Article (15) Internal policies and procedures
C 3/2023 Effective from 29/9/2023| 15.1 | The Finance Company must establish written organizational policies and procedures, which must be reviewed annually and communicated to employees in a timely manner. At a minimum, the organizational policies and procedures must include the following items:
| ||||||||||||||
| 15.2 | In keeping with provisions of Article 10 of this Regulation, a Finance Company must demonstrate that it has developed sound risk management policies and controls and adequate internal policies and procedures for each product offered by the Finance Company. | ||||||||||||||
| 15.3 | A Finance Company must have an appropriate and balanced organizational structure, showing the main departments, sections, lines of reporting, authorities and responsibilities; the structure should be acceptable to the Central Bank. | ||||||||||||||
| 15.4 | The segregation of duties must be maintained to ensure the application of the generally accepted policies and procedures for protecting the assets and funds of a Finance Company, and avoiding fraud and embezzlement. Executive positions must not be combined in such a way that they might introduce a conflict of interest. | ||||||||||||||
Additional Requirements for internal policies and procedures of an Islamic Finance Company | |||||||||||||||
| 15.5 | The management of an Islamic Finance Company must be responsible for observing and implementing Sharia'a rulings and decisions made by the Sharia'a supervision committee. The Finance Company is required to have procedures in place to ensure that any Sharia'a issues arising in the course of business are referred to the Sharia'a supervision committee for decisions, views and opinions. | ||||||||||||||
| 15.6 | A Finance Company must adhere to the Fit and Proper criteria that govern appointment, replacement and termination of members and chairmen of the Sharia’a Supervision Committee. | ||||||||||||||
| 15.7 | An Islamic Finance Company must take the necessary steps to ensure that proper systems and controls are in place in order to ensure Sharia'a provisions are complied with at all times, including but not limited to the following:
| ||||||||||||||
Extension of credit | |||||||||||||||
| 15.8 | A Finance Company must draw up policies and procedures for Financing, which, at a minimum, must include the following items:
| ||||||||||||||
| 15.9 | Finance Companies must establish and maintain regular procedures for classifying the loans and advances that they extend to their customers in accordance with the regulations and guidelines of the Central Bank. These requirements on the classification of loans and their provisions may occasionally be updated by the Central Bank. | ||||||||||||||
| 15.10 | Upon obtaining the borrower's consent, the Finance Company must review the consumer’s credit record to verify the consumer’s solvency, ability to repay and credit behavior and document such verification in a credit file. | ||||||||||||||
| 15.11 | A Finance Company must have a credit approval matrix for the extension of credit according to the type and amount of the credit. The credit approval matrix must be approved by the board of directors of the Finance Company. The decision to approve or reject credit must be in accordance with the authority granted in the credit approval matrix. | ||||||||||||||
| 15.12 | The Finance Company must follow a sound method with written, transparent and clear procedures to assess credit worthiness of the applicants and their ability to repay. The board of directors of the Finance Company must approve these procedures and review them at least once every two years and update the same if necessary. The Finance Company must apply these procedures before extending credit and document the same in the credit file. | ||||||||||||||
| 15.13 | Credit Exposure risks must be assessed and risk rated prior to making the decision to extend credit. The risk classification must be reviewed at least once a year. | ||||||||||||||
| 15.14 | The Finance Company must specify procedures for early detection of risks to identify credit exposures that manifests clear signs of increased risk and develop quantitative and qualitative indicators for early identification of risks. | ||||||||||||||
Risk management function | |||||||||||||||
| 15.15 | A Finance Company should establish a clear, written risk management policy that is approved by the board of directors of the Finance Company. The risk management policy must address all relevant risks, taking into account the full range of business activities conducted by the Finance Company. At a minimum, the policy must include the following risks:
| ||||||||||||||
| 15.16 | The risk management function must be functionally independent of the risk generating business lines and is responsible for the design, maintenance and ongoing development of the risk framework within the Finance Company. The risk management function must not report hierarchically or functionally to any person or function that is directly responsible for risk generation. The risk management function must have appropriate access to the board of directors of a Finance Company. | ||||||||||||||
| 15.17 | A Finance Company must set appropriate procedures for the identification, assessment, management and monitoring of risks and prepare risk reports thereon. | ||||||||||||||
| 15.18 | A Finance Company must prepare a quarterly risk report to be discussed by the board of directors after being reviewed by Senior Management. | ||||||||||||||
Information Technology and Security | |||||||||||||||
| 15.19 | The technical facilities and systems of a Finance Company must be sufficient for the operational needs, business activities and risk exposure of the Finance Company. | ||||||||||||||
| 15.20 | A Finance Company must maintain all business documents, records and files in an orderly, transparent and safe manner and ensure the completion and periodic updating of these files. Said documents, records and files must be retained for at least a period of five years from the date of termination of the relationship with the customer. | ||||||||||||||
| 15.21 | Information technology systems and related processes must be developed to ensure data availability, integration, integrity and confidentiality. Such systems must be periodically assessed by the Finance Company in accordance with relevant regulations and standards and must be tested prior to launching and after introducing any modification thereto. | ||||||||||||||
| 15.22 | The Finance Company must use its information technology infrastructure to enhance its ability to retrieve all know-yourcustomer and transactions records in a timely manner. | ||||||||||||||
| 15.23 | The Finance Company must develop a business continuity plan that ensures alternative solutions that will enable the recommencement of operations within a reasonable time in the event that they are disrupted. | ||||||||||||||
Internal audit function | |||||||||||||||
| 15.24 | The Finance Company must have an internal audit function that reports directly to the board of directors of the Finance Company. This function must be independent and its employees must not be assigned any other responsibilities. | ||||||||||||||
| 15.25 | The internal audit function must operate according to a comprehensive audit plan. The audit plan must be approved by the board of directors of the Finance Company and reviewed annually. Major activities and operations, including those related to risk management and compliance must be audited at least annually. | ||||||||||||||
| 15.26 | The internal audit function must prepare and submit to the board of directors a written report on its activities on a quarterly basis. | ||||||||||||||
Compliance function | |||||||||||||||
| 15.27 | A Finance Company must comply with all applicable laws and regulations, decisions, instructions, directives, circulars, correspondence and policies. To prevent violations, a Finance Company must implement adequate measures and controls. | ||||||||||||||
| 15.28 | A Finance Company must have an independent compliance function that ensures the compliance of the Finance Company with all applicable laws, regulations, decisions, instructions, directives, circulars, correspondence and policies. | ||||||||||||||
| 15.29 | A Finance Company must create the role of a compliance officer, which has a direct reporting line to the board of directors of the Finance Company. The compliance officer must be appointed by the board of directors. The compliance officer must be independent in carrying out his assigned duties and must not be assigned any other responsibilities. The compliance officer must submit a quarterly report on compliance to the board of directors. | ||||||||||||||
| 15.30 | A Finance Company must have a board approved written compliance policy. This compliance policy sets out the powers, obligations and responsibilities of the compliance function, as well as compliance programs and related procedures, including arranging regular anti-money laundering / combating the financing of terrorism training programs for the staff. | ||||||||||||||
| 15.31 | The Finance Company must set adequate internal policies and procedures to combat financial crimes, specifically money laundering and terrorism financing. A Finance Company must report any suspicious transactions, activities or operations to the Financial Intelligence Unit at the Central Bank in a timely manner. | ||||||||||||||
Remuneration and incentives | |||||||||||||||
| 15.32 | The Finance Company must ensure that it has an adequate number of staff who are experienced and qualified to meet the operational needs, business activities and risks of the Finance Company. Staff remuneration and incentives must be fair, in line with the risk management strategy of the Finance Company and not give rise to any potential conflict of interest. | ||||||||||||||
Outsourcing | |||||||||||||||
| 15.33 | A Finance Company must ensure that all Outsourcing agreements include appropriate provisions for the safeguarding of confidential data. These include, but are not limited to, contractual provisions to ensure that a service provider in possession of confidential data may not provide any other party with access to the confidential data without first obtaining the specific authorization of the Finance Company. | ||||||||||||||
| 15.34 | A Finance Company must ensure that it retains ownership of all data provided to a service provider, including but not limited to confidential data and has unfettered access to all data, including the right of return of all data and records for the duration of and at the termination of any Outsourcing agreement. | ||||||||||||||
| 15.35 | Finance Companies must have a process for determining the materiality of outsourced business activities. The process must consider the potential of the outsourced activity, if disrupted, to adversely affect the Finance Company’s operations or ability to manage risks. | ||||||||||||||
| 15.36 | The Outsourcing of Material Business Activities must be approved by the board of directors of the Finance Company, a committee of the board or designated senior officers. | ||||||||||||||
| 15.37 | A Finance Company must apply for and receive a notice of non-objection by the Central Bank prior to entering into an agreement to outsource a Material Business Activity, whether to a related party or third party. | ||||||||||||||
| 15.38 | While all requests for non-objection will be considered on their individual merits, the Central Bank will not permit the Outsourcing to a third party of core activities, key management and control functions of the Finance Company including, at a minimum, the following items:
| ||||||||||||||
| 15.39 | Every agreement governing an outsourced business activity must include an explicit provision giving the Central Bank, or an agent appointed by the Central Bank, access to the service provider. The provision must include the right to conduct on-site visits at the service provider if the Central Bank considers this necessary for supervisory purposes and require the service provider to provide directly to the Central Bank, or an agent appointed by the Central Bank, any data or information required for supervisory purposes, upon request by the Central Bank. | ||||||||||||||
| 15.40 | A Finance Company must not enter into an Outsourcing agreement with a third party or related party that involves the storage of Confidential Data outside of the U.A.E. A Finance Company may, however, enter into an Outsourcing agreement with a third party that involves the storage of Confidential Data in the Free Zones. | ||||||||||||||
| 15.41 | For any outsourced Material Business Activity, the internal audit function of the Finance Company must provide independent assurance similar to that required if the activity was undertaken by the Finance Company. | ||||||||||||||
| 15.42 | The internal audit function must regularly review and report to the board of directors of a Finance Company on compliance with the Outsourcing policies and procedures of the Finance Company. | ||||||||||||||
| 15.43 | For any outsourced Material Business Activity, the compliance function of the Finance Company must review and report to Senior Management or the board of directors of a Finance Company on the observance by the service providers of all applicable compliance policies of the Finance Company. | ||||||||||||||
| 15.44 | An Islamic Finance Company must ensure that its Outsourcing policies and arrangements are consistent with Sharia’a provisions. | ||||||||||||||
| 15.45 | An Islamic Finance Company must ensure that its policies and procedures for the assessment of any proposed Outsourcing arrangement specifically consider operational and reputational risks from failure by the service provider to adhere to Sharia’a provisions. | ||||||||||||||
| 15.46 | A Finance Company must report to the Central Bank on its Outsourcing arrangements in the format and frequency prescribed by the Central Bank. | ||||||||||||||
| 15.47 | A Finance Company must provide upon request any specific information with respect to Outsourcing arrangements that the Central Bank may require. | ||||||||||||||
| 15.48 | A Finance Company must immediately notify the Central Bank when it becomes aware of any material breach of the terms of an outsourcing agreement, or other development with respect to an outsourced business activity, that has, or is likely to have, a significant impact on operations, reputation or the financial condition of the Finance Company or otherwise lead to the disclosure of confidential information. | ||||||||||||||