the General Law require prior authorization to findings re EC4 engage in deposit taking. In addition to banks, financial companies, rural loans and savings institutions and municipal savings and loans institutions, can also take deposits from the public. Savings and loans cooperatives take deposits only from members – in order to take deposits from the public they would require a license 17The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system. 42 PERU from the SBS. Non-bank deposit taking institutions represent approximately 11 percent of the system. Meanwhile, Article 351 ° of the General Law states that the Superintendent shall order the immediate closure of the premises in which operations are conducted unauthorized under the General Law, with the intervention of the Public Ministry, and the seizure of documentation that is in them, for which it is entitled to demand the support of the public force directly. EC5 The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. Description and SBS website makes available a list of licensed banks findings re EC5 http://www.sbs.gob.pe/usuarios/informacion-financiera/informalidad-financiera/relacion- de-entidades-autorizadas-a-recibir-depositos-del-publico/relacion-de-entidades-autorizadas- a-captar-depositos At present there are no branches of foreign banks operating in Peru. Assessment of Compliant Principle 4 Comments The permissible activities of institutions that are licensed and subject to supervision as banks operating in Peru are clearly defined and the use of the word “bank” in names is controlled. Principle 5 Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)18 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. EC1 The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The 18 This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction. 43 PERU supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. Description and The General Law (Article 12) established that in order to initiate operations entities findings re EC1 must obtain authorization from SBS. In addition, Article 19 grants powers to the SBS to authorize the organization and operation of the companies included in Articles 16° and 17 (which encompass banks). Particularly in the case of banks (and also some other types of entities), prior opinion of the BCRP is required. BCRP opinion is factored in during the licensing process but it is no reason for denial. SBS reports that no cases have happened thus far of conflicting opinions within the licensing process. Article 349 (on the Superintendent attributions) of the General Law lists, among its powers, the authorization of the organization and operation of entities engaging in activities encompassed by the General Law. Moreover, Article 381 (on the faculties of SBS) provides that the SBS is empowered to grant, deny, suspend or cancel the authorization of financial system entities, among other powers. Licenses are provided for universal banking, without room for limitations. Regulations have no provisions regarding prudential conditions for licensing a bank. Notwithstanding, the SBS licensing process encompass visiting the premises, reviewing policies and procedures, as well as systems and controls in order to license a bank. In such context, SBS has imposed certain conditions on minor issues related to operational aspects requiring enhancements, usually over a short period. Although the requirements are established in the regulations, in practice, the SBS may establish conditions or limitations prior to authorization requiring shareholders to put more capital than the minimum and / or include details in the Bylaw on products and activities that will be developed by the company. It should be noted that any change in Bylaw subsequently requires SBS approval. EC2 Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. Description and Overall, the General Law, the regulations issued by the SBS and internal procedures findings re EC2 clearly state the criteria for licensing. The legal framework empowers SBS to refuse requests that do not meet the requirements and criteria laid down in the regulations and to revoke the license that has been granted based on false information. Title I of the General Law – Financial and Insurance System Companies Constitution ((Articles 12, 13, 15, 16, 19, 20, 21, 22, 23, 24, 25 and 27 set certain requirements for applications for authorizations. Article 12, in particular, has a broad statement that entities are required to receive prior authorization to operate, following procedures established by SBS. In addition, Art. 21 establishes that new entities licensing applications should include the information and requirements and follow the procedures established by the SBS through regulations. 44 PERU General Law requirements pertain to the requirement for the entity to be established as a limited company, requirements on articles of incorporation, amendments to the bylaws, the entity’s name, minimum capital (to be applied throughout the life of a bank), company organizers (those that will establish the entity, requiring them to be fit and proper, also laying down characteristics that would unqualify them). Organizers are usually expected to be part of the senior management of the bank. The General Law allows for organizers to be legal persons but SBS states that in practice that does not occur. Resolution SBS 10440/2008 on the establishment and reorganization of financial entities and their representatives (Licensing Regulation) set/details requirements and criteria for licensing including feasibility studies, fit and proper criteria for organizers, shareholders and senior management. Single Text of Administrative Procedures (TUPAs) SBS contains the administrative procedure followed by the SBS at each stage of the process. Requirements also include information on the financial strength of shareholders, economic group, scope of consolidated supervision, corporate governance, risk management systems, internal controls, capitalization and dividend policies, among others. The licensing process is comprised of two phases, authorization and operation. During the authorization phase, all documentation provided to the SBS is analyzed. If SBS finds no reasons for rejecting the request, the entity is authorized to establish operations, which are subject later on to an on-site examination. During the operation phase, policies and procedures are assessed taking into account the proposed business model assessing the adequacy of resources and tools to adequately manage risks. It also includes assessment of IT and accounting systems including business continuity. Once the license is approved the entity has three months to start operations. Files reviewed by the assessors confirmed such practices. Article 21 of the General Law states that after reviewing the application, SBS will issue a resolution authorizing or rejecting the request. In case of rejection the SBS is required to provide the reasons for such rejection. In addition, Article 28 of the General Law establishes that the SBS can withdraw a license due to very serious infractions and Resolution SBS 816/2005 lists dissolution and liquidation as one of the potential measures to be taken in cases of providing false information. The Administrative Law (Law 27444), Article 32.3 also provides for the nullity of administrative acts which were based on misrepresentation or fraud. EC3 The criteria for issuing licenses are consistent with those applied in ongoing supervision. Description and Criteria used for licensing are consistent with those applied in ongoing supervision findings re EC3 including fit and proper criteria for shareholders, board and management. As already mentioned in EC2, the SBS also validates the existence of policies, corporate governance and risk management procedures and infrastructure, as well as personnel commensurate with the size and nature of future business operations. The licensing process encompass an on-site initial examination prior granting the license, which reviews risk management, policies and procedures, AML and the existing of adequate 45 PERU personal, accounting and IT systems, including business continuity to start running the business. Files reviewed by the assessors and exchanges with SBS confirmed such practices. On-site examination procedures might result in requiring enhancements, as necessary, which become binding conditions to grant a license, as already mentioned in EC1. Criteria for issuing a license do not make reference to prudential requirements. Nevertheless, the General Law and regulations do not distinguish between just established banks from ongoing banks, i.e. as of the moment of initiating operations banks are expected to meet prudential requirements. EC4 The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.19 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. Description and The Licensing Regulation (Article 6) require shareholders to submit information in findings re EC4 order to ascertain their moral integrity and financial solvency, for which they must submit certain information. Such information includes related parties, persons and companies, direct and indirect following the concept of economic group, which includes information on the ultimate beneficiary shareholder (please refer to CP 20 for further details). In addition, information requirements laid out in Annex 1 of the Licensing Regulation include corporate governance, organization and operational structure of the bank, as well as personnel policies. It also includes submitting information on the economic group and related parties, its organizational and governance structure, including a list of shareholders, board members and senior management. Article 33 of the Regulation for Consolidated Supervision of Financial and Mixed Conglomerates, approved by Resolution SBS No. 11823-2010 and its amendments (Consolidated Supervision Regulation), states that SBS may consider as impediments to authorize the establishment of companies in the following cases : 1. When the legal and administrative structure of the conglomerate prevents or hinders effective consolidated supervision; 2. When the conglomerate is not subject to effective consolidated supervision due, inter alia, to the fact that the parent company or a parent company is located in countries where effective consolidated supervision is not performed; or in the country of origin of such companies or in the country in which the main financial and / or insurance activities of that conglomerate are carried out, there is no consolidated supervision; or when in the country of origin the minimum international standards for effective consolidated supervision are not applied. In practice, SBS has authorized a couple of cases where the Home Supervisor does not perform consolidated supervision, in which case they set up information 19 Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003.) 46 PERU requirements in order to monitor the group, also keeping close contact with the home supervisor. Files reviewed by the assessor confirmed the request and analysis of such information. EC5 The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. Description and Articles 19 °, 20 °, 22 ° and 52 °, of the General Law establish requirements and findings re EC5 constraints of the organizers and shareholders. Likewise, Article 4 of the Licensing regulation, requires the organizers to have recognized moral integrity and financial solvency to the satisfaction of the SBS and are required to submit together with the application organization, their resume or annual report, as appropriate, an affidavit stating that the organizers do not fall within the constraints laid down in Article 20 of the General Law and another about the existence or not of legal proceedings not concluded where the organizer is an interested party. Article 6 of the Licensing Regulation states that the proposed shareholders must show moral integrity and financial solvency. They are required to submit, among other information, a list of their assets indicating, if applicable if they are subject to some form of encumbrance or limitation for their free availability, as well as a list of all related parties, including natural persons and economic group as per SBS regulations (please refer to CP 20 for further details). It must include the ownership structure and management of the group and the list of shareholders, directors, managers and senior officials; Likewise, they are required to submit the detailed list of shareholders of legal entities participating in the group and companies related up to the level ultimate beneficiary. In addition, shareholders which are legal entities are required to provide: (i) Annual Report and audited financial statements for the last 2 years of the legal which is a shareholder and all companies which form the economic group and where applicable, the consolidated financial statements of the conglomerate to which it belongs; (Ii) Information on the shareholder equity; and if the shareholder is a legal person incorporated abroad, it should include a renowned rating agency report, details on its investments and annual report for the last 2 years, in case it is the parent. It also states that SBS can require further information on shareholders owning over 4 percent up to the ultimate beneficial shareholder. The Significant Ownership Regulation (Resolution SBS 6420-2015) further elaborate on the matter of ultimate beneficial ownership, requiring an annual affidavit from shareholders in which it is established that, having taken reasonable measures are convinced of the identity of its ultimate beneficiaries and that they meet criteria of moral integrity and financial solvency, and that if appropriate, such final beneficiaries 47 PERU are able to make cash contributions necessary to cover any deficiency in assets that the company may encounter. In practice, the SBS also makes use of its credit registry and international data bases to gather further information on shareholders during the authorization process EC6 A minimum initial capital amount is stipulated for all banks. Description and Article 16 of the General Law establishes the minimum amount of capital, to be findings re EC6 contributed in cash, required for the operation of listed financial companies and their subsidiaries. Overall, the minimum capital depends on the type of company (commercial banks, microcredit institutions, investment banks, insurance companies and complementary and related services companies). The minimum capital amount is updated quarterly, according to the Wholesale Price Index (Article 18 of the General Law). In the case of commercial banks, the minimum capital stock for the period July - September 2017 is S/26,609,326. As already mentioned, the licensing process encompass a feasibility study encompassing financial projections. SBS takes that into account when analyzing how much capital the entity is planning to hold upon licensing, beyond the minimum requirement. EC7 The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank. 20 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. Description and Article 79 of the General Law require banks to have five board members, at minimum, findings re EC7 deemed fit and proper, to be elected by the General Shareholders Assembly. Article 81 reinforce the need for board members to be fit and proper and lays out criteria to be considered otherwise, including those applied to organizers (Article 20) and shareholders (Article 52) and more, such as to be insolvent, to be an employee of the institution (except for the CEO), any staff from any other bank (and its subsidiaries), any person, including shareholders which (directly or indirectly or through exercising influence in a company) holds past dues over 120 days or executed loans, as well as former board members and senior management that have been deemed responsible for acts that have resulted in sanctions. Article 7 of the Licensing Regulation require as part of the licensing process that the legal person interested in applying for a license to submit a series of information on the initial Board and CEO, as well as organizers, including a resume; affidavit of not having penal or police antecedents in the country and/or abroad, the residents and 20 Please refer to Principle 14, Essential Criterion 8. 48 PERU non-residents; an affidavit of the existence or not of non-concluded judicial processes in which they are involved; affidavit stating they are not under any of the impediments referred in article 20 and 81 of the General Law; affidavit of their assets, indicating if those are subject to any type of obligation or limitation for their availability. Article 4 of the recently issued regulation on Risk Management and Corporate Governance (Resolution 272/2017) require the board of directors to be composed of a sufficient number of members for effective and participatory performance, making it possible to form the board committees established by the Regulations. It is also expected to be made up of people with specialties and competencies that facilitate a plurality of approaches and opinions, and who have the skills and knowledge regarding the activity that the company develops in order to fulfill its functions. Discussions with the authorities indicated that in practice the assessment process does encompass verifying the adequacy of proposed senior managers or individual board members’ skills, knowledge and experience in relation to the expected tasks to be performed, requiring replacements, as needed. The evaluation process of suitability of Board Members and senior management does not systematically encompass interviews. The SBS argues that, to a certain extent, all the necessary meetings and the on-site examination prior authorization enables sufficient interaction in order to assess their suitability for the position. Up to now, analysis regarding the board members have not encompassed the determination whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue and the associated risks. Any changes to board members or senior management are not subject to prior assessment by the SBS, being subject to ex-post evaluations. EC8 The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank. 21 Description and The Licensing Regulation (Annex I) lays down the minimum content of the viability findings re EC8 study to be presented to the SBS, which includes: a) Strategic planning: economic group background and corporate philosophy, the objectives of requiring a license, the mission, objectives, strategies of differentiation operations and services of the company as well as the overall marketing strategy and sales. Detailed plans for product development are also required, as well the initial expectation in terms of branches that they plan to operate in the first year. 21 Please refer to Principle 29. 49 PERU b) Organization: corporate governance framework, organizational and administrative structure and staffing requirements. c) General policies and procedures including: risk management (credit risk, market, operational and liquidity, as well as risks related to be part of a conglomerate, where appropriate); internal control and auditing; operations and services; AML/CFT; related parties, shareholders, directors and principal officers; among others. Outsourced functions are subject to a separate authorizing process, upon license or throughout the life of the supervised entity. The assessment process includes an initial analysis of written materials submitted, as well as, later on, once the operations are established and prior granting the license, an on-site examination. Files reviewed by the assessors confirmed that the SBS does review the proposed strategic and operation plans of the bank. SABM, with the support of SAR performs the assessment, taking as basis their experience with the banks they supervise. EC9 The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. Description and The Licensing Regulation (Annex I) lays down the minimum content of the viability findings re EC9 study to be presented to the SBS. Financial related requirements include: a) Capital – initial capital, opening balance sheet, budget and financing structure, characteristics and conditions of financing, indicating any links with the company. b) Financial projections of the balance sheet, income statement, cash flow, breakeven and of all aspects that help to demonstrate the viability and permanence of the project. Additionally, the projection of financial indicators includes benchmarking, VAN and TIR and sensitivity analysis of such projections. c) Projections assumptions: at minimum, should refer to the macro variables (exchange rate, economic growth rate, sector, etc.), determining prices for products and/or services, average size of transactions, number of customers, financial expenses and administrative expenses. It should also contain the projection of the loan portfolio according to the situation and risk category of the debtor, and the projected capital ratio with detailed calculation of risk- weighted assets and regulatory capital. While SABM leads the licensing process, the Superintendence of Economic Studies performs the analysis of the financial projections/scenarios. As already mentioned, article 6 of the Licensing Regulation state that the proposed shareholders must submit a list of their assets and, if applicable, indicate whether these they are subject to some form of encumbrance or limitation. In case of “independent” (not employees of any company) natural persons, regulation also 50 PERU require financial statements from the last two years from his/her companies, as well as personal affidavit from the SUNAT and from the companies. If “dependent”, a cover letter and employer supporting their income must be attached. For non- residents, a document of the relevant tax authority on its status as a taxpayer must be submitted. In the case of corporate shareholders, a copy of the public deed of social constitution and its amendments, audited financial statements for the last two years, information on their respective capital required, financial statements of other companies comprising its economic group, consolidated financial statements of the conglomerate to which they belong (if any), among others. For foreign legal persons, it is further required, a study by a renowned rating agency, detail investment and annual report for the last 2 years or, if applicable, its parent. Directive SBS No. SBS-DIR-SBS-578-01 establishes general guiding principles for evaluating applications for authorization of the received licensing requests for organization and operation. The guidance encompasses the need for evaluation of the feasibility study, business model and financial strength of potential shareholders, among others. EC10 In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. Description and Article 18(7) of the Licensing Regulation requires the presentation of a certificate findings re EC10 from the home supervisor with a statement that the parent is authorized to establish operations abroad and that the parent is subject to consolidated supervision. Article 6(8-f) of the Licensing Regulation requires that if a potential shareholder is a foreign financial entity, it is required to present a statement of no-objection from the home supervisor and a list of all administrative sanctions applied over the last three years. If the consolidated supervisor of the parent is not under the same supervisor, information should be provided on the scope of consolidated supervision exercised. Article 39 of the General Law states that foreign entities that wish to establish a local branch must request authorization from the Superintendence and shall comply with provisions of the Act, stating that they are subject to the same rights and obligations that local entities of same nature. Article 42 specifically state that minimum capital allocated to such companies must be placed in Peru and be equivalent to entities that perform the same activity in the country. Article 33 of the Consolidated Supervision Regulation (Resolution 11823-2010) state that the SBS may consider as impediments for authorization: (i) the legal and administrative structure of the conglomerate prevents or hinders effective consolidated supervision; or (ii) the conglomerate is not found subject to effective consolidated supervision due, inter alia, that the parent company or any controller is located in countries where no consolidated supervision is carried out effectively; or if in the country of origin of those companies or in the country where they develop the 51 PERU main activities of the conglomerate no consolidated supervision is carried out; or when in the country of origin no minimum international standards are applied for effective consolidated supervision. For this purpose, consolidated supervision is effective if it meets minimum international standards on the matter, including, inter alia, the analysis of risk management at the consolidated level, regulatory capital and capital requirements, related party and concentration limits and analysis of the consolidated financial statements, to the satisfaction of the Superintendence. SBS liaisons with the home supervisor and procedures include the submission of a questionnaire for acquiring further information regarding consolidated supervision and the overall supervisory approach. SBS has authorized cases where it deemed that the home supervisor didn’t perform consolidated supervision. In those cases, the monitoring process of the local entity encompass additional requirements of information regarding the parent and ultimate beneficial shareholders. EC11 The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. Description and There are no policies and processes in place specifically to monitor the progress of findings re EC11 new entrants in meeting their business and strategic goals. Nevertheless, according to Article 94 of the General Law, CEOs are required to submit to the board (at least) quarterly reports on the economic progress of the entity, comparing the performance with the previous quarter and the original projections. Circular B-1899-92, number 2 requires those reports to be sent to the SBS. In addition, as already mentioned, all supervised entities are subject to on site examinations at least once a year and to the ongoing off-site monitoring. In cases of supervisory requirements, as a result of the verification of the readiness for initiation of operations, in general entities are granted a 12-month period for implementation (and required to open business up to three months after being granted a license). Those requirements are followed up as regular examinations, taking into account the agreed time framework for completion. Assessment of Compliant Principle 5 Comments SBS has a sound and comprehensive licensing process in place, encompassing the assessment of the ownership structure and governance, strategic and operating plans, internal controls, risk management and projected financial conditions. A non- objection is required in cases where the parent is a foreign bank. 52 PERU Principle 6 Transfer of significant ownership. The supervisor22 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. EC1 Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”. Description and The General law does not explicitly define “significant ownership” and “controlling findings re EC1 interest”. Nevertheless, Article 57 require that transfers of ownership (direct or indirect) of over 10 percent (or that would result in holdings over 10 percent as a result of the transfer) of a supervised entity (directly or through third parties) requires prior authorization. Article 2(j) of the Rules of Acquisition of Holdings in Supervised Entities and Significant Ownership (Resolution SBS 6420-2015 – Significant Ownership Regulation) further clarifies it, defining significant owner as the person or legal entity that directly or through third parties, through any means of acquiring capital, has a stake above ten percent (10 percent) of capital. The same regulation, Article 2(b), defines control referring to Article 9 of the Special Rules on Economic Groups and Related Parties (Resolution 5780-2015 – Related Parties Regulation) which defines control as the preponderant and continuous influence in the decision-making of the governing bodies of a legal entity. The control can be direct or indirect. Control is considered direct when a person or legal entity exercises more than half of the voting powers at the general meeting of shareholders or partners or equivalent. Control is indirect when a person or legal entity has the power to appoint, remove or veto the majority of board members to exercise the majority of votes at meetings of the board in order to: approve financial and/or operational decisions, as well dividend payouts or any type of profit distribution; to appoint remove or veto the CEO. In addition, Article 2(d) defines significant influence as, while not having control, the power to intervene in policy or operation decisions through representation at the board, participations in decisions for establishing policies including for dividends and other distributions, participating in appointing the CEO and other senior management. The definition of “control” in the SBS regulation is based on the “preponderant and continuous influence” in the decision-making of the governing bodies of a legal entity, and this is supported with a quantitative indicator (holding the majority of voting rights) and also qualitative indicators (e.g., the ability to appoint, remove or veto the majority of board members). This definition appears to be broadly in line with international good practices, and it allows qualifying a person as “controlling” the bank regardless of the percentage of his/her voting rights. The definition of “significant owner”, however, is based on a quantitative threshold (10 percent of the capital), and therefore it does not cover the cases where a person 22 Whilethe term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority. 53 PERU can exercise “significant influence” on the management or policies of the bank if his/her holding is below 10 percent of the capital. As a result, while the definition of “control” is generally appropriate, there is a weakness in the definition of “significant influence” in relation to significant ownership in the regulatory framework. EC2 There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. Description and The General Law requires supervisory approval for changes that would result in findings re EC2 changes in direct or indirect ownership over ten percent. The Rules of Acquisition of Holdings in Supervised Entities and Significant Ownership, issued in 2015, strengthened SBS framework, establishing effective requirements for supervisory approval to be obtain in cases of change in ownership up to the ultimate beneficiary. As described in EC1, Article 57 of the General Law require that transfers of ownership of over 10 percent (or that would result in holdings over 10 percent as a result of the transfer) of a supervised entity (directly or through third parties) requires prior authorization. In addition, Article 50 of the General Law states that every natural or legal person who acquires shares in a company, directly or through third parties of one percent of capital in the course of twelve (12) months, or that those purchases reach three percent or more, are required to provide SBS all information it might require in order to identify the main economic activities and structure of their assets. This includes providing the name of shareholders in the case of companies issuing bearer shares. Article 57 provisions also establish that in cases where a legal person domiciliated in Peru holds over ten percent of a supervised entity, its shareholders must obtain prior authorization from the SBS to transfer shares over 10 percent or more of such company. If the shareholder is legal person not domiciled in Peru, it is required to inform the SBS of changes in the ownership structure of the company exceeding ten percent, indicating the names of the shareholders. It is the supervised entity responsibility to inform SBS when it becomes aware that a portion of its shares has been acquired by a foreign company, informing the shareholders names of such company. Article 2(j) of the Significant Ownership Regulation defines significant ownership as direct or indirect ownership over 10 percent. Article 2(h) defines indirect holdings encompassing related parties. Article 3 lays down the information to be presented to SBS in case of transfer of significant ownership. In those cases, legal entities are required to provide, among others, information regarding their significant owners and ultimate beneficiaries. There are also no general provisions that apply to circumstances of controlling influence. EC3 The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in 54 PERU significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. Description and The General Law requires prior authorization for transfers that would result in findings re EC3 holdings above 10 percent and have specific provisions related to rejecting transfers of ownership requiring shareholders to meet criteria comparable to licensing. Reasons for rejecting include failure to meet fit and proper and financial soundness criteria. Failure to comply with requirements of “moral suitability and economic solvency” result in fines and a requirement to sell the holdings within 30 days which doubles if it exceeds that threshold. In addition, in the case of a shareholder becoming a significant owner without SBS authorization, the SBS may suspend the exercise of their voting rights and for receiving dividends and the shares it acquired are not taken into account for determining quorum and majority required for the General Shareholders' Meetings. In the opinion of the SBS these powers are in practice sufficient to realize a modification or change in the unauthorized significant ownership. The Significant Ownership Regulation requires information on financial soundness for the authorization of transfer of ownership. Article 58 of the General Law – Rejection of Transfer of Ownership empowers the SBS to reject the application for transfer of significant ownership if the person who intends to acquire holdings or, in case of a legal person, the shareholders, directors or employees fall within the impediments established under the combination of Articles 20 and 52 and the restrictions laid down on Articles 53, 54 and 55. Those impediments and restrictions are the same applied to the licensing process. Article 20 lays down a series of impediments related to propriety. Article 54 forbids public servants and their spouses to hold over five percent in a supervised entity and the SMV and SBS Superintendents, staff and spouses of any holdings if acquired after assuming their posts. Article 55 forbids controlling shareholders of supervised entities of holding over five percent in another entity of the same nature. Article 53 prohibits financial system entities from being shareholders of another financial system entity of the same nature established in Peru, with the exception of investments with the intention to perform a merger. In such circumstances the entity has six months to perform the merger, after which is required to sell those holdings. In cases of investments in financial system entities of a different nature, the provisions related to transfer of ownership (see details on CP 6) apply. Article 59 of the General Law states that in the case of acquired shares with violation of the provisions of Articles 52 °, 53 °, 54 ° and 55 °, the buyer is sanctioned with a fine of an amount equivalent to the value of the shares had been transferred to him. Notwithstanding this, it is required to sell its holdings thirty (30) days and if such period expires without the situation has been corrected, the fine is doubled. In addition, the acquirer that infringed the provisions of Articles 54 and 55 will have their voting rights suspended. 55 PERU Article 381 (b) of the General Law empowers the SBS to take the necessary measures to prevent and/or avoid any unsuitable person controlling or participating directly or indirectly in the management (executive and non-executive) and operation of a financial system entity. Article 3 of the Significant Ownership Regulation require, in cases of transfer of ownership, the submission of financial information equivalent to licensing. EC4 The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. Description and The SBS requires the annual submission of the names of all significant shareholders findings re EC4 including those exerting controlling influence. Article 6 of the Significant Ownership Regulation states that all significant owners must annually submit an affidavit in which it is established that, having taken reasonable measures of verification, they are convinced of the identity of its ultimate beneficiaries (which include those that exert influence over them), listing all of them and stating that they comply with criteria of moral integrity and financial solvency, and that they are able to make cash contributions necessary to cover any equity deficiency in the supervised entity. In cases where the significant owner is a natural person they are required to submit themselves the same affidavit. The affidavit was further clarified by the General Letter 15047-2017 requiring the significant owners to take into account for calculating the percentages situations other than property and situations where they are acting as a group. The requirement enabled SBS to effectively obtain a much better view and understanding of groups operating in Peru. The affidavit falls short in the sense that the requirement applies to significant owners, which does not take into account economic group/related parties and controlling influence to determine significant ownership in the first place. Nevertheless, particularly in one case, a significant percentage of shares correspond to the trading in NYSE, where it is not possible to identify the ultimate beneficiary, due to the rules of NYSE’s disclosure. Only holdings above 5 percent through a single entity are required to be notified to the SEC and it is unclear that those encompass related parties/economic group considerations. EC5 The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. Description and Article 59 of the General Law states that in the case of acquired shares with violation findings re EC5 of the provisions of Article 57 (which requires authorization for transfers over 10 percent), the SBS may suspend the exercise of their voting rights, dividends and other profit distributions. Those holdings will also not be taken into account for determining quorum and majority required for the General Shareholders' Meetings. 56 PERU In addition, as already mentioned, Article 381 (b) of the General Law empowers the SBS to take the necessary measures to prevent and/or avoid any unsuitable person controlling or participating directly or indirectly in the management (executive and non-executive) and operation of a financial system entity. Article 356 of the General Law states that the SBS can impose sanctions due to the violation of legal rules, regulations or orders that SBS had issued. The sanctions regulation encompasses situations of transfers of ownership over 10 percent. EC6 Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Description and Articles 87 ° and 92 ° of the General Law deem the Board and senior management findings re EC6 responsible for failing to provide information to the SBS on events or transactions that might affect the entity safety and soundness. Circular G-152-2010 (Article 2) on suitability of shareholders, board members and senior management requires the CEO and the Head of Internal Audit to inform the SBS within five business days of learning of its occurrence, any fact that might affect allegedly negatively the moral fitness and / or economic solvency of the shareholders who own directly or indirectly 3 percent or more of the bank’s capital. The CEO and Head of Internal Audit are also required to report within five business days of learning of its occurrence any fact that might affect allegedly negatively the moral fitness and / or economic solvency of its board members and senior management. Assessment of Largely Compliant principle 6 Comments SBS has the power to review, reject and impose prudential conditions on proposals to transfer significant ownership or controlling interest above 10 percent held directly or indirectly in existing banks to other parties. The legal and regulatory framework falls short with regard to significant influence, which would encompass situations where in practice there is influence on the management and policies of the bank even in situations with holdings below 10 percent. The authorities are recommended to amend the legal/regulatory framework in order to: • Adequately incorporate significant influence as a qualitative indicator for significant ownership in the regulatory framework. Aspects related to the lack of legal powers regarding to the holding company, and therefore, SBS legal limitations in authorizing or impeding transfers of ownership through the holding company have been factored in the rating of CP 1 and 12. Principle 7 Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to 57 PERU determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. EC1 Laws or regulations clearly define: a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital. Description and The establishment of subsidiaries (locally and abroad) and certain investments above findings re EC1 a certain threshold in foreign entities require prior authorization form the SBS. Acquisitions of local subsidiaries are subject to the provisions discussed under CP 6 – Transfer of Ownership. The legal framework limits the scope in which financial system subsidiaries can operate. Article 34 of the General Law states that entities can establish subsidiaries as per Article 224, which in its turn require certain activities, understood as complementary to financial services, to be conducted through subsidiaries only. Article 35 of the General Law requires prior authorization from the SBS for the establishment of subsidiaries (brand new or in the case of mergers). In case of securities brokerage firms mutual and investments funds, as well as to act as trustees in trusts, those also need to be licensed by SMV. Article 36 establishes that the total investments in subsidiaries cannot be higher than 40 percent of capital and also states that the investment in a subsidiary cannot be less than three-fifths of its share capital. Article 221 – Operations and Services - lists all activities and transactions that banks are allowed to perform include: a) buy, hold and sell shares of banks and other foreign financial intermediaries and securities market entities or that are auxiliary in order to have an international outreach. In cases where acquisitions are over 3 percent (of the company to be invested in) SBS prior authorization is required. b) buy, hold and sell shares negotiated in a centralized negotiation mechanism and instruments that represent private debt, in accordance with the regulations issued by the SBS. c) buy, hold and sell, as participants, certificates of participation in mutual funds and investment funds; d) buy, hold and sell securities representing public debt, internal and external, as well as obligations of the Central Bank; e) buy, hold and sell bonds and other securities issued by multilateral credit agencies of which the country is a member; f) buy, hold and sell debt securities of foreign governments according to the rules issued by SBS. Article 200 of the General Law establishes a limit (as a percentage of regulatory capital) for the total holdings of market-traded shares, participations in mutual funds and participation certificates in investment funds in 40 percent, all subject to a 58 PERU concentration limit by counterparty of 10 percent (Art. 206) Fixed assets and moveable property (for use) are subject (jointly) to a limit of 75 percent. In addition, in those cases of investments in publicly traded shares the limit is not higher than 50 percent (control) by counterparty. There are no provisions regarding significant holdings or influence. Article 53 prohibits financial system entities from being shareholders of another financial system entity of the same nature in Peru, with the exception of investments with the intention to perform a merger. In such circumstances the entity has six months to perform the merger, after which is required to sell those holdings. Cases of investments in supervised entities of a different nature are subject to the provisions detailed on CP6, i.e. transfers of ownership over 10 percent require authorization and notifications of changes over one percent through a monthly report submitted monthly to the SBS by the supervised entity. In addition, Article 50 of the General Law states that every natural or legal person who acquires shares in a company, directly or through third parties of one percent of capital in the course of twelve (12) months, or when those purchases reach three percent or more, are required to provide SBS all information it might require in order to identify the main economic activities and structure of their assets. This includes providing the name of shareholders in the case of companies issuing bearer shares. The SBS does not have a system of notifications per se, apart from issues pertaining to transfer of ownership, discussed. Nevertheless, its wide range of prudential returns, encompass all investments, locally or abroad (Annex 1 – Investments). EC2 Laws or regulations provide criteria by which to judge individual proposals. Description and In case of establishing a new subsidiary, the Licensing Regulation (Art. 17) require the findings re EC2 same procedures established for licensing a new organization described under CP 5. In case of mergers, Article 28 of the Licensing Regulation presents a general requirement for entities to submit all information SBS deems necessary to attest the legal and technical viability of the merger, in addition to a plan of for capital strengthening. Investments in cross border financial operations over 3 percent are not covered by the Licensing Regulation. In addition to the Licensing regulation, the SBS has established what is called “Single Text for Administrative Procedures (Texto Único de Procedimientos Administrativos – TUPA), which is comprised of tables containing the documents requirements for all authorizations subject to SBS approval. TUPA 86, which is applied solely for investments on financial institutions abroad over 3 percent require the submission of reasons for the investment, and also, regarding the entity to be acquired, information on overall financials, the last two audited financial statements, external rating agency rating, impact on operational limits, indication on who is the foreign supervisor and their authorization for the investment/acquisition, 59 PERU as well as other information that the SBS deems necessary to assess the consequences of the investment. Local acquisitions by supervised entities are subject to the provisions discussed under CP 6, transfer of significant ownership. Article 3 of the Significant Ownership Regulation require, in cases of transfer of ownership, the submission of financial information equivalent to licensing. EC3 Consistent with the licensing requirements, among the objective criteria that the supervisor uses, is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.23 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. Description and SBS procedures encompass the assessment of the impact of those investments on the findings re EC3 entity risk profile and the conglomerate to which they belong. There are no objective criteria within the SBS framework requiring to ensure that acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. In practice, nevertheless investments in subsidiaries encompass the assessment of their overall capacity to properly supervise those subsidiaries, in case of cross-border investments, including the effectiveness of supervision in the host country. SBS ability to comply with this criterion is constrained by their limited powers on consolidated supervision, which do not encompass banks’ holding companies (please refer to CP 1 and CP 12). Notwithstanding, examples provided by the authorities encompassed cases where they curbed initiatives of cross-border investments through the holding companies by means of moral suasion. EC4 The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. Description and Information required encompass reasons for acquisition. In case of establishing findings re EC4 subsidiaries, as mentioned in EC2, the SBS uses the same criteria used for licensing, which encompass checking, from the outset, if adequate managerial and organizational resources are in place to properly handle the acquisition/investment. Overall, the SBS knowledge regarding the acquiring entity is taken into account within the authorizing process. In addition, specific aspects and challenges related to the acquired company are also verified. Supervisory documentation of an acquisition made available by the authorities evidenced that SBS verified that the bank had, from 23In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank. 60 PERU the onset, adequate financial managerial and organizational resources to handle the acquisition. EC5 The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities. Description and As described in EC 1, the legal framework does not allow for acquisitions or findings re EC5 establishment of subsidiaries outside of the scope of financial and insurance services or what is deemed to be complementary. In addition, the legal framework establishes a set of limits for total investments in subsidiaries and overall publicly traded companies. Assessment of Largely Compliant Principle 7 Comments The SBS has the power to approve or reject on major acquisitions or investments by a bank including establishment of cross-border operations. The limit established for investments in publicly traded companies (not higher than 50 percent of the invested company) might result in banks having high stakes and controlling interest/influence in non-financial companies. The authorities are recommended to lower the maximum percentage allowed to be held in a non-financial company ensuring there is no controlling interest/influence. Aspects related to the lack of legal powers regarding to the holding, and therefore, SBS legal limitations in authorizing or impeding acquisitions or investment through the holding have been factored in the rating of CP 1. Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. EC1 The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: a) which banks or banking groups are exposed to, including risks posed by entities in the wider group; and b) which banks or banking groups present to the safety and soundness of the banking system. The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. 61 PERU Description and In Peru, the legal framework requires SBS to have a rating system and conduct findings re EC1 examinations every year. Article 136 of the General Law requires the SBS to have a methodology to classify banks encompassing technical analysis and risk weights taking into account banks’ risk management systems, loan portfolio and trading book quality, capital strength, profitability, liquidity, among others. In addition, article 357 require examinations to be conducted at minimum once a year. In such background, the SBS supervisory process encompasses rating system, an inspection plan with annual examinations to all banks and a comprehensive off-site framework, with daily liquidity reports, industry monthly reports, individual entities quarterly reports, an early warning system, ICAAP assessment, system wide stress testing, among others, which aim at keeping the understanding of banks risk profile up to date and enabling taking timely corrective actions. Those processes are defined and formalized through various manuals and internal directives. As part of the process of understanding banks’ risk profile, SBS has been increasing its interaction with senior management in recent years although with room for further improvement, particularly in what refers to interactions with the board. The core tool currently used by SBS for determining and assessing on an ongoing basis the nature, impact and scope of risks which banks and banking groups are exposed is the rating. The rating methodology takes into account the following elements: solvency, credit risk, liquidity risk, market risk, operational risk, profitability and efficiency, and management and control. This last component includes aspects of strategic business management, management and corporate governance, internal audit, AML/CFT, customer service, and transparency of information and regulatory compliance. Each component takes into account qualitative and quantitative elements and together determine the overall comprehensive rating. The rating is approved and updated every year by a Rating Committee through the discussion of the bank’s main characteristics and the risks to which it is exposed. The formal operating system for the Committee is majority but in practice authorities report that they operate with consensus. At the Rating Committee, a supervisory strategy is also approved, encompassing areas to be covered during the next examination and actions to be taken. In its approach the SBS has implemented in practice, for a few years, a supervisory cycle, focusing at each examination on certain areas. That practice is expected to be fully incorporated in the new version of the rating system. In case of banks belonging to a financial conglomerate, the final rating (through override) takes into account group wide characteristics/concerns such as overall risk management and solvency, as well as the group consolidation process. In circumstances where it is deemed that the risk of the group can increase the risk of the individual entity, it’s overall classification is adjusted downwards . There is no rating for the conglomerate, nevertheless. Resolvability of banks is yet to be addressed by SBS. 62 PERU EC2 The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. Description and As described in EC1, the rating components per se do not aim at establishing a findings re EC2 forward-looking view of banks’ risk profile. In practice, nevertheless, SBS has incorporated, over the years, some forward looking elements in order to establish a more forward-looking view of banks profiles. The ICAAP, Probability of Default (PDs) analysis and vintage analysis (Please refer to CP 16 and 17 for further details) are both used for overriding the rating. In addition, the SBS has recently introduced an “outlook” to the rating, stable, negative or positive, which aims at reflecting their expectations for the rating for the next 12 months. The SBS has been working on an enhanced methodology incorporating those elements directly into the rating system. As detailed in EC1, the rating process encompasses a discussion at the rating committee, where based on the risk profile, particular supervisory concerns, and market trends a supervisory strategy is established which determines the focus of the supervisory work. Although yet to be formalized, in recent years SBS has established a policy of supervisory cycles (determined by the risk profile) in order to, over time, cover the key risk drivers within a particular bank. EC3 The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. Description and The General Law explicitly establish as one of the Superintendent functions (Article findings re EC3 349(2)) to ensure entities’ compliance with laws and regulations. Compliance with prudential regulations and other requirements is verified through off-site monitoring and on-site examinations. Off-site procedures encompass periodic review of prudential returns pertaining to prudential limits (including leverage, market, credit and liquidity), as well as provisions and capital. During examinations, compliance with various prudential regulations is verified, according to the scope/target of that particular case and can include risk management standards, legal limits, regulatory reports and others. Particular emphasis is given to the assessment of the adequate loan loss provision and capital requirements. Moreover, the SBS performs, on occasion, assessments of banks’ IT systems, with the aim to ensure the reliability of data provided to the SBS. EC4 The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. Description and The SBS is in charge of supervision of banks, insurance, pensions, cooperatives, findings re EC4 leasing, factoring, mortgage companies, general warehouses and others. Cross- sectoral elements are taken into account when performing the risk assessment of banks in discussions about the conglomerates during the rating committee and more 63 PERU recently through the conglomerates committee where, beyond a discussion on capital and limits for the conglomerate, insurance and banking supervisors exchange views on their respective segments, as needed. The Deputy Superintendence for Economic Studies (SAEE) produces a quarterly financial stability report which includes stress tests with different scenarios applied to the national and international environment. SAEE also produces ad hoc sectoral reports on occasion, based on upcoming risks e.g. agricultural, real estate. Those reports trigger meetings with entities and further follow ups, as necessary. In cases where adverse conditions have been identified that may increase the risks faced by supervised companies, in-depth analyses of a market segment have been carried out, coordinating with entities and/or requiring specific information in order to understand their risk assessment and/or actions taken. Examples include: i) in 2011-2012 a study was carried out to investigate the extent to which the increase in housing prices could be creating a housing bubble that had an impact on the portfolio of entities; ii) a study was conducted in 2014-2015 to investigate the growth of the observed balances in the credit card product and whether this was causing an over-indebtedness of the consumer debtors; iii) in 2016 the concerns were centered, in the measures that were taking against a possible El Niño Phenomenon that could be of severe magnitude; (iv) in the same year, it was assessed how they were financing the growing gaps between the balance of loans and the balance of deposits; and, v) for 2017, the impact of natural disasters in the north of the country was evaluated. The macroeconomic environment has also been taken into account through the provisioning and capital regulations, requiring additional provisioning and capital in the expansive phase of the cycle (when the rule, associated with the behavior of the GDP, is activated), so that buffers that accumulate in times of economic expansion can be depleted in the recessive stage of the cycle (please refer to CP 16 and 18 for further details). EC5 The supervisor, in conjunction with other relevant authorities, identifies monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem a ssets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. Description and As mentioned in EC4, the SAEE prepares a quarterly Financial Stability Report, which findings re EC5 analyzes four main items: global and local macroeconomic risks on the Peruvian economy, the systemic risk of financial entities measured through the indicator, analysis of the level of indebtedness of debtors per segments and stress tests of credit risk to the financial system (based on macro projections provided by BCRP). In addition, the capital buffers (please refer to CP 16 for further details) include a 64 PERU requirement related to systemic relevance, which links banks’ size to economic activity trough assets over GDP. Also, ad-hoc studies have been conducted and measures taken, as necessary. The recently created financial stability committee is expected to enable a more structured process in terms of discussions and decision process as to if and when to act based on those findings. The Superintendent (or a representative) attends Board meetings at the BCRP quarterly where trends and build up risks are also discussed. Other ad-hoc technical meetings among SBS, BCRP, MEF and SMV occur to discuss and exchange views issues related, for instance, to the provision of liquidity against an adverse international scenario, mechanisms to curb appreciation of the exchange rate and credit risk trends. EC6 Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. Description and Resolvability concerns are yet to be part of SBS supervisory approach. Peru has no findings re EC6 procedures in place to assess banks’ resolvability. Banks are not required to develop recovery plans and there is no resolution planning for the Peruvian systemic banks. EC7 The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. Description and The legal framework grants the SBS powers to handle banks in times of stress, findings re EC7 including putting them under surveillance regime, as well as intervention (please refer to CP 1 and CP 11 for further details), including Article 349(19) with general powers to address any issues related to safety and soundness concerns. The SBS has recently updated (August 2017) an “Action Manual for Problem Entities” which contains the criteria, guidelines and actions to be applied in each circumstance, including the surveillance regime, intervention, and dissolution/liquidation. For an in- depth discussion of the resolution tools available in Peru please refer to the Crisis Management Technical Note. Regarding preventing and corrective actions, the rating system does not have any automatic triggers based on ratings but in practice supervisory concerns are communicated expeditiously and enforced, as necessary. (please refer to CP 11 for further details). EC8 Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to 65 PERU draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. Description and As detailed in CP 4, in case of unauthorized activities the Superintendent must findings re EC8 arrange for the immediate cease of activities and closure of premises. The SBS has the Department of Contentious Affairs of (SAAJ) that is responsible for identifying, investigating and intervening those natural or legal persons, who without authorization from the SBS, carry out activities that are specific to the entities supervised and regulated by the SBS. SAAJ uses various sources of information to detect cases of banking activities, such as receiving emails with complaints, written communications from individuals, legal entities, Congress, General Prosecutor, the press and advertisements, among others. In case the intervention proceeds, it is coordinated with the Prosecutor's Office. In practice, actions taken by the SBS against activities being performed outside the regulatory perimeter have include illicit direct deposit taking and also pyramid-like schemes. SBS is the supervisor of banks, insurance companies and pensions, which, to a certain extent, diminishes the possibilities of regulatory arbitrage. On the other hand, the legal limitations of direct access to parents and affiliates (please refer to CP 1 and CP 12 for further details) could potentially be used by banks to avoid the regulatory perimeter, which the SBS would try to deter through the use of their indirect powers, moral suasion and close cooperation with foreign supervisors. Assessment of Largely Compliant Principle 8 Comments The SBS has a sound and comprehensive supervisory approach, moving towards a more risk-based framework. It is supported by a rating methodology and encompasses a forward-looking perspective, assessing and addressing risk emanating from banks and the banking system. Elements related to the conglomerate are taken into account for overriding purposes but are not embedded into the supervisory rating methodology. SBS seems to have a deep knowledge of the operations and risk profile of the major banks operating in Peru, making effective use of a broad range of information sources. Interactions with senior management and board have been enhanced but there is still room for further improvement. Resolvability of banks is a topic yet to be tackled by SBS. The authorities are recommended to: • Establish a process for assessing resolvability of systemic banks; • Consider establishing a rating for conglomerates, and establishing a lead supervisor for the conglomerate, responsible for the overall view of operations and risks; • Further enhance interactions with senior management and particularly the Board of supervised entities, within the process of understanding strategy, operations, controls and risks. 66 PERU Issues related to EC8 and the legal limitations regarding consolidated supervision and the supervisory perimeter have been factored into the ratings of CP 1. Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. EC1 The supervisor employs an appropriate mix of on-site24 and off-site25 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. Description and SBS uses a mix of on and off-site activities to monitor and evaluate the condition of findings re EC1 banks and banking groups, risk profile and internal control environment. Off-site surveillance encompasses the monitoring and analysis of financial and non-financial information, which is supplemented by on-site examinations to establish the risk profile of banks and banking groups. Off-site activities include daily liquidity reports, industry monthly reports, individual entities quarterly reports, an early warning system, ICAAP assessment, system wide stress testing, among others, performed by SABM and SAR. On-site examinations are performed every year, according with the annual plan and the supervisory strategy for each bank. The rating system is a core supervisory tool used by SBS to perform its supervisory functions banks. The rating is achieved using information gathered through on-site examinations and off-site surveillance. There is no clear segregation between on and off-site supervision and both Deputy Superintendences, SABM and SAR perform a mix of on and off-site activities, SAR focused on the individual risks and SABM in charge of the banks, the rating and the overall supervisory strategy. On site examinations are performed by a lead inspector and its team, coming out of SABM and specialists, as needed, from SAR (examinations of major banks include specialists for each risk, a conglomerates specialist, a legal specialist and also a specialist on market conduct). The teams perform planned examinations, established based on an annual plan of inspections, which contains the scope of each visit. The plan is produced by the SABM in coordination with SAR. 24 On-site work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow-up on supervisory concerns, etc. 25 Off-site work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further off- site and on-site work, etc. 67 PERU As already mentioned, the ratings determine the supervisory strategy and actions to be performed both on and off-site. Results of the examinations, on its turn, are key drivers in establishing the risk profile and the ratings. SBS does not have a formal process in place as such to regularly assess the quality, effectiveness, and integration of its on and off-site functions. Nevertheless, it reports to have, in practice, a continuous enhancement process, which is reflected in the SBS strategic plan, resulting, for instance, on the enhancement of the on-site examination procedures manual, the decision to design of a new platform for off-site surveillance (which has not yet a timeline for implementation), the decision to integrate on-site and off-site functions within SABM, as well as incorporating new monitoring elements. Another recent enhancement has been to prioritize the recommendations generated during the inspection visits. The SBS has a set of manuals, including the Manual of Organization and Functions (MOF) of the units involved in supervision as well as specific technical manuals. Technical Manuals include On-site Supervision Manual, On-site Procedures Manual (both together referred here as Supervision Manual). The functioning of the rating committee is established through an internal regulation. The SBS also has established a series of guidelines for off-site supervision, including for the rating methodology, The manuals do not encompass procedures for consolidated supervision, but an internal directive (Directive No. SBS-SBS DIR-SBS-342-01) governing consolidated financial and mixed conglomerates supervision, states that consolidated supervision is mainly carried out by analyzing the information obtained in inspection visits; extra situ analysis of the information submitted by the companies; analysis of the information submitted by other supervisory bodies; verification of compliance with consolidated capital requirements and limits, as appropriate, which are performed by a dedicated unit within SAR. EC2 The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions. Description and The process for planning and executing on- and off-site activities is bound by the findings re EC2 requirement (Art. 357 of the General Law, please refer to CP 1) to perform at least one examination a year. The SBS has established a systematic process for planning and executing on and off- site activities. The on-site manuals provide for detailed guidance aiming at insuring a thorough and consistent work, establishing responsibilities, objectives and outputs. The manual also details the necessary procedures for planning visits. Off-site activities encompass the production of a series of reports, both by SAR and SABM. As already mentioned, both Deputy Superintendencies perform on and off-site activities. 68 PERU The annual examination plan is prepared by SABM in coordination with SAR and also SAAJ (regarding particular legal aspects that might need support), as well as the Committee on Consolidated Supervision, which also provides inputs to the annual plan of visits (and the actual plan for each visit) in the case of companies that are part of a conglomerate for which the SBS has assumed the responsibility of home supervisor. The planning of each visit includes detailing the visit scope, team members (i.e. number and specialists needed), distribution of workload, expected number of days needed, and the collection of all the necessary information on the entity to perform the examination. As previously mentioned, examination teams are composed by members of the unit in charge of the bank (including the chief examiner), as well as specialists from SAR, as needed. The rating process is supported by detailed guidance through an internal regulation. Guidelines are also in place for the preparation of the quarterly reports and for capital assessment (please refer to CP 16 for details on the capital assessment process). EC3 The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable26 and obtains, as necessary, additional information on the banks and their related entities. Description and The SBS require banks to submit a broad range of information in addition to monthly findings re EC3 financial statements, including: • Capital (total capital requirement and per individual risks), regulatory capital buffers and capital instruments, monthly, in addition to annual reports on ICAAP. • Credit risk – classification and provisioning (monthly); debtors credit report – credit registry (monthly); • Market risk – information on investments, derivatives, exposures subject to FX risk and interest rate risk (local and FX), monthly • Liquidity risk – daily liquidity positions, treasury report and liquidity coverage ratio; monthly liquidity position and liquidity maturities; stress tests and contingency plans, quarterly; • Operational risk – business continuity risk indicators (monthly); significant disruption events report (day after the occurrence); operational risk management report (annually); quarterly loss event reports for banks under the ASA. • Integrated risk management – new products (10 days after its release); major changes in the business environment 10 business days following committee presented risk or specialized committee that assessed this matter). 26 Please refer to Principle 10. 69 PERU • Economic group and related parties: related party exposures (quarterly) report on the economic group and report on legal persons composing the economic group; (semi-annually) The teams in charge of individual banks under SABM receive specialized reports including early warning indicators from the various units within SAR (Market, Liquidity and Investments, as well the Credit Risk Unit) which, together with public information and other analysis can result in follow ups with entities, also feeding into their (SABM) quarterly reports on banks. SAR also produces certain reports for their own consumption, as also does SABM, some of them covering the same aspects/analysis. The Conglomerates Unit under SAR also produces quarterly reports on each of the existing conglomerates focused on analysis of consolidated capital and consolidated limits. Those also feed into the quarterly reports on banks. The SBS has various systems that gather and process information, including: SUCAVE and the Supervised Portal (through which entities submit information), DATAMART, SISCOR, REDOC, Supervision Platform, ISOC (on AML/CFT), among others. In terms of validation of information, the SUCAVE performs automatic validations of consistency; risk management and other information are in a way validated through examinations and day to day monitoring by the units in charge of banks as those activities can point out to inconsistencies. In addition, the SAR IT unit is in charge of supervising information systems and in the course of its work prepare reports related to a reliability and integrity of the information that supervised companies submit to the SBS. For further details please refer to CP 10. EC4 The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: a) analysis of financial statements and accounts; b) business model analysis; c) horizontal peer reviews; d) review of the outcome of stress tests undertaken by the bank; and e) analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow- up work required, if any. Description and As already detailed, banks’ ratings are reviewed annually, and encompass updates on findings re EC4 asset quality, risk management, corporate governance and internal controls, business strategy and compliance, among others. Financial statements and accounts are reviewed quarterly. A set of reports and on financial and risk indicators (including individual as well as horizontal peer reviews), are quarterly produced by SABM, SAR and SAEE. Certain accounts are also subject to review during examinations if there is reason for concern, including sudden or significant variations or identified weaknesses in controls. 70 PERU The analysis for the rating and the quarterly report contemplate certain aspects of business model but there is no explicit supervisory guidance (internal or external on the matter. Risk management practices and corporate Governance are assessed through on-site examinations and banks are required to fulfill a corporate governance good practices questionnaire (please refer to CP 14 and 15 for further details). The review of the outcome of stress tests undertaken by the banks is performed in the context of the yearly ICAAP report assessment (please refer to CP 16 for further details). On site examinations encompass a closing meeting with the CEO and board members where main findings, recommendations and conclusions are communicated. The inspection report is also submitted to the bank’s board. Actions required from banks , as a result of off-site examinations, are also submitted to the banks through a formal letter to the board. EC5 The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. Description and SBS supervisory tools result in an ongoing assessment aiming at identifying, assessing findings re EC5 and mitigating emerging risks affecting banks. SAR, in particular the units in charge of market, liquidity risk and investments, as well as the credit risk unit analyze current and emerging risks, producing “warning reports” related to individual entities, groups or for the financial system as a whole. As necessary, findings are communicated to the individual entity, conglomerate or the industry for actions to be taken. The semi-annually credit risk stress tests performed by SAEE aim to assess the impact of macroeconomic scenarios (gathered from BCRP) on each institution's solvency and stability of the financial system. Estimates are performed by loan type, by economic sector and according to the characteristics of the portfolio of each entity; projections for the main variables of financial statements (income, expenses provisions, growth in loans, bad debt ratio, capital ratio, etc.) are estimated for up to two years including capital levels on an individual and system wide basis. The scenarios used by SBS are also provided to entities, to be taken into account into their annually ICAAP exercise. In addition, supervisors contrast the results obtained by the entities with supervisory stress-tests. Results of SBS stress testing are not usually shared with entities. Since 2016, SBS has also been requiring entities to conduct a sensitivity analysis (as part of the ICAAP) in which Probabilities of Default developed by SAEE are incorporated for each of the entities supervised into stress testing. Based on the results entities are asked to inform actions that would be taken in case those 71 PERU situations materialized. Additionally, SAEE periodically produces sector analysis, to identify potential sources of risks affecting the system which are presented to the examiners to support loan files reviews. SBS has also been developing actions so that banks develop sectoral strategies to tackle potential operational crises that may affect the system as a whole. In this regard, in 2014, the First Sectorial Exercise Business Continuity was conducted, assuming an earthquake of Grade 8 off the coast of the city of Lima, with the participation of nine (09) banks and three (03) authorities (SBS, MEF and BCRP). From the lessons learned from this exercise, action plans both led by financial institutions and the authorities were designed, which are being monitored by a permanent task force. In August 2017, the Second Sectorial exercise in which a similar scenario (8-8.5 degrees earthquakes in the city of Lima) was tested and was attended by 23 participants including banks and insurance companies. EC6 The supervisor evaluates the work of the bank’s internal audit fun ction, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. Description and The Internal Audit Regulations ((SBS 11699/2008) establish the minimum findings re EC6 requirements for the Internal Audit work plan, which has to be approved by the board and submitted to the SBS. The regulation also requires reports to be submitted to the SBS including the annual plan and quarterly reports. The SBS has developed an IT tool under the “Supervised Portal” through which entities submit the work plan, progress reports and the Internal Audit Unit Management Report (please refer to CP 26 for further details). As part of the off-site activities, SBS evaluates those documents and requires, if deemed necessary, additional information on the examinations carried out. Those procedures enable the SBS to have an up to date understanding of the risk faced by entities, to define areas for on-site examination, as well as to evaluate the quality of the internal audit function. On site examinations encompass the assessment of the internal audit function independence, as well as its effectiveness in enhancing the entity’s ove rall risk management framework. EC7 The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. Description and On-site examinations encompass meetings with senior management when initiating findings re EC7 an examination, which, in case of larger entities, in recent years has started to encompass a presentation on strategy during the first trimester of the year. All examinations include an exit meeting, where results of examinations are communicated. In case of entities in relation to which there are concerns, meetings 72 PERU happen more often, focusing on particular topics. Meetings with Board members (executive and non-executive) happen on occasion. In case of entities with particular weaknesses SBS may attend board meetings as observer. SBS relies on board meeting minutes and on-site examinations to review and understand banks’ business strategy and concerns are raised, as necessary through the inspection report. EC8 The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. Description and The legal framework (Article 359 of the General Law) establishes that inspections are findings re EC8 to result in written reports to be submitted to the supervised entity, referring to the need of the involvement of the board in order to ensure that corrective measures are taken in an effectively and timely fashion. In addition, Article 90 states that all communications as a result of an inspection or investigation or containing recommendations on their business operations should be informed to the Board, during its next meeting, under the responsibility of the Chairman of the Board or equivalent. The On-Site Examination Report details the procedures related to the notification of the findings resulted from an examination through an observation memorandum and inspection report. As already mentioned, all full-scope examinations are followed by a closing meeting with the CEO where the main findings are presented. The inspection report is submitted to the chairman of the board, to be shared with the full board. Correspondence might also be submitted to banks requiring further information/clarification on particular topics or as a result of off-site surveillance or the rating process requiring correction measures to be taken. SBS, in some cases, participate as an observer in board meetings of FIs (but so far not in banks’ Board meetings) and also, normally once a year, meets with independent Board Members (please refer to CP 14 for further details). Off-site monitoring encompasses close contact with the institution for clarifications, as necessary. In case of more significant issue on-site visits can be triggered and/or meetings with senior management depending on the type/severity of the issue. EC9 The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. Description and On and off-site procedures encompass the monitoring and follow up of findings re EC9 implementation of recommendation, observations and corrective measures to be 73 PERU taken. Files made available to the assessors confirmed that the SBS systematically follows up to check that banks have addressed supervisory concerns and implemented requirements communicated to them. SBS uses a tool, TeamMate, for on-site examinations which enables the systematic use of electronic working papers by risk, observations, the impact of the observations on the bank, the inspection report, as well as following up and tracking of observations, and report inspection visit. Off- site follow ups are monitored through spreadsheets. SBS requires banks (CEO and/or Chairman of the board) to submit a written document on the results of the regular monitoring of the implementation of corrective actions. Files made available to the assessors confirmed such practice. In addition, the Internal Audit Regulation establish, among the Internal Audit functions, the assessment of the timely and proper implementation of the required actions and measures to address SBS, external audit and internal audit recommendations and observations. EC10 The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. Description and Article 87 of the General Law establishes that the responsibility to ensure that findings re EC10 information that might affect the safety and soundness of a bank is communicated to the SBS lays with the board. It also states that these violations will be sanctioned by the SBS, according to their seriousness, without prejudice to any civil or criminal actions. Article 92 effectively expands those responsibilities (and consequences) to senior management. In addition, Article 9 of the Sanctions Regulation (Resolution 816-2005) establishes as an aggravating criterion the action to try to prevent the SBS to know about the infringement, either withholding information or procrastinating its delivery, hindering control actions or otherwise. Furthermore, Article 13 of the Regulations of Internal Audit (Resolution 11699-2008) establishes the responsibility of the Head of Internal Audit to report immediately and directly to the SBS and the Audit Committee the occurrence of significant adverse events, defined as those facts that can have significant impact on the bank’s financial situation, or the achievement of its objectives. Circular G-152-2010 (Article 2) on suitability of shareholders, board members and senior management requires the CEO and the Head of Internal Audit to inform the SBS within five business days of taking knowledge of its occurrence, any fact that might affect allegedly negatively the moral fitness and / or economic solvency of the shareholders who own directly or indirectly 3 percent or more of the bank’s capital. The Related Parties Regulation (SBS Resolution No. 5780 -2015) points out in its article 17 that any modification to the composition of economic group, must be 74 PERU communicated to the SBS in no more than 15 calendar days following the month in which such change occurred. SBS Resolution 1913-2004 requires supervised companies to inform the SBS on the election of directors and the appointment of its managers and internal auditors, and the respective vacancies, within one (1) business day. CVs of directors and senior managers are required to be updated by electronic submission through an electronic system, REDIR. In addition, Circular G-165-2012, establishes the obligation of entities to submit to the SBS significant changes in the business environment, the operating system or computing environment. The deadline for submission of these reports is ten business days after it has been presented to the Risk Committee or specialized committee. Circular G-164-2012 requires entities to inform the SBS the occurrence of events of significant disruption of operations up to 10 business days after the occurrence of the event. In addition, it is noted that the companies that are listed on the stock exchange are obliged to inform the SMV and the stock exchange, and right after the public, of relevant facts, as per Article 28 of the Securities Market Law. Information should be provided and disclosed as soon as the event occurs or the issuer becomes aware of it, as the case. EC11 The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. Description and Article 134 of the General Law enables the SBS to make use of previously qualified findings re EC11 and registered external audit firms to exercise its functions, which is coupled with Article 357 on inspections, requiring the SBS to perform annual examinations, directly or through the use of authorized external auditors, determining the content and scope of those inspections. SBS reports not to make use of external consultants to perform supervisory work. EC12 The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. Description and The SBS has several complementary tools that facilitate the processing, monitoring findings re EC12 and analysis of prudential information. Follow ups of on-site examinations are monitored through a supervisory tool. The SBS sets the accounting standards for supervised entities. In such context, it has established uniformed accounting criteria which facilitates the submission and analysis of accounting and prudential information. 75 PERU The SUCAVE is the system used for submission of financials and statistic information to the SBS, which performs a pre-validation of reports at the entities, prior submission. The Corporate System (SISCOR), enables SBS staff to create and generate personalized reports based on all accounting and financial information available, as well as access the credit registry to obtain further individual information on loan portfolios. The DATAMART allows to explore current and historical details (since 2001) of credit portfolios of supervised companies (sent through Annex No. 6 "Debtors Credit Report") including also an “alignment module” which enables the SBS to verify discrepancies in asset classification among banks. In addition, Oracle Business Intelligence is used to exploit annual reports and operational risk management reports as well as management reports and progress of internal audit plans. Entities also send further information on management through the Supervised Portal. On-site examinations are supported by TeamMate, with electronic working papers by types of risk, inspection reports, observations and the impact of those observations, also encompassing following up on observations. Further follow up of observations is carried out with the web module TeamCentral. On site examinations also count with IDEA (Stata for statistical analysis) and @Risk for simulations which are used to validate accounting records, asset classification etc.). Off-site surveillance follow ups are currently performed through the use of a spreadsheet but planned enhancements for off-site surveillance include the development of a platform to encompass all off-site analysis and also follow up. Assessment of Compliant Principle 9 Comments SBS has a broad range of techniques and tools to implement its supervisory approach. The integration of its on and off-site activities has been beneficial and the split between a specialized risk Deputy Superintendence and a Superintendence in charge of the general supervision of individual banks seems to be working well. In addition to the on-site examinations, SBS has an array of reports produced by both Superintendences, sometimes with overlap between them. Off-site surveillance is yet to establish a platform similar as for on-site activities, facilitating analysis and monitoring of follow up activities. Authorities are recommended to: • Streamline off-site surveillance report through further coordination between SAR and SABM; • Speed up the process of establishing an off-site surveillance IT platform. Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns27 from banks on both a solo and a consolidated basis, 27In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27. 76 PERU and independently verifies these reports through either on-site examinations or use of external experts. EC1 The supervisor has the power28 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. Description and Article 138 of the General law empowers the SBS to require supervised entities to findings re EC1 present balance sheets and other relevant financial information on an individual and consolidated basis as it deems appropriate. Article 350 grants the Superintendent ample powers to require all the necessary information in order to be informed about the entity’s financial condition and any other aspect necessary. Article 349 (13) of the General Law empowers the SBS to set regulations for the elaboration and presentation and disclosure of financial statements and complementary information, as well as consolidation criteria, based on general accepted accounting principles. In that context, the Financial System Accounting Manual homogenizes the presentation of accounting and complementary information as follows: a) Financial statements: Form A: Statement of Financial Position (monthly); Form B-1: Income Statement (monthly); Form B-2: Income Statement (quarterly); Form C: cash flow statement (annual); Form D: Statement of Changes in Equity (semi-annual); Form F: Checking Balance (monthly). b) Capital Sufficiency: Report 2-D: Capital requirements for Credit Risk, Market, and Operational and Calculation of Global Limit (monthly); Report 3: Regulatory Capital (monthly); Report 4: Capital buffers; per individual, sector and regional credit concentration; and interest rate risk in the banking book; and a summary of additional regulatory capital requirement (monthly); Appendix 12-I: Control of Capital Instruments (monthly); Appendix 12-I I: Control of subordinated debt (monthly). c) Credit Risk: Report 2 A: Risk-weighted assets for Credit Risk (monthly); Annex 5: Debtors classification and Provisions Report (monthly); Annex 6: Credit Debtors Report (monthly). d) Market Risk: Annex 1: Investment (monthly); Annex 8: Positions on Derivative Financial Instruments (weekly); Annex 9: positions subject to FX Risk(monthly); Report 2-B: Capital Requirement components for Market Risk (monthly); Appendix 7: Interest Rate Risk Measurements - local and foreign currencies (monthly). e) Liquidity Risk: Annex 15-A: Treasurer 's Report and Daily Liquidity Position(daily); Annex 15-B: Liquidity Coverage Ratio(daily); Annex 15-C: Monthly Liquidity Position(monthly); Annex 16-A: Liquidity maturity table(monthly); Annex 16-B: Stress Test and Contingency Plan(quarterly). 28 Please refer to Principle 2. 77 PERU f) Operational Risk: Report 2-C: Capital Requirements Calculation (monthly). g) Economic Group and Related Parties: Report 19-I and 19-II: Information on the economic group (semi - annual); Report 19-A: Information on legal entities that compose the economic group (semi-annual); Report 21: related party lending (quarterly). h) Limits: Report 13: Control of Global and Individual Limits Applicable to Financial System Companies(monthly), including large exposures. Since 2010, banks are required to provide an ICAAP report on an annual basis. Information on economic sector and geography are collected periodically by the Economic Department, which forward reports and make presentations to the Supervision Department. EC2 The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. Description and As mentioned in EC1, Article 349 (13) of the General Law empowers the SBS to set findings re EC2 regulations for the elaboration, presentation and disclosure of financial statements and complementary information, as well as consolidation criteria, based on general accepted accounting principles. Articles 354 further elaborates on the matter, authorizing the SBS to: require the establishment of provisions and reserves for off-balance sheet items that bear credit or market risk; require that investments and other exposure subject to market risk are marked to market according to a methodology to be established; require that fixed and other assets are adjusted to their market value according to a methodology to be established; to forbid entities to pay dividends or distribute profits in any form until they comply with the previous stated requirements; require the amount of provisions it deems necessary in cases where there is not enough information to properly value it. The Accounting Manual, as mentioned in EC1, provides reporting instructions and formats. The Manual has been prepared in accordance with International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board(IASB), which have been established in Peru by the Accounting Standards Board. EC3 The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. 78 PERU Description and As detailed in EC2, SBS has explicit powers to establish valuation criteria. findings re EC3 The Regulation for Trading and Accounting of Derivatives (SBS Resolution 1737-2006) broadly encompasses aspects of IAS No. 39 on accounting for derivative financial products. Article 8 establishes that the initial measurement of a trading derivative will be made at fair value. Thereafter, any change in the fair value of the derivative will affect the bank’s income statement. To this end, they must be used more conservative valuation price points (bid, ask) depending on whether the position is long (active) or short (passive), except in the case of positions that offset market risks together, in which case they may use average market prices as a basis for fair values. The Regulation for the Classification and Valuation of Investments (Resolution 7033- 2012), establishes a standard methodology for identifying the impairment of financial instruments, in accordance with international standards. The Accounting Manual, based on international accounting practices elaborates on fair value and requires entities to have valuation methodologies periodically tested and calibrated. In case of intangibles such as goodwill, it is required an annual valuation which is available to the SBS. The SBS also requires banks, on occasion to provide a special report by independent professionals in case of complex products. The Asset Classification and Provisioning Regulation (Resolution 11356-2008) lays down criteria for calculation of loan exposures taking into account valuation of collateral and provisioning. As for Interest Rate Risk and the reporting of Annex 7 – Interest Rate Risk Measurement, Circular B-2087-2001 establish that validation of the calculations of interest rate risk is to be performed independently. On-site examinations on credit risk encompass the assessment of policies and procedures related to valuation of collateral. IFRS has been implemented in Peru with some minor deviations (see CP 27) and annual external audits encompass the validation of valuations. EC4 The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. Description and SBS collects information on a daily, monthly, quarterly and yearly basis (see details on findings re EC4 EC1) depending on the nature of information. The SBS collects a wide range of information, both quantitative and qualitative. While ad-hoc requests vary and are usually more frequent for systemic banks, periodic information collected is mostly homogeneous for all banks. ICAAP reports are different in the case of the local systemic banks. The yearly Corporate Governance Questionnaire is also further tailored in case of systemic banks. Depending on the concerns related to a particular bank certain reports might be requested to be submitted in shorter intervals or earlier (e.g. liquidity). 79 PERU Data collected is systematically used producing daily, monthly and quarterly reports, as well as for ongoing monitoring. EC5 In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). Description and SBS collects data, as detailed in EC1, on a periodic basis from all supervised entities findings re EC5 and also certain information from holding companies and financial affiliates. The Accounting Manual, Annexes and Reports, detailed in EC1, apply to all core financial sector entities with different levels of requirement, depending of the nature of the company. Insurance firms are subject to a different Accounting Manual and require the submission of information on a daily, monthly and yearly basis. Financial conglomerates are required to provide on consolidated basis (Article 20 of the Consolidated Supervision Regulation) balance sheets/income statements (quarterly), cash flow statement (annually), statement of changes in equity (quarterly), financial eliminations (quarterly), regulatory capital (quarterly) capital ratio calculations (quarterly), global risk management report (annually), as well as information on related and connected parties (quarterly). EC6 The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. Description and Article 350 of the General Law states that the Superintendent may examine, by findings re EC6 whatever means it deems necessary, books, accounts, records, documents, correspondence and any other information necessary for the performance of their duties. It may also require all records it deems necessary to inquire about the financial situation of the company, resources, administration or management, performance of their representatives, degree of safety and prudence with which investments are made and generally any other matter which in his opinion should be clarified. Also, the SBS can receive testimony from third parties and request the display of books and documents. Regarding mixed conglomerates, the SBS does not have direct access to information but has the powers to indirectly require them. Article 138(2) of the General Law states that the SBS is entitled to request information in order to determine the effects of the financial situation of non-financial entities on the financial situation of supervised entities. The supervised entities are the ones required to provide such information. 80 PERU EC7 The supervisor has the power to access29 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. Description and SBS seems not to have difficulties in accessing records, bank’s Board, management findings re EC7 and staff when required. There is a legal limitation, nevertheless, in having access to records of a cross-border bank due to secrecy issues. In those situations, SBS has been coordinating with local authorities, requiring specific reviews of the information protected by secrecy law. EC8 The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. Description and The SBS has an automated system, SUCAVE, for banks submitting prudential returns. findings re EC8 Article 87 and 92 of the General Law deems Board members and senior management responsible in case any information requested is not submitted to the SBS and failing to do so is considered an infraction. Such provisions are reflected in the regulation related to the need for submission of information through SUCAVE and the Accounting Manual. The Sanctions Regulation (Resolution 816-2005) considers it an infraction not to follow the requirements related to the accounting manual including its Annexes and Reports. The regulation also considers it an infraction not to submit the periodic information requested by SBS. SBS reports that failure to submit information and delays are rare. Quality is overall good, apart from when new information is requested. In these cases, depending on the type of information, it can take some time for full implementation. In case of systematic delays or the need to require banks to resubmit information, SBS can submit a written request and depending on the situation ask for a correction plan. EC9 The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a program for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.30 Description and Work performed by external auditors, together with software validations and on-site findings re EC9 examinations complement each other to determine the validity and integrity of supervisory information. As part of the external audit work, a review is required of compliance with prudential ratios and limits, calculations of risk weights and regulatory capital. 29Please refer to Principle 1, Essential Criterion 5. 30Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 81 PERU The External Audit Regulation (Resolution 17026-2010) Article 6, combined with Annex I require External Audits to review the compliance with prudential ratios, as well as the review of all prudential returns reconciling them with trial balance and ensuring that such information has been approved at the appropriate level and presented to the SBS as per regulatory requirements. The SUCAVE (software for submission of financial returns) has an internal validation process of most information (against trial balances) which prevents the information form being sent until the inconsistencies are corrected. Examinations also include direct validations of some of the information periodically submitted to the SBS, focusing particularly on the risk-weights calculation for credit risk, and provisioning. Those are conducted on an as-needed basis. In addition, since 2016 on-site examinations encompass IT modules, audit style, focused on the evaluation of the generation processes of prudential returns, particularly focused on the reports considered more relevant, related to capital adequacy, provisions and liquidity. SBS hasn’t’ made use of external expert thus far. EC10 The supervisor clearly defines and documents the roles and responsibilities of external experts,31 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. Description and SBS does not make use of external experts for performing supervisory work. On findings re EC10 occasion, it has hired experts with the support of SECO for capacity building purposes including liquidity stress testing, internal models for credit risk, as well as risk data aggregation. EC11 The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. Description and SBS does not make use of external experts for performing supervisory work. findings re EC11 EC12 The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. Description and The SBS collects a broad range of information from banks on a periodic basis and findings re EC12 changes in regulations are reflected in changes in submissions, as needed. In recent 31 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts. 82 PERU years, enhancements have included the liquidity funding gap and yearly information on individual’s income, to monitor over indebtedness. Major reviews are performed less often but do occur. A few years ago, there was a major review on the information submitted related to credit risk and currently a task force has been established to perform an overall review of information received, aiming at eliminating overlaps. Assessment re Compliant Principle 10 Comments The SBS has an adequate approach for collecting, reviewing and analyzing prudential reports and statistical returns from banks on both a solo and a consolidated basis, and independently verifies these reports through on-site examinations. Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. EC1 The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. Description and The legal and regulatory framework enables the SBS to raise supervisory concerns findings re EC1 with banks’ management and board at an early stage to require concerns to be addressed in a timely manner. Article 90 of the General Law requires that every communication from SBS related to an on-site examination or investigation or that contains recommendations regarding its business to be submitted to the Board at its next meeting under the responsibility of the Chairman of the Board. The law further reinforces such statement, requiring the SBS to inform findings from its on-site examinations through a written report to the supervised entities so that with the intervention of the Board, corrective measures, within an appropriate time frame are adopted (Article 359 of the General Law). In practice, on-site examinations encompass an exit meeting with the CEO where initial findings are presented. Those findings are submitted in written form and the bank has five days to react. After that, a final inspection report is submitted to the Chairman of the Board encompassing findings and recommendations (corrective actions). In terms of follow ups, according to the Internal Audit Regulation (Resolution 11699- 2008), banks’ internal audit is required to assess the timely and proper implementation of the recommendations and measures to perform corrective actions required by the SBS. Article 18 requires the Internal Audit to submit the SBS quarterly reports (20 days after the end of the quarter) on the implementation of the 83 PERU recommendations, indicating stage of implementation and other comments deemed relevant. Those reports are closely monitored by SBS. All communications, including supervisory concerns are delivered to the banks through SABM. The vast majority of supervisory concerns are raised through the inspection report delivered after yearly on-site examinations. Other ad-hoc situations of concern, depending on the seriousness of the issue can result in a meeting with senior management led by the Deputy Superintendent, followed by a written request for actions to be taken. The team in charge of the bank, under SABM, is responsible for monitoring follow ups. SBS has a web-based tool that consolidates all follow ups from on-site examinations. Issues to be addressed, stemming from off-site surveillance are monitored separately. Cases made available to the assessors indicated that SBS does systematically communicate its supervisory concerns to banks, mostly stemming from on-site examinations. The number of observations presented at the inspection reports are significant, encompassing major issues, as well as non-compliance with any regulatory requirement, which can pose difficulties in ensuring the major issues are properly addressed. In 2017, the SBS adopted an approach to prioritize observations, ranked in high, mid and low priority, which has been reported by banks to have been helpful in planning how to address the observations. On the cases made available to the assessors, banks seem to take measures to address supervisory concerns in a timely fashion. IT enhancements related issues are the ones that seem to take more time to be tackled by banks, and a request for an extended time of implementation is not unusual. In addition to the written progress reports and checks that corrective actions are completed satisfactorily, the yearly examinations include the on-site verification of the effectiveness of major measures taken. Files made available to the assessors confirmed such practice. EC2 The supervisor has available32 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. Description and Article 349 (19) of the General Law empowers SBS to perform all acts necessary to findings re EC2 safeguard the interests of the public. Based on those powers SBS requires banks to take a range of corrective actions as necessary, including requiring capitalization, limit growth, requiring board members to step down, among others, which have been exercised. Nevertheless, up to now, the SBS has not operationalized those powers 32 Please refer to Principle 1. 84 PERU into a regulation or procedures comprising a range of supervisory tools to be used depending on the severity of the situation. Article 355 (on profit distribution and entities with financial instability or management deficiencies) empowers the SBS in case of entities with financial instability or management deficiency, to require capital adjustments, as necessary, to reflect actual capital ratios, as well as request cash capital increases. In addition, the SBS is also empowered to forbid entities from performing one or more of the following (for six months, renewable for six months more): a) to take additional risks of any kind with any related party; b) to renew for over 180 days, any operation that implies any risk; c) to execute operations that generate new market risk; d) to purchase, sell or encumber fixtures or real property corresponding to their fixed assets or to their permanent financial investments; e) to transfer financial instruments from their credit portfolio; f) to grant credits without collateral; and g) to grant Powers of Attorney for the execution of the operations set forth in the preceding points. The General Law characterize infractions (Article 356), including legal or regulatory breaches, all subject to sanctions. Art. 361 grants the SBS with powers to impose the following sanctions depending on the severity of infractions (in addition to further provisions on sanctions in regulations), as listed below. 1. admonition; 2. fine in an amount not less of ten UITs33 or larger than two hundred, unless the present law indicates in a specific way, a different amount; 3. fine director or staff, not less than five points UIT or bigger than one hundred; 4. suspension of the director (board member) or staff in charge, for a term not less than three days or larger than fifteen, and removal in case of relapse; 5. destitution; 6. ineligibility of the director or staff in the case they were responsible of the intervention or liquidation of the institution under their charge; 7. prohibition of distributing dividends; 8. intervention; 9. suspension or cancelling of the operations authorization; 10. dissolution and liquidation. SBS also has established a Sanctions Regulation (Resolution 816/2005) and have further provisions on fines. The General Law (Article 95) also empowers the SBS to put banks under a “surveillance regime” in circumstances such as: failure to meet capital requirements for over three months; grant loans to its own shareholders in order for them to capitalize the bank; incurring notorious or repeated violations of the General Law, as One UIT is currently 4,000 soles. 33 85 PERU well as other serious reasons. Under such regime, SBS has ample powers to require a recovery plan and to require immediate recapitalization, among others. Articles 104 to 107 deal with intervention, which can be triggered based on failure to complete a recovery plan established under the surveillance regime, reduction in 50 percent of its regulatory capital, among others. Finally, Article 381 of the General Law establishes among the powers of the SBS, the power to deny, suspend or cancel the operating license of financial entities. In practice, aspects related to safety and soundness are tackled by initially requesting banks to submit an action plan. Overall, SBS heavily relies on moral suasion and files made available to the assessors indicate that it has been successful thus far. Banks’ files and recent years developments didn’t encompass situations such as those described in EC2. The authorities presented to the assessors, nevertheless, several examples related to other deposit taking institutions where actions were taken. Examples reviewed by the assessors included limiting asset growth, requiring Tier 1 capitalization, request for replacement of the CFO and denial of authorizations. EC3 The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. Description and As mentioned in the previous EC, the SBS has the general power to take all necessary findings re EC3 measures to safeguard public interest, as well as with specific powers to address breaches of regulatory ratios and measurements. In practice, files made available to the assessors indicate that the authorities effectively act through moral suasion, at an early stage, particularly regarding to capital requirements, successfully taking action to prevent it from reaching the minimum requirement or breaches. It also evidenced the effectiveness of SBS moral suasion in relation to matters related to risk management. In case of breaches to the minimum regulatory capital ratio (10 percent) for three consecutive months or five alternate months within a year, banks are put under the surveillance regime (Art. 95(2g)). A decrease in 40 percent of regulatory capital 9Art. 95(2h) also results in the bank being under the surveillance regime while a 50 percent decrease triggers intervention (Article 104). In addition, Article 63 of the General Law requires that any deficit of the minimum capital needs to be addressed within the next trimester, which can be extended twice if it is deemed that the bank is envisioning reasonable efforts to address the issue. Resolution 8425-2011 on capital buffers (Article 16) establishes that any reduction on capital below the supervisory buffer requires SBS authorization and a recapitalization plan. Failure to comply with the recapitalization plan will result in sanctions. In practice, as mentioned in EC2, cases of no compliance are dealt either through moral 86 PERU suasion or by making use of Article 349. Examples provided by the authorities confirmed such practice. Breaches to the consolidated capital requirements for the group trigger the presentation of a capitalization plan and other measures (Article 12 of the Consolidated Supervision Regulation). In addition, breaches of a series of limits (Articles 200 to 211 of the General Law) related to concentration risk and others for which breaches are considered infractions, as per Article 219. In practice, SBS has made use of moral suasion and to tackle negative trends in consolidated capital ratios, consolidated capital breaches or other breaches EC4 The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. Description and The broad powers laid down in Article 349 (19), enabling SBS to perform all acts findings re EC4 necessary to safeguard the interests of the public, are the ones mostly used to effectively address, at an early stage, situations of unsafe and unsound practices, risks to the bank or the banking system or when interest of depositors are otherwise threatened. In addition, Article 355 (on profit distribution and entities with financial instability or management deficiencies) empowers the SBS in case of entities with financial instability or management deficiency, to require capital adjustments, as necessary, to reflect actual capital ratios, as well as cash capital increases. In addition, the SBS is also empowered to suspend for six months (renewable for another six months) entities from performing one or more of the following: a) to take additional risks of any kind with any related party; b) to renew for over 180 days, any operation that implies any risk; c) to execute operations that generate new market risk; d) to purchase, sell or encumber fixtures or real property corresponding to their fixed assets or to their permanent financial investments; e) to transfer financial instruments from their credit portfolio; f) to grant credits without collateral; and g) to grant Powers of Attorney for the execution of the operations set forth in the preceding points. 87 PERU The General Law (Article 95) also empowers the SBS to put banks under a “surveillance regime” in circumstances such as: fail to meet capital requirements for over three months; grant loans to its own shareholders in order for them to capitalize the bank; incurring notorious or repeated violations of the General Law, as well as other serious reasons. Under such regime, SBS has ample powers to require a recovery plan and to require immediate recapitalization, among others. Articles 104 to 107 deal with intervention, which can be triggered based on failure to complete a recovery plan established under the surveillance regime, reduction in 50 percent of its capital ratio, among others. SBS does not count with a framework that operationalizes all legal powers granted to SBS thorough a range of measures to be applied in accordance with the gravity of the situation although in practice, has been able to successfully tackle those issues thus far. EC5 The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. Description and The General Law characterized infractions (Article 356), including legal or regulatory findings re EC5 breaches, are all subject to sanctions. Art. 361 grants the SBS with powers to impose sanctions depending on the severity of infractions (in addition to further provisions on sanctions in regulations), encompassing board members and staff. Sanctions include: 1. fine director or staff, not less than five points UIT or bigger than one hundred. 2. suspension of the director (board member) or staff in charge, for a term not less than three days or larger than fifteen, and removal in case of relapse. 3. destitution. 4. ineligibility of the board member or staff in the case they are deemed responsible for the events leading to intervention or liquidation. SBS has applied a few of those types of sanctions over the last several years. EC6 The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. Description and Article 349 (19) of the General Law gives the SBS ample powers to take the necessary findings re EC6 actions to ensure the safety and soundness of the system. More specifically, Article 134 establishes as one of SBS attributions to perform consolidated supervision of financial and mixed conglomerates. Article 138 ° of the General Law states that as a result of consolidated supervision, the SBS can require supervised entities to adopt prudential measures to mitigate inappropriate risks related to transactions with other entities of the group including situations resulting from lack of information where risks cannot be properly assessed. 88 PERU The Consolidated Supervision Regulation (Resolution 11823-2010) establishes capital requirements and limits applicable to conglomerates. EC7 The supervisor cooperates and collaborates with relevant authorities in deciding when and how to affect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). Description and SBS is the resolution authority in Peru. findings re EC7 Assessment re Largely Compliant principle 11 Comments SBS does effectively act at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The broad powers granted by the legal framework, paired with a moral suasion culture have enabled SBS to successfully tackle supervisory concerns. SBS has experienced senior staff that ensure consistency in the application of the corrective actions. Nonetheless, SBS would benefit from documenting the in practice used operational procedures and framework for corrective action, to provide further assurance on its consistent application. Authorities are recommended to: • Operationalize legal powers into a regulation or procedures comprising a range of supervisory tools to be used depending on the severity of the situation, encompassing its full range of powers including withdrawing a license. Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide. 34 EC1 The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. Description and Peru has two systemic domestic conglomerates, both holding a sizeable percentage findings re EC1 of total assets abroad and diversified non-banking activities. The legal framework in Peru empowers SBS to exercise full consolidated supervision only from the bank downwards and to gather information, through the supervised institution groupwide. SBS seems to have a broad understanding of the banking groups under its purview. Particularly in recent years, SBS managed to gather an array of information on wider group, domestic and cross border. Albeit the limited powers regarding consolidated 34 Please refer to footnote 19 under Principle 1. 89 PERU supervision described in CP 1, SBS effectively collects information on affiliates (banking and non-banking), domestic and cross border. SBS has been able thus far to take action, through moral suasion, when risks arising from other entities in the wider group have been object of concerns. The legal limitations, nevertheless, of having actual access to the parent and business interests and affiliates to shareholders and the parent, might jeopardize consolidated supervision in the future. EC2 The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, and exposures to related parties, lending limits and group structure. Description and Despite the legal limitations regarding the holding and its affiliates (which are outside findings re EC2 the supervisory perimeter), SBS does impose prudential standards on a consolidated basis, including capital requirements, as well as prudential limits (related party exposures and concentration risk) through its Consolidated Supervision Regulation. There are no liquidity requirements on a consolidated basis. Corporate governance and risk management framework are also not applied at the holding level. The Consolidated Supervision Regulation also establishes that in case of shortcomings in capital requirements on a consolidated basis an action plan is requested. Deficits of less than 20 percent of the consolidated capital requirement results in supervised entities to have to ask for authorization for distributing dividends. Shortcomings of more than 20 percent of the requirement result in suspension of dividends. In case of breaches of concentration or related party limits supervised entities are required to ask for authorization prior dividends distributions. Article 20 of the Consolidated Supervision Regulation requires supervised entities to submit information for consolidated supervision purposes, including financials, capital requirement calculations, related party transactions and concentration limits on a consolidated basis. A special unit within SAR is in charge of compiling and monitoring such information, which is submitted to the Consolidated Supervision Committee for discussion, which includes the participation of the insurance and pension funds supervisors. The Committee is a forum for further discussions of aspects pertaining to the groups. EC3 The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of 90 PERU supervision conducted in the host countries in which its banks have material operations. Description and SBS reviews the oversight of foreign operations of Peruvian banking groups. findings re EC3 Cross border operations of domestic conglomerates are part of the overall supervisory approach. SBS relies on reviews of board meetings and also discussion with senior management for those assessments. It also performs on-site examinations every year, notwithstanding the fact that those operations are affiliates to the domestic entities (through the holding, which is not a supervised entity) and, therefore, from a legal perspective, outside the supervisory perimeter. Effectiveness of supervision conducted in the host countries is taken into account in establishing SBS supervisory approach and depth of examinations. EC4 The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. Description and As mentioned in EC3, SBS does perform examinations on a systematic basis abroad findings re EC4 albeit those entities being, from a legal perspective, outside the supervisory perimeter. They do meet the local supervisors. Examinations are conducted every year, as with supervised entities. EC5 The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. Description and Over the years SBS has managed to gather and update a significant amount of findings re EC5 information on parents and companies affiliated with the parent companies that can have an impact on the safety and soundness of the bank and the banking group. Information has been gathered through information requests, meetings with the holding companies and also through public information, which are followed up as appropriate. Supervisory actions taken are limited by the legal and regulatory framework (please refer to CP 1). There seems to be no critical review of the strategy and other considerations regarding non-financial entities within one of the groups. Actions have been mainly focused on ensuring that consolidated capital levels are met. EC6 The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that: 91 PERU a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or c) the exercise of effective supervision on a consolidated basis is hindered. Description and SBS does not have the power to limit the range of activities that the consolidated findings re EC6 group may conduct and which activities can be conducted as its supervisory perimeter encompasses the entity (bank) downwards only. SBS understands though that, in case of need, it would be able to limit those through moral suasion. EC7 In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.35 Description and SBS supervisory framework encompassing supervising individual banks in the group. findings re EC7 Extensive information, as detailed in CP 10 is requested on an individual level. Relationships with other members of the group are examined through review of contracts among entities of the group, as well as discussed in meetings. Assessment of Largely Compliant Principle 12 Comments Peru has two systemic conglomerates, holding on a gross basis 23 and 21.8 percent and on a net basis 6.3 and 13 percent respectively of total assets abroad. The legal framework in Peru empowers SBS to exercise full consolidated supervision only from the bank downwards. Holding companies of banks are not formally regulated or supervised. The vast majority of foreign exposures are, nevertheless, held through the holding companies. In recent years SBS has been able to gather information on the conglomerates, monitoring their activities and requiring, by enforcing through the supervised entities and moral suasion, prudential requirements and controls. To a certain extent SBS acts “de facto” as the home supervisor, systematically conducts examinations of financial subsidiaries of the holding (in relation to which it has no supervisory powers). Notwithstanding these efforts, the lack of legal enforceability of supervisory requirements directly to the holding company and the existence of not-insignificant operations cross-border, outside the direct supervisory perimeter are issues of concern (also taking into account that one of the financial groups has the strategy to look for expansion opportunities abroad). The fact that the holding company can have all types of investments in non-financial entities and its risk management and controls are not under the formal scrutiny or regulatory requirements of the SBS are also reasons for concern. Moreover, its approach, particularly regarding governance, liquidity, risk management and risk management overall needs enhancement (please refer to CPs 14, 15, 16 and 24 for further details). 35 Please refer to Principle 16, Additional Criterion 2. 92 PERU Authorities are recommended to amend the legal framework in order to be able to exercise consolidated supervision fully. Authorities are also recommended to enhance their consolidated supervision approach to governance, overall risk management, capital and liquidity risk management, as detailed in CPs 14, 15, 16 and 24. The rating reflects the fact that the key shortcomings for the fulfillment of this CP result from legal limitations, which were factored in the rating of CP 1. Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. EC1 The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. Description and Cross-border operations conducted are concentrated in the two systemic findings re EC1 conglomerates and represent almost on a net basis 11 and on a gross basis 22 percent of total assets. Operations include, in addition to banks (around 9 percent of total assets) a series of financial institutions in one of the cases, the other a mix of financial and non-financial entities, which are controlled by the holding company. Although from a legal perspective the vast majority of those operations are outside the supervisory perimeter (investments through the holding), SBS acts de facto as the home supervisor. None of those operations are material from a host supervisor perspective. For one of the financial conglomerates, for which the SBS has assumed the responsibilities of home supervisor, SBS conducted its first supervisory college in June 2017, attended by representatives of SBS, SMV, FED, Cayman Islands, Panama, Colombia and Chile. The college encompassed presentations on banking, insurance, pensions and securities, the latter conducted by SMV. All participants signed a confidentiality agreement. EC2 Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group36 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such 36See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected. 93 PERU as memoranda of understanding) are in place to enable the exchange of confidential information. Description and Through MoUs and informal arrangements, Peru has established lines of findings re EC2 communication with home and host supervisors. As mentioned in CP3, MoUs in place include Canada, Colombia, Ecuador, Spain, Mexico, Panama, Bahamas, China, El Salvador, Venezuela, Bolivia, Guatemala, Italia, Nicaragua and Brazil. There are no formal arrangements with the US, Chile, Panama, Cayman Islands. The SBS informs, nevertheless, that there are no impediments for exchanges, with informal arrangements working at their satisfaction, including the submission of written requirements with requests for authorizations to conduct cross-border examinations, the conduction of joint examinations as well as regarding information requests. SBS systematically participates in the colleges of Scotiabank and BBV, the two foreign-owned systemic banks. As a home supervisor, SBS conducts frequently joint examination of foreign operations, particularly in those cases where there are legal impediments for full examination/ secrecy issues, including Panama, sharing the summary of its inspection report with the host supervisor. In addition, as mentioned in EC1, SBS has conducted its first supervisory college sharing its view on BCP and Mibanco. During the College there were also presentations by SMV, Insurance, Pensions and from the supervisors of Panama, SVS from Chile, FED Miami and Colombia. EC3 Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. Description and The SBS has had as common practice to conduct joint examinations both from a findings re EC3 home and host perspective. Particularly as a home supervisor, examinations conducted abroad are frequently joint examinations. Cross border visits encompass branches, subsidiaries and affiliates of Peruvian banks in other countries and are initiated by a communication in which no objection by the host supervisor is requested regarding the dates and scope of the visit. A preliminary meeting is conducted with host supervisors prior the beginning of the examination visit. Usually, examinations are carried out with the support of host supervisor due to legal restrictions for total access to information, followed by a final meeting where the preliminary results are discussed. The inspection report with recommendations is later submitted to the entity and a copy of the summary shared with the host authority. As a host supervisor, SBS report that examinations from the home supervisor are rare, but have happened on occasion. Home supervisors coordinate with SBS, including meetings for exchange of supervisory views. Information made available to the assessors confirmed SBS practice of collaborative work when performing cross- border examinations. SBS also reaches out to other supervisors to discuss supervisory practices and the regulatory framework of those countries, both in order to satisfy its 94 PERU needs in terms of consolidated supervision, as well as to inform decisions regarding changes to the regulatory framework. EC4 The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. Description and As described in previous ECs, SBS communication strategy is anchored on its cross- findings re EC4 border examinations, which are performed almost every year. Examinations (always with participation of the local supervisor) are conducted and summary of findings are shared between the supervisors. Communication of views to banks are done separately. The first college on CrediCorp was conducted in 2017. EC5 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. Description and SBS is yet to develop a framework for cross-border crisis cooperation and findings re EC5 coordination. The last couple of MoUs signed already included clauses related to crisis management. SBS reported to have plans to incorporate those clauses into other MoUs. EC6 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. Description and SBS is yet to develop group resolution plans for its two systemic domestic findings re EC6 conglomerates. EC7 The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. Description and Foreign banks operation in Peru are subject to the same legal and regulatory findings re EC7 framework as domestic banks. There are currently no cross-border operations of foreign banks operation in Peru. Article 6 of the General law forbids the SBS to issue regulations that provide different treatment for companies of same nature. EC8 The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and 95 PERU soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. Description and SBS reports not to have any impediments to the access to local offices and findings re EC8 subsidiaries relative to home supervisors’ visits and examinations. Documents made available to the assessors confirmed that home supervisors have visited Peru and coordinated with SBS under the scope of MoUs or agreements reached with senior management. EC9 The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. Description and The legal and regulatory framework does not allow for the establishment of booking findings re EC9 offices or shell banks. Banks and branches to be established in Peru require authorization from the SBS and are subject to a single process (Licensing Regulation – Resolution 10440-2008), which encompass a feasibility study, financial strength of shareholders, fit and propriety, as well as the establishment of policies, procedures, hiring of senior management, risk management staff, existence of IT systems in place and all the elements that are required for a full operation to be established. The feasibility study, encompassing market, financial and management components is expected to contain, among others, the description of the main operations and services to be conducted, information on the premises and facilities, the geographical area of the country in which it will carry out its activities as well as its organization and administrative structure. EC10 A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. Description and SBS report to coordinate with domestic and foreign supervisors, to the extent findings re EC10 possible before taking consequential action on the basis of information received from another supervisor. An example includes exchanges with BCRP, where based on information provided by BCRP, SBS has taken corrective actions. Cross-border, where visits have been carried out with the support of the inspectors of local supervisory bodies to avoid violating legal constrains such as bank secrecy, if they had observations or aspects that they must be corrected as a result of this review, those are included in the inspection reports for corrective action, after coordination with the host supervisor. Assessment of Compliant Principle 13 Comments SBS actively cooperates with home and host supervisors. Cross-border operations are concentrated in the two systemic conglomerates and on a net basis 11 and on a gross basis 22 percent of total assets. Although from a legal perspective the vast majority of those operations are outside the supervisory perimeter (investments through the holding), SBS acts de facto as the home supervisor. None of the foreign 96 PERU operations are material from a host supervisor perspective. Aspects related to resolvability and handling crisis situations have been factored into the rating of CP 8. Authorities are recommended to establish Crisis Management Groups for the two systemic conglomerates. B. Prudential Regulations and Requirements Principle 14 Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management, 37 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. EC1 Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. Description and Peruvian companies have a two-tier governance structure in which the Supervisory findings re EC1 Board (“Board”) exercises the oversight over Executive Management. The Chair of the Board can perform executive functions, and of senior management only the CEO can be a part of the Board. As a result, the CEO can also be the Chair of the Management Board (and vice versa), which from an effective oversight perspective would not be an optimal situation. Although this seems not to be common (in practice only observed as a temporary situation in special circumstance, e.g. in cases where the CEO resigned and needs to be replaced), when the case, the SBS requests banks to explain which mechanisms it has in place to avoid potential conflicts of interest as a result of combining these responsibilities. The LGSF (Article 87, 90, 93 and 94) establishes the basic responsibilities of the Board and the CEO, and requires them more generally to comply with the regulations as issued by the SBS. The LGSF (art. 84) requires the Board to meet on a monthly basis. The CEO is required to inform the Board at least on a quarterly basis on the general business developments, and in every normal (monthly) session on the development of the credit and investment portfolio, as well as any violations of limits established by the SBS. More detailed risk management and governance regulations are provided by the SBS through the Comprehensive Risk Management Regulation (GIR - Resolution SBS No. 37-2008), which applies to all Supervised Institutions (SIs). This regulation, considering proportionality, details from a sound integrated risk management perspective the responsibilities of the Board (article 8) and senior management (article 10), including the establishment of Board Committees (articles 11 and 12), in 37 Please refer to footnote 27 under Principle 5. 97 PERU specific the Board Risk Committee (articles 13 and 14) and Board Audit Committee (articles 15 and 16), and the responsibilities of the financial institution’s risk unit and Chief Risk Officer (CRO - articles 17, 18 and 19). It establishes the Board and senior management’s responsibilities regarding outsourcing (article 21) and the role of Internal and External Audit (article 22 and 23). In addition, it provides details on SBS’ expectations and requirements regarding whistleblowing (article 6), the relation between risk management and internal control (article 7), and the compliance function (article 7-A). Article 8 of the GIR establishes the following Board responsibilities: a) Approve the general policies that guide the activities of the company in the management of the various risks it faces. b) Select managerial staff with technical and moral suitability, who act in a prudent and appropriate manner in the development of the businesses and operations of the company, as well as in the fulfillment of their responsibilities. c) Approve the necessary resources for the adequate development of comprehensive risk management, assuring appropriate infrastructure, methodology and personnel. d) Establish a system of incentives that encourages the proper functioning of a comprehensive risk management that does not favor inappropriate risk taking. e) Approve the organization and function manuals, policies and procedures and other company manuals. f) Approve general policies for the responsibilities of the company, including: f.1 The prudent administration, in line with established agreements and the applicable regulation, of the deposit and assets in custody, administered or invested on behalf of clients and third parties, avoiding conflicts of interest. f.2 Reasonably ensure that its investment or similar advice is presented with the appropriate information, considering the client’s risk tolerance and return expectations. g) Establish business objectives, evaluate and approve their business plans considering the associated risks. h) Know the main risks faced by the entity establishing, when possible, adequate levels of tolerance and appetite for risk. i) Establish an adequate system of delegation of powers and segregation of functions throughout the entire organization. j) Reasonably ensure that the capital of the company is sufficient to face the risks to which it is exposed, for which it must know the capital needs and establish management policies that support the needs of the company, complying with the regulatory requirements appropriately. k) Obtain reasonable assurance that the company is effectively managing the risks it is exposed to, and that the main risks are under control within the limits the Board has established. Article 9 of the GIR requires the Board members to individually declare and sign-off on the compliance with the regulation, confirming that the institution has an adequate risk management and that they have taken note of all the information 98 PERU provided by senior management, the Board Committees and External Audit and that all needed corrective actions have been taken. Possible deficiencies and planned actions to address these, need to be included in the declaration. Using the 2015 issued Basel Corporate Governance Principles for Banks as a basis, the SBS has issued in February 2017 an updated version, called the Corporative Governance and Comprehensive Risk Management Regulations (Corporate Governance & GIR - Resolution SBS No. 272-2017). The revised regulation will come into effect and replace the existing regulation per April 2018. The regulation enhances the requirements for independent Board members, provides more details on the composition of Board Committees, introduces the Remuneration Committee (considering the size and complexity of the financial institution), succession planning, and sets the expectation of a Board effectiveness self-assessment. The material differences with the Basel Corporate Governance Principles are limited. For example, the regulation does not require the disclosure of the firing of the CRO or the Internal Auditor. However, all banks and insurance companies are required to be listed (article 29 of the LGSF) and are therefore subject to the disclosure requirements set by the SMV, and under their regulations, the firing of the CRO or Head of Internal Audit would be a significant event that needs to be disclosed. The proportionality principle (considering the nature, size and complexity of the business and the wider group) included in both regulations is relevant as the regulations do not only apply to banks, but to all deposit taking institutions (“FIs”), insurance companies, pension funds as well as related complementary service companies (all together “supervised institutions” of “SIs”). The SBS has been creating awareness on its expectations regarding the implementation by the banks of the Basel Principles on Corporate Governance, by including these since 2013, initially using the consultation paper as a basis, in the corporate governance self-assessment questionnaire (Self-assessment Questionnaire of Good Corporate Governance Practices for Financial System), which is sent as a standard procedure to FIs in preparation of the on-site examination. Although the regulation will only come into force per April 2018, because of the proactive approach of the SBS the supervised banks, in particular the top four commercial banks, already have a high compliance level with the new regulation and are expected to be fully compliant by April 2018. Given the attention the SBS already has given to the implementation of this regulation, which was evidenced by reviewed supervisory documentation, the regulation and its status of implementation have been taken into account for the purpose of the assessment. The GIR and its replacement the Corporate Governance & GIR do not apply to the holding or the financial group of conglomerates for which the SBS is the home supervisor. The SBS has issued a separate Consolidated Supervision Regulation (Resolution SBS 11823), which has less detailed requirements (although also making some reference to the GIR), but more broadly requires (in article 26) the supervised entity, part of a conglomerate for which the SBS is the home supervisor, to take the 99 PERU necessary measures to assure that the financial group implements mechanisms that allow an adequate comprehensive management of the group-wide risks. SBS’ guidance and regulations on group-wide corporate governance is less developed. EC2 The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. Description and The SBS uses a rating methodology consisting of 7 building blocks: i) Solvency; ii) findings re EC2 Credit risk; iii) Liquidity risk; iv) Market risk; v) Operational risk; vi) Profitability and efficiency; and, vii) Management and control. The governance elements are on the one hand assessed per risk type (credit, liquidity, market and operational risk), but also overall under the block “Management and control”. For establishing the rating for the institution’s overall management and control, the SBS assesses the following elements: a) Strategic management of the institution b) Suitability of the Board and senior management and the overall corporate governance c) Quality of internal audit d) Quality of the AML/CFT system e) Transparency f) Compliance function As mentioned under EC1, two months in advance of the annual on-site examination, the SBS sends the banks the Self-assessment Questionnaire of Good Corporate Governance Practices for Financial System Companies, which the banks need to be complete one month in advance of the on-site examination. The results of the self- assessment and the accompanying underlying documentation are used as an input for the on-site examination. The assessment of the corporate governance and risk management of banks is a standard part of the annual examinations. For each element, the SBS has defined detailed assessment criteria, which are described in the on-site supervision manual No. B.1.PS – GC01. Meetings and interviews with senior management and a review of the minutes of the meetings of the Board and its different Committees are important elements of the corporate governance and risk management review. As a part of this evaluation process, the interaction with the Board of commercial banks has so far mostly been limited to an annual meeting with one of the independent Board members. The internal rating methodology and supervisory manuals focus on the licensed entity, while the corporate governance of groups (for which the SBS is the home 100 PERU supervisor) is not explicitly covered. However, the SBS is in the process of gradually requiring good corporate governance practices at the group level (for which the SBS is the home supervisor), incorporating in the self-assessment questionnaire since 2017 also some aspects related to the group. In addition, during on-site inspections to the supervised entities, the holding companies’ Board minutes are reviewed, and during overseas on-site inspection to financial subsidiaries and affiliates, Board and Board committee minutes are also required, as well as the detailed mechanisms and documents issued for assuring the adequate communication among these companies and the holding, and vice versa. EC3 The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members. Description and Article 79 of the LGSF requires financial institutions to have at least 5 Board members findings re EC3 which are suitable, while the impediments (as determined in the General Company Law – “LGS”) and minimum legal requirements (moral and technical suitability) are provided in article 81. Article 5 of the Corporate Governance & GIR (coming into effect April 2018) establishes the requirement for Board regulations (not part of the existing GIR), while article 6 provides the requirements for independent Board members (at a minimum 1 in case of 5 Board members and at least 2 in case of 6 or more Board members), while articles 9 to 16 provide the requirements for the Boards Committee structure (Audit, Risk and Remuneration) and composition. The regulation only requires the Audit Committee to be chaired by an independent Board member. There is no such requirement for the Risk Committee or other Board Committees, nor does the regulation require that the Risk Committee includes a majority of independent members. In this respect the requirements deviate from the Basel Corporate Governance Principles. However, the regulation requires the inclusion of experienced non-executive Board members in the Audit, Risk and Remuneration committee as required by this CP. Per article 5, the Board must approve the regulations that contain the policies and guidelines for the performance of its duties, unless the articles of incorporation reserve that power to the general meeting of shareholders. The Board regulations need to be available to the SBS and must contain, at least, the following: a) The job descriptions and responsibilities of the Chair of the Board and its Members; b) Guidelines for the development of work plans by Members of the Board that contribute to the performance of the Board; c) Policies and procedures to prevent, detect, manage and disclose conflicts of interests of Board members; 101 PERU d) Board succession plan that must contain, at least: i) the causes of vacancy established in the LGS or those additional established in the articles of incorporation; ii) the criteria and procedure for removal of Board members and their appointment; and iii) the policy and procedures for communicating a vacancy, removal and/or election of Board members with the SBS, in accordance with the provisions of the LGSF; e) Policies and procedures to inform the Board about the communications of the SBS with the SI; f) Procedures for taking leave of absence; g) Criteria of technical and moral suitability for the selection of senior management; h) If permitted by the SIs articles of incorporation, policies and guidelines for conducting non-contact meeting sessions through media that allow the adoption of agreements and guarantee their authenticity; i) In case the Board has agreed to a self-evaluation of its performance, the criteria used for such a self-evaluation. Of the FIs, the banks are expected to apply the international best practices regarding corporate governance and in practice already largely comply with the new regulations regarding the independent Board members and committee structure. Although the Corporate Governance & GIR only comes into force per April 2018, the review of its content is already part of the on-site examination procedures used by the SBS. As part of its on-site examination manual (In situ N° B.1.PS – GC01; Procedure 2.7: Designation and Succession of the Board) the SBS assesses whether the banks have policies and procedures that set minimum requirements for the selection of new and the ratification of existing Board members, and a succession plan. The manual also provides guidance on the evaluation of the different Board Committees (In situ N° B.1.PS – GC01; Procedures 2.14-2.16 and 4.2). As mentioned in EC1 the GIR and its successor the Corporate Governance & GIR do not apply on a group-wide level to financial groups/conglomerates for which the SBS is the home supervisor (only to the institutions licensed by the SBS). Consequently, the procedures for nominating and appointing Board members on a group level are not reviewed by the SBS. EC4 Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.38 Description and The LGS (article 171) contains the general duty of care and duty of loyalty findings re EC4 requirements for Board members. In addition, Article 81 of the LGSF requires that 38 The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables”, 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ’prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” a s “The duty of the board member to act in the interest of the company and shareholders. The duty of loy alty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.” 102 PERU members of the Board are suitable (have technical and moral suitability) and not subject to the legal impediments imposed by the LGS. Per Article 82 of the LGSF, any election of Board members, as well as vacancies, must be brought to the attention of the SBS within one business day after appointment, by means of a certified copy of the minutes of the session in which the appointment decision was taken, issued by the secretary of the Board. In addition, in accordance with the Supplementary Rules for the election of Board members, senior managers and Internal Auditors (Resolution SBS No. 1913-2004), SIs must inform the SBS of the election of their Board members and the appointment of the senior managers and Internal Auditors, together with the curriculum vitae of said officials and an affidavit of not being subject to the impediments established in the LGSF. Both appointments and vacancies must be communicated with the SBS within one business day. This reporting is done through an online registry called Registry of Directors, Managers and Main Officials (“REDIR"), whose purpose is to collect in a standardized way the required information. Article 4 of the Corporate & GIR (coming into effect per April 2018) establishes that the Board consists of persons with specialisms and competencies that facilitate plurality of views and opinions, and that have the ability and knowledge with respect to the activities of the SI in order to be able to fulfil its responsibilities. The regulation establishes that an independent Board member at a group level can also be an independent Board member on a subsidiary level and does not take into account that, in specific circumstances, this could result in divided loyalties. Board Members and senior management of entities part of a financial groups and conglomerates for which the SBS is the home supervisor, but which are not licensed by the SBS, are not in the scope of Article 81 and 82 of the LGSF, or the Supplementary Rules for the election of Board members, senior managers and Internal Auditors (Resolution SBS No. 1913-2004). The information received via REDIR system is reviewed off-site. In this review the SBS evaluates whether the officials have the knowledge and the experience to carry out their functions and comply with the suitability requirements provided in the LGSF. Apart from the qualifications the SBS also reviews the credit risk classification of directors, managers, and main officials reported in the REDIR and cross-checks are carried out with external sources (Public Prosecutor, Judicial Branch, Worldcheck, among others). In case of the appointment of Board members and senior managers who previously worked for supervised institutions abroad, the SBS does not as a standard procedure inquires with the foreign supervisors whether it has any adverse information or objection against the appointee. An interview of proposed Board members or of key Board members (Chair of the Board, Chair of the different Board Committees) of systemically important SIs or of SIs with a higher risk profile, is not part of the suitability review process. 103 PERU Discussions with staff and the review of documents indicated that the SBS is putting more emphasis on the engagement with independent Board members, but it is still mainly limited to a meeting with one of the independent Board members once a year. Although the SBS has the power to attend Board or Board Committees meetings, this is so far more common (as a result of supervisory priorities) in the supervision of smaller deposit taking institutions than in the supervision of banks. EC5 The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite 39 and strategy, and related policies, establishes and communicates corporate culture and values (e.g. through a code of conduct), and establishes conflicts of interest policies and a strong control environment. Description and In the Self-assessment Questionnaire of Good Corporate Governance Practices for findings re EC5 Financial System Companies, banks have to self-assess (in section 1.1 – Board responsibilities) whether: • The functions and responsibilities of the Board are in line with the responsibilities as defined in article 8 of the GIR; • The responsibilities have been formalized in the regulations of the institution; • The Board complies with it functions and responsibilities as established in article 8 of the GIR (article 7 of the Corporate Governance & GIR); • The Board members has signed-off on the compliance with the GIR as required by article 9 of the GIR. In addition, the sections 1.2.a and 1.3 contain respectively self-assessment questions on the Board oversight on the consistency of the performance of senior management in line with the established strategy, and Board approval of modifications to policies and the strategy of the institution. Section 2 contains self-assessment questions on the establishment of corporate values and a Code of Ethics and Conduct, while section 5.2 contains self-assessment questions on the establishment of a mechanism for dealing with conflicts of interest. The corporate governance on-site examination manual provides procedures for the evaluation of the Board’s compliance with its responsibilities and functions (as defined in article 8 of the GIR) in procedure 2.2, while procedure 2.4 evaluates the Board’s involvement in the approval of the strategy and related policies. In addition, procedure 2.5 evaluates whether the Board has approved and is promoting the compliance with a Code of Ethics and Conduct and procedure 2.12 evaluates the institution’s mechanisms for dealing with conflicts of interest. Review of the minutes of the Board and its main Committees plays an important role in the evaluation of these procedures. The results of this assessment feed into the used rating methodology. 39 “Risk appetite” reflects the level of aggregate risk that the bank’s Boar d is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously. 104 PERU The new elements of the Corporate Governance & GIR are already considered in the self-assessment questionnaire and the on-site examination manual (In situ No. B.1.PS – GC01) as a way of creating awareness and already stimulating compliance with the new regulation in anticipation of its effective implementation per April 1, 2018. A review of supervisory documentation disclosed the use of the above self- assessment questionnaire, the on-site examination procedures and supervisory actions undertaken by the SBS to address their findings, in particular with regard to dealing with potential conflicts of interest of Board members. EC6 The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards establis hed for them. Description and The GIR (article 8) establishes that it is the responsibility of the Board to select senior findings re EC6 management with technical and moral suitability, acting prudently and appropriately in the development of its business and operations, as well as in the fulfillment of its responsibilities. In addition, it establishes that the Board must obtain reasonable assurance that the SI has an effective management of the risks to which it is exposed, and that the main risks are under control within the limits the Board has established. In addition, the new Corporate Governance & GIR (effective per April 2018) includes more specifically the Board’s responsibilities regarding succession planning. The Self-evaluation Questionnaire of Good Corporate Governance Practices for Financial System Companies contains in section 7 self-assessment questions regarding the establishment of suitability standards for the selection of senior management and succession planning. In addition, sections 1.2.a and 1.3 contain self-assessment questions on the Board’s oversight on the performance of senior management in line with the established strategy, and Board approval of modifications to policies and the strategy of the institution. Regarding senior management, article 93 and 94 of the LGSF, require the CEO to inform the Board, on a monthly basis on the credit and investment risk developments as well as at least on a quarterly basis on the general development of the business. The GIR (article 10) and with more detail in the new Corporate Governance & GIR (article 17) establish the reporting responsibilities of senior management. The corporate governance on-site examination manual (In situ No. B.1.PS – GC01) provides in section 2 procedures for the evaluation of the existence and substance of criteria for moral and technical suitability of senior management (procedure 2.20), succession planning (procedure 2.20), Board oversight on the monitoring and evaluation of the performance of senior management in relation to the institutions strategy and long term objectives (procedure 2.3) and performance evaluation (procedure 2.3). 105 PERU EC7 The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. Description and The new Corporate Governance & GIR provides more detailed provisions regarding findings re EC7 the establishment of a Remuneration Committee and the financial institution’s remuneration system. The Self-assessment Questionnaire of Good Corporate Governance Practices for Financial System Companies contains a separate chapter on the design of the institution’s remuneration system and the role of the Board in this regard. The sections of the chapter on remuneration include sections on: • The overall design of the remuneration system; • The design of remuneration and incentives systems for control functions; • Remuneration and incentives in relation to risk taking; • Remuneration and incentives in relation to performance; • Remuneration and incentives’ sensitivity to the materialization of risks ; • Composition of remuneration and incentives. As mentioned in EC1 the GIR and its successor the Corporate Governance & GIR do not apply the consolidated group for which the SBS is the home supervisor (only to the institutions licensed by the SBS). In line with the expectations set in the self-evaluation questionnaire, also the corporate governance on-site inspection manual (In situ No. B.1.PS – GC01) contains separate procedures (section 4, procedures 4.1 to 4.7) to evaluate the Board Remuneration Committee and the financial institution’s remuneration system. EC8 The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g. special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. Description and The Self-assessment Questionnaire of Good Corporate Governance Practices for findings re EC8 Financial System Companies (performed by the SI) contains a separate chapter, which was added in 2017, on the “Complexity and Transpar ency of the Organizational Structure of the Company and its Economic Group”. This chapter contains self - assessment questions regarding: • The organizational and group structure (up to the ultimate beneficiary owners) of which the licensed entity is part; • Responsibilities and practices regarding the corporate governance of the group; • Evaluation of transparency and non-standard activities of the group. In line with the expectations set in the self-evaluation questionnaire, also the corporate governance on-site inspection manual (In situ No. B.1.PS – GC01) contains 106 PERU separate procedures (section 5, procedures 5.1 to 5.10) to evaluate the group’s structure, corporate governance and its transparency. A review of supervisory documentation evidenced that the SBS has in general a good overview of the organizational and ownership structures of the SIs. EC9 The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. Description and Article 381 of the LGSF provides the SBS the power to take the necessary measures to findings re EC9 prevent and/or avoid that any person that is not qualified controls or participates, directly or indirectly in the Board, management and operation of SIs. Currently the supervisory practice is mainly focused on reviewing that appointed Board members are not subject to the impediments as defined in the LGSF. Different cases were discussed and documents reviewed in which the SBS required formally the removal of Board members. The reviewed cases related to removals because of the impediments provided in the LGSF, and not to qualifications and the exercise of the duty of care and loyalty. However, for other deposit taking institutions, the SBS provided examples of realized changes to the Board through the use of informal communication. Assessment of Largely Compliant Principle 14 Comments This CP applies explicitly to banks and banking groups (see also footnote 9), however, deficiencies regarding the regulatory framework for banking groups have been incorporated in the scoring of CP 1. SBS’ governance requirements do not apply on a group-level for institutions for which the SBS acts as home supervisor. As a result, the individual group Board members are not subject to a formal fit and propriety review by the SBS, group Board members are not required (GIR, article 9) to sign-off on their responsibilities as required for Board members of supervised institutions, and the supervisory approach to corporate governance on a group-level is less developed. This relevant as two of the four systemically important commercial banks are part of groups for which the SBS is the home supervisor. In its regulatory and supervisory framework, the SBS puts significant emphasis on corporate governance of the licensed institutions and sets clear expectations regarding the role and responsibilities of the Board and the structure of its committees. However, the actual engagement with the Board and individual Board members could be further enhanced as it is currently not commensurate with the emphasis placed on it by the regulation and SBS’ governance expectations. In addition, the requirements regarding the composition of the committees (number of independent Board members and having an independent Board member as Chair) 107 PERU could be further aligned with the Basel Corporate Governance Principles issued in July 2015. The new Corporate Governance & GIR sets the expectation of a periodic Board effectiveness self-assessment. However, the SBS has not yet developed a clear expectation with regard to the standards of such an assessment, an internal framework for assessing the collective suitability and effectiveness of the Board, and assessment criteria, in terms of expected seniority and experience, for key Board positions. Intensified engagement will also help to develop a more comprehensive view of the composition and the effectiveness of the Board (currently mainly based on the review of Board and Committee minutes). One way to intensify the engagement would be to invite new Board members (or at least key Board members or Board members of systemically important institutions) for a meeting/interview upon appointment. This would give the SBS the opportunity to convey its expectations and at the same time allow to gauge the Board member’s experience and maintain SBS’ view on the collective suitability up to date. The assessors note that per the regulation independent Board members at a group level, can also act as independent Board members at a subsidiary level. This dual position could in certain situations, however, result in divided loyalties. Recommendations: • Apply at a group-level, for groups for which the SBS acts as home supervisor, the same governance and fit and propriety requirements as applied to licensed institutions; • Enhance the requirements regarding the composition of the Board committees (number of independent Board members and having an independent Board member as Chair); • Board engagement needs to be further intensified; • The SBS should develop a framework for assessing the collective suitability of the Board and assessment criteria in terms of expected seniority and experience for key Board positions (e.g. Chair, Chair of the Risk Committee, Chair of the Audit Committee). Principle 15 Risk management process. The supervisor determines that banks40 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate41 all material risks on a timely basis and to assess the adequacy of their 40 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risk s posed to the bank or members of the banking group through other entities in the wider group. 41 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents. 108 PERU capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank. 42 EC1 The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: a) a sound risk management culture is established throughout the bank; b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; c) uncertainties attached to risk measurement are recognized; d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite. Description and Article 134 of the LGSF directs the SBS to supervise that a SI is properly organized, findings re EC1 complies with regulatory limits and managed by qualified officers. Article 199 requires institutions to have a process for evaluating the adequacy of capital considering the institution’s risk profile. It also requires the Board to maintain effective capital above the minimum required level anticipating the potential negative effect of the business cycle, whilst considering the risk profile of its operations. The overarching integrated risk management standards are set by the Comprehensive Risk Management Regulations (“GIR” - SBS Resolution No. 37-2008). The GIR requires supervised institutions to have comprehensive risk management processes and Board approved policies and procedures to identify, measure, monitor, control and report risks. This regulation will be replaced per April 2018 by Corporate Governance & GIR (SBS Resolution No. 272-2017), which establishes more detailed corporate governance requirements and was issued in February 2017. The GIR establishes (article 8 sub a) that the Board is responsible for the approval of the general policies that guide the institutions activities and the management of the different risks it faces. Its successor the Corporate Governance & GIR uses wording that is more aligned with the Basel Principles for Sound Corporate Governance and establishes that the Board is responsible for the establishment of the principal objectives and goals of the SI and its strategy (article 7 sub a) as well as the approval of its risk appetite system article 7 sub h). should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk 42 It management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management. 109 PERU The GIR in article 8, defined the responsibilities of senior management from a risk management perspective, while the Corporate Governance & GIR takes a more broader perspective and establishes (article 17 sub a) amongst others that it is senior management’s responsibility to assure that the activities of the SI are consistent with the strategy, the risk appetite, the corporate culture and values, adequate market conduct and the policies approved by the Board, as well as periodically informing the Board on the status of this alignment. In addition to the overarching risk management regulation, the SBS has issued, for the risks it considers material, the following specific risk management regulations: • SBS No. 3780-2011 on Credit Risk Management • SBS No. 041-2005 on the Administration of Foreign Exchange Induced Credit Risk • SBS No. 6941-2008 on the Administration of Over-Indebted Retail Clients • SBS No. 7932-2015 on Country Risk Management • SBS No. 0509-98 on Market Risk Management • SBS No. 1455-2003 on the Administration of Foreign Exchange Risk • Circular B 2087-2001 on Interest Rate Risk Management • Resolution SBS No. 9075-2012 on Liquidity Risk Management • SBS No. 2116-2009 on Operational Risk Management • Circular SBS No. 139-2009 on Business Continuity Management • Circular SBS No. 140-2009 on Information Security Management • Resolution SBS No. 2660-2015 on AML/CFT Risk Management • SBS No. 11823-2010 Consolidated Supervision Regulation These regulations contain requirements for: the organization and responsibilities of the risk management function, Board oversight, risk identification, evaluation, mitigation, control, and monitoring, as well as the reporting requirements set by the SBS. The regulations apply to the licensed/supervised institutions and not on a group- wide basis. The Consolidated Supervision Regulation requires (article 26) the supervised institution to assure that also the financial group of which it is part implements adequate risk management strategies and policies and refers in this context in article 27 to the GIR. All the above risk management regulations predate the Corporate Governance & GIR and their terminology may need some further standardization to be consistent with this regulation, however, in practice this does not seem to affect their effectiveness. The SBS uses a rating methodology consisting of 7 building blocks: Solvency, Credit risk, Liquidity risk, Market risk (incl. IRRBB), Operational risk, Profitability and efficiency, and Management and control. The overarching risk management requirements are part of the assessment of management and control. However, the credit, market, liquidity and operational risk rating methodology also require the assessment of Board oversight and risk management in relation to the specific risk. Management and control (including the review of the minutes and underlying 110 PERU documents of Board and Board Committees meetings), credit risk and profitability and efficiency are on a standard basis included in the scope of the on-site examination, while for the liquidity, market and operational risk a risk based approach and cycle is followed. In addition, capital is annually reviewed as part of the supervisory review of the ICAAP. The SBS sends (see also CP 14) in advance of the annual on-site examination a self- assessment (Self-assessment Questionnaire of Good Corporate Governance Practices for Financial System Companies) to the SIs, and requires banks to finalize the self- assessment one month before the on-site inspection. The self-assessment includes questions relating to Board oversight, senior management responsibilities and risk management and control. The self-assessment is an input for the on-site inspection, which uses the examination procedures as laid down in GC01 Evaluation of Good Practices of Corporate Governance of the Financial System. Section 2 of the manual contains procedures for the evaluation of the Board regarding integrated risk management, while section 3 contains procedures for the evaluations of the organization and risk culture of the risk management unit. In addition, each of the detailed risk management regulations corresponds with other on-site examination manuals and procedures that review the Board oversight and the management of control of each material risk. Assessors reviewed supervisory documents illustrating the application of the on-site examination procedures for risk management policies and limits as approved by the Board including a review of the adequacy of the risk management report provided by senior management to the Board. EC2 The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate: a) to provide a comprehensive “bank-wide” view of risk across all material risk types; b) for the risk profile and systemic importance of the bank; and c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process. Description and Using its powers (article 199 of the LGSF and article 8 of the GIR) the SBS requires findings re EC2 banks, to submit an ICAAP through an Office Multiple (a letter which has the same regulatory status as a regulation) since 2010. Over the years, the ICAAP has become a more important and developed process for which the SBS provides the banks detailed annually updated guidance. The guidance is amongst others updated regarding the prescribed standard stress test parameters all banks are required to use for ICAAP. As such the ICAAP approach is a mix of a bank’s internal process and a 111 PERU regulated standardized approach to ensure consistency and comparability across the banks. The SBS requires that at a minimum, while providing more detailed guidance per element, the following elements are covered in the ICAAP report: 1. Capital planning and monitoring process 2. Capital adequacy level of the institution a) Base scenario b) Calculation of capital requirements for all material risks (1) Credit risk (2) Market risk (3) Operational risk (4) Additional capital buffers (by regulation) (a) Countercyclical buffer (b) Credit concentration risk (c) D-SIB buffer (see also CP 16) (d) Interest Rate Risk in the Banking Book (e) Propensity to risk (comparing general provisions with average historic impairment losses) (5) Other material risks c) Projections of indicators d) Aggregation of capital requirements e) Access to capital and quality of capital f) Determination of internal capital target g) Projection of available capital 3. Stress-testing a) Description of assumptions and methodology b) Evaluation of results 4. Sensitivity analysis 5. Conclusions 6. Evaluation of the previous ICAAP The evaluation procedures for the supervisory review, which largely takes place off- site (unless pertinent issues arise in the review that need immediate follow-up), of the ICAAP are detailed in a separate manual. The ICAAP needs to be signed off by the CRO and the Head of the Unit responsible for the preparation and approved by the Board. In the supervisory review, the SBS compares the results of the ICAAP against results of the top-down stress-test performed by the SAEE and the risk profile and SBS’ internal risk rating of the institution. The SBS monitors the banks actual regulatory capital ratio against the bank’s internal target in its quarterly off-site report (evidenced by a sample of quarterly reports reviewed by the assessors). In addition, during the on-site examination the SBS evaluates whether the Board on a continuous basis is receiving adequate information from the CRO and senior management to monitor the risk profile of the bank. In 112 PERU addition, where needed a more detailed review is performed of elements of the ICAAP during the on-site examination. EC3 The supervisor determines that risk management strategies, policies, processes and limits are: (a) properly documented; (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and (c) communicated within the bank The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. Description and All Board members are required (article 9 of the GIR, article 8 of the Corporate findings re EC3 Governance & GIR) to sign-off on the compliance with their responsibilities as established in the GIR. The responsibilities include the approval of the risk appetite and the accompanying policies and procedures for all material risks as well as their limits. The responsibilities do not include explicit requirements (but these are understood to be part of effective strategies, policies, processes and limits) for communication within the bank, periodically updating of strategies, processes, policies and limits and exception reporting, however, these requirements are incorporated in the different underlying and more detailed risk management regulations. The SBS, through the application of the procedures detailed in the on-site examination manuals, verifies that the institution has established and documented policies and procedures for all material risks as required by the different risk management regulations issued by the SBS, and that these are regularly updated and communicated within the bank. The review of Board minutes and underlying documentation is a standard part of the on-site review. In this review the SBS assesses amongst others whether the different risk management regulations required polices are regularly updated, reviewed and approved by the Board. In its on-site examination of the different risk types, the SBS verifies the actual implementation of the policies and limits approved by the Board. The assessors reviewed documentation of on-site examinations, which substantiated the actual use of the on-site examination procedures. EC4 The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. 113 PERU Description and As mentioned in the previous criteria, the SBS verifies through the review of the findings re EC4 minutes, including the supporting documentation, of the Board and its main committees, that the business and risk management functions of the institution provide the Board, in a timely, adequate and permanent manner, with sufficient information about the institution's exposure to the various risks, and that, based on such information, the Board and/or its Committees, where appropriate, take decisions and make recommendations. In its on-site examination of the different (credit, liquidity, market and operational) risks the SBS verifies the actual implementation of the policies and limits approved by the Board. Regulations or procedures do not provide an expectation that the Board or senior management regularly review the implications and limitations of risk management information. EC5 The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. Description and A comprehensive evaluation of the consistency and adequacy of the institution’s findings re EC5 policies and procedures for risk taking with the risk management strategy and risk appetite is realized through the supervisory review of the bank’s ICAAPs. The SBS requires the banks since 2010 to submit annually an ICAAP. The supervisor is providing the banks with detailed and annually updated guidance on its expectations regarding the ICAAP (see also EC2). The procedures for the supervisory review of the ICAAP are detailed in a separately documented manual. The assessors reviewed a sample of banks ICAAPs, the corresponding supervisory review reports, as well as letters containing the formal communication with the banks on the results of the supervisory review. The results of the ICAAP review are not yet part of the existing rating methodology, but feed more qualitatively into the assessment of management and control as well as in the review of a bank’s solvency. Although not formally included, relevant findings relating the ICAAP review could result (if not possible to cover in the other rating elements) in a rating override and downgrade of the supervisory rating, which would have to be substantiated by the supervisor and approved by the internal rating committee. The inclusion of ICAAP is foreseen in the next version of the rating methodology, which is in the process of development and expected to be implemented in 2019. There is no Internal Liquidity Adequacy Assessment Process (ILAAP) requirement. For the assessment of the liquidity adequacy and funding strategy the SBS relies on the on-site liquidity risk supervision manual, which provides procedures for evaluating the internal methodologies and processes used by the supervised institutions to manage liquidity risk, including contingency planning (see CP 24). In addition, banks must report their liquidity positions and ratios daily to the SBS. On a quarterly basis 114 PERU banks are required to submit the result of a standardized stress-test and their liquidity contingency plan. The results of the off-site liquidity monitoring and on-site assessment of the liquidity risk management feed into the rating for liquidity risk, which is one of the 7 components of the rating methodology in use. EC6 Where banks use models to measure components of risk, the supervisor determines that: (a) banks comply with supervisory standards on their use; (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. Description and The SBS allows for the use of internal models for credit, market and operational risk findings re EC6 and has set, in line with the Basel framework, standards for their use; for credit risk in Resolution SBS 14354-2009, for market risk in Resolution SBS No. 6328-2009 and for operational risk in Resolution SBS No. 2115-2009. However, currently none of the banks are using advanced models and the SBS has at the moment no application in process. Apart from models for advanced approaches for capital purposes, there are also other models that require SBS approval. For example, the SBS has set provisioning requirements for country risk and allows banks to use their own rating methodology for the classification of the countries in the different risk categories (see C21). Apart from internal models for capital and provisioning, there is an expectation that banks, use more advanced internal credit scoring methodologies and rating models. In addition, banks are using a (regulatory) VaR model to assess their Foreign Exchange (FX) risk as well as regulatory methodologies to assess liquidity and Interest Rate Risk in the Banking Book (IRRBB). The SAR has specialized units, and specific on- site examination procedures, for the review and use of these models. The GIR or the Corporate Governance & GIR do not provide an expectation that the Board or senior management regularly review the limitations and uncertainties relating to the output of the models and the risk inherent in their use. Clarifying this expectation in addition to improving the model governance requirements for internal models (other than those used for regulatory capital purpose) would enhance the regulatory risk management framework. EC7 The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also 115 PERU determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. Description and For off-site supervision, the SBS requires SIs to periodically send a set of standardized findings re EC7 prudential reports and annexes. SI's information systems need to be able to support this requirement. The reports aim to determine the degree of exposure that the SI has in relation to material risks, as well as the adequacy of regulatory capital to cover those risks. The institution’s management is responsible for the quality and timely submission of information to the SBS. Using the information provided by SIs through the Debtors Credit Overview Report (“RCD” Annex 6 – which after validation feeds into the Credit Registry), in which banks have to report on a standardized basis information on all their borrowers with exposures above PEN 1.00 , the SBS applies various controls to assess the validity and consistency of the credit risk and asset quality reports provided by the SIs and provide a first supervisory view on the quality of the information and reporting of the SIs. Furthermore, the reported information is selectively reviewed by the SBS during the annual on-site examination to ensure that it meets the criteria established by the SBS. An important component of on-site supervision is to verify that the business, risk and control areas of the SI provide senior management and the Board and its Committees with timely, adequate and sufficient information about the institution's exposure to the various risks it faces. This is amongst others, verified through the review of the minutes and supporting documentation of the Board Risk Committee. In addition, SBS has a specialized unit (Department of Information Systems and Technologies Supervision) for the supervision of information and technology. As part of on-site examinations these specialists evaluate the reliability and integrity of the information sent to the SBS under normal conditions (normal examination visits) and stress (prior to an intervention regime). The SBS indicated that the data quality of the prudential reports received from the banks is relatively high, and that required corrections of misreporting have the past few years not resulted in material changes of the initial positions reported by the banks. EC8 The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,43 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the 43 New products include those developed by the bank or by a third party and purchased or distributed by the bank. 116 PERU undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. Description and Article 18 of the GIR (Article 25 of its successor the Corporate Governance & GIR) findings re EC8 indicates among the responsibilities of the risk unit, to inform the Risk Committee about the risks associated with the launch of new products, and important changes in the business environment, the operational or computer environment, prior to its launch or execution, as well as the proposed or implemented mitigation and control measures. In addition, Circular No. G-165-2012 requires the SIs to report to the SBS its assessment of the risks of new products or important changes in the business, operational or computer environment and all other important changes, and establishes the minimum content that the report must contain. Article 3 of the Circular states that this report must incorporate the types of associated risks, covering at a minimum the risks indicated in Article 5 of the GIR (credit, ML/FT, liquidity, market, technical (insurance), reassurance, strategic and operational risks) as well as the results of the evaluation carried out and the mitigation and control measures implemented or proposed to manage the risks. As part of its off-site supervision, the SABM as well as the SAR evaluate the risk reports for new products or important changes in the business, operational or IT environment that companies submit and, depending on each case, the corresponding corrective measures proposed/taken by the institution. In on-site supervision, through the review of the records and minutes of the Board and the Risk Committee, the SBS verifies the approval of the risk reports associated with new products and the important changes in the environment of business. As part of the on-site supervision of operational risk (see also CP 25), SBS’ specialized risk unit selectively verifies more in depth the compliance with the regulatory requirements of the risk assessment process for the launch of new products. Regarding ML/FT risks, both through on-site and off-site procedures, a specialized risk unit of the SAR evaluates whether the compliance officer has assessed the ML/FT risks to which the new products might be exposed, as well as management measures to reduce that exposure. This assessment is included in the compliance officer report submitted semiannually to the chairman of the board. EC9 The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. 117 PERU Description and Article 3 of the GIR (article 20 of the Corporate Governance & GIR) requires FIs to findings re EC9 have a comprehensive risk management that identifies all risks that can affect the institution, and assure that these are managed within the institution’s risk appetite. The GIR and its successor the Corporate Governance & GIR requires banks to have a Board Risk Committee, an independent centralized/integrated risk unit, and a CRO that reports directly to the Board Risk Committee. The Internal Audit Regulation, approved by Resolution SBS No. 11699-2008, requires the internal audit function to review the risk management function. The minimum requirements regarding this review are contained in the Annex of the regulation. The SBS sends 2 months in advance a self-assessment (Self-evaluation Questionnaire of Good Corporate Governance Practices for Financial System Companies – see also CP 14), and requires banks to finalize the self-assessment one month before the on- site inspection. The Self-assessment Questionnaire of Good Corporate Governance Practices for Financial System Companies contains self-evaluation questions regarding the establishment of a Board Risk Committee (section 6.3), the risk management unit, whether it reports directly to the Board Risk Committee and whether its manager is of a sufficient senior level (section 8). The SBS examines the provided answers of the self-assessment in more detail using the on-site examination procedures as laid down in GC01 Evaluation of Good Practices of Corporate Governance of the Financial System. Section 2 of the manual contains procedures for the evaluation of the Board regarding integrated risk management, while section 3 contains procedures for the evaluations of the organization and risk culture of the risk management unit). The on-site examination results feed into the assessment of management and control as part of SBS’ internal rating methodology. In addition, Board oversight, and the implementation of approved policies and limits is assessed also as part of all the individual risks (credit, liquidity, market (incl. IRRBB) and operational risk) that are part of the rating methodology. A review of supervisory documents evidenced that the SBS when needed requires banks to address deficiencies in their risk governance or the necessary resources for the risk management function. EC10 The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Description and In line with the expectations set in the GIR (and its successor the Corporate findings re EC10 Governance & GIR), all banks are required to have a dedicated risk management unit overseen by a CRO. 118 PERU Article 187 of the LGS (Law No. 26887) establishes that senior management (which includes the CRO) may be removed (only) by the Board or by the general meeting of shareholders, whichever the body that appointed them. Finally, Article 187 of the LGS also states that a provision of the articles of incorporation, agreement of the general meeting of shareholder, or Board decision that would establish the irrevocability of the position of a manager or that imposes a majority greater than the absolute majority for removal is void. Regarding the communication to the SBS, the "Supplementary Rules for the Election of Directors, Managers and Internal Auditors" approved by Resolution SBS No. 1913- 2004, establishes that supervised institutions must inform the SBS of the election of Board members, the appointment of senior managers and Internal Auditors, as well as the respective vacancies, within a period of no more than one day. Accordingly, the SBS requires the FIs to send a certified copy by the Board Secretary, of the relevant part of the minutes that confirm the election of Board members, the appointment of senior managers and Internal Auditors, as well as the respective vacancies. Although SBS regulations do not contain disclosure requirements in this regard, all banks are required to be listed and therefore must meet the disclosure requirements as contained in the Regulation of Facts of Importance and Reserved Information (Resolution SMV No. 005-2014-SMV / 01) as issued SMV. This regulation establishes the requirements for the communication and disclosure of material events in accordance with Securities Market Law, indicating among them, the appointment, removal and changes in the members of the Board and senior management. EC11 The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk. Description and In addition to the GIR, the SBS has provided per material risk type the more detailed findings re EC11 risk management regulations (see EC1). In addition, the SBS has issued capital requirements for credit, operational and market risk, as well as additional capital requirements for individual (large exposures), sectoral and geographical concentration risk, interest rate risk in the banking book and propensity to risk (a methodology that requires higher capital in case over the past 5 years the annual specific provisions have been higher than 75 percent of regulatory capital – see CP 16). EC12 The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that consider the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including 119 PERU reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Description and In the ICAAP banks provide an overview of their capital planning process as well as findings re EC12 the contingency capital plan. As part of the supervisory review of the ICAAP, the SBS reviews the results of the stress scenario (for which the SBS prescribes the stress parameters), evaluates the reasonableness of the assumptions that banks have made, as well as its capital quality and possible additional sources and requires, if necessary, actions to strengthen their level of capital and/or improve their risk profile. In other regulations, the SBS also requires FIs to have contingency plans for operational, business continuity and liquidity risk. These contingency plans are evaluated in off-site and on-site supervision. Relevant on-site examination procedures are detailed in the on-site examination manuals. The SBS established in 2012 a working group for market-wide business continuity stress testing. In the first exercise in 2014, which simulated an earth quake, 12 banks participated. In 2017 a second market-wide stress-test was performed in which 23 institutions (including the SBS, Central Bank and the Ministry of Finance) participated. In terms of liquidity, companies must submit quarterly to the SBS the results of their liquidity stress-testing and the accompanying contingency plan (Annex No. 16-B). A specialized unit of the SBS verifies that the assumptions used by the banks are reasonable and that the proposed strategy for dealing with a possible systemic liquidity crisis, is consistent with the sources of funding and available resources of the bank. This strategy, sources of funding, and associated costs have to be included in the quarterly report submitted to the SBS. When the risk profile of a bank so deserves, FIs are required to submit an action plan to redress capital or other deficiencies. The reasonableness of the plan and its follow- up are aspects that are evaluated both at in- and off-site. There are currently no formal requirements for recovery plans as described in the Key Attributes for Effective Resolution Regimes (FSB, October 2014). EC13 The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: (a) promotes risk identification and control, on a bank-wide basis 120 PERU (b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks; (c) benefits from the active involvement of the Board and senior management; and (d) is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process Description and Although the GIR and its successor Corporate Governance & GIR do not contain findings re EC13 explicit stress-testing requirements, banks are required (using Article 349 of the LGSF and article 8 of the GIR) to perform a comprehensive (severe) stress test, for which the SBS prescribes the parameters, and sensitivity stress test as part of ICAAP. In the supervisory review the SBS compares the banks’ results with the stress testing results performed by the SAEE. For specific risks (such as credit, FX induced credit risk, country, market, IRRBB and liquidity risks) the regulations require FIs to undertake specific risk assessments and stress tests, of which the results are also reported to the SBS, while the assumptions and methodologies used are reviewed during the on-site examination. In its on-site supervision, the SBS reviews whether the results of the stress tests are reported and discussed in the Board and/or its Risk Committee and where needed recommendations are made or corrective actions are taken. EC14 The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. Description and Within the framework of on-site supervision, there are manuals by business lines; findings re EC14 among other aspects, they have a specific section for the evaluation of pricing, which includes the evaluation of the methodology, procedures, granting preferential rates, tools for calculating prices and profitability. Circular G-165-2012 (see CP 25) indicates that SIs must prepare reports of risks associated with the launch of new products and major changes in the business, operating or computing environment. These reports must also be sent to the SBS, within established deadlines, subject to approval by the Risk Committee or specialized committee. This risk report must include all applicable types of risks, including operational risk, the exposure of which may increase during the product launch period or while the changes are implemented. Assessment of Largely Compliant Principle 15 Comments The regulatory framework for risk management is tailored to the specific economic circumstances in Peru, and sets clear risk management expectations for material risks to which the banking sector is exposed. 121 PERU Although the Consolidated Supervision Regulation to a certain extent redresses the fact that the risk management regulations (GIR and its successor Corporate Governance & GIR) do not apply on a group-wide basis, the resulting indirect form of regulation is not optimal. The fact that the GIR and its successor do not apply on a group level has been factored in to the scoring of CP 1. The SBS in practice reviews models (country risk, internal rating and credit scoring models and methodologies, etc.) used by FIs, however, its regulatory framework could be further enhanced by providing model governance guidelines and expectations. The SBS is currently working on proposal to establish guidelines for model governance. This regulation will include guidelines related to: i) relationship between model management and risk appetite; ii) responsibilities in model management; iii) development, validation, approval and monitoring processes; iv) supporting documentation; and, v) processes of outsourcing and system support. This regulation would further enhance the regulatory risk governance framework. There are currently no formal requirements for recovery and resolution plans for D- SIBs; however, FIs are required to have capital and liquidity contingency plans, taking into account their stress-testing results. These contingency plans provide the D-SIBs with a good starting point for developing recovery and resolutions plans. Recommendations: • Develop and issue guidelines for model governance including the expectation for the Board and senior management to review the limitations and uncertainties relating to the output of the models and the risk inherent in their use; • Implement requirements for recovery and resolution planning for D-SIBs. Principle 16 Capital adequacy.44 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. EC1 Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. Description and The minimum capital requirement is 10 percent and is based on the Basel II definition findings re EC1 for capital and the Basel II risk weights (with some conservative amendments to the 44The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it. 122 PERU local situation) for credit (Resolution SBS No. 14354-2009), market (Resolution SBS N° 6328-2009) and operational risk (Resolution SBS No. 2115-2009). Article 16.A of the LGSF establishes the minimum entry capital required for deposit taking institutions. Article 199 of the LGSF establishes that the capital adequacy ratio must be always equal to or greater than 10 percent of the sum of: (1) capital requirements for market risk multiplied by ten; (2) capital requirements for operational risk multiplied by ten; and (3) risk-weighted assets for credit risk including off-balance sheet items. In addition, Article 199 establishes the Board’s responsibility to ensure that financial institutions have enough buffers above the minimum requirements to absorb fluctuations because of the economic cycle and considering the financial institution’s risk profile. Article 184 of the LGSF provides the capital definition (Basel II based and includes Tier 3 capital) and Article 185 of the law provides the relevant (Basel II based) limits for Tier 2 capital, subordinated debt and Tier 3 capital. SBS Resolution N. 975-2016 provides criteria for subordinated debt to qualify as Tier 1 (perpetuity and loss absorption), but also introduces, to already move to a certain extent towards the Basel III capital definition, a risk weight of 1000 percent for Deferred Tax Assets (when more than 10 percent of available capital) and intangible assets (excluding goodwill, which is deducted from regulatory capital). The regulation has a transitional period from 2017 to 2026 in which the risk weights gradually increase from their current Basel II risk weight to 1000 percent. The Additional Capital Requirements Regulation (Resolution SBS No. 8425-2011, using Article 199 of the LGSF as its basis) requires banks to hold non-cyclical and counter-cyclical capital buffers. The methodology for calculating these buffers differs from the Basel capital conservation buffer, counter-cyclical buffer and buffer for Domestic-Systemically Important Banks (D-SIBs), but in essence the SBS aims to achieve the same objectives as Basel III with these buffers. Instead of the 2.5 percent Capital Conservation Buffer (CCB) outlined in Basel III, the SBS has implemented a CCB that consists of requirements for five specific risks. As a result of this approach, the actual buffer varies depending on the balance sheet composition and risk profile of the institution. The CCB comprises the following elements: • Single name concentration risk maximum add-on of 0.4 percentage points (of RWAs); • Sector concentration risk maximum add-on of 1.6 percentage points; • Geographical concentration risk maximum add-on of 0.4 percentage points; • Interest Rate Risk in the Banking Book (IRRBB) add-on required if the Economic Value of Equity changes by more than 15 percent after a prescribed interest rate shock; • Propensity to risk buffer for banks with high historic specific provisions. 123 PERU The approaches for single name, sectoral and geographical concentration and IRRBB are described in more detail in CP 19 and CP 23. For D-SIBs the SBS has issued a methodology requiring banks with assets larger than three percent of GDP to hold an additional buffer. This buffer is calculated as a function of the bank’s: i) external rating; ii) assets to GDP, and; iii) assets to total assets of deposit taking institutions. In practice the resulting buffer varies from 0.1 to 0.6 percentage points for the 4 dominant commercial banks. The implemented Counter-Cyclical Buffer (CCyB) is a function of per asset class differentiated additional credit risk weights varying from zero for governments exposures to 55 percent for revolving consumer loans. Thus, and unlike the Basel III CCyB, the buffer varies across institutions depending on their balance sheet composition. Capital Requirements Peru Compared to the Basel III framework Peru -All Banks Peru - D-SIBs Basel III Jun-2017 Min Max Min. Max. Min Max. Min. Req. 10.0% 10.0% 10.0% 10.0% 8.0% 8.0% CCB 0.8% 4.3% 1.0% 1.1% 2.5% 2.5% CCyB* 0.7% 5.0% 1.7% 2.0% 0.0% 2.5% D/G-SIB 0.0% 0.6% 0.1% 0.6% 0.0% 2.5% Total** 11.8% 16.6% 13.0% 13.3% 10.5% 15.5% Source: SBS * Considers the numbers of CCyB if the cyclical rule was activated. ** Corresponds to the total required capital considering as the cyclical rule was activated The countercyclical buffer is activated if the moving average of the annual GDP growth over a period of 30 months is higher than 5 percent. FIs must comply with the requirement within 12 months after the buffer is activated. After the deactivation of the buffer, banks are only allowed to use the buffer after they have used their countercyclical provisions (see CP 18), after which they can use 60 percent of the buffer. For using the remaining 40 percent, a capital plan and the approval of the SBS is needed. The Additional Capital Requirements Regulation provides the SBS the power to not release the countercyclical buffer when deactivated in case of observed weaknesses in governance and risk management. In practice, the SBS expects the banks to establish in their ICAAP internal capital targets above the additional required buffers, including the countercyclical buffer, even while currently deactivated. 124 PERU Regarding the supervisory measures associated with capital thresholds, article 349 of the LGSF establishes that the SBS is empowered to perform all acts necessary to safeguard the solvency of the financial system and the savings of the public. Article 355 of the LGSF states that in case a SIs is financially instable or is poorly managed, the SBS may determine the real value of the assets and, if necessary, require regulatory capital adjustments, as appropriate, from reserves and social capital. Likewise, it may request the shareholders to immediately provide cash capital contributions. The grounds for submitting a FI to the special supervisory regime are as follows defined in article 95 of the LGSF: a) Failure to comply with the reserve requirements for three consecutive periods, or in more than 5 months over a period of 12; b) The need to resort to the financing of its obligations that, in the opinion of the SBS, indicates a structural financial insufficiency for the fulfillment of the reserve; c) The need to resort to liquidity support from the Central Bank for more than 90 (ninety) days in the last 180 (one hundred and eighty) days; d) A breach of the different large exposure limits established in articles 206, 207, 208 and 209 for a period of 3 months over a 12-month period; e) Infringement of other individual or global limits with a frequency or magnitude that, in the opinion of the SBS, reveals inadequate business conduct by the FI, together with the omission in the approval and execution of corrective measures; f) Repeated failure to comply with the customer service requirements referred to in Article 139; g) When available regulatory capital is lower than established in the first paragraph of article 199 (10 percent) for a period of 3 consecutive months or 5 alternate months in a period of one year: h) Loss or reduction of more than 40 percent (forty percent) of available regulatory capital (over a period of one year). The above applies to the licensed FIs. The consolidated capital requirements for financial groups for which the SBS is the home supervisor are established in the Consolidated Supervision Regulation (SBS Resolution No. 11823-2010). This regulation uses a building block approach; the consolidated capital requirement of the financial group is basically determined (in article 9) by adding all the capital requirements of the supervised entities and comparing this against the available capital (using the same definition for capital as for FIs) on a consolidated level. Where relevant the SBS can set a proxy capital requirement; for example, for the unsupervised holding if it has any other assets than cash and investments in subsidiaries. Regarding thresholds for intervention, article 12 of the Consolidated Supervision Regulation states that in case: i) a consolidated group has a deficit, the supervised entity needs to submit to the SBS a capital restoration plan; ii) in case a consolidated group has a deficit of less or equal than 20 percent of the required regulatory capital, 125 PERU all the supervised companies belonging to the financial group shall submit dividend proposals for prior authorization to the SBS; iii) if such a deficit exceeds the 20 percent threshold, supervised companies belonging to the financial group must allocate all net profits to regulatory capital to overcome the deficit. EC2 At least for internationally active banks, 45 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. Description and The risk coverage is, because of the methodology used for establishing the additional findings re EC2 capital requirements, broader than the Basel standards. The overall capital requirement including those set by the Additional Capital Requirements Regulation appear to be broadly in line with the overall (incl. conservation, countercyclical and G-SIB buffers) Basel III standards (see EC1). Although the overall capital requirements are broadly in line with the applicable Basel standards, the D-SIB capital buffer and the additional capital requirement for single name concentration risk need further calibration as the current methodologies results in very limited additional capital requirements. The SBS has recognized this and is in the process of reviewing the methodology for the calculation of both the D-SIB buffer and the additional capital requirement for single name concentration risk. Main difference, in terms of total capital requirements, is not the total percentage, but the definition of capital which is still based on Basel II. However, in practice and because of SBS supervision, the average Common Equity Tier 1 ratio of the banking system is more than 10 percent. In addition, as mentioned before, SBS Resolution N. 975-2016 provides criteria for subordinated debt to qualify as Tier 1 (perpetuity and loss absorption), but also introduces, to already move to a certain extent towards the Basel III capital definition, a risk weight of 1000 percent (more than 10 percent of available capital) for Deferred Tax Assets and intangible assets. Taking into account the new Basel III capital definition, the SBS also reviews the quality of capital in the SREP. In case of (non-operating) holding companies, the minimum capital requirements, are only indirectly (through the subsidiary) applicable to the financial group for which the SBS is the home supervisor. The assessment of the capital adequacy of the conglomerate is done on a consolidated basis. The supervisory group capital adequacy assessment could be improved by also taking into account: i) the capital adequacy of the holding on a solo level (in order to determine if the excess capital is available on a holding level); ii) the 45 TheBasel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis. 126 PERU location of capital within the conglomerate, including the risk of ringfencing/non- transferability of capital allocated to entities supervised by authorities abroad; iii) the extent to which excess capital at a group level can be completely allocated to support the financial activities of the conglomerate. The assessment of the consolidated capital adequacy does not take adequately into account the necessary adjustments to account for the change in accounting standards; solo financials based on SBS accounting standards, while consolidated financials might be based on IFRS (for groups which holding’s financial statements are prepared in accordance with the IFRS), which could impact the provisioning levels and therefore the available capital on a consolidated basis. The necessary information to make this analysis is reported by the supervised institutions and available to the SBS. EC3 The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g. securitization transactions)46 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. Description and Article 186 of the LGSF provides the SBS the power to provide the procedure and risk findings re EC3 weights for calculating the risk weighted assets for credit, market and operational risk. Using this power, the SBS has established in SBS Resolution 14354-2009, much higher risk weights for certain mortgages and consumer loans than the Basel II standards. The risk weighting is described in more detail in CP 17. Also, and as mentioned under EC1, Article 199 of the LGSF establishes the Board’s responsibility to ensure that the supervised institution has enough buffers above the minimum requirements to absorb fluctuations because of the economic cycle considering the financial institution’s risk profile. Using this power, it has established requirements for countercyclical and non-cyclical (including for systemic risk) buffers. Finally, article 349 of the LGSF allows the SBS to require individual FIs to have a minimum capital ratio above the minimum requirement if warranted given their risk profile. A review of supervisory document evidenced that the SBS, when needed, uses this power to assure that banks have adequate capital in relation to their risk profile. EC4 The prescribed capital requirements reflect the risk profile and systemic importance of banks47 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws 46 Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006. 47 In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses. 127 PERU and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. Description and The Additional Capital Requirements Regulation contains a methodology for findings re EC4 determining additional capital requirements for Domestic-Systemically Important Banks. The methodology differs from the Basel standard. All banks with total assets more than 3 percent of GDP attract an additional capital charge in function of their external rating (the LGSF, article 136, requires all banks to have at least 2 external ratings), total assets divided by GDP, and total assets divided by the total assets of the financial system. Using this methodology currently 5 banks attract a capital charge for systemic risk. The top 4 commercial banks (accounting for approx. 75 percent of the assets of deposit taking institutions) attract an addition capital charge of well below 1 percentage point. Although the methodology captures the systemic banks, the SBS recognizes that the methodology needs to be reviewed or recalibrated as the current capital charges for systemic risk are perceived as too low. The non-cyclical (see EC3) and countercyclical buffer consider the risk profile of the bank and the macro economic environment (see EC1). The minimum capital requirement for deposit taking institutions is with 10 percent higher than the Basel standard of 8 percent. The requirements set by Additional Capital Requirements Regulation are set in terms of total capital and not in terms of Common Equity Tier 1. Although the capital requirements are still based on the Basel II capital definition, the SBS considers the quality of capital in the ICAAP review. A review of supervisory document evidenced that the SBS has required institutions to increase the amount of high quality capital, even while the FI was complying with the minimum and additional capital requirements. EC5 The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: a) such assessments adhere to rigorous qualifying standards; b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonabl e reflection of the risks undertaken; d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval. 128 PERU Description and Article 186 of the LGSF provides the SBS the power to withdraw the approval for the findings re EC5 use of internal models for credit risk or market risk, as well as for the alternative standard approach (ASA) or advanced methods for operational risk and require banks to use again the standardized approaches. This power is also provided for in the respective regulations for credit (Resolution SBS No. 14354-2009), market (Resolution SBS No. 6328-2009) and operational (Resolution SBS No. 2115-2009) risk including the detailed minimum requirements for the use of advanced approaches. Although the regulation allows banks to apply for the use of advanced approaches, all banks are using the standardized approaches. There are no applications in progress. EC6 The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).48 The supervisor has the power to require banks: a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. Description and In its internal rating methodology, the SBS considers solvency (capital adequacy) as a findings re EC6 separate element. The score considers available regulatory capital and a stressed capital position. In assessing the available capital, the SBS assesses whether the FI is above the minimum requirement, whether it complies with the additional buffer requirements, and whether it has an additional capital cushion above the additional capital buffer requirement. The stressed capital calculation includes: i) the alignment of the borrowers with the worst classification and accompanying provisions made by FIs having 10 percent of the exposure of the borrower in the financial system; ii) full provisioning of the adverse classified exposures (the highest of i and ii will be deducted from capital); and iii) a correction for adverse occurred events that may have a future impact (e.g. litigation), but are not fully provisioned for yet. The ICAAP review is not formally integrated in the internal rating process yet, but if needed is included by making an override on the rating of the banks. During the assessment documents were shared that provided examples of such overrides. A low rating will result in supervisory actions, which amongst other could include higher capital requirements. Using Article 199 of the LGSF and article 8 of the GIR (and article 7 of the new Corporate Governance & GIR), which requires the Board to assure that the financial institution has sufficient capital to cover its risks on an ongoing basis, the SBS 48 “Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing. 129 PERU requires since 2010 all banks to submit annually an ICAAP. The request is accompanied with guidelines (Guia de Autoevaluacion de Suficiencia de Capital 2017-2019) that clarify the minimum standards the ICAAP must comply with as well as the, annually updated, parameters for a standardized comprehensive stress- scenario. The ICAAP needs to be linked to the strategy and the capital planning on a 3-year horizon. Since 2015, the ICAAP also needs to include a sensitivity analysis of the credit risk of the loan portfolio. In the supervisory review of the ICAAP the SBS considers the nature, size and complexity of the bank. Reviewed documentation and discussions with staff evidenced that large institutions are expected to have more sophisticated risk management frameworks, policies, procedures and methodologies in place. The specialized risk units of the SAR are not on a standard basis part of the ICAAP review process. If as a result of the supervisory review the SBS determines that the current / projected levels of capital of the FI are not consistent with the regulatory requirements and with its risk profile, the FI is required (using article 349 sub 19 as a basis, although mostly informally) to adopt corrective actions, such as: the application of conservative policies for provisioning, reinvestment of profits, capital contributions, establishment of reasonable goals of growth, strengthening of the business model and risk management systems and controls. In the 2017 ICAAP submission, the banks for which the SBS is the home supervisor, where for the first time required to also include a section on the group; including the group structure, risk appetite, risk management, a 2-year (base line) projection, the ability to generate additional capital, quality of capital, and describe the group’s approach towards stress-testing. A review of documentation and correspondence with banks evidenced that the SBS has a clear expectation that banks manage their capital levels well above the minimum and additional capital buffer requirement and considers the capital quality as well as the individual risk profile of FIs. Liquidity contingency planning and stress testing is required by the Liquidity Risk Management Regulation (Resolution SBS No. 9075-2012). The results of the regulatory stress test and the liquidity contingency plan need to be submitted on a quarterly basis to the SBS and are reviewed during on-site examinations. Assessment of Largely compliant Principle 16 Comments The SBS has made significant progress on the implementation of the Basel III regulatory reform agenda. Although there are differences in the implementation, in particular regarding the different capital buffers, the implemented approaches aim to achieve the same objectives and broadly equivalent overall capital levels. ICAAP and its supervisory review are not yet integrated in SBS’ rating methodology, but if needed taken into account as an override on the internal rating. A revised 130 PERU rating methodology which will include the results of the SREP is planned to be rolled- out in 2019. The activation trigger of countercyclical buffer is based only on GDP growth and may be not effective in situations where there is excessive credit growth when GDP growth is below 5 percent. The systemic risk and single name risk buffers need to be reviewed as they are currently not commensurate with the risk they are supposed to cover. These issues have already been identified by the SBS and are part of the review of the Additional Capital Requirements Regulation that is currently taking place. The supervisory group capital adequacy assessment could be improved by also taking into account: i) the capital adequacy of the holding on a solo level (in order to determine if the excess capital is available on a holding level); ii) the location of capital within the conglomerate, including the risk of ringfencing/non-transferability of capital allocated to entities supervised by authorities abroad; iii) the extent to which excess capital at a group level can be completely allocated to support the financial activities of the conglomerate. The assessment of the consolidated capital adequacy does not take adequately into account the necessary adjustments to account for the change in accounting standards; solo financials based on SBS accounting standards, while consolidated financials might be based on IFRS (for groups which holding’s financial statements are prepared in accordance with the IFRS), which could impact the provisioning levels and therefore the available capital on a consolidated basis. Finally, the SBS could consider involving the expertise of the SAR in the supervisory review of banks’ ICAAP. Recommendations: • Incorporate as planned ICAAP and the related supervisory review in the revised supervisory rating methodology; • Finalize the review of the current methodology for the calculation of the additional capital requirements as planned, taking into account the observations above; • Enhance the group capital adequacy assessment by extending the current approach with the analysis of: i) the capital adequacy of the holding on a solo level (in order to determine if the excess capital is available on a holding level); ii) the location of capital within the conglomerate, including the risk of ringfencing/non-transferability of capital allocated to entities supervised by authorities abroad, and; iii) the extent to which excess capital at a group level can be completely allocated to support the financial activities of the conglomerate; • Review and revise the current group capital assessment methodology to assure that the necessary adjustments to account for difference in accounting standards between a solo and a consolidated level are properly taken into account. 131 PERU Principle 17 Credit risk.49 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk50 (including counterparty credit risk)51 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. EC1 Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. Description and Article 290 of the LGSF requires institutions to operate with adequate internal findings re EC1 controls in performing their operations. The LGSF does not include further explicit risk governance responsibilities. More detailed risk governance requirements are developed by the SBS through Resolutions. The GIR sets the overarching governance and risk management requirements, while the Credit Risk Management Regulation (SBS Resolution No. 3780-2011) set specific requirements for credit risk management. Article 8 of the GIR establishes that the Board is responsible for approving: policies, limits, processes, procedures, roles and responsibilities that guide management of the various risks, assuring that the risk management is effective, and that the main risks are under control within the limits that have been set. Article 2 of the Credit Risk Management Regulation requires FIs to have an adequate credit risk management considering the size and complexity of the institution. It requires the Board to approve and periodically review the strategy, objectives, guidelines and credit risk management procedures as well as establishing and reviewing the organizational structure for the management of credit risk. Article 3 requires senior management to implement the decisions of the Board and to assure that the strategy and operations of the FI are aligned with the risk appetite and tolerance levels as set by the Board. Article 35 of the regulation requires FIs to perform, at least annually, a credit risk stress-test to evaluate the ability to withstand adverse scenarios. These scenarios need to consider events in the macro- and micro- economic environment that could affect the credit quality. 49 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 50 Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities. 51 Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments. 132 PERU In addition, the SBS has issued specific regulations for the management of Foreign Exchange Induced Credit Risk (relevant given the dollarization of the economy) and over-indebtedness of retail borrowers, which regulates how to deal with retail clients with no or limited formal income (relevant given the size of the informal economy). The Foreign Exchange Induced Credit Risk Management Regulation (Resolution SBS No. 041-2005), requires FIs to establish explicit internal procedures to qualify, grant and monitor loans in foreign currency. To do this, companies must identify debtors exposed to credit risk arising from the mismatch of currencies between their income and their obligations, using an internal methodology. They must also measure the effect of a foreign exchange rate shock on the payment capacity of their debtor portfolio, at least annually. The exchange shock scenarios should, at least, assume two depreciation scenarios; one with 10 and another with 20 percent depreciation of the local currency. FIs are required to take corrective actions on the credit classification (e.g. downgrading from Standard to Watch for provisioning purposes) or credit conditions when they identify debtors whose payment capacity is substantially impacted because of a foreign exchange rate shock. The Retail Over-Indebtedness Risk Management Regulation (Resolution SBS No. 6941-2008), establishes that FIs must adopt a risk management system for over- indebtedness that allows reducing this risk before and after granting the credit and to permanently monitor the portfolio with the purpose of identifying over-indebted debtors, which includes periodic evaluation of the control mechanisms used, as well as the corrective actions or improvements required. if a FI does not comply with the requirements included in the regulation, it is required to establish additional general provisions of 1 percentage point over its exposures classified as Standard. Finally, there are regulations that regulate specific aspects related to credit risk management, including the following: • Classification of Borrowers and Provisioning Regulation (Resolution SBS No. 11356-2008); • Credit Risk Capital Requirements (Resolution SBS No. 14354-2009); • Supplementary Provisions for the Administration of Foreign Exchange Induced Credit Risk (Circular B-2145-2005); • Minimum Required Information for Originating, Monitoring, Control, Evaluation and Classification of Credit Risk Exposures (Circular B-2184-2010); • Country Risk Management Regulation (Resolution SBS No. 7932-2015); • Special Rules on Connected Parties and Economic Groups (Resolution SBS No. 5780-2015); • Prudential Standards for Transactions with Companies of the Financial System (Resolution SBS No. 472-2006); • Application of Operating Limits Referred to in Articles 201 to 212 of the LGSF (Circular B-2148-2008). The bank-wide view on all material risks, including credit risk, and relating it to the strategy, risk appetite and capital adequacy on a three-year horizon is part of the 133 PERU ICAAP. The ICAAP also includes a comprehensive regulatory stress-test and credit risk sensitivity analysis. The procedures for the supervisory review of the ICAAP are detailed in a separate, annually updated, manual. The SBS uses a rating methodology consisting of 7 building blocks: i) Solvency; ii) Credit risk; iii) Liquidity risk; iv) Market risk (incl. IRRBB); v) Operational risk; vi) Profitability and efficiency; and, vii) Management and control. Specific procedures, used to determine the score for credit risk in the internal rating methodology, for the review of the credit risk management are detailed in several manuals. The “RC.01: On-Site Manual on Credit Risk Management of FIs” provides detailed procedures for evaluating the following main elements: • Credit risk strategy in relation to risk appetite and tolerance; • Organizational structure and resources to manage credit risk; • Credit risk policies and procedures; • Technology infrastructure and operational systems; • Compliance with regulations. In addition, the Internal Audit Regulation (Resolution SBS No. 11699-2008) requires the internal audit function to perform a risk-based audit with the necessary scope and depth regarding, inter alia: (a) the effectiveness of credit risk management processes; (b) their appropriateness and design suitability; and (c) the adequacy of risk responses, resulting in a risk level that is within the tolerance levels approved by the Board. The internal audit function must submit a report to the SBS every four months on progress made on the Audit Plan, including the review of operations subject to credit risk. EC2 The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,52 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. Description and Board involvement, approval and regular review of credit risk management strategy, findings re EC2 policies and procedures as well as the regular reporting by senior management is reviewed as part of the procedures detailed in “GC.01: On-site Examination Manual for Corporate Governance”. The review of the minutes and underlying documents and reports, prepared by senior management, of the Board and Risk Committee meetings is an important part of the on-site examination, through which the SBS gauges the Board involvement. 52“Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments. 134 PERU In addition, and as mentioned in EC1 the “RC.01: On -Site Manual on Credit Risk Management of FIs” contains procedures to evaluate the credit risk strategy (in terms of products, clients, sectors and geography) in relation to risk appetite and tolerance, but also for evaluating credit risk policies and procedures; existence and content of significant policy and procedure manuals, as well as their actual implementation, amongst others by reviewing a sample of loan files. EC3 The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: (a) a well-documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; (d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; (e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits. Description and The SABM has developed a supervisory cycle methodology, ready to be approved, findings re EC3 which considers the overall risk and the size of the financial institution in order to define the supervisory credit risk priorities and “length” of the supervisory cycle. The business lines (small business, microenterprises, consumer and mortgage loans (all retail), and corporate and large and medium size companies (non-retail)) to be reviewed in each on-site inspection will depend on the significance and risk grade to be obtained on the revised rating methodology. 135 PERU Although this methodology has not been approved yet, SABM has been applying in practice a supervisory cycle according to the systemic importance of FIs and significance of credit business lines. The cycle for business line(s) to be reviewed in an on-site inspection is(are) selected depending on its(their) importance (contribution of the business line in earnings or total assets), growth and performance (e.g. probability of default, vintage analysis). The “RC.01: On-Site Manual on Credit Risk Management of FIs” (covering: credit risk strategy in relation to risk appetite and tolerance; organizational structure and resources to manage credit risk; credit risk policies and procedures; technology infrastructure and operational systems; and compliance with regulations) has two annexes that provide more detail for the evaluation of credit risk management per business line: • Annex I: Credit risk of the retail portfolio • Annex II: Credit risk of the SME/Corporate portfolio These annexes contain detailed procedures to evaluate existence, adequacy and the degree of compliance with the internal credit policies and procedures related to: a) Pricing; b) Approval; c) Administration; d) Monitoring; e) Recovery; and f) Review of the work of the internal audit function on the internal credit risk management processes. The manual and annexes contain detailed procedures to evaluate each of the above- mentioned elements and include amongst others the following: • Constitution of Committees for the approval of credits and of recoveries; observing its regulation and approval by the Board, which should specify amongst others its: responsibilities, limits of autonomy, exception operations, periodicity of sessions, appointment of its members, alternates, and secretary. • Determine if the Board has established policies that regulate the processes of overdue loans, pre-judicial collections, refinancing and the judicial collection of loans. • Determine if the Board has established amongst others: degrees of tolerance regarding the concentration of credits by economic groups, geographical areas, economic sectors, and socioeconomic levels. • Verify if Credit Policies and / or Credit Risk Manuals include procedures to identify, quantify, monitor and control exposures of individual risk, economic groups, connected parties and counterparty risk. • Determine if the Board has established policies to develop its business per business segment and by type of credit. • Determine the reasonableness of the organizational structure of the areas involved in the credit process (business, risk, portfolio monitoring), observing compliance with regulations regarding functional independence in the 136 PERU management and control of credit risk per size and nature of operations; as well as the process of receiving and administering collateral. • Determine if the Board or Risk Committee has established responsibilities on the part of the Risk Management regarding reports related to the credit development and deterioration thereof, concentration reports, write-off report, follow-up report for refinanced and restructured operations, recovery reports and classification reports of the loan portfolio and calculation of provisions. • Verify if Credit Policies and / or Manual of Credit Risk, include guidelines or restrictions to manage among others high risk assets, commercial loans without guarantees and overdrafts in current account. • Determine if the Board has approved a credit rating system to evaluate credit proposals for corporate and business companies. • Determine if the area in charge of the disbursements controls that the credit operations in favor of its clientele and related parties have been approved by the corresponding committees and that these are in line with regulatory limits, that the approved credit conditions comply and that the documentation is complete (powers, collateral, signatures, approval levels) to manage disbursements. • Verify if the entity has updated policies and regulations, approved by the Board, to receive, value, register, manage, release and maintain an adequate control of collateral received to cover credits granted; as well as aspects related to the contracting of insurance policies. • Determine if the Credit Policies and / or Credit Risk Manual, establish analytical tasks prior to the approval of credit operations, and if these include inspection visits to the debtor's company and verification of the assets offered as collateral. EC4 The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. Description and As mentioned in EC1, the SBS has issued specific regulations for the management of findings re EC4 Foreign Exchange Induced Credit Risk (Resolution SBS N° 41-2005; relevant given the dollarization of the economy) and over-indebtedness of retail borrowers (Resolution SBS N° 14354-2009), which regulates how to deal with retail clients with no or limited formal income (relevant given the size of the informal economy). In case the SBS establishes that an FI does not have an adequate risk management framework for FX induced credit risk the SBS can require higher general provisions for loans exposed to FX induced credit risk. In addition, Resolution SBS No. 41-2005 and Circular B-2145-2005 require FIs to subject the repayment capacity of non-retail borrowers to a stress-test (depreciation of respectively 10 and 20 percent) and to take corrective actions on the credit classification (e.g. downgrading from standard to watch) when they identify debtors whose payment capacity is significantly impacted (significantly is defined in the Circular), resulting in higher provisioning requirements. 137 PERU The risk management regulation for over-indebtedness of retail borrowers establishes 22 criteria for evaluating sound risk management. Banks with significant retail exposure need to comply with 75 percent of the criteria, and other banks with 60 percent of the criteria. In case FIs do not meet these thresholds the credit conversion factors for unused credit lines will be increased from 0 to 20 percent and the general provisioning requirement will be increased with 1 percentage point. The on-site examination procedures for FX induced credit risk management and over-indebtedness Risk Management of FIs are detailed in two separate on-site examination manuals (respectively in RC.04 and RC.05). EC5 The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. Description and Article 21 of the Credit Risk Management Regulation determines that staff with findings re EC5 conflicts of interest should not participate in the credit decision process and that decisions regarding related party exposures require the approval of the Board or the highest organ responsible for credit risk, while Board members with a conflict of interest should not participate in the decision-making process. Article 4 of the Credit Risk Management Regulation requires: • The establishment of an organizational structure and decision process that avoids conflicts of interests; • An adequate segregation of functions and responsibilities of the different units involved in credit risk management. Going forward, the requirement to have policies for dealing with conflicts of interest has also been embedded in the overarching Corporate Governance & GIR (coming officially into effect per April 2018). Article 18 of this regulation requires financial institutions to identify potential conflicts of interest that could arise in its organs or management and requires financial institutions to implement policies and procedures for dealing with and controlling conflicts of interests. The “RC.01: On-Site Manual on Credit Risk Management of FIs” contains procedures for reviewing whether FIs have adequate policies and procedures (existence and implementation) for dealing with conflicts of interest. EC6 The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. Description and Article 93 of the LGSF establishes that all exposures above a threshold to be set by findings re EC6 the SBS need to be reported by the Chief Executive Officer to the Board. In this context, Circular B-1900-92 prescribes that all exposures above a threshold of 0.5 percent of available regulatory capital need to be reported to the Board. 138 PERU More specifically, article 21 of the Credit Risk Management Regulation requires that all exposures that affect the risk profile need to be approved by the Chief Executive Officer or the Credit Risk Committee. Article 26 of the Credit Risk Management Regulation determines that FIs need to establish criteria for the identification of clients with an elevated credit risk and define actions to monitor these exposures. For this kind of exposures, the institution is required to implement a risk management approach that differs from the normal approach. Effectively this article requires institutions to set up a specialized unit for this kind of exposures. The “RC.01: On-Site Manual on Credit Risk Management of FIs” contains procedures for reviewing whether FIs have adequate policies and procedures (existence and implementation) for dealing major credit risk exposures. As part of the procedures established in “GC.01: On -site Examination Manual for Corporate Governance” the SBS also review whether the reports provided to the Board by senior management are adequate (provide information on relevant topics and in sufficient detail) and whether senior management requests Board approval for exceeding internal limits that are beyond their decision-making autonomy (as pre- determined by the Board). EC7 The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. Description and Article 350 of the LGSF establishes that for its supervision the SBS has the right to findings re EC7 access all types of information of the supervised institution and can examine all information that is needed for the realization of its responsibilities. FIs are required to cooperate in this respect. Resistance or non-cooperation will result in sanctions as described in article 361 of the LGSF. In addition, Article 349 (sub 5) of the LGSF allows the SBS to interrogate also third parties (non-supervised entities) if this is deemed useful in the context of the examination of a SI. The SBS is authorized to order the cooperation of third parties under the Civil Code. To illustrate the extent to which the SBS uses its powers, as a standard procedure, the FIs must submit their entire loan data base (Base de Datos) to the SBS in preparation of the on-site examination. This data is used amongst others to review the asset classification and the adequacy of loan loss provisioning. EC8 The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. Description and The Credit Risk Management Regulation, FX Induced Credit Risk Management findings re EC8 Regulation and Retail Over-Indebtedness Risk Management Regulation all contain specific requirements for stress-testing for risk management purposes. In the case of 139 PERU the regulations for FX induced credit risk and over-indebtedness the results of the stress-testing might immediately affect the provisioning requirements. In addition, the assessment of all material risks (including credit risk), in relation to the strategy, risk appetite and capital planning, taking into account a three-year horizon are part of SBS’ ICAAP requirements. The ICAAP requirement also includes a comprehensive regulatory stress test as well as credit risk sensitivity testing (see CP 16). Assessment of Compliant Principle17 Comments The SBS has an adequate regulatory and supervisory framework for credit risk. The Credit Risk Management Regulation issued in 2011 and the Credit Risk Capital Requirements Regulation (Resolution SBS No. 8548-2012) address the comments made in the 2011 BCP assessment. Recommendations: • The developed risk-based supervisory cycle for assessing credit risk should be formalized and as planned incorporated in the revised rating methodology and supervisory approach which is expected to be rolled-out in 2019. Principle 18 Problem assets, provisions and reserves.53 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves. 54 EC1 Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. Description and The LGSF and regulations issued by the SBS provide a detailed framework for the findings re EC1 identification and management of problem assets, asset classification, provisioning and write-offs. Article 354 establishes that the SBS has the power to require supervised entities to make provisions and reserves for assets and off-balance sheet items for credit or market risk in line with the requirements set by the SBS. The Credit Risk Management Regulation (SBS Resolution No. 3780-2011 provides the main risk management requirements in terms of policies, procedures and organization and governance of the credit risk management function, including for the monitoring of problem assets (see CP 17). 53Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 54Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit). 140 PERU The Classification of Borrowers and Provisioning Regulation (SBS Resolution No. 11356-2008) regulates the evaluation of borrowers, their classification and provisioning and write-offs. The regulation sets criteria for classifying borrowers in five categories: Standard; Watch; Substandard; Doubtful; and Loss, and sets minimum provisioning rates per category. For retail borrowers (micro and small enterprises, consumers, and mortgage loans), the classification is based on the number of days past due. For non-retail borrowers, the primary consideration for the asset classification is the debt service capacity based on the borrower’s cash flow. Specific Provisioning Rates Without With With preferred Asset categories Collateral preferred highly quality collateral collateral Watch 5.00% 2.50% 1.25% Substandard 25.00% 12.50% 6.25% Doubtful 60.00% 30.00% 15.00% Loss 100.00% 60.00% 30.00% Source: SBS If exposures have preferred self-liquidating guarantees (for example a cash deposit), the FI has to establish specific provisions for the covered portion of 1 percent, for all other types of collateral the above table applies. The different categories of collateral are discussed in more detail in EC8. The Credit Risk Management Regulation establishes in Article 14 that the Credit Risk Unit (or another unit independent from the business units) has among its functions, the regulatory classification of the borrowers, and the calculation of the required provisions. In relation to the write-off policy, numeral 6 of chapter IV of Classification of Borrowers and Provisioning Regulation and article 30 of the Credit Risk Management Regulation, indicate that the Board must write-off a fully provisioned exposure in the Loss category, when there is real and verifiable evidence of its non-recoverability, which must be supported by a legal report, or when the amount of the exposure does not justify initiating legal action or arbitration. As a backstop, if an exposure has been classified as a loss loan for more than 24 months (or for 36 months as doubtful), the collateral no longer can be considered for provisioning purposes and the total exposure needs to be provisioned for 100 percent. Article 15 of the Credit Risk Management Regulations establishes that credit policies and procedures must incorporate procedures for managing risky assets, including their early identification, monitoring and recovery as well as the constitution of additional provisions. 141 PERU EC2 The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes Description and The review of the asset quality of FIs plays an important role in the supervisory findings re EC2 approach of the SBS to which in every annual examination substantial resources are dedicated. The risk management unit of the FIs are responsible for the classification and adequate provisioning levels. FIs must report monthly the classification and provisioning of their loan portfolio through Annex 5 (Classification and Provisions Report). In addition to the analysis of the information obtained from the borrower, the FI can also look for information in the SBS Credit Registry, which contains the credit risk classification of every borrower across all FIs. The Credit Registry is based on the information provided by the FIs in the Annex 6 “Credit Report of Debt ors (RCD)", through which FIs report their granted loans (above PEN 1.00) detailing type of credit and modality, currency, borrower credit risk classification, collaterals, as well as provisions made, among other information. The Classification of Borrowers and Provisioning Regulation (SBS Resolution No. 11356-2008) requires FIs to review the Credit Registry and if necessary align the classification of its client with the classification as determined by other FIs (in case the client has exposure with multiple FIs). The classification of the borrower needs to be aligned with the highest risk category that has been assigned by any FIs whose credit represent a minimum of twenty percent (20 percent) of total exposure of this client to all FIs of the system. Only one category difference is allowed. For retail debtors, the alignment only needs to be made when the classification in another FI whose credit represent a minimum of twenty percent in the system is Doubtful or Loss. In addition, the Internal Audit Unit (IAU) and the External Auditor need to review the implementation of internal policies and procedures for grading and classifying assets and establishing adequate provisioning levels. The Internal Audit Regulation (Resolution SBS No. 11699-2008) establishes that the evaluation of credit risk management must be part of the Work Plan of the IAU. It further establishes that this includes the review of the asset classification through the review of a representative sample of the non-retail portfolio on at a minimum a 4- monthly basis. The criteria for determining the sample need to take amongst others into account: i) large exposures; ii) borrowers subject to certain credit alerts; iii) borrowers with occasional past due payments; iv) borrowers that were upgraded during the past year; v) refinanced and restructured borrowers; vi) related parties; vi) and borrowers reclassified by the financial institution or the SBS. For the review of the retail borrowers, permanent controls need to be implemented; in addition, integrity 142 PERU analysis of data and representative samples, such as review procedures, are required at least once a year. The External Audit Regulation (Resolution SBS No. 17026-2010) also requires the external auditor to review the asset classification and to report the observed discrepancies, the reasons for the discrepancies and the impact of not realizing corrections. Finally, the SBS reviews the work of the internal and external auditor, but also itself reviews as part of its supervisory approach the asset quality, classification and adequacy of provisioning. As a standard procedure, FIs need to send in advance of the on-site examination the database of their entire loan portfolio (Base de Datos). Using Audit Command Language (ACL), IDEA and STATA software the SBS reviews the asset classification and adequacy of provisions of the entire retail portfolio. Further analysis of risk, and forward-looking performance estimates by vintage and of underwriting standards is also possible. Examples of vintage analyses were shared with the assessors. For non-retail loans the SBS reviews a sample of loan files. The review of each file is supported by an excel template (FECD). In this template the SBS collects and analyses the relevant information for determining the classification of the borrower. The analysis considers the credit performance of the borrower with the FI, the performance of the borrower on exposures with other FIs, the financial statements (to be received by the FIs semi-annually) and the provided collateral for the exposure. The assessors reviewed a sample of supervisory documents and examination reports, which evidenced an intensive supervisory approach, and adequate supervisory actions (e.g. requiring reclassification of borrowers, and improvement in risk management) because of observed deficiencies and weaknesses. EC3 The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.55 Description and Chapter III, Subsection 3 of the Classification of Borrowers and Provisioning findings re EC3 Regulation requires FIs to make general and specific provisions for direct exposures and the exposure equivalent of off-balance sheet items. Chapter I, Subsection 3 of the Classification of Borrowers and Provisioning Regulation establishes the above Credit Conversion Factors (CCF) for the calculation of the equivalent exposure of off-balance sheet items: The review of the adequate classification of off-balance items part of the review by Internal and External Audit and the SBS’ on-site examinations (see EC2). 55 It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled. 143 PERU Credit Conversion Factors for Provisioning Purposes a) Irrevocable letter of credit confirmations with a maturity of up to a 20% year, when the issuing financial institution is part of a first level foreign financing system b) Letters of guarantee that guarantee the performance of a customer 50% c) Endorsements, letters of credit and guarantees not included in the “b)”, 100% and confirmed letters of credit not included in “a)”, as well as banker acceptances d) Undisbursed granted credits and unused lines of credit 0% e) All other items 100% Source: SBS The CCF for undisbursed granted credits and unused lines of credit deviates from the factors used for the credit risk capital requirements (Resolution SBS No. 14354-2009), which are aligned with the Basel II framework. The Basel II framework establishes that commitments with an original maturity up to one year and commitments with an original maturity over one year will receive a CCF of 20 percent and 50 percent, respectively. Only commitments that are unconditionally cancellable at any time by the bank without prior notice, or that effectively provide for automatic cancellation due to deterioration in a borrower’s creditworthiness, will receive a 0 percent CCF. The current blanket approach, assigning a 0 percent CCF to all undisbursed and unused lines of credit is considered to underestimate the exposure at default and the general provisioning requirements for this type of off-balance items. This comment was also made in the 2011 BCP assessment. EC4 The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. Description and The classification of retail borrowers is based on the number of days past due. findings re EC4 The Classification of Borrowers and Provisioning Regulation requires banks to assess non-retail borrowers based on their repayment capacity, including the assessment of the total indebtedness of the borrower, including to other FIs in Peru as well as abroad, and its compliance with its obligations on those exposures. For this purpose, the financial institution needs also to consider the possible risks related to foreign currency, maturity of exposures, interest rates and derivative exposures that can impact the borrower’s repayment capacity. The repayment capacity needs to be evaluated considering possible variation in the economic and regulatory environment, as well as the vulnerability to changes in the contractual relationships and composition of the client and supplier portfolio of the borrower. In determining the final classification, the days past due and the classification of the borrower by other financial institutions (available in the Credit Registry) needs also to 144 PERU be considered. For non-retail borrowers, the adequacy of this assessment is reviewed by the SBS on a sample basis during on-site examinations (see EC2). An exposure needs to be written off when it has been classified as a Loss loan and has been provisioned for 100 percent, and when evidence exists that the exposure has become non-recoupable or when the exposure is too small to justify the initiation of legal or arbitration procedures. As a backstop, the SBS has determined that if an exposure has been classified as a loss loan for more than 24 months (or for 36 months as doubtful), the collateral no longer can be considered for provisioning purposes and the exposure needs to be provisioned for 100 percent. All write-offs need to be approved by the Board. Only in case it exceeds 3 tax units (PEN 4,050), it also need to be approved by the SBS (SBS approval is needed for tax deduction purposes). EC5 The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g. 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g. rescheduling, refinancing or reclassification of loans). Description and As mentioned above, the classification of retail borrowers is determined on days past findings re EC5 due. Using ACL, IDEA and STAT software, the SBS reviews the adequacy of the classification and provisioning levels for the entire retail portfolio, while for the non- retail portfolio a sampling approach is used. In its on-site examinations, the SBS (using its on-site examination credit risk manuals) evaluates amongst others: • That the credit policies and / or credit risk manuals clearly establish the credit evaluation and approval process. • If the organizational structure establishes the functional independence of the area or department responsible for the evaluation and classification of the portfolio of non-retail loans, with respect to the business area (evaluation) and the operating unit (disbursement). • If the area responsible for the classification of the loan portfolio has sufficient and adequate computer tools to fulfill its functions. • If the officials responsible for the evaluation and classification of the loan portfolio have a high workload or perform other types of work, which does not allow them to properly fulfill their main task. The SBS verifies that the classification of the non-retail portfolio is permanent, and FIs are required to have an internal sample selection methodology to evaluate the adequacy of the classification. As evidence of this process, the SBS reviews during the on-site examination the FI’s own evaluation files. 145 PERU In case of refinancing, the Classification of Borrowers and Provisioning Regulation establishes that the borrower’s asset classification at the time of the signing of the refinancing contract or approval of the rescheduling of payments, must be maintained, except for borrowers classified as Standard, which need to be reclassified to Watch. Only after 6 months of full compliance with the new terms and conditions the loan can be reclassified (1 category). In case of grace periods, the six-month period only starts counting after the end of the grace period. The review of refinanced and restructured loans is part of the on-site loan classification review process. EC6 The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. Description and The SBS receives extensive off-site information on the loan classification and loan- findings re EC6 loss provisioning. The following prudential returns must be submitted monthly by the FIs: • Annex 5: “Report on Classification of Borrowers and Provisions” • Annex 5-A: “Summary of Procyclical Provisions”; • Annex 5- B: “Loan Portfolio Transfers,” and; • Annex 6, the “Borrowers’ Credit Report – RCD.” Annex 6 contains the information of the complete loan portfolio and is the data source for the Credit Registry. Article 15 of the Credit Risk Management Regulation requires amongst others that all the information necessary for the compliance with the regulation (including for classifying and loan-loss provisioning) needs to be available to the SBS physically as well as per magnetic media. Finally, not submitting the required periodic reports is considered a grave infraction and subject to sanctioning as detailed in the Resolution SBS No. 816-2005 – Sanctions Regulation. The SBS indicated that also in practice it has full access to the necessary information. EC7 The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g. if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. Description and Chapter IV, Subsection 4 of the Classification of Borrowers and Provisioning findings re EC7 Regulation explains that the SBS will regularly review the adequacy of the 146 PERU classification of the loan portfolio, and establishes that the SBS as a result of this review can require the reclassification of exposures and or higher provisions. FIs are required to immediately reclassify the exposures after receiving the instruction of the SBS. In the case the institution does not comply, the SBS will immediately deduct the required additional provisions from the institutions regulatory Tier 1 capital. In addition, as explained in EC4 of CP 17, the SBS requires banks to make additional provisions for retail clients if the risk management requirements of the Retail Over- Indebtedness Risk Management Regulations are not met. For non-retail exposures, the FX Induced Credit Risk Management Regulation establishes that FIs need to reclassify the exposures if the repayment capacity is significantly affected as a result of a currency depreciation shock (which needs to be assessed using two supervisory prescribed stress test scenarios). Article 132 of the LGSF establishes that provisions are one of the instruments to mitigate the risks for depositors. The SBS has used this provision to implement pro- cyclical provisioning requirements as part of the Classification of Borrowers and Provisioning Regulation. The pro-cyclical provisions have the same activation trigger as the countercyclical capital buffer (see CP 16), however, instead of 12 months FIs need to comply with the pro-cyclical provisioning requirements within 6 months after the requirement is activated. Loans classified as Standard attract under this provision an additional general provisioning requirement, which differs per asset class (varying from 0.4 percent for corporate exposures to 1.5 percent for revolving consumer loans – while the regular general provisions vary from 0.7 to 1.0 percent depending on business line). The aim is to realize an additional general provisioning buffer in benign economic circumstances that can be used to buffer losses on when the quality of the loan portfolio deteriorates. Reviewed on-site examination reports evidenced that the SBS requires FIs to reclassify loans (and as a result increase provisioning), if deemed necessary as a result of the review of the loan portfolio. EC8 The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. Description and As indicated in EC1 the Classification of Borrowers and Provisioning Regulation findings re EC8 distinguishes for provisioning purposes; Preferred collateral; Liquid preferred collateral, and; Self-liquidating collateral. Section 3 of Chapter IV of the Classification of Borrowers and Provisioning Regulation establishes regarding the valuation of collateral the following: • The valuation of collateral needs to be based on the net realization value, which must appropriately reflect its sale value in the market minus the additional expenses incurred for that purpose. 147 PERU • Net realizable value in the market is understood to be the net value that the FI expects to recover because of an eventual sale or execution of the asset in its current state and location. Therefore, this value should amongst others consider the penalties and charges for taxes, commissions, freights, and losses. This value should be based on a commercial reference value, calculated from reliable information. In no case should the commercial value be estimated based on mere expectations of price improvement in the market, or financial assumptions related to potential customers, but a strictly conservative criterion should be followed, based on current market conditions. • The goods given as collateral will be valued by an appropriate professional duly registered in the Registry of Appraisers (REPEV) of the SBS. • In the case of mortgages and movable property, it must be verified if they have been effectively registered in the corresponding registers and that they have insurance covering the loss of the property, duly endorsed in favor of the FI. Otherwise, they cannot be considered as preferred [for provisioning purposes] collateral. • In the case of real estate and personal property registered in the Legal Registry of Assets, the valuation must be made through a commercial appraisal that has sufficient backup records referring to the prices used. Preferably, recent sales of similar goods will be considered as sources for the calculations of these prices. The considerations that served as the basis for determining the final value of the assessed good must remain in files available to the SBS. • When the collateral relates to securities, or financial instruments in general, they need to be pledged in favor of the company, observing the laws on the matter. The valuation of these instruments will be carried out according to internal models developed by the company, subject to review by the SBS. Said models must be consistent with the valuation models used in accordance with the provisions of the Regulation of Classification, Valuation and Provisions of the Investments of the Companies of the Financial System, and the resulting prices must be equal for the valuation of collateral and investments. • Preferred collateral are those that meet all of the following requirements: (a) money or assets that allow conversion into money without significant costs; (b) have adequate legal documentation; (c) they do not present any prior obligations that could diminish their value or prevent the creditor company from acquiring a clear title; and (d) its value is permanently updated. In order to keep the value of preferred collateral permanently updated, FIs may use value updating systems based on market performance indicators, built on reliable commercial, economic and statistical reference information. The value of the preferred collateral must be updated by valuation performed by an expert registered in the REPEV, when applicable and when there is a change that could have a significant impact on the valuation of the asset. The regulation provides further details on the type of collateral that is accepted for provisioning purposes: • Preferred collateral (o.a. first mortgages); 148 PERU • Preferred liquid collateral (o.a. financial instruments issued by the Government or Central Bank); • Self-liquidating collateral (a.o. cash deposits). The review of collateral is generally carried out on the borrowers of the selected sample of the loan portfolio and its purpose is to determine whether the collateral meets the criteria established by the SBS to be considered for credit risk mitigation purposes. If, because of the examination of credit files, adjustments are established in collateral values, the FI is obliged to make these adjustments and to establish additional provisions, if necessary. EC9 Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g. a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g. a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected). Description and Retail borrowers and mortgage loans are assessed based on days past due. findings re EC9 The Classification of Borrowers and Provisioning Regulation requires banks to assess non-retail borrowers based on their repayment capacity, including the assessment of the total indebtedness of the borrower including to other lenders in Peru as well as abroad, and its compliance with its obligations on those exposures. For this purpose, the financial institution needs also to consider the possible risks related to foreign currency, maturity of exposures, interest rates and derivative exposures that can impact the borrower’s repayment capacity. The repayment capacity needs to be evaluated considering possible variation in the economic and regulatory environment, as well as the vulnerability to changes in the contractual relationships and composition of the client and supplier portfolio of the borrower. In determining the final classification also, the days past due and the classification of the borrower by other financial institutions (available in the Credit Registry) needs to be taken into account. In addition, FIs must maintain a permanent record of all refinanced and restructured exposures that have been reclassified as current. These exposures can be reclassified as performing (Normal or Watch) if they comply with all the following conditions: • As a result of the satisfactory evaluation of their repayment capacity; 149 PERU • The conditions of the exposure have not been changed more than once as a result of repayment capacity issues; • The borrower has repaid at least 20 percent of the refinanced or restructured exposure; • The borrower has demonstrated its repayment capacity for at least two consecutive quarters; • If the refinanced or restructured exposure contains a grace period, the above conditions need to be complied with from the date the grace period ends. As a standard practice, refinanced and restructured loans or borrowers that have exposures which exhibit characteristics of refinancing are included in the sample of credit files to be reviewed for their compliance with the Classification of Borrowers and Provisioning regulation during the on-site examination. EC10 The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. Description and The “On-site Credit Risk Management Supervision Manual” contains procedures for findings re EC10 the review of the (by regulation required) quarterly report on the asset classification and provisioning to the Board (or its Risk Committee) as prepared by the Risk Unit of the FI. The manual In-Situ SABM No. GC-01-2010 Evaluation of Good Corporate Governance Practices in Companies of the Financial System contains a procedure to review whether the reports prepared by the Risk Unit are complete, comprehensive, easy to interpret and sufficient for the CEO and the Board (or its Risk Committee) to understand the risk profile. In addition, the manual contains procedures to review the adequacy of the system for the different risk reports to the Board. This is also part of the governance self-assessment (see also CP 14) that is sent 2 months in advance of the on-site examination and which needs to be submitted by the FI one month ahead of the on-site inspection. EC11 The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. Description and The Classification of Borrowers and Provisioning Regulation requires that all findings re EC11 borrowers are assessed and classified individually. For the classification of retail borrowers, days past due can be used as criterion. The regulation has higher requirements for non-retail borrowers. Clients with total loans in the financial system (so across all FIs – which can be verified in the Credit Registry) of less than PEN 300,000 in the past 6 months qualify as retail borrowers. Mortgages loans for housing 150 PERU are also considered to be part of the retail portfolio. All other exposures are considered non-retail borrowers. EC12 The supervisor regularly assesses any trends and concentrations in risk and risk build- up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. Description and The Credit Risk Management Regulation requires FIs to set concentration limits for findings re EC12 large exposures, geography, economic sectors, asset classification category, internal classification category, exposure to foreign exchange induced credit risk, retail clients exposed to the over-indebtedness risk, and country risk. In case of losses, the FI needs to compare and analyze the estimated losses with the realized losses and review whether corrective actions are possible (article 18, 34). The Credit Risk Management Regulation, Retail Over-indebtedness Risk Management Regulation and the Foreign Exchange Induced Credit Risk Regulation require financial institutions to assess their risk capacity and ability to absorb adverse events using stress-testing. The Credit Risk Supervision Unit of the SAR prepares standard periodic reports on the credit risk trends, including a Sectoral Credit Risk Report which analyzes the sectoral concentration risk per bank and on a system level. For individual, sectoral and geographical concentration risk and institution specific credit risk the SBS has implemented additional capital requirements and accompanying prudential reporting (see CP 16). In addition, SAEE conducts two times per year (taking into account the macro- economic and structural developments of the banking system) a stress-test, of which the results are presented to the SABM and the SAR. In this context, the SAEE has worked the past few years on a possible asset bubble in mortgages (2011-2012), the expansion credit card and consumer loans (2014-2015) and the impact of El Nino on the FIs with mayor exposures in potentially affected regions. Also, the assessment of all material risks (including credit risk), in relation to the strategy, risk appetite and capital planning, considering a three-year horizon are part of SBS’ ICAAP requirements. The ICAAP requirement also includes a comprehensive regulatory stress test as well as credit risk sensitivity testing (see CP 16). The results of the stress-testing performed by the SAEE are used as a benchmark in the analysis of the stress-testing results reported by the FIs in their ICAAP. Assessment of Compliant Principle 18 Comments The LGSF and regulations issued by the SBS provide a detailed framework for the identification and management of problem assets, the asset classification, provisioning and write-offs. The corresponding supervisory approach and practices to 151 PERU assure adequate policies and practices by FIs are sound. Reviewed documentation evidenced that in case the SBS observes deficiencies or weaknesses, supervisory action is undertaken. The CCF, as used for provisioning purposes, for undisbursed granted credits and unused lines of credit deviates from the factors used for the credit risk capital requirements (Resolution SBS No. 14354-2009, which incorporates CCFs based on the Basel II capital requirements for credit risk). The Basel II framework establishes that commitments with an original maturity up to one year and commitments with an original maturity over one year will receive a CCF of 20 percent and 50 percent, respectively. Only commitments that are unconditionally cancellable at any time by the bank without prior notice, or that effectively provide for automatic cancellation due to deterioration in a borrower’s creditworthiness, will receive a 0 percent credit conversion factor. The current blanket approach, assigning a 0 percent CCF to all undisbursed and unused lines of credit is from a provisioning point of view less conservative. Considering the overall framework for credit risk, provisioning and capital requirements (including the additional capital requirements, in particular the risk propensity buffer) this is assessed as a minor issue and therefore this criterion has overall been assessed as Compliant. Recommendations: • Review the CCFs applied (for provisioning purposes) to undisbursed and unused credit lines. Principle 19 Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.56 EC1 Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.57 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. Description and In addition to the general risk management framework, the SBS has issued specific findings re EC1 regulations and requirements for concentration risks that are relevant for the banking system. This includes regulations to address single name, sectoral, geographical, FX induced credit and country concentration risk. The SBS also monitors and has also established funding concentration risk requirements. 56 Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof. 57 This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies. 152 PERU The responsibility of the Board for the approval and review of concentration risk policies, procedures and limits in line with the risk appetite and risk capacity of the financial institution is laid down in the GIR and its successor the Corporate Governance & GIR (see also CP 14 and 15). More specifically, Article 17 of the Credit Risk Management Regulation (Resolution SBS No. 3780-2011), establishes that SIs must define within their credit policies and procedures acceptance criteria of risk to ensure that exposures at the individual level and at the portfolio level are consistent with their business strategy. Also (article 1), the potential loss of all credit risk exposures, on- and off-balance sheet, needs to be considered for credit risk management purposes. Furthermore, article 18 establishes that SI must include in its policies and procedures at least the following internal credit risk concentration limits: • Limits per counterparty, at the individual level and by economic group, considering the linkage by single risk; • Limits by economic sectors, by geographical location and other common risk factors that impact the total of credit risk exposures. The limits established by the SI must be consistent with the prudential regulations and any exception to internal limits must be approved by the Board. Single name, sector and geographical credit concentration risk are part of the Additional Capital Requirements Regulation (Resolution SBS No. 8425-2011). FIs have to report monthly, Reports No. 4 B-1, 4 B-2 and 4 B-3, respectively their top-20 exposures, total credit exposures per economic sector (19 sectors) and per region (8 macro regions), as well as the calculation of the corresponding capital charge, as part of the CCB, for each of these concentrations (see CP 16). Regarding the limits for exposures subject to market risk (see CP 22), Article 200 of the LGSF establishes that holdings of shares as well as certificates of participation in mutual funds and certificates of participation in investment funds are not allowed to exceed in total 40 percent of available regulatory capital, without prejudice to the large exposure limits established in articles 203 to 211 of the LGSF. In addition, article 3 of Market Risk Management Regulation (Resolution SBS No. 509-1998), establishes that it is the responsibility of the Board or equivalent body to establish and ensure compliance with policies and procedures for market risk. Article 13 states that the Risk Committee of SIs must establish internal limits for market risk exposures in all kinds of temporary or negotiable financial investments, including derivative financial instruments. In addition, the SBS has also established regulatory requirements and prudential reports for FX induced credit risk, country risk (see CP 21) and funding concentration risk (see CP 24). 153 PERU Under ICAAP, FIs must assess all their material risks and at a minimum must include single name, sectoral and geographical concentration risk and the capital needed to cover these risks. EC2 The supervisor determines that a bank’s information systems identify and aggrega te on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure58 to single counterparties or groups of connected counterparties. Description and The SBS uses a rating methodology consisting of 7 building blocks: i) Solvency; ii) findings re EC2 Credit risk; iii) Liquidity risk; iv) Market risk (incl. IRRBB); v) Operational risk; vi) Profitability and efficiency; and, vii) Management and control. Credit concentration risk (single name, sectoral, geographical and country risk) is scored as part of credit risk. As part of the application of the on-site supervision manual “No. CI-03, Global and Individual Limits”, during the on-site examination the SBS reviews the systems available to the FI and whether the actual concentrations as reported (see EC4) have been determined and calculated adequately. During on-site examination, the SBS also evaluates the institution’s monitoring system and framework for compliance with the regulatory and internally set operating limits, including the management information systems used and the reports generated; verifying that these are available to the business, and the relevant risk management and compliance officials. The SBS reviews whether the monitoring system contains preventive alerts that would indicate possible excesses of these limits when originating credits; and it reviews the reports on the compliance with operational limits presented to the Risk Management, senior management, the Board as well as their periodicity. EC3 The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. Description and The overarching relevant principles (responsibilities of the Board and senior findings re EC3 management with regard to strategy, risk appetite, policies, procedures and operating limits) are set by the GIR and its successor the Corporate Governance & GIR. 58 The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e. it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991). 154 PERU These regulations require FIs to establish in addition to the regulatory limits, internal limits, which should be part of their credit policies and procedures manuals. In its on- and off-site supervision, the SBS evaluates whether these limits guarantee adequate diversification by single name, sector, geographical area considering the size and nature of the loan portfolio and the risk appetite as set by the FI. The SABM on-site supervision manual “No. GC01, Evaluation of Good Corporate Governance Practices in Companies of the Financial System" contains procedures to review whether the responsibilities of the Board and senior management are well defined and aligned with the strategy and risk profile of the company; and whether the Board has established the risk management policies of the FI. Reviewing the minutes of the Board and its Committees is an important part of these procedures. In addition, the on-site examination manual for credit risk also includes procedures to review per business line whether: (i) there is an effective and adequate monitoring of internal limits (formal definition of procedures and responsible areas), (ii) the limits are consistent with the strategy and goals established by the company, (iii) the results of the monitoring of such limits are reported to the Risk Committee and / or Board, and (iv) the necessary actions have been defined and adopted in the event of breaches of internal limits. EC4 The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. Description and The Accounting Manual for Companies of the Financial System contains the set of findings re EC4 information and formats that companies must submit to the SBS, as well as the periodicity for their submission. The trial balance allows obtaining information on exposures in domestic and foreign currency by type of credit. Similarly, Annex 3 "Credit Flow by Type of Credit and Economic Sector" presents credit balances by type and main economic sectors; while Annex 10 "Deposits, Loans and Personnel by Offices", provides information on the balance of the portfolio of total loans and per currency per geographical area at the district level. These reports are sent monthly. Annex 6 "Credit Report of Borrowers (RCD)", which is also sent monthly and in which all loans above PEN 1.00 are included, shows the borrowers' main economic activity, the office where the disbursement was made, the borrowers' credit risk classification and the detailed balances by currency, accounting status, type of credit, among other information. This information allows the generation of ad hoc reports, such as balances by type of credit, economic sectors, geographical area and currencies. Annex No. 01 (monthly) contains information on investments by instrument and issuer. 155 PERU In Report No. 20 and the Report No. 20-A FIs must identify groups of debtors that are part of economic groups or connected (these reports need at least to cover the top 200 exposures). Report No. 23 "Exposure to Country Risk" provides information on all exposures (assets, contingent loans and derivatives) resulting from operations affected by country risk In addition, FIs needs to report monthly their large exposures and compliance with the regulatory large limits (Report 13), and their top-20, sector and geographical concentrations (Reports 4 B-1, 4 B-2 and 4 B-3). Using these reports, the SAR prepares different monthly and quarterly management reports on the different risks, including concentration risk, per bank and for the banking system. The assessors reviewed the Annexes and Reports, and the assessed the information provided through these reports as well as the internal SBS management reporting on the received information as comprehensive. EC5 In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and Article 203 of the LGSF establishes that, for the purpose of the different regulatory findings re EC5 concentration limits, exposures are considered to be a single counterparty exposure (group of connected counterparties), if: (i) there is direct or indirect common control, (ii) it is possible that financial problems of one party extend and affect others due to common ownership, control or administration, reciprocal guarantees or direct business dependence which cannot be replaced in the short term; (iii) exposures granted to one party are presumed to be used for the benefit of others; and (iv) the nature of the relationship between various parties is such that they can be considered a single economic unit. The article further establishes that the definitions for an economic group, connected parties and conglomerates will be detailed by the SBS considering the specifics defined in article 203. In the Connected Parties and Economic Groups Regulation (Resolution SBS 5780-2015) the SBS has provided these definitions. This regulation was issued in 2015 and introduced stricter criteria for determining a linkage and adopts international standards for defining an economic group. Article 8 of the Connected Parties and Economic Groups Regulation provides the following definition for an economic group: “An economic group is understood to comprise all legal persons and/or legal entities, national or foreign, made up of at least two members, of which one exercises control over the other or others, or when 156 PERU the control over legal persons and/or legal entities is exercised by one or more natural persons acting jointly.” In addition, article 3 defines connected parties as follows: “Two or more persons and / or legal entities are considered connected when the financial or economic situation of one affects the other or others, so that, when one of them has financial or economic problems, the other or others might find it difficult to meet their obligations. Legal persons and/or legal entities belonging to the same economic group and, between them and natural persons exercising control of said economic group, in accordance with articles 8 and 9 are connected. Likewise, it is presumed that there is a single risk link between the spouses of connected persons and between the persons and/or legal entities that have an ownership and/or management relationship in accordance with the provisions of articles 4 and 5, unless proven otherwise.” Article 4 defines, amongst others, a relationship of ownership as a situation in which the shares or voting shares held directly or indirectly (through third parties) by a person or legal entity represent 4 percent or more of the shares or voting shares of a legal person or legal entity. Article 5 provides detailed guidance on when a management relationship is assumed to exist. Finally, article 10 determines that the SBS may, for prudential reasons, apply additional presumptions to determine whether an entity is to be considered a part of an economic group for prudential purposes. The supervised companies must submit semiannually Report No. 20 "Information of Clients Representing Single Risk"(Resolution No. 5780-2015). In this report FIs must consider, at least, their top-200 exposures to economic groups and/or connected clients. In addition, FIs must provide through the submission of Report No. 20-A "Information on the Individuals and Legal Entities Representing the Unique Risk of Clients", greater detail of the connected persons and legal entities included in the Report No. 20, including specifying the type of linkage, be it by direct ownership, indirect ownership and / or management. The definitions and the provided guidance are comprehensive and the definition of ownership (4 percent or more held directly or indirectly) for determining connectedness is conservative. EC6 Laws, regulations or the supervisor set prudent and appropriate 59 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on- balance sheet as well as off-balance sheet. The supervisor determines that senior 59 Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration. 157 PERU management monitors these limits and that they are not exceeded on a solo or consolidated basis. Description and Article 198 to 216 of the LGSF provide the different regulatory concentration limits findings re EC6 for: i) investments in equities; ii) Board members and employees; iii) related party transactions; iv) large exposures; v) domestic FIs; vi) foreign FIs; vii) natural of legal persons residing abroad. More detailed guidance on the requirements is provided in Circular B-2148-2005. Circular B-2148-2005 determines that to calculate the exposure, FIs must consider the limits granted to the counterparty, direct credit exposures (drawn/disbursed amounts), accounts receivables, financial leases, investments, and the credit equivalent of derivatives and contingent exposures, except for unused and undisbursed credit lines, which can be terminated or canceled unilaterally by the financial institution at any time. The LGSF (article 206) establishes a large exposure limit of 10 percent. Depending on the quality of the collateral received the limit can be exceeded up to 15 (article 207) or 20 percent (article 208). The limit can be exceeded up to 30 percent (article 209) if the collateral consists of deposits held at the same financial institution or financial instruments issued by the Central Bank. Resolution SBS No. 11823-2010 on supervision of financial conglomerates establishes that the limits also need to be applied on a consolidated basis by financial or mixed conglomerates. As with the other regulations, this regulation applies on a financial group-wide level. In case of non-compliance the supervised entity needs to submit its proposal for dividend distribution to the SBS. Through the received prudential returns and its on-site examinations the SBS determines that the FI has an adequate monitoring framework, senior management reports on the compliance with regulatory and internal limits to the Board, and complies with the regulatory limits. The large exposure limit, which includes on- as well as the credit equivalent (using the Basel II CCFs) of off-balance exposures, of 10 percent for uncollateralized exposures is conservative when compared to international standards. EC7 The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes. Description and Single name, sector and geographical credit concentrations are part of the Additional findings re EC7 Capital Requirements Regulation as issued by the SBS. Under ICAAP the FIs must assess whether the required additional capital is sufficient. These exposures also need to be considered in the regulatory stress-test as part of ICAAP. In its internal stress-testing, performed by the SAEE, the SBS also takes these exposures into account. For example, in 2017 the SBS performed a stress-test to 158 PERU estimate the impact of el Nino, for which the geographical loan portfolio distribution of the FIs was taken as an input. Assessment of Compliant Principle 19 Comments The SBS issued new rules on related parties and economic groups in 2015 (Resolution SBS N° 5780-2015). The new regulation establishes stricter criteria for determining a linkage and adopts international standards for defining an economic group. The regulations do not consider a combined limit for large exposures, however, the large exposure limit (at a maximum 10 percent for uncollateralized exposures) is conservative compared to international standards. In addition, the SBS requires under the Additional Capital Requirements Regulation additional capital for single name concentration risk considering the top 20 exposures. This additional capital charge may not be significant, but has resulted in explicit attention to this risk in FIs’ risk management and ICAAPs. The SBS is currently reviewing the Additional Capital Requirements Regulation including the adequacy of the capital charge for single name concentration risk (see also CP 16). Principle 20 Transactions with related parties. In order to prevent abuses arising in transactions with related parties60 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties61 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. EC1 Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and The LGSF establishes the limits for related party exposures, while the regulation findings re EC1 provides further detail on the definition of related parties. Related party exposures are subject to a limit of 30 percent (see CP 19). In addition, the LGSF establishes a limit of 7 percent for loans to Board members and employees. Exposures to Board members and employees (Article 201 of the LGSF) are subject to the following limits: The financing granted by an enterprise to its directors and employees, as well as to the spouses and their relatives, are not allowed to exceed 60 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies. 61 Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party. 159 PERU seven percent of its available regulatory capital. No Board member or employee may receive more than five percent (5 percent) of the overall limit. This limit, also includes the exposures to spouses and relatives. The SBS issued new rules on related parties and economic groups in 2015 (Resolution SBS N° 5780-2015). The new regulation establishes stricter criteria for determining a linkage and adopts international standards for defining an economic group (see also CP 19). In determining whether a connection exists the SBS can exercise discretion (article 10, Resolution SBS 5780-2015). EC2 Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g. in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.62 Description and Article 202 also determines that no credit to Board members or employees may be findings re EC2 granted on terms that are more advantageous than the best ones accorded to the clients of the company, except for first home mortgage loans. Article 3 of the Prudential Rules for Operations with Companies Linked to the Financial System (Resolution SBS No. 472-2006), establishes that companies must properly identify their affiliates, make an adequate evaluation of the risks involved in operations with them, grant financing on no more advantageous terms than to its other clients and permanently assure compliance with the limits and requirements established by the LGSF and other regulations issued by the SBS. The Board is responsible for the approval of policies and procedures necessary for compliance with the above and senior management for their implementation. Article 4 establishes that the policies and procedures should include, among others, procedures to assure that related party loans are not provided on better conditions (in terms of general conditions, interest rates and collateral) than similar loans provided to its best clients. EC3 The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. Description and Article 180 of the General Company Law (LGS) establishes that Board members are findings re EC3 not allowed to adopt agreements that are not in the best interest of the company, but in their own interests or those of related third parties, nor use for their own benefit or related third parties the commercial or business opportunities of who are aware of their position, emphasizing that the Board member who in any matter has an interest contrary to that of the company must disclose it and refrain from participating in the discussion and decision making of the concerning matter. 62An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g. staff receiving credit at favorable rates). 160 PERU Article 17 of the Corporate Governance & GIR (Resolution SBS No. 272-2017), coming into effect on April 1, 2018, establishes that senior management is responsible to report to the Board transactions with related parties. Likewise, article 5 c), referring to the content of the Board Regulations, provides that policies and procedures must be established to prevent, detect, manage and disclose conflicts of interests of Board members. In addition, Article 6 of the Prudential Rules for Operations with Persons Related to Financial System Enterprises (Resolution SBS No. 472-2006), stipulates that any financing that is to be granted to a related party must have the prior approval of the Board or equivalent body. Article 4 of the Credit Risk Management Regulation states that SIs must establish an organizational structure and a decision-making process that are adapted to the strategic needs of the company and that do not generate conflicts of interest in the risk taking. Whereas article 21, referring to the principles of approval of credit exposures, indicates that personnel with a conflict of interest should be prevented from participating in the decision-making process. In particular, transactions with affiliates in accordance with article 202 of the LGSF require the approval of the Board, or in its absence of the highest credit committee, avoiding the participation of members who have a conflict of interest. Circular No. B-2185-2010 establishes that for the issuance of proof of the non- recoverability of credits and accounts receivable, companies must submit the SBS an application enclosing a certified Copy of the Agreement of the Board or equivalent body. In addition, the Credit Transfer and Acquisition Regulation (Resolution SBS N° 1308-2013) establishes that any transfer and acquisition of credit portfolio, regardless of whether it requires the authorization of the SBS, must be approved by the Board. EC4 The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. Description and The IAU and external auditor are required, as provided in Articles 9 and 10 of the findings re EC4 Prudential Rules for Operations with Persons Related to Financial System Enterprises (Resolution SBS No. 472-2006), to review the policies and procedures for avoiding conflicts of interest and their implementation. One of the main objectives of on-site examinations is to identify possible conflicts of interest in the operations, particularly when they are carried out with related persons. To ensure an adequate culture of control and avoid conflicts of interest (including for operations with related parties) SIs are required to have a "Conflict of Interest Handbook", The evaluation of the above is realized through a selective review of the FI's internal regulatory framework, review of the minutes of the Board and other principal management bodies, and a sample review of credit records (including exposures to related parties). The on-site examination manual “No. GC-01 "Evaluation of Good 161 PERU Corporate Governance Practices in Financial System Companies" provides the procedures for the review of the management of conflicts of interest. EC5 Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. Description and As mentioned in EC4, the limit for related parties is set on an aggregate level and is findings re EC5 the same as the limit for single counterparties or groups of connected counterparties. However, in addition, the total exposures to Board members and employees cannot exceed 7 percent of available regulatory capital and no Board member or employee may receive more than five percent of this overall limit. This limit also includes the exposures to spouses and relatives. Article 7 of the Prudential Rules for Transactions with Companies of the Financial System establishes that for the purposes of calculating the limit, exposures (e.g. investments) that are deducted from regulatory capital in accordance with article 184 of the LGSF do not need to be considered. Also, article 13 of the Regulation for the Consolidated Supervision of Financial and Mixed Conglomerates (Resolution SBS No. 11823-2010), establishes that the same large exposure limit applies to the consolidated group; total related party exposure is not allowed to exceed thirty percent of the available regulatory capital of the consolidated group. In addition, article 19 determines that if the counterparties of the exposures cannot be identified or when there is insufficient information about them, for legal or other reasons, contrary to the satisfaction of the SBS, these exposures are granted to persons related to the consolidated group. In case of excessive related party exposures, the SBS may also require a higher level of regulatory capital at a consolidated level. However, 7 percent limit for Board members and employees does not apply on a (consolidated) financial group level. In case of breaches of the related party exposure limit (but also in case of breaches of the concentration limits established in the LGSF), the SBS has (determined by Law, article 219) to apply a sanction of 1.5 times the average interest rate margin over the amount in excess of the limit (the average interest rate margin in local currency is currently 13.54 percent). If the breach is not remedied within a month an additional penalty will be levied, which will be increased with 50 percent each month the infraction continues. In case of a breach of the 7 percent limit on the total exposure to Board members and employees, the excess is penalized with a fine of 100 percent of the excess. EC6 The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, 162 PERU processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. Description and FIs are expected to have mechanisms that allow them to adequately aggregate findings re EC6 exposures to related persons, which has to be reported through Report No. 13. This report needs to be signed by the General Manager and the Head of the Risk Unit, which ensures that senior management is aware of the level of compliance with the limits established in the regulations. Article 5 of the Prudential Rules for Operations with Persons Related to Financial System Enterprises (Resolution SBS No. 472-2006) requires banks to maintain a related parties database, which must be permanently updated and any exclusion must be communicated to SBS explaining the reasons that support it. The validation of the integrity of this database is done both in on-site and off-site supervision. Moreover, according to Consolidated Supervision Regulation (Resolution SBS No. 11823-2010) the related parties database of consolidated groups must be updated and available to SBS, and is also validated as part of the on-site examination. The Internal and External Audit Regulations require respectively the IAU to verify the process and adequacy of the reporting and the compliance with the operational limits and the external auditor to review the compliance with regulatory limits. Through Annex No. 10 of the Consolidated Supervision Regulation, the SBS seeks to assure that the FI establishes adequate mechanisms for the calculation and compliance with legal limits at the level of the financial or mixed conglomerate, including the limit set for related party exposures. During the on-site examinations, the SBS verifies whether FIs have adequate policies and procedures for the identification of related party exposures, as well as adequate information systems for the identification and aggregation of these exposures. The related parties database is validated as part of the on-site inspection detailed in “SC.01: On-site Examination Consolidated Supervision and Financing to Related Parties”. Also, within the evaluation of the Corporate Governance of the supervised entities, the verification of the policies and / or regulations is considered to avoid conflicts of interest between the company, the directors, the managers and the related companies; and the verification of whether the company has approval procedures for operations with related companies (Guide In-Situ SABM Nº GC-01 "Evaluation of Good Practices of Good Corporate Governance in companies of the Financial System"). Likewise, the general evaluation of the credit risk includes the evaluation of the policies and controls of exceptions in addition to the conditions for transactions with 163 PERU related parties and their follow-up (In-Situ Supervision Guidelines "Non-Retail Credit Risk" and "Retail Credit Risk"). As a result of such verifications, the SBS can establish presumptions of linkage (based on reasonable evidence), in which case the "burden of proof" is assumed by the supervised company (proof demonstrating that such linkage does not exist). EC7 The supervisor obtains and reviews information on aggregate exposures to related parties. Description and The Reports No. 19, No. 19-A, No. 21 and No. 21-A allow the SBS to monitor offsite findings re EC7 the development of related party exposures and the compliance with established limits. FIs must submit semiannually to the SBS, Reports No. 19 "Information on the Economic Group of the Company" and 19-A "Information on Members of the Economic Group of the Company ", with the list of companies that make up the economic group of the supervised entities, as well as their respective shareholders, directors, managers and senior officers. In addition, it must notify the SBS of any change in the composition of the group within a period not exceeding fifteen (15) calendar days following the close of the month in which said modification occurred. This allows the supervisor to be constantly updated on the structure of the economic group of the FI. The Regulation on Connected Parties and Economic Groups (Resolution SBS No. 5780-2015), requires (article 18) FIs to submit within fifteen calendar days after the end of each quarter, Reports No. 21 "Financing to Related Parties" and No. 21-A "Information on Legal Entities and Legal Entities Linked to the Company”. In Report No. 21, companies must record the amount for each type of exposure (direct loans, contingent loans, investments, derivative instruments, deposits, financial leases and others) for each related party (natural or legal person), the type of linkage that it has with the company (direct, indirect and/or by management), and the total related party exposure as a percentage of available regulatory capital. The Regulation for the Consolidated Supervision of Financial and Mixed Conglomerates (Resolution SBS No. 11823-2010) requires the FI that reports on behalf of the conglomerate to submit quarterly Annex 10, “Related Party Exposure Limit”, for the consolidated group. In the monthly Report No. 13 "Control of Global and Individual Limits applicable to Companies in the Financial System", FIs must report their level of compliance with all regulatory limits, including the limits for related parties, Board members and employees of the FI (in total and per counterpart) and its investments in the capital of subsidiaries. The Internal and External Audit Regulations require respectively the IAU to verify to process and adequacy of the reporting and the compliance with the operational limits and the external auditor to review the compliance with regulatory limits. 164 PERU Assessment of Compliant Principle 20 Comments The SBS issued new rules on related party and economic groups in 2015 (Resolution SBS N° 5780-2015). The new regulation establishes stricter criteria for determining a linkage and adopts international standards for defining an economic group, which also is relevant for determining related parties of FIs and financial conglomerates. Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk63 and transfer risk64 in their international lending and investment activities on a timely basis. EC1 The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end- borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. Description and As explained in CP 15 the GIR (Resolution SBS No. 037-2008), which will be replaced findings re EC1 per April 2018 with the Corporate Governance & GIR (Resolution SBS No. 272-2017) set the overarching requirements regarding the governance structure, responsibilities of Board and senior management, and risk management. Resolution SBS No. 7932-2015 set specific risk management and provisioning requirements for country risk. The regulation defines (article 2) country risk management as the identification, measurement, evaluation, treatment, control, information and monitoring of country risk and requires financial institutions to have a manual (article 7) that documents: the policies and procedures for managing country risk, classification methodology, internal exposure limits, stress tests, contingency plans, exit procedures, among other aspects , according to the degree of complexity and the volume of exposure to country risk. Article 8 of the Country Risk Regulation determines that financial institutions are required to apply the requirements in a similar way on a consolidated basis in line 63 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered. 64 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.) 165 PERU with the provisions as provided by the Consolidated Supervision Regulation (Resolution SBS No. 11823-2010). Country risk is monitored and assessed by a special risk unit (DSRCRE) of the SAR. The exposures and country risk management are reviewed as a part of credit risk and as such included as a sub element in the rating methodology for credit risk. The methodology, in line with the overall methodology, contains specific assessment criteria for country risk management relating to: • Internal environment • Objective setting • Risk Identification • Risk assessment • Risk response • Control activities • Information and communication • Monitoring These procedures are described in the On-Site Examination Guide for Country Risk. In addition, the actual country risk exposures of the banking system are reviewed off- site and a quarterly detailed report, providing an overview of the exposures on a system and bank-by-bank level is prepared by the SAR and submitted to the SABM. Banks with exposures with expected losses higher than 1 percent of available regulatory capital are monitored more closely, while the topic is considered for inclusion (more in-depth coverage) in the scope of the on-site examination if the expected losses (i.e. required country risk provisioning – see EC 4) are more than 2 percent of available regulatory capital. The June 2017 quarterly country risk report prepared by the SAR was reviewed and assessed to be comprehensive. EC2 The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and In addition to the elements mentioned in EC1, article 5 of the Country Risk findings re EC2 Management Regulation requires that the financial institution’s Risks Committee must establish effective communication and reporting lines to ensure that the areas involved in risk management are aware of the risks assumed. All relevant decisions adopted at its meetings should be recorded in minutes. Article 6 determines that the Risk Unit is responsible for the day-to-day management of country risk, within the established framework and needs to report to the Board of Directors, at least quarterly, on the following aspects: • Exposure to the country risk of the financial institution at an individual and, if applicable, on a consolidated level; 166 PERU • Development of the country risk of the relevant countries according to their risk analysis; • Identification of exposures in countries listed by the Financial Action Task Force (FATF).; • Business strategies to be adopted according to the risk analyzed; • Compliance with internal limits and provisions for country risk; • Results of performed stress-tests. The assessment of the Board approval of strategies, policies and processes for the management of country risk is assessed as a part of the on-site review of the objectives (see EC1). At the same time the SBS reviews whether the exposures and their compliance with the internal limits are reported and integrated in the Risk Unit’s quarterly report to the Board Risk Committee. EC3 The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. Description and The SBS, through the off-site analysis of Report No. 23, received monthly, and findings re EC3 Reports No. 23-A and No. 23-B, received quarterly, ensures that the entity has the information systems necessary to identify and consolidate their country risk exposures. In this regard, validation by cross checking Annex 1 and Appendix 6 "Debtor Credit Report (RCD)" with Report No. 23 and Reports No. 23-A and 23-B, and examines the evolution of the reported exposure, to analyze the reasonableness of the information on exposures to the country risk, and to detect possible errors of registration. Likewise, the on-site examination manual contains procedures to verify if the entity reviews at least annually the adequacy of the financial institution’s internal reporting and the application of internal limits. EC4 There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the 167 PERU appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor. Description and Article 18 of the Country Risk Management Regulations prescribes the provisioning findings re EC4 requirements for country risk per country depending on the risk category of the country with which the financial institution maintains the exposure, in accordance with the percentages in the below table: Provisioning Requirements for Country Risk Source: SBS The regulation provides the mapping of the ratings of Moody’s, S&P and Fitch to the 8 risk categories. Categories III and above are investment grade (BBB and higher). The provisions are allocated under a marginal scheme, according to the country risk exposure tranches. For this purpose, financial institutions must calculate the single rate of provision for country risk that considers the weighted marginal effect and apply it to all exposures, as follows: Where: = −1 168 PERU In this way, the applicable provisioning requirement increases gradually as the exposure level increases (so provisioning requirement depends on the risk rating as well as the size of the exposure). Article 14 states that for determining the rating, financial institutions should use the most conservative available external rating for sovereign bonds as issued by agencies of recognized international prestige. In addition, they must keep the classification up to date. When the country with which the exposure is recorded does not have a classification, it should be assigned the risk category VIII for purposes of calculating the provisioning requirement. Article 16, allows financial institutions to develop and implement their own internal rating models for determining the country risk classification (not for the provisioning requirement itself). Using the internal rating methodology for provisioning purposes is subject to authorization by the SBS, however, per end of June 2017 no authorization had been granted yet. The above determined country risk provisioning requirement needs to be compared with the credit and investment risk provisioning requirement and the highest of the two needs to be applied for general provisioning purposes. Article 9 details that exposure related to persons/entities residing abroad also need to be considered including exposures guaranteed by persons/entities residing abroad. However, the following exposures are exempted from the provisions for country risk provisioning purposes: • Foreign trade operations with a residual term of less than one year; • Investments abroad that are valued at market price and whose valuation is carried out at least once a month; • Exposures that are deducted in the computation of available regulatory capital of the SI; • Transactions with derivatives that are carried out by CCPs that require daily margining, to the satisfaction of the SBS; • Transactions with derivatives that have a negative market value; • The exposures with the multilateral development banks listed in Article 16 of the Credit Risk Capital Regulation; • Other exposures determined by the SBS. EC5 The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. Description and Article 20 of the Country Risk Management Regulations states that companies that findings re EC5 register levels of exposure with countries that exceed ten percent (10 percent) of their available regulatory capital, after deducting operations exempt from provisions, must carry out at least annually a stress-test. 169 PERU Stress-tests need to be performed based the FI’s own methodology. FIs have to simulate different scenarios, including, among others: • Deviation of the main assumptions about the performance of a country. • The exacerbation of the contagion effect between countries. • Restrictions on the liquidity of capital markets and financial systems. • Changes in the relationship between market and credit risks. It should be noted that according to Article 6 the Risk Unit should report to the Board on the results of the scenario simulation and the stress tests. The financial institution needs to document and consider the results of the stress test when reviewing country risk management policies, procedures, and limits. EC6 The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g. in crisis situations). Description and Article 21 of the Country Risk Management Regulations requires companies to findings re EC6 submit monthly to the SBS, Report No. 23 "Exposure to Country Risk", in which exposures are recorded with natural and legal persons residing abroad, aggregated by country, considering the classification of the risk of each country, the permissible coverage of guarantees, the operations exempt from provisions for country risk and the net (after deducting provisions) exposure to the risk. Also, in order to validate the information presented periodically, companies must submit quarterly to the SBS: Report No. 23-A "Country risk exposure with foreign residents" and Report No. 23-B "Detail of exposure to country risk by personal guarantee of residents abroad". The head of the Risk Unit is responsible for the preparation and submission of Reports No. 23, No. 23-A and No. 23-B to the SBS. Article 350 of the LGSF establishes that the Superintendent has the power to request all the information he or she deems necessary on the financial institution’s financial situation, resources, administration or management, performance of its representatives, degree of safety and prudence with which investments are made, and in general, of any other matter which, in his opinion, should be clarified. The assessors reviewed the reporting templates and the June 2017 quarterly country risk report as prepared the SAR and assessed them as comprehensive. Per June 2017 six banks had exposures exceeding 10 percent of available regulatory capital (and thus required to conduct internal stress tests), however, all banks were below the 1 percent monitoring threshold of expected loss (i.e. required general provisions) divided by available regulatory capital as virtually almost all exposures where classified as investment grade (grade I – III). Assessment of Compliant Principle 21 170 PERU Comments The regulatory provisioning requirements for country risk are conservative. Overall the assessors consider the regulatory framework and supervisory approach and practices to country risk adequate. Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. EC1 Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. Description and Article 178 of the LGSF states that SIs must establish an adequate process of findings re EC1 managing assets and liabilities. This process must include the identification, measurement, control and reporting of the risks to which they are exposed, such as liquidity risk, market risk and operational risk. The Integrated Risk Management Regulation (“GIR” – Resolution SBS 37-2008) and its successor Corporate Governance and Integrated Risk Management Regulation (Corporate Governance & GIR – Resolution SBS No. 272-2017), coming into effect per April 2018, provide, as discussed in CP 14 and CP 15, the overarching risk governance and integrated risk management requirements. Resolution SBS No. 0509-98 provides requirements for Market Risk Management, while Resolution SBS No. 6328-2009 provides the Market Risk Capital Requirements including the definition of the trading book. It should be noted Peruvian AFS sovereign bonds are also covered by the market risk capital requirements (interest rate risk in the trading book). To give an indication of the materiality of market risk; the average capital requirement for banks’ market risk exposures is per mid-2017 less than 1 percentage point of banks’ regulatory capital ratio and is mainly driven by the open currency position and interest rate risk in the trading book. Banks current trading activities are limited. To clarify the valuation of securities (trading and banking book) the SBS issued Resolution SBS No. 7033-2012, and to address its concerns regarding FX risk (dollarization, although declining, is a material risk), the SBS issued Resolution SBS No. 1455-2003 providing Guidelines for Foreign Exchange Risk Management. The Guidelines for Foreign Exchange Risk Management establish the following regulatory limits: • Net FX position limits (daily): Long Open Position: 50 percent of regulatory capital Short Open position: 10 percent of regulatory capital 171 PERU • Net FX derivatives position limits (daily): Long position: Max (40 percent of regulatory capital, PEN 600 MM) Short Position: Max (20 percent of regulatory capital, PEN 300 MM) Article 3 of the Market Risk Management Regulation establishes that it is the responsibility of the Board (or equivalent body) to establish and oversee compliance with policies and procedures to properly identify and manage the market risk. Article 4 establishes the minimum requirements that SIs must meet to identify, manage and allocate capital to market risk; and article 5 indicates that SIs must establish the organization, as well as define and delimit the functions and responsibilities of the areas involved in operations exposed to market risk. The market risk regulation was issued in 1998 and needs updating, also to align it with the new Corporate Governance & GIR. In this context, the SBS has issued for consultation a revised Draft Market Risk Management Regulation in July 2017. The Draft Market Risk Management Regulation establishes more specifically in article 4 that SIs must adequately manage their market risk, taking into account the size and complexity of its operations and services, appetite and risk capacity, its risk profile, its capital strength, its systemic importance, the macroeconomic situation and the risk of a substantial deterioration of liquidity of the market. Likewise, the regulation establishes more clearly the role of the Board and Market Risk Committee in relation to setting the market risk appetite, policies, procedures and limits. Although the updated Market Risk Management Regulation will more clearly set out SBS’ expectations and requirements regarding the governance and management of market risk, the existing regulation does not appear to have been a limitation for the SBS to conduct its supervision and convey its expectations regarding risk management (which more broadly are also included in the GIR and its successor the Corporate Governance & GIR). The Market Risk Management Regulation and the Guidelines for Foreign Exchange Risk Management are not applicable on a financial group-wide level. The SBS has a specialized unit that is responsible for the supervision of market risk of SIs; the Department of Market Risk, Liquidity and Investments (“DSRMLI”), which is part of the Superintendence of Risks (“SAR”). DSRMLI has 12 staff which dedicate about two thirds of their time to banks. The DSRMLI monitors (off-site) daily market risk indicators, and prepares a monthly report on the development of market risk per bank and of the banking system. The DSRMLI is also responsible, as part of the on- site examination team led by the SABM, for on-site examinations of market risk and the scoring of this risk type in the rating methodology used by the SBS. The methodology for the scoring of market is split in investment risks (for the trading and AFS securities portfolio) and FX risk, and contains specific assessment criteria for relating to; • Internal environment 172 PERU • Objective setting • Risk Identification • Risk assessment • Risk response • Control activities • Information and communication • Monitoring The on-site procedures for rating these elements are covered in 4 separate manuals: • Foreign exchange risk management (Market Risk Manual 1) • Investment risk management - trading as well as AFS (Market Risk Manual 2) • Treasury – derivatives (Market Risk Manual 5) • Independence of functions (Market Risk Manual 6) The on-site procedures relating to the scoring of the internal environment and objective setting cover amongst others: the strategic objectives; alignment of the objectives with the mission and vision of the SI; the establishment of limits in line with the risk appetite and tolerance (objective setting) and the internal organization of the risk management function (internal environment). During on-site examinations, DSRMLI verifies that the Board is informed in a timely manner of the level of risk the entity is taking. Likewise, DSRMLI staff, through the review of the minutes of the Risk Committee, evaluate whether the Risk Committee fulfills the functions assigned to it, including the approval of policies and procedures for the management and identification of market risk, the establishment of exposure limits and the establishment of communication and reporting lines. EC2 The supervisor determines that banks’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and During the inspection visit, the DSRMLI staff verify that the policies and procedures findings re EC2 for the management of market risk are documented and approved by the Board. Likewise, it is verified that the Board is informed in a timely manner of the level of risk that the entity is taking, whether through reports or presentations and that the Risk Committee fulfills the functions assigned to it, among which the design and establishment of policies and procedures for the management and identification of market risks, the establishment of exposure limits, and the establishment of the necessary communication and reporting lines. • The procedures for reviewing the Board’s involvement and management oversight are covered in the above mentioned four manuals related to market risk. A review of documents evidenced the use of the procedures. 173 PERU EC3 The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff; c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; d) effective controls around the use of models to identify and measure market risk, and set limits; and e) sound policies and processes for allocation of exposures to the trading book. Description and Regarding information systems, the existing Market Risk Management Regulation findings re EC3 (Resolution 509-98) states in article 14 that SIs must have adequate computer systems for the identification and management of the market risks, as well as appropriate security mechanisms. Senior management, risk management and compliance’s reporting requirements are established in the LGSF and the GIR (see CP 14 and 15). Regarding market risk limits, Article 13 of the Market Risk Management Regulation (Res 509-98) states that the Risk Committee should establish internal limits for exposures to market risk of positions in all kinds of temporary or negotiable financial investments, including derivatives. These limits need to be established by type of financial instrument and by type of market risk and must consider, among other factors, accumulated losses. The Market Risk Unit is responsible for the ongoing evaluation of compliance with internal and regulatory limits. In addition, it shall report (exceptions are understood to be part of this report) to the Risk Committee. During the on-site examination, DSRMLI staff verify that FIs comply with the limits established by the regulation and with the internal limits; in addition, it is verified that these have been approved by the Board and are consistent with their policies, size and complexity. The supervisory manuals relevant for market risk include procedures for verifying the existence, suitability, compliance and updating of internal limits, policy and procedures manuals. Also, the assumptions and parameters of market risk models are verified to assess if the model is suitable for the operations complexity and volume. EC4 The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market 174 PERU prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. Description and Paragraph 2 of article 354 of the LGSF establishes that the SBS has the power to findings re EC4 require that investments and other positions assigned to market risk be adjusted to their market value, according to the methodology established by the SBS. Article 11 of the Market Risk Management Regulation states that companies must record, daily and at market value, their positions in all types of temporary or negotiable financial investments, in derivative financial instruments and other instruments affected by market risk factors. In the event that a position cannot be recorded at its market value for a given period of time, an approximate market value should be used. These records must be properly documented and available to this SBS. Article 12 of the same Regulation states that the Risk Unit must use appropriate methods to measure and value the positions assigned to market risks that the SI faces. The aforementioned unit should also include, in the risk measurements, the respective retrospective analysis and the worst future scenario to evaluate the adjustment and forecasts of the internal models. In terms of fair value accounting, the issued SBS accounting standards are aligned with IFRS (for more details see CP 27). Article 3 of the Regulation for Classification and Valuation of Investments of SIs (Resolution SBS No. 7033-2012), states that supervised companies must maintain, inter alia, the following information, which will be available to the SBS: Models, assumptions, formulas and others used for the determination of the fair value and operational records of the valuation at market value of the investments. Likewise, Article 11 indicates that fair value is associated with the value observed in market transactions under "normal" situations and with mutual independence. In this regard, the general criteria for determining fair value are as follows: • When the instruments are quoted in active markets, the fair value is determined by the price observed in those markets. It should be noted that a financial instrument is considered as quoted in an active market if quoted prices are easily and regularly available through a centralized trading mechanism and these prices reflect current market transactions that occur regularly between parties acting in a situation of mutual independence. • If the price quotation observed on prices in an active market does not refer to the financial instrument in its entirety, but there is an active market for its components, the fair value shall be determined based on the relevant market prices of those components. • In the case of instruments traded on non-active markets, fair value is determined using a valuation technique or models, which must make the most use of market 175 PERU data. It should be noted that a market is considered non-active as it does not have sufficient quotations from freely available price sources for a period of not less than thirty (30) calendar days. • In the case of unlisted instruments, the fair value will be determined using valuation techniques or models. In this context, SIs must have adequate valuation methodologies and techniques to obtain the fair value of these instruments, which must incorporate all the factors that market participants would consider establishing a market price and be consistent with the accepted economic methodologies for the pricing of investment instruments. In addition, SIs should periodically calibrate their valuation models and examine their validity using current market observable market prices for the same instrument. These methodologies and models must follow the guidelines that are issued by the SBS through rules of general application. The changes incorporated in the models must be validated and documented. For those instruments not quoted in active markets, but included in the Price Vector, this source of information may be considered, in accordance with the provisions of the Vector Price Regulation approved by Resolution SBS No. 945-2006 and amendments. When the fair value is determined using techniques or valuation models other than the Price Vector, the SBS may request adjustments to the models that, in its opinion, do not meet minimum technical robustness requirements or are based on insufficient market information. Article 4 of the Regulations for the Negotiation and Accounting of Financial Derivative Products in Financial System Companies, approved by Resolution SBS No. 1737-2006 and its amendments, establishes that companies should not contract derivative financial products whose reasonable value cannot be determined reliably. Article 8 states that the initial measurement of a derivative financial product for trading will be carried out at its fair value. Subsequently, any change in the fair value of such derivative will affect the results for the year. To this end, the most conservative bid (ask) prices should be used in their valuation depending on whether the position is long (active) or short (passive), except in the case of positions that compensate market risks with each other, in which case average (mid) market prices may be used as a basis for establishing fair values. The Standards for Investment in Instruments Traded through Non-Centralized Trading Mechanisms, approved by Resolution SBS No. 964-2002 and its amendments, states in Article 2 that companies may acquire, hold and sell securities representing private debt, including securitization instruments, as well as certificates of participation in mutual funds and investment funds, through non-centralized trading mechanisms, provided that, in the case of issues abroad, the prices are observable through the electronic information services Bloomberg, Reuters or another of similar characteristics. 176 PERU During the on-site examinations, compliance with current regulations is verified. There are specific manuals relating to market risk management, which are used to verify the use of market sources and valuation methodologies for the different positions of the portfolio of investments and derivatives. The manuals contain procedures for the review of the market sources used to obtain the closing prices of liquid investments, market sources and methodologies for valuing investments without a market price (including derivatives traded outside centralized mechanisms) and the algorithms and formulas used for the valuation of derivative investment products. Likewise, a valuation of the investment portfolio is carried out to obtain the deficit of provisions and a valuation of the portfolio of derivatives to verify differences with respect to the value reported. Finally, it is verified that the recording and accounting adjustments of the investments and derivative financial instruments are in conformity with the SBS Accounting Manual for the Companies of the Financial System. The relevant procedures for this criterion are contained in the manuals relating to: • Investment risk management (trading and AFS portfolio) • Treasury – Derivatives EC5 The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Description and According to the Market Risk Capital Requirements Regulation (Resolution SBS No. findings re EC5 6328-2009), companies must allocate capital to cover the market risk they face. Article 3 defines market risk as the possibility of losses of on- and off-balance sheet positions arising from fluctuations in market prices. The regulation is based on the Basel II framework and covers the following risks: interest rate (covering the trading book and domestic AFS sovereign bonds), price, foreign exchange and commodity risk. For interest rate risk in the banking book only the duration based method is allowed as standardized approach. The capital requirements as calculated under the standardized approach are based on a capital charge of 10 percent, compared to 8 percent under the Basel framework. Although banks can apply to use the Internal Model Method, it should be noted that none of the banks currently uses this method for capital calculation purposes. As mentioned in EC4, Article 12 of the Regulation for Classification and Valuation of Investments of SIs (Resolution SBS No. 7033-2012) establishes criteria for the evaluation of the evidence of impairment. This article indicates that SIs need to evaluate, at the date of preparation of quarterly financial statements, whether there is evidence that an instrument has a deterioration in value. A deterioration in value is considered to exist if there is objective evidence of impairment because of an event that occurred after the initial registration of the investment instrument and the event causing the loss has an impact on the future cash flows of the investment that can be reliably estimated. 177 PERU FIs must summit on their market risk capital requirements Report No. 2-B1, which contains the following annexes: • Annex 1-A: Specific interest rate risk; • Annex 1-B: General interest rate risk, and; • Annex 1-C: Summary of 1-A and 1-B; • Annex 2: Price risk • Annex 3: Foreign exchange rate risk, and; • Annex 4: Commodity risk. The reported information is reviewed off-site by the DSRMLI. On a quarterly basis, the DSRMLI prepares an internal report for management and the SABM covering the developments per bank and the system as a whole. This report covers: • An overview of the compliance with the regulatory (open position and open position in derivatives – see EC1); • Overview of the development of market risk indicators; • Investment and derivative positions; • IRRBB and FX risk • Capital requirements • Income from trading, and FX and derivative services to clients • Overview of the market risk rating as incorporated in the internal rating methodology. The prudential reports as well as the internal quarterly report as prepared by the SAR provide a comprehensive overview of the positions and market risk exposures of the banks and the banking system. EC6 The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. Description and In accordance with article 12 of the Market Risk Management Regulation, the Risk findings re EC6 Unit of the SI must use appropriate methods to measure and value the positions assigned to market risk. The methods and measurement should also include the retrospective analysis and the worst future scenario to evaluate the adjustment and forecasts of the internal models. The Risk Committee shall establish policies and measures for the results of both the retrospective analysis and the worst-case scenario. The retrospective analysis consists of comparing, for a given period, the losses estimated as a result of market risk with the results generated. On the other hand, the analysis of the worst future scenario is to choose the most adverse daily price movement, within a selected period, and to apply this set of prices to the current positions. The SBS also expects the Risk Unit to periodically simulate stress tests of market risk factors and perform retrospective tests, as well as recommend, based on the results of stress tests, corrective actions and prepare a market risk management report to 178 PERU the Risk Committee, containing at least the summary of the results of stress tests and retrospective test. The updated Draft Market Risk Management Regulation contains more detailed requirements regarding stress-testing and stress testing governance. Article 10 of the Exchange Risk Management Regulations states that FIs should simulate different scenarios and conduct stress tests relevant to the management of foreign exchange rate risk, including non-compliance with the main assumptions and variations in the parameters used in the elaboration of internal models. The results obtained should be considered in order to establish and review the policies and procedures for the management of foreign exchange risk and should be available to the SBS. At the inspection visits, on-site examination manuals are used that include procedures to verify the execution of stress analysis and analysis of scenarios and back testing tests, as well as to analyze the assumptions and methodology. Specifically, the assumptions and methodologies used for stress testing and scenario analysis of market risk measurement models are evaluated and verified that these tests are performed periodically. Likewise, the methodology used for the back-testing and the fit and forecasts of the internal models are evaluated. Finally, it is verified that the supervised companies establish policies and contingency plans if the results of the retrospective analysis and stress-tests show losses that significantly affect the regulatory capital. Assessment of Largely compliant Principle 22 Comments Considering the characteristics of the banking system (very limited trading activities), the current regulatory and supervisory framework is broadly adequate. As observed in the 2011 BCP Assessment, the existing Market Risk Management Regulation is outdated (1998). A revised and updated Market Risk Management Regulation has been issued to the industry for consultation. The assessors did not perform an in-depth review of the revised regulation. The Basel Committee is in the process of reviewing whether it will issue a simplified Basel III standard approach for market risk. The SBS should evaluate to what extent the current capital requirements would need to be recalibrated to bring them in line with the Basel III standard and whether the Basel III (simplified) standardized approach should be adopted. Recommendations: • Issue the revised and updated Market Risk Management Regulation; 65 65 The regulation (SBS Resolution No. 4906-2017) has been issued after the assessment and will come into force June 1, 2018. 179 PERU • The SBS should evaluate to what extent the current capital requirements would need to be recalibrated to bring them in line with the Basel III standard and whether the Basel III (simplified) standardized approach should be adopted. Principle 23 Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk66 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. EC1 Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. Description and The overarching risk management framework is set by the GIR and its successor findings re EC1 Corporate Governance & GIR, which will come in to effect per April 2018. More specifically, Circular B 2087-2001 on Interest Rate Risk in the Banking Book (IRRBB) sets specific requirements for risk management and monitoring of this risk. It sets also a regulatory limit, requiring banks to manage their IRRBB in such a way that the Earning at Risk (EaR) do not exceed available regulatory capital by more than 5 percent. In addition, the Additional Capital Requirements Regulation requires banks to hold an additional capital buffer for IRRBB above the minimum requirement if the change in Economic Value of Equity (“EVE”) after applying a prescribed (as incorporated as Annex 7 of the Accounting Manual) interest rate shock exceeds 15 percent of regulatory capital (using the so-called outlier criterion). The prescribed methodology for FIs to calculate the capital is based on the methodology provided in the Basel Principles for the Management of IRRBB (July 2004). Paragraph 3 of Circular B-2087-2001, referring to the presentation of Annex 7, points out that banks must identify, measure, control and report adequately the level of interest rate risk they face. Likewise, the Board is responsible for approving the policies and procedures for the management of said risk and for ensuring that senior management adopts the necessary measures to monitor and control this risk (paragraph 2 of Circular F-464-2003 establishes the same guidelines for non-bank companies). 66Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22. 180 PERU Paragraph 4 of the Circular, establishes that FIs must designate the persons and Committees responsible for managing the interest rate risk. They shall also ensure that there is an adequate separation of functions and responsibilities in the areas related to the risk management process, the business area and finance, to avoid potential conflicts of interest. Finally, article 18 of the Circular establishes that the SBS on a consolidated basis may require banks to apply the provisions of this regulation with respect to its economic group or part thereof, in accordance with the provisions of Article 14 of the Consolidated Supervision Regulation (Resolution SBS No. 11823-2010). The SAR has a risk unit, DSRMLI, that is responsible for supervising the IRRBB, market and liquidity risk of SIs. DSRMLI has 12 staff which dedicate about two thirds of their time to banks. IRRBB is scored in SBS’ rating methodology as part of market risk. DSRMLI is responsible for determining the rating. During on-site inspections, DSRMLI staff verify that the Board is informed in a timely manner of the level of interest rate risk that the entity is taking, whether through reports or presentations. Likewise, they verify by reviewing the minutes that the Risk Committee fulfills the functions assigned to it, including the approval of the design and establishment of policies and procedures for the administration and identification of interest rate risk, the establishment of exposure limits, and the establishment of communication and reporting lines. These procedures are contained: • IRRBB Manual G4 • Organizational Structure G6 EC2 The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. Description and The GIR and its successor, coming into effect per April 2018, the Corporate findings re EC2 Governance & GIR establish the overarching responsibilities of the Board and senior management (see CP 14 and CP 15). In addition, paragraph 3 of Circular B-2087-2001 establishes that the Board is responsible for approving the policies and procedures for managing interest rate risk and for ensuring that senior management takes the necessary measures to monitor and control this risk. Article 9 of the GIR and article 8 of the Corporate Governance & GIR establish that the Board members must annually sign a declaration of compliance that includes, among other things, that it has required management to have policies, processes and controls, which are consistent with the SI's strategy, as well as with appetite levels and risk limits. The statement should indicate that the Board members have taken 181 PERU note of management information and of the decisions and reports of the Risks Committee, which may, by delegation of the Board, approve the policies and organization for the integral management of risks, to propose limits of risk, as well as to propose improvements in the integral management of risks. Article 17 of the Corporate Governance & GIR establishes that senior management has among its responsibilities to ensure that the activities of the SI are consistent with the business strategy, the risk appetite system and the policies approved by the Board of Directors; as well as to implement a comprehensive risk management in accordance with the provisions of the Board of Directors. It should be noted that the current GIR (SBS Resolution No. 37-2008) already incorporates similar provisions in Article 10. Finally, paragraph 11 of Circular B-2087-2001 establishes that, at least monthly, the Chief of the Risk Unit should prepare a report on the management of interest rate risk to be presented to the Board of Directors. The report should contain, among other points, the degree of compliance with policies, procedures and exposure limits, and an analysis of the adequacy of interest rate risk measurement systems and the policies and procedures implemented. Paragraph 19 of the circular requires that a copy of this report should be sent to SBS. At the inspection visit, DSRMLI staff verify that the Board or its Risk Committee has approved the policies and procedures for the management of interest rate risk, and that these are reviewed annually. During the on-site examination, DSRMLI staff also verify by means of the review of the minutes of the Board, the minutes and reports of the Risks Committee and of the Assets and Liabilities Committee, that the strategies, policies and procedures are in line with what is established by the Board and that any deviation is communicated in due time to the Board by the corresponding Committee. These procedures are contained: • IRRBB Manual G4 • Organizational Structure G6 EC3 The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including: a) comprehensive and appropriate interest rate risk measurement systems; b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and a re understood by, and regularly communicated to, relevant staff; 182 PERU d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management. Description and Circular No. B-2087-2001 is intended to ensure that companies carry out an findings re EC3 adequate management of positions affected by interest rate risk. In this regard, the following points are covered: Systems and models Paragraph 9 indicates that banks must have systems and models for measuring interest rate risk that are in line with the degree of complexity of their operations and the level of risks faced. The models should capture all the material sources of this risk and evaluate the effect of it consistently throughout all activities, identifying and measuring the impact of changes in the interest rate on profits and equity value. This analysis must be performed for all assets, liabilities and contingents of the bank. In addition, banks should consider the following: 9.1 The assumptions required for the elaboration of measurement systems and models should be clearly understood by the Chief in charge of the Risk Unit and by the Board or Committee. 9.2 The initial validation of the systems and models of measurement of the interest rate risk as well as the subsequent modifications that they require, must be carried out by an area independent of the area that develops or employs them. 9.3 When the bank develops new internal models or makes modifications to them, it must immediately notify the SBS, attaching a brief report evaluating the impact of these changes on the bank's risk analysis. Limits Paragraph 15 of the Circular indicates that banks must establish operating limits of exposure to interest rate risk that must be fulfilled as part of their internal control system. The limits should focus on the impact of likely changes in interest rates on profits, at least through the financial margin, and on the equity value of the bank, both under normal market conditions and in situations of stress. The EaR indicator (on a 12-month horizon) is regulated, which allows estimating the impact on the annual financial margin produced by specific changes in interest rates. Per paragraph 15 of Circular, banks must maintain an indicator less than 5 percent of the regulatory capital. Also, companies should report the EVE indicator, which measures the change in EVE of a bank produced by changes in interest rates. Pursuant to Article 33 of the Additional Capital Requirements Regulation (Resolution SBS No. 8425-2011), if the change in EVE is more than 15 percent of regulatory capital, the entity must hold additional capital equivalent to the excess of this threshold. The calculation of the EVE is regulated and based on the guidelines established by the Basel Principles for 183 PERU the Management of IRRBB (July 2004). In the meantime, the Basel Committee for Banking Supervision issued in 2016 standards for IRRBB. Monitoring and Information Systems The SBS monitors the banks IRR by means of the prudential reports contained in annexes No. 7-A: Measurement of Interest Rate Risk - Gain on Risk, and; No. 7-B Measurement of Interest Rate Risk - Risk Value, which are used to estimate the impact of changes in interest rates on the financial margin (EaR) and the equity value at risk (EVE), for both domestic and foreign currency positions. Paragraph 11 establishes that, at least monthly, the Chief of the Risk Unit should prepare a report on the management of interest rate risk that must be presented to the Board. This report contains, among other points, the degree of compliance with policies, procedures and exposure limits, and the report on the adequacy of interest rate risk measurement systems, policies and procedures. A copy of this report should be sent to this SBS, as indicated in paragraph 19. The DSRMLI analyzes these reports off-site. In addition, during the on-site examination, the adequacy of the systems used to measure interest rate risk, independent validation of internal models of interest rate risk, the establishment of appetite-dependent limits and risk profile of the entity, the timely identification and communication by the Risk Unit of any exceptions that might arise, the internal reporting lines established to communicate the degree of exposure to interest rate risk, and the scope and sufficiency of the review of the internal and external auditors to the management of the risk of interest rate. These procedures are contained in the following manuals: • IRRBB Manual G4 • Organizational Structure G6 Assessors reviewed the prudential report as contained in Annex 7 of the Accounting Manual issued by the SBS. The prudential reports for IRRBB and the guidelines provided for the calculation of EaR and EVE, including how for example behavioral aspects need to be considered (like for non-term deposits and optionality for early repayment of mortgages), are considered comprehensive. In the meetings and discussions, the DSRMLI staff demonstrated a good knowledge of IRRBB, the used regulatory approach and banks’ internal approaches towar ds the management of this risk. EC4 The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. Description and Circular No. B-2087-2001 establishes in paragraph 10 that banks should simulate findings re EC4 different scenarios and perform stress tests relevant to the management of interest rate risk, including non-compliance with the main assumptions and variations in parameters used in the preparation of Annexes No. 7-A and 7-B and in the internal 184 PERU models referred to in paragraph 9 of the Circular. The results should be considered to establish and revise policies, procedures and limits for exposures to interest rate risk. Each month, the DSRMLI receives and analyzes the report prepared by the Bank's Risk Unit, which reports the results of stress tests of interest rate risk, among others. During the inspection visits, the DSRMLI verifies that the stress tests and scenarios considered are relevant and sufficient given the business strategies, that the models of stress of interest rate are robust and that they have the respective validation of an independent area. Finally, it is verified the results of such tests are communicated to the Risk Committee, Board and areas involved in management. The prescribed scenario contained in the ICAAP also contains an interest rate shock. DSRMLI is, however, not directly involved in the review of the results of the ICAAP stress test. Assessment of Compliant Principle 23 Comments The overall regulatory and supervisory approach and practices are adequate. Apart from the risk management requirements, IRRBB is also included in the Additional Capital Requirements Regulation; requiring an additional capital buffer if the change in EVE is more than 15 percent of regulatory capital when applying a per maturity bucket a prescribed interest rate shock. Recommendations: • The Basel Committee for Banking Supervision issued in 2016 standards for IRRBB. The SBS should review and consider the implementation of the Basel III standards for IRRBB. Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. EC1 Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. 185 PERU Description and The SBS revised its liquidity regulation in 2012 to include and introduce the Basel III findings re EC1 Liquidity Coverage Ratio (LCR). The revised Regulation for Liquidity Risk Management (Resolution SBS No. 9075-2012), establishes in article 30 that companies must comply with the following limits: a) Liquidity Ratio in Local Currency (LC): Liquid Assets / Short Term Liabilities in LC ≥ 8 percent. This limit is increased to 10 percent when the concentration of liabilities (of the 20 principal depositors with respect to the total deposits) in the previous month is higher than 25 percent b) Liquidity ratio in Foreign Currency (FC): Liquid Assets / Short Term Liabilities in FC ≥ 20 percent. This limit is increased to 25 percent when the concentration in the previous month is higher than 25 percent c) Liquidity Securities Ratio ≥ 5 percent of Liquid Assets d) Ratio of liquidity coverage: LCR LC ≥ 100 percent and LCR FC ≥ 100 percent (per January 2019). Per the adjustment schedule, the requirement is 80 percent for 2017 and 90 percent in 2018. Compliance with limits a), b) and c) is evaluated on the basis of the monthly average of the daily balances, while the LCR needs to be complied with on a daily basis. The ratios in a), b) and c) were already in place before the introduction of the LCR. The liquid assets definition in these two ratios differs from High Quality Liquid Assets (HQLA) as used for the calculation of the LCR. One of the main difference is the inclusion of balances with financial institutions as liquid assets. The Liquidity Securities Ratio is meant to assure that FIs (in particular the non-bank deposit takers) at least have a certain portion of their liquid assets available in the form of high quality uncollateralized securities that are accepted at the discount window of the BCRP. It should be noted that the limits c) and d) do not apply to companies in the financial system that have less than two years of operation; or that have public deposits / total liabilities ratio of less than 15 percent, unless their assets represent more than 1 percent of the total assets of the financial system. Currently only one bank does not have to comply, but is however monitored against these ratios. For the other banks the supervisory approach is primarily build around the LCR, which is calibrated more conservatively than the Basel III LCR (see EC2). The SBS is in the process of implementing the Net Stable Funding Ratio (NSFR) and is already monitoring the banks against this ratio. The SBS has implemented supervisory tools to monitor the contractual maturity mismatch; concentration of funding (see EC5); available unencumbered assets; the LCR is required for significant currencies (in Peru PEN and USD); and market related monitoring tools, which are also contained in its internal monthly liquidity report. 186 PERU In the event of non-compliance with regulatory limits a) and b) monetary penalties (fine) are applied; and in the event of failure to comply with the ratios c) and d), the entity is required to send to the SBS a Liquidity Restoration Plan (within a day after the breach – and the breach should not last longer than 30 days) that should contain the actions to be taken and necessary time frames to restore the minimum levels of liquidity required by regulation. If the plan is inadequate or the situation deteriorates the SBS has its sanction and intervention tools at its disposal. The companies must present to the SBS the following reports by which the compliance with the regulatory limits of the liquidity ratios is verified: • Annex No. 15-A: Report of treasury and daily position of liquidity (daily report); • Annex No. 15-B: Liquidity coverage ratio (daily report); • Annex No. 15-C: Monthly liquidity position (monthly report). In addition, banks need to submit: • Annex 16-A: Contractual liquidity maturity ladder and concentration indicators (monthly report); • Annex 16-B: Liquidity stress-test and liquidity contingency plan (quarterly report). EC2 The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. Description and The liquidity requirements reflect the risk profile of the companies and the context of findings re EC2 the Peruvian market. For example: • The minimum requirements for the liquidity ratio and LCR are applied separately for domestic currency and for foreign currency (USD), since the market is bi- monetary as 40 percent of deposits are in dollars; • In the case of LCR, the exchange of liquidity from one currency to another is accepted, but with a haircut of 5 percent, a percentage that reflects the volatility of the PEN - Dollar exchange rate; • The minimum requirements of the liquidity ratio in both currencies are increased for companies with a high concentration of liabilities (if 20 main depositors represent more than 25 percent of total deposits); • The run-off rates of the LCR considers the volatility of funding sources in the Peruvian financial system (e.g. stable (insured) deposit 7.5 percent and non- stable deposits 15 percent); • Twenty-five percent of the minimum reserve requirement is deducted from high quality liquid assets (HQLA) because the reserve is an instrument of monetary policy that in normal circumstances needs to be complied with; • For the calculation of the LCR, also corporate bonds issued by private companies in the non-financial sector are considered as HQLA, if they qualify for access to securities repo operations (rated AA- or higher) with the Central Bank; • The LCR calculation includes off-balance sheet accounts (unused lines of credit and non-disbursed loans) as part of the 30-day outflow with a 5 percent weighting. This weighting was established because of a statistical analysis considering data from the financial system; 187 PERU • The LCR and the Liquidity Securities Ratio apply to entities that have a ratio of public deposits over liabilities of 15 percent or more and / or assets that represent more than 1 percent of the total of the financial system. The calibrations are more conservative than the ratios used in the Basel III LCR framework. In addition, given the observed increase of the loan-to-deposit ratio of the system as a whole, the SBS required FIs, as of August 2015, to establish and implement internal loan-to-deposit limits. The approach for the LCR, but also the established requirement for internal loan-to-deposit ratios, evidences that the SBS takes into account in its regulatory and supervisory approach the markets and macroeconomic conditions. EC3 The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance . Description and The SBS has a specialized area that is responsible for the supervision of market risk of findings re EC3 SIs; the Department of Market Risk, Liquidity and Investments (“DSRMLI”), which is part of the Superintendence of Risks (“SAR”). DSRMLI has 12 staff which dedicate about two thirds of their time to banks. As part of off-site supervision, the DSRMLI reviews the different prudential liquidity reports and produces a Daily Liquidity Report and a Monthly Liquidity Report that allow monitoring of the compliance with regulatory limits and the developments on a bank-by-bank and banking system level. The DSRMLI is also responsible, as part of the on-site examination team led by the SABM, for on-site examinations of liquidity risk and the scoring of this risk type in the rating methodology used by the SBS. During the on-site examination, DSRMLI staff (as part of the SABM let on-site examination team) verify, amongst others, that the policies and procedures for liquidity risk management are documented and approved by the Board. DSRMLI staff also verify whether FIs have a framework that guarantees enough liquidity, including a buffer of high quality liquid assets to withstand a stress scenario; that they have approved strategies, policies, procedures and manuals for the management of liquidity risk, per their size, complexity of their operations and services, level of risk and systemic importance and that these are reviewed periodically, but at least annually. The on-site examination supervision procedures for liquidity risk are detailed in a separate manual (Guia de Supervision In-Situ de Liquidez). EC4 The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: 188 PERU a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; b) sound day-to-day, and where appropriate intraday, liquidity risk management practices; c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate. Description and Regarding item (a) findings re EC4 Article 3 of the regulation specifies, among the responsibilities of the Board, to approve the levels of tolerance to liquidity risk, set of risk limits, per business objectives, direction, strategy and appetite for liquidity risk. Risk limits should ensure that the entity performs sound liquidity management under normal and stressful conditions. Article 12 of the Liquidity Risk Management Regulation states that the Board or the Risk Committee is responsible for establishing a structure of internal liquidity risk limits, based on the appetite for defined risk. These limits should be consistent with the size, level of concentration of liabilities, and complexity of the operations and services of the FI. Regarding item (b) Article 4 of the Liquidity Risk Management Regulation states that the strategy developed by management, previously approved by the Board, should include specific liquidity management policies, such as: composition and term of asset maturity and liabilities; diversity and stability of funding sources; approach to liquidity management in different currencies and business lines; intraday liquidity management approach; management approach regarding off-balance sheet items, differentiating between restricted and unrestricted assets; and assumptions about the liquidity of assets and their ability to be traded in the market. The strategy should also take into account liquidity needs under normal conditions and in periods of stress. Regarding compliance with regulatory limits, Article 30 states that the liquidity coverage ratio (LCR) needs to be complied with daily, while compliance with the liquidity ratio and liquidity securities ratio is monthly (taking the average of daily balances). Notwithstanding the foregoing, FIs must perform the calculation and report all these indicators on a daily basis to the SBS. 189 PERU Regarding item (c) Article 26 states that the FI must have information systems and support tools to allow adequate liquidity risk management, as well as appropriate information security mechanisms. The FI must document the automated processes or reports. Regarding item (d) Article 3 of the Liquidity Risk Management Regulation, establishes amongst others that the Board needs to assure that senior management effectively implements policies and procedures for the management of liquidity risk, in accordance with the FI's risk appetite; and ensure compliance with the provisions contained in the same standard. Article 9 of the regulation establishes, among other functions, that the Risk Unit must ensure adequate liquidity risk management, promoting the alignment of the risk management measures of the FI with the levels of risk tolerance and to permanently evaluate compliance with the policies and procedures established by the FI for the management of liquidity risk. Regarding item (e) Article 3 of the Liquidity Risk Management Regulation establishes that the (Board) Risk Committee is responsible for approving and periodically revising, at least annually, the strategies, policies and procedures for the management of liquidity risk, in accordance with changes in the risk profile of the FI, and external events that affect the macroeconomic situation and the markets in which it operates. The Committee should also define the frequency with which the structure of internal limits should be reviewed (Article 12). The policies and procedures of the liquidity contingency plan must be updated at least annually (Article 24). During the on-site examination of liquidity risk DSRMLI staff verifies amongst others that: • The Board approved liquidity risk tolerance levels based on business objectives, direction, strategy and appetite for liquidity risk; • The FI has internal methodologies, models and indicators for liquidity risk management in addition to regulatory ones, covering both operational (short- term) and structural liquidity; • The FI's computer systems are suitable for the management of liquidity risk, per the size and complexity of operations; • The Board and the Risk Committee monitor that policies and processes for liquidity risk management are effectively applied in accordance with the entity's appetite for liquidity risk. In this sense, it is verified that the Board takes cognizance of the liquidity risk the FI is exposed to, as well as the evolution of the risk, including of the liquidity risk profiles of the consolidated group of the FI, 190 PERU if applicable. Likewise, it is verified that the Risk Committee is informed and aware of the management and level of liquidity risk of the FI; and in case of deviations from the established levels of liquidity risk tolerance, to approve mechanisms for the implementation of corrective actions proposed by the Risk Unit. • The Board approves and periodically reviews, at least annually, the strategies, policies, procedures and manuals for the management of liquidity risk, in function of changes in the FI's risk profile, and the events that affect the macroeconomic situation and the markets where it operates. Regarding the computer support and procedures followed for reports of liquidity that FIs submit to the SBS, the off-site manual ("Reliability of the Process of Generation of Attachments and Reports") of the specialized IT risk unit (DSSIT) of the SAR is used, which evaluates the data architecture, the traceability of the generation process, the existence of a test plan, among other aspects. This manual is of general application for the annexes and reports received by the SBS including the annexes for liquidity. EC5 The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g. credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: a) an analysis of funding requirements under alternative scenarios; b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits; d) regular efforts to establish and maintain relationships with liability holders; and e) regular assessment of the capacity to sell assets. Description and Regarding item (a) findings re EC5 Article 9 states that the Risks Unit has among its functions to develop the methodology for the quantification of liquidity risk, in normal and stress scenarios. Also, article 15 states that the entity should simulate three different scenarios: normal scenario (liquidity by maturity), systemic stress scenario and company-specific stress scenario; however, the entity, per the size and complexity of its operations, should simulate additional stress scenarios. With respect to item (b) Article 3 states that it is the Board's responsibility to establish a robust liquidity management framework that guarantees sufficient liquidity in the FI, including a high-quality liquid assets buffer for times of stress. Likewise, Article 30 establishes the minimum liquidity requirements that entities must meet to withstand stressful situations. High quality liquid assets that are part of the LCR are defined as those 191 PERU assets that can be easily and immediately converted into cash with little or no loss of value. Regarding item (c) Regarding the diversification of sources and deadlines, article 22 states that the Risk Unit should identify the counterparties, currencies, markets and the most important types of instruments on which the firm's funding rests. It should also identify the main factors affecting the FI's ability to raise funds, closely monitoring them to ensure that the assumptions used in estimating the ability to obtain financing are in place. The FI must establish an anchoring strategy to ensure an appropriate diversification of sources of financing through access to resources from different suppliers; and should periodically verify their ability to obtain resources from such suppliers. In addition, the FI must establish indicators, with their respective internal limits, to control the concentration of liabilities. The internal limits established for the concentration of liabilities should be in function of the potential impact of the sudden loss of financing of the counterparties or types of instruments. It should be noted that companies are required to submit to the SBS monthly the following concentration indicators (contained in Annex 16A - Indicators): • Debt with 10 major creditors / Total creditors • Debt with 20 major creditors / Total creditors • Debt with 10 main depositors / Total deposits • Debt with 20 main depositors / Total deposits • Public sector deposits / Total deposits • Obligations from abroad with a maturity ≤ 360 days / Total liabilities Finally, a higher requirement of liquidity is established for those FIs where the funding from the 20 main depositors exceeds 25 percent of the total deposits. Regarding point (d) Referring to the contact with the depositors and creditors, article 22 states that the FI must establish a funding strategy that allows to guarantee an appropriate diversification of financing sources, through access to resources from different providers of funds; must periodically verify their ability to obtain resources from such providers. Article 24, regarding the plan of action of the contingency plan, indicates that the FI must maintain a continuous presence in the chosen financing markets and close relations with the providers of funds, to promote an effective diversification of funding sources. Likewise, it must periodically evaluate its capacity to obtain with certainty funds from each identified source. Regarding point (e) Referring to the ability to sell assets, article 24 refers to the identification of sources of financing of the contingency plan, that these sources consist mainly of assets that could be used to obtain liquidity (e.g., sovereign bonds and global bonds, BCRP 192 PERU deposit certificates, among others) and in committed liquidity lines. The assets and liabilities management strategies of the contingency plan should also include the sale of investment instruments or their use in repurchase agreements. FIs submit quarterly to the SBS Annex No. 16-B "Simulation of Stress Scenarios and Contingency Plan" with the results of a simulation of a SBS prescribed scenario of systemic stress, and are required to keep at the disposal of the SBS the simulation of an institution specific stress scenario. The stress scenario in Annex No. 16-B, assumes a discount of 10 percent for debt securities issued by the Central Government; a discount of 15 percent for representative debt securities issued by foreign governments; a discount of 30 percent for corporate bonds with an A or lower risk rating and for equity instruments; and a 40 percent discount for other debt securities. Likewise, an additional haircut is applied on the entity's adverse classified loan portfolio for each maturity band, to incorporate the impact of market and credit risks on the liquidity of the FI. To assess the concentration of liabilities, monthly concentration ratios are monitored through Annex 16A - Indicators, as well as through Annex No. 15-A, in which FIs report daily balance of deposits of large creditors, distinguishing those that come from the State, AFPs, mutual funds and investment funds; insurance companies; stock broker companies; and other depositors. In its off-site supervision, the SBS monitors and verifies the information sent by the FIs, which includes various indicators of concentration, as well as the maintenance of a buffer of high quality liquid assets and the detail of the debts from abroad by creditor, bank and term (Annex No. 14). Through on-site examination (on-site procedures are contained in the Guia de Supervision In-Situ de Liquidez) DSRMLI staff verify whether: • The FI has defined specific and/or additional stress scenarios per the size and complexity of operations and periodically performs the analysis of liquidity maturity gaps in normal and stress scenarios. • The FI has liquid instruments as a liquidity management policy and has established strategies for the diversification of liquid assets. • The FI has strategies to diversify its funding and reviews the structure of funding of the FI, what corresponds to stable and less stable funding (evaluation whether the funding relates to natural persons, legal entities, AFP, among others). • The FI has established indicators to control the concentration of liabilities. • The FI has permanently identified and monitors the most important counterparts, currencies, markets and types of instruments in its funding. • The FI has established strategies for the management of assets and liabilities including the sale of assets or the conduct of repo operations. EC6 The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets 193 PERU out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. Description and As mentioned Article 24 of the Liquidity Risk Management Regulation requires FIs to findings re EC6 have Board approved liquidity contingency plans. The regulation also establishes that the policies and procedures of the liquidity contingency plan should be updated at least annually, while the simulation of the regulatory stress scenario (reported in Annex 16-B) and the action plan will be updated quarterly. The action plan must be signed by the managers of the Risk Unit and the business area and submitted to the SBS on a quarterly basis. DSRMLI reviews and monitors off-site the Liquidity Contingency Plan that is submitted to the SBS. During on-site examinations, the Liquidity Contingency Plan is verified through the application of the procedures described in the on-site supervision manual. In case of a deficiency or non-compliance with what is required by the regulation, the observation and a recommendation will be included in the on- site examination report, requiring the FI to take the necessary corrective action within a certain period. In its on-site supervision, the SBS reviewed since 2012 liquidity risk in 35 FIs, within which 25 recommendations were made regarding FIs’ Liquidity Contingency Plans. The Liquidity Risk Management Regulation does not apply to financial groups (only to licensed FIs under direct supervision of the SBS) for which the SBS is the home supervisor, however, it contains some specific requirements on consolidated supervision which are directed to the supervised entity. As such, for FIs that are part of financial or mixed conglomerates for which the SBS is the home supervisor it is required (article 3 of the Liquidity Risk Management Regulation) that the Board of the FI understands the liquidity risk profile of the financial group on a consolidated level. In addition, article 25 establishes that if the FI belongs to a financial group or conglomerate, the Risk Unit must simulate biannual stress scenarios every six months and prepare a contingency plan at a consolidated level, considering the limits that may exist for the transfer or liquidity support between entities that make up the financial group or conglomerate. The indirect supervision of financial groups is not ideal, but at this moment appears to work because the main entities of the financial groups for which the SBS is the home supervisor are located in Peru, as well as the management of these groups. The liquidity contingency plans of these financial groups are at its initial phase and the SBS only recently has started to push for more progress in this area. 194 PERU EC7 The supervisor requires banks to include a variety of short-term and protracted bank- specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. Description and FIs must send quarterly to the SBS the Annex No. 16-B "Simulation of Stress findings re EC7 Scenarios and Contingency Plan" with the simulation of scenario of systemic stress. FIs should indicate in detail the strategy they will adopt to deal with a possible crisis of systemic liquidity, recording in each temporary band the estimated cash inflows to cover marginal mismatches up to the six-month band. Likewise, FIs must include in the Liquidity Contingency Plan the results of the simulation of their specific stress scenario, as well as the details of the sources of financing and the strategies they will adopt to deal with this scenario. Companies should keep at the disposal of the SBS the methodologies used for the simulation of the specific stress scenario. During the on-site examination, the SBS reviews whether FIs periodically performs stress tests and the methodologies of specific stress scenarios. In addition, DSRMLI staff also verify whether the results of the stress scenarios and the Liquidity Contingency Plan are considered to propose modifications to the asset and liability management strategies. EC8 The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. Description and The Liquidity Risk Management Regulation requires FIs to calculate and comply with findings re EC8 the minimum liquidity requirements in USD and PEN. The USD ratios are calibrated more conservatively. Liquidity risk emanating from foreign currency funding also needs to be taken into account in stress-testing. There are currently no other currencies in which FIs have material activities. Assessment of Largely Compliant Principle 24 Comments The SBS has a well-established regulatory and supervisory framework for liquidity risk. With the inclusion of the LCR in 2012 the framework has been aligned with the Basel III framework. The SBS is currently working on the implementation of the NSFR and is already monitoring the banks on this ratio. 195 PERU Apart from performing semi-annual stress-testing and developing a liquidity contingency plan, there are no group level liquidity requirements. Like for capital, the group requirement is indirectly enforced via the licensed institution in Peru. This indirect form of regulation is not optimal. This aspect has been factored in to the scoring of CP 1. The adoption of group liquidity contingency plans by the two groups for which the SBS acts as home supervisor is in its initial phase and the SBS only recently has started to push for more progress in this area. The limited progress in this area (regulation was issued in 2012) has been taken into account in the scoring of this principle. Recommendations: • The approach towards liquidity risk supervision of financial groups should be intensified; • The SBS should continue its work on the implementation of the Basel III NSFR (tailored to the local circumstances) as planned. Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk67 on a timely basis. EC1 Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’ s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). Description and The overarching framework for governance and risk management is set by the GIR findings re EC1 (approved by Resolution SBS No. 37-2008 and amendments), which will be replaced as of April 1, 2018, by the Corporate Governance & GIR, approved by Resolution SBS No. 272-2017 (see CP 14 and 15). For operational risk specifically, the SBS has issued the following regulation and circulars, which are applicable to all SIs: • Operational Risk Management Regulation, approved by Resolution SBS No. 2116-2009; • Operational Risk Capital Requirements Regulation, approved by Resolution SBS N ° 2115-2009; 67The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk. 196 PERU • Circular G-191-2017, referring to the criteria for recording loss events; • Circular G-139-2009, referring to the management of business continuity; • Circular G-140-2009, referring to the management of information security; • Circulars G-164-2012 and G-180-2015, referring to the report of significant; interruptions in operations and key indicators of business continuity. Article 3 of the Operational Risk Management Regulation establishes that SIs must carry out and adequately manage the operational risk they face. Article 6 also states that the Board has the responsibility to define the general policy for operational risk management, to approve the operational risk management manual and to know the main operational risks faced by the entity, establishing where possible, adequate levels of tolerance and risk appetite. Article 4 describes the factors that give rise to operational risk: • Internal processes: risks related to improper design of processes or to inadequate or non-existent policies and procedures that may result in deficient development of operations and services or the suspension thereof; • Personnel: risks related to inadequate training, negligence, human error, sabotage, fraud, theft, appropriation of sensitive information, among others; • Information technology: risks related to failures in the security and operational continuity of computer systems, errors in the development and implementation of such systems and the compatibility and integration thereof, problems of information quality, inadequate investment in technology, among other aspects; • External events: risks outside the control of the SI, related for example to failures in public services, the occurrence of natural disasters, attacks and criminal acts, among other factors. Article 11 states that the methodology for operational risk management must be implemented throughout the SI in a consistent, properly documented way and be integrated with the SI's risk management processes. Likewise, it indicates that the following components of operational risk management should be considered; i.e.: internal environment, objectives setting, risk identification, risk assessment, risk response, control activities, information and communication, and monitoring (in line with the 8 categories of the COSO framework). Finally, Circular G-165-2012 indicates that SIs must prepare reports of risks associated with the launch of new products and major changes in the business, operating or computing environment. These reports must also be sent to the SBS, within established deadlines, subject to approval by the Risk Committee or specialized committee. This risk report must include all applicable types of risks, including operational risk, the exposure of which may increase during the product launch period or while the changes are implemented. The SAR has specialized units for operational risk (DSRO) and IT risk (DSSIT) that are responsible for the supervision of operational risk management and related IT risks. The DSRO and DSSIT have respectively 14 and 9 staff, which dedicate about half of 197 PERU their time to banks. Given the changing operating environment, the importance of systems and increasing concerns regarding cyber risk, the IT risk unit is foreseen to expand to 14 staff. DSRO is responsible for scoring operational risk in the rating methodology used by the SBS. As part of off-site supervision, DSRO staff review the: Annual reports on the operational risk management that SIs are required to submit (Article 15° of Resolution SBS N° 2116-2009); Risk reports on the launch of new products and major changes in the business, operational or IT environment, as well as; Reports of significant interruption of operations and of business continuity indicators. In addition, in coordination with the SABM, the on-site examinations include regular and targeted examinations as well as examinations related to the authorization for the use of the Alternative Standardized Method (ASA), for which there are on-site supervision manuals with procedures for the evaluation of the various aspects related to operational risk management. In the examinations DSRO staff also assess whether the SI has defined levels of appetite and risk tolerance, and whether these are consistently considered in the internal policies and procedures. DSRO is responsible for the scoring of operational risk as part of SBS’ internal rating methodology. EC2 The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. Description and Article 6 of the Operational Risk Management Regulation indicates the specific findings re EC2 responsibilities of the Board of Directors regarding the management of this risk, among which the following should be highlighted: • Define the general policy for operational risk management; • Allocate the necessary resources for adequate operational risk management, to have the appropriate infrastructure, methodology and personnel; • Approve the operational risk management manual, which should contain the functions, responsibilities, policies, methodologies and procedures defined by the SI for the management of this risk; • Know the main operational risks faced by the entity, establishing where possible, adequate levels of tolerance and appetite for risk; • Obtain reasonable assurance that the SI has an effective management of operational risk and that the main risks identified are under control within the limits that have been established. In addition, article 17 of the Operational Risk Management Regulation states that the Internal Audit Unit (IAU) shall evaluate compliance with the procedures used for the management of operational risk. In turn, the Internal Audit Regulation, approved by SBS Resolution No. 11699-2008, indicates that, as part of the annual internal audit work plan, SIs should consider at least the assessment of operational risk 198 PERU management and compliance with the procedures used to manage this risk. Likewise, the reports made by the internal auditor must submitted to the Audit Committee and / or the Board of Directors. Article 18 of the Operational Risk Management Regulation states that external audit companies should include in their report comments on the internal control system, indicating whether the entity has policies and procedures for the management of operational risk in line with the provisions of the Operational Risk Management Regulation. As part of the on-site examination DSRO staff verify that the Board approves the policies and procedures for operational risk management. During the on-site examinations, the DSRO staff also reviews the minutes of the Board, Risk Committee and / or other specialized committees, including the supporting documents, to verify that the execution of the approved policies for operational risk management are monitored. In addition, DSRO staff verify that IAU has performed an annual evaluation of compliance with the procedures used for operational risk management, that it monitors the implementation of the identified weaknesses, and that the results of that evaluation are presented to the Board. These aspects are included in the on-site supervision manual called "Operational Risk Management". EC3 The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. Description and The Operational Risk Management Regulation establishes in Article 7 that senior findings re EC3 management has the responsibility to implement operational risk management in accordance with the provisions of the Board. It also establishes that the managers of the business or support organizational units have the responsibility to manage operational risk within their scope of action, within the established policies, limits and procedures. Article 9 sets out the specific responsibilities of the Business Risk Unit in relation to operational risk management. Article 11 (c) of the regulation states that the application of the methodology defined by the SI for operational risk management must be integrated with the SI's risk management processes. The characteristics of the operational risk management methodology used by the SI and the results of its application are reported through the submission of their Annual Operational Risk Management Report. In its on-site supervision, the SBS reviews the effective implementation of the policies and processes for the management of operational risk. EC4 The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor 199 PERU determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. Description and Article 4 of the Operational Risk Management Regulation states that SIs must findings re EC4 manage the risks associated with external events outside the control of the company, related, for example, to failures in public services, the occurrence of natural disasters, attacks and acts crimes, among other factors. In this sense, article 13 establishes that, as part of an adequate management of operational risk, SIs must implement a business continuity management system that aims to establish effective responses to events that can create an interruption or instability in its operation, allowing the SI to continue the operation of the business. SBS Circular No. G-139-2009 is the specialized standard on Business Continuity Management, which establishes provisions that refer to international standards such as BS-25999. Article 3 states that business continuity management is a process, carried out by the Board, management and staff, which implements effective responses so that the operation of the business of the company continues in a reasonable manner, in order to safeguard the interests of its main interest groups in case of events that may create an interruption or instability in the operations. SIs must conduct business continuity management appropriate to their size and the complexity of their operations and services. Article 4 of the circular states that the Board is responsible for approving a general policy that guides the management of business continuity and the resources necessary for its proper development, as well as to obtain reasonable assurance of effective management. In addition, Articles 5 and 6 define that senior management has the responsibility to implement such management in accordance with the provisions of the Board, and that the Risk Unit must ensure that this is consistent with the policies and procedures applied for the management of risks. Article 8 of the Circular establishes the elements of the continuity management that SIs must develop as a minimum: an understanding the organization, selecting the continuity strategy, developing and implementing the continuity strategy, testing and updating, and integrating the management of business continuity in the organizational culture. Regarding continuity strategies and response plans, paragraph 8.3 states that SIs should implement two types of plans, as well as the minimum scope to be considered in each case: • Crisis Management Plan: to prepare the SI to face the acute phase of an event of interruption of operations, even of those not expected; • Business Continuity Plan(s): to provide the SI with the ability to maintain, or if applicable, recover the main business processes within the previously established parameters. 200 PERU • In addition, specific plans should be developed considering at least one Emergency Plan to safeguard the physical integrity of staff and a Recovery Plan for information technology services. DSRO staff evaluate that companies have implemented a business continuity management system that allows them to ensure the continuity of their operations in case of interruption events. This evaluation is carried out through off- and on-site supervisory activities. The Annual Operational Risk Management Report, to be submitted by Sis, includes the scope of the continuity plans developed and the tests carried out. This information allows for sectoral analysis and defining the specific topics to be reviewed during on-site examinations. On-site examinations guide by the examination manual "Business Continuity Management", which reviews compliance with the regulatory requirements outlined above and the implementation of an adequate continuity management of the business. In 2013, the "Sectorial Business Continuity Exercises" program was initiated, with the objective of improving the level of preparedness of the financial system to face operational interruption events with systemic impact, such as earthquakes, which would affect all SIs, its suppliers and associations, as well as the authorities and the public. The aim of the exercise is to identify common factors of exposure to operational risk and implement risk mitigation plans that strengthen the financial system. The means of coordination used is an inter-institutional forum called "Business Continuity Work Team", which meets periodically since 2013; having held the 28th meeting at the close of July 2017. The Sectoral Exercises are being executed every three years. The first one took place in 2014 and involved 12 institutions of the financial system; those authorized to use the alternative standard method (ASA) to calculate the capital requirement for operational risk; which represent more than 90 percent of the financial sector in terms of assets. From this exercise, opportunities for improvement were identified that gave rise to action plans that are being implemented by financial companies and the SBS itself (e.g. acquisition of resilient means of communication, establishment of public service hubs to take advantage of economies of scale, alternative strategies for provision and transportation of cash, definition of first SBS measures in the face a systemic event). The second exercise was executed in August 2017; and it had 23 participants, from both FIs and the insurance system, but also the SBS, BCRP and the Ministry of Finance and Economics. The scenario that was tested was related to the occurrence of a large magnitude earthquake (between 8 and 8.5 degrees Richter) that affected the city of Lima, where the main offices and the data processing centers of the SIs are concentrated. It should be noted that in these Sectoral Exercises, only SIs are participating that have 201 PERU a reasonably mature business continuity management. This allows the SBS to compare the best practices. This information is used for two main purposes: (1) in the case of SIs, as a reference to improve their business continuity management; and, (2) in the case of the SBS, to identify new practices that might be good to incorporate into regulation or supervision. The approach to identify common points of exposure and assess the impact in an industry-wide stress-test exercise is extremely valuable. However, the assessors also note that the SBS itself still needs to implement an important recommendation (obtaining satellite radio communication devices to facilitate communication during the crisis) that was made as a result of the first exercise. EC5 The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. Description and Article 4 of the Operational Risk Management Regulation states that SIs must findings re EC5 manage the risks associated with information technology, related to failures in the security and operational continuity of computer systems, errors in the development and implementation of said systems and the compatibility and integration of them, as well as problems of information quality, inadequate investment in technology, among other aspects. In this sense, Article 13 of the regulation establishes that, as part of an adequate management of operational risk, companies must have an information security management system aimed at guaranteeing the integrity, confidentiality and availability of information. SBS Circular G-140-2009 on Information Security Management establishes provisions that refer to international standards such as ISO 17799 and ISO 27001. Article 3 of the Circular indicates that SIs must establish, maintain and document an information security management system which includes at least the following: • Definition of an information security policy approved by the Board; • Definition and implementation of a risk management methodology that is consistent with the operational risk management of the SI; • Maintenance of adequate records to verify compliance with the standards, policies and procedures defined by the company, as well as to maintain adequate audit trail. Article 5, referring to information security controls, states that as part of its information security management system, SIs should consider, as a minimum, the implementation of the following general controls: • Logical, personal, physical and environmental security; • Inventory of assets and classification of information; • Administration of operations and communications; 202 PERU • Acquisition, development and maintenance of computer systems; • Backup procedures; • Management of information security incidents. In addition, Circular No. G-165-2012 referred to the "Report of risks for new products or important changes in the business, operational or computer environment", indicates that SIs must submit to the SBS a report with a brief description of important changes, indicating the objective that the SI seeks to achieve. It should also include an assessment of the associated risks and the risk response measures identified to manage those risks, including related to information technology and security. The specialized unit DSSIT of the SAR is responsible for the supervision of the use and implementation of information technology, information security, and reliability of information. The inputs for annual planning for on-site supervision includes: • Size, (level of assets of the companies); • Complexity, (number of information systems in use for business); • Information security scoring, which is an input for the scoring of operational risk as part of SBS’ internal rating methodology. Additionally, the lead supervision departments (SABM in case of banks) can ask for participation in on-site examination. The procedures for on-site examinations are incorporated in the the on-site supervision manual "Information Security Management". DSSIT evaluates also ASA authorizations on information security aspects. In addition, DSSIT supervises the reliability of reported information through two guidelines: • “Supervision of reporting practices”, which includes responsibilities, data definitions, validations and documentations for regulatory reports; • “Data quality assessment”, which includes granular data extraction and tests for regulatory reports. Supervision on reliability of information is prioritized on: • Credit risk weighted assets – standard approach; • Liquidity risk reports; • Deposit insurance reports. EC6 The supervisor determines that banks have appropriate and effective information systems to: a) monitor operational risk; b) compile and analyze operational risk data; and c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk. 203 PERU Description and Article 9 of the Operational Risk Management Regulation establishes that it is the findings re EC6 function of the Risk Unit to consolidate and develop reports on operational risk management by process or by business and support units. It is also pointed out that, depending on the volume and complexity of the company's operations, the SBS may require the creation of a specialized operational risk management unit. Article 12 of the Regulation requires SIs, to implement a database to register all operation risk events, of at least PEN 3,000, experienced throughout the FI. FIs should also design the capture policies and procedures, train the personnel involved in the process, and define and document objective criteria for assigning loss events to the type of loss event and business lines of the entity. In addition, Circular No. G-191-2017, establishes additional criteria for the recording, valuation and classification of the operational risk loss events; as well as guidelines for cases in which there are connections with other types of risk, such as credit, market, strategic, reputational risk. DSRO staff are responsible to review the infrastructure and information systems used by SIs for operational risk management. DSRO staff evaluate the existence of periodic operational risk reports directed to the Board, senior management, and the business and support units. It should be noted that several SIs are authorized to use the alternative standard method (ASA) to calculate the operational risk capital requirements. These SIs are also required to have specialized computer systems to support the operational risk management of the SI. DSRO staff evaluate whether the SI has implemented a loss event database and that it performs periodic analysis based on the recorded information. These aspects are also included in the Annual Operational Risk Management Report and which are an input for determining the scope of the on-site examination. EC7 The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. Description and Per article 15 of the Operational Risk Management Regulation, SIs must submit an findings re EC7 Annual Operational Risk Management Report. This report needs to contain the organizational structure and methodology used by the SI to manage operational risk, the main operational risks identified and the measures taken to mitigate these risks, as well as aspects related to the management of information security and business continuity. The Corporate Governance & GIR states in article 19 (but also already part of the GIR) that, if significant events related to illegal or fraudulent activities are detected, they should be reported to the SBS through the IAU. Article 25 also states that the Risk Unit must carry out an evaluation report on the risks associated with the launching of new products and in the face of important changes in the business environment, operating environment or computing environment. Circular G-165-2012 and 204 PERU amendments, referring to the Risk Report for new products or important changes in the business, operational or computer environment, establishes that these reports need to be submitted to SBS within ten business days after their launch (new products) or after being presented to the Risk Committee (important changes). Circular G-164-2012 stipulates that companies should report to the SBS, as soon as they become aware, the occurrence of a significant disruption event. The Circular includes a non-limiting list of events of interruption that the companies are obliged to report. An event of significant interruption of operations is defined as: • Any event involving the suspension of service to the public for a time greater than the target recovery time defined by the SI or four hours of interruption, whichever is less; Any event involving invoking the Crisis Management Plan referred to in Circular G-139-2009 on Business Continuity Management. Circular G-180-2015 states that companies must submit quarterly information on key indicators of business continuity; which are associated with interruptions and activation of continuity plans (Report RO-1 and RO-2), while semi-annually information on main suppliers, continuity plans and business continuity tests needs to be submitted (Report RO-3 and RO-4). The Internal Audit Regulation states in article 13 that it is the responsibility of the Chief Internal Audit to report to the SBS regarding "significant events" occurred in the SI within 2 business days following the conclusion of the corresponding investigations and issue of the respective report. This standard defines as significant events those events that may have a significant impact on the financial situation of the SI or on the achievement of its objectives. Through the authorization processes established by the current regulation, timely knowledge about changes in the company's risk profile is gathered. These processes include authorizations for expansion of operations, opening of new service channels, outsourcing of computer processing abroad, and mergers amongst others. Finally, SIs that are authorized to use the ASA method must submit quarterly detailed information on their loss events to the Central Database managed by the SBS, which verifies their correct registration and classification, and provides the corresponding feedback of the results obtained to strengthen risk management. All the above information is analyzed in off-site and is used as an input for determining the priority and scope of on-site operational risk and IT security supervision. If needed immediate follow-up is made by the DSRO and/or DSSIT staff on the reported information. EC8 The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers: a) conducting appropriate due diligence for selecting potential service providers; b) structuring the outsourcing arrangement; 205 PERU c) managing and monitoring the risks associated with the outsourcing arrangement; d) ensuring an effective control environment; and e) establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. Description and Article 14 of the Regulations for Operational Risk Management states that, in order to findings re EC8 manage the operational risks associated with subcontracting, companies should establish appropriate policies and procedures to evaluate, manage and monitor subcontracted processes. Such policies and procedures should consider: • The process of selecting the service provider; • The preparation of the subcontracting agreement; • The management and monitoring of the risks associated with the subcontracting agreement; • The implementation of an effective control environment; • Establishment of continuity plans. It is further indicated that subcontracting agreements should be formalized through signed contracts, which should include service level agreements, as well as clearly define the responsibilities of the supplier and the SI. In addition, the Corporate Governance & GIR establish various guidelines regarding subcontracting and management of associated risks (also part of the existing GIR Resolution SBS 37-2008): • Article 35 of the Corporate Governance & GIR establishes that SIs assume full responsibility for the results of subcontracted processes with third parties, and may be penalized for non-compliance; • Article 36 defines significant subcontracting as that which, in the event of a failure or suspension of service, may put the SI at significant risk by affecting its revenues, solvency or operational continuity; • In any significant subcontracting, a formal analysis of the associated risks must be carried out, which must be reported to the Board for approval; • In addition, it is indicated that in cases of significant subcontracting, the contracts signed with the corresponding suppliers include clauses that facilitate an adequate review of the respective provision of services, by the companies, the IAU, the External Audit Company, as well as by the SBS or its designee; • Finally, Article 37 states that for outsourcing of the internal audit service and external data processing, among others that may be indicated by the SBS, companies must require prior authorization from the SBS. SBS Circular No. G-140-2009 on Information Security Management states that SIs are responsible for ensuring that confidentiality, integrity and availability of information are maintained, even when certain functions or processes have been subcontracted, and in case a SI wishes to perform a significant subcontracting of its computer processing, so that it is carried out abroad, it needs to require prior and express 206 PERU authorization from the SBS. For this, the SI must ensure proper compliance with the Circular. Likewise, according to paragraph 8.4 of SBS Circular G-139-2009, referring to Business Continuity Management, companies should ensure that their main service providers have continuity plans, that they are tested periodically and kept up to date. The supervision of the compliance with these regulations is conducted by the specialized units of the SAR; DSRO and DSSIT. The on-site "Operational Risk Management" manual incorporates procedures associated with subcontracting and its associated risk management. In addition, a specific monitoring guide is available to evaluate these issues and is applied in on-site examination focusing on this topic. In some cases, the SBS has visited suppliers who are responsible for outsourced processes, such as the main computer processing. In these cases, DSSRO and DSSIT staff verify that the subcontracted service fulfills the same requirements as established for the SI that carry out the process themselves. Finally, SIs must include in their Annual Operational Risk Management Report a list of significant subcontracts. This information is considered in determining the scope of the on-site examination. Assessment of Compliant Principle 25 Comments The SBS has a sound regulatory and supervisory approach towards operational risk, which is performed by two specialized departments of the SAR. Recommendations: • The SBS should follow up on the recommendations (and lead by example) of the industry-wide business continuity stress-test. Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent 68 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. EC1 Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the 68 In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee. 207 PERU responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g. clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g. business origination, payments, reconciliation, risk management, accounting, audit and compliance); (b) accounting policies and processes: reconciliation of accounts, control lists, information for management; (c) checks and balances (or “four eyes principle”): segregation of duties, cross - checking, dual control of assets, double signatures; and (d) safeguarding assets and investments: including physical control and computer access. Description and Article 3 of the GIR (Resolution SBS No. 37-2008) states that integral risk findings re EC1 management is a process carried out by the Board, senior management and staff, applied throughout the company and in the definition of its strategy, designed to identify potential events that may affect it, manage it according to its appetite for risk and provide reasonable security in achieving its objectives. It also points out that companies must carry out this process according to their size and the complexity of their operations and services. Article 7 states that comprehensive risk management includes, expands and develops, with a greater emphasis on risk, the concepts of internal control, whose objective is mainly related to the reliability of the financial statements. Article 9 establishes that the Board is responsible for establishing a comprehensive risk management and for fostering an internal environment that facilitates its adequate development. In addition, it includes among its specific responsibilities: (i) to establish an adequate system of delegation of powers and segregation of functions throughout the organization; (ii) obtain reasonable assurance that the company has an effective management of the risks to which it is exposed, and that the main risks are under control within the limits they have established. For its part, article 16 establishes among the main functions of the audit committee to monitor the proper functioning of the internal control system. The Corporate Governance & GIR (SBS Resolution No. 272-2017, which will come into force in April 2018), incorporates and reinforces the definitions of SBS Resolution No. 37-2008. In Article 2, it defines as internal control the process carried out by the Board, senior management and personnel, designed to provide a reasonable assurance of the achievement of objectives related to the effectiveness and efficiency of operations, reliability of financial information, and compliance with applicable laws and regulations. Likewise, Article 3 (i) states that SIs must have a corporate governance framework that, among others, considers a solid internal control, as well as an effective performance of the internal audit and compliance functions. 208 PERU Article 7 establishes the general responsibilities of the Board, including approving management roles and responsibilities, risk management, internal control and compliance; and to approve the organization and function manuals, establish an adequate system of delegation of powers and segregation of functions and treatment of potential conflicts of interest throughout the organization. Likewise, article 9 states that the Board may establish such committees as it deems necessary in order to comply with the provisions of the Corporate Governance & GIR in the case of FIs, the establishment of an Audit Committee, a Risk Committee and a Compensation Committee are mandatory. According to article 14, the main purpose of the Audit Committee is to ensure that accounting and financial reporting processes are appropriate, as well as to evaluate the activities performed by internal and external auditors. Among other functions, it must inform the Board of the existence of limitations in the reliability of accounting and financial processes. It must also keep it informed of compliance with internal policies and procedures and the detection of problems of internal control and administration. In addition, Article 19 states that SIs should establish appropriate internal systems to facilitate the timely reporting and investigation of unauthorized, unlawful, fraudulent and other questionable practices, which must be reported to the IAU, and maintaining the confidentiality of the whistleblower. In the case of significant adverse events, the Internal Audit Unit must notify the SBS, in accordance with the Internal Audit Regulation. In addition, the SBS has issued rules for management of specific risks (credit risk, market risk, liquidity risk, operational risk, money laundering and terrorist financing risks, information, among others), which establish the minimum risk management requirements associated with the organizational structure, segregation of functions, delegation of powers, controls and monitoring of business activities. EC2 The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective che ck and balance to the business origination units. Description and The SBS, through the application of the manuals for on-site supervision, carries out findings re EC2 the necessary verifications aimed at checking that there is adequate separation of roles (back office, front office and independent monitoring) and functions among the various units of the SI. When applying the on-site examination manuals, the SBS verifies that the SI has established policies and procedures for carrying out the activities of each of its 209 PERU organizational units, including those corresponding to risk management, which is performed through procedures included in the “Organization and Functions Manual”, “Corporate Policies and Procedures Manual”, and includes interviews with officia ls in various positions. It is further evaluated that the policies, standards, limits and procedures for the treatment of risks are appropriately taken and / or executed. Special emphasis is placed on verifying that the main control bodies (Risk Unit, Compliance Officer, IAU, Risk Committee and Internal Audit Committee) have adequate independence and the necessary resources to carry out their functions properly. If a weakness is identified, the SI is requested to take corrective actions, such as increasing the number of members of a given unit, improving the training received, improving the infrastructure or its tools, modifying the hierarchical reporting. Supervisory documentation of such examples was made available to the assessors during the assessment. As part of the internal rating process of FIs, specific evaluation criteria associated with the aspects of this criterion are considered for each risk (credit, liquidity, market, IRRBB, and AML/CFT). For example, for the assessment of credit risk management, the SBS assesses: (i) whether the entity has an organizational and functional structure that favors an independence of functions in the management and control of credit risk, according to its size and nature of operations; if there is an area specialized in identifying and evaluating credit risks, with autonomy to make independent decisions and veto in approval; (ii) if the entity has adequate procedures and levels of autonomy for the approval, modification, renewal and refinancing of credits, and if these are consistently met; (iii) if it has a business origination function, a risk analysis function, and an approval function, and if these three functions are independent, and there is a risk veto capacity; (iv) whether the area in charge of the borrower classification has adequate functional independence and sources of information from business areas. In terms of control functions, specific aspects are also evaluated, such as: (i) the Regulatory Compliance Officer is properly trained and assumes its functions exclusively as required by current regulations; (iii) the number of members of the IAU is sufficient for the size of the company, and economic group, if applicable, and has personnel trained and specialized in each risk; (iv) has adequate technological support tools that facilitate the evaluation, monitoring and follow-up of observations; amongst others. EC3 The supervisor determines that banks have an adequately staffed, permanent and independent compliance function69 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function are suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The 69 The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines. 210 PERU supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. Description and The GIR (Resolution SBS No. 37-2008) establishes in Article 7-A the requirement for a findings re EC3 Compliance Function and holds the Board responsible for its implementation. The regulation also requires a direct reporting line to the Board (independence) and managerial level (authority). The Compliance Function should be implemented according to the size and complexity of the operations (resource endowment), and the SBS may require the establishment of organizational units exclusively dedicated to this function. The Regulatory Compliance Officer must be independent of the business units and have a solid knowledge of the regulations applicable to the company. There is a minimum periodicity for reporting to the Board and the obligation to keep it informed on a continuous and timely basis on the compliance level, gaps and proposals for corrective measures. The Corporate Governance and GIR (Resolution SBS No. 272-2017, coming into force per April 2018) establish more detailed guidelines for the development of the Compliance Function, expanding the contents of the previous standard. Article 7 states among the responsibilities of the Board: approve management roles and responsibilities, risk management, internal control and compliance. Article 29, introduces the responsibilities and functions of the Regulatory Compliance Officer, the main ones being the following: a) To propose to the Board the policies, procedures and methodologies appropriate for the fulfillment of the regulatory requirements of the company; b) To inform the Board and senior management in a timely and continuous manner with respect to the necessary actions for an adequate compliance and the possible existing breaches; c) To guide and train personnel regarding the importance of compliance and the responsibilities that arise in case of non-compliance; d) Provide reasonable assurance to the Board and senior management that policies and procedures related to compliance ensure that the SI complies with regulatory requirements; e) Propose to the Board corrective measures in the event of compliance deficiencies. Article 30 states that the company's Board must approve compliance policies and procedures in a formal document that establishes a permanent and effective Compliance Function in the company. This document should contain the criteria to be followed by management and staff and explain the main processes that will prevent, identify and mitigate the possibility of non-compliance at all levels of the organization. Article 28 states that activities carried out within the framework of the Compliance Function should be subject to periodic review by the IAU, which is not subject to monitoring and evaluation of the compliance function. Similarly, the Internal Audit Regulation establishes that the annual audit work plan should consider conducting examinations aimed at evaluating the performance of the Compliance Function. 211 PERU Both the on-site manuals for the “Evaluation of Legal Procedures Management” and the “Evaluation of Good Corporate Governance Practices in Companies of the Financial System” incorporate the evaluation of the management of the Compliance Function implemented by the SI (organization, reporting, independence, policies and procedures, annual program, work methodology, reports, IAU assessment of compliance function). In its off-site supervision, the SBS assesses whether the appointed officer complies with the regulatory requirements and the required experience. As part of the internal rating process of FIs, the SBS evaluates the qualitative indicators related to the compliance function (as part of Management and Control), which includes the following three evaluation criteria: (i) the compliance function has a formal status in the company, is independent, and there is a responsible official; the management is adequately assisted and the company's compliance risks are controlled: legal, regulatory, market conventions, industry codes and internal codes of ethics; (ii) the FI presents full compliance with the laws and regulations in force; it has not received fines or penalties in the last year, and complies well with the limits established in the LGSF and complementary regulations; and (iii) recommendations or observations of the IAU, external auditors, and SBS, evaluated at the date of the last on-site examination, have been implemented for 90 percent or more. EC4 The supervisor determines that banks have an independent, permanent and effective internal audit function70 charged with: (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with. Description and Article 22 of the GIR (SBS Resolution No. 37-2008) establishes that the Internal Audit findings re EC4 plays an independent role, which monitors the adequacy of comprehensive risk management, and is subject to specific provisions that regulate their activity (the Internal Audit Regulation; Resolution SBS No. 11699-2008). The Internal Audit Regulation establishes in Article 5 that companies must have an Internal Audit Unit (IAU) that will inform the Audit Committee, and to whom it will present its reports, unless in the opinion of the auditor they must be submitted also to the Board. To that end, the IAU must have (i) sufficient independence to perform its functions effectively, efficiently and in a timely manner, with all the powers and mechanisms to achieve its objectives; (ii) access to the information required for the fulfillment of its functions and for conducting its examinations, without limitations 70 The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g. conducted by external experts, of key internal controls as an alternative. 212 PERU that might affect its conclusions, including that derived from minutes of the Board and its Committees, management or other administrative functions. In accordance with the provisions of Article 6 of the Internal Audit Regulation, the IAU has, among others the responsibility to: • Evaluate the design, scope and operation of internal control; • Design the Audit Plan and submit it to the Board for approval; • Continuously evaluate the quality and adequacy of the computer systems and the mechanisms established by the company to guarantee the security of the information; • Continuously evaluate compliance with the policies and procedures manuals and other internal rules of the company, as well as propose modifications to them; • Evaluate the timely and adequate implementation of the recommendations and measures to overcome the observations and recommendations formulated by the SBS, the external auditors, as well as those of the IAU itself; • Verify compliance with the system for the prevention of money laundering and financing of terrorism. In order to ensure the quality of the performance of the internal audit function, Circular No. G-161- 2012, establishes that SIs must have a program for assurance and improvement of the quality of the internal audit function. This program should include internal (annual) and external (at least every 5 years) evaluations. During the on-site examinations, the SBS reviews the minutes and underlying documents of the Audit Committee, not only to verify the reporting line and the adequacy of reporting, but also to verify the effective use of the internal audit function. In the conduct of its banking supervision the assessors however noted that an interview with the Chair of the Audit Committee or the participation (as an observer) in the Committee meeting is unusual. The SBS maintains however, regular contacts with banks’ Head of the IAU throughout the year. The SBS verifies the effectiveness of the IAU in its on-site supervision by reviewing the quality of the IAU’s work. For this purpose, the SBS reviews the audits conduc ted by the IAU in terms of scope, periodicity, methodology, results issued and corrective measures adopted, with special emphasis on the most relevant risks and processes in the entity. As part of its examination procedures the SBS reviews the internal audit manuals, as well as the reports issued and supporting working papers. In SBS’ internal risk rating methodology for FIs, a qualitative indicator called "Quality of the IAU" is evaluated as part of the evaluation of Management and Control, which includes aspects associated to the internal environment, resources, annual work plan, reports issued, working papers and observation monitoring. The assessors note that the Internal Audit Regulation does not apply on a consolidated level. However, article 29 of the Consolidated Supervision Regulation (Resolution SBS No. 11823-2010) requires the IAU of the supervised entity to assess 213 PERU the mechanisms for group risk management and the accounting policies of the group as well as the compliance with other regulatory requirements. The indirect supervision of financial groups is not ideal, but at this moment seems to work because the main entities and activities of the financial groups for which the SBS is the home supervisor are still located in Peru. EC5 The supervisor determines that the internal audit function: (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; (c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes; (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; (e) employs a methodology that identifies the material risks run by the bank; (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and (g) has the authority to assess any outsourced functions. Description and Regarding the resources and training of the audit function, article 7 of the Internal findings re EC5 Audit Regulation states that the IAU must gather or obtain the knowledge, technical skills and other competencies required to fulfill its responsibilities, according to the complexity and size of the company. In addition, it establishes that every IAU must have an information systems audit service, with competent personnel and specific experience in systems auditing, appropriate in terms of the complexity and size of the operations carried out by the SI, which may be also subcontracted. The experience and specialization required for the professional practice of internal auditing can be accredited, among others, through internationally recognized professional certifications such as the Certified Internal Auditor (CIA), issued by the Institute of Internal Auditors (IIA) and the Certified Information Systems Auditor (CISA), issued by the Association of Auditors in Information Systems (ISACA). Article 8 of the Internal Audit Regulation states that the Head of IAU and other auditors should receive permanent training in matters related to their duties, for which the Head of the IAU must present a training plan, indicating the main areas of training and the number of hours required annually. Regarding independence and communication, Article 5 of the Internal Audit Regulation states that the IAU must have sufficient independence to perform its functions effectively, efficiently and in a timely manner, and must have all the powers 214 PERU and mechanisms for attainment of its objectives. Article 3 of the regulation establishes that the reports of the IAU are presented to the Audit Committee. Also, in accordance with the provisions of article 14 of the Corporate Governance & GIR, the Audit Committee has among its functions, to monitor and keep the Board informed on compliance with internal policies and procedures and on the detection of problems regarding internal control and administration, as well as corrective measures implemented based on the evaluations carried out by the IAU, external auditors and the SBS. Regarding access to information, Article 5 of the Internal Audit Regulation states that the IAU must have access to the information required for the fulfillment of its functions and the conduct of its examinations, without limitation that may affect its conclusions, including that which is derived from minutes of the Board and its Committees, and from management and any other internal administrative body. Regarding the methodology for significant risks and the Audit Plan, the Internal Audit Regulation establishes the minimum examinations that must be carried out by the IAU, which includes the evaluation of the management of the main risks to which the SIs are exposed. In addition, Article 9 of the regulation establishes that, insofar as it does not conflict with the provisions of the regulations of the SBS, the International Standards for the Professional Practice of Internal Audit, as well as the Code of Ethics issued by The Institute of Internal Auditors (IIA), which, among others, establishes standards on the planning of audit work applies. In the case of system auditors, the audit guidelines provided by the Information Systems Audit and Control Association (ISACA) shall be taken into account. Regarding the evaluation of subcontracted functions, Article 21 of the Risk Management Regulation (as well as Article 36 of the Corporate Governance & GIR, coming into force per April 2018), states that companies must ensure that in cases of significant subcontracting, the contracts signed with the relevant suppliers include clauses that facilitate an adequate revision of the respective provision by the SIs, the internal audit unit, the external auditor, as well as by the SBS or the persons designated by it. Significant subcontracting means that, in case of failure or suspension of the service, can put the SI at significant risk, by affecting its income, solvency, or operational continuity. Likewise, the subcontracting of one or more risk management functions will be considered significant. The Internal Audit Supervision Manual aims to analyze whether the IAU has the adequate infrastructure to perform its functions, mainly human, technical and logistical resources, related to the magnitude and complexity of the operations of the company. Through the Internal Audit Reporting System (SIRAI) the IAU sends information to the SBS. Based on this information the SBS is able to evaluate off-site: whether the IAU is formally independent, reports to the Audit Committee, its staff numbers, staff 215 PERU profiles, the execution of the Audit Plan as well as the number and time period of outstanding recommendations made by the SBS, external auditor, and the IAU itself. In addition, the SBS verifies whether the IAU has the necessary independence to achieve its objectives. For this, the lines of reporting and responsibility established within the organizational chart of the company, the infrastructure conditions and assigned equipment are evaluated. In accordance with established standards, the internal audit function must be directly accountable to the Board. Likewise, the SBS verifies that the special assignments that are assigned to the IAU have the conformity of the Audit Committee and / or Board, and that such orders are compatible with their monitoring and control functions. Also, the SBS reviews whether the internal auditor has unrestricted access to all information related to the activity and business of the company. With regard to the Work Plan, which is also sent through SIRAI, the SBS verifies whether the Work Plan complies with the minimum activities established by current regulations, as well as its level of progress through the quarterly reports send through SIRAI. In the evaluation of reports, the scope and frequency of the audit work, the appropriate documentation of the work done, the content of the audit program and conclusions contained in the audit reports, its ability to detect weaknesses or opportunities for improvement are taken into account, and its effective use is determined through actions taken by the Board and the management with respect to the recommendations made by the IAU. In addition, the SBS may request additional activities to be performed by the IAU, according to identified risks, with predefined scope and procedures. In the framework of operational risk supervision, the SBS reviews whether significant subcontracts have been subject to risk assessments and that clauses have been agreed with the companies to facilitate an adequate review by the Internal Audit, External Audit and SBS. The results of these on-site assessments are incorporated into the internal rating methodology (qualitative indicator referring to UAI quality), and are taken into consideration when determining the SI’s risk profile and corrective measures, if needed. Assessment of Compliant Principle 26 Comments The regulatory framework and supervisory approach and practices for internal control and audit are consistent with the scale and nature of the financial system. Principle 27 Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The 216 PERU supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. EC1 The supervisor71 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by record keeping systems in order to produce adequate and reliable data. Description and Article 87 (sub 6) of the LGSF establishes that it is the Board’s responsibility to adopt findings re EC1 measures conducive to ensuring the timely completion of internal and external audits, while article 92 in addition also holds senior management responsible. The LGSF establishes that the SBS is the accounting standard setter for financial institutions. This power is established in paragraph 13 of article 349. This article provides the SBS the power to dictate the general rules to specify the preparation, presentation and publication of the financial statements, and any other complementary information, reflecting the real economic and financial situation of the companies, as well as the rules on consolidation of financial statements in accordance with the generally accepted accounting principles. The accounting standards, as contained in the Accounting Manual issued by the SBS, are based on and aligned with IFRS. There are however three main differences: • The provisioning requirements are those of the Classification of Borrowers and Provisioning Regulation (Resolution SBS Nº 11356-2008); • The revaluation of fixed assets for own use is not allowed; • Income of paid fees (closing commission) for loans are not recognized as part of effective interest rate, but they are amortized over the maturity of the loan. However, the conglomerates for which the SBS is the home supervisor, seem to prepare their Financial Statements on IFRS. Currently the differences are limited, however, with the implementation of IFRS9 the difference in accounting standards between the supervised entity and the conglomerate is expected to increase. The financial statements must be prepared and presented in accordance with the accounting criteria established in Accounting Manual and other provisions established by the SBS. The Accounting Manual contains a provision that in case the accounting standard is not specified by SBS regulations, the provisions of the International Financial Reporting Standards (IFRS) as set by the International Accounting Standards Board (IASB) and made official in the country by the Accounting Standards Board (Consejo Normativo de Contabilidad) apply. 71 In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors. 217 PERU The SBS does for the moment not have plans to make the transition towards IFRS9. For the non-financial sector, the Peruvian account standards setter has adopted IFRS in 2011 and IFRS9 will be implemented by the non-financial sector in 2018. Financial sector stakeholders indicated in meetings during the assessment their preference for the application of IFRS9 in order not to increase the gap with the international community. EC2 The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. Description and Article 180 of the LGSF states that the SBS will establish requirements and standards findings re EC2 for internal and external audit for FIs and insurers. In addition, it requires financial institutions to submit their financial statements, prepared in line with the accounting standards set by the SBS, for review to the external auditor, who must give its opinion on the financial statements. Article 5 of the External Audit Regulation (Resolution SBS No. 17026-2010) states that the Board, or the Audit Committee when it exists, and management are directly responsible for providing the contracted audit firm with the necessary information and facilities to enable it to perform its work in an adequate, independent and timely manner. Likewise, it is the responsibility of said bodies to ensure compliance with the provisions established in this regulation, and management must report (as sworn declaration) to the Audit Committee that information access has not been limited. Article 15 states that the audit carried out by the auditing companies must be carried out by applying the International Standards on Auditing and Related Services issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC) and approved by the Board of Deans of the Association of Public Accountants of Peru, as well as the provisions established by the SBS. Article 19 of the External Audit Regulation states that the financial statements must contain the opinion of the audit firm on the reasonableness of the financial statements, in accordance with the provisions issued by the SBS, and in case of situations not foreseen in those rules, by the provisions of the International Financial Reporting Standards. EC3 The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. 218 PERU Description and There is no difference in the accounting standards banks are required to use for findings re EC3 accounting standards and the standards banks need to use for prudential reporting. Regarding fair value, the Accounting Manual (Section E of Chapter I) indicates that financial instruments measured at fair value must follow guidelines for the determination of fair value; the value observed in market transactions under "normal" situations and mutual independence and will take into account the credit quality of the instrument. The Regulation for Classification and Valuation of Investments of Companies in the Financial System, approved by Resolution SBS No. 7033-2012, establishes guidelines for the classification of investments and the rules of valuation and accounting recognition of profits and losses. The provisions of the regulation are in accordance with the criteria contained in IAS 32 "Financial Instruments: Presentation", IAS 39 "Financial Instruments: Recognition and Measurement" and its Guide to Application, IAS 21 " Effects of Changes in Foreign Currency Rates, "IAS 28" Investments in Associates ", IAS 31" Investments in Joint Ventures ", IAS 36" Impairment of Assets ", IFRS 3" Combined Business "and IFRS 7" Financial Instruments: Disclosures ". The Regulation for Trading and Accounting of Financial Derivative Products in Financial System Companies, approved by Resolution SBS No. 1737-2006, establishes the guidelines for the accounting recording of derivative financial instruments for trading and hedging purposes. EC4 Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. Description and Article 367 (sub 7) of the LGSF provides the SBS the power to issue provisions that findings re EC4 aim at an efficient coordination of the work of the SBS with that of the internal and external auditors. Article 6 of the External Audit Regulation establishes scope of external audits. The article requires FIs to contract external audit companies for the following examinations: a) the reasonableness of the financial statements and the evaluation of the aspects indicated in Annex I (supplementary reports); b) evaluation of the internal control system in the field of external audit; and (c) evaluation of the money laundering and prevention of terrorism prevention system (which must be performed by a team independent from the financial audit team). Article 7, which applies to conglomerates, also states that where the audited company comprises a conglomerate, the following shall apply in addition: a) The annual review on the reasonableness of the consolidated financial statements of the conglomerate, prepared in accordance with the rules established by the Securities Market Regulator (SMV). To that end, the conglomerate must consolidate its financial statements in accordance with the 219 PERU International Accounting Standard 27 "Consolidated and Separate Financial Statements", taking into account the accounting standards established by the SBS for financial institutions under its supervision; b) The evaluation of compliance with the regulatory capital requirements, as well as the overall and concentration limits established in the Consolidated Supervision Regulation at a group level. In addition, article 8 establishes that the SBS may arrange the contracting of a different audit company or expand the scope of the audit performed, as well as the opportunity for the examinations, at the companies' expense, when: a) The results of the audit examinations carried out do not comply with the provisions of the External Audit Regulation, or are not satisfactory at the discretion of the SBS; b) The SBS, at its discretion, requires the performance of complementary audits to those established in these regulations. EC5 Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. Description and Article 6 of the External Audit Regulation states that companies must contract findings re EC5 external audit companies for the following examinations: a) the reasonableness of the financial statements and the evaluation of the aspects indicated in Annex I of said regulation (supplementary reports); b) evaluation of the internal control system; and (c) evaluation of the money laundering and terrorism prevention system. Annex I of the Regulations states that external audit companies will review all that has been involved in the preparation of financial statements, including accounting records, policies, procedures, systems used and supplementary information associated with the main risks faced by the company, based on sampling criteria, as appropriate and in accordance with applicable auditing standards. Notwithstanding this, the external auditor shall also prepare specifically for the SBS supplementary reports covering the following topics: • Review of the loan portfolio, considering the classification of debtors, constitution of required provisions, restructuring, refinancing or reprogramming of credits, as well as the criteria considered for the determination of the sample of the borrowers; • Review of compliance with global and individual limits; • Review of liquidity management; • Review of balance sheet and off-balance sheet risk management; • Review of the risk management of the interest rate in the trading book and banking book; • Review of operational risk management; • Review of the investment portfolio (on a sample basis); 220 PERU • Review of existing controls in the enterprise, the security and reliability of computer systems that produce financial statements. The SBS also verifies in its on-site examination the items covered by the required supplementary reports and does only to a limited extent take into account the assurance work conducted by the external auditor. EC6 The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. Description and Article 18 of the External Audit Regulation determines that SIs need to inform the SBS findings re EC6 every year before May 31 of the external auditor company that has been preselected, indicating their registration with the Register of External Auditors of the SBS and the Register of the Colegios de Contadores Públicos Departamentales de la República. Within 15 days after receiving the information the SBS has to inform the SI of any observations it deems pertinent. In addition, article 8 establishes that the SBS may arrange the contracting of a different audit company or expand the scope of the audit performed, as well as the opportunity for the examinations, at the companies' expense, when: a) The results of the audit examinations carried out do not comply with the provisions of the External Audit Regulation, or are not satisfactory at the discretion of the SBS; b) The SBS at its discretion requires the performance of complementary audits to those established in these regulations. EC7 The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. Description and Article 12 of the External Audit Regulation establishes that the audit firm must rotate findings re EC7 the partners responsible for issuing opinions on the reasonableness of the financial statements after five consecutive annual financial years of having performed of audit in the same company. Once said maximum period has expired, a period of at least two years must elapse before any such person can re-audit the company. In the case of the report on the evaluation of the system for the prevention of money laundering and financing of terrorism, it must be carried out by a different auditing company or a completely different team from the one that issued the opinion on the reasonableness of the financial statements. The rotation required for the audit of financial statements is also applicable to the auditing company and the team preparing the report on the evaluation of the money laundering and terrorism financing prevention system. The audit work performed for the audited company is cumulative and also applies to the auditor if he or she switches from audit firm. 221 PERU As part of the off-site supervisory procedures, the SBS verifies that the contracts signed by the financial institutions with the external audit companies comply with the rotation requirements, as established in article 12 of the External Audit Regulation. When non-compliance issues are identified in this regard, the SBS formally communicates to the FIs and will require them to take appropriate corrective action. As part of the supervisory actions, the SBS has required occasionally (Official letters) the rotation of the individuals within the external audit firm. EC8 The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. Description and The different teams within the SABM meet when needed with the external auditors of findings re EC8 the banks they supervise. These are bilateral meetings; there is no standard practice of organizing trilateral meetings to discuss the management letter prepared by the external auditor, also not for the systemic important institutions or institutions with a higher risk profile. Formal meetings with external auditors on broader financial sector issues of common interest are not regularly scheduled. EC9 The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. Description and Article 4 (e) of the External Audit Regulation stipulates that audit firms must include findings re EC9 in the contract their obligation to make available to the SBS the working papers and other supporting documentation of the reports they issue and, if applicable, to support the report at the request of the SBS. Sub (g) indicates that the contract must also contain a clause stating that the audit firm is obliged to disclose situations that demonstrate a lack of solvency, insufficient equity and/or accentuated financial or economic weakness of the audited company, and disclose any act or event that violates any provision which the SIs are required to comply with. Article 13 of the External Audit Regulations states that audit firms are required to notify the SBS in writing within ten working days of their knowledge of the significant adverse events they detect in the audit process, without prejudice to include them in the corresponding reports. Article 14 states that, in the event of problems that do not allow for adequate audits, the auditor must immediately notify the SBS and indicate in the respective reports the reasons. Assessment of Largely Compliant Principle 27 222 PERU Comments The regulatory and supervisory framework are broadly adequate. However, the SBS could improve its engagement with the external auditors. In addition, it could assess more in depth whether the current provisioning requirements are adequate when compared with the new IFRS9 standard, while also considering possible issues related to the resulting differences in accounting standards (as a result of not implementing IFRS9) between supervised institutions (using SBS standards) and consolidated financial groups (which may use IFRS standards). Recommendations: • Assess more in depth the potential impact of implementation of IFRS9 on FIs provisioning requirements, in particular to determine whether the current provisioning requirements are sufficiently prudent; • The SBS should discuss and engage with the different stakeholders on the implementation strategy of IFRS9; • The SBS should consider developing a structured (risk-based) approach for conducting trilateral meetings with the external auditor and the FIs to discuss the management letter; • Strengthen the engagement with the external auditor and the audit profession, as part of SBS’ supervisory approach. Principle 28 Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. EC1 Laws, regulations or the supervisor require periodic public disclosures 72 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. Description and Article 135 of the LGSF states that FIs must keep their clients informed about the findings re EC1 development of their economic and financial situation. For this purpose, notwithstanding the annual reports that they must disclose, they are obliged to publish the financial statements in the Official Gazette and in a newspaper of extensive national circulation, at least four times a year in a prescribed format. In this regard, Chapter II of the Accounting Manual establishes that SIs must quarterly publish their Statement of Financial Position and, Statement of Comprehensive Income in comparison with the previous year. In addition, they are required to publish their capital requirement and the calculation of their capital ratio as well as disclosing assets granted as collateral in support of financing received. A similar requirement is applicable to financial groups for which the SBS is the home supervisor. 72 For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor. 223 PERU Article 137 of the LGSF states that the SBS shall disseminate, at least quarterly, information on the main indicators of the situation of FIs. It may order the companies subject to its supervision to publish any other additional information that it deems necessary for the public. As such, the SBS publishes extensive quantitative information of FIs on its website. As all banks are required by Law to be listed they are also subject to the disclosure regulations of the SMV. In accordance with the regulations of the Securities Market Law, issuers must submit to the SMV (which publishes the information on its website) the following information: 1. Individual information: quarterly financial statements approved by the Board are disclosed, including notes; as well as the annual financial statements audited and approved by the General Meeting of Shareholders, the day after having been approved, with deadline of 15 April. 2. The companies supervised by the SBS must prepare their financial statements observing regulations of the SBS. 3. Consolidated information of the conglomerate whose scope of consolidation should be established in accordance with IFRS. The quarterly financial statements should be disclosed, including the notes to the financial statements and the audited annual financial statements approved by the corresponding corporate body, 4. Annual report, which should be presented in conjunction with the annual financial statements. The body responsible for approving the Annual Report is the General Shareholders' Meeting or a body that acts as a proxy. The Principles of Good Corporate Governance and the Corporate Sustainability Report should be appended to the report. Material Events. According to the Material Events Regulation (Resolution SMV No. 005-2014-SMV / 01), the issuer must disclose the material event as soon as such an event occurs or the issuer becomes aware of it, and in no case beyond of the day on which it has occurred or has been known. This information must be communicated to the SMV before any other person, entity or means of dissemination, and simultaneously when it corresponds to the Stock Exchange or to the managing entity of the respective centralized trading mechanism. EC2 The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. Description and As mentioned in EC1 SIs must quarterly publish their Statement of Financial Position findings re EC2 and, Statement of Comprehensive Income and the corresponding to year end must be in comparison with the previous year. In addition, they are required to publish their capital requirement and the calculation of their capital ratio. A similar 224 PERU requirement is applicable to financial groups for which the SBS is the home supervisor. The Accounting Manual in chapter I states that the Annual Report (which is published on the website of the SMV) should contain at least the following: a) The year-end financial statements (including notes to the financial statements); b) The report of the External Audit Company on the financial statements of the company; c) When applicable, the consolidated financial statements of the conglomerate, prepared in accordance with the standards established by the SMV. To that end, the conglomerate must consolidate its financial statements in accordance with IAS 27 "Consolidated and Separate Financial Statements”; d) The report of the External Audit Company on the consolidated financial statements of the conglomerate; e) A state of the economic and financial situation of the company, including financial projections, as well as a summary evaluation of each of the most important events occurring in the period and subsequent events; f) Information on compliance with the Code of Good Corporate Governance; g) General description of the main characteristics of the entity's risk management; h) Other information required in specific regulations by this SBS. The annual financial statements should contain notes to the financial statements. The notes to the year-end financial statements, which must be audited, must be prepared in line with the guidelines of IAS1 “Presentation of Financial Statements”. IAS1 covers information on the financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, business and management, and governance and remuneration. Pillar 3 has not been implemented yet, and the SBS has so far not given any consideration the recommendations made by the Enhanced Disclosure Task Force of the Financial Stability Board. EC3 Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. Description and For its part, Article 21 of the Consolidated Supervision Regulation states that the full findings re EC3 and timely presentation of the information corresponding to the unsupervised companies that are part of the conglomerate, will be the responsibility of the company supervised by the SBS. When there is more than one supervised entity in the financial group, the entity responsible for the submission is the one with the largest share of the assets of the financial group. In cases in which it cannot be determined, the SBS will determine the responsible company. Article 22 indicates that the entity responsible for the submission of information, as established in article 21, shall publish annually the Consolidated Financial Statements of the Financial Group as well as the amount of surplus or equity deficit, in a 225 PERU newspaper of extensive national circulation. These financial statements must correspond to the end of each year. Likewise, article 23 establishes that the consolidated financial statements for the fourth quarter of the financial group, should include as general notes, inter alia, the following: (i) the identification of the financial group, as well as the companies included in the consolidation and, if applicable, the list of companies not included in the consolidation and the reasons for their exclusion; (ii) changes in the composition of the consolidated group. In addition, the consolidated financial statements of the financial group for the fourth quarter should include, as specific notes, the detail of each item of the financial statements. Chapter I of the Accounting Manual states that, where appropriate, the company's financial statements should include the consolidated financial statements of the conglomerate, prepared in accordance with the standards established by the SMV. The financial statements must also contain the report of the External Auditor on the consolidated financial statements of the conglomerate. EC4 The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. Description and SBS’ supervisory approach is focused on assuring the quantitative quality of the findings re EC4 financial statements. Only the quarterly disclosure requirements (which are mainly quantitative) are in scope of its supervisory approach. The annual disclosures are covered by the regulations of the SMV. The assessors reviewed the information on the website of the SMV. The information is easily accessible and appeared complete. The assessors did however not have meetings with the SMV and did not assess the depth of their evaluation of the qualitative disclosures. EC5 The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). Description and Article 137 of the LGSF states that the SBS must disseminate, at least quarterly, findings re EC5 information on the main indicators of the situation of companies in the financial system, linked to their credit and marketable portfolios, investments and other assets thereof, their classification and evaluation according to their degree of recoverability and their level of equity and provisions. It may order supervised institutions to publish any other additional information that it deems necessary for the public. Article 353 states that the SBS should periodically disseminate information on the main indicators of the situation of the SIs subject to its supervision, and may order them to publish any other information that in its judgement is necessary for the public. 226 PERU SBS publishes periodically in its Web Portal (www.sbs.gob.pe) statistical and financial information for both the system as a whole, by group of entities, and by financial system entity. Monthly information is published containing: financial statements, risk- weighted assets, regulatory capital, the main financial indicators and statistics of the main operations of the institutions, structure of assets and liabilities, and variables and indicators that reflect the main risks to which institutions are exposed. On a quarterly basis, it publishes the evolution that contains a description about the behavior of the main variables and indicators by group of companies; while the Financial Inclusion Indicators Report, containing information on the depth, access and use of financial services, is published every six months. In addition, statistical information on the exchange rate and information of market interest rates is published. The following Internal Directives are used in the calculation and publication of statistical information: • SBS Directive No. SBS-DIR-EEC-170-01, Rules for the preparation, publication and distribution of statistical information bulletins; • SBS Directive No. SBS-DIR-EEC-113-05, Rules for calculating and disseminating average interest rates; • SBS Directive No. SBS-DIR-EEC-142-04, Rules for calculating and disseminating the exchange rate. Finally, the SBS Annual Report includes a section on the evolution of the main variables and indicators of companies in the financial system. Assessment of Compliant Principle 28 Comments The regulatory and supervisory approach and practices for disclosures and transparency is adequate for the level of development of the financial system. The regulatory framework assures that the required disclosures are easily accessible on the website of the SMV. The required annual disclosures are based on IAS1. These disclosures are complemented by quarterly disclosures as required by the SBS. In addition, the SBS publishes detailed quantitative financial information of the supervised entities and the financial markets on its website. Recommendations: • Consider implementing the recommendations of the Enhanced Disclosure Task Force of the FSB and Pillar 3 of the Basel framework. Principle 29 Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.73 73The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations 227 PERU EC1 Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. Description and The General Law, as discussed in CP 1, grant the SBS with a broad range of powers to findings re EC1 perform its supervisory duties. Specifically, on AML/CFT, the fifth section of the General Law is dedicated to suspicious activities, the responsibilities pertaining to financial entities and the SBS powers as a banking supervisor regarding the verification and monitoring of the effective compliance with the obligations and programs requiring mandatory compliance. The SBS, as per Article 381 (under the fifth section), is empowered to examine, monitoring and control financial system entities, regulating and monitoring effective compliance with obligations regarding recording and reporting on suspicious financial transactions. More specifically, Article 381 states that SBS is empowered to: a) grant, deny, suspend or cancel licenses of financial entities; b) to take the necessary measures to prevent any person not suitable to control or participate, directly or indirectly, in the board, management and operations of a financial entity; c) examine, control and supervise financial entities and regulate and monitor the effective fulfillment of registration and notification obligations established in previous articles (previous articles refer to overall suspicious transactions); d) verify, through regular reviews, that financial entities have established and properly implemented the programs for mandatory compliance; e) provide other competent authorities with information obtained from financial entities in accordance with articles 375 and subsequent (overall regarding suspicious transactions) including those resulting from SBS own examinations; f) issue instructions and recommendations that can help financial entities to detect suspicious patterns in their clients’ conduct. Those shoul d be developed taking into account modern and safe techniques for asset management, and serve as an educational element for financial entities staff; g) to cooperate and provide technical assistance to other competent authorities within the framework of investigations and prosecutions relating to the offenses of illicit drug trafficking or related offenses. In this regard, within its role as banking supervisor, the SBS is in charge of the oversight of the risk management systems related to AML/CFT, in accordance with the provisions of the FIU Law and according to their supervisory mandate. EC2 The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle. 228 PERU used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. Description and Supervisory requirements related to the existence of adequate policies related to findings re EC2 AML/CFT are laid down through the General Law and Resolution 2660-2015, the AML Risk Management Regulation. Article 380 of the General Law states that financial entities must adopt, develop and implement programs, policies, procedures and internal controls to prevent and detect crimes as established by Article 296-B of the Penal Code. 74 It requires those programs to include at least: a) the establishment of procedures to ensure a high-level of staff integrity and a system for evaluating the personal, employment and financial history of staff; b) the existence of permanent training programs such as know your client and also instruct staff as for the responsibilities laid down in articles 375 to 378, related to client identification and record keeping; availability of records; records and notification of cash transactions; and communication of suspicious transactions; c) an independent audit mechanism to verify compliance with the programs. The AML/CTF Risk Management Regulation sets up expectations and detailed requirements related to policies and processes to be established in order to ensure effectiveness in AML/CFT. Requirements include the existence of procedures and controls, lays down responsibilities of Board and senior management, Compliance Officer, require the existence of an AML/CFT Manual (and minimum content for it), the need for a Code of Conduct, an AML/CFT Risk Management Committee, among others. More specifically, article 3 of the AML/CFT Regulation, on AML/CFT System, require entities to implement a AML/CFT System comprising components on compliance and risk management. The compliance component encompasses entities policies and procedures related to legal and regulatory requirements, as well as the measures to ensure the duty of confidentiality of information related to AML/CFT systems. The risk management component includes, among other procedures and controls detailed in the regulation, those related to the early detection and reporting of suspicious transactions, in order to avoid being used for purposes related to money laundering and terrorism financing. The regulation also encompasses responsibilities of the Board regarding the implementation of an AML/CFT framework, fostering an internal environment that facilitates its development (Article 5), as well as senior management, together with the board having the responsibility to comply with the measures related to controls 74 Such article was modified in 2015 and replaced by the Legislative Decree 1106 (on “Effective Fight against Money Laundering and other crimes related to illegal mining and organized crime”) 229 PERU of ML/TF risks, in accordance with defined policies and procedures, supporting the compliance officers in carrying out their work (Article 6). The Internal Audit, External Audit and Corporate Governance and Risk Management Regulations also make reference to AML/CFT. The Internal Audit Regulation establishes the role of internal audit in verifying the compliance of the AML/CFT framework, requiring that a report to be submitted to SBS annually with the conclusions of such assessment. External Audits are also required to assess AML/CFT systems and submit annually a report to the SBS. The Corporate Governance and Risk Management Regulation requires entities to establish adequate internal systems to facilitate timely reporting and investigation of non-authorized, illicit, fraudulent and other questionable practices identified by any staff or person that interact with staff. Those are to be reported to the IAU or equivalent, ensuring confidentiality. Significant events are to be communicated to the SBS. SBS Supervision Manuals encompass procedures for the assessment of the AML/CFT aim at enhancing SBS understanding of entities policies and procedures regarding ethical standards and prevention and detection of criminal activities, which have been updated in 2011 (full review), 2012 (correspondent banking, 2013 (transfer of funds and risk assessment) and are about to update the Manuals in order to cover the new requirements set through the AML Risks Management Regulation issued in 2015 and 2017 . It encompasses assessing, among others: a) the AML/CFT Manual, Code of Conduct and other internal regulations against the minimum criteria established by the SBS; b) If the Compliance Officer complies with the legal and regulatory requirements and that the organizational structure has the resources to perform its functions and is in accordance with the entity’s nat ure and characteristics; c) the procedures and tools implemented by the supervised company for the knowledge of the client, market and personnel; d) diligence and knowledge in Correspondent Banking and correspondent relations in fund transfer operations. Off-site supervision makes use of compliance office reports, internal audit and external audit, as well as questionnaires for the assessment of the exposure to money laundry and terrorist financing risks, as well as entities management of those risks. The results of such assessment inform the on-site examinations, both planning and aspects to be further examined. Examinations usually comprise two people. On-site examinations also encompass targeted visits, focused on aspects such as due diligence in KYC, correspondent banking and international transfers, among others. Likewise, special visits may be initiated for actions proposed by the FIU as a result of the financial intelligence analysis carried out. 230 PERU SBS requires banks to have procedures in place to ensure the integrity and ethics of its directors, managers and employees, as well as compliance with the Code of Conduct and the AML Manual. Banks are required to establish adequate internal systems to facilitate timely reporting and investigation of unauthorized, illegal fraudulent activities, and other questionable practices. As part of the supervision process, it is verified that the companies have all the elements in place necessary to the prevention of the use of the bank for criminal purposes. EC3 In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.75 Description and Article 8 of the FIU Law requires financial entities to report suspicious activities to the findings re EC3 FIU, which is a specialized unit of the SBS, as perArticle 1° of Law N° 29038. Article 378 of the General Law, on communication of financial suspicious transactions, also requires the submission of suspicious transactions to the FIU. There are no specific requirements for banks to report to banking supervision suspicious activities when such activities/incidents are material to the safety, soundness or reputation of the bank. The Chief Internal Auditor is required to report material events in general to the SBS two days after the evaluation and evaluations are conducted and an inform is produced. If deemed appropriate, it can be informed, on a preliminary basis prior concluding the necessary assessment. (Art. 13 of the Internal Audit Regulations). It hasn’t been the case thus far. EC4 If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. Description and Specifically, on AML/CFT, article 381 of the General Law enables the SBS to provide findings re EC4 other competent authorities suspicious transactions but there is no explicit obligation to do so. The only explicit requirement in the General Law refers to the need to inform the attorney general criminal acts detected during examinations (therefore not encompassing suspicious activities). The FIU Law, nevertheless, Article 10.2.3 (on External Audit), item b, states that supervisory bodies of entities required to report suspicious activities are required to issue reports and submit to the FIU when through their supervisory functions they detect the presumption of money laundering and/or terrorist financing. In practice, 75Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national centre, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU. 231 PERU each Deputy Superintendent has a compliance officer to report to the FIU, which is done electronically. SBS informs to have reported a few cases. EC5 The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and that there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements: a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; b) a customer identification, verification and due diligence program on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant; c) policies and processes to monitor and recognize unusual or potentially suspicious transactions; d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five-year retention period Description and Currently in Peru, the legal and regulatory framework regarding CDD is overly findings re EC5 prescriptive without encompassing, nevertheless, overall requirements related to aspects presented in this criterion to develop their own internal policies and criteria, in addition to the detailed requirements aiming at ensuring a more effective framework. Chapter V of the AML/CFT regulation is focused on CDD. Article 27 defines customer as the natural or legal person to which financial services are provided, stating that CDD requirements apply irrespectively particular characteristic or frequency of operations, applying also to the beneficiaries, in case of fund transfers. There are no requirements that CDD management program has, as one of its essential elements, a customer acceptance policy that identifies business relationships that the bank will not accept. Article 29 (2) states that in case the entity does not have the capacity to take all necessary CDD measures it shouldn’t initiate a commercial relationship with such client, not perform any transactions and/or 232 PERU terminate the business relationship; and/or assess the possibility to report suspicious transactions in relation to such client. Article 28 requires verification of beneficial ownerships. Article 29 establishes that the CDD process encompasses the following stages: identification, verification and monitoring. Identification process includes procedures to obtain the necessary information to determine the ultimate beneficiary. Verification includes of verification procedures at the beginning of the contractual relationship with respect to the information provided by customers ensuring that they have been duly identified, which must be recorded in in their personal documentation. Monitoring is intended to ensure that the operations performed by customers are compatible with what is established in their profile. Likewise, monitoring allows reinforcing and reaffirming the knowledge that entities have about their customers, as well as obtaining more information when they have doubts about the veracity or timeliness of the data provided by customers. Entities should determine their frequency, considering the LA / FT risks they face. Articles s 30, 31 and 32 of the AML/CFT Regulation further elaborate on the CDD regime laying down three types of schemes: general, simplified and enhanced. The general system establishes the minimum information that companies must obtain from their customers, be they individuals, persons legal or legal entities; must perform verification of such information and rate money laundering and terrorism finance risks through a scoring system. Entities must keep monitoring procedures aiming at ensuring that the documents, data and information obtained as a result of the application of due diligence measures are kept up to date and are in force. The frequency of monitoring processes will depend on the risks identified. Under the simplified system entities are allowed to reduce the minimum information requirements applicable at the identification stage, when the level of risk of money laundering and terrorist financing risk so warrants, according treatment established by the SBS in its regulations or the authorization granted by to certain products and/or services. To apply the simplified regime to a particular product, the company must obtain prior authorization from the SBS. Thus far those include basic accounts and simplified e-money accounts. The enhanced regime (Art. 32) requires entities to develop and implement enhanced CDD procedures. Entities must identify and register under this regime customers that through their business transactions show a pattern that does not match their risk profile regarding money laundering and terrorist financing and customers who could be highly affected by the money laundering and terrorist financing risks. It is mandatory to several types of clients, including PEPs. Although PEPs are under the enhanced regime, there are no explicit requirements regarding the establishment the source of funds or wealth or requirements of additional information on the intended nature of business relationship. 233 PERU The AML/CFT regulation (Article 32) lists a series of measures to be applied to customers under the enhanced regime, including increasing the frequency on reviewing transactions, updating customer’s information, as well escalation of decisions regarding acceptance or maintenance of the relationship with the customer to senior management level. Article 4 of the AML/CFT regulation require entities to take into account as risk factors related to money laundering and terrorist financing, clients, products and services, as well as geographic zones (local and international), detailing aspects to be assessed as follows: a) client - entities must manage risks associated with customers, their behavior, history and activities at the beginning and throughout the business relationship, taking into account customers’ characteristics; b) products and/or services - entities must manage risks associated with products and/or services offered during the design and development stage as well as while operating them, including the risks associated with distribution channels and means of payment which they operate; c) geographical area - entities must manage risks associated with geographic areas in which they offer their products and/or services, both locally and internationally, taking into account its security features, economic and financial and socio-demographic, provisions, provisions from the competent authorities or the FATF issued with respect to these jurisdictions, among others. Annex 5 of the AML/CFT Regulation lays down a significant number of warning signs related to unusual transactions to be taken into account aiming to detect and/or prevent suspicious activities. It states that each entity should define its particular criteria related to the warning signs depending on the nature of its operations. Each entity is also required to establish procedures for evaluation of warning signs which must be found in the AML/CFT Manual or equivalent, available to the SBS. Regarding records retention period, the General Law, Article 375(6) require entities to keep records to enable the reconstruction of financial transactions above a certain amount in accordance with the provisions by the Superintendence, for at least ten years after the conclusion of the transaction. Article 54 and 55 of the AML/CFT Regulation further elaborates on the matter encompassing CDD aspects. Supervisory verification procedures include the following: a) effective implementation of the AML/CFT Manual asking for review visit reports to customers, lists of businesses and professions they consider risky; as well as listings of PEP; b) market knowledge procedures; c) establishment of customer risk profiles; d) in case staff reporting to the Compliance Officer, the reasons are reviewed. Actions adopted in the case of a client reported (closing accounts, so the business relationship is also evaluated, among others) are also reviewed; 234 PERU e) training materials used by Compliance Officers are reviewed, with a focus on CDD. Procedures applied to CDD and market knowledge include the following: a) verification of the existence of internal regulations propose to accept the risks associated with high - risk customers (PEPs, casinos, etc.); b) evaluation the existence of products procedures that enable identifying customers, understanding the activities they engage in and the business sector in which they operate, as well as updates on information and documentation of such customers. c) verification that training materials include CDD; d) Evaluation of the measures taken by in the case of high risk areas, such as correspondent banking, transfer of funds, etc.; e) sample verification of that cash transactions greater than $ 10 billion stated in the reports corresponding control. EC6 The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include: a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks. Description and Regulations establish broad requirements regarding the need to establish AML/CFT findings re EC6 policies and processes for correspondent banking, as well as some specific provisions, including a prohibition to have correspondent banking relationships with shell banks, all those detailed below. There are no specific provisions in terms of requiring entities to gather sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; nor for not establishing relationships with those that are not effectively supervised by the relevant authorities. Article 14 of the AML Law and Article 43 of the AML/CFT Regulation have a broad statement requiring entities to have policies and procedures for the prevention of money laundry and terrorism financing in corresponding banking with domestic or foreign legal entities. In addition, article 43 require that correspondent contracts should clearly define the obligations and responsibilities of each participant relative to the prevention of money laundering and terrorist financing and be signed by the companies’ senior management. Article 43 also states that when a correspondent relationship includes the maintenance of transfer accounts funds in other places, entities must be satisfied that: i) their customer (the represented institution) has complied with all obligations of due diligence on their customers with direct access to accounts of the 235 PERU correspondent financial institution; and ii) upon request, the represented institution can supply identification information on its customers. Article 44 states that entities must establish and implement due diligence procedures regarding the entities with which it intends to establish or have established correspondent banking, including their AML/CFT frameworks, particularly in the case of companies located in countries with strict bank secrecy regulations or countries with low or no taxation. Assessments and other actions related to those entities must be kept in a separate file, available to the SBS. Article 45 establishes that in the event that the entity has been investigated and/or sanctioned publicly by deficiencies in their AML/CFT framework, or is licensed in a FATF non-cooperative country, entities must apply enhanced due diligence, which must be included in the record of the correspondent entity. Article 46 forbids entities from starting or continuing relationships with shell banks and require entities to ensure that the foreign entities with which they engage do not allow the use of its accounts by shell banks. SBS has established specific examination procedures for correspondent banking. The general AML/CFT examination procedures encompass procedures to assess correspondent banking and the review of the existence of internal procedures and policies for establishing correspondent banking relationships. In inspection visits, it can be applied two types of Workbook: general, which includes a basic analysis of correspondent banking, and specific, which deepens the risk assessment function of the institution. The decision is based on business priorities and previous information available. At an off-site level, the information provided by compliance officers through a special format is reviewed, including, among other things, the name of the correspondent bank, the area where it operates, the volume of transactions, information on its prevention measures and opened accounts. EC7 The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. Description and SBS heavily relies on the work performed by internal and external auditors reports findings re EC7 also making use of the Compliance Officer Reports and other information to determine if banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the finance of terrorism. On-site examinations include a module on the AML/CFT framework, including also the assessment of the existence and effectiveness of communication channels. EC8 The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. 236 PERU Description and As already described in EC1, the fifth section of the General Law on Suspicious findings re EC8 Financial Transactions, Article 381, includes, among the SBS powers, according to the legal framework, to deny, suspend or cancel a license. Apart from those measures, the ability to inform the Public Prosecutor of criminal acts detected during inspections (Art. 358), as well as sanctions, the SBS does not count with any other explicit powers to act against a bank that does not comply its obligations related to relevant laws and regulations regarding criminal activities. Powers related to the possibility of suspending dividends, restrictions to asset growth, operating in certain business lines and others would be important tools to better ensure banks comply with the AML/CFT framework. In terms of sanctions, the Sanctions Regulation considers as serious infractions the following related to the compliance with AML/CFT regulations: a) not have the necessary procedures related: to KYC, its proper update or enhancement; knowledge of the market; knowledge of correspondent banks, if any; ensuring a high level of integrity of the directors , managers and employees; the registration of operations in accordance with the regulations or its safety; exclusion of customers and periodic review of excluded customers; detecting unusual and suspicious transactions , or that such procedures are not properly implemented or are breached or that they do not comply with regulations on AML/CFT and internal rules; obtain the necessary information and documentation related to KYC, when using intermediaries or third - party verification services;. b) not to communicate (or present incomplete information) on suspicious transactions to the FIU-Peru, as per regulatory requirements; c) not have Code of Conduct and / or AML/CFT Manual, or that they are not applied properly, are unfulfilled or do not comply with the AML/CFT regulations d) failure to implement o an AML/CFT framework, lack of proper application or not compliance with AML/CFT regulations or standards internal adopted by the company in this matter. In addition, to transgress the duty of confidentiality enshrined in Article 12 ° of the AML Law, notifying any person, entity or body, through any medium or form, the fact that some information has been requested by or provided to the FIU is consider a very serious infraction. Entities serious infractions result in sanctions in the form of fines between 20 and 100 UITs while very serious infractions result in fines between 30 and 200 UITs. One UIT is equivalent to 4,050 soles, the maximum fine (for very serious infractions only) being, therefore, around USD 250,000, which seems too low. Sanctions to senior management or staff can result in fines, suspension or permanent disqualification. 237 PERU The SBS has applied 14 sanctions to banks since 2010. No sanctions have been applied to natural persons. EC9 The supervisor determines that banks have: a) requirements for internal audit and/or external experts 76 to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities Description and (a) findings re EC9 Title III of the AML Regulation establishes the role of the internal and external auditor on the assessment of the AML/CFT framework. Article 62 establishes that the design and implementation of the AML/CFT framework should be assessed by the IAU. The results of the evaluation must be submitted annually to the SBS as an Annex to the Compliance Report. Article 6 of the Internal Audit Regulations establish, among others, that the role of the Internal Audit is to verify the AML/CFT framework compliance. Article 19 requires the annual evaluation report consider, among others: a) adequate KYC policies, market knowledge and correspondent bank knowledge, where appropriate; b) the existence and compliance with the AML/CFT Manual; c) the existence of periodic training programs encompassing all levels of the bank; d) compliance with the AML/CFT regulations. Article 63 establishes that the external auditors are required to submit an independent report with an assessment of the AML/CFT framework. The External Audit Regulation establishes the obligation of entities to hire an external audit to perform an assessment of its AML/CFT framework (article 24). Article 25 lists the minimum elements to be assessed, including: a) internal controls implemented to prevent or detect money laundering and / or terrorist financing; b) warning signs to detect unusual transactions; c) identification and knowledge of customers; d) upkeeping and storage (physical and electronic) of relevant documentation on customers and transactions; 76These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 238 PERU e) records of unusual transactions, criteria for not consider them suspicious, as well assessment of procedures to register them; f) records of suspicious transactions, evaluation of the procedures followed by companies to carry out the registration and for communication to the FIU- Peru; g) disclosure mechanisms of internal and external regulations and procedures manuals; h) exempted customers from recording transactions justification for it; i) procedures for ensuring the propriety of staff; j) Staff knowledge and training on the AML/CFT program; k) Security procedures in storage physical and electronic information corresponding to the operations log; l) Compliance Officer plan and working procedures; m) Plan, procedures and working papers of internal audit. n) internal sanctions for breach of the Code of Conduct Handbook prevention of money laundering and terrorist financing, or existing rules on prevention of money laundering and terrorist financing. (b) Article 58 establishes that the Compliance offices as the one responsible to communicate to the FIU activities deemed suspicious, irrespectively of the amount. In order to deem an activity suspicious, the Compliance officer is expected to use judgements, taking into account information on the client, market, its own experience and training. Article 7 of the AML/CFT Regulation states that the Compliance Officer has direct employment, full time and exclusive with the bank. It should also be appointed by the Board and communicate directly with that governing body and enjoy autonomy and independence in the exercise of its functions; and must have training and / or experience associated with AML/CFT. The Compliance Officer should be at senior management level working with the CEO in implementing the policies and decisions established by the Board, without this implying a subordination to that body in the exercise of their functions. Article 48 of the AML/CFT Risks Management Regulations requires banks to have communication channels to report unusual activities detected by the Board, the management and staff to the Compliance Officer. (c) Article 35 of the AML/CFT Regulation require entities to implement a policy of due diligence for the assessment of its directors, managers and staff as part of the recruitment and selection programs for new permanent and temporary employees to ensure their moral integrity. Entities should require and evaluate a wide range of information. Article 36 require entities to develop due diligence procedures, listing minimum criteria for the selection of providers, considering as such he companies that provide goods or services that are related directly to SBS authorized activities. 239 PERU (d) Article 39 of the AML/CFT Regulation require entities to develop programs of training annually approved by the board, in order to instruct Directors, managers and staff on existing rules on AML/CFT, as well as current policies, standards and procedures. Training programs should be reviewed and updated by the Compliance officer in order to assess their effectiveness and adopt improvements that are deemed appropriate. Article 40 requires the Compliance Officer and its staff to be subject to at least two (2) specialized trainings per year (different from those for staff, management and Board). Article 41 require entities to have annually updated information as for the training received. New Board members, senior managers and staff should receive training on the AML/CFT framework 30 days after joining, the latest. Article 42 states that training for Directors, managers and staff should be tailored accordingly, providing a list of minimum topics, including: entity’s policies on prevention model and risk management of money laundry and terrorism financing; risks to which the entity is exposed; typologies; external and internal rules on AML/CFT; warning signs to detect unusual and suspicious transactions; procedure for communication of unusual transactions; responsibility of each director, manager and employee, as appropriate. The reports submitted by internal and external audit are reviewed off-site. Topics that attract attention are reviewed with the compliance officer in order to be informed on its scope and implementation. SBS has unrestricted access to reports and worksheets from internal and external audit. SBS review the quality of AML/CFT related work performed by internal and external auditors during their overall internal and external auditors review. On-site examinations include review of personnel files and training provided. EC10 The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. Description and Article 48 of the AML/CFT Regulation states that entities must develop and findings re EC10 implement IT systems that enable the management of risks related to money laundering and terrorist financing, including the channels of communication between the compliance officer, the Board, management and support and business lines staff, taking into account their role and powers. 240 PERU Annex 2 of the AML/CFT Regulation, on the minimum content of the AML/CFT Manual, require that the Manual contains, with respect to roles and responsibilities, all general obligations applicable to all employees, as well as specific responsibilities related to their specific duties as Board, Management, Compliance Officer and staff (business lines and support) taking into account their roles and responsibilities (item 2). It also requires the establishment of internal procedures for consultation and communication of unusual or suspicious activities, as well as communication channels with the bank and with the various internal bodies (item 4). Examination procedures encompass procedures to verify if staff have tools to alert the Compliance Officer on possible unusual or suspicious transactions. SBS also reviews the list of reports used by the compliance officer to perform its controls activities, and performs an overall assessment of communication channels. EC11 Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. Description and The General Law provisions related to confidentiality of information pertaining to findings re EC11 banks, banks’ Boards and staff (Art. 140) excludes from those provisions matters related to suspicious activities. It also f states that banks are required to report suspicious activities to the FIU, further elaborating that banks and staff, which, complying with such requirement, report suspicious activities to the FIU do not bear legal responsibilities. Furthermore, article 378 on communicating suspicious activities, item 4, states that entities, as well as staff, management, Board members and other representatives are exempt from penal, civil or administrative penalties when communicating suspicious activities irrespectively of the results of the communication. There are no provisions stating that internal communications in good faith should not be in anyway internally punished. Examination procedures encompass the assessment of communication channels within the supervised entities, verifying that all staff have the necessary tools to properly communicate to the Compliance officer and if unusual operations are timely reported. EC12 The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. Description and The AML/CFT Executive Multisectoral Committee (CONTRALAFT) was created in 2011 findings re EC12 (Supreme Decree 057-2011-PCM), which aims to assist in the coordination and planning of actions by public and private entities. Ministry of Justice heads the CONTRALAFT, which meets every two months. The FIU is responsible for the Technical Secretariat. The CONTRALAFT is also responsible for monitoring implementation, compliance and updating of the AML/CFT National Plan. 241 PERU SBS cooperates with foreign supervisors under the MoUs detailed in CP3, reporting that the MoUs have helped strengthening cooperation and collaboration. Authorities shared with the assessors, cases of sharing information on sanctions and results of examinations. The SBS has a cooperation agreement with the SMV encompassing almost the entire spectrum of what is considered a financial institution under the FATF. In practice, SBS reports to have shared with SMV policies, procedures and manuals, upon request. EC13 Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. Description and There are no established procedures for disseminating overall information to banks findings re EC13 on risks of money laundering and the financing of terrorism to banks. SBS informed that in practice it does share information with the bank association and compliance officer on particular themes and on changes on regulations. Assessment of Largely Compliant Principle 29 Comments SBS has a robust AML/CFT framework but limited sanctions can potentially curb its effectiveness. The framework has been strengthened in recent years with the issuance of the AML/CFT risk management regulation and continuous enhancements in supervisory procedures. An important limitation in the current framework is the fact that sanctioning for banks is confined to fines up to USD 250,000, not enough to curb behavior. Other aspects for further improvement include: • Banks are not explicitly required to report to banking supervision suspicious activities in cases where such activities/incidents are material to the safety, soundness or reputation of the bank; there is a general requirement to inform major events related to the bank which has never been used; • The current framework regarding CDD does not encompass the overall requirements for banks to develop their own internal policies and criteria, in addition to the detailed requirements aiming at ensuring and effective CDD. • There are no requirements that the CDD management program has, as one of its essential elements, a customer acceptance policy that identifies business relationships that the bank will not accept; • There are no specific provisions in terms of requiring entities to gather sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; nor for not establishing relationships with those that are not effectively supervised by the relevant authorities. Authorities are recommended to amend the legal and regulatory framework in order to: 242 PERU • Be able to impose sizable fines to banks. In addition, powers related to the possibility of suspending dividends, restrictions to asset growth, operating in certain business lines and others could also be useful tools to support banks’ compliance with the AML/CFT framework; • Explicitly require banks to report to the SBS suspicious activities and incidents of fraud in cases where such activities/incidents are material to the safety, soundness or reputation of the bank; • Require banks to develop their own internal policies and criteria for CDD beyond what is expressly prescribed in regulation; • Explicitly require entities to gather sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; • Not allow banks to establishing relationships with correspondent banks that are not effectively supervised by the relevant authorities; • Require CDD management programs to have a customer acceptance policy that identifies business relationships that the bank will not accept. SUMMARY COMPLIANCE WITH THE BASEL CORE PRINCIPLES Core Principle Grade Comments 1. Responsibilities, objectives and powers MNC SBS responsibilities and powers are clearly defined in the legal framework. Overall, SBS has powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. A significant shortcoming, nevertheless, in the Peruvian legal framework is that its supervisory powers are limited regarding direct access to parents and affiliates, including their subsidiaries all being outside of the direct supervisory perimeter. Such legal limitation is particularly an issue of concern since two Peruvian (in terms of main shareholders, activities and management) conglomerates with foreign holding companies, for which the SBS is operating de facto as the home supervisor, are systemic. Although the SBS has done a remarkable job over the recent years in terms of gathering information on the conglomerates, monitoring 243 PERU their activities and requiring (by enforcement through the supervised entities and moral suasion) prudential requirements and controls, these legal limitations impair SBS’ ability to effectively regulate and supervise these conglomerates on a consolidated basis. 2. Independence, accountability, LC SBS has operational independence, resourcing and legal protection for accountability and governance arrangements in supervisors place and publicly disclosed. It has also no budged constraints. Allocation of resources do take into account the risk profile and systemic importance of individual banks although the proportion of staff allocated to banks and banking groups, in comparison to the microfinance institutions seems too low. Legal protection should be enhanced, nonetheless. Current provisions do provide certain protection but SBS and SBS staff liability are not shielded through a “good faith” test. In addition, current provisions extend only to the Superintendent and Deputy Superintendents and even in those cases covering only the first five years after they have left office. Governance arrangements have further room for improvement, particularly regarding the assessment of the effectiveness of supervisory activities. In addition, the fact that the Superintendent mandate coincides with the constitutional term of the government may potentially undermine his/her personal autonomy. 3. Cooperation and collaboration C Arrangements currently in place in Peru provide a framework for cooperation and collaboration with relevant domestic and foreign supervisors and do reflect the need to protect confidential information. Particularly regarding domestic authorities, SBS does not seem to feel the need to exchange much information to perform its supervisory duties, although providing information when requested. 4. Permissible activities C The permissible activities of institutions that are licensed, and subject to supervision as banks 244 PERU operating in Peru, are clearly defined and the use of the word “bank” in names is controlled. 5. Licensing criteria C SBS has a sound and comprehensive licensing process in place, encompassing the assessment of the ownership structure and governance, strategic and operating plans, internal controls, risk management and projected financial conditions. A non-objection is required in cases where the parent is a foreign bank. 6. Transfer of significant ownership LC SBS has the power to review, reject and impose prudential conditions on proposals to transfer significant ownership or controlling interest above 10 percent held directly or indirectly in existing banks to other parties. The legal and regulatory framework falls short with regard to significant influence, which would encompass situations where in practice there is significant influence on the management and policies of the bank even in situations with stakes below 10 percent. 7. Major acquisitions LC The SBS has the power to approve or reject on major acquisitions or investments by a bank including establishment of cross-border operations. The limit established for investments in publicly traded companies (not higher than 50 percent of the invested company) might result in banks having high stakes and controlling interest/influence in non-financial companies. 8. Supervisory approach LC The SBS has a sound and comprehensive supervisory approach, moving towards a more risk-based framework. It is supported by a rating methodology and encompasses a forward-looking perspective, assessing and addressing risk emanating from banks and the banking system. Elements related to the conglomerate are taken into account for overriding purposes, but are not embedded into the supervisory rating methodology. SBS seems to have a deep knowledge of the operations and risk profile of the major banks operating in Peru, making effective use of a broad range of information sources. Interactions with senior management and 245 PERU board have been enhanced but there is still room for further improvement. Resolvability of banks is a topic yet to be tackled by SBS. Issues related to EC8 and the legal limitations regarding consolidated supervision and the supervisory perimeter have been factored into the ratings of CP 1 and 12. 9. Supervisory techniques and tools C SBS has a broad range of techniques and tools to implement its supervisory approach. The integration of its on and off-site activities has been beneficial and the split between a specialized risk Deputy Superintendence and a Superintendence in charge of the general supervision of individual banks seems to be working well. In addition to the on-site examinations, SBS has an array of reports produces by both Superintendences, sometimes with overlap between them. Off-site surveillance is yet to establish a platform similar as for the on-site activities, facilitating analysis and monitoring of follow up activities. 10. Supervisory reporting C The SBS collects, reviews and analyses prudential reports and statistical returns from banks on both a solo and a consolidated basis, and independently verifies these reports through on-site examinations. 11. Corrective and sanctioning powers of LC SBS does effectively act at an early stage to supervisors address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The broad powers granted by the legal framework, paired with a moral suasion culture have enabled SBS to successfully tackle supervisory concerns. SBS has experienced senior staff that ensure consistency in the application of the corrective actions. Nonetheless, SBS would benefit from documenting the in practice used operation procedures and framework for corrective actions, to provide further assurance on its consistent application. 12. Consolidated supervision LC The legal framework in Peru empowers SBS to exercise full consolidated supervision only from the bank downwards. Holding companies of 246 PERU the banks are not formally regulated or supervised. The vast majority of foreign exposures are, however, held through holding companies. By enforcing through the supervised entities and moral suasion, SBS has been able in recent years to gather information on the conglomerates, monitoring their activities and requiring prudential requirements and controls. To a certain extent SBS acts “de facto” as the home supervisor and systematically conducts examinations of financial subsidiaries of the holding (in relation to which it has no formal supervisory powers). However, weaknesses remain with regard to the supervisory approach on a group-level to governance, risk management, capital adequacy assessment and liquidity risk management. 13. Home-host relationships C SBS is actively cooperating with home and host supervisors. Cross-border operations are concentrated in the two systemic conglomerates and represent almost 22 percent of gross total assets. Although from a legal perspective the vast majority of those operations are outside the supervisory perimeter (investments through the holding), SBS acts de facto as the home supervisor. None of the foreign operations are material from a host supervisor perspective. The SBS has not established Crisis Management Groups for the two Peruvian financial conglomerates 14. Corporate governance LC SBS’ governance requirements do not apply on a group-level for institutions for which the SBS acts as the home supervisor. As a result, the individual group Board members are not subject to a formal fit and propriety review by the SBS, group Board members are not required (GIR, article 9) to sign-off on their responsibilities as required for Board members of supervised institutions, and the supervisory approach to corporate governance on a group- level is less developed. In its regulatory and supervisory framework, the SBS puts significant emphasis on corporate 247 PERU governance of the licensed institutions and sets clear expectations regarding the role and responsibilities of the Board and the structure of its committees. However, the actual engagement with the Board and individual Board members could be further enhanced as it is currently not commensurate with the emphasis placed on it by the regulation and SBS’ governance expectations. In addition, the requirements regarding the composition of the committees (number of independent Board members and having an independent Board member as Chair) could be further aligned with the Basel Corporate Governance Principles issued in July 2015. The new Corporate Governance & GIR (coming into effect per April 1, 2018) sets the expectation of a periodic Board effectiveness self-assessment. However, the SBS has not yet developed a clear expectation with regard to the standards of such an assessment, an internal framework for assessing the collective suitability and effectiveness of the Board, and assessment criteria, in terms of expected seniority and experience, for key Board positions. Intensified engagement with Board members will also help to develop a more comprehensive view of the composition and the effectiveness of the Board (currently mainly based on the review of Board and Committee minutes). One way to intensify the engagement would be to invite new Board members (or at least key Board members or Board members of systemically important institutions) for a meeting/interview upon appointment. This would give the SBS the opportunity to convey its expectations and at the same time allow to gauge the Board member’s experience and maintain SBS’ view on the collective suitability up to date. The assessors note that per the regulation independent Board members at a group level, 248 PERU can also act as independent Board members at a subsidiary level. This dual position could in certain situations, however, result in divided loyalties. 15. Risk management process LC The regulatory framework for risk management is tailored to the specific economic circumstances in Peru, and sets clear risk management expectations for material risks to which the banking sector is exposed. Although the Consolidated Supervision Regulation to a certain extent redresses the fact that the risk management regulations (GIR and its successor Corporate Governance & GIR) do not apply on a group-wide basis, the resulting indirect form of regulation is not optimal. The SBS in practice reviews models (country risk, internal rating and credit scoring models and methodologies, etc.) used by FIs, however, its regulatory framework could be further enhanced by providing model governance guidelines and expectations. The SBS is currently working on proposal to establish guidelines for model governance. This regulation will include guidelines related to: i) relationship between model management and risk appetite; ii) responsibilities in model management; iii) development, validation, approval and monitoring processes; iv) supporting documentation; and, v) processes of outsourcing and system support. This regulation would further enhance the regulatory risk governance framework. There are currently no formal requirements for recovery and resolution plans for D-SIBs; however, FIs are required to have capital and liquidity contingency plans, taking into account their stress-testing results. These contingency plans provide the D-SIBs with a good starting point for developing recovery and resolutions plans. 16. Capital adequacy LC The SBS has made significant progress on the implementation of the Basel III regulatory 249 PERU reform agenda. Although there are differences in the implementation, in particular regarding the different capital buffers, the implemented approaches aim to achieve the same objectives and broadly equivalent overall capital levels. ICAAP and its supervisory review are not yet integrated in SBS’ rating methodology, but if needed taken into account as an override on the internal rating. A revised rating methodology which will include the results of the SREP is planned to be rolled-out in 2019. The activation trigger of countercyclical buffer is based only on GDP growth and may be not effective in situations where there is excessive credit growth when GDP growth is below 5 percent. The systemic risk and single name risk buffers need to be reviewed as they are currently not commensurate with the risk they are supposed to cover. These issues have already been identified by the SBS and are part of the review of the Additional Capital Requirements Regulation that is currently taking place. The supervisory group capital adequacy assessment could be improved by also taking into account: i) the capital adequacy of the holding on a solo level (in order to determine if the excess capital is available on a holding level); ii) the location of capital within the conglomerate, including the risk of ringfencing/non-transferability of capital allocated to entities supervised by authorities abroad; iii) the extent to which excess capital at a group level can be completely allocated to support the financial activities of the conglomerate. The assessment of the consolidated capital adequacy does not take adequately into account the necessary adjustments to account for the change in accounting standards; solo financials based on SBS accounting standards, while consolidated financials might be based on IFRS (for groups which holding’s financial statements are 250 PERU prepared in accordance with the IFRS), which could impact the provisioning levels and therefore the available capital on a consolidated basis. 17. Credit risk C The SBS has an adequate regulatory and supervisory framework for credit risk. The Credit Risk Management Regulation issued in 2011 and the Credit Risk Capital Requirements Regulation (Resolution SBS No. 8548-2012) address the comments made in the 2011 BCP assessment. 18. Problem assets, provisions, and C The LGSF and regulations issued by the SBS reserves provide a detailed framework for the identification and management of problem assets, the asset classification, provisioning and write-offs. The corresponding supervisory approach and practices to assure adequate policies and practices by FIs are sound. Reviewed documentation evidenced that in case the SBS observes deficiencies or weaknesses, supervisory action is undertaken. The Credit Conversion Factor (CCF), as used for provisioning purposes, for undisbursed granted credits and unused lines of credit deviates from the factors used for the credit risk capital requirements (Resolution SBS No. 14354-2009, which incorporates CCFs based on the Basel II capital requirements for credit risk). The Basel II framework establishes that commitments with an original maturity up to one year and commitments with an original maturity over one year will receive a CCF of 20 percent and 50 percent, respectively. Only commitments that are unconditionally cancellable at any time by the bank without prior notice, or that effectively provide for automatic cancellation due to deterioration in a borrower’s creditworthiness, will receive a 0 percent credit conversion factor. The current blanket approach, assigning a 0 percent CCF to all undisbursed and unused lines of credit is from a provisioning point of view less conservative. 19. Concentration risk and large C The SBS issued new rules on related parties and exposure limits economic groups in 2015 (Resolution SBS N° 251 PERU 5780-2015). The new regulation establishes stricter criteria for determining a linkage and adopts international standards for defining an economic group. The regulations do not consider a combined limit for large exposures, however, the large exposure limit (at a maximum 10 percent for uncollateralized exposures) is conservative compared to international standards. In addition, the SBS requires under the Additional Capital Requirements Regulation additional capital for single name concentration risk considering the top 20 exposures. This additional capital charge may not be significant, but has resulted in explicit attention to this risk in FIs’ risk management and ICAAPs. In addition, the SBS is currently reviewing the Additional Capital Requirements Regulation including the adequacy of the capital charge for single name concentration risk (see also CP 16). 20. Transactions with related parties C The SBS issued new rules on related party and economic groups in 2015 (Resolution SBS N° 5780-2015). The new regulation establishes stricter criteria for determining a linkage and adopts international standards for defining an economic group, which also is relevant for determining related parties of FIs and financial conglomerates. 21. Country and transfer risks C The regulatory provisioning requirements for country risk are conservative. Overall the assessors consider the regulatory framework and supervisory approach and practices to country risk adequate. 22. Market risk LC Considering the characteristics of the banking system (very limited trading activities), the current regulatory and supervisory framework is broadly adequate. As observed in the 2011 BCP Assessment, the existing Market Risk Management Regulation is outdated (1998). A revised and updated Market Risk Management Regulation has been issued to the industry for consultation. The assessors did not perform an in-depth review of the revised regulation. 252 PERU The Basel Committee is in the process of reviewing whether it will issue a simplified Basel III standard approach for market risk. The SBS should evaluate to what extent the current capital requirements would need to be recalibrated to bring them in line with the Basel III standard and whether the Basel III (simplified) standardized approach should be adopted. 23. Interest rate risk in the banking book C The overall regulatory and supervisory approach and practices are adequate. Apart from the risk management requirements, IRRBB is also included in the Additional Capital Requirements Regulation; requiring an additional capital buffer if the change in EVE is more than 15 percent of regulatory capital when applying a per maturity bucket a prescribed interest rate shock. 24. Liquidity risk LC The SBS has a well-established regulatory and supervisory framework for liquidity risk. With the inclusion of the LCR in 2012 the framework has been aligned with the Basel III framework. The SBS is currently working on the implementation of the NSFR and is already monitoring the banks on this ratio. However, given the primarily short-term nature of the assets and liabilities of the banking system the implementation of this ratio is less urgent. Apart from performing semi-annual stress- testing and developing a liquidity contingency plan, there are no group level liquidity requirements. Like for capital, the group requirement is indirectly enforced via the licensed institution in Peru. This indirect form of regulation is not optimal. The adoption of group liquidity contingency plans by the two groups for which the SBS acts as home supervisor is in its initial phase and the SBS only recently has started to push for more progress in this area. 25. Operational risk C The SBS has a sound regulatory and supervisory approach towards operational risk, 253 PERU which is performed by two specialized departments of the SAR. 26. Internal control and audit C The regulatory framework and supervisory approach and practices for internal control and audit are consistent with the scale and nature of the financial system. 27. Financial reporting and external audit LC The regulatory and supervisory framework are broadly adequate. However, the SBS could the regulatory and supervisory framework are broadly adequate. However, the SBS could improve its engagement with the external auditors. In addition, it could assess more in depth whether the current provisioning requirements are adequate when compared with the new IFRS9 standard, while also considering possible issues related to resulting differences in accounting standards (as a result of not implementing IFRS9) between supervised institutions (using SBS standards) and consolidated financial groups (which may use IFRS standards). 28. Disclosure and transparency C The regulatory and supervisory approach and practices for disclosures and transparency is adequate for the level of development of the financial system. The regulatory framework assures that the required disclosures are easily accessible on the website of the SMV. The required annual disclosures are based on IAS1. These disclosures are complemented by quarterly disclosures as required by the SBS. In addition, the SBS publishes detailed quantitative financial information of the supervised entities and the financial markets on its website. 29. Abuse of financial services LC SBS has a robust AML/CFT framework but limited sanctions can potentially curb its effectiveness. The framework has been strengthened in recent years with the issuance of the AML/CFT risk management regulation and continuous enhancements in supervisory procedures. An important limitation in the current framework is the fact that sanctioning for banks is confined to fines up to USD 250,000, not enough to curb behavior. 254 PERU Other aspects for further improvement include: • Banks are not explicitly required to report to banking supervision suspicious activities in cases where such activities/incidents are material to the safety, soundness or reputation of the bank; there is a general requirement to inform major events related to the bank which has never been used; • The current framework regarding CDD does not encompass the overall requirements for banks to develop their own internal policies and criteria, in addition to the detailed requirements aiming at ensuring and effective CDD. • There are no requirements that CDD management program has, as one of its essential elements, a customer acceptance policy that identifies business relationships that the bank will not accept., although requiring banks to not have business relationships in case it does not have the capacity to take all CDD measures; • There are no specific provisions in terms of requiring entities to gather sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; nor for not establishing relationships with those that are not effectively supervised by the relevant authorities; 255 PERU RECOMMENDED ACTIONS AND AUTHORITIES’ COMMENTS A. Recommended Actions Core Principle Recommendation Principle 1 • Amend the legal framework to grant SBS powers to exercise full consolidated supervision. Principle 2 • Amend the legal framework to further protect all SBS staff for acts or omissions in good faith including current and former staff (including senior management) even after leaving the SBS, irrespectively of the number of years of being out of the SBS; • Amend the legal framework so the Superintendence tenure does not coincide with the constitutional term of the government; • Review the allocation of resources to entities in relation to their systemic relevance and risk to ensure optimization of resources; • Enhance the Internal Audit Function, including the establishment of an Internal Audit Committee; • Operationalize the Financial Stability Committee; • Consider further elaborating on the discharge of supervision responsibilities relative to the objectives through the Annual Report. Principle 6 • Adequately incorporate significant influence as a qualitative indicator for significant ownership in the regulatory framework. Principle 7 • Lower the maximum percentage allowed to be held on a non-financial company ensuring there is no controlling interest/influence. Principle 8 • Establish a process for assessing resolvability of systemic banks; • Consider establishing a rating for conglomerates, and establishing a lead supervisor for the conglomerate, responsible for the overall view of operations and risks; • Further enhance interactions with senior management and particularly the Board of supervised entities, within the process of understanding strategy, operations, controls and risks. Principle 9 • Streamline off-site surveillance report through further coordination between SAR and SABM; • Speed up the process of establishing an off-site surveillance IT platform. Principle 11 • Operationalize legal powers into a regulation or procedures comprising a range of supervisory tools to be used depending on the severity of the situation, encompassing its full range of powers including withdrawing a license. Principle 12 • Amend the legal and regulatory framework to enhance SBS’ powers and better supporting its supervisory approach to consolidated supervision. Principle 13 • Establish Crisis Management Groups for the two systemic conglomerates. 256 PERU Principle 14 • Apply at a group-level, for groups for which the SBS acts as the home supervisor, the same governance and fit and proper requirements as applied to licensed institutions; • Enhance the requirements regarding the composition of the Board committees (number of independent Board members and having an independent Board member as Chair); • Board engagement needs to be further intensified; • The SBS should develop a framework for assessing the collective suitability of the Board and assessment criteria in terms of expected seniority and experience for key Board positions (e.g. Chair, Chair of the Risk Committee, Chair of the Audit Committee). Principle 15 • Develop and issue guidelines for model governance including the expectation for the Board and senior management to review the limitations and uncertainties relating to the output of the models and the risk inherent in their use; • Implement requirements for recovery and resolution planning for D-SIBs. Principle 16 • Incorporate as planned ICAAP and the related supervisory review in the revised supervisory rating methodology; • Finalize as planned the review of the current methodology, in particular regarding the countercyclical buffer and single name concentration, for the calculation of the additional capital requirements; • Enhance the group capital adequacy assessment by extending the current approach with the analysis of: i) the capital adequacy of the holding on a solo level (in order to determine if the excess capital is available on a holding level); ii) the location of capital within the conglomerate, including the risk of ringfencing/non-transferability of capital allocated to entities supervised by authorities abroad, and; iii) the extent to which excess capital at a group level can be completely allocated to support the financial activities of the conglomerate; • Review and revise the current group capital assessment methodology to assure that the necessary adjustments to account for difference in accounting standards between a solo and a consolidated level are properly taken into account. Principle 17 • The developed risk-based supervisory cycle for assessing credit risk should be formalized and as planned incorporated in the revised rating methodology and supervisory approach which is expected to be rolled-out in 2019. Principle 18 • Review the CCFs applied to undisbursed and unused credit lines. Principle 22 • Issue the revised and updated Market Risk Management Regulation; 77 • Evaluate to what extent the current capital requirements would need to be recalibrated to bring them in line with the Basel III standard and whether the Basel III (simplified) standardized approach should be adopted. 77 The regulation (SBS Resolution No. 4906-2017) has been issued after the assessment and will come into force June 1, 2018. 257 PERU Principle 23 • Review and consider the implementation of the Basel III standards for IRRBB. Principle 24 • The approach towards liquidity risk supervision of financial groups should be intensified; • Continue the work on the implementation of the Basel III NSFR (tailored to the local circumstances) as planned. Principle 25 • Follow up on the recommendations (and lead by example) of the industry- wide business continuity stress-test. Principle 27 • Assess in more depth the potential impact of implementation of IFRS9 on FIs provisioning requirements, in particular to determine whether the current provisioning requirements are sufficiently prudent; • Discuss and engage with the different stakeholders to further on the implementation strategy of IFRS9; • Consider developing a structured (risk-based) approach for conducting trilateral meetings with the external auditor and the FIs to discuss the management letter; • Strengthen the engagement with the external auditor and the audit profession as part of SBS’ supervisory approach . Principle 28 • Consider implementing the recommendations of the Enhanced Disclosure Task Force of the FSB and Pillar 3 of the Basel framework. Principle 29 Amend the legal/regulatory framework to: • Be able to impose sizable fines to banks. In addition, powers related to the possibility of suspending dividends, restrictions to asset growth, operating in certain business lines and others would be useful tools to support enforcement of banks’ compliance with the AML/CFT framework. • Explicitly require banks to report to the SBS suspicious activities in cases where such activities are material to the safety, soundness or reputation of the bank; • Require banks to develop their own internal policies and criteria for CDD beyond what is expressly prescribed in regulation; • Explicitly require entities to gather sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; • Not allow banks to establish relationships with correspondent banks that are not effectively supervised by the relevant authorities; • Require CDD management programs to have a customer acceptance policy that identifies business relationships that the bank will not accept. 258 PERU B. Authorities’ Response to Assessment78 • The SBS appreciates the opportunity to provide comments for this document. The SBS would like to thank the IMF and WB assessors for their full assessment of Peru’s compliance with the Basel Core Principles for Effective Banking Supervision as part of the comprehensive Financial Stability Assessment Program. • The discussions were fruitful with seasoned supervisors. There were many practical ideas and recommendations for improvement, not all of them making their way in this document but all of which will enrich the SBS internal discussion on future developments of the Peruvian banking regulation and supervision. • Overall, the assessment adequately reflects the current status of the Peruvian regulatory and supervisory frameworks. There is one point of disagreement regarding the grading of Principle 1. The Peruvian Banking Law defines ample legal powers for the SBS to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. The only area where there is some weakness is the limited legal powers for supervising holding companies, which the SBS considers has been over-weighted in the assessment of Principle 1. • Even though the SBS has not direct powers over holding companies, it has indirect legal powers to require information and impose prudential requirements through the supervised bank. These indirect powers have demonstrated to be effective in the supervision of the two major banking groups. The SBS recognizes there is room for improvement in the legal framework to deal with potential future risks; however, does not consider its current limited legal powers as a major source of risk. • Finally, as in previous evaluations, the SBS will carefully evaluate the recommendations and develop a plan to continue strengthening the robust regulatory and supervisory framework of the Peruvian Financial System. 78If no such response is provided within a reasonable time frame, the assessors should note this explicitly and provide a brief summary of the authorities’ initial response provided during the discussion between the authorities and the assessors at the end of the assessment mission (“wrap-up meeting”). 259