The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, banks are required to have a comprehensive approach to risk management, including Board and Senior Management oversight, to ensure their resiliency and enhance overall financial stability.

Risk management, together with internal audit and compliance, comprise key control functions in a bank. The control functions have a responsibility, independent of the management of the bank’s business lines, to provide objective assessment, reporting and/or assurance. The control functions are an essential foundation for effective corporate governance, which is the set of relationships between the bank’s management, board, shareholders and other stakeholders. Collectively these comprise the structure through which the objectives of the bank are set, the means of attaining those established objectives and the monitoring of performance against the established objectives.

In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that banks’ approaches to risk management are in line with leading international practices.

This Regulation and the accompanying Standards establish an overarching prudential framework for risk management. Standards and supervisory expectations for selected specific risks are, or will be, established in other Central Bank regulations.

This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

Where this Regulation, or the accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements, which are additional to the list provided in the relevant article.

The objective of this Regulation is to establish the minimum acceptable standards for Banks’ comprehensive approach to risk management with a view to:

i. Ensuring the soundness of banks; and

ii. Contributing to financial stability.

The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to risk management.

This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant group relationships, including subsidiaries, affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and group-wide basis.

1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
    
2. Bank: A financial entity that is authorized by the Central Bank to accept deposits as a bank.
    
3. Board: The Bank’s board of directors.
    
4. Central Bank: The Central Bank of the United Arab Emirates.
    
5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
    
6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
    
7. Group: A group of entities that includes an entity (the 'first entity') and:
    
   1. any Parent of the first entity;
       
   2. any Subsidiary of the first entity or of any Parent of the first entity; and
       
   3. any Affiliate.
       
8. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
    
9. Parent: An entity (the 'first entity') which:
    
   1. holds a majority of the voting rights in another entity (the 'second entity');
       
   2. is a shareholder of the second entity and has the right to appoint or remove a majority of the board of directors or managers of the second entity; or
       
   3. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity.
       

      Or;

   4. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
       
10. Risk appetite: The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
     
11. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
     
12. Risk profile: Point in time assessment of the bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
     
13. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the bank’s strategy; and identify, measure, manage and control risks.
     
14. Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank-wide and, if applicable, group-wide basis.
     
15. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
     
16. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
     
    1. holds a majority of the voting rights in the first entity;
        
    2. is a shareholder of the first entity and has the right to appoint or remove a majority of the board of directors or managers of the first entity; or
        
    3. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity.
        

       Or;

    4. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
        

1. A Bank must have an appropriate risk governance framework that provides a bank-wide and, if applicable, group-wide view of all material risks. This includes policies, processes, procedures, systems and controls to identify, measure, evaluate, monitor, report and control or mitigate material sources of risk on a timely basis. A bank’s definition and assessment of material risks must take into account its risk profile, nature, size and complexity of its business and structure.
    
2. The Board is in ultimate control of the Bank and bears ultimate responsibility for ensuring that there is a comprehensive risk governance framework appropriate to the risk profile, nature, size and complexity of the Bank’s business and structure.
    
3. The risk governance framework must, at a minimum, provide for the following items:
    
   1. A board-approved risk appetite statement including limits for all relevant risk categories and risk concentrations;
       
   2. Documentation of the roles and responsibilities of the different parts of the Bank involved in managing risk;
       
   3. Policies and procedures to ensure that all material risks are identified, measured, managed, mitigated and reported upon in a timely and comprehensive manner; and
       
   4. Contingency arrangements such as business continuity plans and contingency funding plans for risks that may materialize in stress situations.
       
4. The risk-governance framework, in addition to the risk management function, must include adequately resourced compliance and internal audit functions to assess bank-wide, or if applicable, group–wide adherence, to relevant legislation, policies and procedures and to provide independent assurance regarding the implementation and effectiveness of risk management policies, procedures, systems and controls.
    
5. Senior Management is responsible for the implementation of sound policies, effective procedures and robust systems consistent with the board-approved risk governance framework. The Board remains ultimately accountable, notwithstanding specific responsibilities delegated to Senior Management.

1. A Bank must have an adequately resourced Risk Management Function headed by a chief risk officer or equivalent. The function must be independent of the management and decision-making of the Bank’s risk-taking functions and have a direct reporting line to the Board or a board risk committee.
    
2. The Risk Management Function must include policies, procedures, systems and controls for monitoring and reporting risk and to ensure that risk exposures are aligned with the Bank’s strategy and business plan and consistent with the board-approved risk appetite statement and individual risk limits.
    
3. Exceptions to the Bank’s risk management policies, procedures or limits must be immediately addressed by the appropriate level of management or the Board.
    
4. A Bank must immediately notify the Central Bank when it becomes aware of a significant deviation from its board-approved risk appetite statement, risk management policies or procedures, or that a material risk has not been adequately addressed.
    

1. A Bank must have systems to measure and monitor risk which are commensurate with the risk profile, nature, size and complexity of its business and structure.
    
2. The Board must have sufficient expertise to understand and oversee the risk measurement systems including any use of models.
    
3. Where a Bank uses models to measure components of risk, it must have appropriate internal processes for the development and approval for use of such models and must perform regular and independent validation and testing of the models. The Board remains ultimately accountable whether the approval for use of models is provided by the Board or through authority delegated to management.

1. 1. A Bank must implement a forward-looking stress-testing program as part of its comprehensive approach to risk management. Extreme, but plausible, adverse scenarios for a range of material risks must be included in the stress-testing program, commensurate with the size of the Bank’s risk exposures. The results of the stress-testing program must be reflected on an ongoing basis in the Bank’s risk management, including contingency planning and the Bank’s internal assessment of its capital and liquidity.
    
2. A Bank’s internal process for assessing capital and liquidity requirements must take into account the nature and level of risks taken by the Bank. In addition to the specific risks identified in the Central Bank Capital Adequacy and Liquidity Regulations and Standards, a Bank must consider all other material risks.

A Bank must have information systems that enable it to measure, assess and report on the size, composition and quality of risk exposures on a bank-wide and where applicable group-wide, basis across all risk types, products and counterparties. Reports must be provided on a timely basis to the Board and Senior Management, in formats suitable for their use and understanding.

1. A Bank must have adequate policies and procedures to ensure that the risks inherent in strategic or major operational initiatives such as changes in systems, business models, or acquisitions are identified, understood and mitigated to the extent possible. At a minimum, policies and procedures must require:
    
   1. Approval by the Board, or a board committee, of strategic and major operational decisions; and
       
   2. Reporting that enables the Board and Senior Management to monitor and manage these risks on an ongoing basis.
       
2. Policies and procedures must establish appropriate levels of approval authority for introducing new products and material modifications to existing products. The Board remains ultimately accountable notwithstanding any delegation of approval authority to Senior Management. At a minimum, policies and procedures must ensure:
    
   1. Assessment of the risks and determination that the Bank’s control functions and systems are adequate to measure and mitigate the risks; and
       
   2. Reporting that enables the Board and Senior Management to monitor and manage these risks on an ongoing basis.
       
3. A Bank must appropriately account for risks in its internal pricing, performance measurement and new product approval process, for all significant business activities.

1. Banks, for which the Central Bank is the primary regulator, who have significant group relationships including subsidiaries, affiliates, or international branches, must develop and maintain processes to coordinate the identification, measurement, evaluation, monitoring, reporting and control or mitigation of all internal and external sources of material risk across the group. The process must provide the Board with a solo and group-wide view of all material risks including the roles and relationships of other group entities to one another and to the Bank.
    

   The methods and procedures applied by subsidiaries, affiliates and international branches must support risk management on a group-wide basis. Banks must conduct group-wide risk management and prescribe group policies and procedures, while the boards and Senior Management of subsidiaries and affiliates must have input with respect to the local or regional application of these policies and procedures and the assessment of local or regional risks.

2. Where the Central Bank is not the primary regulator of a bank that is part of a Group and any element of its comprehensive approach to risk management is controlled or influenced by another entity in the group, the bank’s risk governance framework must specifically take into account risks arising from the Group relationship and clearly identify:
    
   1. Linkages and any significant differences between the Bank’s and the Group’s risk governance framework;
       
   2. Whether the bank’s risk management function is derived wholly or partially from Group risk management functions; and
       
   3. The process for monitoring by, or reporting to, the Group on risk management.

1. A Bank must make publicly available, including through publication in its annual report and on its website, information on its Risk Governance Framework and the nature and extent of its risk exposures.

1. A bank offering Islamic financial services must ensure that its approach to risk management incorporates appropriate measures to comply with Sharī’ah provisions.
    
2. A bank offering Islamic financial services must ensure that its risk governance framework addresses the potential risk exposures arising from Islamic financing instruments with respect to credit, market and liquidity risks as well as equity investment risk and rate of return risk and the operational and reputational risks from failure to adhere to Sharī’ah provisions.

1. Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action as deemed appropriate by the Central Bank.

1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

1. This Regulation and the accompanying Standards replace all previous Central Bank regulations with respect to risk management.

1. This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and must come into effect one month from the date of publication.

1. 1. These Standards form part of the Risk Management Regulation. All banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. 2. A bank's board of directors is in ultimate control of the bank and accordingly, ultimately responsible for the bank’s comprehensive approach to risk management. There is no one-size-fits-all or single best solution. Accordingly, each bank could meet the minimum requirements of the Regulation and Standards in a different way and thus may adopt an organisational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented a comprehensive approach to risk management. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards¹.
3. 3. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

¹ The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

1. 1. Affiliate: An entity that, directly or indirectly, controls, is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity or of the power to direct or cause the direction of the management of another entity.
2. 2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
3. 3. Board: The Bank’s board of directors.
4. 4. Central Bank: The Central Bank of the United Arab Emirates.
5. 5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
6. 6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
7. 7. Group: A group of entities that includes an entity (the 'first entity') and:
   1. a. any Parent of the first entity;
   2. b. any Subsidiary of the first entity or of any Parent of the first entity; and
   3. c. any Affiliate.
8. 8. Parent: An entity (the 'first entity') which:
   1. a. holds a majority of the voting rights in another entity (the 'second entity');
   2. b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
   3. c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;

      Or;

   4. d.  if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
9. 9. Risk appetite: The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
10. 10. Risk capacity: The maximum amount of risk a bank is able to assume given its capital base, risk management and control measures, as well as its regulatory constraints.
11. 11. Risk culture: A bank’s norms, attitudes and behaviors related to risk awareness, risk taking and risk management and controls that shape decisions on risks, influence the decisions of management and employees during day-to-day activities and is reflected in the risks they assume.
12. 12. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the board and management establish and make decisions about the bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
13. 13. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
14. 14. Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank and, if applicable, group-wide basis.
15. 15. Risk profile: Point in time assessment of the bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
16. 16. Senior management: The executive management of the bank responsible and accountable to the board for the sound and prudent day-to-day management of the bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
17. 17. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
    1. a. holds a majority of the voting rights in the first entity;
    2. b. is a shareholder of the first entity and has the right to appoint or remove a majority of the board or managers of the first entity; or
    3. c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;

       Or;

    4. d. if the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.

1. 1. A bank must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risk. The risk governance framework consists of policies, processes, procedures, systems and controls.
2. 2. The risk governance framework must be documented and approved by the Board and must provide for a sound and well-defined framework to address the bank's risks.
3. 3. The risk governance framework will vary with the specific circumstances of the bank, particularly the risk profile, nature, size and complexity of its business and structure. A bank must incorporate the following minimum elements into its risk governance framework or demonstrate to the Central Bank that its framework meets the requirements for a comprehensive approach to risk management without the presence of all of the elements set out below:
   1. a. Board: the board must approve, maintain and oversee the bank’s risk governance framework, including the risk appetite statement, risk limits by legal entity, business line or management units consistent with the risk appetite statement and policies and procedures to implement a comprehensive approach to risk management.
   2. b. Board risk committee: pursuant to a charter or terms of reference approved by the board, the board risk committee must (a) review and recommend the establishment of and revisions to the bank’s risk governance framework and (b) oversee its implementation by senior management.
   3. c. Board audit committee: pursuant to a charter or terms of reference approved by the Board, the board audit committee must oversee the independent assessment of the risk governance framework by the internal audit function and the internal audit function’s independent assessment of implementation of the bank’s comprehensive approach to risk management.
   4. d. Management risk committee: the management risk committee must develop and recommend the overall risk strategy, the risk governance framework and the risk appetite statement to the board or to the board risk committee and must be accountable for an effective bank-wide approach to risk management and for the communication of the comprehensive approach to risk management across the bank.
   5. e. Risk management function: headed by the chief risk officer (CRO) or equivalent, the risk management function must develop metrics relevant to the risk appetite statement, monitor and report on the risk metrics, escalate breaches and conduct stress tests.
   6. f. Compliance function: the compliance function must verify that compliance policies are observed and must report to senior management or the board, as appropriate, on how the bank is managing its compliance risk.
   7. g. Internal audit function: the internal audit function must provide independent assurance to the board and senior management on the quality and effectiveness of a bank’s internal control and risk management policies, procedures and systems, including measurement methodologies and assumptions. It reports directly to the board audit committee.
   8. h. Business line management: must receive and operationalize risk limits, establish procedures to identify and control risks including monitoring and escalation of breaches and report on risk metrics.
4. 4. In defining and assessing risks, a bank must consider both the probability of the risk materializing and its potential impact on the bank. In assessing the potential impact of a risk, a bank must assess factors including but not limited to: (a) potential disruption of the bank’s business operations; (b) effect on profitability, liquidity, capital adequacy and regulatory compliance; and (c) ability of the bank to meet its obligations to its customers or other counterparties.
5. 5. A Bank’s risk governance framework must address all material risks, which, at a minimum, must include the following items:
   1. a. Credit risk;
   2. b. Market risk;
   3. c. Liquidity risk
   4. d. Operational risk;
   5. e. Risks arising from its strategic objectives and business plans; and
   6. f. Other risks that singly, or in combination with different risks, may have a material impact on the bank.
6. 6. A Board is responsible for the implementation of an effective risk culture and internal controls across the bank and its subsidiaries, affiliates and international branches. The board approved risk governance framework must incorporate a “three lines of defense” approach including senior management of the business lines, the control functions of risk management and compliance and an independent and effective internal audit function:
   1. a. Business line management - identification and control of risks
      1. i. Manage and identify risks in the activities of the business line;
      2. ii. Ensure activities are within the bank’s risk appetite, risk management policies and limits;
      3. iii. Design, implement and maintain effective internal controls; and
      4. iv. Monitor and report on business line risks.
   2. b. Risk management function - sets standards and challenges business lines
      1. i. Headed by the CRO or equivalent;
      2. ii. Establish bank-wide or, if applicable, group-wide risk and control strategies and policies;
      3. iii. Provide oversight and independent challenge of business line accountabilities;
      4. iv. Develop and communicate risk and control procedures; and
      5. v. Monitor and report on compliance with risk appetite, policies and limits.
   3. c. Compliance function - assess bank-wide adherence to requirements
      1. i. Develop and communicate compliance policies and procedures; and
      2. ii. Monitor and report on compliance with laws, corporate governance rules, regulations, regulatory codes and policies to which the bank is subject.
   4. d. Internal audit function - independent assurance
      1. i. Independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; and
      2. ii. Independently assess the effectiveness of business line management in fulfilling their mandates and managing risk.
7. 7. The Board must ensure that the risk management, compliance and internal audit functions are properly staffed and resourced and carry out their responsibilities independently and effectively. This includes unrestrained access to all kinds of information needed for the risk management, compliance and internal audit functions to fulfil their tasks.
8. 8. The Board must review policies annually and controls on a regular basis with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues, as well as determine areas that need improvement.
9. 9. The Board must provide oversight of senior management. It must hold members of senior management accountable for their actions and enumerate the consequences if those actions are not aligned with the board’s expectations. This includes adhering to the bank’s values, risk appetite and risk culture, regardless of financial gain or loss to the bank.
10. 10. Senior management must implement, consistent with the direction given by the board, policies, procedures, systems and controls for managing the risks to which the bank is exposed and for complying with laws, Central Bank regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions, as well as an effective overall system of internal controls.
11. 11. Senior management must provide the board with the information it needs to carry out its responsibilities, including the supervision of senior management and assessment of the quality of senior management’s performance.

1. 1. The head of the risk management function, the CRO or equivalent, must be of sufficient seniority and stature within the bank, to credibly challenge the heads of business lines and functions. The risk management function is responsible for assisting the Board, board committees, executive committee (including the credit committee) and senior management to develop and maintain the risk governance framework.
2. 2. Appointment or dismissal of the CRO must be approved by the Board or board risk committee. If the CRO is removed, the bank must immediately advise the Central Bank of the reasons for such a removal.
3. 3. The CRO, or equivalent, must:
   1. a. Not have a decision-making role in the bank’s risk-taking functions, including credit underwriting, or the finance function;
   2. b. Have no revenue-generating responsibilities;
   3. c. Not have remuneration based on the performance of any of the bank’s risk-taking functions;
   4. d. Not be the chief executive of the bank, or head of the finance, compliance or internal audit function;
   5. e. Have a direct reporting line to the Board or board risk committee and appropriate reporting lines to senior management; and
   6. f. Have unfettered access directly to the board risk committee, including the ability to meet without other senior executives present.
4. 4. Key activities of the risk management function must include, but are not limited to:
   1. a. Identifying material individual, aggregate and emerging risks;
   2. b. Assessing these risks and measuring the bank’s exposure to them;
   3. c. Supporting the Board in its implementation, review and approval of the bank-wide or if applicable, group-wide risk governance framework;
   4. d. Ongoing monitoring to ensure risk-taking activities and risk exposures are in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs;
   5. e. Establishing an early warning or trigger system as part of ongoing monitoring to ensure that breaches of the board-approved risk appetite and risk limits are reported on a timely basis to senior management, the Board or board risk-committee as required by board-approved policies;
   6. f. Influencing and, when necessary, challenging material risk decisions; and
   7. g. Reporting to senior management and the Board or board risk committee in accordance with the risk governance framework.

1. 1. A bank must use risk measurement methodologies commensurate with the risk profile, nature, size and complexity of the business and the structure of the bank. These could include VaR analysis, scenario analysis and stress testing and single counterparty and concentration limits. Common metrics must be employed on a bank (or group)-wide basis to foster a bank (or group)-wide approach and effective identification and monitoring of risks across the Bank (or Group).
2. 2. Risk measurement and modeling techniques must be used in addition to qualitative risk analysis and monitoring. The comprehensive approach to risk management must include policies and procedures for the development and internal approval for use of models or other risk measurement methodologies. Where the models, or data for the models, are supplied by a third party, there must be a process for validation of the model and data relative to the specific circumstances of the bank.
3. 3. A bank must perform regular validation and testing of models. This must include evaluation of conceptual soundness, ongoing monitoring including process verification and benchmarking and outcomes analysis, including back-testing. Stress-testing and scenario analysis must be used to take into account the risk of model error and the uncertainties associated with valuations and concentration risks. Widely recognized weaknesses in VaR such as dependence on historical data and inadequate volatility estimates must be explicitly addressed by banks in developing and implementing VaR methodologies. Banks employing VaR or other model methodologies must regularly back-test actual performance against model predictions and adjust their methodologies in light of experience.
4. 4. Model-based approaches must be supplemented by other measures. These include qualitative assessment of the logic, judgment and types of information used in models as well as assessments of policies, procedures, risk limits and exposures, especially with respect to difficult to quantify risks such as operational, compliance and reputational.

1. 1. A bank must have a forward looking stress testing program that addresses credit, market and operational risk with the bank taking into account that its risk profile is likely to require capital in excess of the minimum capital requirements. The stress testing program must also include any risk that is material for the bank given the nature of its business. These may include but are not limited to: concentration risk; interest rate risk in the banking book; liquidity risk; currency risk; reputation and compliance risks; contagion risk; country and transfer risks; legal risk; and strategic risk.
2. 2. The requirement for a bank to use stress tests and scenario analysis to better understand potential risk exposures under a variety of adverse circumstances is common to both the risk governance framework and ICAAP. A bank must have a comprehensive approach to stress-testing that meets its ICAAP and other risk management requirements. Stress-testing within business lines can be a useful part of the program, however, there must be a means to capture correlations across business lines and obtain a bank-wide or, if applicable, a group-wide overview of performance in stress scenarios.
3. 3. A bank’s stress-testing program must be undertaken on a regular basis to facilitate the tracking of trends over time and developments in key risk factors and exposure amounts, in addition to ad hoc stress tests as required. The program must cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management and, as applicable, the Board or board risk committee must review and approve the scenarios. The specifics of the program must be tailored to the risk exposures of the bank and, at a minimum, must take into account the following factors:
   1. a. Bank and Group-specific and system-wide events;
   2. b. Extreme but plausible shocks as well more gradual changes in key risk parameters such as interest and exchange rates;
   3. c. Potential reputational risk implications of the bank’s actions in a stress scenario;
   4. d. Potential for loss of key sources of funding; and
   5. e. Potential outflows related to customer activity.
4. 4. Stress test program results must be periodically reviewed by the Board or the board risk committee. Results must be incorporated into reviews of the risk appetite, the bank’s ICAAP and capital and liquidity planning processes. The risk management function is responsible for recommending any action required, for example adjustments to risk limits or contingency arrangements, based on stress test results. The results of stress tests and scenario analysis must be communicated to the relevant business line management and functional heads within the bank to assist them in understanding and mitigating the risks inherent in their activities. Stress test program results must factor in the bank’s contingency planning, particularly liquidity risk management and contingency funding.
5. 5. The identification and management of all material risks must be consistent on a bank-wide and if applicable, group-wide basis. This is of particular importance with respect to a bank’s and, if applicable, a group’s ICAAP, given the significant intersection and mutual reinforcement of risk management and capital adequacy. For example, capital and liquidity implications need to be considered in the determination of risks the bank is prepared to assume and the limits for those risks established in the risk appetite statement. Similarly, the impact on capital and liquidity is an important element of a bank’s procedures for review of new products or business lines or acquisitions.
6. 6. From the perspective of capital planning, the ICAAP must explicitly incorporate all material risks, which a bank identifies through its comprehensive approach to risk management. Stress test results must be considered in developing liquidity plans, particularly contingency funding arrangements.

1. 1.  A bank’s comprehensive approach to risk management must include policies and procedures designed to provide risk data aggregation and reporting capabilities appropriate for the risk profile, nature, size and complexity of the bank's business and structure. The policies and procedures for risk data aggregation and reporting must provide for the design, implementation and maintenance of a data architecture and information technology infrastructure that supports the bank’s monitoring and reporting needs in normal times and periods of stress.
2. 2. A bank’s systems must support supervisory reporting requirements and provision of risk reports to all relevant parties within the bank on a timely basis and in a format commensurate with their needs. The scope of reporting must be proportionate to the business activities and complexity of the bank. Ideally, banks will have a highly automated process, however, certain circumstances may mean that manual intervention is required to aggregate risk data and produce supervisory and internal risk management reports.
3. 3. The processes for aggregating the necessary data and producing supervisory and internal risk management reports must be fully documented and establish standards, cutoff times and schedules for report production. The aggregation and reporting process must be subject to high standards of validation through periodic review by the internal audit function using staff with specific systems, data and reporting expertise, particularly where the process requires substantial manual intervention.
4. 4. Banks are encouraged to adopt centralized databases with single identifiers and/or uniform naming conventions for legal entities, counterparties, customers and accounts to facilitate accessing multiple records of risk data across the bank or group in a timely manner. Bank systems must be adequate to compile gross and net exposures to institutional counterparties (i.e. interbank, central counterparties) and to capture credit risk concentrations on a bank-wide or, if applicable, group-wide basis, including on and off-balance sheet exposures, for individual counterparties, groups of related counterparties and other concentrations relevant to the bank’s business such as by currency, industry sector or geographic region. Banks are encouraged to have this information available on a daily basis.

1. l. A bank must have approval procedures for new products, material modification to existing products and strategic or major operational initiatives such as changes in systems, business models or acquisitions. The procedures must ensure that strategic and major operational decisions require approval by the board or a committee of the board. Approval authority for new products or material changes to existing projects may be delegated by the Board to the appropriate level of management, although the Board remains ultimately responsible.
2. 2. In addition to providing for reporting that enables the Board and senior management to monitor the associated risks on an ongoing basis, the procedures must include at a minimum:
   1. a. An assessment of risks under a variety of scenarios, particularly with more pessimistic assumptions than the base-line case;
   2. b. An assessment of the extent to which the bank’s risk management, legal and regulatory compliance, information technology, business line and internal control functions have the necessary expertise, systems and other tools to measure and manage the associated risks, if necessary withholding approval if the required measures are not in place; and
   3. c. An ongoing assessment of risk and performance relative to initial projections and if necessary adapting the risk management treatment in light of experience.
3. 3. Mergers and acquisitions, disposals and other changes to bank or group structure can pose special risk management challenges. Risks can arise from conducting insufficient due diligence that fails to identity post-transaction risks or activities conflicting with the bank’s strategic objectives or Risk Appetite. The risk management function must be actively involved in assessing the risks of such transactions and must report its findings directly to the Board or a committee of the board.

1. 1. A bank for which the Central Bank is the primary regulator is required to meet the objectives of the Regulation and Standards on a solo and group-wide basis. Subsidiaries and affiliates, including non-bank entities, must be captured by the bank’s comprehensive approach to risk management and must be part of the overall risk governance framework to ensure that the policies, business strategies, procedures and controls of the subsidiaries and affiliates are aligned with those of the group.
2. 2. The boards and senior management of subsidiaries and affiliates remain responsible for their entities’ risk management. The methods and procedures applied by subsidiaries and affiliates must support risk management on a group-wide basis. Parent banks must conduct group-wide risk management and prescribe group policies and procedures, while the boards and senior management of subsidiaries and affiliates must have input with respect to the local or regional application of these policies and procedures and the assessment of local or regional risks.
3. 3. Parent banks are responsible for ensuring that the risk management function in subsidiaries and affiliates is adequately resourced and that group reporting lines support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines throughout the group. Parent banks are responsible for ensuring that reporting to the group by subsidiaries and affiliates is sufficiently detailed and timely to support effective group-wide risk management.
4. 4. Where the Central Bank is not the primary regulator of a bank that operates a branch in the U.A.E., the branch must have a risk governance framework and risk management function that meets the requirements of the Regulation and Standards. The “three lines of defense” approach must be incorporated within the branch. This will require a senior risk officer, compliance officer and senior internal audit officer with stature within the branch comparable to the business line managers².
5. 5. Reporting relationships between officers of the branch and group business lines and functions must support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines. These branches must provide the Central Bank with unfettered access to any staff of the group involved in the risk management of the branch and any group reports or data that the Central Bank may request.

² Considering the principle of proportionality and the role of group functions in overseeing the branch, a bank may demonstrate to the Central Bank that it meets the requirements of the Regulation and Standards in some other way.

1. 1. A Bank must comply with the disclosure requirements. A bank must have a board-approved disclosure policy. A bank must describe in its disclosures its risk management objectives and policies including the following items:
   1. a. Strategies and processes (for each material risk);
   2. b. Structure and organization of its risk governance;
   3. c. Scope and nature of risk reporting and/or measurement systems;
   4. d. Policies for hedging and/or mitigating risk; and
   5. e. Strategies and processes for monitoring the continuing effectiveness of hedges/mitigants.

1. 1. The Board offering Islamic financial services must ensure that the comprehensive approach to risk management ensures compliance with Sharī’ah provisions in addition to meeting the other requirements of the Regulation and Standards. The risk governance framework must specifically identify and address for each relevant risk any elements arising from the use of Islamic financial instruments, as well as risks specific to Islamic instruments and agreements. At a minimum, the risk governance framework of a bank offering Islamic financial services must address:
   1. a. Identifying, monitoring and mitigating potential credit risk exposures that may arise at different stages of the various financing agreements;
   2. b. Requiring a due diligence review in respect of counterparties prior to deciding on the choice of an appropriate Islamic financing instrument;
   3. c. Considering separately and on an overall basis liquidity exposures with respect to each category of current account, unrestricted and restricted investment accounts;
   4. d. Ensuring adequate recourse to Sharī’ah-compliant funds to mitigate liquidity risk;
   5. e. Identifying and managing equity investment risk including appropriate and consistent valuation methodologies agreed between the bank and its equity investment partners and exit strategies with respect to equity investment activities;
   6. f. Ensuring compliance with Sharī’ah provisions to mitigate the risk of income having to be donated to charity rather than recognized;
   7. g. Implementing a comprehensive approach to assessing and reporting on the potential impacts of market factors affecting rates of returns on assets relative to the expected rates of return to investment account holders (rate of return risk);
   8. h. Using appropriate measures to safeguard the interests of all fund providers which will include but is not limited to ensuring that when investor funds are comingled with the bank’s funds, the basis for asset, revenue, expense and profit allocations are established, applied and reported in a manner consistent with the bank’s fiduciary responsibilities; and
   9. i. Ensuring that risks arising from the provision of Islamic financial services are appropriately captured in the bank's forward-looking stress-testing program.

1. 1.1This Standard re risk management requirements for Islamic banks (“the Standard”) forms part of the Risk Management Regulation (Circular 153/2018) issued by the Central Bank on 27^th May 2018. Licensed banks that conduct all or part of their activities in accordance with the provisions of Islamic Shari’ah (“Islamic Banks and Banks Housing an Islamic Window” both referred to hereafter as “IBs”) must comply with this Standard. This Standard is mandatory and enforceable in the same manner as the Regulation.
2. 1.2Banks housing an Islamic Window should comply with the provisions of this Standard in relation to the Shari’ah compliant businesses and activities. Banks housing an Islamic Window must integrate the risk management requirements stated in this Standard within the existing risk management framework and apply these requirements to the existing modes and contracts within the Islamic Window.
3. 1.3This Standard should be read in conjunction with the other risk management standards issued by the Central Bank. The Standard elaborates on risk management aspects pertaining to IBs that have not been specifically addressed in other regulations or standards issued by the Central Bank. IBs should comply with the requirements of this Standard in addition to the requirements stated in the other risk management regulations and standards.
4. 1.4It is crucial for IBs to recognize and evaluate the overlapping nature and transformation of risks that exist between and among the categories of the above-mentioned risks. IBs may also face consequential business risks relating to developments in the external marketplace. Adverse changes in IB’ markets, counterparties, or products as well as changes in the economic and political environments in which IBs operate and the effects of different Shari’ah standards are examples of business risk. These changes may affect IBs’ business plans, supporting systems and financial position. In this regard, IBs are expected to view the management of these risks from a holistic perspective.
5. 1.5IBs are exposed to reputational risk arising from failures in governance, business strategy and process. Negative publicity about the IBs business practices, particularly relating to Shari’ah non-compliance in their products and services, could have negative impact on their market position, profitability and liquidity.
6. 1.6This Standard is issued pursuant to the powers vested in the Central Bank under the provisions of the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments (“Central Bank Law”).
7. 1.7Where this Standard stipulates to provide information, undertake certain measures, or address certain terms listed as a minimum, the Central Bank may impose requirements, which are additional to those outlined in the relevant article of the Standard.
8. 1.8This Standard elaborates on the supervisory expectations of the Central Bank with respect to risk management for Shari’ah compliant businesses and activities.

1. 2.1This Standard applies to all IBs. IBs established in the UAE with Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Standard is adhered to on a solo and Group-wide basis.
2. 2.3An IB which sets up special purpose vehicles with the objective of conducting specific Shari’ah compliant activity must ensure that the risks arising in the special purpose vehicle are monitored and reported at the group level (risk management on a consolidated basis).
3. 2.4This Standard must also be read in conjunction with the Standards and Resolutions issued by the Higher Shari’ah Authority (HSA).

1. a.Affiliate: An entity that, directly or indirectly, controls, or is controlled by, or is under common control with another entity. The term control as used herein to mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direct of the management of another entity.
2. b.Board: The Islamic Bank’s board of directors.
3. c.Central Bank: The Central Bank of the United Arab Emirates.
4. d.Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments.
5. e.Central Bank Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
6. f.Credit Risk: The potential that a counterparty fails to meet its obligations in accordance with agreed terms. Credit risk includes the risk arising in the settlement and clearing transactions.
7. g.Compliance with Islamic Shari’ah refers to compliance with Shari’ah in accordance with:

   a.resolutions, fatwas, regulations, and standards issued by the Higher Shari’ah Authority in relation to licensed activities and businesses of IBs (“HSA’s Resolutions”), and

   b.resolutions and fatwas issued by Internal Shari’ah Supervision Committee (“ISSC”) of the respective IB, in relation to licensed activities and businesses of such institution (“the ISSC’s Resolutions”), provided they do not contradict HSA’s Resolutions.

8. h.Displaced Commercial Risk: Risk where the IB may be under market pressure to voluntarily pay a return that exceeds the rate that has been earned on assets financed by Investment Account Holder when the return on assets is under-performing as compared with competitors’ rates.
9. i.Equity Investment Risk: Risk arising from entering into a partnership for the purpose of undertaking or participating in a particular financing or general business activity as described in the contract, and in which the provider of finance shares in the business risk.
10. j.Fiduciary responsibilities and duties refers to the responsibilities of IB to treat all their fund providers appropriately and in accordance with the terms and conditions of their investment agreements.
11. k.Fiduciary Risk: Risk that arises from IBs’ failure to perform in accordance with explicit and implicit Standards applicable to their fiduciary responsibilities.
12. l.Fund Providers: Refers to the deposits received by IB and that includes (a) current account holders; and (b) Investment Account Holders.
13. m.Group: A group of entities which includes an entity (the ‘first entity’) and:

    a.any Controlling Shareholder of the first entity;

    b.any Subsidiary of the first entity or of any Controlling Shareholder of the first entity; and

    c.any Affiliate, joint venture, sister company and other member of the Group.

14. n.Internal Shari’ah Audit: Regular process to inspect and assess the IB’s compliance with Islamic Shari’ah and the level of effectiveness of the IB’s Shari’ah governance systems.
15. o.Internal Shari’ah Supervision Committee (ISSC): A body appointed by the IB, comprised of scholars specialized in Islamic financial transactions, which independently supervises the transactions, activities, and products of the IB and ensures they compliance with Islamic Shari’ah in all its objectives, activities, operations, and code of conduct.
16. p.Internal Shari’ah Control Division (or Section): Technical division (or section) in the IBs with a mandate to support the ISSC its mandate.
17. q.Investment Risk Reserve: Investment risk reserve is the amount appropriated by the IBs out of the income of Investment Account Holder (IAH), after allocating the Mudarib’s share, in order to cushion against future investment losses for IAH.
18. r.Investment Account: Refers to the deposits accepted by IBs on the basis of Mudarabah or Wakalah contract or any other profit generating contract.
19. s.Islamic Window: Refers to the licensed activities that are conducted in accordance with the Islamic Shari’ah that are carried by financial institutions for their account or for the account of or in partnership with third parties which comply with the regulatory requirements stated in this Standard and other regulations issued by the Central Bank.
20. t.Market Risk: Refers to the potential impact of adverse price movements such as benchmark rates, foreign exchange (FX) rates, equity prices and commodity prices, on the economic value of an asset.
21. u.Parent: An entity (the ‘first entity’) which:
    1. a.Holds a majority of the voting rights in another entity (‘the second entity’);
    2. b.Is a shareholder of the second entity and has the right to appoint or remove the majority of the board of directors or managers of the second entity; or
    3. c.Is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
    4. d.If the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
22. v.Profit Equalization Reserve: The amount appropriated out of the Mudaraba profits, in order to maintain a certain level of return on investment for the Mudarib and unrestricted investment account holders and mitigate displaced commercial risk.
23. w.Rate of Return Risk: Overall balance sheet exposures where mismatches arise between assets and balances from fund providers.
24. x.Restricted Investment Accounts: The account holders authorize the IBs to invest their funds based on Mudaraba or Wakala contracts with certain restrictions as to where, how and for what purpose these funds are to be invested.
25. y.Risk Appetite: The aggregate level and types of risk an IB is willing to assume, decided in advance and approved by the Board and within its risk capacity, to achieve its strategic objectives and business plan.
26. z.Risk Limits: Specific quantitative measures that must not be exceeded based on, for example, forward-looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
27. aa.Risk Profile: Point in time assessment of the bank’s gross (before the application of any risk mitigants) or net (after taking into account risk mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
28. bb.Risk Governance Framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the bank’s strategy; and identify, measure, manage and control risks.
29. cc.Risk Management Function: Collectively, the systems, structures, policies, procedures and people that measure, report and monitor risk on a bank-wide and, if applicable, group-wide basis.
30. dd.Senior Management: The executive management of the Bank responsible and accountable to the Board for sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
31. ee.Shari’ah Non-Compliance Risk: Probability of financial loss or reputational damage that IB might incur or suffer due to not complying with Islamic Shari’ah.
32. ff.Subsidiary: An entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
    1. a.Holds a majority of the voting rights in the first entity;
    2. b.Is a shareholder of the first entity and has the right to appoint or remove the majority of the board of directors or managers of the first entity; or
    3. c.Is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
    4. d.If the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
33. gg.Unrestricted Investment Accounts: The account where the holders authorize the IBs to invest their funds based on Mudaraba or Wakala (agency) contracts without laying any restriction on how the investment is to be managed. The IBs can commingle these funds with their own funds and invest them in pooled portfolio.

1. 4.1An IB must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risks. The risk governance framework consists of policies, procedures processes, systems, controls and limits. The risk governance framework must be comprehensive and address the specific risks associated with Shari’ah compliant businesses and activities.
2. 4.2IBs that are branches of foreign licensed financial institutions must adhere to this Standard or establish equivalent arrangements to ensure regulatory comparability and consistency. The equivalent arrangement, if applicable, should include the matters related to general assembly, the Board and its Committees without contradicting the prevailing laws in the UAE. The equivalent arrangements must be submitted to the Central Bank for approval.
3. 4.3IBs must ensure an adequate system of controls with appropriate checks and balances are in place. The controls must (a) comply with the Islamic Shari’ah, (b) comply with applicable regulatory and internal policies and procedures; and (c) take into account the integrity of risk management processes.
4. 4.4In addition to the minimum elements of the risk governance framework stated in the Central Bank’s Risk Management Standards (153/2018), IBs must incorporate the following minimum elements into the risk governance framework:
   1. a.Internal Shari’ah Supervisory Committee,
   2. b.Internal Shari’ah Compliance, and
   3. c.Internal Shari’ah Audit.
5. 4.5In defining and assessing risks, IBs must consider both the probability of the risk materializing and its potential impact on the IB. In addition to the factors to be assessed in the context of the potential risk impact as stated within Central Bank’s Risk Management Standards (153/2018) the IB must also assess the ability to meet its fiduciary responsibility to Investment Account Holders (IAH), both restricted and unrestricted investment accounts.
6. 4.6IBs risk governance framework must address all material risks which at a minimum must include the following items:
   1. a.Credit Risk;
   2. b.Market Risk;
   3. c.Liquidity Risk;
   4. d.Operational Risk and Shari’ah Non-compliance Risk;
   5. e.Displaced Commercial Risk;
   6. f.Equity Investment Risk;
   7. g.Rate of Return Risk;
   8. h.Risks arising from its strategic objectives and business plans; and
   9. i.Other risks that singly, or in combination with different risks, may have a material impact on the IB.
7. 4.7The Board is ultimately responsible for developing the IB’s Shari’ah compliant risk governance framework. The framework must incorporate a “three lines of defense” approach. In addition to the stated requirements within the Central Bank’s Risk Management Standards (153/2018) the IB’s approach should also include provisions relating to:
   • -Internal Shari’ah Supervision Committee (ISSC);
   • -Internal Shari’ah compliance, and
   • -Internal Shari’ah Audit.
8. 4.8The risk appetite statement must reflect a written articulation of the aggregate level and types of risk that an IB is willing to accept, or avoid, in order to achieve its business objectives. However, an IB should have no tolerance toward Shari’ah non-compliance risk. In addition to the minimum items set-out within Central Bank’s Risk Management Standards (153/2018), an IB’s risk appetite statement must also cover the following risks:
   • -Shari’ah Non-Compliance Risk,
   • -Displaced Commercial Risk,
   • -Rate of Return Risk and
   • -Equity Investment Risk.
9. 4.9IBs must define and document roles and responsibilities towards IBs’ risk governance framework.
10. 4.10The Board’s Risk Committee (“Risk Committee”) is responsible to review and approve the establishment of framework for managing all material risks as part of the overall risk management framework of the IB and must oversee its implementation by the Senior Management.
11. 4.11The Risk Committee must supervise and monitor the management of Shari’ah non-compliance risk and set controls in relation to this type of risk, in consultation with the ISSC and through the internal Shari’ah control division, or section.
12. 4.12The Risk Committee must ensure there is an information system that enables the IB to measure, assess and report all risks including but not limited to Shari’ah Non-Compliance Risk, Equity Investment Risk and Displaced Commercial Risk. Reports must be provided on a timely manner to the Board and Senior Management, in formats suitable for their use and understanding.
13. 4.13In addition to the minimum items set-out within Central Bank’s Risk Management Regulation, IBs must include in its documented ICAAP, within the Internal Control review, provisions relating to the Internal Shari’ah Audit function.
14. 4.14IBs should manage risks in accordance with the Shari’ah rules and the scope determined by the contracts IBs use as basis for their financial transactions. IBs may not transfer risks to counterparties, or avoid responsibilities and ownership risks, which result from using specific contracts. IBs may manage these risks by other means that do not conflict with the provisions of Islamic Shari’ah.

1. 5.1The head of the risk management function, the Chief Risk Officer (CRO) or equivalent is responsible for assisting the Board, board committees, executive committee (including the Internal Shari’ah Supervision Committee), senior management (including Internal Shari’ah Control Division or Section and Internal Shari’ah Audit) to develop and maintain the risk governance framework applicable to its IB.
2. 5.2In addition to the key activities set out within the Central Bank’s Risk Management Standards (153/2018), IBs must include identifying, assessing, monitoring and reporting risks associated specifically to Shari’ah compliant business and activities.

1. 6.1The risk assessment and measurement processes undertaken by IBs must specifically address the risk of loss arising from Mudaraba, Musharaka and Wakala contracts, where applicable. Rigorous risk evaluation (including due diligence) must be adequately conducted in view of the exposure to capital impairment.

1. 7.1IBs must ensure that risks arising from the provision of Shari’ah Compliant business and activities are appropriately captured in the IBs’ forward-looking stress-testing program.

1. 8.1IBs must ensure that an adequate system of controls with appropriate checks and balances are in place. The controls must:
   1. a.Ensure compliance with the provisions of Islamic Shari’ah, and
   2. b.Take into account the integrity of risk management processes.

1. 9.1As part of the IBs’ overarching approval process, the following at a minimum must be undertaken by IBs:
   1. a.New Product Approvals must include a risk assessment with a variety of scenarios, particularly with more pessimistic assumptions than the base-line case. The assessment should take into consideration the legal consequences of the underlying Shari’ah structure/contract throughout the life span of the products and services e.g. event of default, restructuring and rescheduling scenarios.
   2. b.Mergers and acquisitions, disposal and other changes must include adequate due diligence that identifies post-transaction risks or activities conflicting with the IBs’ Governance Framework and other specifities relating to IBs. An IB must have a strategy towards alleviating over-dependence on few types of underlying structures/contracts that may present limitations in terms of tradability and flexibility in the events where risk emerges (e.g. dependence on monetization products).

1. 10.1In addition to the requirements set out within Central Bank’s Risk Management Standards (153/2018) regarding disclosures, IBs must make appropriate and timely disclosure of information to Investment Account Holders. The disclosure should include information related to Profit Equalization Reserves and Investment Risk Reserves, if applicable, so that the investors are able to assess the potential risks and rewards of their investments and to protect their own interests in their decision-making process. Applicable international financial reporting standards must be used for this purpose.

1. 11.1IBs must have in place:
   • -an appropriate credit strategy, including pricing and tolerance for undertaking credit risks exposures;
   • -a risk management structure with effective oversight of credit risk management; credit policies and operational procedures including credit criteria and credit review processes, acceptable forms of risk mitigation, and limit setting;
   • -an appropriate measurement and careful analysis of exposures, including market and liquidity-sensitive exposures; and
   • -a system (a) to monitor the condition of ongoing individual credits to ensure the financings are made in accordance with the IBs’ policies and procedures, (b) to manage credit challenges according to an established remedial process; and (c) to ensure adequate provisions are allocated.
2. 11.2IBs must have in place an appropriate framework for credit risk management and reporting in respect to all assets. This includes credit risk related to different stages of the Shari’ah compliant products and investments. IBs must apply the credit risk principles to credit risks associated with securitization and investment activities.
3. 11.3The risk assessment and measurement processes undertaken by IBs must also be applicable to profit sharing assets (Mudaraba and Musharaka) which are classified under equity investments. Rigorous risk evaluation (including due diligence) and controls of these investments are necessary in view of their exposure to capital impairment. This must not contradict the risk sharing nature in these instruments as prescribed by Islamic Shari’ah.
4. 11.4IBs must have in place a strategy for financing, using various instruments in compliance with Shari’ah, whereby the strategy recognizes the potential credit exposures that may arise at different stages of the various financing agreements.
5. 11.5IBs must manage and account for the credit risk arising from Shari’ah compliant instruments where:
   • -no Shari’ah compliant compensation can be imposed, and/or
   • -the profit cannot be increased/continued.
6. 11.6IBs must have a policy for carrying out a due diligence review in respect of counterparties prior to deciding on the choice of an appropriate Shari’ah compliant financing instrument.
   This has to be carried in particular, for transactions involving:
   - New ventures with multiple financing modes: IBs should carry out due diligence processes on customers using multiple financing modes to meet specific financial objectives designed to address Shari’ah, legal or tax issues of customers.
   - Creditworthiness that may be influenced by external factors: Where significant investment risks are present in participatory instruments, especially in the case of Mudarabah financings, additional counterparty reviews and evaluations will focus on the business purpose, operational capability, enforcement and economic substance of the proposed project including the assessment of realistic forecasts of estimated future cash flows. IBs should put in place risk mitigating structures in place to the extent possible.
7. 11.7IBs must have in place Shari’ah compliant credit risk mitigating techniques appropriate for each Islamic financing instrument. IBs must be aware of the commencement of exposure to credit risk inherent in different financing instruments such as the non-binding nature of certain contracts. Risk management techniques should not change the nature or the Shari’ah aspects of the contract in order to mitigate the risk.
8. 11.8IBs should clearly define their credit risk-mitigating techniques including, but not limited to, having in place:
   • -a methodology for setting mark-up rates according to the risk rating of the counterparties, where expected risks should be taken into account in the pricing decisions;
   • -permissible and enforceable collateral and guarantees;
   • -stipulating the counter party’s commitment to donate in case of default in the legal documentations in accordance with the applicable Shari’ah resolutions and standards;
   • -clear documentation as to whether or not purchase orders are cancellable; and
   • -clear procedures for taking account of governing laws for contracts relating to financing transactions.
9. 11.9In a financing involving several related agreements, IBs must be aware of the binding obligations arising in connection with credit risks associated with the underlying assets for each agreement. IBs must ensure that all components of a financial structure comply with the Shari’ah parameters applicable to combination of contracts.
10. 11.10IBs must establish limits on the degree of reliance and the enforceability of collateral and guarantees subject to the provisions set-out within the relevant rules of Islamic Shari’ah.
11. 11.11IBs must have appropriate credit management systems and administrative procedures in place to undertake early remedial action in the case of financial distress of a counterparty or, in particular, for managing bad credits, potential and defaulting counterparties. This system should be reviewed on a regular basis. Remedial actions will include both administrative and financial measures.
    Administrative measures may inter alia include:
    • -negotiating and following-up pro-actively with the counterparty through maintaining frequent contact with the counterparty;
    • -setting an allowable timeframe for payment or to offer rescheduling (without an increase in the amount of the debt in debt based instruments) or Shari’ah compliant restructuring arrangements;
    • -using a debt-collection agency;
    • -resorting to legal action, including the attachment of any credit balance belonging to defaulters according to the agreement between them; and
    • -making a claim under Shari’ah-compliant insurance as applicable.

    Financial measures may include, among others:

    • -invoking commitment to donate clauses, where applicable, in accordance with the relevant Shari’ah parameters,; and
    • -establishing the enforceability of collateral or third party guarantees.
12. 11.12IBs must set appropriate measures for early settlements.
13. 11.13IBs must have policies to define adequately the action to be taken by the IB when a customer cancels a non-binding purchase order.
14. 11.14IBs should assess and establish appropriate policies and procedures pertaining to the risks associated with their own exposures in parallel transactions.
15. 11.15IBs must ensure, whenever possible or applicable, that there is sufficient Shari’ah-compliant insurance coverage of the value of the assets.
16. 11.16IBs must have in place an appropriate policy for determining and allocating provisions for (a) non-performing debt categories, including counterparty exposures; and (b) estimated impairment in value of assets.

1. 12.1Requirements on market risk must be read in conjunction with the Market Risk Regulation and accompanying Standards (Circular 164/2018).
   IBs must have in place an appropriate framework for market risk management in each stage of the contract, including reporting in respect of all assets held, particularly those that do not have a ready market and/or are exposed to high price volatility.
2. 12.2IBs must establish a sound and comprehensive market risk management process and information system, which (among others) comprises:
   • -a conceptual framework to assist in identifying underlying market risks;
   • -guidelines governing risk taking activities in different portfolios of restricted IAH and their market risk limits;
   • -appropriate frameworks for pricing, valuation and income recognition; and
   • -a strong management information system for controlling, monitoring and reporting market risk exposure and performance to appropriate levels of senior management.

   Given that all the required measures are in place (e.g. pricing, valuation and income recognition frameworks, strong MIS for managing exposures, etc.), the applicability of any market risk management framework that has been developed should be assessed taking into account consequential business and reputation risks.

3. 12.3IBs must adhere to the fiduciary duty to apply the same risk management policies and procedures to assets held on behalf of restricted Investment Account Holders as they do for assets held on behalf of shareholders and unrestricted Investment Account Holders.
4. 12.4IBs must be able to quantify market risk exposures and assess exposure to the probability of future losses in their net open asset positions.
5. 12.5IBs must take into consideration the specifics of each Shari’ah compliant instrument in the following manner:
   1. a.In operating Ijarah contracts, a lessor is exposed to market risk on the residual value of the leased asset at the term of the lease or if the lessee terminates the lease earlier (by defaulting), during the contract
   2. b.In Salam, an IB as a buyer is exposed to commodity price fluctuations on a long position after entering into a contract and while holding the subject matter until it is disposed of. In the case of parallel Salam, there is also the risk that a failure of delivery of the subject matter by the counterparty which exposes the IBs to commodity price risk as a result of the need to purchase a similar asset in the market in order to honor the parallel Salam contract.
   3. c.Before acquisition of financial assets not actively traded with the intention of selling them, an IB must analyze and assess the factors attributable to changes in liquidity of the markets in which the assets are traded and which give rise to greater market risk.

   IBs may hedge foreign exchange fluctuations arising from general FX spot rate changes in both cross-border transactions and the resultant foreign currency receivables and payables using Shari’ah compliant methods.

6. 12.6In the valuation of assets where no direct market prices are available, IBs must incorporate in their own product program a detailed approach to valuing their market risk positions. IBs may employ appropriate forecasting techniques to assess the potential value of these assets.
   Where available valuation methodologies are deficient, IBs must assess the need (a) to allocate funds to cover risks resulting from illiquidity and uncertainty in assumptions underlying valuation and realization; and (b) to establish a contractual agreement with the counterparty specifying the methods to be used in valuing the assets

1. 13.1IBs must establish an adequate framework towards the management of market risks inherent in the holding of Mudaraba, Musharaka, and Wakala instruments for investment purposes. This includes consideration of quality of the partner, underlying business activities and ongoing operational matters.
2. 13.2IBs must have in place appropriate mechanisms to safeguard the interests of all fund providers. Where IAH funds are commingled with the IBs’ own funds, the IBs must ensure that the bases for asset, revenue, expense and profit allocations are established, applied and reported in a manner consistent with the IB’s fiduciary responsibilities.
3. 13.3In performing the due diligence review, IBs must consider in evaluating the risk in Mudarabah, Musharakah, and Wakala instruments and the capabilities and risk profiles of potential partners (Mudarib or Musharakah partner). Such due diligence is essential to an IBs’ fiduciary responsibilities as an investor of IAH funds in profit sharing and loss-bearing instruments (such as Mudarabah, Musharkah and Wakala).
4. 13.4IBs must consider factors relating to the legal and regulatory environment affecting the equity investment performance during risk evaluation. These factors include policies pertaining to tariffs, quotas, taxation or subsidies and any sudden policy changes affecting the quality and viability of an investment.
5. 13.5IBs risk mitigation techniques attaching to lack of reliable information must require its investor to take an active role in monitoring the investment, or the use of specific risk mitigating structures.
6. 13.6IBs must define and set the objectives of, and criteria for, investments before using profit-sharing and loss-bearing instruments (such as Mudarabah, Musharkah and Wakala), including the types of investment, tolerance for risk, expected returns and desired holding periods.
7. 13.7IBs must have, and keep under review, policies, procedures and an appropriate management structure for evaluating and managing the risks involved in the acquisition of, holding and exiting from loss bearing investments. IBs must ensure proper infrastructure and capacity are in place to monitor continuously the performance and operations of the entity in which IB invest as partners. These should include evaluation of Shari’ah compliance, adequate financial reporting by, and periodical meetings with, partners and proper recordkeeping of these meetings.
8. 13.8IBs must identify and monitor the transformation of risks at various stages of investment lifecycles, for example, where the investee’s business involves innovative or new products and services in the marketplace.
9. 13.9IBs must analyze and determine possible factors affecting the expected volume and timing of cash flows for both returns and capital gains arising from equity investments.
10. 13.10IBs must use Shari’ah compliant risk-mitigating techniques, which reduce the impact of possible capital impairment of an investment. This may include the use of Shari’ah permissible security from the partner.
11. 13.11IBs must ensure that their valuation methodologies are appropriate and consistent and must assess the potential impacts of their methods on profit calculations and allocations. The methods must be mutually agreed between the IB and the Mudarib and/or Musharaka partners.
12. 13.12IBs must assess and take measures to deal with the risks associated with potential manipulation of reported results leading to overstatements or understatements of partnership earnings.
13. 13.13IBs must define and establish exit strategies in respect of their equity investment activities, including extension and redemption conditions for Mudaraba, Musharaka and Wakala investments, subject to the approval of the institution’s Internal Shari’ah Supervision Committee.
14. 13.14IBs must be aware that the risks arising from the use of profit-sharing instruments for financing purposes do not include credit risk in the conventional sense but share a crucial characteristic of credit risk because of the risk of capital impairment.

1. 14.1Requirements in this area must be read in conjunction with the Interest Rate and Rate of Return Risk in the Banking Book Regulation and accompanying Standards (Circular No. 165/2018). IBs must establish a comprehensive risk management and reporting process to assess the potential impacts of market factors affecting rates of return on assets in comparison with the expected rates of return for IAH.
2. 14.2IBs must take necessary steps to ensure that the management processes relating to the identification, measurement, monitoring, reporting and control of the rate of return risk (including appropriate structure) are in place.
3. 14.3IBs must be aware of the factors that give rise to rate of return risk. The primary form of rate of return risk to which IBs are exposed comprises increasing long-term fixed rates in the market. IBs must have in place appropriate systems for identifying and measuring the factors, which give rise to rate of return risk.
4. 14.4IBs must employ a gapping method for allocating positions into time bands with remaining maturities or repricing dates, whichever is earlier.
5. 14.5IBs’ rate of risk return measurement must highlight the importance of cash flow forecasting for instruments and contracts where IBs are required to simulate and assess their behavioral maturity, underlying assumptions and parameters, which must be reviewed periodically for reliability. The materiality of potential threats to future earnings and the usefulness of the resulting information must be considered in determining the type and extent of forecasted behavior for IBs.
6. 14.6IBs are encouraged to employ balance sheet techniques to minimize their exposures using the following strategies, among others:
   1. a.determining and varying future profit ratios according to expectations of market conditions;
   2. b.developing new Shari’ah-compliant instruments; and
   3. c.issuing securitization tranches of Shari’ah permissible assets.

1. 15.1IBs must have in place an appropriate framework for managing displaced commercial risk, where applicable.
2. 15.2IBs must have in place a policy and framework for managing the expectations of their shareholders and IAH.
3. 15.3IBs must develop and maintain an informed judgement about an appropriate level of the balances of Profit Equalization Reserve, bearing in mind that its essential function is to provide mitigation of displaced commercial risk.

1. 16.1IBs must have in place an appropriate framework, adequate systems, controls and limits for Operational and Shari’ah Non-Compliance Risk management.
2. 16.2IBs must consider the full range of material operational risks affecting their operations, including the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. IBs must also incorporate possible causes of loss resulting from Shari’ah non-compliance and the failure in their fiduciary responsibilities.
3. 16.3IBs must be aware of being exposed to risks relating to Shari’ah non-compliance and risks associated with the IBs’ fiduciary responsibilities towards different fund providers. These risks expose IBs to fund providers’ withdrawals, loss of income or voiding of contracts leading to a diminished reputation or the limitation of business opportunities.
4. 16.4IBs’ must be prudent towards Shari’ah compliance and such compliance requirements must permeate throughout the organization and their products and activities. The perception regarding IBs’ compliance with Shari’ah rules and principles is of great importance to their sustainability.
   In this regard, Shari’ah compliance is considered as falling within a higher priority category in relation to other identified risks. If IBs do not comply with Shari’ah rules and principles, the impacted transactions should be referred to the ISSC to decide on the appropriate treatment (remedy of contracts, derecognition of profit, etc.) and if needed such incidents may be escalated to the HSA.
5. 16.5IBs must ensure that their contract documentation complies with Shari’ah with regard to formation, termination and elements possibly affecting contract performance such as fraud, misrepresentation, duress or any other rights and obligations.
6. 16.6IBs must keep track of income not recognized due to Shari’ah non-compliance and assess the probability of similar cases arising in the future and ensure that appropriate controls are in place to avoid recurrences. This may include monitoring of income not recognized due to origination from Shari’ah non-compliant activities.
7. 16.7IBs must establish and implement a clear and formal policy for undertaking their different and potentially conflicting roles in respect of managing different types of investment accounts. The policy relating to safeguarding the interests of their IAH may include the following:
   • -identification of investing activities that contribute to investment returns and taking reasonable steps to carry on those activities in accordance with the IB’s fiduciary and agency duties and to treat all their fund providers appropriately and in accordance with the terms and conditions of their investment agreements;
   • -allocation of assets and profits between the IB and their IAH will be managed and applied appropriately to IAH having funds invested over different investment periods;
   • -determination of appropriate reserves at levels that do not discriminate against the right for better returns of existing IAH; and
   • -limiting the risk transmission between current and investment accounts.
8. 16.8IBs must adequately disclose information on a timely basis to their IAH and the markets in order to provide a reliable basis for assessing their risk profiles and investment performance.

1. 17.1The IBs should comply fully with these standard requirements within 180 days from publishing this Standard.
2. 17.2The Regulatory Development Division of the Central bank shall be the reference for interpretation of the provisions of this Standard.

The disclosures indicated may be made as part of the periodic financial reporting (marked “F” in Tables 1, and 2), or as part of product information published in connection with new products or changes in existing products - for example, prospectuses and offer documents (marked “P” in Tables 1, and 2). Some disclosures may be made under both headings.

Table 1: Investment Accounts (both Unrestricted and Restricted IAH)

Table 2: Unrestricted Investment Accounts