[ BSP CIRCULAR NO. 429, S. 2004, May 11, 2004 ]
AMENDMENTS TO THE MANUAL OF REGULATIONS FOR BANKS (MORB) AND THE MANUAL OF REGULATIONS FOR NON-BANK FINANCIAL INSTITUTIONS (MORNBFI)
Pursuant to Monetary Board Resolution No. 610 dated 29 April 2004, the Manual of Regulations for Banks (MORB) and the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) are hereby amended, as follows:
SECTION 1. Subsecs. X170.3 and 4191Q.3 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.3 and 4191Q.3 Compliance risk. Compliance risk is the risk of legal or regulatory sanctions, financial loss, or loss to reputation a bank/non-bank may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice.
SECTION 2. Subsecs. X170.4 and 4191Q.4 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.4 and 4191Q.4 Responsibilities of the board of directors and senior management on compliance. Aside from the duties and responsibilities of the board of directors mentioned under Subsecs. X141.3 and 4141Q.3, the board should oversee the implementation of the compliance policy and ensure that compliance issues are resolved expeditiously. Senior management should be responsible for establishing a compliance policy, ensuring that it is observed, reporting to the board of directors on its ongoing implementation and assessing its effectiveness and appropriateness. Senior management should, at least once a year, report to the board of directors or a committee of the board on matters relevant to the compliance policy and its implementation, recommending any required changes to the policy. The report should assist the board members in making an informed assessment as to whether the institution is managing its compliance risk effectively. However, any material breaches of laws, rules and standards shall be reported promptly.
SECTION 3. Subsecs. X170.5 and 4191Q.5 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.5 and 4191Q.5 Status. The compliance function should have a formal status within the organization established by a charter or other formal document approved by the board of directors that defines the compliance function's standing, authority and independence, and addresses the following issues:
1) measures to ensure the independence of the compliance function from the business activities of the bank;
2) its role and responsibilities;
3) its relationship with other functions or units within the organization;
4) its right to obtain access to information necessary to carry out its responsibilities;
5) its right to conduct investigations of possible breaches of the compliance policy;
6) its formal reporting relationships to senior management and the board of directors; and
7) its right of direct access to the board of directors or an appropriate committee of the board.
The compliance charter or other formal document defining the status of the compliance function shall be communicated throughout the organization.
SECTION 4. Subsecs. X170.6 and 4191Q.6 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.6 and 4191Q.6 Independence. The compliance function should be independent from the business activities of the institution. It should be able to carry out its responsibilities on its own initiative in all units or departments where compliance risk exists and must be provided with sufficient resources to carry out its responsibilities effectively. It must be free to report to senior management and the board or a committee of the board on any irregularities or breaches of laws, rules and standards discovered, without fear of retaliation or disfavor from management or other affected parties. The compliance function should have access to all operational areas as well as any records or files necessary to enable it to carry out its duties and responsibilities.
SECTION 5. Subsecs. X170.7 and 4191Q.7 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.7 and 4191Q.7 Role and responsibilities of the compliance function. The role and responsibilities of the compliance function should be clearly defined. If there is a division of duties and responsibilities between different functions such as legal, compliance, internal audit or risk management, the allocation of duties and responsibilities to each function should be properly delineated. There should likewise be formal arrangements for cooperation between each function and for the exchange of relevant information.
SECTION 6. Subsecs. X170.8 and 4191Q.8 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.8 and 4191Q.8 Cross-border issues. The compliance function for institutions that conduct business in other jurisdictions should be structured to ensure that local compliance concerns are satisfactorily addressed within the framework of the compliance policy for the organization as a whole. As there are significant differences in legislative and regulatory frameworks across countries or from jurisdiction to jurisdiction, compliance issues specific to each jurisdiction should be coordinated within the structure of the institution's group-wide compliance policy. The organization and structure of the compliance function and its responsibilities should be in accordance with local legal and regulatory requirements.
SECTION 7. Subsecs. X170.9 and 4191Q.9 of the MORB and MORNBFI, respectively, are hereby added to read, as follows:
Subsecs. X170.9 and 4191Q.9 Outsourcing. Banks/non-banks should establish policies for managing the risks associated with outsourcing activities. Outsourcing of services/activities can reduce the institution's risk profile by transferring activities to others with the necessary expertise to manage the risks associated with specialized business activities. However, the use of third parties does not diminish the responsibility of the board of directors and senior management to ensure that the outsourced activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations.
Compliance risk assessment and testing may be outsourced, subject to appropriate oversight by the compliance officer: Provided, a copy of the outsourcing agreement stating the duties and responsibilities as well as rights and obligations of the contracting parties, which agreement shall be approved by the board of directors of the institution concerned, must be submitted to the appropriate supervising and examining department of the Bangko Sentral at least thirty (30) days prior to its execution to enable review of its compliance with existing regulations on outsourcing of banking functions.
The service level agreement shall ensure a clear allocation of responsibilities between the external service providers and the bank. Furthermore, the outsourcing bank should manage residual risks associated with outsourcing arrangements, including default, operational failures, and possible disruption of services.
This Circular shall take effect after fifteen (15) days following its publication either in the Official Gazette or in a newspaper of general circulation.
Adopted: 11 May 2004
(SGD.) ALBERTO V. REYES
Officer-in-Charge