The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, banks are required to have a comprehensive approach to risk management, including Board and Senior Management oversight, to ensure their resiliency and enhance overall financial stability.

Risk management, together with internal audit and compliance, comprise key control functions in a bank. The control functions have a responsibility, independent of the management of the bank’s business lines, to provide objective assessment, reporting and/or assurance. The control functions are an essential foundation for effective corporate governance, which is the set of relationships between the bank’s management, board, shareholders and other stakeholders. Collectively these comprise the structure through which the objectives of the bank are set, the means of attaining those established objectives and the monitoring of performance against the established objectives.

In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that banks’ approaches to risk management are in line with leading international practices.

This Regulation and the accompanying Standards establish an overarching prudential framework for risk management. Standards and supervisory expectations for selected specific risks are, or will be, established in other Central Bank regulations.

This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

Where this Regulation, or the accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements, which are additional to the list provided in the relevant article.

The objective of this Regulation is to establish the minimum acceptable standards for Banks’ comprehensive approach to risk management with a view to:

i. Ensuring the soundness of banks; and

ii. Contributing to financial stability.

The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to risk management.

This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant group relationships, including subsidiaries, affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and group-wide basis.

1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
    
2. Bank: A financial entity that is authorized by the Central Bank to accept deposits as a bank.
    
3. Board: The Bank’s board of directors.
    
4. Central Bank: The Central Bank of the United Arab Emirates.
    
5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
    
6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
    
7. Group: A group of entities that includes an entity (the 'first entity') and:
    
   1. any Parent of the first entity;
       
   2. any Subsidiary of the first entity or of any Parent of the first entity; and
       
   3. any Affiliate.
       
8. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
    
9. Parent: An entity (the 'first entity') which:
    
   1. holds a majority of the voting rights in another entity (the 'second entity');
       
   2. is a shareholder of the second entity and has the right to appoint or remove a majority of the board of directors or managers of the second entity; or
       
   3. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity.
       

      Or;

   4. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
       
10. Risk appetite: The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
     
11. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
     
12. Risk profile: Point in time assessment of the bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
     
13. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the bank’s strategy; and identify, measure, manage and control risks.
     
14. Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank-wide and, if applicable, group-wide basis.
     
15. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
     
16. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
     
    1. holds a majority of the voting rights in the first entity;
        
    2. is a shareholder of the first entity and has the right to appoint or remove a majority of the board of directors or managers of the first entity; or
        
    3. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity.
        

       Or;

    4. if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
        

1. A Bank must have an appropriate risk governance framework that provides a bank-wide and, if applicable, group-wide view of all material risks. This includes policies, processes, procedures, systems and controls to identify, measure, evaluate, monitor, report and control or mitigate material sources of risk on a timely basis. A bank’s definition and assessment of material risks must take into account its risk profile, nature, size and complexity of its business and structure.
    
2. The Board is in ultimate control of the Bank and bears ultimate responsibility for ensuring that there is a comprehensive risk governance framework appropriate to the risk profile, nature, size and complexity of the Bank’s business and structure.
    
3. The risk governance framework must, at a minimum, provide for the following items:
    
   1. A board-approved risk appetite statement including limits for all relevant risk categories and risk concentrations;
       
   2. Documentation of the roles and responsibilities of the different parts of the Bank involved in managing risk;
       
   3. Policies and procedures to ensure that all material risks are identified, measured, managed, mitigated and reported upon in a timely and comprehensive manner; and
       
   4. Contingency arrangements such as business continuity plans and contingency funding plans for risks that may materialize in stress situations.
       
4. The risk-governance framework, in addition to the risk management function, must include adequately resourced compliance and internal audit functions to assess bank-wide, or if applicable, group–wide adherence, to relevant legislation, policies and procedures and to provide independent assurance regarding the implementation and effectiveness of risk management policies, procedures, systems and controls.
    
5. Senior Management is responsible for the implementation of sound policies, effective procedures and robust systems consistent with the board-approved risk governance framework. The Board remains ultimately accountable, notwithstanding specific responsibilities delegated to Senior Management.

1. A Bank must have an adequately resourced Risk Management Function headed by a chief risk officer or equivalent. The function must be independent of the management and decision-making of the Bank’s risk-taking functions and have a direct reporting line to the Board or a board risk committee.
    
2. The Risk Management Function must include policies, procedures, systems and controls for monitoring and reporting risk and to ensure that risk exposures are aligned with the Bank’s strategy and business plan and consistent with the board-approved risk appetite statement and individual risk limits.
    
3. Exceptions to the Bank’s risk management policies, procedures or limits must be immediately addressed by the appropriate level of management or the Board.
    
4. A Bank must immediately notify the Central Bank when it becomes aware of a significant deviation from its board-approved risk appetite statement, risk management policies or procedures, or that a material risk has not been adequately addressed.
    

1. A Bank must have systems to measure and monitor risk which are commensurate with the risk profile, nature, size and complexity of its business and structure.
    
2. The Board must have sufficient expertise to understand and oversee the risk measurement systems including any use of models.
    
3. Where a Bank uses models to measure components of risk, it must have appropriate internal processes for the development and approval for use of such models and must perform regular and independent validation and testing of the models. The Board remains ultimately accountable whether the approval for use of models is provided by the Board or through authority delegated to management.

1. 1. A Bank must implement a forward-looking stress-testing program as part of its comprehensive approach to risk management. Extreme, but plausible, adverse scenarios for a range of material risks must be included in the stress-testing program, commensurate with the size of the Bank’s risk exposures. The results of the stress-testing program must be reflected on an ongoing basis in the Bank’s risk management, including contingency planning and the Bank’s internal assessment of its capital and liquidity.
    
2. A Bank’s internal process for assessing capital and liquidity requirements must take into account the nature and level of risks taken by the Bank. In addition to the specific risks identified in the Central Bank Capital Adequacy and Liquidity Regulations and Standards, a Bank must consider all other material risks.

A Bank must have information systems that enable it to measure, assess and report on the size, composition and quality of risk exposures on a bank-wide and where applicable group-wide, basis across all risk types, products and counterparties. Reports must be provided on a timely basis to the Board and Senior Management, in formats suitable for their use and understanding.

1. A Bank must have adequate policies and procedures to ensure that the risks inherent in strategic or major operational initiatives such as changes in systems, business models, or acquisitions are identified, understood and mitigated to the extent possible. At a minimum, policies and procedures must require:
    
   1. Approval by the Board, or a board committee, of strategic and major operational decisions; and
       
   2. Reporting that enables the Board and Senior Management to monitor and manage these risks on an ongoing basis.
       
2. Policies and procedures must establish appropriate levels of approval authority for introducing new products and material modifications to existing products. The Board remains ultimately accountable notwithstanding any delegation of approval authority to Senior Management. At a minimum, policies and procedures must ensure:
    
   1. Assessment of the risks and determination that the Bank’s control functions and systems are adequate to measure and mitigate the risks; and
       
   2. Reporting that enables the Board and Senior Management to monitor and manage these risks on an ongoing basis.
       
3. A Bank must appropriately account for risks in its internal pricing, performance measurement and new product approval process, for all significant business activities.

1. Banks, for which the Central Bank is the primary regulator, who have significant group relationships including subsidiaries, affiliates, or international branches, must develop and maintain processes to coordinate the identification, measurement, evaluation, monitoring, reporting and control or mitigation of all internal and external sources of material risk across the group. The process must provide the Board with a solo and group-wide view of all material risks including the roles and relationships of other group entities to one another and to the Bank.
    

   The methods and procedures applied by subsidiaries, affiliates and international branches must support risk management on a group-wide basis. Banks must conduct group-wide risk management and prescribe group policies and procedures, while the boards and Senior Management of subsidiaries and affiliates must have input with respect to the local or regional application of these policies and procedures and the assessment of local or regional risks.

2. Where the Central Bank is not the primary regulator of a bank that is part of a Group and any element of its comprehensive approach to risk management is controlled or influenced by another entity in the group, the bank’s risk governance framework must specifically take into account risks arising from the Group relationship and clearly identify:
    
   1. Linkages and any significant differences between the Bank’s and the Group’s risk governance framework;
       
   2. Whether the bank’s risk management function is derived wholly or partially from Group risk management functions; and
       
   3. The process for monitoring by, or reporting to, the Group on risk management.

1. A Bank must make publicly available, including through publication in its annual report and on its website, information on its Risk Governance Framework and the nature and extent of its risk exposures.

1. A bank offering Islamic financial services must ensure that its approach to risk management incorporates appropriate measures to comply with Sharī’ah provisions.
    
2. A bank offering Islamic financial services must ensure that its risk governance framework addresses the potential risk exposures arising from Islamic financing instruments with respect to credit, market and liquidity risks as well as equity investment risk and rate of return risk and the operational and reputational risks from failure to adhere to Sharī’ah provisions.

1. Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action as deemed appropriate by the Central Bank.

1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

1. This Regulation and the accompanying Standards replace all previous Central Bank regulations with respect to risk management.

1. This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and must come into effect one month from the date of publication.

1. 1. These Standards form part of the Risk Management Regulation. All banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. 2. A bank's board of directors is in ultimate control of the bank and accordingly, ultimately responsible for the bank’s comprehensive approach to risk management. There is no one-size-fits-all or single best solution. Accordingly, each bank could meet the minimum requirements of the Regulation and Standards in a different way and thus may adopt an organisational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented a comprehensive approach to risk management. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards¹.
3. 3. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

¹ The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

1. 1. Affiliate: An entity that, directly or indirectly, controls, is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity or of the power to direct or cause the direction of the management of another entity.
2. 2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
3. 3. Board: The Bank’s board of directors.
4. 4. Central Bank: The Central Bank of the United Arab Emirates.
5. 5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
6. 6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
7. 7. Group: A group of entities that includes an entity (the 'first entity') and:
   1. a. any Parent of the first entity;
   2. b. any Subsidiary of the first entity or of any Parent of the first entity; and
   3. c. any Affiliate.
8. 8. Parent: An entity (the 'first entity') which:
   1. a. holds a majority of the voting rights in another entity (the 'second entity');
   2. b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
   3. c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;

      Or;

   4. d.  if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
9. 9. Risk appetite: The aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
10. 10. Risk capacity: The maximum amount of risk a bank is able to assume given its capital base, risk management and control measures, as well as its regulatory constraints.
11. 11. Risk culture: A bank’s norms, attitudes and behaviors related to risk awareness, risk taking and risk management and controls that shape decisions on risks, influence the decisions of management and employees during day-to-day activities and is reflected in the risks they assume.
12. 12. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the board and management establish and make decisions about the bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
13. 13. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
14. 14. Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank and, if applicable, group-wide basis.
15. 15. Risk profile: Point in time assessment of the bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
16. 16. Senior management: The executive management of the bank responsible and accountable to the board for the sound and prudent day-to-day management of the bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
17. 17. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
    1. a. holds a majority of the voting rights in the first entity;
    2. b. is a shareholder of the first entity and has the right to appoint or remove a majority of the board or managers of the first entity; or
    3. c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;

       Or;

    4. d. if the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.

1. 1. A bank must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risk. The risk governance framework consists of policies, processes, procedures, systems and controls.
2. 2. The risk governance framework must be documented and approved by the Board and must provide for a sound and well-defined framework to address the bank's risks.
3. 3. The risk governance framework will vary with the specific circumstances of the bank, particularly the risk profile, nature, size and complexity of its business and structure. A bank must incorporate the following minimum elements into its risk governance framework or demonstrate to the Central Bank that its framework meets the requirements for a comprehensive approach to risk management without the presence of all of the elements set out below:
   1. a. Board: the board must approve, maintain and oversee the bank’s risk governance framework, including the risk appetite statement, risk limits by legal entity, business line or management units consistent with the risk appetite statement and policies and procedures to implement a comprehensive approach to risk management.
   2. b. Board risk committee: pursuant to a charter or terms of reference approved by the board, the board risk committee must (a) review and recommend the establishment of and revisions to the bank’s risk governance framework and (b) oversee its implementation by senior management.
   3. c. Board audit committee: pursuant to a charter or terms of reference approved by the Board, the board audit committee must oversee the independent assessment of the risk governance framework by the internal audit function and the internal audit function’s independent assessment of implementation of the bank’s comprehensive approach to risk management.
   4. d. Management risk committee: the management risk committee must develop and recommend the overall risk strategy, the risk governance framework and the risk appetite statement to the board or to the board risk committee and must be accountable for an effective bank-wide approach to risk management and for the communication of the comprehensive approach to risk management across the bank.
   5. e. Risk management function: headed by the chief risk officer (CRO) or equivalent, the risk management function must develop metrics relevant to the risk appetite statement, monitor and report on the risk metrics, escalate breaches and conduct stress tests.
   6. f. Compliance function: the compliance function must verify that compliance policies are observed and must report to senior management or the board, as appropriate, on how the bank is managing its compliance risk.
   7. g. Internal audit function: the internal audit function must provide independent assurance to the board and senior management on the quality and effectiveness of a bank’s internal control and risk management policies, procedures and systems, including measurement methodologies and assumptions. It reports directly to the board audit committee.
   8. h. Business line management: must receive and operationalize risk limits, establish procedures to identify and control risks including monitoring and escalation of breaches and report on risk metrics.
4. 4. In defining and assessing risks, a bank must consider both the probability of the risk materializing and its potential impact on the bank. In assessing the potential impact of a risk, a bank must assess factors including but not limited to: (a) potential disruption of the bank’s business operations; (b) effect on profitability, liquidity, capital adequacy and regulatory compliance; and (c) ability of the bank to meet its obligations to its customers or other counterparties.
5. 5. A Bank’s risk governance framework must address all material risks, which, at a minimum, must include the following items:
   1. a. Credit risk;
   2. b. Market risk;
   3. c. Liquidity risk
   4. d. Operational risk;
   5. e. Risks arising from its strategic objectives and business plans; and
   6. f. Other risks that singly, or in combination with different risks, may have a material impact on the bank.
6. 6. A Board is responsible for the implementation of an effective risk culture and internal controls across the bank and its subsidiaries, affiliates and international branches. The board approved risk governance framework must incorporate a “three lines of defense” approach including senior management of the business lines, the control functions of risk management and compliance and an independent and effective internal audit function:
   1. a. Business line management - identification and control of risks
      1. i. Manage and identify risks in the activities of the business line;
      2. ii. Ensure activities are within the bank’s risk appetite, risk management policies and limits;
      3. iii. Design, implement and maintain effective internal controls; and
      4. iv. Monitor and report on business line risks.
   2. b. Risk management function - sets standards and challenges business lines
      1. i. Headed by the CRO or equivalent;
      2. ii. Establish bank-wide or, if applicable, group-wide risk and control strategies and policies;
      3. iii. Provide oversight and independent challenge of business line accountabilities;
      4. iv. Develop and communicate risk and control procedures; and
      5. v. Monitor and report on compliance with risk appetite, policies and limits.
   3. c. Compliance function - assess bank-wide adherence to requirements
      1. i. Develop and communicate compliance policies and procedures; and
      2. ii. Monitor and report on compliance with laws, corporate governance rules, regulations, regulatory codes and policies to which the bank is subject.
   4. d. Internal audit function - independent assurance
      1. i. Independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; and
      2. ii. Independently assess the effectiveness of business line management in fulfilling their mandates and managing risk.
7. 7. The Board must ensure that the risk management, compliance and internal audit functions are properly staffed and resourced and carry out their responsibilities independently and effectively. This includes unrestrained access to all kinds of information needed for the risk management, compliance and internal audit functions to fulfil their tasks.
8. 8. The Board must review policies annually and controls on a regular basis with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues, as well as determine areas that need improvement.
9. 9. The Board must provide oversight of senior management. It must hold members of senior management accountable for their actions and enumerate the consequences if those actions are not aligned with the board’s expectations. This includes adhering to the bank’s values, risk appetite and risk culture, regardless of financial gain or loss to the bank.
10. 10. Senior management must implement, consistent with the direction given by the board, policies, procedures, systems and controls for managing the risks to which the bank is exposed and for complying with laws, Central Bank regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions, as well as an effective overall system of internal controls.
11. 11. Senior management must provide the board with the information it needs to carry out its responsibilities, including the supervision of senior management and assessment of the quality of senior management’s performance.

1. 1. The head of the risk management function, the CRO or equivalent, must be of sufficient seniority and stature within the bank, to credibly challenge the heads of business lines and functions. The risk management function is responsible for assisting the Board, board committees, executive committee (including the credit committee) and senior management to develop and maintain the risk governance framework.
2. 2. Appointment or dismissal of the CRO must be approved by the Board or board risk committee. If the CRO is removed, the bank must immediately advise the Central Bank of the reasons for such a removal.
3. 3. The CRO, or equivalent, must:
   1. a. Not have a decision-making role in the bank’s risk-taking functions, including credit underwriting, or the finance function;
   2. b. Have no revenue-generating responsibilities;
   3. c. Not have remuneration based on the performance of any of the bank’s risk-taking functions;
   4. d. Not be the chief executive of the bank, or head of the finance, compliance or internal audit function;
   5. e. Have a direct reporting line to the Board or board risk committee and appropriate reporting lines to senior management; and
   6. f. Have unfettered access directly to the board risk committee, including the ability to meet without other senior executives present.
4. 4. Key activities of the risk management function must include, but are not limited to:
   1. a. Identifying material individual, aggregate and emerging risks;
   2. b. Assessing these risks and measuring the bank’s exposure to them;
   3. c. Supporting the Board in its implementation, review and approval of the bank-wide or if applicable, group-wide risk governance framework;
   4. d. Ongoing monitoring to ensure risk-taking activities and risk exposures are in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs;
   5. e. Establishing an early warning or trigger system as part of ongoing monitoring to ensure that breaches of the board-approved risk appetite and risk limits are reported on a timely basis to senior management, the Board or board risk-committee as required by board-approved policies;
   6. f. Influencing and, when necessary, challenging material risk decisions; and
   7. g. Reporting to senior management and the Board or board risk committee in accordance with the risk governance framework.

1. 1. A bank must use risk measurement methodologies commensurate with the risk profile, nature, size and complexity of the business and the structure of the bank. These could include VaR analysis, scenario analysis and stress testing and single counterparty and concentration limits. Common metrics must be employed on a bank (or group)-wide basis to foster a bank (or group)-wide approach and effective identification and monitoring of risks across the Bank (or Group).
2. 2. Risk measurement and modeling techniques must be used in addition to qualitative risk analysis and monitoring. The comprehensive approach to risk management must include policies and procedures for the development and internal approval for use of models or other risk measurement methodologies. Where the models, or data for the models, are supplied by a third party, there must be a process for validation of the model and data relative to the specific circumstances of the bank.
3. 3. A bank must perform regular validation and testing of models. This must include evaluation of conceptual soundness, ongoing monitoring including process verification and benchmarking and outcomes analysis, including back-testing. Stress-testing and scenario analysis must be used to take into account the risk of model error and the uncertainties associated with valuations and concentration risks. Widely recognized weaknesses in VaR such as dependence on historical data and inadequate volatility estimates must be explicitly addressed by banks in developing and implementing VaR methodologies. Banks employing VaR or other model methodologies must regularly back-test actual performance against model predictions and adjust their methodologies in light of experience.
4. 4. Model-based approaches must be supplemented by other measures. These include qualitative assessment of the logic, judgment and types of information used in models as well as assessments of policies, procedures, risk limits and exposures, especially with respect to difficult to quantify risks such as operational, compliance and reputational.

1. 1. A bank must have a forward looking stress testing program that addresses credit, market and operational risk with the bank taking into account that its risk profile is likely to require capital in excess of the minimum capital requirements. The stress testing program must also include any risk that is material for the bank given the nature of its business. These may include but are not limited to: concentration risk; interest rate risk in the banking book; liquidity risk; currency risk; reputation and compliance risks; contagion risk; country and transfer risks; legal risk; and strategic risk.
2. 2. The requirement for a bank to use stress tests and scenario analysis to better understand potential risk exposures under a variety of adverse circumstances is common to both the risk governance framework and ICAAP. A bank must have a comprehensive approach to stress-testing that meets its ICAAP and other risk management requirements. Stress-testing within business lines can be a useful part of the program, however, there must be a means to capture correlations across business lines and obtain a bank-wide or, if applicable, a group-wide overview of performance in stress scenarios.
3. 3. A bank’s stress-testing program must be undertaken on a regular basis to facilitate the tracking of trends over time and developments in key risk factors and exposure amounts, in addition to ad hoc stress tests as required. The program must cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management and, as applicable, the Board or board risk committee must review and approve the scenarios. The specifics of the program must be tailored to the risk exposures of the bank and, at a minimum, must take into account the following factors:
   1. a. Bank and Group-specific and system-wide events;
   2. b. Extreme but plausible shocks as well more gradual changes in key risk parameters such as interest and exchange rates;
   3. c. Potential reputational risk implications of the bank’s actions in a stress scenario;
   4. d. Potential for loss of key sources of funding; and
   5. e. Potential outflows related to customer activity.
4. 4. Stress test program results must be periodically reviewed by the Board or the board risk committee. Results must be incorporated into reviews of the risk appetite, the bank’s ICAAP and capital and liquidity planning processes. The risk management function is responsible for recommending any action required, for example adjustments to risk limits or contingency arrangements, based on stress test results. The results of stress tests and scenario analysis must be communicated to the relevant business line management and functional heads within the bank to assist them in understanding and mitigating the risks inherent in their activities. Stress test program results must factor in the bank’s contingency planning, particularly liquidity risk management and contingency funding.
5. 5. The identification and management of all material risks must be consistent on a bank-wide and if applicable, group-wide basis. This is of particular importance with respect to a bank’s and, if applicable, a group’s ICAAP, given the significant intersection and mutual reinforcement of risk management and capital adequacy. For example, capital and liquidity implications need to be considered in the determination of risks the bank is prepared to assume and the limits for those risks established in the risk appetite statement. Similarly, the impact on capital and liquidity is an important element of a bank’s procedures for review of new products or business lines or acquisitions.
6. 6. From the perspective of capital planning, the ICAAP must explicitly incorporate all material risks, which a bank identifies through its comprehensive approach to risk management. Stress test results must be considered in developing liquidity plans, particularly contingency funding arrangements.

1. 1.  A bank’s comprehensive approach to risk management must include policies and procedures designed to provide risk data aggregation and reporting capabilities appropriate for the risk profile, nature, size and complexity of the bank's business and structure. The policies and procedures for risk data aggregation and reporting must provide for the design, implementation and maintenance of a data architecture and information technology infrastructure that supports the bank’s monitoring and reporting needs in normal times and periods of stress.
2. 2. A bank’s systems must support supervisory reporting requirements and provision of risk reports to all relevant parties within the bank on a timely basis and in a format commensurate with their needs. The scope of reporting must be proportionate to the business activities and complexity of the bank. Ideally, banks will have a highly automated process, however, certain circumstances may mean that manual intervention is required to aggregate risk data and produce supervisory and internal risk management reports.
3. 3. The processes for aggregating the necessary data and producing supervisory and internal risk management reports must be fully documented and establish standards, cutoff times and schedules for report production. The aggregation and reporting process must be subject to high standards of validation through periodic review by the internal audit function using staff with specific systems, data and reporting expertise, particularly where the process requires substantial manual intervention.
4. 4. Banks are encouraged to adopt centralized databases with single identifiers and/or uniform naming conventions for legal entities, counterparties, customers and accounts to facilitate accessing multiple records of risk data across the bank or group in a timely manner. Bank systems must be adequate to compile gross and net exposures to institutional counterparties (i.e. interbank, central counterparties) and to capture credit risk concentrations on a bank-wide or, if applicable, group-wide basis, including on and off-balance sheet exposures, for individual counterparties, groups of related counterparties and other concentrations relevant to the bank’s business such as by currency, industry sector or geographic region. Banks are encouraged to have this information available on a daily basis.

1. l. A bank must have approval procedures for new products, material modification to existing products and strategic or major operational initiatives such as changes in systems, business models or acquisitions. The procedures must ensure that strategic and major operational decisions require approval by the board or a committee of the board. Approval authority for new products or material changes to existing projects may be delegated by the Board to the appropriate level of management, although the Board remains ultimately responsible.
2. 2. In addition to providing for reporting that enables the Board and senior management to monitor the associated risks on an ongoing basis, the procedures must include at a minimum:
   1. a. An assessment of risks under a variety of scenarios, particularly with more pessimistic assumptions than the base-line case;
   2. b. An assessment of the extent to which the bank’s risk management, legal and regulatory compliance, information technology, business line and internal control functions have the necessary expertise, systems and other tools to measure and manage the associated risks, if necessary withholding approval if the required measures are not in place; and
   3. c. An ongoing assessment of risk and performance relative to initial projections and if necessary adapting the risk management treatment in light of experience.
3. 3. Mergers and acquisitions, disposals and other changes to bank or group structure can pose special risk management challenges. Risks can arise from conducting insufficient due diligence that fails to identity post-transaction risks or activities conflicting with the bank’s strategic objectives or Risk Appetite. The risk management function must be actively involved in assessing the risks of such transactions and must report its findings directly to the Board or a committee of the board.

1. 1. A bank for which the Central Bank is the primary regulator is required to meet the objectives of the Regulation and Standards on a solo and group-wide basis. Subsidiaries and affiliates, including non-bank entities, must be captured by the bank’s comprehensive approach to risk management and must be part of the overall risk governance framework to ensure that the policies, business strategies, procedures and controls of the subsidiaries and affiliates are aligned with those of the group.
2. 2. The boards and senior management of subsidiaries and affiliates remain responsible for their entities’ risk management. The methods and procedures applied by subsidiaries and affiliates must support risk management on a group-wide basis. Parent banks must conduct group-wide risk management and prescribe group policies and procedures, while the boards and senior management of subsidiaries and affiliates must have input with respect to the local or regional application of these policies and procedures and the assessment of local or regional risks.
3. 3. Parent banks are responsible for ensuring that the risk management function in subsidiaries and affiliates is adequately resourced and that group reporting lines support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines throughout the group. Parent banks are responsible for ensuring that reporting to the group by subsidiaries and affiliates is sufficiently detailed and timely to support effective group-wide risk management.
4. 4. Where the Central Bank is not the primary regulator of a bank that operates a branch in the U.A.E., the branch must have a risk governance framework and risk management function that meets the requirements of the Regulation and Standards. The “three lines of defense” approach must be incorporated within the branch. This will require a senior risk officer, compliance officer and senior internal audit officer with stature within the branch comparable to the business line managers².
5. 5. Reporting relationships between officers of the branch and group business lines and functions must support the independence of the risk management, compliance and internal audit functions from the risk-taking business lines. These branches must provide the Central Bank with unfettered access to any staff of the group involved in the risk management of the branch and any group reports or data that the Central Bank may request.

² Considering the principle of proportionality and the role of group functions in overseeing the branch, a bank may demonstrate to the Central Bank that it meets the requirements of the Regulation and Standards in some other way.

1. 1. A Bank must comply with the disclosure requirements. A bank must have a board-approved disclosure policy. A bank must describe in its disclosures its risk management objectives and policies including the following items:
   1. a. Strategies and processes (for each material risk);
   2. b. Structure and organization of its risk governance;
   3. c. Scope and nature of risk reporting and/or measurement systems;
   4. d. Policies for hedging and/or mitigating risk; and
   5. e. Strategies and processes for monitoring the continuing effectiveness of hedges/mitigants.

1. 1. The Board offering Islamic financial services must ensure that the comprehensive approach to risk management ensures compliance with Sharī’ah provisions in addition to meeting the other requirements of the Regulation and Standards. The risk governance framework must specifically identify and address for each relevant risk any elements arising from the use of Islamic financial instruments, as well as risks specific to Islamic instruments and agreements. At a minimum, the risk governance framework of a bank offering Islamic financial services must address:
   1. a. Identifying, monitoring and mitigating potential credit risk exposures that may arise at different stages of the various financing agreements;
   2. b. Requiring a due diligence review in respect of counterparties prior to deciding on the choice of an appropriate Islamic financing instrument;
   3. c. Considering separately and on an overall basis liquidity exposures with respect to each category of current account, unrestricted and restricted investment accounts;
   4. d. Ensuring adequate recourse to Sharī’ah-compliant funds to mitigate liquidity risk;
   5. e. Identifying and managing equity investment risk including appropriate and consistent valuation methodologies agreed between the bank and its equity investment partners and exit strategies with respect to equity investment activities;
   6. f. Ensuring compliance with Sharī’ah provisions to mitigate the risk of income having to be donated to charity rather than recognized;
   7. g. Implementing a comprehensive approach to assessing and reporting on the potential impacts of market factors affecting rates of returns on assets relative to the expected rates of return to investment account holders (rate of return risk);
   8. h. Using appropriate measures to safeguard the interests of all fund providers which will include but is not limited to ensuring that when investor funds are comingled with the bank’s funds, the basis for asset, revenue, expense and profit allocations are established, applied and reported in a manner consistent with the bank’s fiduciary responsibilities; and
   9. i. Ensuring that risks arising from the provision of Islamic financial services are appropriately captured in the bank's forward-looking stress-testing program.

1. 1.1This Standard re risk management requirements for Islamic banks (“the Standard”) forms part of the Risk Management Regulation (Circular 153/2018) issued by the Central Bank on 27^th May 2018. Licensed banks that conduct all or part of their activities in accordance with the provisions of Islamic Shari’ah (“Islamic Banks and Banks Housing an Islamic Window” both referred to hereafter as “IBs”) must comply with this Standard. This Standard is mandatory and enforceable in the same manner as the Regulation.
2. 1.2Banks housing an Islamic Window should comply with the provisions of this Standard in relation to the Shari’ah compliant businesses and activities. Banks housing an Islamic Window must integrate the risk management requirements stated in this Standard within the existing risk management framework and apply these requirements to the existing modes and contracts within the Islamic Window.
3. 1.3This Standard should be read in conjunction with the other risk management standards issued by the Central Bank. The Standard elaborates on risk management aspects pertaining to IBs that have not been specifically addressed in other regulations or standards issued by the Central Bank. IBs should comply with the requirements of this Standard in addition to the requirements stated in the other risk management regulations and standards.
4. 1.4It is crucial for IBs to recognize and evaluate the overlapping nature and transformation of risks that exist between and among the categories of the above-mentioned risks. IBs may also face consequential business risks relating to developments in the external marketplace. Adverse changes in IB’ markets, counterparties, or products as well as changes in the economic and political environments in which IBs operate and the effects of different Shari’ah standards are examples of business risk. These changes may affect IBs’ business plans, supporting systems and financial position. In this regard, IBs are expected to view the management of these risks from a holistic perspective.
5. 1.5IBs are exposed to reputational risk arising from failures in governance, business strategy and process. Negative publicity about the IBs business practices, particularly relating to Shari’ah non-compliance in their products and services, could have negative impact on their market position, profitability and liquidity.
6. 1.6This Standard is issued pursuant to the powers vested in the Central Bank under the provisions of the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments (“Central Bank Law”).
7. 1.7Where this Standard stipulates to provide information, undertake certain measures, or address certain terms listed as a minimum, the Central Bank may impose requirements, which are additional to those outlined in the relevant article of the Standard.
8. 1.8This Standard elaborates on the supervisory expectations of the Central Bank with respect to risk management for Shari’ah compliant businesses and activities.

1. 2.1This Standard applies to all IBs. IBs established in the UAE with Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Standard is adhered to on a solo and Group-wide basis.
2. 2.3An IB which sets up special purpose vehicles with the objective of conducting specific Shari’ah compliant activity must ensure that the risks arising in the special purpose vehicle are monitored and reported at the group level (risk management on a consolidated basis).
3. 2.4This Standard must also be read in conjunction with the Standards and Resolutions issued by the Higher Shari’ah Authority (HSA).

1. a.Affiliate: An entity that, directly or indirectly, controls, or is controlled by, or is under common control with another entity. The term control as used herein to mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direct of the management of another entity.
2. b.Board: The Islamic Bank’s board of directors.
3. c.Central Bank: The Central Bank of the United Arab Emirates.
4. d.Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities and its amendments.
5. e.Central Bank Regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
6. f.Credit Risk: The potential that a counterparty fails to meet its obligations in accordance with agreed terms. Credit risk includes the risk arising in the settlement and clearing transactions.
7. g.Compliance with Islamic Shari’ah refers to compliance with Shari’ah in accordance with:

   a.resolutions, fatwas, regulations, and standards issued by the Higher Shari’ah Authority in relation to licensed activities and businesses of IBs (“HSA’s Resolutions”), and

   b.resolutions and fatwas issued by Internal Shari’ah Supervision Committee (“ISSC”) of the respective IB, in relation to licensed activities and businesses of such institution (“the ISSC’s Resolutions”), provided they do not contradict HSA’s Resolutions.

8. h.Displaced Commercial Risk: Risk where the IB may be under market pressure to voluntarily pay a return that exceeds the rate that has been earned on assets financed by Investment Account Holder when the return on assets is under-performing as compared with competitors’ rates.
9. i.Equity Investment Risk: Risk arising from entering into a partnership for the purpose of undertaking or participating in a particular financing or general business activity as described in the contract, and in which the provider of finance shares in the business risk.
10. j.Fiduciary responsibilities and duties refers to the responsibilities of IB to treat all their fund providers appropriately and in accordance with the terms and conditions of their investment agreements.
11. k.Fiduciary Risk: Risk that arises from IBs’ failure to perform in accordance with explicit and implicit Standards applicable to their fiduciary responsibilities.
12. l.Fund Providers: Refers to the deposits received by IB and that includes (a) current account holders; and (b) Investment Account Holders.
13. m.Group: A group of entities which includes an entity (the ‘first entity’) and:

    a.any Controlling Shareholder of the first entity;

    b.any Subsidiary of the first entity or of any Controlling Shareholder of the first entity; and

    c.any Affiliate, joint venture, sister company and other member of the Group.

14. n.Internal Shari’ah Audit: Regular process to inspect and assess the IB’s compliance with Islamic Shari’ah and the level of effectiveness of the IB’s Shari’ah governance systems.
15. o.Internal Shari’ah Supervision Committee (ISSC): A body appointed by the IB, comprised of scholars specialized in Islamic financial transactions, which independently supervises the transactions, activities, and products of the IB and ensures they compliance with Islamic Shari’ah in all its objectives, activities, operations, and code of conduct.
16. p.Internal Shari’ah Control Division (or Section): Technical division (or section) in the IBs with a mandate to support the ISSC its mandate.
17. q.Investment Risk Reserve: Investment risk reserve is the amount appropriated by the IBs out of the income of Investment Account Holder (IAH), after allocating the Mudarib’s share, in order to cushion against future investment losses for IAH.
18. r.Investment Account: Refers to the deposits accepted by IBs on the basis of Mudarabah or Wakalah contract or any other profit generating contract.
19. s.Islamic Window: Refers to the licensed activities that are conducted in accordance with the Islamic Shari’ah that are carried by financial institutions for their account or for the account of or in partnership with third parties which comply with the regulatory requirements stated in this Standard and other regulations issued by the Central Bank.
20. t.Market Risk: Refers to the potential impact of adverse price movements such as benchmark rates, foreign exchange (FX) rates, equity prices and commodity prices, on the economic value of an asset.
21. u.Parent: An entity (the ‘first entity’) which:
    1. a.Holds a majority of the voting rights in another entity (‘the second entity’);
    2. b.Is a shareholder of the second entity and has the right to appoint or remove the majority of the board of directors or managers of the second entity; or
    3. c.Is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
    4. d.If the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
22. v.Profit Equalization Reserve: The amount appropriated out of the Mudaraba profits, in order to maintain a certain level of return on investment for the Mudarib and unrestricted investment account holders and mitigate displaced commercial risk.
23. w.Rate of Return Risk: Overall balance sheet exposures where mismatches arise between assets and balances from fund providers.
24. x.Restricted Investment Accounts: The account holders authorize the IBs to invest their funds based on Mudaraba or Wakala contracts with certain restrictions as to where, how and for what purpose these funds are to be invested.
25. y.Risk Appetite: The aggregate level and types of risk an IB is willing to assume, decided in advance and approved by the Board and within its risk capacity, to achieve its strategic objectives and business plan.
26. z.Risk Limits: Specific quantitative measures that must not be exceeded based on, for example, forward-looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
27. aa.Risk Profile: Point in time assessment of the bank’s gross (before the application of any risk mitigants) or net (after taking into account risk mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
28. bb.Risk Governance Framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the bank’s strategy; and identify, measure, manage and control risks.
29. cc.Risk Management Function: Collectively, the systems, structures, policies, procedures and people that measure, report and monitor risk on a bank-wide and, if applicable, group-wide basis.
30. dd.Senior Management: The executive management of the Bank responsible and accountable to the Board for sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
31. ee.Shari’ah Non-Compliance Risk: Probability of financial loss or reputational damage that IB might incur or suffer due to not complying with Islamic Shari’ah.
32. ff.Subsidiary: An entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
    1. a.Holds a majority of the voting rights in the first entity;
    2. b.Is a shareholder of the first entity and has the right to appoint or remove the majority of the board of directors or managers of the first entity; or
    3. c.Is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
    4. d.If the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
33. gg.Unrestricted Investment Accounts: The account where the holders authorize the IBs to invest their funds based on Mudaraba or Wakala (agency) contracts without laying any restriction on how the investment is to be managed. The IBs can commingle these funds with their own funds and invest them in pooled portfolio.

1. 4.1An IB must establish, implement and maintain a risk governance framework that enables it to identify, assess, monitor, mitigate and control risks. The risk governance framework consists of policies, procedures processes, systems, controls and limits. The risk governance framework must be comprehensive and address the specific risks associated with Shari’ah compliant businesses and activities.
2. 4.2IBs that are branches of foreign licensed financial institutions must adhere to this Standard or establish equivalent arrangements to ensure regulatory comparability and consistency. The equivalent arrangement, if applicable, should include the matters related to general assembly, the Board and its Committees without contradicting the prevailing laws in the UAE. The equivalent arrangements must be submitted to the Central Bank for approval.
3. 4.3IBs must ensure an adequate system of controls with appropriate checks and balances are in place. The controls must (a) comply with the Islamic Shari’ah, (b) comply with applicable regulatory and internal policies and procedures; and (c) take into account the integrity of risk management processes.
4. 4.4In addition to the minimum elements of the risk governance framework stated in the Central Bank’s Risk Management Standards (153/2018), IBs must incorporate the following minimum elements into the risk governance framework:
   1. a.Internal Shari’ah Supervisory Committee,
   2. b.Internal Shari’ah Compliance, and
   3. c.Internal Shari’ah Audit.
5. 4.5In defining and assessing risks, IBs must consider both the probability of the risk materializing and its potential impact on the IB. In addition to the factors to be assessed in the context of the potential risk impact as stated within Central Bank’s Risk Management Standards (153/2018) the IB must also assess the ability to meet its fiduciary responsibility to Investment Account Holders (IAH), both restricted and unrestricted investment accounts.
6. 4.6IBs risk governance framework must address all material risks which at a minimum must include the following items:
   1. a.Credit Risk;
   2. b.Market Risk;
   3. c.Liquidity Risk;
   4. d.Operational Risk and Shari’ah Non-compliance Risk;
   5. e.Displaced Commercial Risk;
   6. f.Equity Investment Risk;
   7. g.Rate of Return Risk;
   8. h.Risks arising from its strategic objectives and business plans; and
   9. i.Other risks that singly, or in combination with different risks, may have a material impact on the IB.
7. 4.7The Board is ultimately responsible for developing the IB’s Shari’ah compliant risk governance framework. The framework must incorporate a “three lines of defense” approach. In addition to the stated requirements within the Central Bank’s Risk Management Standards (153/2018) the IB’s approach should also include provisions relating to:
   • -Internal Shari’ah Supervision Committee (ISSC);
   • -Internal Shari’ah compliance, and
   • -Internal Shari’ah Audit.
8. 4.8The risk appetite statement must reflect a written articulation of the aggregate level and types of risk that an IB is willing to accept, or avoid, in order to achieve its business objectives. However, an IB should have no tolerance toward Shari’ah non-compliance risk. In addition to the minimum items set-out within Central Bank’s Risk Management Standards (153/2018), an IB’s risk appetite statement must also cover the following risks:
   • -Shari’ah Non-Compliance Risk,
   • -Displaced Commercial Risk,
   • -Rate of Return Risk and
   • -Equity Investment Risk.
9. 4.9IBs must define and document roles and responsibilities towards IBs’ risk governance framework.
10. 4.10The Board’s Risk Committee (“Risk Committee”) is responsible to review and approve the establishment of framework for managing all material risks as part of the overall risk management framework of the IB and must oversee its implementation by the Senior Management.
11. 4.11The Risk Committee must supervise and monitor the management of Shari’ah non-compliance risk and set controls in relation to this type of risk, in consultation with the ISSC and through the internal Shari’ah control division, or section.
12. 4.12The Risk Committee must ensure there is an information system that enables the IB to measure, assess and report all risks including but not limited to Shari’ah Non-Compliance Risk, Equity Investment Risk and Displaced Commercial Risk. Reports must be provided on a timely manner to the Board and Senior Management, in formats suitable for their use and understanding.
13. 4.13In addition to the minimum items set-out within Central Bank’s Risk Management Regulation, IBs must include in its documented ICAAP, within the Internal Control review, provisions relating to the Internal Shari’ah Audit function.
14. 4.14IBs should manage risks in accordance with the Shari’ah rules and the scope determined by the contracts IBs use as basis for their financial transactions. IBs may not transfer risks to counterparties, or avoid responsibilities and ownership risks, which result from using specific contracts. IBs may manage these risks by other means that do not conflict with the provisions of Islamic Shari’ah.

1. 5.1The head of the risk management function, the Chief Risk Officer (CRO) or equivalent is responsible for assisting the Board, board committees, executive committee (including the Internal Shari’ah Supervision Committee), senior management (including Internal Shari’ah Control Division or Section and Internal Shari’ah Audit) to develop and maintain the risk governance framework applicable to its IB.
2. 5.2In addition to the key activities set out within the Central Bank’s Risk Management Standards (153/2018), IBs must include identifying, assessing, monitoring and reporting risks associated specifically to Shari’ah compliant business and activities.

1. 6.1The risk assessment and measurement processes undertaken by IBs must specifically address the risk of loss arising from Mudaraba, Musharaka and Wakala contracts, where applicable. Rigorous risk evaluation (including due diligence) must be adequately conducted in view of the exposure to capital impairment.

1. 7.1IBs must ensure that risks arising from the provision of Shari’ah Compliant business and activities are appropriately captured in the IBs’ forward-looking stress-testing program.

1. 8.1IBs must ensure that an adequate system of controls with appropriate checks and balances are in place. The controls must:
   1. a.Ensure compliance with the provisions of Islamic Shari’ah, and
   2. b.Take into account the integrity of risk management processes.

1. 9.1As part of the IBs’ overarching approval process, the following at a minimum must be undertaken by IBs:
   1. a.New Product Approvals must include a risk assessment with a variety of scenarios, particularly with more pessimistic assumptions than the base-line case. The assessment should take into consideration the legal consequences of the underlying Shari’ah structure/contract throughout the life span of the products and services e.g. event of default, restructuring and rescheduling scenarios.
   2. b.Mergers and acquisitions, disposal and other changes must include adequate due diligence that identifies post-transaction risks or activities conflicting with the IBs’ Governance Framework and other specifities relating to IBs. An IB must have a strategy towards alleviating over-dependence on few types of underlying structures/contracts that may present limitations in terms of tradability and flexibility in the events where risk emerges (e.g. dependence on monetization products).

1. 10.1In addition to the requirements set out within Central Bank’s Risk Management Standards (153/2018) regarding disclosures, IBs must make appropriate and timely disclosure of information to Investment Account Holders. The disclosure should include information related to Profit Equalization Reserves and Investment Risk Reserves, if applicable, so that the investors are able to assess the potential risks and rewards of their investments and to protect their own interests in their decision-making process. Applicable international financial reporting standards must be used for this purpose.

1. 11.1IBs must have in place:
   • -an appropriate credit strategy, including pricing and tolerance for undertaking credit risks exposures;
   • -a risk management structure with effective oversight of credit risk management; credit policies and operational procedures including credit criteria and credit review processes, acceptable forms of risk mitigation, and limit setting;
   • -an appropriate measurement and careful analysis of exposures, including market and liquidity-sensitive exposures; and
   • -a system (a) to monitor the condition of ongoing individual credits to ensure the financings are made in accordance with the IBs’ policies and procedures, (b) to manage credit challenges according to an established remedial process; and (c) to ensure adequate provisions are allocated.
2. 11.2IBs must have in place an appropriate framework for credit risk management and reporting in respect to all assets. This includes credit risk related to different stages of the Shari’ah compliant products and investments. IBs must apply the credit risk principles to credit risks associated with securitization and investment activities.
3. 11.3The risk assessment and measurement processes undertaken by IBs must also be applicable to profit sharing assets (Mudaraba and Musharaka) which are classified under equity investments. Rigorous risk evaluation (including due diligence) and controls of these investments are necessary in view of their exposure to capital impairment. This must not contradict the risk sharing nature in these instruments as prescribed by Islamic Shari’ah.
4. 11.4IBs must have in place a strategy for financing, using various instruments in compliance with Shari’ah, whereby the strategy recognizes the potential credit exposures that may arise at different stages of the various financing agreements.
5. 11.5IBs must manage and account for the credit risk arising from Shari’ah compliant instruments where:
   • -no Shari’ah compliant compensation can be imposed, and/or
   • -the profit cannot be increased/continued.
6. 11.6IBs must have a policy for carrying out a due diligence review in respect of counterparties prior to deciding on the choice of an appropriate Shari’ah compliant financing instrument.
   This has to be carried in particular, for transactions involving:
   - New ventures with multiple financing modes: IBs should carry out due diligence processes on customers using multiple financing modes to meet specific financial objectives designed to address Shari’ah, legal or tax issues of customers.
   - Creditworthiness that may be influenced by external factors: Where significant investment risks are present in participatory instruments, especially in the case of Mudarabah financings, additional counterparty reviews and evaluations will focus on the business purpose, operational capability, enforcement and economic substance of the proposed project including the assessment of realistic forecasts of estimated future cash flows. IBs should put in place risk mitigating structures in place to the extent possible.
7. 11.7IBs must have in place Shari’ah compliant credit risk mitigating techniques appropriate for each Islamic financing instrument. IBs must be aware of the commencement of exposure to credit risk inherent in different financing instruments such as the non-binding nature of certain contracts. Risk management techniques should not change the nature or the Shari’ah aspects of the contract in order to mitigate the risk.
8. 11.8IBs should clearly define their credit risk-mitigating techniques including, but not limited to, having in place:
   • -a methodology for setting mark-up rates according to the risk rating of the counterparties, where expected risks should be taken into account in the pricing decisions;
   • -permissible and enforceable collateral and guarantees;
   • -stipulating the counter party’s commitment to donate in case of default in the legal documentations in accordance with the applicable Shari’ah resolutions and standards;
   • -clear documentation as to whether or not purchase orders are cancellable; and
   • -clear procedures for taking account of governing laws for contracts relating to financing transactions.
9. 11.9In a financing involving several related agreements, IBs must be aware of the binding obligations arising in connection with credit risks associated with the underlying assets for each agreement. IBs must ensure that all components of a financial structure comply with the Shari’ah parameters applicable to combination of contracts.
10. 11.10IBs must establish limits on the degree of reliance and the enforceability of collateral and guarantees subject to the provisions set-out within the relevant rules of Islamic Shari’ah.
11. 11.11IBs must have appropriate credit management systems and administrative procedures in place to undertake early remedial action in the case of financial distress of a counterparty or, in particular, for managing bad credits, potential and defaulting counterparties. This system should be reviewed on a regular basis. Remedial actions will include both administrative and financial measures.
    Administrative measures may inter alia include:
    • -negotiating and following-up pro-actively with the counterparty through maintaining frequent contact with the counterparty;
    • -setting an allowable timeframe for payment or to offer rescheduling (without an increase in the amount of the debt in debt based instruments) or Shari’ah compliant restructuring arrangements;
    • -using a debt-collection agency;
    • -resorting to legal action, including the attachment of any credit balance belonging to defaulters according to the agreement between them; and
    • -making a claim under Shari’ah-compliant insurance as applicable.

    Financial measures may include, among others:

    • -invoking commitment to donate clauses, where applicable, in accordance with the relevant Shari’ah parameters,; and
    • -establishing the enforceability of collateral or third party guarantees.
12. 11.12IBs must set appropriate measures for early settlements.
13. 11.13IBs must have policies to define adequately the action to be taken by the IB when a customer cancels a non-binding purchase order.
14. 11.14IBs should assess and establish appropriate policies and procedures pertaining to the risks associated with their own exposures in parallel transactions.
15. 11.15IBs must ensure, whenever possible or applicable, that there is sufficient Shari’ah-compliant insurance coverage of the value of the assets.
16. 11.16IBs must have in place an appropriate policy for determining and allocating provisions for (a) non-performing debt categories, including counterparty exposures; and (b) estimated impairment in value of assets.

1. 12.1Requirements on market risk must be read in conjunction with the Market Risk Regulation and accompanying Standards (Circular 164/2018).
   IBs must have in place an appropriate framework for market risk management in each stage of the contract, including reporting in respect of all assets held, particularly those that do not have a ready market and/or are exposed to high price volatility.
2. 12.2IBs must establish a sound and comprehensive market risk management process and information system, which (among others) comprises:
   • -a conceptual framework to assist in identifying underlying market risks;
   • -guidelines governing risk taking activities in different portfolios of restricted IAH and their market risk limits;
   • -appropriate frameworks for pricing, valuation and income recognition; and
   • -a strong management information system for controlling, monitoring and reporting market risk exposure and performance to appropriate levels of senior management.

   Given that all the required measures are in place (e.g. pricing, valuation and income recognition frameworks, strong MIS for managing exposures, etc.), the applicability of any market risk management framework that has been developed should be assessed taking into account consequential business and reputation risks.

3. 12.3IBs must adhere to the fiduciary duty to apply the same risk management policies and procedures to assets held on behalf of restricted Investment Account Holders as they do for assets held on behalf of shareholders and unrestricted Investment Account Holders.
4. 12.4IBs must be able to quantify market risk exposures and assess exposure to the probability of future losses in their net open asset positions.
5. 12.5IBs must take into consideration the specifics of each Shari’ah compliant instrument in the following manner:
   1. a.In operating Ijarah contracts, a lessor is exposed to market risk on the residual value of the leased asset at the term of the lease or if the lessee terminates the lease earlier (by defaulting), during the contract
   2. b.In Salam, an IB as a buyer is exposed to commodity price fluctuations on a long position after entering into a contract and while holding the subject matter until it is disposed of. In the case of parallel Salam, there is also the risk that a failure of delivery of the subject matter by the counterparty which exposes the IBs to commodity price risk as a result of the need to purchase a similar asset in the market in order to honor the parallel Salam contract.
   3. c.Before acquisition of financial assets not actively traded with the intention of selling them, an IB must analyze and assess the factors attributable to changes in liquidity of the markets in which the assets are traded and which give rise to greater market risk.

   IBs may hedge foreign exchange fluctuations arising from general FX spot rate changes in both cross-border transactions and the resultant foreign currency receivables and payables using Shari’ah compliant methods.

6. 12.6In the valuation of assets where no direct market prices are available, IBs must incorporate in their own product program a detailed approach to valuing their market risk positions. IBs may employ appropriate forecasting techniques to assess the potential value of these assets.
   Where available valuation methodologies are deficient, IBs must assess the need (a) to allocate funds to cover risks resulting from illiquidity and uncertainty in assumptions underlying valuation and realization; and (b) to establish a contractual agreement with the counterparty specifying the methods to be used in valuing the assets

1. 13.1IBs must establish an adequate framework towards the management of market risks inherent in the holding of Mudaraba, Musharaka, and Wakala instruments for investment purposes. This includes consideration of quality of the partner, underlying business activities and ongoing operational matters.
2. 13.2IBs must have in place appropriate mechanisms to safeguard the interests of all fund providers. Where IAH funds are commingled with the IBs’ own funds, the IBs must ensure that the bases for asset, revenue, expense and profit allocations are established, applied and reported in a manner consistent with the IB’s fiduciary responsibilities.
3. 13.3In performing the due diligence review, IBs must consider in evaluating the risk in Mudarabah, Musharakah, and Wakala instruments and the capabilities and risk profiles of potential partners (Mudarib or Musharakah partner). Such due diligence is essential to an IBs’ fiduciary responsibilities as an investor of IAH funds in profit sharing and loss-bearing instruments (such as Mudarabah, Musharkah and Wakala).
4. 13.4IBs must consider factors relating to the legal and regulatory environment affecting the equity investment performance during risk evaluation. These factors include policies pertaining to tariffs, quotas, taxation or subsidies and any sudden policy changes affecting the quality and viability of an investment.
5. 13.5IBs risk mitigation techniques attaching to lack of reliable information must require its investor to take an active role in monitoring the investment, or the use of specific risk mitigating structures.
6. 13.6IBs must define and set the objectives of, and criteria for, investments before using profit-sharing and loss-bearing instruments (such as Mudarabah, Musharkah and Wakala), including the types of investment, tolerance for risk, expected returns and desired holding periods.
7. 13.7IBs must have, and keep under review, policies, procedures and an appropriate management structure for evaluating and managing the risks involved in the acquisition of, holding and exiting from loss bearing investments. IBs must ensure proper infrastructure and capacity are in place to monitor continuously the performance and operations of the entity in which IB invest as partners. These should include evaluation of Shari’ah compliance, adequate financial reporting by, and periodical meetings with, partners and proper recordkeeping of these meetings.
8. 13.8IBs must identify and monitor the transformation of risks at various stages of investment lifecycles, for example, where the investee’s business involves innovative or new products and services in the marketplace.
9. 13.9IBs must analyze and determine possible factors affecting the expected volume and timing of cash flows for both returns and capital gains arising from equity investments.
10. 13.10IBs must use Shari’ah compliant risk-mitigating techniques, which reduce the impact of possible capital impairment of an investment. This may include the use of Shari’ah permissible security from the partner.
11. 13.11IBs must ensure that their valuation methodologies are appropriate and consistent and must assess the potential impacts of their methods on profit calculations and allocations. The methods must be mutually agreed between the IB and the Mudarib and/or Musharaka partners.
12. 13.12IBs must assess and take measures to deal with the risks associated with potential manipulation of reported results leading to overstatements or understatements of partnership earnings.
13. 13.13IBs must define and establish exit strategies in respect of their equity investment activities, including extension and redemption conditions for Mudaraba, Musharaka and Wakala investments, subject to the approval of the institution’s Internal Shari’ah Supervision Committee.
14. 13.14IBs must be aware that the risks arising from the use of profit-sharing instruments for financing purposes do not include credit risk in the conventional sense but share a crucial characteristic of credit risk because of the risk of capital impairment.

1. 14.1Requirements in this area must be read in conjunction with the Interest Rate and Rate of Return Risk in the Banking Book Regulation and accompanying Standards (Circular No. 165/2018). IBs must establish a comprehensive risk management and reporting process to assess the potential impacts of market factors affecting rates of return on assets in comparison with the expected rates of return for IAH.
2. 14.2IBs must take necessary steps to ensure that the management processes relating to the identification, measurement, monitoring, reporting and control of the rate of return risk (including appropriate structure) are in place.
3. 14.3IBs must be aware of the factors that give rise to rate of return risk. The primary form of rate of return risk to which IBs are exposed comprises increasing long-term fixed rates in the market. IBs must have in place appropriate systems for identifying and measuring the factors, which give rise to rate of return risk.
4. 14.4IBs must employ a gapping method for allocating positions into time bands with remaining maturities or repricing dates, whichever is earlier.
5. 14.5IBs’ rate of risk return measurement must highlight the importance of cash flow forecasting for instruments and contracts where IBs are required to simulate and assess their behavioral maturity, underlying assumptions and parameters, which must be reviewed periodically for reliability. The materiality of potential threats to future earnings and the usefulness of the resulting information must be considered in determining the type and extent of forecasted behavior for IBs.
6. 14.6IBs are encouraged to employ balance sheet techniques to minimize their exposures using the following strategies, among others:
   1. a.determining and varying future profit ratios according to expectations of market conditions;
   2. b.developing new Shari’ah-compliant instruments; and
   3. c.issuing securitization tranches of Shari’ah permissible assets.

1. 15.1IBs must have in place an appropriate framework for managing displaced commercial risk, where applicable.
2. 15.2IBs must have in place a policy and framework for managing the expectations of their shareholders and IAH.
3. 15.3IBs must develop and maintain an informed judgement about an appropriate level of the balances of Profit Equalization Reserve, bearing in mind that its essential function is to provide mitigation of displaced commercial risk.

1. 16.1IBs must have in place an appropriate framework, adequate systems, controls and limits for Operational and Shari’ah Non-Compliance Risk management.
2. 16.2IBs must consider the full range of material operational risks affecting their operations, including the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. IBs must also incorporate possible causes of loss resulting from Shari’ah non-compliance and the failure in their fiduciary responsibilities.
3. 16.3IBs must be aware of being exposed to risks relating to Shari’ah non-compliance and risks associated with the IBs’ fiduciary responsibilities towards different fund providers. These risks expose IBs to fund providers’ withdrawals, loss of income or voiding of contracts leading to a diminished reputation or the limitation of business opportunities.
4. 16.4IBs’ must be prudent towards Shari’ah compliance and such compliance requirements must permeate throughout the organization and their products and activities. The perception regarding IBs’ compliance with Shari’ah rules and principles is of great importance to their sustainability.
   In this regard, Shari’ah compliance is considered as falling within a higher priority category in relation to other identified risks. If IBs do not comply with Shari’ah rules and principles, the impacted transactions should be referred to the ISSC to decide on the appropriate treatment (remedy of contracts, derecognition of profit, etc.) and if needed such incidents may be escalated to the HSA.
5. 16.5IBs must ensure that their contract documentation complies with Shari’ah with regard to formation, termination and elements possibly affecting contract performance such as fraud, misrepresentation, duress or any other rights and obligations.
6. 16.6IBs must keep track of income not recognized due to Shari’ah non-compliance and assess the probability of similar cases arising in the future and ensure that appropriate controls are in place to avoid recurrences. This may include monitoring of income not recognized due to origination from Shari’ah non-compliant activities.
7. 16.7IBs must establish and implement a clear and formal policy for undertaking their different and potentially conflicting roles in respect of managing different types of investment accounts. The policy relating to safeguarding the interests of their IAH may include the following:
   • -identification of investing activities that contribute to investment returns and taking reasonable steps to carry on those activities in accordance with the IB’s fiduciary and agency duties and to treat all their fund providers appropriately and in accordance with the terms and conditions of their investment agreements;
   • -allocation of assets and profits between the IB and their IAH will be managed and applied appropriately to IAH having funds invested over different investment periods;
   • -determination of appropriate reserves at levels that do not discriminate against the right for better returns of existing IAH; and
   • -limiting the risk transmission between current and investment accounts.
8. 16.8IBs must adequately disclose information on a timely basis to their IAH and the markets in order to provide a reliable basis for assessing their risk profiles and investment performance.

1. 17.1The IBs should comply fully with these standard requirements within 180 days from publishing this Standard.
2. 17.2The Regulatory Development Division of the Central bank shall be the reference for interpretation of the provisions of this Standard.

The disclosures indicated may be made as part of the periodic financial reporting (marked “F” in Tables 1, and 2), or as part of product information published in connection with new products or changes in existing products - for example, prospectuses and offer documents (marked “P” in Tables 1, and 2). Some disclosures may be made under both headings.

Table 1: Investment Accounts (both Unrestricted and Restricted IAH)

Table 2: Unrestricted Investment Accounts

The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, Banks must have appropriate policies, processes, procedures, systems and controls to identify, monitor and mitigate operational risks.

In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Banks’ approaches to operational risk are in line with leading international practices.

This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

Where this Regulation or its accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements, which are additional to the list provided in the relevant article.

The objective of this Regulation is to establish minimum acceptable standards for Banks’ approach to managing operational risks, with a view to:

i Ensuring the soundness of Banks; and

ii Enhancing financial stability

The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to operational risk management.

This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.

This Regulation and Standards must be read in conjunction with the Risk Management Regulation and Standards, which establish the requirements for Banks’ overarching approach to risk management.

1. Affiliate: An entity that, directly or indirectly, controls, is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
    
2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a Bank.
    
3. Board: The Bank’s Board of Directors.
    
4. Central Bank: The Central Bank of the United Arab Emirates.
    
5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
    
6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
    
7. Group: A group of entities that includes an entity (the 'first entity') and:
    
   1. a) any Parent of the first entity;
       
   2. b) any Subsidiary of the first entity or of any Parent of the first entity; and
       
   3. c) any Affiliate.
       
8. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
    
9. Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.
    
10. Parent: An entity (the 'first entity') which:
     
    1. a) holds a majority of the voting rights in another entity (the 'second entity');
        
    2. b) is a shareholder of the second entity and has the right to appoint or remove a majority of the Board of directors or managers of the second entity; or
        
    3. c) is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity.
       
       Or;
    4. d) if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
        
11. Risk appetite: The aggregate level and types of risk a Bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
     
12. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations or other measures as appropriate.
     
13. Risk profile: Point in time assessment of the Bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
     
14. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
     
15. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
     
16. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
     
    1. a) holds a majority of the voting rights in the first entity;
        
    2. b) is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
        
    3. c) is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity.
       
       Or;
    4. d) if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
        

1. A Bank must have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk on a timely basis.
    
2. The members of the Board bear ultimate responsibility for ensuring that a Bank has an adequate operational risk governance framework, which must be fully integrated into the Bank’s overall risk governance framework.
    
3. A Bank must ensure that its operational risk strategy, policies and processes are consistent with its risk profile, systemic importance, risk appetite and capital strength and take account of market and macroeconomic conditions.
    
4. A Bank must address all major aspects of operational risk prevalent in the business of the Bank on a bank-wide and if applicable Group-wide basis.
    

1. The Board must approve and thereafter review at least annually, the Bank’s operational risk strategies, policies and processes, including disaster recovery and business continuity plans.
    
2. The Board must establish a formal process to oversee Senior Management and ensure that the strategies, policies and processes are implemented effectively at all decision levels.

1. Senior Management must ensure that the Board-approved operational risk management strategy and significant policies and processes are implemented effectively and fully integrated into the Bank’s overall risk management process.
    

1. The Board-approved operational risk management strategy must provide for the identification and assessment of the operational risks inherent in all material products, activities, processes and systems.

1. The Board-approved operational risk management strategy must foster a strong control environment that utilizes policies, processes and systems, appropriate internal controls and appropriate risk mitigation and transfer.

1. A Bank must have disaster recovery and business continuity plans in place to ensure its ability to operate on an ongoing basis and limit losses in the event of a severe business disruption. Such plans must be commensurate with the risk profile, nature, size and complexity of the Bank’s business and structure and take into account different scenarios to which the Bank may be vulnerable.
    
2. Disaster recovery and business continuity plans must ensure that critical business functions can be maintained or recovered in a timely manner to minimize the financial, legal, regulatory, reputational and other risks that may arise from a disruption.
    
3. The Board must ensure there is a periodic independent review of the Bank’s disaster recovery and business continuity plans to ensure adequacy and consistency with current operations, risks and threats, recovery levels and priorities.
    

1. A Bank must establish appropriate information technology policies and processes to identify, assess, monitor and manage technology risks.
    
2. A Bank must have appropriate information technology infrastructure to meet its current and projected business requirements under normal circumstances and in periods of stress. This infrastructure must ensure data and system integrity, security and availability and support integrated and comprehensive risk management.
    

1. A Bank must have appropriate and effective information systems to:
    
   1. a) Monitor operational risk;
       
   2. b) Compile and analyze operational risk data; and
       
   3. c) Facilitate appropriate reporting mechanisms at the Bank’s Board, Senior Management and business line levels that support proactive management of operational risk.
       

1. A Bank must promptly notify the Central Bank when it becomes aware of a significant deviation from its Board-approved operational risk appetite statement, policies or procedures, or becomes aware that a material operational risk has not been adequately addressed.
    
2. A Bank must provide, upon request, any specific information with respect to operational risk that the Central Bank may require.
    
3. A Bank’s publicly disclosed information must be appropriate to permit stakeholders to assess the Bank’s approach to operational risk management in the context of the Bank’s size, risk profile, complexity of operations and evolving industry practice.
    
4. A Bank must promptly notify the Central Bank of any operational risk event that triggers, or is likely to trigger disaster recovery or business continuity plans, or has, or is likely to have, a material impact on the Bank’s operations, profitability or capital.
    

1. The approval procedures for new businesses, products or systems or material modification of existing businesses, products or systems required by the Risk Management Regulation and Standards must explicitly address operational risk.
    

1. A Bank offering Islamic financial services must ensure that its operational risk management framework addresses any operational risks arising from potential non-compliance with Shari’a rules and principles.
    

1. Violation of any provision of this Regulation and the accompanying Standards shall be subject to supervisory action as deemed appropriate by the Central Bank.
    

1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
    

1. This Regulation and the accompanying Standards replace all previous Central Bank regulations with respect to operational risk.
    

1. This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

1. 1.These Standards form part of the Operational Risk Regulation. All Banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. 2.Operational risk is inherent in all dimensions of a Bank, including all banking products, activities, processes and systems. Accordingly, the effective management of operational risk is a fundamental element of a Bank’s risk management program. Banks with a sound operational risk management framework, a strong risk management culture and ethical business practices, are less likely to experience potentially damaging operational risk events and better placed to deal effectively with those events that do occur.
3. 3.A Bank’s Board is in ultimate control of the Bank and accordingly ultimately responsible for operational risk management. There is no one-size-fits-all or single best solution. Accordingly, each Bank could meet the minimum requirements of the Regulation and Standards in a different way and thus may adopt an organizational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented an appropriate approach to operational risk management. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards.¹
4. 4.The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

¹ The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

1. 1. Affiliate: An entity that, directly or indirectly, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
2. 2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a Bank.
3. 3. Board: The Bank’s Board of Directors.
4. 4. Central Bank: The Central Bank of the United Arab Emirates.
5. 5. Central Bank Law: Federal Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
6. 6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
7. 7. Group: A group of entities that includes an entity (the 'first entity') and:
   1. a.any Parent of the first entity;
   2. b.any Subsidiary of the first entity or of any Parent of the first entity; and
   3. c.any Affiliate.
8. 8. Higher Shari’a Authority: The Higher Shari’a Authority for Islamic banking and financial activities that was established by the Cabinet Resolution no. 2016 (1/و5/102) at the Central Bank.
9. 9. Inherent risk: The risk existing if no controls or other mitigating factors are in place.
10. 10. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
11. 11. Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.
12. 12. Parent: An entity (the 'first entity') which:
    1. a.holds a majority of the voting rights in another entity (the 'second entity');
    2. b.is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
    3. c.is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;
       Or;
    4. d.If the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
13. 13. Residual risk: The risk exposure after controls are considered.
14. 14. Risk appetite: The aggregate level and types of risk a Bank is willing to assume, decided in advance and within it risk capacity, to achieve its strategic objectives and business plan.
15. 15. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
16. 16. Risk limits: Specific quantitative measures that may not be exceeded, based on, for example, forward looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations or other measures, as appropriate.
17. 17. Risk Management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a Bank-wide and, if applicable, Group-wide basis.
18. 18. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
19. 19. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
    1. a.holds a majority of the voting rights in the first entity;
    2. b.is a shareholder of the first entity and has the right to appoint or remove a majority of the Board or managers of the first entity; or
    3. c.is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;
       Or;
    4. d.If the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.

1. 1.The fundamental premise of sound risk management is that the Board and the management of a Bank understand the nature and complexity of the risks inherent in the portfolio of the Bank’s products, services and activities. This is particularly important for operational risk.
2. 2.A Bank must establish, implement and maintain an operational risk governance framework, which enables it to identify, assess, evaluate, monitor, mitigate and control operational risk. The operational risk governance framework consists of policies, processes, procedures, systems and controls.
3. 3.The operational risk governance framework must be documented and approved by the Board of the Bank, must provide for a sound and well-defined framework to address the Bank's operational risk and must include definitions of operational risk and material operational loss.
4. 4.A Board is responsible for establishing, maintaining and overseeing a robust operational risk governance framework that must take into account the risk profile, nature, size and complexity of the Bank's business and structure.
5. 5.A Board must approve and subsequently review, at least annually, a risk appetite statement for operational risk that articulates the nature, types and levels of operational risk that the Bank is willing to assume and that sets appropriate limits and thresholds.
6. 6.The operational risk governance framework must be fully integrated into the Bank’s overall risk governance framework and risk management processes. This applies to all levels and areas of the Bank including to business lines and, if applicable, to Group levels, as well as new business initiatives, products, activities, processes and systems.
7. 7.The operational risk governance framework must clearly:
   1. a.Identify the governance structures used to manage operational risk, including reporting lines, responsibilities and accountabilities;
   2. b.Establish operational risk reporting and management information systems;
   3. c.Provide for periodic independent review and assessment of operational risk; and
   4. d.Require policies to be reviewed and revised as appropriate, whenever a material change in the operational risk profile of the Bank occurs.
8. 8.Larger or more complex Banks must have an Operational Risk Committee or other designated committee that addresses operational risk.
9. 9.A Bank must measure operational risks for capital purposes using the approach most appropriate to the risk profile, nature, size and complexity of the Bank's business and structure. Holding capital against operational risks, however, is not a substitute for effective operational risk management.
10. 10. A Bank must meet the following minimum criteria or demonstrate to the Central Bank that its framework meets the requirements for a comprehensive approach to operational risk management without the presence of all of the criteria enumerated below.
    1. a.A Bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. These responsibilities must include, but not be limited to, developing strategies to identify, assess, monitor and control or mitigate operational risk; codifying bank-level policies and procedures concerning operational risk management and controls; the design and implementation of the Bank’s operational risk assessment methodology; and the design and implementation of a risk-reporting system for operational risk.
    2. b.A Bank must systematically track relevant operational risk data including material losses by business line. Its operational risk assessment system must be closely integrated into the risk management processes and procedures of the Bank. Its output must be an integral part of the process of and procedures for monitoring and controlling the Banks operational risk profile. For instance, this information must play a prominent role in risk reporting, management reporting and risk analysis. The Bank must have techniques for creating incentives to improve the management of operational risk throughout the Bank.
    3. c.There must be regular reporting of operational risk exposures, including material operational losses, to business unit management, Senior Management and to the Board. The Bank must have procedures for taking appropriate action according to the information within the management reports.
    4. d.A Bank’s operational risk management system must be well documented. A Bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues.
    5. e.A Bank’s operational risk management processes and assessment system must be subject to regular internal audit review. These reviews must include both the activities of the business units and of the operational risk management function.

1. 1.The Board must establish and maintain a strong operational risk management culture, which has to be guided by strong operational risk management that supports and provides appropriate standards and incentives for professional and responsible behaviour. The Board must ensure that a strong control environment is established and maintained.
2. 2.The Board must establish and maintain a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identifies acceptable business practices and prohibits conflicts of interest.

1. 1.Senior Management must consistently implement and maintain throughout the Bank (and, if applicable, Group) policies, processes and systems for managing operational risk in all material products, activities, processes and systems, consistent with the risk appetite statement.
2. 2.Senior Management must clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability and to ensure that the necessary resources are available to manage operational risk in line with the Bank’s risk appetite statement. The management oversight process for operational risk must be appropriate to the risks inherent in a business unit’s activities.
3. 3.Senior Management must ensure that the control environment provides for appropriate independence and segregation of duties. The approach to operational risk management must incorporate the “three lines of defence” approach:
   1. a.Business line management responsible for identification and control of risks;
   2. b.Control functions of risk management and compliance; and
   3. c.Internal audit to provide independent assurance.
4. 4.Senior Management must implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms must be in place at the Board, senior management and business line levels that support proactive management of operational risk.
5. 5.Senior Management must ensure that an appropriate level of operational risk training is available at all levels throughout the Bank. Training that is provided must reflect the seniority, role and responsibilities of the individuals for whom it is intended.

1. 1.A Bank must identify and assess the operational risk inherent in all material products, activities, processes and systems. Effective identification and assessment considers both internal and external factors. This must include any operational risk arising from common points of exposure, such as a single external service provider serving the Bank.²
2. 2.A Bank’s approach to assessment of operational risk at a minimum must address the following items:
   1. a.Determining which operational risk assessment tools will be employed by the Bank and how they are to be used;
   2. b.Establishing and monitoring thresholds or limits for inherent and residual risk exposure;
   3. c.Calibration of identified risks against operational risk appetite limits, as well as thresholds or limits for inherent and residual risk and approved risk mitigation strategies and instruments; and
   4. d.Providing for common operational risk terminology to ensure consistency of risk identification and assessment on a bank-wide or, if applicable, Group-wide basis.
3. 3.A Bank must take into account its assessment of operational risk in its internal pricing and performance monitoring mechanisms.

² Appendix 1 provides examples of tools that may be used for identifying and assessing operational risk.

1. 1.A Bank must have a strong control environment, including but not limited to, appropriate segregation of duties and dual control. Areas of potential conflicts of interest must be identified, minimized and be subject to careful independent monitoring³ and review.
2. 2.A Bank, in addition to segregation of duties and dual control, must ensure that other traditional internal controls are in place. Such controls include but are not limited to:
   1. a.Clearly established authorities and/or processes for approval;
   2. b.Close monitoring of adherence to assigned risk thresholds or limits;
   3. c.Safeguards for access to and use of, Bank assets and records;
   4. d.Appropriate staffing level and training to maintain expertise;
   5. e.Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
   6. f.Regular verification and reconciliation of transactions and accounts; and
   7. g.A vacation policy that requires officers and employees to take a minimum leave of absence as determined by the Bank.
3. 3.Risk transfer and mitigation tools such as insurance are imperfect substitutes for sound controls and risk management so Banks must utilize risk transfer tools as complementary to, rather than a replacement for, internal operational risk control.

³ Independent monitoring may be done by the internal audit function or an external consultant, subject to the party having the appropriate skills to do so. The Central Bank will expect the Bank to explain and evidence its decision of how it chose an independent party and how their skills were assessed.

1. 1.Disaster recovery and business continuity planning must consider the whole of the Bank or Group, if applicable, to identify, assess and mitigate potential business continuity risks and ensure that the Bank is able to meet its financial and service obligations in the event of business disruptions.
2. 2.A Bank’s business continuity management (BCM) policy must be documented, set out its objectives and approach to BCM and be up-to-date. The BCM policy must clearly state the roles, responsibilities and authorities to act in relation to the BCM policy.
3. 3.A Bank must conduct business impact analysis (BIA) and risk assessment on an ongoing basis. A BIA involves identifying all critical business functions and assessing the impact of a disruption on these.
4. 4.Critical business functions are the business operations, resources and infrastructure that may, if disrupted, have a material impact on the Bank’s business functions, reputation, profitability or customers.
5. 5.When conducting the BIA, a Bank must consider at a minimum:
   1. a.Disruption scenarios over varying periods of time;
   2. b.The period of time for which the Bank could not operate without each of its critical business operations;
   3. c.The extent to which a disruption to the critical business operations might have a material impact on customers of the Bank; and
   4. d.The financial, legal, regulatory and reputational impact of a disruption to a Bank’s critical business operations over varying periods.
6. 6.A Bank must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA, taking into account the risk profile, nature, size and complexity of the Bank's business and structure. Recovery objectives are pre-defined goals for restoring critical business operations to a specified level of service (recovery level) within a defined period (recovery time) following a disruption.
7. 7.A Bank must maintain at all times a documented business continuity plan (BCP) that meets the objectives of the BCM policy. The BCP must reflect the specific requirements of the Bank and must identify:
   1. a.Critical business operations;
   2. b.Recovery levels and time targets for each critical business operation;
   3. c.Recovery strategies for each critical business operation;
   4. d.Infrastructure and resources required to implement the BCP;
   5. e.Roles, responsibilities and authorities to act in relation to the BCP; and
   6. f.Communication plans with staff and external stakeholders.
8. 8.A Bank must review and test its BCP at least annually or more frequently if there are material changes to business operations, to ensure that staff can effectively execute contingency plans and that recovery and resumption objectives and timeframes can be met. The results of the testing must be reported formally to the Board or to designated Senior Management in line with the BCM policy. The BCP must be updated if shortcomings are identified as a result of the review and testing.

1. 1.A Bank’s effective use and sound implementation of technology can contribute to the control environment. However, use of technology-related products, activities, processes and delivery channels exposes a Bank to strategic, operational and reputational risks and the possibility of material financial loss. Automated processes introduce risks that must be addressed through technology governance and infrastructure risk management programmes, including an information security management system.
2. 2.A Bank must have an integrated approach to identifying, measuring, monitoring and managing technology risk. Technology risk management includes but is not limited to:
   1. a.Governance and oversight controls that ensure technology, including outsourcing arrangements, are aligned with and supportive of the Bank’s business objectives;
   2. b.Establishment and maintenance of appropriate information technology policies, procedures and processes to identify, assess, monitor and manage technology risks;
   3. c.Establishment of a risk appetite statement and limits as well as performance expectations to assist in controlling and managing risk;
   4. d.Implementation of an effective control environment;
   5. e.Monitoring processes that test for compliance with policy thresholds or limits; and
   6. f.Establishment and maintenance of appropriate and sound information technology infrastructure to meet the current and projected business requirements of the Bank under normal circumstances and in periods of stress and which ensures data and system integrity, security and availability.

1. 1.A Bank must have information systems that enable accurate and timely monitoring of and reporting on operational risk. The level of sophistication of a Bank’s operational risk information system must be calibrated to the risk profile, complexity and systemic importance of the Bank.
2. 2.The processes for aggregating the necessary data and producing operational risk management reports must be fully documented. These must include standards, cut-off times and schedules for report production. The aggregation and reporting process must be subject to high standards of validation through periodic review by the internal audit function using staff with specific systems, data and reporting expertise, particularly where the process requires substantial manual intervention.
3. 3.Operational risk reports to Senior Management and the Board must provide aggregate information as well as sufficient supporting detail to enable Senior Management and the Board to understand and assess the Bank’s operational risk exposures.

1. 1.A Bank must notify the Central Bank promptly and no later than 24 hours after experiencing an operational risk event that triggers, or is likely to trigger, disaster recovery or business continuity plans, or has, or is likely to have, a significant impact on the Bank’s operations, profitability or capital. The Bank must explain to the Central Bank the nature of the event, actions being taken, the likely effect and the timeframe for returning to normal operations, where applicable. The Bank must notify the Central Bank when normal operations resume.
2. 2.A Board-approved disclosure policy must provide for the Bank’s publication of sufficient information on operational risk and controls to allow stakeholders to assess its approach to operational risk management and to determine whether the Bank identifies, assesses, evaluates, monitors and controls and mitigates operational risk effectively. In addition, a Bank must implement a process for assessing the appropriateness of its operational risk disclosures.
3. 3.Branches and Subsidiaries of foreign Banks operating in the UAE may largely rely on the Group’s disclosures, supplemented by disclosure, at least annually through their websites that are dedicated to their activities in the UAE, of a summary of the local branch or Subsidiary’s operational risk management framework.
4. 4.A Bank’s public disclosures must be commensurate with the size, risk profile and complexity of a Bank’s operations and evolving industry practice. A Bank’s disclosures must be consistent with how Senior Management and the Board assess and manage the operational risk of the Bank.

1. 1.In general, a Bank’s operational risk exposure is increased when a Bank engages in new activities, develops new products, enters unfamiliar markets, implements new business processes or technology systems and/or engages in businesses that are geographically distant from its head office. A Bank must ensure that its risk management control infrastructure is appropriate and that it keeps pace with the development of or changes to its products, activities, processes and systems.
2. 2.A Bank must have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process must consider at a minimum:
   1. a.Inherent risks, including but not limited to legal risks, in the new product, service or activity;
   2. b.Changes to the Bank’s risk profile and operational risk appetite, including the risk of existing products or activities;
   3. c.The necessary controls, risk management processes and risk mitigation strategies;
   4. d.Residual risk;
   5. e.Changes to relevant risk thresholds or limits;
   6. f.Procedures and metrics to measure, monitor and manage the risk of the new product or activity; and
   7. g.Whether appropriate investment has been made for human resources and technology infrastructure before new products are introduced.
3. 3.A Bank must ensure that the implementation of new products, activities, processes and systems is monitored in order to identify any material differences to the expected operational risk profile and to manage any unexpected risks.

1. 1.A Bank offering Islamic financial services must have in place adequate systems and controls, including a Shari’a Control Committee, to ensure compliance with Shari’a provisions. This includes policies and procedures for the approval of Islamic products, contracts and activities.
2. 2.A Bank offering Islamic financial services must keep track of income not recognized arising from Shari’a non-compliance and assess the probability of similar cases arising in the future. Based on historical reviews and potential areas of Shari’a non-compliance, the Bank must assess potential profits that cannot be recognized as eligible Islamic Banking profits.
3. 3.A Bank offering Islamic financial services must undertake a Shari’a compliance review at least annually, performed either by a separate Shari’a Audit function or as part of the existing internal and external audit function by persons having the required knowledge and expertise. The objective must be to ensure that the nature of the Bank’s financing and equity investment and its operations are executed in adherence to the applicable Shari’a rules and principles as per the fatwa, policies and procedures approved by the Shari’a Control Committee in accordance with the requirements set by the Central Bank and the Higher Shari’a Authority.
4. 4.A Bank offering Islamic financial services must establish and implement a clear and formal policy for undertaking its different and potentially conflicting roles in respect of managing different types of investment accounts. The policy relating to safeguarding the interests of its investment account holders may include but is not limited to:
   1. a.Identification of investing activities that contribute to investment returns and taking reasonable steps to carry on those activities in accordance with the Bank’s fiduciary and agency duties and to treat all its fund providers appropriately and in accordance with the terms and conditions of its investment agreements;
   2. b.Allocation of assets and profits between the Bank and its investment account holders must be managed and applied appropriately to investment account holders having funds invested over different investment periods;
   3. c.Determination of appropriate reserves at levels that do not discriminate against the right for better returns of existing investment account holders; and
   4. d.Limiting the risk transmission between current and investment accounts.
5. 5.A Bank offering Islamic financial services must adequately disclose information on a timely basis to its investment account holders and the markets in order to provide a reliable basis for assessing its risk profile and investment performance.
6. 6.A Bank offering Islamic financial services must maintain separate accounts in respect of the Bank’s operations undertaken for restricted investment account holders and ensure proper maintenance of records for all transactions in investments.

Examples of tools⁴ that may be used for identifying and assessing operational risk include:

• Internal loss data collection and analysis: Internal operational loss data provides meaningful information for assessing a Bank’s exposure to operational risk and the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic. Banks may also find it useful to capture and monitor operational risk contributions to credit and market risk related losses in order to obtain a more complete view of their operational risk exposure.
• External data collection and analysis: External data elements consist of gross operational loss amounts, dates, recoveries and relevant causal information for operational loss events occurring at organizations other than the Bank. External loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures.
• Risk assessments: In a risk assessment, often referred to as a risk self-assessment, a Bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, risk control self-assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment and residual risk (the risk exposure after controls) are considered. Scorecards built on RCSAs by weighting residual risks provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment.
• Business process mapping: Business process mappings identify the key steps in business processes, activities and organizational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies and areas of control or risk management weakness. They also can help prioritize subsequent management action.
• Risk and performance indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a Bank’s risk exposure. Risk indicators, often referred to as Key Risk Indictors (KRIs), provide insight into the status of operational processes, which in turn may provide insight into operational weaknesses, failures and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans.
• Scenario analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process.
• Models: Larger Banks may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure. The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return.
• Comparative analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the Bank’s operational risk profile. For example, comparison of the frequency and severity of internal data with RCSAs can help the Bank determine whether self-assessment processes are functioning effectively. Scenario data can be compared to internal and external data to gain a better understanding of the severity of the Bank’s exposure to potential risk events.
• Audit findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors. Banks must not solely rely on internal audit to identify operational risks.

⁴ Banks are encouraged to use a range of tools to gain an understanding of their operational risks, in a manner consistent and proportional with the size and complexity of the bank and the operational risks it faces.

The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, Banks exposed to interest rate and rate of return risk in the banking book (IRRBB) must have appropriate policies, processes, procedures, systems and controls to identify, measure, monitor, report on, control and mitigate such risks.

In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Banks’ approaches to the management of (IRRBB) are in line with leading international practices.

This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

Where this Regulation or its accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements, which are additional to the list provided in the relevant article.

The objective of these Regulations is to establish minimum requirements for (IRRBB) management for Banks, with a view to:

i. Ensuring the soundness of Banks; and

ii. Enhancing financial stability.

The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to the management of (IRRBB).

This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.

This Regulation and Standards must be read in conjunction with the Risk Management Regulation and Standards, which establish the requirements for a Bank’s overarching approach to risk management.

1. Affiliate: An entity that, directly or indirectly, controls is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity or of the power to direct or cause the direction of the management of another entity.
    
2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a Bank.
    
3. Board: The Bank’s Board of Directors.
    
4. Banking Book: Positions in financial instruments that are expected to be held to maturity.
    
5. Central Bank: The Central Bank of the United Arab Emirates.
    
6. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of
    
7. Central Bank regulations: any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
    
8. Group: a group of entities which includes an entity (the ‘first entity’) and:
    
   1. a) any Parent of the first entity;
       
   2. b) any Subsidiary of the first entity or of any Parent of the first entity; and
       
   3. c) any Affiliate.
       
9. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
    
10. Parent: an entity (the ‘first entity’) which:
     
    1. a) holds a majority of the voting rights in another entity (the ‘second entity’);
        
    2. b) is a shareholder of the second entity and has the right to appoint or remove a majority of the board or managers of the second entity; or
        
    3. c) is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity.
        

       Or;
       d) if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.

11. Risk appetite: The aggregate level and types of risk a Bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
     
12. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
     
13. Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations or other measures as appropriate.
     
14. Risk profile: Point in time assessment of the Bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
     
15. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including but not limited to the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
     
16. Subsidiary: an entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
     
    1. a) holds a majority of the voting rights in the first entity;
        
    2. b) is a shareholder of the first entity and has the right to appoint or remove a majority of the board or managers of the first entity; or
        
    3. c) is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity.
        

       Or;
       d) if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.

17. Trading Book: Positions in financial instruments and commodities held either with trading intent or in order to hedge other elements of the trading book.
     

1. A Bank must have an appropriate IRRBB strategy and risk governance framework that provides a bank-wide and if applicable Group-wide view of IRRBB. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of IRRBB on a timely basis.
    
2. A Bank’s IRRBB strategy, policies and processes must be consistent with the risk appetite statement, risk profile and systemic importance of the Bank, taking into account market and macroeconomic conditions.
    
3. A Bank’s IRRBB strategy, policies, and processes must be reviewed at least annually and appropriately adjusted, where necessary, in line with the Bank’s changing risk profile and market developments.
    
4. A Bank’s strategy, policies and processes for IRRBB must be approved and reviewed at least annually by the Board.
    
5. The Senior Management must ensure that the strategy, policies and processes are developed and implemented effectively.
    
6. A Bank’s policies and processes must establish an appropriate and properly controlled IRRBB environment, including, at a minimum, the following items:
    
   1. Comprehensive and appropriate interest rate risk measurement systems;
       
   2. Regular review and independent (internal or external) validation of any models used by the functions tasked with managing IRRBB, including review of key model assumptions;
       
   3. Appropriate limits that are approved by the Board and Senior Management and that reflect the Bank’s risk appetite, risk profile and capital strength, and are understood by and regularly communicated to, relevant staff;
       
   4. Effective processes for exception tracking and reporting which ensure prompt action at the appropriate level of the Senior Management or Board, where necessary; and
       
   5. Effective information systems for accurate identification, aggregation, monitoring and timely reporting of IRRBB exposure to the Board and Senior Management.
       

1. A Bank’s risk management function must include policies, procedures and systems for monitoring and reporting to ensure that IRRBB exposures are aligned with the Bank’s strategy and business plan and consistent with the Board approved risk appetite statement and individual risk limits, as well as the systemic importance of the Bank, taking into account market and macroeconomic conditions.
    

1. A Bank must have comprehensive and appropriate interest rate risk measurement systems, which generate a quantification of the threat to earnings and economic value from IRRBB.
    
2. A Bank must ensure that there is a regular review and independent (internal or external) validation of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions).
    

1. A Bank must include appropriate scenarios in its stress testing programs to measure its vulnerability to loss under adverse interest rate movements, including but not limited to the impact on the banking book of a standardized interest rate shock as prescribed by the Central Bank.
    
2. A Bank must ensure that its internal capital measurement systems adequately capture IRRBB.
    

1. A Bank must have information systems that enable it to identify, accurately aggregate, monitor and report IRRBB to the Board and Senior Management on a timely basis, in formats suitable for their use.
    

1. Banks must report to the Central Bank on their IRRBB exposure in the format and frequency prescribed in the Standards.
    
2. A Bank must provide upon request any specific information with respect to IRRBB that the Central Bank may require.
    
3. A Bank must promptly notify the Central Bank when it becomes aware of a significant deviation from the Board-approved IRRBB risk limits, policies or procedures or becomes aware that a material interest rate risk has not been adequately addressed.
    

1. A Bank offering Islamic financial services must apply the provisions of this Regulation, subject to such adjustments as are necessary, in relation to its RoRR (rate of return risk).
    
2. A Bank offering Islamic financial services must establish a comprehensive risk management and reporting process to assess the potential impacts of market factors affecting rates of return on assets in comparison to rates paid on its liabilities.
    
3. A Bank offering Islamic financial services must have in place an appropriate framework for managing displaced commercial risk, where applicable.
    

1. Violation of any provision of this Regulation and the accompanying Standards shall be subject to supervisory action as deemed appropriate by the Central Bank.

1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

1. These Regulation and the accompanying Standards replace all previous Central Bank Regulations and Notices with respect to IRRBB.

1. This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

1. 1.These Standards form part of the Interest Rate and Rate of Return Risk in the Banking Book (IRRBB) Regulation. All Banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. 2.Banks offering Islamic financial services must apply the same principles to address rate of return risk.
3. 3.IRRBB is a normal part of banking and can be an important source of profitability and shareholder value to a bank. However, excessive IRRBB can pose a significant threat to a Bank’s earnings and capital base. Changes in interest rates affect a Bank’s earnings by changing its net interest income and the level of other interest-sensitive income and operating expenses. Changes in interest rates also affect the underlying value of a Bank’s assets, liabilities and off-balance sheet items, as the present value of future cash flows change. Accordingly, an effective risk management process that maintains IRRBB within prudent levels is essential to the safety and soundness of a Bank.
4. 4.A Bank’s Board is in ultimate control of the bank and accordingly ultimately responsible for the bank’s approach to IRRBB. There is no one-size-fits-all or single best solution. Accordingly, each bank could meet the minimum requirements of the Regulation and Standards in different ways and thus may adopt an organizational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Bank’s Board to demonstrate that it has implemented an approach that adequately addresses IRRBB. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards.¹
5. 5.The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

¹ The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

1. 1.Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
2. 2.Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
3. 3.Basis risk: The risk of loss arising from imperfect correlation in changes of the rates earned and paid on different instruments with otherwise similar re-pricing characteristics.
4. 4.Board: The Bank’s Board of Directors.
5. 5.Central Bank: The Central Bank of the United Arab Emirates.
6. 6.Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
7. 7.Central Bank regulation: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
8. 8.Displaced commercial risk: Market pressure to pay a return that exceeds the rate earned on assets financed by the investment account holders of a Bank offering Islamic financial services in order to attract or retain funds provided by investment account holders.
9. 9.Group: a group of entities that includes an entity (the ‘first entity’) and:
   1. a.any Parent of the first entity;
   2. b.any Subsidiary of the first entity or of any Parent of the first entity; and
   3. c.any Affiliate.
10. 10.Interest rate risk (IRR): The risk of loss arising from changes in interest rates. Interest rate risk has a number of manifestations, including basis risk, optionality, re-pricing risk and yield curve risk and can present itself in a Bank’s banking book and in its trading book.
11. 11.Interest rate risk in the banking book (IRRBB): The risk of loss in the banking book caused by changes in interest rates.
12. 12.Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
13. 13.Option risk: The risk of loss arising from the exercise by a counterparty of an option to re-price, redeem or change maturity of bank assets, liabilities or off balance sheet items.
14. 14.Parent: an entity (the ‘first entity’) which:
    1. a.holds a majority of the voting rights in another entity (the ‘second entity’);
    2. b.is a shareholder of the second entity and has the right to appoint or remove a majority of the Board or managers of the second entity; or
    3. c.is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;

       
       Or;

    4. d.If the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
15. 15.Rate of return risk: The risk that unexpected changes in market rates of return adversely affect the earnings of a Bank offering Islamic financial services.
16. 16.Re-pricing risk: The risk of loss arising from timing differences in the maturity (for fixed-rate) and re-pricing (for floating-rate) of Bank assets, liabilities and off-balance sheet positions.
17. 17.Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
18. 18.Risk limits: Specific quantitative measures, which may not be exceeded, based on, for example, forward looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations or other measures as appropriate.
19. 19.Risk Management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a Bank and if applicable Group-wide basis.
20. 20.Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including but not limited to the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
21. 21.Subsidiary: an entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
    1. a.holds a majority of the voting rights in the first entity;
    2. b.is a shareholder of the first entity and has the right to appoint or remove a majority of the Board or managers of the first entity; or
    3. c.is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;

       
       Or;

    4. d.If the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.
22. 22.Yield curve risk: The risk of loss arising from unanticipated shifts of the yield curve adversely effecting a Bank’s earnings or economic value.

1. 1.A Bank must establish, implement and maintain an interest rate and rate of return risk governance framework, which enables it to identify, assess, monitor, mitigate and control interest rate risk. The interest rate and rate of return risk governance framework consists of policies, processes, procedures, systems and controls.
2. 2.The interest rate and rate of return risk governance framework must be documented and approved by the Board of the Bank and must provide for a sound and well-defined framework to address the Bank’s interest rate and rate of return risk.
3. 3.A Bank’s Board is responsible for establishing, maintaining and overseeing a robust interest rate and rate of return risk governance framework which must take into account the risk profile, nature, size and complexity of the Bank’s business and structure.
4. 4.A Bank’s interest rate and rate of return risk governance framework must address the following with respect to IRRBB:
   1. a.Effective oversight by the Board;
   2. b.Adequate risk management policies and procedures;
   3. c.Larger and more complex Banks must address IRRBB as part of the asset and liability management process, which must include an Assets and Liability Management Committee (ALCO) or other designated committee;
   4. d.Capturing all material sources and accurately measuring IRRBB;
   5. e.Effective processes for analyzing and assessing IRRBB;
   6. f.Regular monitoring of the IRRBB profile;
   7. g.Monitoring and enforcement of IRRBB limits;
   8. h.Stress-testing of IRRBB and use of results in decision-making;
   9. i.Oversight by the risk management function;
   10. j.Independent assurance by the internal audit function; and
   11. k.Regular reporting to Senior Management and the Board.
5. 5.The Board-approved risk appetite statement must specify authorized activities, investments and instruments and specify any activities, investments and instruments, which are not consistent with the Bank’s risk appetite.
6. 6.A Bank must clearly define the individuals, functions and/or committees responsible for managing interest rate risk and must ensure that there is adequate separation of duties in the risk management process to avoid conflicts of interest.
7. 7.A Bank must have risk measurement, monitoring and control functions with clearly defined duties that are sufficiently independent from position-taking functions and the finance function and which report interest rate risk exposures directly to Senior Management and the Board.

1. 1.Larger or more complex banks must have an ALCO or other designated committee, which addresses IRRBB. The control functions carried out by the ALCO or other designated committee, such as administering the risk limits are part of the overall risk management and internal control system.
2. 2.The personnel charged with measuring, monitoring and controlling interest rate risk must have a well-founded understanding of all types of interest rate risk faced throughout the Bank.
3. 3.The goal of a Bank’s interest rate risk management must be to maintain a Bank’s interest rate risk exposure within self-imposed parameters over a range of possible changes in interest rates. The limits must be appropriate to the size, complexity and capital adequacy of the Bank, as well as its ability to measure and manage its risk.

1. 1.A Bank must have an interest rate risk measurement systems that assesses the effects of rate changes on both earnings and economic value. These systems must provide meaningful measures of a Bank’s current levels of interest rate risk exposure and must be capable of identifying any excessive exposures that might arise.
2. 2.As a general rule, a Bank’s measurement systems must incorporate interest rate risk exposures arising from the full scope of a Bank’s activities, including both trading and non-trading sources, to enable management to have an integrated view of interest rate risk across products and business lines. This does not preclude different measurement systems and risk management approaches being used for different activities.
3. 3.A Bank’s interest rate risk measurement system must address all material sources of interest rate risk, including re-pricing, yield curve, basis and options risk exposures. While all of a Bank’s holdings must receive appropriate treatment, concentrations and instruments which might significantly affect a Bank’s aggregate position, must receive rigorous treatment. Instruments with significant embedded or explicit option characteristics must receive special attention.
4. 4.At a minimum on a monthly basis, a Bank must prepare a maturity/re-pricing schedule with indicators of the interest rate risk sensitivity of both earnings and economic value, based on both a contractual and behavioral basis. Systemically important Banks must employ more sophisticated interest rate risk measurement systems, including simulation techniques.
5. 5.In designing interest rate risk measurement systems, a Bank must ensure that the degree of detail about the nature of their interest-sensitive positions is commensurate with the complexity and risk inherent in these positions.
6. 6.A Bank must also consider its dependency on various funding sources since a sudden withdrawal of these funds can have an adverse effect on earnings and economic value through basis risk, re-pricing risk and yield curve risk.

1. 1.A Bank must, at a minimum, include in its stress test scenarios the impact of a 200 basis point upward and downward parallel change in interest rates in addition to other scenarios which the Bank determines are appropriate considering the risk profile, nature, size and complexity of its business and structure. A Bank, which is exposed to an economic value decline exceeding 20 percent of total capital from this standardized 200 basis point interest rate shock (or some other level determined by the Central Bank) will be required by the Central Bank to reduce its risk and/or hold additional capital.
2. 2.Other stress scenarios which a Bank may use include, but are not limited to, more severe changes in the general level of interest rates, changes in the relationships among key market rates (basis risk), changes in the slope and shape of the yield curve (yield curve risk), changes in the liquidity of key financial markets or changes in the volatility of market rates. In addition, stress scenarios must include conditions under which key business assumptions and parameters break down. A Bank’s Internal Capital Assessment Process must address IRRBB exposures as part of Pillar 2.

1. 1.A Bank’s systems must support supervisory reporting requirements for IRRBB as provided in these Standards as well as provision of IRRBB reports to all relevant parties within the Bank on a timely basis and in a format commensurate with their needs.
2. 2.The processes for aggregating the necessary data and producing supervisory and internal IRRBB management reports must be fully documented. These must include standards, cut-off times and schedules for report production. The aggregation and reporting process must be subject to high standards of validation through periodic review by the internal audit function using staff with specific systems, data and reporting expertise, particularly where the process requires substantial manual intervention.
3. 3.Interest rate risk reports to Senior Management and the Board must provide aggregate information as well as sufficient supporting detail to enable Senior Management and the Board to assess the sensitivity of the Bank to changes in market conditions and other important risk factors.

1. 1.A Bank must submit to the Central Bank the Report on Interest Rate in the Banking Book’ on a quarterly basis.
2. 2.A bank offering Islamic financial services must submit to the Central Bank the Report on Rate of Return Risk on a quarterly basis.

1. 1.A Bank providing Islamic financial services must be aware of the factors that give rise to rate of return risk (RoRR), primarily increasing long-term fixed profit rates. (RoRR) is generally associated with overall balance sheet exposures of Banks offering Islamic financial services where mismatches arise between assets and balances from fund providers.
2. 2.Cash flow forecasting is central to the measurement and management of RoRR. Banks offering Islamic financial services must consider behavioural maturity in addition to contractual maturity and re-pricing dates for instruments and contracts, and other relevant parameters. Depending on the size and complexity of the Bank, measurement techniques may include simple gap analysis, more advanced simulations or dynamic approaches to assess future cash flow variability and the impact on economic value and income.
3. 3.A Bank offering Islamic financial services must assess, monitor and manage its dependency on current account holders funds, as a sudden withdrawal of these funds can have an adverse impact on the overall potential rate of return for the holders of the Bank.
4. 4.A consequence of RoRR may be displaced commercial risk. As part of an appropriate framework for the management of displaced commercial risk, a Bank offering Islamic financial services must have in place a policy and framework for managing the expectations of its shareholders and investment account holders and monitoring the market rates of returns of competitors.

1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or the power to direct or cause the direction of the management of another entity.
    
2. Bank: A financial entity which is authorized by the Central Bank to accept deposits as a bank.
    
3. Board: The Bank’s board of directors.
    
4. Central Bank: The Central Bank of the United Arab Emirates.
    
5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of banking as amended or replaced from time to time.
    
6. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
    
7. Country risk: The risk of loss caused by events in a foreign country, which may include changes in economic, social, political or regulatory conditions that affect obligors in that country and, potentially, obligations denominated in that country’s currency.
    
8. Group: A group of entities that includes an entity (the ‘first entity’) and:
    
   1. any Parent of the first entity;
       
   2. any Subsidiary of the first entity or of any Parent of the first entity; and
       
   3. any Affiliate.
       
9. Parent: An entity (the ‘first entity’) which:
    
   1. holds a majority of the voting rights in another entity (the ‘second entity’);
       
   2. is a shareholder of the second entity and has the right to appoint or remove a majority of the board or managers of the second entity; or
       
   3. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;
       

      Or;
       

   4. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
       
10. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the bank’s strategy and risk approach, articulate and monitor adherence to the risk appetite and risk limits relative to the bank’s strategy; and identify, measure, manage and control risks.
     
11. Risk limits: Specific quantitative measures that may not be exceeded, based on, for example, forward-looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations, or other measures, as appropriate.
     
12. Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank-wide and, if applicable, group-wide basis.
     
13. Senior management: The executive management of the bank responsible and accountable to the Board for the sound and prudent day-to-day management of the bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
     
14. Subsidiary: An entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
     
    1. holds a majority of the voting rights in the first entity;
        
    2. is a shareholder of the first entity and has the right to appoint or remove a majority of the board or managers of the first entity; or
        
    3. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity.
        

       Or;

    4. if the first entity is a subsidiary of another entity, which is itself a subsidiary of the second entity.
        
15. Transfer risk: The risk that a borrower will not be able to convert local currency into foreign exchange and so be unable to make debt service payments in foreign currency.

The objective of the Regulation is to establish the minimum acceptable standards for banks’ approach to managing country and transfer risks with a view to:

1.  Ensuring the soundness of banks; and
    
2.  Contributing to financial stability.

The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to the management of country and transfer risks.

The Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant Group relationships, including subsidiaries, affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and group-wide basis.

The Regulation and Standards must be read in conjunction with the Risk Management Regulation and Standards, which establish the requirements for Banks’ overarching approach to risk management.

The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, banks exposed to country and transfer risks are required to have appropriate policies, processes, procedures, systems and controls to identify, monitor and mitigate such risks.

In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Banks’ approach to managing country and transfer risks are in line with leading international practices.

The Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

Where the Regulation, or their accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements that are additional to the list provided in the relevant Article.

1. A Bank’s risk governance framework must include policies and procedures for the identification, measurement, monitoring and reporting on country and transfer risk in the Bank’s international funding, lending and investments on a timely basis.
    
2. The risk governance framework must provide a bank-wide, or if applicable, group-wide view of country and transfer risks, including, where relevant, intra-group exposures.
    
3. For Banks with material exposure to country and transfer risks, the risk governance framework must, at minimum, provide for the following items:
    
   1. Country and transfer risk limits established in the board-approved risk appetite statement;
       
   2. Documentation of the roles and responsibilities of the different parts of the Bank involved in managing country and transfer risk;
       
   3. Definition of material country and transfer risks taking into account the size and nature of cross-border exposures relative to the total business of the Bank;
       
   4. Policies and procedures to ensure that all material country and transfer risks are identified, measured, managed, mitigated and reported upon in a timely and comprehensive manner;
       
   5. Policies and procedures to ensure that developments affecting country and transfer risks are monitored, and where required, appropriate countermeasures such as reducing exposure limits or other techniques are employed; and
       
   6. Policies and procedures to ensure that provisioning reflects prudent minimums based on internal standards for exposure to each relevant country or through explicit consideration of country and transfer risk in the provisioning for individual exposures.

1. The risk management function must include policies, procedures, systems and controls for monitoring and reporting to ensure that country and transfer risk exposures are aligned with the Bank’s strategy and business plan and consistent with the board-approved risk appetite and individual risk limits.

1. A Bank with material country and transfer risks exposure must include in its stress testing program appropriate scenarios reflecting potential shocks such as introduction of capital and exchange controls in relevant foreign jurisdictions, taking into account the impact on all exposures, domestic or cross-border, affected by such shocks.

1. A Bank must have information systems that enable it to accurately aggregate, monitor and report country exposures. Reports must be provided on a timely basis to the Board and Senior Management, in formats suitable for their use.

1. Banks must report to the Central Bank on their country and transfer risks exposure in the format and frequency prescribed by the Central Bank.
    
2. A Bank must provide upon request any specific information with respect to country and transfer risks that the Central Bank may require.
    
3. A Bank must immediately notify the Central Bank when it becomes aware of a significant deviation from the country and transfer risk limits established in its board-approved policies, or becomes aware that a material country or transfer risk has not been adequately addressed.

1. Violation of any provision of this Regulation and the accompanying Standards may be subject to supervisory action as deemed appropriate by the Central Bank.

1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

1. This Regulation and the accompanying Standards replace all previous Central Bank Regulations with respect to country and transfer risks.

1. This Regulation and the accompanying Standards shall be published in the Official Gazette, in both Arabic and English, and shall come into effect one month from the date of publication.

1. 1.These Standards form part of the Country and Transfer Risks Regulation. All Banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. 2.Banks engaged in international activities are exposed to the risk that conditions and events in a foreign country will adversely affect their financial performance. They are further exposed to the risk that capital controls or foreign exchange restrictions may limit the ability of a foreign counterparty, branch or subsidiary to make contractual payments. These country and transfer risks could threaten the soundness of a bank if not monitored and controlled.
3. 3.A Bank’s board of directors is in ultimate control of the bank and accordingly, ultimately responsible for the bank’s approach to country and transfer risk. Country and transfer risks may not be material for all banks. The Board is responsible for ensuring that country and transfer risks exposures are identified and if required, that appropriate policies and procedures are in place to manage those risks. There is no one-size-fits-all or single best solution. Accordingly, each Bank could meet the minimum requirements of the Country and Transfer Risks Regulation and Standards in a different way and thus may adopt a country and transfer risk framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the bank’s board to demonstrate that it has implemented an approach that adequately addresses country and transfer risks. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards¹.
4. 4.The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

¹ The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

1. 1.Affiliate: An entity that, directly or indirectly, controls, is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity or of the power to direct or cause the direction of the management of another entity.
2. 2.Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
3. 3.Central Bank: The Central Bank of the United Arab Emirates.
4. 4.Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
5. 5.Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
6. 6.Country risk: The risk of loss caused by events in a foreign country that may include changes in economic, social, political or regulatory conditions that affect obligors in that country and obligations denominated in that country’s currency.
7. 7.Group: A group of entities that includes an entity (the ‘first entity’) and:
   1. a.any Parent of the first entity;
   2. b.any Subsidiary of the first entity or of any Parent of the first entity; and
   3. c.any Affiliate.
8. 8.Parent: An entity (the ‘first entity’) which:
   1. a.holds a majority of the voting rights in another entity (the ‘second entity’);
   2. b.is a shareholder of the second entity and has the right to appoint or remove a majority of the board of directors or managers of the second entity; or
   3. c.is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;

      Or;

   4. d.if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
9. 9.Risk governance framework: As part of the overall approach to corporate governance, the framework through which the board and management establish and make decisions about the bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the bank’s strategy; and identify, measure, manage and control risks.
10. 10.Risk limits: Specific quantitative measures which may not be exceeded, based on, for example, forward looking assumptions that allocate the bank’s aggregate risk appetite to business lines, legal entities or management units within the bank or group in the form of specific risk categories, concentrations or other measures as appropriate.
11. 11.Risk management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a bank and, if applicable, group-wide basis.
12. 12.Senior management: The executive management of the bank responsible and accountable to the board for the sound and prudent day-to-day management of the bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
13. 13.Subsidiary: An entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
    1. a.holds a majority of the voting rights in the first entity;
    2. b.is a shareholder of the first entity and has the right to appoint or remove a majority of the board of directors or managers of the first entity; or
    3. c.is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;

       Or;

    4. d.if the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.
14. 14.Transfer risk: The risk that a borrower will not be able to convert local currency into foreign exchange and so be unable to make debt service payments in foreign currency.

1. 1.The risk governance framework varies with the specific circumstances of each bank, particularly the risk profile, nature, size and complexity of its business and structure. For a bank with material country and transfer risk exposures, its risk governance framework must address the following:
   1. a.Effective oversight by the board of directors;
   2. b.Adequate risk management policies and procedures;
   3. c.An accurate system for reporting country exposures;
   4. d.An effective process for analyzing country risk;
   5. e.A country risk-rating system;
   6. f.Country risk exposure limits;
   7. g.Regular monitoring of country conditions;
   8. h.Provisioning policies that explicitly consider country and transfer risks;
   9. i.Periodic stress-testing of foreign exposures;
   10. j.Oversight by the risk management function; and
   11. k.Independent assurance by the internal audit function.
2. 2.A bank’s definition and identification of material country and transfer risks must take into account the risk profile, nature, size and complexity of its business and structure. The Central Bank will generally consider as material an aggregate exposure to any single foreign jurisdiction exceeding five percent, or an aggregate exposure to all foreign jurisdictions exceeding 10 percent, of any relevant metric which may include but is not limited to total loans, total liabilities, interest income, interest expense and non-interest income. Banks are encouraged to establish lower thresholds for materiality if required for consistency with the board-approved risk appetite statement.
3. 3.A bank must establish and maintain a board-approved risk appetite statement that specifies the types of country risk the bank is prepared to assume in pursuit of its business strategy and objectives and limits for those risks. For banks with moderate country risk exposure it may be appropriate to address these risks under a single grouping of cross-border exposures, but depending on the business of the bank, it may be appropriate to specifically address some or all of the below:
   1. a.Sovereign risk — a foreign government’s capacity and willingness to repay its direct and indirect foreign currency obligations;
   2. b.Contagion risk — adverse developments in one country lead to a downgrade and/or difficulty accessing international markets not only for that country but for others in a region or investment class, notwithstanding that the other countries may be more credit worthy;
   3. c.Currency risk — a borrower’s domestic currency holdings and cash flow become inadequate to service its foreign currency denominated debt due to changes in exchange rates²;
   4. d.Indirect country risk — the repayment ability of a domestic borrower is affected by adverse developments in a country where the borrower has significant business interests;
   5. e.Liquidity risk — developments in a country where the bank raises a significant portion of its deposits or other funding may adversely affect the bank’s liquidity and funding profile; and
   6. f.Macroeconomic risks — a foreign counterparty may be adversely affected by high interest rates, currency depreciation or broader macroeconomic instability, affecting its repayment capacity.
4. 4.The board-approved risk appetite statement must specify authorized activities, investments and instruments and delineate any types of country and transfer risk that the bank is not prepared to assume and, where appropriate, specify any activities, investments and instruments that are not consistent with the bank’s risk appetite. Risk limits are typically established on a country basis, but banks must also consider whether regional or other limits such as aggregate exposures to lesser developed countries are appropriate.
5. 5.A bank must also consider whether different limits may be established for different types of exposure in a specific country.
6. 6.Country exposure limits, sub-limits and regional or other limits with respect to country and transfer risk as established in the board-approved risk appetite statement must take into account the following:
   1. a.The bank’s overall strategy guiding its international activities;
   2. b.Country risk ratings and the bank’s risk tolerance;
   3. c.Perceived business opportunities in the country (or region); and
   4. d.Support for the international business needs of domestic customers.
7. 7.A bank’s provisioning policies must expressly consider country and transfer risks. Provisions for country and transfer risks may be made on an aggregate basis by country in addition to specific provisions against individual exposures, or by factoring an element of provision for each country risk into the specific provisioning for each individual exposure. Regardless of the approach, banks must ensure adequate provisioning for country and transfer risks based on their assessment of the probability of losses on their cross-border exposures.

² Note that this is in addition to transfer risk — the risk that official restrictions on currency conversion and/or cross-border remittances may affect the counterparty’s ability to make payments.

1. 1.The specific requirements for the risk management function will vary with the specific circumstances of each bank, particularly the risk profile, nature, size and complexity of its business and structure. For banks with material country and transfer risks exposure, the risk management function must address the following:
   1. a.Quantitative and qualitative ongoing assessment of the risks associated with each country in which the institution has or is planning to have exposure;
   2. b.Formal analysis of country risk completed at least annually, with an effective system for monitoring developments in the interim;
   3. c.Conclusions reported to Senior Management and the board in a manner that provides a bank-wide and, if applicable, group-wide view of country and transfer risks exposures; and
   4. d.Verification that individual and aggregate country and transfer risks exposure limits are adhered to, with a process for escalating breaches to senior management, the board or the board risk committee, as appropriate.
2. 2.A bank with material country and transfer risks exposures must have a country risk rating system reflecting a structured approach to assessing country and transfer risk. Banks may use external country ratings as part of their internal approach. A bank’s country risk-rating system must be linked to its country and transfer risk provisioning methodology. A bank is encouraged to compare for reasonableness the results of their internal country risk-rating process to one or more external rating systems, such as export credit agencies classifications, OECD country risk assessments³, or ratings agencies sovereign ratings.

³ Country risk classifications of the OECD Participants to the Arrangement on Officially Supported Export Credits are available at http://www.oecd.org/tad/xcred/crc.htm.

1. 1.A bank with material country and transfer risks exposure must include in its stress testing program appropriate scenarios for country and transfer risk. This does not necessarily require sophisticated modelling tools, but does require the bank to evaluate the potential impact of various scenarios affecting countries, regions or types of foreign exposures, as appropriate considering the bank’s business. Scenarios may include, but are not limited to, macro-economic shocks such as interest rate and exchange rate movements, GDP contraction and the introduction of exchange or capital controls.

1. 1.A bank’s systems must support supervisory reporting requirements for country and transfer risks as provided in this Regulation and Standards as well as provision of country and transfer risks reports to all relevant parties within the bank on a timely basis and in a format commensurate with their needs.
2. 2.The processes for aggregating the necessary data and producing supervisory and internal country and transfer risks management reports must be fully documented and must establish standards, cut-off times and schedules for report production. The aggregation and reporting process must be subject to high standards of validation through periodic review by members of the internal audit function with specific systems, data and reporting expertise, particularly where the process requires substantial manual intervention.

1. 1.A bank must submit to the Central Bank on a quarterly basis the Report on Country and Transfer Risks in a format specified by the Central Bank.

The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, Banks must have a comprehensive approach to market risk management, including Board and Senior Management oversight, to ensure their resiliency and enhance overall financial stability.

In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Banks’ approaches to the management of market risk are in line with leading international practices.

This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.

Where this Regulation, or its accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements, which are additional to the list provided in the relevant article.

The objective of this Regulation is to establish the minimum acceptable standards for Banks’ approach to market risk management, with a view to:

i. Ensuring the soundness of Banks; and

ii. Enhancing financial stability.

The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to market risk management.

This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant Group relationships, including Subsidiaries, Affiliates or international branches must ensure that the Regulation and Standards are adhered to on a solo and group-wide basis.

This Regulation and the accompanying Standards must be read in conjunction with the Risk Management Regulation and Standards issued by the Central Bank, which establish the requirements for a Bank’s overarching approach to risk management.

1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
    
2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a Bank.
    
3. Board: The Bank’s Board of Directors.
    
4. Banking Book: Positions in financial instruments that are expected to be held to maturity.
    
5. Central Bank: The Central Bank of the United Arab Emirates.
    
6. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
    
7. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
    
8. Group: A group of entities that includes an entity (the 'first entity') and:
    
   1. any Parent of the first entity;
       
   2. any Subsidiary of the first entity or of any Parent of the first entity; and
       
   3. any Affiliate.
   
    

9. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
    
10. Market risk: The risk of losses in on and off-balance sheet positions arising from movements in market prices.
     
11. Parent: An entity (the 'first entity') which:
     
    1. holds a majority of the voting rights in another entity (the 'second entity');
        
    2. is a shareholder of the second entity and has the right to appoint or remove a majority of the board of directors or managers of the second entity; or
        
    3. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity.
       
         Or;
    4. if the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
    
     

12. Risk appetite: The aggregate level and types of risk a Bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
     
13. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
     
14. Risk limits: Specific quantitative measures that must not be exceeded, based on, for example, forward looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations or other measures, as appropriate.
     
15. Risk profile: Point in time assessment of the Bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
     
16. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
     
17. Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
     
    1. holds a majority of the voting rights in the first entity;
        
    2. is a shareholder of the first entity and has the right to appoint or remove a majority of the board of directors or managers of the first entity; or
        
    3. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity.
       
        Or;
       if the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.

18. Trading Book: Positions in financial instruments and commodities held either with trading intent or in order to hedge other elements of the trading book.
     

1. A Bank must have an appropriate market risk strategy and market risk governance framework that provides a Bank-wide and, if applicable, Group-wide view of market risk. This includes policies, processes, procedures, systems and controls to identify, measure, evaluate, monitor, report and control or mitigate material sources of market risk on a timely basis.
    
2. The Board must approve the Bank’s strategies, policies and processes for the management of market risk, which must be reviewed annually.
    
3. The Board must ensure that the Bank has in place adequate systems to identify, measure and manage market risk. Roles and responsibilities must be clearly articulated and provisions must be made for adequate separation of duties and avoiding conflicts of interest.
    
4. The Board must ensure that the Bank has appropriate market risk management processes that provide a bank-wide and, if applicable, Group-wide view of market risk exposure. These must be consistent with the risk appetite statement, risk profile, systemic importance and capital strength of the Bank, take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity.
    
5. Senior Management must ensure that the strategy, policies and procedures are developed and implemented effectively. The Board must oversee the Senior Management to ensure that the strategies, policies and processes are implemented effectively and fully integrated into the Bank’s overall risk management process.
    
6. A Bank’s policies and processes must establish an appropriate and properly controlled market risk environment, including, at a minimum, the following items:
    
   1. Effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the Board and Senior Management;
       
   2. Appropriate market risk limits consistent with the Bank’s risk appetite, risk profile and capital strength and with the management’s ability to manage market risk and which are understood by and regularly communicated to, relevant staff;
       
   3. Exception tracking and reporting processes that ensure prompt action at the appropriate level of the Senior Management or Board, where necessary;
       
   4. Effective controls around the use of models to identify and measure market risk and set limits; and
       
   5. Sound policies and processes for allocation of exposures to the trading book.

7. A Bank must ensure that intra-day exposures are managed within limits established by the Board-approved market risk policies.
    
8. A Bank wishing to establish a trading book must submit for the Central Bank’s review a trading book policy statement that specifies those activities that belong in the trading book. Any significant change in a Bank’s existing trading book policy must be promptly submitted to the Central Bank for review.
    

1. A Bank’s market risk measurement systems, monitoring and controls must enable it to maintain capital adequacy on a continuous basis and remain within its intra-day and other market risk limits.
    
2. An independent review of a Bank’s market risk measurement system and the overall market risk management process must be earned out at least annually, as part of the Bank’s own internal auditing process, by functionally independent, appropriately trained and competent personnel.
    
3. A Bank must capture all transactions on a timely basis.
    
4. A Bank’s internal models must be validated internally by suitably qualified parties independent of the model development process, to ensure that they are conceptually sound and adequately capture all material market risks.
    
5. A Bank must have its internal models validated externally by an independent and suitably qualified party on a regular basis and, in addition, on an as-needed basis.
    
6. A Bank’s back-testing program must consist of periodic comparisons of its model results with the realized profit or loss (trading income) relating to corresponding periods.

1. A Bank must have systems and controls to ensure that the Bank’s mark-to-market positions, whether in the banking book or trading book, are revalued frequently.
    
2. A Bank’s valuation process must use consistent and prudent practices and reliable market data, or, in the absence of market prices, internal or industry-accepted models, verified by a function independent of the relevant risk-taking business units.
    
3. A Bank that relies on modelling for the purposes of valuation must ensure that the model is validated by a function independent of the relevant risk-taking business units.
    
4. A Bank must establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid and stale positions.
    
5. A Bank must make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities.
    
6. A Bank operating a trading book must establish an appropriate valuation methodology and measurement model.

1. A Bank must at all times hold appropriate levels of capital against unexpected losses, which may arise from its market risk exposures.
    
2. A Bank must ensure that market risk capital requirements are met on a continuous basis.

1. A Bank must include market risk exposure in its forward-looking stress-testing programs as part of its comprehensive approach to risk management.

1. A Bank must inform the Central Bank of all significant changes in its market risk measurement systems and in its market risk profile.
    
2. A Bank must promptly notify the Central Bank when it becomes aware of a significant deviation from its Board-approved market risk limits, policies or procedures, or becomes aware that material market risks have not been adequately addressed.
    
3. Banks must report to the Central Bank on market risk in the format and frequency prescribed in the Standards.

1. A Bank offering Islamic financial services must ensure that its comprehensive approach to market risk management incorporates appropriate measures to comply with Shari’a rules and principles and related Shari’a control functions.

1. Violation of any provision of this Regulation and the accompanying Standards shall be subject to supervisory action as deemed appropriate by the Central Bank.

1. The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

1. This Regulation and the accompanying Standards replace all previous Central Bank regulations with respect to market risk.

1. This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.

1. 1. These Standards form part of the Market Risk Regulation. All Banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as Regulation.
2. 2. A Bank’s Board is in ultimate control of the Bank and accordingly ultimately responsible for market risk management. There is no one-size-fits-all or single best solution. Accordingly, each Bank could meet the minimum requirements of the Regulation and Standards in different ways and thus may adopt an organizational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented an approach that adequately addresses market risk. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards.¹
3. 3. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.

¹ The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller Banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.

1. 1. Affiliate: An entity that, directly or indirectly, controls, is controlled by, or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
2. 2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a Bank.
3. 3. Banking book: Positions in financial instruments that are available for sale or expected to be held to maturity. The following instruments must be assigned to the banking book:
   1. a. Unlisted equities;
   2. b. Instruments designated for securities warehousing;
   3. c. Real estate holdings;
   4. d. Retail and small and medium-sized enterprise credit;
   5. e. Equity instruments in a fund in which the Bank cannot look through the fund daily or obtain daily prices for its investment in that fund;
   6. f. Derivative instruments that have instruments of the type specified in 1.3.a through 1.3.e above as underlying assets;
   7. g. Instruments held for the purpose of hedging a particular risk of a position in the types of instruments of the type specified in 1.3.a through 1.3.e above; and
   8. h. Any other instrument as may be determined by the Central Bank.
4. 4. Board: The Bank’s Board of Directors.
5. 5. Central Bank: The Central Bank of the United Arab Emirates.
6. 6. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
7. 7. Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
8. 8. Financial instrument: Any contract that gives rise to both a financial asset of one entity and a financial liability of another entity. Financial instruments include primary financial instruments (or cash instruments) and derivative financial instruments. A financial asset is any asset that is cash and or, the right to receive cash or another financial instrument. A financial liability is a contractual obligation to deliver cash or another financial asset or to exchange financial liabilities under conditions that are potentially unfavourable.
9. 9. Group: A group of entities that includes an entity (the ‘first entity’) and:
   1. a. any Parent of the first entity;
   2. b. any Subsidiary of the first entity or of any Parent of the first entity; and
   3. c. any Affiliate.
10. 10. Independent price verification: The process by which market prices or model inputs are regularly verified for accuracy. Independent price verification is distinct from daily marking-to-market. Independent price verification entails a higher standard of accuracy in which the market prices or model inputs are used to determine profit and loss figures, whereas daily marks are collected primarily for management reporting in between reporting dates.
11. 11. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
12. 12. Market risk: The risk of losses in on- and off-balance sheet positions arising from movements in market prices. For the purposes of these Standards, these risks are,
    1. a. In the trading book of the bank, the risks pertaining to interest rate related instruments and equities, and
    2. b. Throughout the bank, the risks pertaining to foreign exchange and commodities.
13. 13. Marking-to-market: Valuation of positions at readily available close-out prices in orderly transactions that are sourced independently. Examples of readily available close-out prices include exchange prices, screen prices, or quotes from several independent reputable brokers. Marking-to-market may be performed by dealers. Daily marking-to-market is distinct from independent price verification.
14. 14. Marking-to-model: Any valuation, which has to be benchmarked, extrapolated or otherwise calculated from a market input.
15. 15. Parent: An entity (the ‘first entity’) which:
    1. a. holds a majority of the voting rights in another entity (the ‘second entity’);
    2. b. is a shareholder of the second entity and has the right to appoint or remove a majority of the Board of directors or managers of the second entity; or
    3. c. is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity;

       Or;

    4. d. If the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
16. 16. Residual risk: The risk exposure after controls are considered.
17. 17. Risk appetite: The aggregate level and types of risk a Bank is willing to assume, decided in advance and within it risk capacity, to achieve its strategic objectives and business plan.
18. 18. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and approach to risk management; articulate and monitor adherence to the risk appetite and risks limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
19. 19. Risk limits: Specific quantitative measures that may not be exceeded, based on, for example, forward-looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations, or other measures, as appropriate.
20. 20. Risk Management function: Collectively, the systems, structures, policies, procedures and people that measure, monitor and report risk on a Bank-wide and, if applicable, Group-wide basis.
21. 21. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer and heads of the compliance and internal audit functions.
22. 22. Subsidiary: An entity (the ‘first entity’) is a subsidiary of another entity (the ‘second entity’) if the second entity:
    1. a. holds a majority of the voting rights in the first entity;
    2. b. is a shareholder of the first entity and has the right to appoint or remove a majority of the board of directors or managers of the first entity; or
    3. c. is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity;
       Or;
    4. d. If the first entity is a subsidiary of another entity that is itself a subsidiary of the second entity.
23. 23. Trading book: Positions in financial instruments and commodities held either with trading intent or in order to hedge other elements of the trading book. Any instrument held for one or more of the following purposes must be assigned to the trading book:
    1. a. Short-term resale;
    2. b. Profiting from short-term price movements;
    3. c. Locking in arbitrage profits;
    4. d. Hedging risks that arise from instruments meeting criteria 3.16.a through 3.16.c above; and
    5. e. Any other instrument as may be determined by the Central Bank.

1. 1. A Bank must establish, implement and maintain a market risk governance framework, which enables it to identify, assess, monitor, mitigate and control market risk. The market risk framework consists of policies, processes, procedures, systems and controls.
2. 2. The market risk governance framework must be documented and approved, maintained and overseen by the Board and must provide for a sound and well-defined framework to address the Bank’s market risks.
3. 3. A Bank’s market risk management processes must be integrated with the Bank’s overall risk management processes. Banks that have trading books must develop separate and specific trading book policy statements and risk frameworks.
4. 4. The Board and Senior Management must be actively involved in the market risk control process and must regard risk control as an essential aspect of the business to which significant resources need to be devoted. In this regard, the daily reports prepared by the market risk management function must be reviewed by a level of management with sufficient seniority and authority to enforce both reductions of positions taken by individual traders and reductions in the Bank’s overall risk exposure.

1. 1. A Bank must mark-to-market at least on a daily basis its market risk positions. The more prudent side of bid/offer must be used, unless the Bank is a significant market maker in a particular position type and it can close-out at mid-market. A Bank must maximize the use of relevant observable inputs and minimize the use of unobservable inputs when estimating fair value using a valuation technique. However, observable inputs or transactions may not be relevant, such as in a forced liquidation or distressed sale, or transactions may not be observable, such as when markets are inactive. In such cases, the observable data must be considered, but may not be determinative.
2. 2. A Bank may use mark-to-model only where marking-to-market is not possible, but it must be able to demonstrate to the Central Bank that this approach is prudent. When marking-to-model, an extra degree of conservatism is appropriate. The Central Bank will consider the following in assessing whether a mark-to-model valuation is prudent:
   1. a. Senior Management must be aware of the elements of the trading book or of other fair-valued positions which are subject to mark-to-model and must understand the materiality of the uncertainty this creates in the reporting of the risk/performance of the business;
   2. b. Market inputs must be sourced, to the extent possible, which show satisfactory track record of the actual position held. The appropriateness of the market inputs for the particular position being valued must be reviewed regularly;
   3. c. Where available, generally accepted valuation methodologies for particular products must be used as far as possible;
   4. d. A Bank’s model must be based on appropriate assumptions which have been assessed and challenged by suitably qualified parties independent of the development process. This can take the form of a Technical Committee. The model must be developed or approved independently of the risk-taking functions and must be independently tested;
   5. e. There must be formal change control procedures in place and a secure copy of the model must be held and periodically used to check valuations;
   6. f. The independent risk management function must be aware of the weaknesses of the models used and how best to reflect those in the valuation output;
   7. g. The model must be subject to periodic review to determine the accuracy of its performance (e.g. assessing continued appropriateness of the assumptions, analysis of profit and loss versus risk factors, comparison of actual close out values to model outputs); and
   8. h. Valuation adjustments must be made as appropriate (for example, to cover the uncertainty of the model valuation).
3. 3. As part of its procedures for marking-to-market, a Bank must establish and maintain procedures for considering valuation adjustments. A Bank using third-party valuations must consider whether valuation adjustments are necessary. Such considerations are also necessary when marking-to-model.
4. 4. A Bank must, at a minimum, formally consider credit valuation adjustments, unearned credit spreads, close-out costs, operational risks, early termination, investing and funding costs, future administrative costs and, where appropriate, model risk.
5. 5. The Board-approved polices must provide for independent verification of market prices or model inputs by a unit independent of the risk taking functions, at least monthly and depending on the nature of the market/trading activity, more frequently. Senior Management must take appropriate action to ensure the elimination of inaccurate daily marks.
6. 6. Where pricing sources are more subjective, such as when only one available broker quote is provided, prudent measures, such as valuation adjustments must be taken as appropriate.

1. 1. A Bank must calculate a capital charge for interest rate risk, options risk and equity positions in the trading book. Equity exposure, foreign exchange risk and commodity risk and options risk must be calculated on the Bank’s entire positions. Options risk must also be calculated for options on foreign exchange or commodities positions not belonging to the trading book. In addition, a Bank must take into account other relevant market risk exposures, including but not limited to interest rate risk in the Banking book, as part of the Internal Capital Adequacy Assessment Process to ensure that it holds adequate capital against all market risks.

1. 1. A Bank must have a forward-looking stress-testing program that addresses market risks as well as other Pillar 1 risks and any relevant Pillar 2 risks. Consideration of market risks must include liquidity implications as well as impacts on earnings and capital.
2. 2. A Bank’s stress scenarios must cover a range of market risk factors that can create extraordinary losses or gains in trading portfolios, or make the control of risk in those portfolios very difficult. Stress scenarios need to shed light on the impact of such events on positions that display both linear and nonlinear price characteristics (for instance options and instruments that have options-like characteristics).
3. 3. A Bank’s stress tests must be both of a quantitative and qualitative nature, incorporating both market risk and liquidity aspects of market disturbances. Quantitative criteria must identify plausible stress scenarios to which a Bank could be exposed. Qualitative criteria must emphasize that the two major goals of stress testing are to evaluate the capacity of the Bank’s capital to absorb potential large losses and to identity steps the Bank can take to reduce its risk and conserve capital. This assessment is integral to setting and evaluating the Bank’s management strategy and the results of stress testing routinely must be communicated to Senior Management and periodically to the Board.
4. 4. From time to time, the Central Bank may require Banks to carry out stress tests based on Central Bank prescribed scenarios. A Bank must combine the use of stress scenarios as prescribed by the Central Bank with internally developed stress tests to reflect the specific risk characteristics of its portfolio. A Bank must submit the following information on stress testing to the Central Bank:
   1. a. Supervisory scenarios requiring no simulations by a Bank: A Bank must make information on the largest losses experienced during the reporting period available to the Central Bank. This loss information must be compared to the level of capital that results from a Bank’s internal measurement system. For example, it could provide the Central Bank with a picture of how many days of peak day losses would have been covered by a given value-at-risk or expected shortfall estimate;
   2. b. Supervisory scenarios requiring simulations by a Bank: A Bank must subject its portfolios to a series of simulated stress scenarios and provide the Central Bank with the results. These scenarios could include testing the current portfolio against past periods of significant disturbance. A second type of scenario would evaluate the sensitivity of the Bank’s market risk exposure to changes in the assumptions about volatilities and correlations. Applying this test would require an evaluation of the historical range of variation for volatilities and correlations and evaluation of the Bank’s current positions against the extreme values of the historical range. Due consideration must be given to the sharp variation that at times has occurred in a matter of days in periods of significant market disturbance. (for example, the global financial crisis and earlier major market disturbances involved correlations within risk factors approaching the extreme values of 1 or −1 for several days at the height of the disturbance); and
   3. c. Scenarios developed by the Bank itself to capture the specific characteristics of its portfolio: A Bank must develop its own stress tests which it identifies as most adverse based on the characteristics of its portfolio (such as adverse regional developments combined with a sharp move in oil prices). The market shocks applied in the tests must reflect the nature of portfolios and the time it could take to hedge or manage risks under severe market conditions. The Bank must provide the Central Bank with a description of the methodology used to select and carry out the scenarios as well as with a description of the results derived from these scenarios. The stress tests must also address:
      1. i. Illiquidity/gapping of prices;
      2. ii. Concentrated positions (in relation to market turnover);
      3. iii. One-way markets;
      4. iv. Non-linear products/deep out-of-the-money positions;
      5. v. Events and jumps-to-defaults; and
      6. vi. Other risks that may not be captured appropriately in the models (in the case of VaR models for example, these may include but are not limited to: recovery rate uncertainty, implied correlations, skew risk, default risk, migration risks and shocks to the exchange rate regime).
5. 5. Senior Management must review the stress test results periodically, but at least monthly and such results must be reflected in the policies and limits set by management and the Board. Stress test results must be used in the internal assessment of capital adequacy. The Bank must take prompt steps to manage vulnerabilities identified in stress testing, which can include but are not limited to hedging against identified outcomes, reducing the size of exposures or increasing capital.

1. 1. A Bank must submit to the Central Bank on a quarterly basis the Report on Market Risk Exposures. A Bank must calculate the number of exceptions in back-tests using trading outcomes and provide this information to the Central Bank in such form and frequency as the Central Bank may specify.

1. 1. A Bank offering Islamic financial services must have in place an appropriate framework for market risk management, including reporting, in respect of all assets held, particularly those that do not have a ready market and/or are exposed to high price volatility.
2. 2. A Bank offering Islamic financial services must develop a market risk strategy including the level of acceptable market risk appetite taking into account contractual agreements with fund providers, types of risk-taking activities and target markets in order to maximize returns while keeping exposures at or below the pre-determined levels. The strategy must be reviewed at least annually, communicated to relevant staff and disclosed to fund providers. The strategy must provide for guidelines governing risk-taking activities in different portfolios of restricted investment account holders and applicable market risk limits.
3. 3. A Bank offering Islamic financial services must ensure that its strategy includes a definition of its risk appetite for tradable assets and that its risk appetite is adequately supported by capital held for that purpose.
4. 4. A Bank offering Islamic financial services must be able to quantify market risk exposures and assess exposure to the probability of future losses in its net open asset positions. The Bank must incorporate a detailed approach to valuing its market risk positions where no direct market prices are available. This may include appropriate forecasting techniques to assess the potential value of these assets.
5. 5. Where available valuation methodologies are deficient, a Bank offering Islamic financial services must assess the need to:
   1. a. allocate funds to cover risks resulting from illiquidity, new assets and uncertainty in assumptions underlying valuation and realization; and
   2. b. establish a contractual agreement with the counterparty specifying the methods to be used in valuing the assets.
6. 6. A Bank offering Islamic financial services must apply the same risk management policies and procedures to assets held on behalf of restricted investment account holders as it does to assets held on behalf of shareholders and unrestricted investment account holders.
7. 7. Where a Bank offering Islamic financial services plays the role of market maker to restricted investment account holders, the resultant liquidity risk must be managed appropriately.