Internal Controls
Information Security Department
The mission of the Information Security Department is to assure the confidentiality, integrity and availability of information as appropriate. To this end, it is responsible for translating the risk appetite of the Group into effective and efficient controls which (a) minimise impact to operations, (b) ensure better risk management, and (c) are compliant with regulations.
The Information Security Department is responsible and accountable for the development and implementation of the Information Security Framework, to assist the Group’s efforts to protect its information assets.
The role of the head of Information Security includes the following (list is not exhaustive):
- Advise and provide recommendations to the Board on the development of an information security policy in line with the Group’s size and complexity of activities and information distribution channels.
- Advise and provide recommendations to senior management on the development and implementation of the Group’s information security program in the form of security policies, standards, guidelines, procedures and processes.
- Oversee the dissemination and implementation of the information security program institution-wide.
- Cooperate with the Bank’s business and support units and other internal control functions, for the effective implementation of security principles in the development of their policies and procedures.
- Develop and implement in cooperation with the Risk Management Division, an information security risk assessment and management program.
- Participate in the activities required for the implementation of effective security controls in the Bank’s IT infrastructure and provide guiding principles to the IT for the operations of network and information systems.
- Plan, organise and coordinate information security assessment activities throughout the institution.
- Monitor compliance with information security policies, standards, guidelines, processes and procedures.
The Head of Information Security submits an annual report to the Board, through the Risk Committee which includes among others a summary of the most important information security risks the Bank faces at the time of reporting and a list of all important information security incidents and corrective actions taken to prevent recurrence.
Compliance Division
The Bank’s Compliance Division (CD) provides independent oversight of the management of the Bank’s compliance with laws, regulations, guidelines and internal rules relevant to the activities of the Bank and reports directly to the Audit Committee of the Board of Directors.
The activities of the CD fall into four main areas and their role includes the following:
Regulatory Compliance:
- Oversees, coordinates, monitors and provides relevant assurance for compliance with existing laws, rules and regulations through the implementation of the Bank’s overall regulatory and governance framework in accordance with the requirements of the Central Bank of Cyprus (CBC) and other regulatory authorities in Cyprus, the European Union, the United Kingdom and Ireland. Such activity includes but is not limited to the identification and control of compliance risks, prudential reporting obligations as well as compliance training.
- Tracks and evaluates all new regulations or amendments to existing regulatory issuances and facilitates their implementation by issuing and maintaining compliance related policies and procedures and initiating requests for policy pronouncements or revisions to ensure new regulations are made part of the Bank's policies and procedures.
- Provides guidance, advice, support and training to employees on significant laws, regulations and ethical guidelines in an effort to establish a corporate culture of ethics.
- Reports to the Audit Committee of the Board of Directors on significant compliance issues and provides relevant recommendations.
- Conducts reviews and assessments to ensure effectiveness of controls and procedures in the management of compliance risks and recommends remedial actions.
- Liaises with the regulatory authorities and appears before their bodies upon summons to clarify matters related to the compliance framework.
- Annually prepares a report to the CBC on the Bank’s compliance with the CBC’s Directives.
Governance & Markets Compliance:
- Oversees, coordinates, monitors and provides relevant assurance for compliance with existing laws, rules and regulations regarding the provision of investment and ancillary services. Such activity includes but is not limited to the identification and control of compliance risks, prudential reporting obligations as well as compliance training.
- Reports to the Audit Committee of the Board of Directors on significant compliance issues regrding the provision of investment and ancillary services and provides relevant recommendations.
- Reviews the effectiveness and adequacy of the Corporate Governance Policy of the Group in coordination with the Nominations and Corporate Governance Committee (NCGC) and makes appropriate recommendations to the Board.
- Ensures compliance with the Cyprus Stock Exchange (CSE) Corporate Governance Code, the UK Code as well as the relevant directives of the CBC.
- Facilitates training of the Board members on their duties and responsibilities.
- Ensures the fitness & probity of all members of the Board and Senior Management and assesses their suitability as per the EBA guidelines and the relevant CBC directives on an on-going basis and reports to this respect on an annual basis.
- Performs the annual Board performance evaluation in coordination with the NCGC and submits a report to the Board and the CBC.
Financial Crime Compliance:
- Monitors Anti-Financial Crime activity through the investigation of alerts generated by a specialised Anti-Money Laundering (AML) system, the assessment of cash-based business clients, the assessment of internal SARs, the inception of internal AML investigations and the submission of Suspicious Activity Reports (SARs) to the local Financial Intelligence Unit (FIU).
- Provides AML assurance through the performance of onsite AML specific audits at the various units of the Bank, policy updates and follow-up of supervisory audits/investigations.
- Provides AML Customer Risk assessment by reviewing High and Significant risk customers, performing country risk assessments, sanction monitoring, responding to Correspondent banks and monitoring the AML regular review campaigns of business lines.
- Provides Third party Risk assessment by reviewing client accounts, assessing third parties (intermediaries and fiduciary service providers) and performing specialised reviews of Politically Exposed Persons (PEP) customers.
- Annually prepares a report to the CBC on the Bank's compliance with the CBC's AML Directive including an AML Risk Assessment which is performed using a sophisticated scenario based risk assessment methodology.
Data Privacy Management:
- Acts as liaison between the Personal Data Commissioner and the Bank of Cyprus.
- Supports and consults the Bank and the Board of Directors on personal data protection matters.
- Monitors and ensures the adequacy of established procedures for the implementation of data subject rights, data inventory and vendors management.
- Ensures that complaints on data protection issues are quickly and effectively handled.
- Performs reviews and assessments to ensure full compliance to the obligation of the General Data Protection Regulation (GDPR) across the Bank.
Internal Audit
The Bank has established the Three Lines of Defence model as a framework for effective risk management and control. Internal Audit, as the third line of defence, provides independent assurance to the Board of Directors and senior management over the effectiveness of the governance, risk management practices and internal control environment.
The main responsibilities of the Internal Audit include, but are not limited to, the following:
- Developing an audit plan approved by the Audit Committee to ensure that internal audit activities adequately cover areas with the greatest exposure to the key risks that could affect the Bank's ability to achieve its strategice objectives.
- Evaluating the appropriateness, adequacy and effectiveness of the corporate governance framework.
- Assessing the effectiveness of risk management processes.
- Evaluating the reliability, integrity and completeness of the accounting, financial reporting, management information and information technology systems.
- Assessing the design and operational effectiveness of internal control systems and control functions.
Risk Management
The Bank’s Risk Management Division (RMD) ensures that all material risks are identified, measured and properly reported. The Division is actively involved in elaborating the institution’s risk strategy and in all material risk management decisions.
The Board ensures the independence of the RMD by providing it with direct access to the Board and the Risk Committee without any impediment.
The RMD is independent from executive functions, business line responsibilities, operations and revenue generating functions. The RMD functionally reports to the Risk Committee and administratively to the CEO.
The role of the RMD includes the following (list is not exhaustive):
- Assist the Board of Directors (BoD) and senior management to establish and communicate the Bank’s risk management objectives and direction.
- Assist the Risk Committee and senior management to develop and communicate management policies.
- Facilitate in the identification, measurement, monitoring, reporting and control of risks.
- Monitor and assess decisions to accept particular risks whether these are consistent with BoD approved policies on risk tolerance and the effectiveness of the corresponding risk mitigation measures.
- Report to senior management, the Risk Committee and the BoD the results of the assessment and monitoring of risk exposures.
- Have sufficient expertise and operating experience enabling the challenging of decisions that affect the institution’s exposure to risk. Annually prepare a report to the Central Bank of Cyprus (CBC) presenting key issues and developments within the Bank and review of the main risk areas.
- Submit reports to the BoD and relevant Committees and attend their meetings to present said reports and provide additional information and/or classification or assistance on managing the issues raised.
- Involved in any changes to the institution’s strategy, risk appetite framework and risk limits.
- Identify the Group's significant risks and ensure that appropriate mitigating strategies are in place.
- The RMD via the Chief Risk Officer (CRO) has direct and unrestricted access to the BoD, through the Risk Committee.
- The RMD via the CRO has the right and is uninhibited in expressing and reporting its findings to the BoD and to the Board Committees without the presence of executive members of the BoD.
- The RMD has the right to initiate communication with any member of staff, to obtain full and unconditional access to all records and files of the Bank as well as any other information necessary to carry out its responsibilities.
- The RMD is authorised to perform consulting and advisory services related to governance, regulatory requirements, risk management and control as appropriate for the Bank and to evaluate specific operations at the request of BoD or management.
Additionally, the Risk Committee assesses and monitors the independence, adequacy and effectiveness of the RMD. The independent and strengthened RMD has a mandate to define sound policies reflecting the approved Risk Appetite of the Group and monitor risks in a proactive manner across the business segments.