ROMANIA FINANCIAL SECTOR ASSESSMENT PROGRAM May 2018 DETAILED ASSESSMENT OF OBSERVANCE BASEL CORE PRINCIPLES FOR EFFECTIVE BANKING SUPERVISION Prepared By This Detailed Assessment Report was prepared in the context of a joint IMF-World Bank Financial Sector Monetary and Capital Assessment Program (FSAP) mission to Romania during Markets Department, October 31–November 21, 2017, and January 11–23, International Monetary 2018 led by Erlend Nier, IMF and Laurent Gonnet, World Fund, and Finance, Bank, and overseen by the Monetary and Capital Competitiveness and Markets Department, IMF, and the Finance, Innovation Global Competitiveness and Innovation Global Practice, World Practice, World Bank Bank. http://www.imf.org/external/np/fsap/fssa.aspx and http://www.worldbank.org/fsap. INTERNATIONAL MONETARY FUND THE WORLD BANK ROMANIA CONTENTS Glossary __________________________________________________________________________________________ 4 SUMMARY _______________________________________________________________________________________ 6 INTRODUCTION AND METHODOLOGY ________________________________________________________ 7 A. Information and Methodology Used for Assessment __________________________________________ 8 INSTITUTIONAL AND MARKET STRUCTURE ___________________________________________________ 9 PRECONDITIONS FOR EFFECTIVE BANK SUPERVISION ______________________________________ 11 A. Sound and Sustainable Macroeconomic Policies ______________________________________________ 11 B. Framework for Financial Stability Policy Formulation __________________________________________ 12 C. A Well-Developed Public Infrastructure _______________________________________________________ 13 D. Framework for Crisis Management, Recovery, and Resolution ________________________________ 14 E. Public Safety Net ______________________________________________________________________________ 14 F. Effective Market Discipline ____________________________________________________________________ 15 MAIN FINDINGS________________________________________________________________________________ 16 A. Responsibilities, Objectives, Powers, Independence, and Accountabilities (CPs 1–2) __________ 16 B. Ownership, Licensing, and Structure (CPs 4–7) ________________________________________________ 16 C. Ongoing Supervision (CPs 8–10, 12) __________________________________________________________ 17 D. Corrective and Sanctioning Powers (CP 11) ___________________________________________________ 18 E. Cooperation and Cross-Border Banking Supervision (CPs 3, 13)_______________________________ 19 F. Corporate Governance, Risk Management, Internal Control and Audit (CPs 14, 15, 26) _______ 19 G. Capital Adequacy and Liquidity Risk (CPs 16, 24) _____________________________________________ 20 H. Credit Risk, and Problem Assets (CPs 17–18) _________________________________________________ 21 I. Related Parties Transactions, Concentration, and Country risks (CPs 19–21) ___________________ 21 J. Market Risk, Interest Rate Risk in the Banking Book, and Operational Risk (CPs 22, 23, 25) ____ 22 K. Financial Reporting, Auditing and Disclosure (CPs 26–28)_____________________________________ 23 L. Abuse of Financial Services (CP 29) ____________________________________________________________ 23 DETAILED ASSESSMENT _______________________________________________________________________ 24 A. Supervisory Powers, Responsibilities, and Functions __________________________________________ 24 B. Prudential Regulations and Requirements ___________________________________________________ 112 SUMMARY COMPLIANCE OF BASE CORE PRINCIPLES _____________________________________ 236 2 ROMANIA RECOMMEDED ACTIONS AND AUTHORITIES' COMMENTS________________________________ 245 A. Recommended Actions ______________________________________________________________________245 B. Authorities’ Response to the Assessment ____________________________________________________ 249 BOX 1. The 2012 Revised Core Principles ______________________________________________________________ 9 TABLE 1. Overview of the Structure of the Banking System (As of end–2016) ___________________________ 10 3 ROMANIA Glossary AC Additional Criteria (of the Core Principles) ASF Financial Supervisory Authority AMA Advanced Measurement Approach AML/CFT Anti Money Laundering and Combating the Financing of Terrorism ANEVAR National Association of Valuators in Romania AQR Asset quality review BCBS Basel Committee for Banking Supervision BCP Basel Core Principles BRRD Bank Recovery and Resolution Directive CAR Capital Adequacy Ratio CEBS Committee of European Banking Supervisors CET 1 Common Equity Tier 1 CI Credit Institution COREP Common Reporting CP Core Principle CRD IV Capital Requirements Directive IV (2013/36/EU) CRR Capital Requirements Regulation (EU Regulation 575/2013) CSIPPC Public Interest Oversight Board for the Accountancy Profession DSTI Debt Service to Income EBA European Banking Authority EC Essential Criteria (of the Core Principles) ECB European Central Bank ECL Expected Credit Loss EIOPA European Insurance and Occupational Pension Authority ESCB European System of Central Banks ESMA European Securities and Markets Authority EU European Union FATF Financial Action Task Force FGDB Bank Deposit Guarantee Fund FINREP Financial Reporting FIU Financial Intelligence Unit FSAP Financial Sector Assessment Program FSD Financial Stability Department GL EBA Guideline ICAAP Internal Capital Adequacy Assessment Process ICT Information and Communication Technology IFRS International Financial Reporting Standards ILAAP International Liquidity Adequacy Assessment Process IRRBB Interest Rate Risk in the Banking Book 4 ROMANIA KRI Key Risk Indicator LCR Liquidity Coverage Ratio LTV Loan to Value ML/TF Money Laundering and Terrorism Financing MOPF Ministry of Public Finance MOU Memorandum of Understanding NBR National Bank of Romania NCA National Competent Authority NCMO National Committee for Macroprudential Oversight NPE Nonperforming Exposure NPL Nonperforming Loan OSII Other Systemically Important Institutions OUG Government Emergency Ordinance RCAP Regulatory Consistency Assessment Program RON Romanian leu RWA Risk Weighted Asset SD Supervision Department SEP Supervisory Examination Program SME Small and Medium-sized Enterprises SRB Single Resolution Board SREP Supervisory Review and Evaluation Process SSM Single Supervisory Mechanism 5 ROMANIA SUMMARY1 1. As an European Union (EU) Member State, Romania is subject and aligned to the EU common regulatory framework for banking supervision. The EU regulatory framework for banking supervision has been subject to significant changes since the 2008 global financial crisis and the subsequent sovereign debt crisis. The adoption of the Capital Requirements Regulation and the Capital Requirements Directive IV (CRR/CRD IV) which forms the Single Rule Book was an important step towards stronger prudential regulation. Given that a large part of Romania’s banking system is owned by Eurozone banks, the Single Supervisory Mechanism (SSM), as the home supervisor for Eurozone banks, is a key partner of the National Bank of Romania (NBR). Prudential regulations of the NBR are broadly aligned to the requirements of the Basel Core Principles (BCP). As of 2017, the NBR has identified 11 banks as systematically important, of which 8 are supervised at group level by the SSM. 2. The supervisory approach of the NBR has been changing toward a more risk based approach since the previous BCP assessment, but more needs to be done. As of January 2016, the NBR Board approved the adoption of the Supervisory Review and Evaluation Process (SREP) Guidelines of the European Banking Authority (EBA)2 into national supervisory practices making it the core supervisory tool for banking supervision. Nevertheless, the new EBA SREP methodology is still in the early stages of implementation. The processes for ensuring consistency and accuracy of scoring, findings, and supervisory measures across different banks need to be improved and have yet to be formalized and documented. The NBR needs to further enhance off-site monitoring tools by incorporating more forward-looking views (e.g., bottom up stress testing tools). More risk- focused and thematic banking industry-wide analyses and examinations triggered by recent trends or events are also warranted. 3. Further development of the NBR’s supervisory approach will make supervision more effective and in line with the requirements of the 2012 BCP. The NBR may need to devote more supervisory attention to banks’ risk models and building up further expertise in specialized areas such as IT and market risk. In the area of corrective actions and sanctions, the NBR should review its framework to ensure it is protected from undue legal challenges, and strengthen internal procedures to ascertain that supervisory measures or sanctions are more consistently applied across the banking system. Post examination processes should be enhanced for banks to implement supervisory measures in a prompt manner. Intensified engagement with nonexecutive/independent board members is warranted for a more proactive supervisory practice. 4. Some weaknesses were observed concerning regulations not governed by the harmonized EU framework. Prudential regulations of the NBR are broadly aligned with the requirements of the BCP. However, the regulations on related party transactions and country/transfer risk include only high level principles, and lack sufficient specificity. The NBR should 1 This Detailed Assessment Report has been prepared by Hee Kyong Chon, IMF and Cedric Mousset, World Bank. 2 EBA/GL/2014/13. 6 ROMANIA consider giving more specific guidance to banks and supervisors through amending regulations, issuing instructions, and/or developing the on-site handbook. The NBR also needs to enhance its oversight of concentration risk and intra-group transactions, even if the exposures comply with the regulatory limits. 5. The authorities should maintain their current successful and proactive approach to steer the timely reduction in problem assets. Nonperforming loans (NPLs) peaked at 21.9 percent in 2013 following the 2007 crisis, before declining to close to 6 percent in 2017. The NBR successfully led efforts to clean up banks’ balance sheets through multiple initiatives designed to ensure the timely recognition, realistic provisioning and disposal of NPLs, and maintains annual bank-by-bank supervisory targets for NPL reductions. The framework for credit risk management was significantly strengthened and close monitoring, including through annual examinations, is conducted. Considering still high levels of nonperforming and forborne exposures, the NBR shall continue to closely monitor these exposures and ensure that proactive measures are implemented to clean up bank balance sheets and prevent any new increase in credit risk. 6. The NBR should better ensure banks’ boards effectively exercise their responsibilities. Corporate governance requirements were appropriately strengthened in recent years and now constitute a cornerstone of the NBR’s supervisory approach. Attention is paid to effective implementation during on-site full-scope examinations and when approving key persons. However, the NBR only requires some banks (i.e., subsidiaries) to have an “adequate” number of independent board members. Banks usually only have one or two independent board member(s), which is insufficient. Although the NBR places a lot of responsibilities on the board, it does not yet organize regular exchanges with nonexecutive and independent members. INTRODUCTION AND METHODOLOGY 7. This assessment of the implementation of the BCP in Romania has been completed as part of the Financial Sector Assessment Program (FSAP), which has been jointly undertaken by the International Monetary Fund (IMF) and the World Bank in 2017, at the request of the Romanian authorities. The assessment reflects the regulatory and supervisory framework in place as of the completion of the assessment. It is not intended to analyze the state of the banking sector or the crisis management framework, which are addressed by other assessments conducted in this FSAP. 8. An assessment of the effectiveness of banking supervision requires a review not only of the legal framework, but also a detailed examination of the policies and practices of the institutions responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on the NBR’s supervision of banks, and did not cover the specificities of regulation and supervision of other financial intermediaries, which are addressed by other assessments conducted in this FSAP. 7 ROMANIA A. Information and Methodology Used for Assessment 9. This assessment was against the standard issued by the Basel Committee on Banking Supervision (BCBS) in 2012. Since the past BCP assessment, which was conducted in 2011, the BCP standard has been revised. The revised Core Principles (CPs) strengthen the requirements for supervisors, the approaches to supervision, and the supervisors’ expectations of banks through a greater focus on effective risk-based supervision and the need for early intervention and timely supervisory actions. Furthermore, the 2012 revision placed increased emphasis on corporate governance and supervisors’ conducting sufficient reviews to determine compliance with regulatory requirements and thoroughly understanding the risk profile of banks and the banking system. This assessment was thus performed according to a significantly revised content and methodological basis, compared to the previous BCP assessment carried out in 2011 (Box 1). 10. The Romanian authorities opted to be assessed against both essential criteria (EC) and the additional criteria (AC) but graded on the basis of EC only. To assess compliance, the BCP Methodology uses a set of EC and AC for each principle. The EC set out minimum baseline requirements for sound supervisory practices. The AC are recommended as the best practices against which the authorities of some more complex financial systems may agree to be assessed and graded. Romanian authorities chose to be graded against only EC. 11. Grading is not an exact science and the CPs can be met in different ways. The assessment of compliance with each principle is made on a qualitative basis. Compliance with some criteria may be more critical for effectiveness of supervision, depending on the situation and circumstances in a given jurisdiction. Emphasis should be placed on the commentary that accompanies each Principle grading, rather than on the grading itself. 12. The assessment team held extensive meetings with NBR staff, the Ministry of Public Finance (MOPF), the industry, and other relevant counterparts who shared their views with the assessors. The team also reviewed the framework of laws, regulations, and supervisory guidelines. The NBR provided self-assessments of the CPs and comprehensive questionnaires filled out by the authorities. The NBR also facilitated access to supervisory documents and files, staff, and systems. 13. The assessment team appreciated the excellent cooperation, including extensive provision of internal guidelines/procedures, supervisory files, and reports. In particular, the team would like to thank the NBR staff who responded to the extensive and detailed request promptly and accurately during the assessment. 8 ROMANIA Box 1. The 2012 Revised Core Principles The revised BCP reflect market and regulatory developments since the last revision, taking account of the lessons learned from the financial crisis in 2008/2009. These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and the FSB, and take into account the importance now attached to: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the microprudential supervision of banks to assist in identifying, analyzing, and taking pre-emptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, and recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) fostering robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure, and transparency. The revised BCP strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. The supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also the risks they pose to the banking and financial systems. In addition, the supervisors need to consider how the macroeconomic environment, business trends, and the build-up and concentration of risks inside and outside the banking sector may affect the risks to which individual banks are exposed. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is heightened focus on the actual use of the powers in a forward-looking approach through early intervention. The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which means the contents are the same), and the introduction of 35 new essential criteria. In addition, for countries that may choose to be assessed against the additional criteria, there are 16 additional criteria. While raising the bar for banking supervision, the CPs must be capable of application to a wide range of jurisdictions. The new methodology reinforces the concept of proportionality, both in terms of the expectations on supervisors and in terms of the standards that supervisors impose on banks. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems. INSTITUTIONAL AND MARKET STRUCTURE 14. Romania’s financial sector remains dominated by banks that hold around 80 percent of financial sector assets. In April 2018, there were 35 banks in Romania, 29 of which are foreign- owned (22 subsidiaries, seven branches). The five largest banks concentrate about 60 percent of total deposits in the system (57 percent of all loans). The nonbank financial sector remains small, although their relative share slightly increased, with investment funds, private pension funds, insurance companies and other nonbank financial institutions accounting for about 20 percent of financial system assets. The Romanian insurance market has one of the lowest levels of insurance density and insurance penetration in Europe. The sector has recently stagnated as several major insurance companies have come under financial strain. The Romanian capital market is characterized by relatively few issuers, a limited number of new issues and initial public offereings (IPOs), and low 9 ROMANIA liquidity. The equity market with only 84 listed companies had a market capitalization of EUR 32 billion as at the end of 2015. The fixed-income market is also relatively small and undiversified, with around 80 bonds traded at the Bucharest Stock Exchange, the majority being securities issued by central and local governments. There are only seven corporate bonds issued. Table 1. Overview of the Structure of the Banking System (As of end–2016) Number Market Share of Banks (total assets) Banks incorporated in Romania Controlled by Romanian interests 9 23.7% - Public 2 8.3% - Private 7 15.4% Controlled by EU banking groups supervised by the SSM /ECB 14 61.1% Controlled by other EU banking groups 5 4.0% Controlled by banking groups based outside the EU 1 0.3% Branches Branches of EU banking groups supervised by the SSM /ECB 5 10.5% Other branches of EU banks 3 0.4% Source: NBR. 15. Foreign-owned banks’ dependencies on parent funding has significantly declined. The share of deposits from the domestic private sector (about a third of which are demandable, and the rest at short terms of up to one year) has increased from about 48 percent of banks’ total liabilities in 2011 to about 66 percent in 2017, while parent funding has declined markedly to about EUR 7 billion (approximately 7 percent of total liabilities), a third of the level in 2011. As a result, the system-wide loan-to-deposit ratio fell to around 77 percent in 2017, from 131 percent in 2008. In the context of the Vienna initiative, debt liabilities were replaced by capital injections from parent banks, boosting capital ratios and reducing vulnerabilities. 16. As a non-Eurozone EU Member State, Romania is subject to the EU common regulatory framework for banking supervision. All Member States must apply the CRR/CRD IV. The SSM is applicable only to Eurozone members and non-Eurozone members who opt to join. Until now, no non-Eurozone EU members have officially opted into the SSM. For non-Eurozone EU countries like Romania, where a large part of the banking system is owned by SSM-supervised Eurozone banks, the SSM has become the home supervisor with whom close collaboration with the NBR takes place. 17. Responsibilities for prudential supervision of the financial sector are split: • The NBR is an administratively independent Central Bank with a mandate to supervise credit institutions and verify observance of the laws and regulations that apply to the banking sector. 10 ROMANIA • The Financial Supervisory Authority (ASF), established in 2013, is responsible for the supervision of nonbanking financial market participants and the licensing and registration of individuals and institutions. In particular, it supervises (i) the intermediaries of financial instruments operations (financial investment undertakings, undertakings for collective investment, investment management companies, financial investment consultants, financial instruments markets, market and system operators, central depositories, clearing houses, central counterparties, market operations, securities issuers); (ii) insurance, insurance- reinsurance and reinsurance companies, mutual undertakings, and insurance intermediaries; and (iii) the private pension system. 18. The NBR plays key roles in the institutional framework underpinning financial stability. The NBR, established under the Law 312/2004, is responsible for ensuring and maintaining price stability. The main tasks of the NBR include the following: to define and implement the monetary policy and the exchange rate policy; to license, regulate and supervise credit institutions; to promote and oversee the payment systems; to issue notes and coins to be used as legal tender on the territory of Romania; to set the exchange rate regime and supervise its observance; and to manage the official reserves of Romania. PRECONDITIONS FOR EFFECTIVE BANK SUPERVISION A. Sound and Sustainable Macroeconomic Policies 19. Romania made important progress in addressing economic imbalances and restoring growth after the global financial crisis. Partly in the context of successive EU and IMF-supported programs in the period to 2015, macroeconomic stability was restored. Growth more recently accelerated on the back of fiscal stimulus, and Romania’s real GDP growth surged to 6.9 percent in 2017. Low imported inflation and indirect tax cuts kept inflation subdued, but inflationary pressures have increased since mid-2017 on account of sharp wage increases and strong domestic demand, leading monetary policy to tighten after a long period of accommodation. With signs of overheating, there is a risk that the current policy trajectory increases macroeconomic volatility, and wears down buffers, adversely afecting market confidence. 20. Implementation of sound macroeconomic policies is essential for the stability of the Romanian financial system as a whole. Relatively weak cooperation, coordination and synchronization among policies (monetary, macroprudential and fiscal policies) may lead to cyclical imbalances and structural vulnerabilities. Such imbalances and vulnerabilities could lead to negative spill-overs on the financial and the general macro equilibrium, creating the potential for negative reaction to the occurrence of adverse standard business cycle or rare shocks. 11 ROMANIA B. Framework for Financial Stability Policy Formulation 21. The institutional framework for macroprudential policymaking has recently been strengthened and contains a clear mandate and well-defined objectives, but NBR’s role seems constrained. A new National Committee for Macroprudential Oversight (NCMO) was established in April 2017. By law, the NCMO is the national macroprudential authority with a clear legal mandate to set macroprudential policies with the objective to contribute to safeguarding financial stability by strengthening the resilience of the financial system and containing the build-up of systemic risk. The law was the result of a three-year long parliamentary process, mainly due to concerns about excessive powers of the NBR. As a result, the number of NBR representatives in the nine-member NCMO was reduced from the proposed five members to three, giving the NCMO the same number of representatives as the ASF, and the Government. It is chaired by the Governor of the NBR and the Secretariat resides within the NBR. 22. The institutional arrangement seems to guarantee adequate powers to ensure the NCMO’s ability to act, but its willingness to act remains to be more thoroughly tested. The NCMO has direct (hard) powers over a wide-range of macroprudential tools. It is empowered to recommend actions to be taken by other supervisory authorities or the Government, and to issue warnings, coupled with a ‘comply or explain’ mechanism. As of April 2018, it has only held five meetings and issued ten recommendations, including the required quarterly recommendations on the countercyclical capital buffer. The Technical Commissions on Systemic Risk and Financial Crisis Management, respectively, who should support the NCMO’s work, are still to become operational. 23. The communication process is performed in a transparent and relatively effective manner. The communication process includes the following: (i) an official press release is published on the website after the meeting of NCMO’s General Board, which includes a summary of the meeting; (ii) publication of a macroprudential policy strategy; (iii) publication of the recommendations and adopted decisions on the NCMO’s official website, where the motivation behind these is also detailed; (iv) the publication of the Annual Report, which will take place for the first time next year, by 30 June 2018; (v) publication of opinions; (vi) NCMO’s own website provides various information about macroprudential policies; (vii) the macroprudential measures can also be found within the Financial Stability Report of the NBR which is published on a semi-annual basis; and (viii) there will be future seminars and debates to promote the activities of the NCMO. 24. The macroprudential policy toolkit was recently expanded with the CRR/CRD IV framework becoming operational in Romania. In particular, the authorities have implemented or are phasing-in a number of capital buffers. The stressed Debt Service to Income (DSTI) limit is currently applied to consumer loans and maximum LTV ratios on mortgages have been undermined by the Prima Casa program. 12 ROMANIA C. A Well-Developed Public Infrastructure 25. The delay in implementing the new personal insolvency regime may be hampering access to credit. The new Personal Insolvency Law3 aims at providing over-indebted consumers with a second chance by allowing them to access a debt discharge, which is in line with the trend observed in Eastern European countries in recent years. Initially scheduled to enter into force in January 2016, implementation of the Law has been postponed several times due to administrative reasons, including the establishment of specialized regional administrative bodies and the lack of trained personnel and financial resources. The law was adopted without an impact assessment and its final effects on the financial sector remain to be seen. On June 9, 2017, the Government approved the methodological norms required to administer the procedure, although additional rules, regulations, and guidelines would need to be prepared for an efficient implementation. 26. Significant improvements have been made on the credit reporting system in the past decade. Credit information sharing is universally considered a key credit infrastructure component for its positive impact on the quality of lending (for example, by reducing information asymmetry) and overall financial sector stability (by providing data driven tools for both lenders and regulators). The project for establishing a Private Credit Bureau was initiated in 2004 with a large participation of local banks. The process of collecting and disseminating data was initially limited to negative information, but later expanded to include positive data following international best practices. After five years of operations, the Bureau started to provide additional services to banks, such as credit scoring. 27. Both the NBR and the ASF have taken important steps to strengthen the oversight of systemically important financial market infrastructures, and increased cooperation between the authorities is recommended. The NBR oversees the real time gross settlement payment system and SaFIR, the central securities depository for government securities and NBR securities, whereas the ASF supervises the clearing and settlement systems of the Bucharest Stock Exchange. The legal framework for financial market infrastructures has been strengthened through the adoption of EU legislation. The NBR also formally adopted the CPSS-IOSCO Principles for Financial Market Infrastructures and has assessed the systems under its purview against these principles. The NBR’s project to internalize the payment and settlement systems within the central bank is expected the strengthen the financial infrastructure. 28. Parliament passed several populist laws last year that would have allowed debtors to walk away from mortgages (‘datio in solutum’) and convert Swiss Franc denominated loans at historical exchange rates. Recent rulings by the constitutional court have limited the potential negative impact on the banking sector of these laws, but there is a concern that further legislative measures could be in the offing. The final effects of the personal insolvency law, providing over- indebted consumers with a second chance by allowing them to access a debt discharge, remain to be seen. Recently, Romania’s Government decided to cap deductions from nonperforming loan 3 Law No. 151/2015 on insolvency of natural persons was adopted by the Romanian Parliament in June 2015. 13 ROMANIA sales to 30 percent of their value, limiting tax deductibility of losses incurred by firms who sell NPLs at a discount relative to what they had provisioned for. As such, banks are discouraged to sell receivables and are encouraged to directly execute debtors. D. Framework for Crisis Management, Recovery, and Resolution 29. Implementation of the Bank Recovery and Resolution Directive (BRRD) in Romania is recent and institutions are still adapting to the change. The transposition of the EU directive into the country’s primary legislation concluded in 2015 (Law 312/2015). Since then, the institutions in charge of the bank recovery and resolution framework (NBR, MOPF, ASF, and Bank Deposit Guarantee Fund (FGDB)) have made important strides towards adapting to their new responsibilities and toolkit. As the resolution authority, the NBR has been charged with all key responsibilities in the bank resolution area, while some components of the framework have been delegated to the deposit insurer (management of the bank resolution fund and financing of the resolution measures) and to the MOPF (granting extraordinary public financial support) as a key domestic counterpart in crisis prevention and resolution. Some of the operational elements of implementing the new framework have yet to settle, especially part of the contingent arrangements (e.g., a Memorandum of Understanding (MOU), framework agreements between the MOPF and FGDB). The operational readiness has not been tested and given a market structure where systemic banks are subsidiaries of major international banks (61 percent of assets in the banking sector fall under single resolution board’s (SRB’s) authority), part of the contingent arrangements require a tight cross-border coordination with the other relevant authorities within the resolution colleges. This international coordination work has started, at the level of the resolution colleges, where a continuous process of reviewing the group resolution plans takes place. 30. The responsibilities of the FGDB have been significantly enlarged in the area of bank resolution. The 2015 resolution framework empowered the FGDB as the administrator of the newly created bank resolution fund. The resolution fund’s target level is 1 percent of deposits covered and is currently at 60 percent of that objective, which should be attained latest by 2024. In addition, the FGDB has the mandate to serve as (i) a temporary administrator; (ii) special administrator of a credit institution under resolution; (iii) shareholder of a bridge institution; or (iv) shareholder of an asset management vehicle.4 E. Public Safety Net 31. The NBR has over the years strengthened its liquidity provision framework. The overarching criteria for liquidity provision are based on objectives of preservation of economic stability and the support to solvent but illiquid entities. However, the existing arrangement has not been tested in recent years under economic stress of systemic nature, and a formal operational framework for emergency liquidity assistance is still under construction. Authorities are using the 4 Before the BRRD, the FGDB already had the following prerogatives: (i) act as special administrator; (ii) name delegated administrators of a credit institution in distress; and (iii) be the sole shareholder of a bridge-bank stated by Romanian regulatory framework. 14 ROMANIA legal framework of the European Central Bank (ECB) 2017 agreement in this area as the base for their formulation. 32. In December 2015, Romania adopted new legislation (Law 311/2015) which transposed EU Directive 2014/49 on deposit guarantee schemes. The deposit insurance fund has a high level of coverage (99.5 percent of accounts), and at 3.4 percent of the amount of eligible deposits has nearly reached its target. Contingent financing continues to remain work in progress. While the law allows the FGDB to count on the MOPF within specific time limits (five days), the specific arrangements for the financing to take place are yet to be finalized. 33. Romania undertook a crisis simulation exercise in 2013. While many of its lessons have been internalized by the BRRD transposition and other regulatory and supervisory enhancements since then, a new simulation exercise would be useful to test preparedness domestically and in coordination with regional counterparties. Ultimately, authorities should consider preparing a program of continuous tests and simulations that keep the crisis management framework up to speed. F. Effective Market Discipline 34. Financial reporting, auditing and disclosure requirements in Romania are largely harmonized with those applicable across the European Union and in line with international standards. The Romanian banking system has been required to report financial information based on the International Financial Reporting Standards (IFRS) at a consolidated level since 2006 and at individual level since January 2012. Banks representing close to three quarters of banking assets are subsidiaries of EU banking groups, which are generally listed and subject to effective market discipline at group level. A 2017 law created a new public oversight body for external auditors in Romania. A 2016 analysis of the corporate governance framework conducted by the European Bank for Reconstruction and Development assessed corporate governance along five dimensions and rated the structure and functioning of the Board, internal control and stakeholders and Institutions as fair, transparency and disclosure as fair/moderately strong and the rights of shareholders as moderately strong. Areas where corporate governance was considered weak included board effectiveness (incl. lack of requirement for the Board to approve the company’s budget and set the risk profile/appetite, uncommon practice on board evaluation and limited numbers of their audit committee meetings), gender diversity at the Board, and the functioning and independence of the Audit Committee (incl. minority of independent members, lack of proper qualification of members, insufficient disclosure on number of meetings). 35. With respect to rules on corporate governance, according to the Romanian Banking Law , each credit institution must have robust governance arrangements, which include a clear 5 organizational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, 5 Government Emergency Ordinance No. 99/2006 on credit institutions and capital adequacy. 15 ROMANIA adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management. In this respect, the governance arrangements of a credit institution, the processes to identify, manage, monitor and report the risks, the internal control mechanisms as well as the remuneration policies and practices must be established by its Articles of Association and internal regulations, according to the Companies Law and in compliance with the provisions of national and European legal framework in banking area. MAIN FINDINGS A. Responsibilities, Objectives, Powers, Independence, and Accountabilities (CPs 1–2) 36. The NBR has clear responsibilities as a supervisor, adequate resources and independence, even if the framework protecting the latter should be strengthened. Banking supervision in Romania falls exclusively within the responsibility of the central bank. As Romania is a member of the EU, banking supervision is also significantly harmonized and integrated across member states. Laws and regulations are regularly updated. The NBR, as a supervisory authority, possesses stable governance arrangements and effective operational independence. However, the MOPF could participate in NBR Board meetings and the reasons for the dismissal of a Board member do not have to be disclosed. The decision to approve sanctions/orders is the sole responsibility of the first deputy governor; there is no internal guidance or formal independent function available to assist the first deputy governor in determining adequate decisions. The NBR dedicates large resources to supervision, in terms of staff, equipment and other variable costs. The NBR adopted detailed arrangements to prevent and manage conflicts of interests at all levels. However, there is no post-employment or cooling-off framework covering situations where a staff or Board member intends to take (or takes) a position in a bank supervised by the NBR (or that it has directly supervised). Although the NBR board members and staff are adequately protected against lawsuits for actions taken and/or omissions made while discharging their duties in good faith, this protection does not apply to the institution. B. Ownership, Licensing, and Structure (CPs 4–7) 37. The NBR implements a well-designed regime for licensing, transfer of significant ownership and major acquisitions. Only licensed credit institutions can provide banking services. NBR has exclusive competence for granting and withdrawing the license of banks incorporated in Romania and branches of banks located outside the EU. The NBR last licensed a bank in 2009. The licensing framework includes clear and detailed criteria. The ownership structure of locally incorporated banks and branches of EU banks is transparent. The NBR implements a rigorous definition of transfer of significant ownership, in line with the provisions of CRD IV, as well as requirements on the transparency of bank ownership. This largely, but may not fully, cover the transfer of beneficial ownership. The NBR has a detailed framework to review major acquisitions. As 16 ROMANIA part of the consolidation of the Romanian banking system, The NBR reviewed and approved four requests for acquisitions in the past five years (all related to mergers between banks licensed in Romania). Romanian banks only have small activities outside Romania. C. Ongoing Supervision (CPs 8–10, 12) 38. The supervisory approach of the NBR has changed towards a more risk based approach since the previous BCP assessment. As of January 1, 2016, the NBR Board approved the adoption of the EBA SREP Guidelines (EBA/GL/2014/13) into national supervisory practices. The Romanian regulatory framework has implemented the provisions of CRR, CRD IV and BRRD (resolvability assessment). The SREP is a core supervisory tool of banking supervision in Romania and deploys a good mix of onsite and offsite supervisory tools and techniques. The NBR has broad information collecting power by legislation; in particular, the Central Credit Register allows supervisors to access high-granularity data. 39. Nevertheless, the new EBA SREP methodology is still in the early stages of implementation. During SREP, there is no structured/independent review to ensure consistency and accuracy of scoring, findings, and measures of the supervisory report. Considering the recent adoption of the EBA SREP methodology in Romania, the quality assurance procedure is critical. Authorities should consider a way to ensure consistency and objectivity of SREP scores, findings, and supervisory measures. For instance, the authorities could establish an independent review process, develop on-site and off-site supervisory assessment handbooks, and improve the electronic platform to more effectively manage findings, measures, and follow-ups. 40. With regard to off-site supervision, a significant part of this off-site function includes the approval/rejection of requests concerning amendments in a bank’s situation.6 This responsibility of the offsite function could limit to a certain extent, the ability of the NBR to maintain a thorough and deeper analysis of the risks that banks and banking groups are facing. Regulatory cost and benefit exercises may be warranted in respect of optimum allocation of supervisory resources. Authorities could review the off-site activities regarding various approval processes for supervisors so they may focus more on qualitative risk analysis. 41. More risk-focused, banking industry-wide thematic analyses and examinations across systems, triggered by recent trends or events, appear to be limited. The Financial Stability Department (FSD) publishes financial stability reports on a half yearly basis and performs top-down stress testing, and shares the results with banking supervisors. However, the results of the FSD have limited applicability and are not directly communicated to individual banks for supervisory purposes. During 2016 and 2017, there were no thematic inspections carried out at the banking system level. The NBR is not differentiating the frequency of full-scope examinations based on the outcome of 6 The off-site activities of line supervisors include in-depth interviews and approval of persons nominated to exercise administration and/or management responsibilities, key function holders, and financial auditors, etc. For example, the NBR have interviewed around 1,700 board members, executives, and middle managers (key function holders) from 2009–2017. More than half of the interviewees were middle managers. 17 ROMANIA the risk profile analysis of banks; instead, the asset size and the overall SREP score of the previous year are the main factors in determining the scope and intensity of examinations. Authorities should consider a more risk-focused approach such as conducting thematic analysis and/or examinations across the banking system with a mix of off- and on-site activities for a specific type of risk. 42. Other improvements should be sought, including cooperation with other domestic supervisors, bottom-up stress tests, monitoring of intra-group exposures, and more frequent off-site monitoring on a consolidated basis. While the NBR and ASF share relevant data and supervisory findings, there are no regular meetings between the NBR and ASF, and there is no systematic process to prepare on-site examinations of banking groups, develop a joint view on risks in relation to a particular banking group, align supervisory approaches, and discuss potential concerns on the banking group or subsidiaries. In addition, the main quarterly monitoring tools of the NBR do not seem to have embedded a forward-looking view of a bank’s risk profile (e.g., no bottom up stress testing tools) and quarterly KRIs are monitored on a solo basis.7 The NBR should consider developing a bottom-up stress testing methodology as a complementary supervisory tool, and enhance the intra-group exposures monitoring and consolidated supervision, in coordination with the ASF where relevant. D. Corrective and Sanctioning Powers (CP 11) 43. The NBR has sanctioning powers and tools in almost all respects, however, the sanctioning/order issuance process needs to be enhanced. Regarding the internal process for determining measures and sanctions, the NBR currently conducts insufficient analysis to ensure consistency, accuracy and justification of inspection outcomes and sanctions across the banking system. More specifically, there is no consistent internal independent review process to ascertain that the applied measures or corrective actions are adequate and consistent. Therefore, the NBR should consider establishing an independent review process and/or introducing relevant guidance in this regard. In addition, the NBR, as a competent authority of credit institutions, cannot impose any measures regarding the merger process or acquisition by a third party per Banking Law8. 9 44. Post examination processes should be improved to guarantee more effective implementation of corrective actions. Regarding the supervisory follow-up, the time frame described in the internal rules of the NBR is not always adhered to. Assessors note that the issuance 7 The NBR mentioned that it would revise the following internal rule to address the deficiencies: “Procedure on the operational flow of the process of assessment and evaluation of the management framework, strategies, processes and mechanisms implemented by credit institutions, Romanian legal persons, as well as credit institutions from other Member States, respectively from third countries.” 8 The term “Banking Law” is used throughout to refer to Government Emergency Ordinance No. 99/2006 on credit institutions and capital adequacy. 9 This could be an EU-wide common issue by implementing the BRRD, but CP 11 mentions this tool (“facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank ”) as a preventive measure for supervisory authorities. (continued) 18 ROMANIA of supervisory reports and written orders is often delayed.10 Assessors were informed that formal wrap-up meetings after on-site inspections do not always take place. This practice would hinder banks from implementing supervisory measures in a prompt manner. E. Cooperation and Cross-Border Banking Supervision (CPs 3, 13) 45. Cooperation among EU supervisors is intense, reflecting increasing integration of the EU banking market and the dominance of EU banking groups in Romania. Arrangements are in place to facilitate and ensure cooperation with relevant domestic and foreign authorities. Cooperation among domestic authorities is organized, but meetings with the ASF are too infrequent to allow for effective coordination. International cooperation is in place for EU banking groups, that control three quarters of banking assets in Romania, and where the NBR is the host supervisor. The NBR is a member of 15 EU colleges of supervisors, which allow for effective information sharing and unified supervisory actions. Close coordination is also in place for crisis management and resolution, at the domestic level with the resolution arm of the NBR and, for large banks active in Romania, within EU supervisory and resolution colleges. All Romanian banks prepared recovery plans starting in 2016; resolution plans were also prepared for almost all of these institutions (and their groups where applicable) F. Corporate Governance, Risk Management, Internal Control and Audit (CPs 14, 15, 26) 46. An increased emphasis on the role of independent directors and direct and regular exchanges between the NBR and non-executive Board members are essential to ensure effective corporate governance. Corporate governance requirements were strengthened at the EU level and transposed in Romania starting in 2013, clearly laying out the responsibilities of the management body in ensuring banks operate in a safe and sound manner. The NBR conducts a thorough review process, including challenging interviews, before approving members of the management body, and during the on-site full-scope examinations. However, the NBR only requires subsidiaries to have an “adequate” number of independent members in the management body. Banks usually only have 1 or 2 independent member(s), which is insufficient to encourage challenging other executive and nonexecutive members and, where appropriate, lead specialized committees. Moreover, although the NBR places a lot of responsibilities on the management body, it does not yet meet on a regular basis with its nonexecutive and independent members (nor sends them letters detailing serious shortcomings or transmitting on-site reports). 47. Regulations set detailed and demanding requirements for control functions. Discussions with the NBR confirmed the importance placed on risk management, internal control and audit during on-site inspections. However, the NBR has not yet developed detailed internal 10 The draft should be sent to banks within 60 working days according to NBR internal procedure, but many examination reports were issued to banks more than six months later with the issuance of written orders taking even longer. 19 ROMANIA methodologies to facilitate a comprehensive and consistent review of these issues. Reviews of practices at industry level in these areas could also usefully inform the supervisory process. G. Capital Adequacy and Liquidity Risk (CPs 16, 24) 48. It is noteworthy that the Regulatory Consistency Assessment Program (RCAP) of the BCBS reviewed the EU-wide capital and liquidity framework and concluded that certain features deviated from Basel standards.11 The RCAP concluded that the EU requirements follow the Basel standards set by the BCBS broadly, but with a number of divergences, where the EU is less conservative than the BCBS, which positively impacts ratios. In terms of the capital framework, the most significant divergences between the Basel III framework and the EU capital regulation do not seem to be material for Romanian banks. A deviation concerns the treatment of credit exposures for small and medium-sized enterprises (SMEs) under the Standardized Approach, where less stringent capital requirements do seem to be applied. 49. There is no dedicated team or unit within the NBR’s supervisory department (SD) responsible for evaluating, approving, reviewing and overseeing banks’ internal models. Two banks have been approved to use the advanced approach to calculate regulatory capital for credit risks and three banks for operational risks. Although the number of banks applying the advanced approach is small, the banks that apply it are large in Romania. The FSD has a quantitative assessment division that assists the SD whenever supervisors need to approve the advanced approach in a certain bank or validate internal models, but they are not involved in supervision and examination on an ongoing basis. There would be an increasing need to devote more supervisory attention to banks’ risk models used for their own risk management purposes and in regulatory capital calculations. NBR examiners should focus more on periodic validations and independent testing of different models, even when the banks are not generating inputs for the regulatory capital calculations. 11 https://www.bis.org/bcbs/publ/d300.pdf, https://www.bis.org/bcbs/publ/d410.pdf 20 ROMANIA H. Credit Risk, and Problem Assets (CPs 17–18) 50. Following the sharp deterioration in credit quality after the global financial crisis, the NBR led efforts to clean up banks’ balance sheet and ensure their soundness. The framework for credit risk management was significantly strengthened and close monitoring, including through annual examinations, is still conducted. Nonperforming exposures (NPE) increased rapidly and dramatically after 2007 and peaked at 22 percent in 2013 before declining to 6.4 percent in December 2017. The NBR was instrumental in promoting this rapid reduction through multiple initiatives designed to ensure the timely recognition and realistic provisioning of NPEs (e.g., interim June audits, independent collateral revaluations, full provisioning of high risk exposures, write-offs etc.). The NBR continues to closely monitor NPEs, thanks to detailed and regular reportings, and ensures proactive implementation of requirements on problem loans. I. Related Parties Transactions, Concentration, and Country risks (CPs 19– 21) 51. The current regulation on the transactions with related parties (RP) has deficiencies against the CP. The current definition of affiliated parties is not as broad as the requirements in this CP. For example, the current definition fails to capture any person in a key position or a major individual shareholder of other group entities within a banking group, including the parent bank/company itself. In terms of RP identification, there is no explicit presumption power of the NBR in the regulation, although the NBR, in practice, may exercise discretion in applying the definition on a case by case basis. Moreover, there are no explicit provisions that require that the “write-off” of RP exposures exceeding specified amounts is subject to prior approval by the board. Information on RP transactions collected during off-site supervision is not sufficiently granular to capture the exact characteristics. Overall, RP regulation describes high level principles, but does not give clear guidance to banks. The NBR should review and amend the regulation on affiliated party transactions in a more prudent manner. 52. The NBR applies the EU-wide large exposure regime, and the banks’ concentration risk management is assessed in the context of SREP. However, there is no explicit requirement in the regulation that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board, even though the practices are examined during on-site inspections. The explicit inclusion in regulation may be important in Romania considering the high level of sovereign debt concentration in banking industry. Even if the exposures comply with the large exposure or RP limits, assessors noted several examples where certain exposures should be examined further in the context of concentration risk or RP transaction management.12 The NBR should consider conducting a thematic review on concentration risks across banks (particularly 12 See the comment section of CP 20. (continued) 21 ROMANIA focusing on banks where the large exposure limit is set at EUR 150 million or 100 percent of capital, and banks that have high concentration risks).13 53. The NBR regulation for country and transfer risk management is not sufficiently comprehensive. The NBR will check the country/transfer risk policies and processes implemented by banks if the country and transfer risks are significant for a bank or banking group. However, the regulation includes only high-level principles similar to the BCP text, and lacks sufficient substance. The NBR does not give any further/specific guidance to banks and supervisors through regulations, instructions, or the on-site handbook. It is difficult to ascertain what and how supervisors should examine during on-site inspections.14 There are no specific regulatory provisioning standards for country risk and transfer risk in Romania. Also, there are no specific regulatory requirements for banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis. It is therefore not clear how supervisors perform a banking group-wide country risk analysis across each entity to form a comprehensive view of country risk. J. Market Risk, Interest Rate Risk in the Banking Book, and Operational Risk (CPs 22, 23, 25) 54. In the Romanian banking system, the level of market risk is low for most of the Romanian credit institutions that do not have complex instruments. As of June 2017, risk weighted assets (RWAs) for market risk were around three percent of total RWAs. None of the banks use the advanced approach for computing market risk capital charges. The CRR and EBA SREP guidelines are comprehensively stipulated and the NBR conducts on-site inspection on all credit institutions annually. However, there is no market risk specialist in the supervision department; one should be assigned to build up expertise in this area. In terms of interest rate risk in the banking book (IRRBB), the Basel Committee published a new guideline on standards for IRRBB in April 2016, but the NBR has not updated the IRRBB rules accordingly. Authorities mention that currently they are in the process of amending regulation regarding IRRBB. 55. With respect to operational risks, a guideline on cyber security and/or information communication technology (ICT) for banks has not been implemented yet. Regarding IT resources, the SD has one IT systems specialist but does not have a dedicated unit; this could be considered insufficient in times of increasing demand, since the SD does not use external IT experts. The authorities mentioned that they are planning to hire more IT risk experts and new EBA Guidelines on ICT Risk Assessment (2017) will be implemented starting January 2018. 13 The authorities informed the assessors that a thematic review on large exposure limits and concentration across banks will be performed during the first quarter of 2018. 14 For example, the regulation is silent in the essential areas to be developed by banks and examined by supervisors to manage country and transfer risks (e.g., procedures for dealing with country risk in times of crisis, oversight mechanism, a periodic review requirement by the board, etc.) 22 ROMANIA K. Financial Reporting, Auditing and Disclosure (CPs 26–28) 56. Financial reporting, auditing and disclosure requirements are largely harmonized at the EU level. Banks are required to prepare financial statements in compliance with the IFRS and have them certified by an external auditor which complies with international audit standards. Banks’ external auditors belong to the network of the four biggest global auditing firms and a large French auditing firm (with the exception of the credit cooperative network). Rotation requirements are implemented since 2014, either for the firm or the signing partner. All banks adopted specific policies and most rotated the firm. Five small banks appointed their external auditor in 2001–08 and only rotated the signing partner. The NBR confirmed that the tenure of these signing partners did not exceed seven years. There is, however, no internal methodology defining criteria used by the NBR to assess the adequacy of banks’ policies on rotation (and set a maximum time limit to guide supervisory assessments). Financial and prudential disclosure requirements are detailed and largely unified at the EU level. The NBR confirmed that these fully apply to banks incorporated in Romania on annual basis. The NBR verifies individual disclosure requirements and published detailed and updated information on banking activities and risks. A review of disclosure practices across the entire industry could usefully be conducted. L. Abuse of Financial Services (CP 29) 57. In recent years, the Anti Money Laundering and Combating the Financing of Terrorism (AML/CFT) supervision of the NBR was strengthened particularly to be in line with the changes imposed by the new European Directive. The new European regulatory framework Directive (EU) 2015/849 provides a number of requirements on risk-based supervision, and a newly enhanced AML/CFT law is to be submitted for the Parliament’s legislative procedure. The NBR is in the early stages of implementing a risk-based approach to AML/CFT supervision. The NBR has assessed the Money Laundering and Terrorism Financing (ML/TF) risks, ranked banks, and established a detailed methodology for a risk-based approach to its AML/CFT supervisory activities. 58. Nevertheless, several shortcomings remain. Under Romanian law, only correspondent banking relationships with banks outside the EU are subject to enhanced due diligence measures. Under the Financial Action Task Force (FATF) standard, however, enhanced due diligence should be implemented with respect to all correspondent banking relationships, and no exception is currently made for intra EU correspondent banking relationships. Simplified due diligence is imposed in specific circumstances without a sound assessment that would have established that these circumstances present low ML/TF risks. 23 ROMANIA DETAILED ASSESSMENT A. Supervisory Powers, Responsibilities, and Functions Principle 1 Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.15 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.16 Essential criteria EC1 The responsibilities and objectives of each of the authorities involved in banking supervision17 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. Description and Banking supervision in Romania falls within the responsibility of the central bank, the findings re EC1 National Bank of Romania (NBR), which is the only domestic prudential supervisor for banks in Romania (Article 3 of the NBR statutes18). As Romania is a member country of the European union (EU), important responsibilities regarding banking supervision are harmonized, coordinated or exercised at the EU or eurozone levels (see Institutional and market structure section and CP 5 on branches of EU banks and freedom to provide banking services for EU banks). The objectives of the NBR, in banking supervision, focus on ensuring financial stability, protecting the interests of depositors and ensuring a sound and viable banking sector (considering a primary objective of ensuring and maintaining price stability, as indicated in Article 2–1 of the NBR statute). • Article 2–2–b of the NBR statute indicates that: “the main tasks of the National Bank of Romania shall be: […] to conduct the authorization, regulation and prudential supervision of credit institutions and to promote and oversee the smooth operation of the payment systems with a view to ensuring financial stability. “ • Article 164 of the banking law indicates that “for protecting the interests of depositors and ensuring a sound and viable banking sector, the National Bank of Romania shall carry on the prudential oversight of credit institutions.” 15 In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example nonbank (including nonfinancial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation. 16 The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles. 17 Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification. 18 Law 312, Statute of the National Bank of Romania, June 28, 2004. 24 ROMANIA The responsibilities of the NBR regarding licensing, regulation and supervision are consistently defined by its statute and the banking law. The banking law Article 4 indicates that: “the National Bank of Romania is the competent authority for the regulation, licensing, prudential supervision of credit institutions”. EC 2 The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. Description and Both the banking law Article 164 and the NBR statute Article 2–2 give NBR the findings re EC2 responsibility to promote the safety and soundness of banks and the banking system (considering the NBR primary objective of ensuring and maintaining price stability. EC3 Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile19 and systemic importance.20 Description and Laws and regulations provide a framework for the supervisor to set and enforce minimum findings re EC3 prudential standards for banks and banking groups. Minimum prudential standards are primarily set at the Romanian and EU levels. The NBR statute Article 25 empowers NBR to: “(a) Issue regulations, take measures for their observance and apply legal sanctions in cases of infringement and (b) check and verify, based on off-site and on-site supervision.” The NBR regularly issues regulations in areas not covered by EU regulations. Some EU regulations are directly enforceable (e.g., 2013 Capital requirement regulation - CRR- and implementation of technical standards -ITS- regulations, e.g., on supervisory reporting), while others need to be transposed in Romanian laws and regulations (e.g., the CRD IV, which is transposed in the banking law-and guidelines issued by the European banking authority -EBA-). The CRR defines binding requirements in some areas (e.g., key aspects of the capital adequacy regime or large exposure regime); in such cases, national supervisor cannot set additional regulatory requirements. NBR is involved in the preparation of banking regulations at the EU level, including participation in several EBA working groups21, to ensure its views can be expressed and considered at an early stage. NBR has the power to increase prudential requirements for individual banks and banking groups based on their risk profile Article 226–3 and 226–4. The supervisory review and 19 In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a b ank. 20 In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement , November 2011. 21 In 2016, NBR participated to Board of Supervisors and the Resolution Committee of EBA as well as in other structures and substructures, such including the Standing Committee on Oversight and Practices, the Standing Committee on Regulation and Policy, the Standing Committee on Accounting, Reporting and Auditing, the Subcommittee on Anti-Money Laundering of the Joint Committee of the European Supervisory Authorities, the Subgroup on Own Funds, the Subgroup on Securitization and Covered Bonds, the Subgroup on Governance and Remuneration, the Subgroup on Liquidity, the special Working Group on Stress Testing, the special Working Group on Impact Study, and the special Working Group on Information Technology Risk Supervision. 25 ROMANIA evaluation process (SREP) allows NBR to review on an annual basis the opportunity to impose additional capital requirements and, where applicable, define their amount (in the case of subsidiaries of EU banks, such additional capital requirements need to be imposed through a joint decision with the home supervisor, see CP 13). The National committee on macroprudential oversight (NCMO), chaired by NBR, is responsible for identifying systemic institutions and, where applicable, making recommendations on additional prudential requirements they should meet (see CP 3). NBR is then empowered to impose such additional prudential requirements. EC4 Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. Description and Banking laws, regulations and prudential standards are frequently updated, as needed and findings re EC4 without apparent delays. Such amendments are largely driven by changes in the EU regulatory framework, which need to be transposed in Romania. The banking law was amended every year (except 2014) since it was passed in 2006; regulations are also frequently amended considering the specificities of the Romanian banking environment (particularly NBR Regulation 5/2013 which contains key prudential requirements). In Romania, all draft laws and regulations are subject to public consultations based on the provisions of Law No. 52/2003 on decisional transparency in public administration. For NBR draft regulations, after the completion of internal consultation within NBR, a draft regulation is published on the NBR website for public consultation; after the public consultation, a new draft regulation is prepared, approved and published in the Official Gazette (as required by Article 56 of the NBR Statute). There is a specific detailed consultation process at the EU level with public consultations organized by the EU Commission on all draft regulations and directives and by the EBA on its draft guidelines. NBR mentioned that banks and the banking industry are well-aware of this process and provide comments where appropriate. EC5 The supervisor has the power to: (a) have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; (b) review the overall activities of a banking group, both domestic and cross-border; and (c) Supervise the activities of foreign banks incorporated in its jurisdiction. Description and Both NBR statute Article 25 and the banking law empower NBR to have full access to findings re EC5 relevant information and persons for supervisory purposes: • NBR shall have all information gathering and investigatory powers that are necessary for the exercise of its functions Article 225–5 of the banking law; • As part of investigations, NBR can require the submission of documents, examine books and records of the bank, its affiliate and, where applicable, its holding company, obtain written or oral explanations from any such person, and interview 26 ROMANIA any other person who consents to be interviewed for collecting information relating to the investigation Article 225–8 of the banking law; • During on-site examinations, banks shall allow NBR to “examine their reports, accounts and operations and to provide all the documents and information related to the activity performed, as they are requested,” Article 171. In practice, NBR did not report facing any constraint in accessing banks’ and banking groups’ Boards, management, staff and records. The banking law Article 176 defines cases where supervision shall be applied on a consolidated basis. The scope of Article 176 includes cases where the Romanian bank is a parent undertaking (as defined by the CRR) or the Romanian bank is the only or main bank controlled by an EU financial holding company. The scope of consolidated supervision includes both domestic and cross-border activities. NBR is responsible for the supervision of subsidiaries and branches of countries which do not belong to the European union (see Article 67 and following on branches of third countries and CP 5 on subsidiaries of third countries and subsidiaries and branches of EU banks). EC6 When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: (a) take (and/or require a bank to take) timely corrective action; (b) impose a range of sanctions; (c) revoke the bank’s license; and (d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate. Description and When, in NBR judgment, a bank is not complying with laws or regulations, or it is or is findings re EC6 likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: • take (and/or require a bank to take) timely corrective action and impose a range of sanctions (see CP 11); and • revoke the bank’s license. cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate (see CP 3). EC7 The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. Description and NBR has the power to review the activities of parent companies and of companies findings re EC7 affiliated with parent companies, as part of an application for a banking license is made (see CP 5 on the process followed by NBR) and on an ongoing basis. 27 ROMANIA For supervision purposes, the banking law Article 225 mentions that NBR “shall have all information gathering and investigatory powers that are necessary for the exercise of its functions”, including the power to conduct all necessary investigations of any natural or legal person which are credit institutions, financial holding companies, mixed financial holding companies, mixed-activity holding companies as well as persons belonging to these four entities. NBR mentioned that on-site examination teams verified annually that banks collect adequate information to identifying and assess persons holding qualifying holdings. Regulation 6 also requires banks to keep necessary information to allow the identification of persons holding qualifying holdings and submit annually a statement of all shareholders (including identity, residence and nationality, percentage of participation in capital and voting rights) and, for shareholders holding directly, indirectly or in concert, qualifying holdings, updated financial information (including annual, individual and consolidated financial statements for legal entities and income statements for natural persons). Assessment of Compliant Principle 1 Comments Banking supervision in Romania falls within the responsibility of the central bank, the National Bank of Romania (NBR). The primary objective of banking supervision is to promote safety and soundness (and no other objective of NBR conflicts with this objective). As Romania is a member of the European union (EU), important responsibilities regarding banking supervision are harmonized, coordinated or exercised at the EU or eurozone levels. As part of the passporting regime, EU banks can set-up branches or directly provide financial services in Romania while being supervised by their home authority. Laws and regulations are regularly updated (almost on an annual basis for the banking law), largely in response to new regulations and guidelines issued at the EU level. NBR has powers to take corrective actions and sanctions, when necessary. Principle 2 Independence, accountability, resourcing and legal protection for supervisors . The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. Essential criteria EC1 The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. Description and Governance. findings re EC1 NBR statute Article 33 indicates that its Board has responsibility for banking supervision and is made of nine members: four executives—the Governor who chairs the Board, a 28 ROMANIA senior deputy governor and two deputy governors, and five nonexecutive directors. All Board members are appointed for a (renewable) five-year term by Parliament (on the recommendation of the competent standing committees of the two Chambers of Parliament). Board members were last appointed in October 2014 (except for a deputy governor who resigned in October 201622 and was replaced in April 2017 following parliamentary elections in December 2016). A majority (five) of Board members were appointed over eight years ago: The Governor was first appointed in 1990, the senior deputy Governor in 2004, and two members were already present on the Board in 2004 and one in 2009. A supervisory committee including NBR executive directors and senior management was set-up, as envisaged by NBR statute Article 32 and is at the core of the supervisory process. Regulation 99/2 governs its membership (10 members including the Governor as chair, first deputy Governor, two deputy Governors, directors for supervision, regulation and authorization, financial stability, legal, resolution and deputy director of banking supervision); defines its responsibilities (assess and monitor banking activity and risks, approve the on-site examination program and supervisory strategies, approve or reject individual requests from banks—with a few exceptions e.g., changes in the approval of middle management—approve sanctions based on the findings of on-site examinations and validate reports and note prepared for the Board —authorization, draft regulations, etc.; contemplates weekly meetings—or when requested by the Chair—during which decisions are made by consensus or vote and require that its conclusions are sent to the Board on a monthly basis. NBR confirmed that the supervisory committee held regular meetings (sometimes virtual). It met 24 times in 2016. Its activity included the following: (i) notification of the intention on acquiring a qualifying holding in the capital of a bank and/or on increasing such participations; (ii) approval of changes in Board members and/or executives, scope of activity, external auditors, operations on preferential terms set forth in the employee benefits and incentive packages, mergers, etc.; (iii) draft pieces of legislation concerning the activity of banks and nonbank financial institutions; (iv) implementation of EBA Guidelines in the national legal framework and/or in supervisory practices; and (v) monitoring of developments in terms of financial stability, identifying, monitoring and assessing systemic risks and those related to systemically-important credit institutions, specific analyses (monitoring the lending terms and conditions, overseeing the way in which the financial system contributes to the sustainable resumption of lending to the real economy, etc.). See CP 8 on supervisory approach. Independence. 22 The resignation was prompted by public allegations of corruption related to a position held before joining NBR. 29 ROMANIA NBR statute mentions that (i) NBR is independent Article 1 and (ii) NBR or members of its decision-making bodies “shall not seek or take instructions from public authorities or from any other institution or authority” Article 3. The Statute further indicates that Board members cannot be deputies, senators, or politically affiliated and may not belong to the judicial authority or to the public administration Article 34 of the statute. The Minister of Public Finance (and its State secretary) may participate to NBR board, without voting right, Article 33 of NBR statute). The assessors were informed by the Ministry that it never participated to NBR Board meetings. However, if Article 33 was implemented, it could significantly hamper supervisory independence. In practice, NBR has been able to independently express its opinion when it deemed it justified23. The review of supervisory practices did not identify any case where the independence of the supervisor may have been compromised. Accountability. The banking law Article 224 requires that NBR discloses on a regular basis (i) the texts of laws, regulations, instructions and general guidance adopted in the field of prudential regulation; (ii) the manner of exercise of the options and discretions available in the EU regulations; (iii) general criteria and methodologies used in the review and evaluation of the governance arrangements, strategies, processes and mechanisms implemented by the credit institutions and in the assessment of the risks to which credit institutions are or might be exposed; and (iv) aggregate statistical data on key aspects of the implementation of the prudential framework, including the number and nature of supervisory measures taken and of administrative penalties imposed. NBR statute Article 35 requires that it annually submit to Parliament a report covering its activities during the previous year. The 2016 NBR report contains information on the governance of NBR (including activities performed by its supervisory committee), licensing and regulation (including changes in the prudential and accounting frameworks), implementation of supervision (including distribution of the industry by SREP ratings, implementation of on-site examination program, statistics on corrective measures and sanctions) and key activity and risk indicators for the banking system. Banking supervision is subject to the internal audit of NBR (see CP 8 and 9). At the EU level, several reporting and review requirements for national supervisors also significantly contribute to the accountability framework (e.g., EBA peer reviews on the implementation of guidance and the functioning of supervisory colleges, publication of comparable data across countries etc.). 23 “During the debates on Law No. 77/2016 on the discharge of mortgage-backed debts through transfer of title over immovable property, the NBR highlighted the negative consequences that the enforcement of this law in the proposed form might have on lending conditions, financial stability, economy as well as on the decline in foreign investor confidence amid the increase in legal uncertainty. Moreover, the central bank underscored that the retroactive enactment of the law may generate moral hazard and may have a significant negative impact on financial stability and the smooth functioning of credit institutions.” NBR, 2016 annual report 30 ROMANIA EC2 The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. Description and The head of the supervisory authority is the Governor of NBR. The first deputy Governor findings re EC2 also plays a prominent role in banking supervision (see CP 8). Both are appointed by Parliament, based on recommendations from relevant standing committees (see EC 1); the processes and criteria followed by these standing committees are not known. The fit and proper criteria the standing committees of Parliament responsible for the appointment of Board members expect applicants to meet are unknown. The Governor was regularly reappointed since 1990 and the first deputy Governor since 2004. All Board members have a five-year term limit. The NBR statute indicates Article 33 that: “a member of the Board may be recalled from office by the Parliament, at the joint proposal submitted by the competent standing committees of the two Chambers of Parliament, if s/he no longer fulfills the conditions required for the performance of her/his duties or if s/he has been found guilty of serious misconduct” and specifies that “no member of the NBR’s Board can be replaced for other reasons or following” another procedure. Moreover, “appointment, retirement and recalling from office of any member of the N BR’s Board” must be published in the official gazette and can be appealed to the High Court of Cassation and Justice within 15 days following such publication. There is no explicit provision that the reason(s) for removal is publicly disclosed. There have not been cases where NBR Board members were removed from office (see EC 1 on the resignation of a deputy Governor in 2016). EC3 The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives. 24 Description and Besides the general objectives and tasks stipulated by the NBR Statute, the NBR makes findings re EC3 publicly available in its annual report, its specific objectives in the field of prudential supervision as well as the main actions taken in the past year (see CE 2 on accountability). EC4 The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. Description and NBR adopted a regulation defining the responsibilities of the supervisory committee. findings re EC4 Detailed responsibilities of senior management are also defined (including the responsibilities of the first deputy Governor and director of supervisor who approve and sign most supervisory measures -unless they fall within the responsibilities of the supervisory committee and the Board- and escalation processes within the departments). The decision to approve types of measure or sanction is the sole responsibility of the first deputy governor; there is no internal guidance available to assist the first deputy governor 24 Please refer to Principle 1, Essential Criterion 1. (continued) 31 ROMANIA in determining adequate decisions. For example, after on-site supervisory activities, the inspection team will propose its corrective measures or sanctions for banks through written order to first deputy governor. 25 The first deputy governor then approves the orders are they are sent to banks. At times, the inspection team, at its sole discretion, may seek guidance from legal department and discuss within the supervision department prior to submitting the order for approval (see CP 11 EC 4). Communication among key stakeholders are frequent and effective. Article 34 of the NBR statute defines the regime on “incompatibilities and conflicts of interests” (see CE 5). Specific rules are also applied at the EU level (e.g. , EBA conflict of interest policy covering inter alia the director and deputy director of banking supervision which declarations of interests are publicly available). EC5 The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. Description and Banks and other public stakeholders consistently confirmed the solid credibility of NBR findings re EC5 supervisory staff and their professionalism. NBR statute requires that both Board members and staff preserve the confidentiality of information obtained through their work, including after they leave NBR Article 52. The statute also identifies specific cases were such confidentiality requirements are lifted (e.g., during judicial proceedings, when implementing international and cooperation agreements, and in some instances related to the liquidation of a bank). The NBR statute does not mention specific sanctions for failure to comply with such provisions; the code of ethics for supervisory staff (see below) mentions that: “any disclosure of confidential or classified information constitutes misconduct /offence and is sanctioned under applicable law”. Such cases would be reviewed by NBR, including within its overall human resource management framework (i.e., disciplinary actions) and /or reviewed and decided upon by the judiciary. No breach of confidentiality requirements was reported to the assessors by NBR. NBR statute also indicate that: “the employees exercising supervisory tasks are not allowed to take part either in expertise commissions or in any other control actions beyond the tasks and competences granted to them by law” (Article 25). Codes of ethics exist at the level of the Board, NBR and for supervisory staff. The code of ethics for staff with supervisory responsibilities was issued in 2005 and regularly updated (the latest version from October 2015 takes into account general principles implemented at the level of The European System of Central Banks (ESCB) and ECB). This detailed code defines the principles of integrity, independence, objectivity, confidentiality, professional competence which staff need to follow, general principles and prohibitions regarding conflicts of interests (e.g., no supervision of entities where the staff or its close relatives have a financial interest, no direct holdings of bonds or shares in a supervised entity, no gifts - 25 The NBR mentions that there is a fist deputy governor’s counselor, who makes consistency checks of materials which are subject to approval/notice/signature by the first deputy governor. 32 ROMANIA with limited exceptions-, no external activities unless approved by management) and sets rules of conduct applicable to all staff). Board members and staff must submit declarations of interest which facilitates verification of compliance with the provisions of these different codes of ethics. There is no post-employment policy or cooling off period for Board, staff and management. A supervisory staff could thus leave NBR to immediately work for a bank it used to supervise, which could affect the integrity of the supervisory process. NBR indicated to the assessors that no such case occurred in a recent past. EC6 The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: (a) a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; (b) salary scales that allow it to attract and retain qualified staff; (c) the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; (d) a budget and program for the regular training of staff; (e) a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and (f) a travel budget that allows appropriate on-site work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g., supervisory colleges). Description and Supervision is financed out of NBR overall budget approved by its Board, and does not findings re EC6 involve any transfer from the Ministry of finance or revenues collected from the industry. NBR profitability and reserves are large enough to ensure adequate funding of supervisory activities (NBR reported profits of 783 million RON (196 million USD) in 2015 and 125 million RON (31 million) in 2016; capital and reserves totaled 17.8 billion RON -4.5 billion USD- in 2016). The overall cost of supervision is not identified as such in a comprehensive manner, but is appropriately financed. NBR staff working on supervisory issues includes 131 staff in the supervision department (55 percent with off-site and 45 percent with on-site) and 42 staff in the regulation and licensing department at the end of 2016. Senior staff is very experienced (e.g., the director, deputy director and heads of division in the supervision department have all been working in this department for at least 14 years). Staffing levels are primarily assessed based on (i) the needs expressed by each division, reviewed by management and eventually approved by the Board of NBR and (ii) experiences in implementing the work program and new tasks. The current level is considered adequate by NBR to conduct its main responsibilities considering the number and complexity of institutions supervised. Staffing level has been roughly stable in recent 33 ROMANIA years. Some positions are not yet filled, because they were recently approved (e.g., four new positions in the AML /CFT division), because no suitable candidate could be identified or positions only recently became vacant. As several staff retired in 2017, the number of vacant positions recently increased (17 in 2017, 8 in 2016, 8 in 2015, 13 in 2014, and 5 in 2013). NBR implements a rigorous process to hire supervisors. Job offers are publicly advertised and can attract up to a hundred applicant for a position. The hiring process involves a written examination tailored to the specific position, an interview and a psychometric examination. This process is led by the hiring department with the involvement of human resources. Most people are hired after five to six years of professional experience, following this process. Most staff working on banking supervision were hired for this purpose as it is uncommon for NBR staff with different expertise to later move to banking supervision (some internal mobility can take place between the regulation, supervision, resolution and financial stability departments). NBR is viewed as an attractive employer, as indicated for instance by the high level of applications when positions are advertised (although it can face challenges in finding candidates with rare and specific skills, e.g., quantitative or IT banking expertise). NBR compensation system was designed with the support of external consultants and aligned with best practices. A formal review conducted in 2014 concluded that NBR median salary was above the industry average. Salaries are considered higher up to the level of head of division (comparison at that level and above are difficult as positions are not directly comparable). The turnover is low, mostly linked to retirements (confirming inter alia that salary scales allow to retain qualified staff) and does not affect the ability of NBR to perform its tasks. Staff turnover reached a peak of 6.9 percent for the first nine months of 2017, primarily because of retirements (4.7 percent in 2016, 1.9 percent in 2015, 4 percent in 2014, and 0.4 percent in 2013). Resignations are exceptional and generally linked to staff moving to international institutions (e.g., ECB). NBR indicated that no staff working on supervisory issues left NBR to work in a commercial bank in recent years. Training, travel and IT budgets are appropriate to allow NBR to perform its supervisory work, including actively engaging in international cooperation (e.g., colleges of supervisors and EBA working groups). Overall budgets in these areas are approved annually by the Board; within overall envelopes approved by the Board for NBR adjustments can be made during the year where additional needs surface. NBR has the power and overall budget necessary to commission external experts (Article 203 of the banking law allows NBR to use such experts and, for financial auditors, Article 52 of the NBR statute specifically mentions this should comply with confidentiality requirements). However, NBR had not used external experts to perform supervisory activities in recent years (in some cases, it asked banks to hire external experts e.g., to conduct independent reviews of collateral valuation see CP 18). EC7 As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into 34 ROMANIA account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified. Description and The identification of skills required is conducted on an annual basis in the process of staff findings re EC7 performance assessment which is performed by each head of division in the first quarter. General training needs, for all relevant staff, re also identified such as: liquidity requirements, SREP, IFRS 9, Recovery Plans etc. Moreover, the participation to the colleges of supervisors, committees, working groups and tasks force set up at the EBA level and joint on-site visits performed in the context of Review panel assessment also contribute to building skills. EC8 In determining supervisory programs and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. Description and All banks are subject to annual full-scope on-site examinations and close on-going off-site findings re EC8 supervision (see CP 8 and 9). As part of the supervisory review and examination program (SREP), conducted on an annual basis, the risk profile and systemic importance of individual banks and banking groups are assessed. These findings guide the allocation of supervisory resources. EC9 Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. Description and The NBR statute Article 25 mentions that: “the members of the NBR’s Board and the NBR’s findings re EC9 employees charged with prudential supervision tasks shall not be subject to any civil or penal sanctions, as the case may be, if the Court finds that these persons fulfilled or failed to fulfill, in good faith and with due care, any action or fact related to the discharge, by law, of prudential supervision tasks. “The costs associated with the judicial proceedings instituted against [these] persons […] shall be borne by the N BR.” These provisions were effectively applied in cases when NBR and its staff were sued by banks, their shareholders, directors or senior management. There is however no legal provision protecting the NBR against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. Assessment of Materially Noncompliant Principle 2 Comments NBR, as a supervisory authority, possesses stable governance arrangements (including a Governor and first deputy Governor which were respectively appointed for the first time in 1990 and 2004) and effective operational independence, facilitated by adequate funding provided out of incomes it generates. It could publicly voice its concerns regarding parliamentary of government initiatives which may affect banking safety and soundness when it considered it necessary, and to consistently supervise all banks, irrespective of their ownership structure, including taking corrective actions when necessary. However, to strengthen arrangements to protect the independence of NBR, the Parliamentary subcommittees responsible for the appointment of NBR board members shall publish rigorous fit and proper criteria and the central bank statute shall be revised 35 ROMANIA so that the Minister of Public Finance (and its State secretary) may not participate to NBR board meetings. It should also be required that the reason(s) for removal of a board member are disclosed. The NBR as an institution should, in addition to its board members and staff, also be protected against lawsuits for actions taken and/or omissions made while discharging its duties in good faith. With respect to internal governance of NBR, the decision to approve sanctions or orders is the sole responsibility of the first deputy governor; there is no internal guidance available to assist the first deputy governor in determining adequate decisions. NBR dedicates generous resources to supervision, in terms of staff, equipment and other variable costs. There is also appropriate flexibility in the allocation of these resources to allow NBR to respond to emerging priorities. The number of vacant positions increased significantly in 2017, largely due to retirements. Although this did not hamper effective supervision, NBR should fill these positions as soon as possible and, going forward, ensure recruitment processes can be completed ahead of planned retirements. NBR adopted detailed arrangements to prevent and manage conflicts of interests at all levels. These should be complemented by a post-employment or cooling-off policy to ensure effective rules govern situations where a staff or Board member intends to take a position in a bank supervised by NBR; effective monitoring and possible sanctions should be associated to this regime. While the assessors were informed that no NBR staff or Board member took a senior position in a bank supervised by NBR in recent years, such situations could happen and should be addressed. Principle 3 Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.26 Essential criteria EC1 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. Description and The banking law Article 218–1 and the statutes of the central bank Article 3 authorize NBR findings re EC1 to exchange information with other domestic authorities responsible for the safety and soundness of the financial system, other financial institutions and financial stability (including deposit insurance, reorganization, resolution and liquidation). Cooperation is also explicitly contemplated with external auditors (see CP 29 for aspects related to cooperation related to anti-money laundering and combating terrorism, AML /CFT). Moreover, internal arrangements facilitate close cooperation within NBR between the supervisory function and other relevant functions (financial stability, resolution, etc.). 26 Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29). 36 ROMANIA On microprudential supervision The banking law requires NBR and the Financial supervision authority (ASF), which is the integrated authority responsible for the insurance, securities and pension sectors since 2013, to enter written cooperation arrangements Article 189 of the banking law). An MOU was last updated in 2007. Three banks are listed, including the largest domestic bank (13.2 percent of assets at end 2016). NBR mentioned that nonbanking activities (including some under NBR supervision such as leasing) remain relatively limited in size (<10 percent of consolidated assets), even if several banks have small insurance and securities subsidiaries. No bank is controlled by an insurance or securities firm. The banking law requires that “for the exercise of their supervisory tasks on an individual and/or on a consolidated basis [… NBR and the ASF] shall provide on request all relevant information and on their own initiative all essential information” (Article 190). The banking law further requires, where applicable, consultations prior to taking a “decision of importance” affecting a bank or a financial investment company Article 191–1) and sharing of any information “likely to simplify their task and to allow supervision of the activity and overall financial situation of the undertakings they supervise” where a bank (or a related holding company) controls one or more subsidiaries that are insurance companies or other undertakings provided investment services Article 202–1). A working procedure was issued in 2012 for the exchange of information among the Romanian financial supervisory authorities (NBR and ASF) with respect to the supervised entities within financial groups. It focuses on information relevant to financial soundness (including changes in the structure of the financial group, developments that may significantly affect other entities of the group in terms of capitalization, liquidity, profitability, asset quality etc., sanctions and exceptional measures taken by authorities, conclusions of controls). In addition to exchanges on macroprudential issues which take place in the context of the National Macrofinancial Overnight Committee on systemic risk and financial stability issues, exchanges between NBR and the ASF are primarily written and related to the authorization and modification of the situation of institutions supervised by the two authorities (and related persons who require approval by NBR or the ASF). On-site examinations processes are not coordinated, not have joint or coordinated inspections ever taken place. Technical meetings between NBR and ASF staff tasked with supervisory responsibilities are exceptional. However, there are no regular meetings between the NBR and ASF (i) to discuss the situation and risk profiles of individual institutions active in banking and another sector supervised by the ASF of issues of common interests (e.g., on governance -where a code for listed companies exist-, disclosure requirements or financial reporting) and (ii) coordinate (or agree on joint) supervisory actions, including on-site examination. Considering some banks are listed, many have financial groups and areas of common interest (including governance, financial reporting, disclosure etc.) exist, such regular meetings would be beneficial (both for NBR and the ASF) (See CP8). On financial stability 37 ROMANIA An MOU was signed between NBR, the Ministry of Finance, and authorities later integrated into the ASF (Securities Commission, Insurance Supervisory Commission and Private Pension Scheme Supervisory Commission) in July 2007 creating the National Committee for Financial Stability to ensure the exchange of information between the authorities, and prevent, appraise and manage possible difficulties having a systemic impact. The Law 12/2017 (17 March 2017) on the macroprudential oversight of the national financial system created the National Committee for Macroprudential Oversight (NCMO) replacing the National Committee for Financial Stability. The NCMO is comprised of NBR (three board members), the ASF (three Board members) and the Government /Ministry of Finance (three Board members). It is an inter-institutional structure, without legal personality, responsible for coordinating the macroprudential oversight at national level by setting the macroprudential policy and the appropriate instruments for its implementation. It is mainly responsible Article 3 of Law 12/2017) for (i) identifying, collecting and analyzing information related to its objective; (ii) identifying, monitoring and assessing systemic risk and) identifying systemically important financial institutions and financial system structures; (iii) preparing a strategy on macroprudential policy; (iv) issuing recommendations and warnings in order to prevent or mitigate systemic risks (and monitor implementation); (v) setting and monitoring the intermediate objectives and instruments of macroprudential policy; (vi) issuing recommendations; and (vii) also be responsible for the coordination of financial crisis management. The NCMO is both (i) entitled to request all relevant data and information necessary for achieving its fundamental objective from NBR, ASF, other authorities and institutions, (if the appropriate arrangements are in place to ensure confidentiality) and (ii) required to provide the MOPF, NBR and the ASF with the relevant information necessary to fulfil their tasks. The NCMO issued five recommendations in 2017 (as of November), including setting up working groups on households’ indebtedness and firms’ financial soundness with NBR and the Ministry of Public Finance /National Agency for Fiscal Administration leading such working groups. It is unclear whether any initiative led by a member of the NCMO, as well as other relevant initiatives (i.e., from Parliament), which could have an impact on bank safety and soundness needs to be reviewed in the context of the NCMO (e.g., it was unclear whether the NCMO discussed the proposed reduction in the tax deductibility of provisions on nonperforming loans as they are sold to a third party). It would be advisable that where a public initiative that can affect bank soundness is led by a member of the NCMO, the opinion of the NBR be systematically sought. The Bank Resolution Law No. 312/2015 also has relevant provisions (Article 4, Article 6, Articles 469–472) regarding exchange of information, cooperation and coordination of authorities, for similar purposes. An MOU was also signed between the NBR and the Bank Deposit Guarantee Fund in April 2012 (and amended in 2016 and 2017). EC2 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign 38 ROMANIA supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. Description and The banking law Articles 215 and NBR statutes Article 3 authorize NBR to cooperate with findings re EC2 relevant foreign supervisors, including EU and third country supervisors, the European Systemic Risk Board and the European Banking Authority (EBA). Article 222 also allows the NBR to share information “for the purposes of achieving their tasks “with central banks of the European System of Central Banks, institutional protection schemes, other public authorities responsible for overseeing payment systems, European Systemic Risk Board, the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). The European Central Bank (ECB) /Single Supervision Mechanism (SSM), has been the home supervisor of banking groups which subsidiaries and branches have a combined market share of 72 percent of banking assets in Romania (end 2016) since 2014. NBR actively cooperates with the ECB /SSM, even if an MOU is still to be signed (a draft written coordination agreement on supervisory colleges was submitted by the ECB /SSM for comments in 2017). While this process is ongoing, it was agreed that the provisions of MOUs signed before 2014 with the previous home supervisors would be implemented (NBR signed such MOUs with supervisors including Austria, Cyprus, France, Germany, Greece, Hungary, Italy, Spain, Portugal, and the Netherlands). The provisions of multilateral cooperation and coordination agreements governing supervisory colleges of supervisors (based on the 2009 EBA template for a multilateral cooperation and coordination agreement on the supervision of group) also continue to be implemented until a new framework recognizing the responsibilities of the ECB /SSM is established. NBR is a member of 15 supervisory colleges covering the main EU banking groups active in Romania (see CP 13 on the role of such colleges in the supervisory process). EU regulation 1093 /2010 establishing the European banking authority (EBA) defines areas where information can or shall be shared between EU domestic supervisors (including Romania) and the EBA, mechanisms to implement this as well as the applicable confidentiality regime. NBR concluded cooperation agreements with competent authorities of third countries (Republic of Moldova -where Romanian banks have subsidiaries-, Turkey, Lebanon). According to NBR, the lack of MOU with Israel has not impeded collaboration where needed (in particular at the time of authorizing key persons). The subsidiary of an Israel bank (with a market share of 0.3 percent of assets at the end of 2016) is the only one from a country not belonging to the EU. EC3 The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. Description and Articles 215, 217, and 218 of the banking law allow NBR to provide confidential findings re EC3 information to domestic, EU and third country authorities as long as they are subject to “professional secrecy” requirements similar to those applicable to NBR (as defined in 39 ROMANIA Article 214 of the banking law). In practice, cooperation almost exclusively takes place with domestic and EU counterparts. Confidentiality requirements in other EU member states are considered equivalent to the Romanian regime as the CRD IV imposes that each country introduce such requirements in its domestic legal order (Article 53 of CRD IV). MOU signed with EU competent authorities can also include specific requirements on confidentiality (e.g., the MOU with the Bank of Italy mentions that: “compliance with the obligation of professional secrecy by all employees who receive confidential information from the other Authority in the course of their activities is a necessary condition for a successful co-operation between the Authorities. The Authorities agree that any confidential information shared through these arrangements will be used only for lawful supervisory purposes. To the extent permitted by law, the Authorities will maintain the confidentiality of all information received through these arrangements and will not disclose any such information unless it is necessary for carrying out their supervisory responsibilities and after having obtained the prior consent of the other authority.”) For third-country supervisory authorities, as none of the authorities NBR cooperate with has been considered by the EBA as having an equivalent confidentiality regimes for participation in supervisory colleges, NBR performed its own assessment of equivalence of regime for cooperation and was satisfied its requirements were met (such cooperation takes place outside the framework of supervisory colleges). NBR did not report any case where the lack of adequate “professional secrecy” requirements prevented it f rom exchanging information with relevant authorities. The banking law also requires that information provided by NBR is used for supervisory purposes only in the case of third country authorities, Article 217 and bodies involved in the liquidation and bankruptcy of banks, contractual or institutional protection schemes (as defined in Article 113–7 of the CRR) and bodies overseeing financial auditors Article 219. EC4 The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and can deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. If the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. Description and The banking law Article 216 requires NBR to use confidential information received from findings re EC4 other supervisors for bank-specific or system-wide supervisory purposes only. 40 ROMANIA • Article 216: “The National Bank of Romania may use the information received under Article 214 and Article 215 only in the performance of its supervisory tasks and only for the following purposes: (a) to check that the conditions governing the taking-up of the business of credit institutions are met and to facilitate monitoring, on an individual and/or consolidated basis, of the conduct of such business, especially with regard to the monitoring of liquidity, solvency, large exposures, and administrative and accounting procedures and internal control mechanisms; (b) to impose penalties; (c) in the appeal against a decision of the National Bank of Romania; and (d) in court proceedings initiated pursuant to Article 275 paragraph 2 or to the provisions laid down in other law applicable to credit institutions.” The supervisor does not disclose confidential information received to third parties without the permission of the EU supervisor providing the information. If the supervisor is legally compelled to disclose confidential information it has received from another EU supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. • Article 219–2: “where the information received by the National Bank of Romania originates in another Member State, it shall not be disclosed […] without the express agreement of the competent authorities which have disclosed it, and where appropriate, solely for the purposes for which those authorities gave their agreement.” There is no such explicit provision in the banking law or applicable regulations in the case of information received from authorities located outside the EU (i.e., no disclosure without the permission of the originating supervisor and, when disclosure is legally required, prompt information of the originating supervisor). NBR indicates that these aspects were covered in MOUs, as applicable. EC5 Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. Description and Per Law 312/2015 on bank recovery and resolution, NBR is the resolution authority for findings re EC5 banks. The resolution function at NBR is operationally independent, structurally separated from and subject to separate reporting/subordination lines from the banks’ supervisory function, as well as from the other central bank functions. The resolution and supervisory structures collaborate following the NBR internal procedure regarding the information, the frequency and way the information are transmitted between the Bank Resolution Department (resolution structure) and the Supervision Department (supervisory structure) in the context of recovery and resolution. Recovery According to the provisions of Law 312/2015 on bank recovery and resolution: 41 ROMANIA • Each bank (which is not part of a group subject to consolidated supervision) shall draw up and maintain a recovery plan providing for measures to be taken by the entity to restore its financial position following a significant deterioration of its financial situation (in cases of subsidiaries and significant branches of EU banking groups, NBR shall review the plan submitted by the consolidating supervisor); • The supervisory structure provides the recovery plan to the resolution structure; • The resolution function examines the recovery plan with a view to identifying any actions in the recovery plan which may adversely impact the resolvability of the credit institution and make recommendations to the supervisory structure about those matters; • The supervisory structure shall transmit the group recovery plan to the resolution structure. • Based on this legal framework, all banks prepared and sent to NBR (or through consolidating supervisors) their recovery plans at individual or at the group level. The recovery plans received were assessed by the staff from the off-site supervision (and during the on-site inspections). • Recovery plans received by the competent authority from credit institution or from the consolidating supervisor (in case of banking groups for which National Bank of Romania acting as a host authority) are sent by Supervision Department to the Resolution Department to be assessed. The result of the assessment performed by the resolution authority is communicated to the Supervision Department. Resolution According to Law 312/2015 on bank recovery and resolution: • NBR, as a resolution authority, shall draw up a resolution plan for each bank, Romanian legal entity (as an individual /group-level resolution authority for the banks under its remit or as a resolution authority at an individual level of a subsidiary, shall draw up, together with the group level resolution authority and the other resolution authorities of subsidiaries involved, group resolution plans); • The resolution structure shall draw up the resolution plan after consulting the supervisory structure; • The supervisory structure shall promptly communicate to the resolution structure any change that necessitates such a revision or update of the plans; • The supervisory structure shall transmit available information relevant to the preparation of a resolution plan to the resolution structure. According to the Article 180(1) of the Law No. 312/2015 (transposing Article 32(1) of the BRRD), the NBR, as a resolution authority, shall take a resolution action in relation to a credit institution only if it considers that all of the following conditions are met: • The NBR, as a competent authority, shall determine that the credit institution is failing or is likely to fail. For this purpose, the supervisory structure shall consult the resolution structure; • Having regard to timing and other relevant circumstances, there is no reasonable prospect according to which failure could be prevented within a reasonable 42 ROMANIA timeframe, by any alternative private sector measures, including measures by an institutional protection scheme, or supervisory action, including early intervention measures or the write-down or conversion of relevant capital instruments in accordance with Article 359 taken in respect of the credit institution concerned; • A resolution action is necessary in the public interest pursuant to Article 182. For 2016, NBR, as a resolution authority, participated in drafting, or where applicable, drafted resolution plans for: • Fourteen credit institutions that are subsidiaries of cross –border groups, subject to consolidated supervision, within the resolution colleges established by the SRB/other group level resolution authorities (63 percent of the banking assets at end 2016). • Eight credit institutions that do not belong to cross–border groups, under the NBR’s remit (23 percent of banking assets at end 2016) More broadly, the supervisory structure shall notify the resolution structure without delay upon determining that a bank infringes or is likely in the near future to infringe key prudential requirements Article 150 of the recovery and resolution law. Moreover, the supervisory structure shall consult the resolution structure ahead of NBR determining that a bank is “is failing or likely to fail”, which shall trigger resolution (if all conditions referred to in Article 180–1 are fulfilled). Assessment of Largely Compliant Principle 3 Comments Arrangements are in place to facilitate and ensure cooperation with relevant domestic and foreign authorities. There is intense cooperation among EU authorities to jointly supervise EU banking groups, which entities have a combined market share of 76 percent of banking assets in Romania (see CP 13). Cooperation among domestic authorities is organized, including with the ASF which regulates insurance and capital market activities and, for macroprudential matters, within the National committee for macroprudential oversight set up in 2017. However, there are no regular meetings between the NBR and ASF (i) to discuss the situation and risk profiles of individual institutions active in banking and another sector supervised by the ASF of issues of common interests (e.g., on governance -where a code for listed companies exist-, disclosure requirements or financial reporting) and (ii) coordinate (or agree on joint) supervisory actions, including on-site examination. Considering some banks are listed, many have financial groups and areas of common interest (including governance, financial reporting, disclosure etc.) exist, such regular meetings would be beneficial (both for NBR and the ASF). Following the adoption of law 312/2015 on bank recovery and resolution, detailed processes are implemented to ensure effective coordination between NBR supervisory and resolution functions to undertake recovery and resolution planning and actions. These 43 ROMANIA arrangements have been effectively implemented in 2016 and 2017 as recovery and resolution plans were prepared. Explicit provisions could be added in the banking law regarding the treatment of information received from authorities located outside the EU (i.e., no disclosure without the permission of the originating supervisor and, when disclosure is legally required, prompt information of the originating supervisor). This would ensure strengthen existing practices where such issues are covered in MOUs. Principle 4 Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. Essential criteria EC1 The term “bank” is clearly defined in laws or regulations. Description and Article 7–1 of the banking law defines banking activity as the taking of deposits or other findings re EC1 repayable funds from the public and granting of credits for its own account. EC2 The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. Description and Article 18–1 defines the activities which “credit institutions” can perform: findings re EC2 • Acceptance of deposits and other repayable funds; • Lending including, inter alia: consumer credit, mortgage credit, factoring with or without recourse, financing of commercial transactions, including forfeiting; • Financial leasing; • Payment services; • Issuing and administering other means of payment such as travelers’ checks and bankers' drafts; • Issuing guarantees and commitments; • Trading for own account or for account of customers in money market instruments (incl. checks, bills, promissory notes, certificates of deposit), foreign currency, financial futures and options, instruments on foreign exchange and interest rate, transferable securities and other financial instruments; • Participation in securities issues and other financial instruments by underwriting and selling them or by selling them and providing ancillary services; • Advice on capital structure, business strategy and other related issues, advice and other services relating to mergers and purchase of undertakings as well as other advice services; • Portfolio management and advice; • Safekeeping and administration of financial instruments; • Intermediation on the inter-bank market; • Credit reference services related to provision of data; • Safe custody services; • Issuing of electronic money; • Operations with precious metals, gems and objects thereof; • Acquiring of participations in the capital of other entities; 44 ROMANIA Any other activities or services in the financial field, abiding by the special laws regulating those activities, where appropriate. EC3 The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. Description and Article 6 of the banking law prohibits “any person, other than an authorized credit findings re EC3 institution […] from using the name “bank” or “credit co-operative organization”, “credit co- operative”, “central body of credit co-operatives”, “cooperative bank”, “cooperative central bank”, “mortgage bank/mortgage loan bank”, “savings bank for housing”, or derivatives or translations of these names, in connection with an activity, a product or a service.” It allows the following exceptions: “where this use is imposed or acknowledged by law or by an international agreement, or when, from the context in which the respective name is used, it follows undoubtedly the fact that no banking activity is being pursued.” EC4 The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.27 Description and Article 5 of the banking law prohibits “any natural person, legal person or entity without findings re EC4 legal personality which is not an authorized credit institution […] from carrying on the business of taking deposits or other repayable funds from the public, or the business of raising and/or managing amounts from the contributions of the members of an association with a view to saving and lending in a collective system to purchase goods and/or services by its members.” The following exceptions to the prohibition for unlicensed persons to take deposits are allowed: (i) EU member state or EU member state's regional or local authorities; (ii) public international bodies of which one or more EU member States are members; and (iii) in cases expressly provided by the Romanian legislation or EU law provided that those activities are subject to regulations and controls relating to such cases, intended to protect depositors and investors.” NBR indicated that no institution fell in this category (iii) in Romania. The law on nonbank financial institutions (NBFI) also explicitly prohibits these from taking deposits. Small credit unions and a post office exist in Romania but are not allowed to take deposits (i.e., credit unions can only offer services to their members, contributions members make are used to fund loans to members, people lose their quality of member if they withdraw their contributions). According to NBR, there has not been any recent case of illegal provision of banking activities. EC5 The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. Description and Article 417 of the banking laws requires that “the credit institutions which perform their findings re EC5 activity in Romania […], including the branches of the credit institutions from other 27 The Committee recognizes the presence in some countries of nonbanking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system. 45 ROMANIA Member States and from third countries, shall be registered by the National Bank of Romania in the register of credit institutions which shall be available to all those interested.” NBR publishes on its website an updated list of all credit institutions incorporated in Romania (by category), authorized branches as well as other EU banks authorized to provide financial services in Romania. Assessment of Compliant Principle 4 Comments Only licensed credit institutions are allowed to provide banking services. Principle 5 Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)28 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. Essential criteria EC1 The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. Description and NBR has exclusive competence for granting and withdrawing the license of the following findings re EC1 institutions: • Banks incorporated in Romania. As of October 2017, 25 banks had a full license and two were housing banks; • Branches of banks of countries located outside the European union Article 67–1 of the banking law). As of October 2017, no branch from a third country was licensed (and no such request was ongoing); • Credit cooperatives. As of October 2017, there was one credit cooperative central body licensed (as a bank) and 41 individual credit cooperatives. Aggregated assets of the credit cooperative central body and 41 individual credit cooperatives represent 0.3 percent of banking assets. 28 This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction. 46 ROMANIA As part of the EU passporting regime, banking services, including deposit taking, may also be offered in Romania by banks licensed and supervised in another EU country, without the prior approval of NBR. Such services are either be offered through a branch established in Romania or directly by the head office located in another EU country. In both cases, NBR must receive a notification by the home supervisor: • In the case of the establishment of a branch (Article 48 of the banking law), NBR has up to two months to communicate to the EU bank the list of nonprudential requirements applicable to the branch, including in the area of AML /CFT (i.e., “legal acts issued in the interest of general good, stipulating the particular conditions under which certain activities may be carried on”). NBR cannot impose specific prudential requirements to the branch, nor conduct supervision on aspects other than nonprudential areas; • An EU bank can use the freedom to provide financial services across the EU as soon as NBR received the notification from its home supervisor (Article 49 of the banking law). NBR cannot impose specific prudential requirements or conduct supervision. This EU framework exists across the EU and is established on the premise that licensing, regulatory, supervisory and resolutions arrangements are harmonized and consistently applied across EU countries. As of October 2017, 10 branches of EU banks were registered by NBR (some of which were no more active as their head-office was resolved) and 308 institutions had notified NBR of their intention to provide financial services in Romania (without having a physical presence). Branches of EU banks represent 10 percent of assets in Romania, with the largest holding two thirds of these (see CP 13 on home-host arrangements in the EU and NBR participation to the college of supervisor of the bank with the largest branch). In the rest of this CP, references made to banks do not, unless otherwise indicated, include branches of EU banks or EU banks using the freedom to provide financial services in Romania. EC2 Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. Description and The banking law empowers NBR to set criteria for licensing banks Article 10–2; this regime findings re EC2 is largely harmonized at the EU level (see CRD IV and EBA 2012 guidelines on the assessment of the suitability of members of the management body and key function holders). NBR issued in 2007 Regulation 11 on the authorization of credit institutions, Romanian legal entities, and branches in Romania of third-country credit institutions which defines its licensing requirements. The EBA published in July 2017 draft regulatory technical standards (RTS) on the information applicants and draft implementing technical standards 47 ROMANIA (ITS) related to the templates to be used, which once issued by the EU Commission will replace relevant provisions of Regulation 11. NBR can reject an application if licensing criteria are not fulfilled or if the information provided is inadequate Article 38–1 of the banking law. It can also withdraw a license if a license was granted based on false information Article 39 of the banking law. EC3 The criteria for issuing licenses are consistent with those applied in ongoing supervision. Description and The criteria for issuing licenses are defined by the banking law -as regularly updated- and findings re EC3 regulation 11 -issued in 2007 and amended in 2009 and 2011-. They are consistent with key criteria applied for ongoing supervision. The last time a bank was licensed by NBR was in 2009 and no new license application was received recently. Should a new application be received, considering significant evolutions in supervisory expectations and practices since 2009, it would be important to closely involve staff from the supervision department in the review of the application to ensure it is in line with current supervisory practices. EC4 The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.29 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. Description and Laws and regulations require NBR to ensure the proposed legal, managerial, operational findings re EC4 and ownership structures of the bank and its wider group will not hinder effective supervision: • Article 15–2 of the banking Law: “Where close links exist between the credit institution, a Romanian legal entity, and other natural or legal persons, the National Bank of Romania shall grant authorization only if those links do not prevent the effective exercise of its supervisory functions. In this respect, it should also consider situations in which the laws, regulations or administrative measures of a third country governing one or more natural or legal persons with which the credit institution has close links, or difficulties involved in the application of those laws, regulations or administrative measures preventing the effective exercise of its supervisory functions.” • Article 18(19) of Regulation 11: “(1) Assessing the suitability of th e significant shareholder also considers whether the bank will be able to comply with the prudential requirements […] and, in particular, whether the group of which he is part of, has a structure that allows the exercise of effective supervision […] (3) Th e assessment of issues related to exercise effective supervision envisages that National Bank of Romania should not be impeded to fulfill its supervisory tasks by the bank’s close links with other natural or legal persons or by laws, regulations or administrative measures in another state governing the natural or legal person which is closely linked to the bank, or by difficulties in implementing these laws, regulations or administrative measures. 29 Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003.) 48 ROMANIA • Article 18(20) of Regulation 11: “Both the bank and the group shall have a clear and transparent governance and management framework and a suitable organization, including effective internal control and independent control functions (risk management, compliance and internal audit). NBR mentioned that it paid attention to transparency and the lack of impediment to effective supervision when it reviewed several license applications in the 1990s and early 2000s. Banks licensed in Romania have transparent ownership structures and NBR did not face any impediment to effective supervision. EC5 The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. Description and Identification of major shareholders including beneficial owners findings re EC5 The banking law, transposing relevant provisions of the CRD IV, establishes information requirements which aim at allowing NBR to identify the bank’s major shareholders and others that may exert significant influence. Article 15–1 requires that: • NBR is “informed on the identities of the shareholders or members, natural or legal persons, that are going to have, directly or indirectly, qualifying holdings in that credit institution, and on the amounts of those holdings”. The CRR defines a qualifying holding as “a direct or indirect holding in an undertaking which represents 10 percent or more of the capital or of the voting rights or which makes it possible to exercise a significant influence over the management of that undertaking” • “Where there are no qualifying holdings, th e National Bank of Romania shall be informed on the identity of the 20 largest shareholders or members and on the amounts of their holdings.” The questionnaire in Annex 2 of Regulation 11 which any of the major shareholders (as defined by Article 15–1 of the banking law) need to fill includes a requirement to communicate the identity of all persons who are real beneficiaries of the legal entity and defines “real beneficiaries are individuals who finally own or control the stockholder, as well as persons on account of which the participation is acquired . It includes also persons exercising ultimately effective control over the stockholder, that is a legal person or a legal arrangement (such as a trust)”. This definition adequately places the emphasis on the natural person(s) who have ultimate ownership or control (and the banking law explicitly indicates that any license granted based on false information can be revoked by NBR). Suitability of major shareholders The banking law Article 15–1 indicates that NBR “shall only grant authorization if, taking into account the need to make sure the sound and prudent management of the credit institution, it is satisfied as to the suitability of those persons.” Regulation 11 provides additional details regarding the assessment of suitability. 49 ROMANIA Transparency of the ownership structure Article. 1820 of Regulation 11 requires that: “both the bank and the group shall have a clear and transparent governance and management framework and a suitable organization” and Article 1819 defines a group as the group members, including parent undertakings and subsidiaries. More broadly, the transparency of the ownership structure would be reviewed by NBR as it assesses the suitability of the shareholders (including ultimate beneficial owners). Source of funds There are direct requirements regarding the sources of funds. Article 1824 requires that “the funds used for participation in the capital shall originate from legitimate sources and funding mechanism shall be transparent. In this regard, it will demonstrate at least that these funds are transferred through credit institutions or financial institutions subject to supervision by competent authorities of Member States or third countries considered to have equivalent systems to those in the European Union to fight against money laundering and terrorist financing.” Ability of shareholders to provide additional financial support Article. 1821 specifically addresses the ability of shareholders to provide additional financial support: NBR “will take into account whether the significant shareholder will be able to: (a) provide the bank with financial support which it may need for the proposed activity, (b) provide the bank with capital which it may need for the further development of the business, (c) implement any appropriate solution to adjust future needs of the bank's own funds.” EC6 A minimum initial capital amount is stipulated for all banks. Description and The banking law Articles 11, 70, and 345 and NBR Regulation 5/2013 Article 249 set a findings re EC6 minimum capital amount for different categories of banks: • 37 million RON (9.25 million USD) for a bank licensed in Romania or a branch of a third country (unless it is only authorize to perform activities of mortgage bank or building societies); • 25 million RON (6.125 million USD) for a mortgage bank or a building society (or a branch of a third country bank authorized only to doncut such activities) licensed in Romania; • Equivalent in RON of 10 million EUR (9 million USD) for the entire network of credit cooperatives including at least the eqiivaent in RON of 5 million EUR (4.2 million USD) for the central body of credit cooperatives and 300,000 RON (75.000 USD) for each individual credit cooperative. Branches of EU banks are exempt from such requirements (he parent needs to meet such requirements in its home jurisdiction). EC7 The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank and (ii) no record of criminal activities or adverse regulatory judgments that make a person 50 ROMANIA unfit to uphold important positions in a bank.30 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. Description and For banks incorporated in Romania, NBR needs to approve the bank’s proposed Board findings re EC7 members and senior management as to expertise and integrity (fit and proper test) at authorization and on an ongoing basis. The banking law requires each of the members of the Board, members of senior management, “as well as the person s appointed to conduct the business regarding the management and control of risks, internal audit, judicial, conformity, treasury, lending activity, as well as any other activities which may expose the credit institution to significant risks” Article 108 shall be at any time of “good reputation, knowledge, skills and have sufficient experience to match the nature, size and complexity of the business of the credit institution and of the entrusted responsibilities and shall conduct the activity according to a sound and prudent banking practice”. The fit and proper criteria include: • Skills and experience in relevant financial operations commensurate with the intended activities of the bank; • No record of criminal activities or adverse regulatory judgments, in Romania and abroad, that make a person unfit to uphold important positions in a bank. Regulation 11 (Article 17) requires, in particular, NBR to review, at least over the last ten years: o whether a person has been in conflict with a supervisory authority, sanctioned, denied approval or “have been in other situation which, given its relevant aspects, might have negative effects on the image of the bank”, o if an institution where the person assumed Board or senior management responsibilities (or a significant shareholding) were sanctioned, denied or withdrawn an authorization or faced a material deterioration of its prudential situation, o whether the person has been subject to criminal or administrative proceedings. Article 109 of the banking law gives broad power to NBR to appreciate whether these requirements are met (NBR has “the power to analyze to what extent the minimum requirements of this emergency ordinance and of the regulations issued for its application are observed, to assess all circumstances and information regarding the activity, reputation, moral integrity and background of each person mentioned under Article. 108 and to decide whether the respective person fulfils the requirements laid down both at the individual and joint level.”) The requirement for NBR to determine whether the bank’s board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks 30 Please refer to Principle 14, Essential Criterion 8. 51 ROMANIA are covered in Article 108–4 of the banking law. The NBR also indicated these aspects were addressed during the reviews and interviews of individual Board members. The NBR last licensed a bank in 2009, but NBR implements a thorough review as it assesses the merits of new Board member or senior management as part of its ongoing supervision. (see CP 14 for the details regarding this process). For branches of third country, at least two persons shall be responsible for the management of the branch, shall be empowered to legally engage the credit institution in Romania, shall enjoy sufficiently good reputation and expertise to discharge the assigned duties and should be subject to a similar approval process as that described for locally incorporated banks Article 71 of the Banking Law. There was no branch of a third country (or ongoing application) at the time of the BCP assessment. EC8 The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank. 31 Description and The Banking Law Article 17 requires NBR: (i) to review the proposed strategic and findings re EC8 operating plans of the bank (respectively referred to as the program of operations linked to intended objectives and the structural organization) and (ii) to ensure the operating structure is consistent with the type, size, and complexity of the envisaged activities. • Article 17: “any authorization application of a credit institution shall be accompanied by a program of operations setting out at least the types of business envisaged and the structural organization of the credit institution. The program of operation should demonstrate the credit institution’s ability to achieve its intended objectives in a way consistent with the rules of a prudent and sound banking practice, by means of adjusting its management structure, procedures, internal mechanisms and capital structure to the type, size and complexity of the envisaged activities.” Regulation 11 Article 23 defines minimum information that the proposed plan of activity should cover. These includes: • the formal framework for the administration of the bank activity, including the draft of the organization structure of the bank, the assignment of tasks for each department/responsibility center of the bank and the relations between them (information flows), the tasks of the branches and other secondary offices of the bank, the tasks of the specialized committees of the bank, the responsibilities of the administration and/or management bodies of the bank (Board of Directors, managers, the supervisory council and the directorate), of the persons charged with the management of bank departments, branches and other secondary offices and of other employees performing transactions in the name and account of the 31 Please refer to Principle 29. 52 ROMANIA bank. Where appropriate, it will be presented also the position of the credit institution within the belonging group, in terms of management structures and lines; • the outsourcing policies, the activities to be outsourced and the types of entities (inside or outside the group) to which the activities are outsourced in the first three years of activity • The description of “know your customers” policies . Expectations and information requirements related to the detection and the prevention of criminal activities could usefully be described in more details. EC9 The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. Description and NBR reviews pro forma financial statements and projections of the proposed bank, findings re EC9 including. Applicants have to provide a plan of activity Article 23 of Regulation 11 covers estimated financial statements for the first three years of activity, based on applicable IFRS requirements on a solo or consolidated basis, as applicable, and accompanied by a report from a financial auditor prepared according to international standards on auditing. EC10 In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. Description and EU banks findings re EC10 Where an EU bank applies for a license to set-up a bank in Romania, the banking law Article 37 stipulates that NBR shall consult the competent EU home supervisor if the Romanian bank would be a subsidiary of the bank located in this other EU country (or of the parent of the latter) or would be controlled by the same persons. Where an EU bank intends to set-up a branch in Romania, the license is issued by the home supervisor and takes effect after NBR communicates the list of applicable nonprudential requirements to the branch (the notification initially issued by the home supervisor ensures it does not have objections). Banks from a third country Where a bank from a third country applies for a license to set-up a subsidiary in Romania, there is a clear, if indirect, requirement to assess whether the home supervisor practices consolidated supervision, indirect requirement to contact the home supervisor (see EC 7) and no requirements that it does not object to the proposed acquisition: • The banking law indirectly requires NBR to assess whether consolidated supervision equivalent to that implemented in Romania is practiced in the third country, as it requires that it otherwise consider applying “other appropriate supervisory techniques in order to achieve the objectives of supervision on a consolidated basis of credit institutions” (Articles 206 and 207). 53 ROMANIA • Article 1813 of Regulation 11 indicates that : “the assessment of reputation requirements may be facilitated by cooperation with the competent supervisory authority from the third country whose regulations on reputation requirements are considered equivalent if: (a) the significant shareholder is a natural or legal person, already considered to have a good reputation as a significant shareholder of an entity regulated and supervised by a supervisory authority in a third country; (b) the significant shareholder is a natural person who provides the management and/or administration of an entity regulated and supervised by a supervisory authority in a third country; and (c) the significant shareholder is an entity regulated and supervised by a supervisory authority in a third country.” Where a bank from a third country applies for a license to set-up a branch, the banking law (Article 67–1) requires NBR to establish that the home supervisor “does not oppose the establishment of a branch in Romania”. EC11 The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. Description and The annual on-site full scope inspection (and SREP process) allow close monitoring of findings re EC11 newly licensed banks. Concerning nonprudential topics where NBR is competent, on-site examinations of branches of EU banks are conducted (see CP 8 and 9). Assessment of Compliant Principle 5 Comments NBR has exclusive competence for granting and withdrawing the license of banks incorporated in Romania, branches of banks located outside the EU, and credit cooperatives. NBR has the power to set licensing criteria, within the framework of the CRD IV and the banking law, and has done so by issuing and updating two regulations (6 and 11). These regulations cover inter alia the assessment of the ownership structure and governance of the bank and its wider group as well as its strategic, operating and financial plans. The licensing process is led by NBR licensing and regulation department. NBR last licensed a bank incorporated in Romania in 2009 and no new application was received recently. No branch of a third country is licensed in Romania, nor have any application been received for this purpose. Should a new application be received, and considering significant evolutions in supervisory expectations and practices since 2009, it would be important to closely involve staff from the supervision department (and, where applicable, from the resolution department) in the review of such application. A few aspects could be clarified or covered in more details in the regulatory framework regarding: (i) in the case of shareholders with banking interests in a third country, requirement for NBR to contact the home supervisor and ensure it does not have objection and (ii) expectations and information requirements related to the detection and the prevention of criminal activities could usefully be described in more details. Banking services, including deposit taking, may also be offered in Romania by banks licensed and supervised in another EU country, without the prior approval of NBR. Such services are either offered through a branch established in Romania or directly by the head 54 ROMANIA office located in another EU country. In both cases, NBR must receive a notification by the home supervisor. Prudential responsibilities stay with the home supervisor based on the expectation that it will perform “equivalent” supervision. Five branches of EU banks were established during the past five years. A notification regime applies in such cases. Branches established since 2012 include a branch of Veneto Banca, a small Italian bank, in 2014; Veneto Banca which was liquidated in 2017. Its Romanian branch assets were taken over by a newly authorized branch of Intesa San Paolo, a large Italian banking group; this branch started its activities two months after Veneto Banca was liquidated. There was no bank run (Romanian depositors were covered by the Italian deposit insurance scheme which did not have to intervene) or disruption of activities in the Romanian branch. Activities in Romania were small in the Veneto Banca group an unrelated to the problems it faced. The ownership structure of locally incorporated banks and branches of EU banks is transparent: there are 19 subsidiaries of EU banks, 8 branches of EU bank, 1 subsidiary of an Israeli bank, and 9 locally-owned banks (including a large listed private bank, two state- owned banks; only two of locally-owned banks have natural persons who hold qualifying holdings and subject to close oversight by NBR). Principle 6 Transfer of significant ownership. The supervisor32 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. Essential criteria EC1 Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”. Description and The banking law refers to the definition of qualifying holding included in the CRR findings re EC1 (see CP 5 EC 5 for the detailed definition). A proposed acquisition is defined by the banking law Article 7 as: “the decision taken by a proposed acquirer to acquire, whether directly or indirectly, a qualifying holding in a credit institution, Romanian legal person, or to increase its qualifying holding so that the proportion of the voting rights or of the capital held would reach or exceed 20 percent, 33 percent or 50 percent or so that the credit institution would become its subsidiary.” Regulation 11 Article 2 defines a significant shareholder as “a natural or legal person, or a group of natural and/or legal persons, acting in concert, who holds, whether directly or indirectly, qualifying holdings in a credit institution” EC2 There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. 32 While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority. 55 ROMANIA Description and The banking law sets detailed requirements for acquisitions (Article 25): findings re EC2 • Any proposed acquirer shall notify NBR in advance when it intends to acquire 20 percent, 33 percent, or 50 percent of the capital or of the voting rights of a bank (as well as when the bank would become its subsidiary). When the notification cannot be made in advance, “for objective reasons”, the notification is required from the date of acquisition; • NBR shall acknowledge in writing, within two days, receipt of the notification and indicate the expiration date for the assessment period, which shall not exceed 60 working days after all required documents are received; • NBR may require additional information no later than the 50th business day of the assessment period and the proposed acquirer shall provide this information within 20 working days; • The assessment period may be extended by 30 days if the proposed acquirer is situated outside the EU or is not subject to prudential supervision; and • If NBR does not oppose the proposed acquisition within the assessment period in writing, it shall be deemed to be approved. The banking law Article 26 indicates that NBR shall assess the suitability of the proposed acquirer and the financial soundness of the proposed acquisition against all the following criteria: • the reputation of the proposed acquirer, respectively its integrity and professional competence, • the reputation, knowledge, skills and experience of any person who will direct the business of the bank, as a result of the proposed acquisition; • the financial soundness of the proposed acquirer, in particular in relation to the type of business pursued and envisaged in the credit institution in which the acquisition is proposed, • whether the bank institution will be able to comply with prudential requirements, including whether the group of which it will become a part has a structure that makes it possible to exercise effective supervision, effectively exchange of information among the competent authorities and determine the allocation of responsibilities among these authorities, • whether there are reasonable grounds to suspect that, in connection with the proposed acquisition, there has been committed an offence or an attempt of offence on money laundering or terrorist financing or that the proposed acquisition could increase the risk thereof. For disposals, the banking law requires Article 27) any natural or legal person who has decided to dispose or reduce a qualifying holding so that the proportion of the voting rights or of the capital held would fall below 20 percent, 30 percent or 50 percent or so that the credit institution would cease to be his subsidiary, to notify in writing NBR (Regulation 6, Article 1513 indicates that the notification shall be made in advance, without further details). 56 ROMANIA Regulation 6, Article 1515 requires licensed banks to inform NBR immediately about any acquisition or disposal of their shares which exceeds or is below the levels for which there is an obligation to notify based on Article 25 and 27 of the banking law (see above). The banking law contains detailed provisions change in ownership or the exercise of voting rights over a particular threshold or change in controlling interest. However, there is no definition of beneficial ownership. EC3 The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. Description and NBR has the power to reject any proposal for a change in significant ownership or findings re EC3 controlling interest, where it is not satisfied with the suitability of the proposed acquirer and the financial soundness of the proposed acquisition after completing the assessment specified in the banking law (see EC 1). Where a person completes an acquisition during the assessment period or despite the opposition of NBR or when a person disposes of a qualifying holding without notifying NBR, NBR shall (i) issue an order requiring the natural or legal person responsible to cease the conduct and to desist from a repetition of that conduct and (ii) suspend the voting rights of the (responsible) shareholders Articles 229–2 and 2291 of the banking law). If NBR determines that the change in significant ownership was based on false information, it has the power to suspend related voting rights based on the broad provisions of Article 230–1 of the banking law: “Where the persons having qualifying holdings in a credit institution, Romanian legal person, do not longer comply with the requirements provided by the law and by regulations issued for its application regarding the quality of a credit institution’s shareholding, or if they exercise an influence that jeopardizes the credit institution’s prudent administration, the National Bank of Romania shall take appropriate measures to cease that situation. For this purpose, regardless of any other measures or penalties against the credit institution or persons performing administration and/or management duties, the National Bank of Romania may decide on the suspension of exercising the voting rights attached to the shares held by those shareholders or members”. The banking law empowers NBR to require that a change in significant ownership, which occurred without notification, during the assessment period or against the opposition of NBR, is reversed within three months or nullified: • Article 232: “(1) The persons who acquired a qualifying holding despite the opposition of [NBR] must sell, within three months of the date when the 57 ROMANIA opposition was communicated, their shares representing qualifying holdings acquired in such a way. After the expiry of this time limit, unless the shares are sold, [NBR] shall require the credit institution, Romanian legal person, to cancel the shares involved, to issue and sell new shares bearing the same number, and the amount of money collected from the sale shall be made available to the initial acquirer, after the cost related to the sale was deducted; • (2) The Board of administration of the credit institution, or the Directorate, as the case may be, is responsible for the implementation of measures necessary for the cancellation of shares in accordance with the provisions of paragraph (1), and for the sale of the newly issued shares; • (3) If, for want of buyers, the sale did not take place or was only partially accomplished in terms of the newly issued shares, the credit institution shall proceed to the reduction of its share capital by subtracting the amount representing the difference between the registered share capital and the share capital held by shareholders with voting rights. • (4) The provisions of paragraph 1–3 are also applicable in case of persons who failed to notify the National Bank of Romania of the acquisition of a qualifying holding, pursuant to Article 25 paragraph 1, and do not comply, in the time limit set by the National Bank of Romania, with the requirement to provide the necessary information and documentation for the assessment provided by Article 26 paragraph 1. In this situation the National Bank of Romania could oppose to the acquisition according to the provisions of Article 26 paragraph (2).” EC4 The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. Description and Regulation 6 (Article 1516) requires banks to submit annually to NBR findings re EC4 • Financial information related to shareholders which hold, directly or indirectly or in concert, qualifying holdings: o For legal entities, annual, individual and, where appropriate, consolidated financial statements, o For natural persons, income statement submitted to the tax authorities (or, where appropriate, solemn declaration showing the income source and amount as well as the nature of obligations assumed) • A statement of all shareholders, including the following information: identity, residence and citizenship for individuals, nationality and address, for legal entities, the number and value of shares held, the percentage of participation in the share capital and of the voting rights. There is no specific requirement for banks to provide information regarding identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. NBR indicated such aspects were verified during the annual full-scope on-site examinations (in the absence of an on-site inspection manual or 58 ROMANIA methodology, it is difficult to assess whether this is done on a systematic basis and how such verifications are conducted). EC5 The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. Description and Where a change control has taken place without the necessary notification or approval findings re EC5 from the supervisor, NBR can suspend the exercise the voting rights, require that the related shares are sold within three months and, should his not be done, require that the shares be nullified. (see EC 3) EC6 Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Description and There are no specific laws or regulations stipulating that institutions must notify NBR as findings re EC6 soon as they became aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Assessment of Largely Compliant Principle 6 Comments In the past five years, 33 requests for changes in significant ownership were received, largely related to the consolidation process in the banking industry. 31 such requests were approved and two denied (respectively in 2013 and 2014). Rejections were motivated (i) in one case, by insufficient integrity of the proposed shareholder as its chairman of the Board was investigated and sanctioned by the ASF and (ii) in another case, in insufficient transparency of the shareholders abroad as NBR did not receive appropriate information to assess their suitability. NBR implements a rigorous definition of transfer of significant ownership, in line with the provisions of the CRD IV (i.e., direct, indirect or control 20 percent, 33 percent, or 50 percent of the capital or voting rights of a bank or acquisition making the bank a subsidiary), as well as requirements on the transparency of bank ownership. It could usefully complement its regulatory requirements by introducing a definition of ultimate beneficial owner and require banks to provide information regarding the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. While banks keep close contacts with NBR and ted to inform it of any material development, it would be relevant to include a specific requirement that banks must notify NBR as soon as they became aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Principle 7 Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. Essential criteria EC1 Laws or regulations clearly define: 59 ROMANIA (a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and (b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital. Description and In the past five years, there were only four significant acquisitions which involved the findings re EC1 acquisition of a Romanian bank by another Romanian bank. The regime in Romania, as well as in other EU countries, is based on the notion of qualifying holding (see CP 5 EC 5 for the detailed definition). The banking law Article 2, transposing relevant provisions of the CRD IV, defines a proposed acquisition as: “the decision taken by a proposed acquirer to acquire, whether directly or indirectly, a qualifying holding in a credit institution, Romanian legal person, or to increase its qualifying holding so that the proportion of the voting rights or of the capital held would reach or exceed 20 percent, 33 percent, or 50 percent or so that the credit institution would become its subsidiary”. Prior approval Where a Romanian bank intends to acquire a qualifying holding in an undertaking in a third country, prior approval is required if, following the acquisition of a qualifying holding, the entity located in a third country would be included in the scope of prudential consolidation Article 146 of the banking law). Such undertakings which can be included in scope of prudential consolidation (Article 18 of the CRR) include both “institutions” (i.e., credit institutions and investment firms) and “financial institutions” (i.e., other institutions which principal activity is to acquire holdings or to pursue one or more of the following activities lending, financial leasing. payment services, issuing and administering other means of payment, guarantees and commitments, trading for own account or for account of customers in money market instruments, foreign exchange, financial futures and options, exchange and interest-rate instruments, transferable securities, participation in securities issues and the provision of services relating to such issues, advice to undertakings on capital structure and industrial strategy, money broking, portfolio management, advice, safekeeping and administration of securities and issuing electronic money). Notification The acquisition of any other qualifying holding by a Romanian bank needs to be notified to NBR within five business days (Article 147 of the banking law). In the case of the acquisition of qualifying holdings in EU credit institutions, NBR can share its views with the relevant EU supervisor prior to the acquisition. The regime applicable to the transfer of significant ownership defined by the CRD IV (which transposition in Romania is described in CP 6) applies: prior notification by the acquirer (the Romanian bank) to the EU supervisor responsible for the credit institution in which a qualifying holding is acquired (Article 22 of the CRD IV), detailed timeframe and criteria for the 60 ROMANIA assessment (Articles 22 and 23) and consultation between the supervisors of the EU and Romanian credit institutions, i.e., NBR (Article 24). Limitations and prohibitions For other investments, the CRR (Article 89) limits individual participations to 15 percent of a bank’s own funds and the aggregate of such participations to 60 percent of a bank’s own funds (see EC 5). Moreover, the banking law (Article 144) prohibits Romanian credit institutions from acquiring qualifying holdings in entities covered by Article 89 of the CRR if they would then become their subsidiaries. EC2 Laws or regulations provide criteria by which to judge individual proposals Description and See CP 6 for a detailed description of the regime applicable to transfer of control of findings re EC2 Romanian banks. Where a Romanian bank intends to establish a branch in another EU country (Article 81-1 of the banking law), it shall send a notification to NBR with details regarding the address and country of the proposed branch, a program of operations (including at least the types of business that are to be carried on and the structural organization of the branch) and the identity of the persons designated to ensure the management of the branch and information regarding their reputation and professional expertise). Within three months of receipt of the notification, NBR shall (i) either communicate the information received to the EU host supervisor and inform the credit institution accordingly; or (ii) oppose the establishment of the branch if it has “reasons to ascertain that the administrative structure or the financial situation of the credit institution is not adequate” (and convey the underlying rationale of its decision to the Romanian bank). Where a Romanian bank intends to establish a branch in a third country not belonging to the European union, Article 91 of the banking law mentions it shall submit a request for approval to NBR. NBR may reject the application if, on the basis of information held and documentation submitted, it ascertains that: (i) the bank does not have an adequate financial standing or the administrative capacity to carry on the envisaged activity through the branch; (ii) the existing legislative framework of the third country and/or the manner in which it is implemented impedes the exercise by NBR of its supervisory functions; or (iii) the bank posts an inappropriate development of the prudential indicators or does not comply with other prudential requirements. EC3 Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.33 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into 33 In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank. 61 ROMANIA consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. Description and See EC 2 findings re EC3 Where a Romanian bank intends to acquire a qualifying holding in an undertaking in a third country which would then be included in its prudential consolidation, NBR shall conduct its review to ensure Article 146–2 that (i) the acquisition shall not expose the Romanian bank to undue risks or hinder effective supervision on a consolidated basis and (ii) the Romanian bank shall have adequate financial and organizational resources to handle the acquisition and management of the respective holdings. In such cases, the application for approval shall be accompanied by Article 14 of Regulation 6) a presentation of the legal and institutional framework in the third country, including at least information on supervisory authorities and financial sector supervisory system, legislation on professional secrecy in the financial sector, prevention of money laundering and terrorist financing, know your customer standards and any other relevant information regarding potential impediments in carrying out prudential supervision by NBR , such as restricting access to information or the possibility of carrying out on-site inspections. EC4 The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. Description and Where a Romanian bank intends to acquire a qualifying holding in an undertaking in a findings re EC4 third country which would then be included in its prudential consolidation, Article 146–2 of the banking law requires that the bank have adequate financial and organizational resources to handle the acquisition and management administering of these holdings. For other acquisitions (i.e., in the EU), requirements that credit institutions have an organizational and risk management structure adequate to its size, complexity and business structure apply (see CP 15 EC 1). EC5 The supervisor is aware of the risks that nonbanking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in nonbanking activities. Description and The EU CRR Article 89 limits individual participations in nonbanking entities to 15 percent findings re EC5 of a bank’s own funds and the aggregate of such participations to 60 percent of a bank’s own funds. The banking law Article 144 prohibits Romanian banks from exercising control over such entities. The banking law Article 20–1 limits the direct provision of nonbanking services (nonfinancial mandate or commission operations, management of portfolio of movable and/or immovable assets, services to own clients related to banking operations) as the total amount of revenues from these activities may not exceed 10 percent of the bank’s net profit. From a macroprudential perspective, the identification of risks related to nonbanking or shadow banking activities would also fall within the mandate of the NCMO (see CP 3). 62 ROMANIA AC1 The supervisor reviews major acquisitions or investments by other entities in the banking group to determine that these do not expose the bank to any undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.34 Where necessary, the supervisor is able to effectively address the risks to the bank arising from such acquisitions or investments. Description and findings re AC1 Major acquisitions or investments by other entities located in third countries Prior approval by NBR is required under Article 146 of the banking law for any qualifying holding the bank intends to hold in an undertaking from a third country, which would be included in its prudential consolidation following the acquisition. As qualifying holdings are broadly defined to include direct or indirect holdings, a major acquisition conducted by a subsidiary would also be covered. In such cases, NBR would review that these do not expose the bank to any undue risks or hinder effective supervision before giving its approval. Major acquisitions or investments by other entities located in the EU NBR shall be notified within five business days of the acquisition of any qualifying holding Article 147 of the banking law. See also CP12 EC5. Assessment of Compliant Principle 7 Comments As part of the consolidation of the Romanian banking system in recent years, NBR reviewed and approved four requests for acquisitions in the past five years (all related to mergers between banks licensed in Romania). NBR has been actively involved in the review of the proposed acquisitions at different stages of the process. In a 2016 case where the acquired bank was large and had a deteriorated risk profile, NBR implemented a thorough review to ensure this would not expose the acquirer to undue risks. NBR was satisfied inter alia as a large portfolio of risky loans denominated in CHF was converted in local currency ahead of the acquisition, thorough due diligence was conducted by the acquirer and the acquisition price did not threaten the acquirer’s capital buffers. Romanian banks only have small activities outside Romania (i.e., no subsidiary and only one branch in another EU country and small financial subsidiaries in Moldova). Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become nonviable. 34 Please refer to Footnote 33 under Principle 7, Essential Criterion 3. 63 ROMANIA Essential criteria EC1 The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: (a) which banks or banking groups are exposed to, including risks posed by entities in the wider group; and (b) which banks or banking groups present to the safety and soundness of the banking system. The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. Description and The NBR introduced EBA Guidelines on common procedures and methodologies for the findings re EC1 supervisory review and evaluation process (SREP) framework for determining and assessing the risk profile of banks and banking group from 2016. As of January 1, 2016, the NBR Board approved the implementation of EBA SREP Guidelines (EBA/GL/2014/13) into national supervisory practices. The objective of SREP of credit institutions is to promote a sound banking system, which is essential for ensuring the sustainable financing of the economy. The SREP process of a credit institution includes the following components: a. Categorization of institutions based on the institution’s size, structure and internal organization, and the nature, scope and complexity of its activities, and periodic review of this classification; b. Monitoring of key indicators; c. Business Model Analysis (Advanced Measurement Approach (AMA)); d. Assessment of internal governance and institution-wide controls; e. Assessment of risks to capital; f. Assessment of risks to liquidity and funding; g. Capital adequacy assessment; h. Liquidity adequacy assessment; i. Overall SREP assessment; and j. Supervisory measures (including early intervention measures, as appropriate). Regarding the first component of the SREP process, the categorization of institutions, this is performed based on the methodology described by an “internal procedure” issued by the SD and approved by the first deputy governor. Per above mentioned guidelines, the supervised entities are allocated into four major categories, depending on their qualification as other systemically important financial institutions (OSII), size, relative market share, and business model, as follows: • Category 1 - OSII; • Category 2 - large and medium institutions other than OSII with universal business model and a market share by assets more than 5 percent; 64 ROMANIA • Category 3 - small and medium credit institutions with universal business model and a market share by assets below or equal to 5 percent; and • Category 4 – specialized credit institutions, respective savings bank for housing, which facilitates the peer comparisons between banks. This classification is used by the NBR as a basis for applying the principle of proportionality to the scope and intensity of the supervisory commitment and the dialogue with the credit institution. The SREP assessment is based on both quantitative and qualitative information, including the arrangements, strategies, processes and mechanisms implemented by each credit institution. The data concerning the breakdown at risk level of the total SREP capital requirements are centralized at the banking system level. This allows basic comparison between banks from the same peer group with regards to the capital allocation for the risks assessed in the Internal Capital Adequacy Assessment Process (ICAAP)/SREP. On a quarterly basis, the data from the supervisory reports are loaded into centralized reports, which serve as a source of information for the horizontal assessment relating to the SREP scores. The aggregate data of SREP elements by the score assigned are disclosed in the Assessment of banking risks section from the 2016 NBR’s annual report. The SREP assessment is performed on site annually for all 28 supervised banks or banking group by legislation Article 166 NBR Regulation No. 5/201335, and leads to an overall SREP score that is updated off site on an ongoing basis as significant developments occur. The NBR is not differentiating the frequency of full-scope examinations based on the outcome of risk profile analysis of banks. The asset size and the SREP score of previous year are the main factors in determining the examination periods and the number of examiners. The review of the arrangements, strategies, processes and mechanisms implemented by each credit institution, and its assessment are also performed by off-site personnel on an on-going basis. The off-site supervision also addresses the periodic assessment of the several key indicators concerning the credit risk, market risk, operational risk, IRRBB, liquidity risk, business model (based on the profitability indicators) and the changes within the internal governance of credit institutions. Regular monitoring of these key indicators is used to identify material changes in the risk profile of an institution and in the SREP assessment. The rating methodology consists of a scale from 1–4 (1 equaling to “no discernible risk” and 4 “high risk”) and one negative grade (F) for an institution that is failing or likely to fail (within the meaning of Article 32 of the BRRD). Concluding to the above mentioned, the SREP summary is issued annually, based on the outcome of the annual supervisory report (containing supervisory findings made over the course of the previous 12 months), properly reflecting along the most significant 35 NBR Regulation 5/2013 on prudential requirements for credit institutions. 65 ROMANIA developments affecting the institution’s risk profile and viability, and changes in the financial conditions, as disclosed in the monitoring process (key indicators evolutions, on- site targeted visits, meetings with institution’s representatives etc.). This EC requires supervisors to assess the resolvability of banks and banking groups as an input into the ongoing risk assessment. In the EU framework, however, the assessment of resolvability is not the responsibility of competent authorities, but the responsibility of the resolution authority (see Article 10(2) and 15 of the BRRD). Thus, the Resolution Department (RD) within the NBR assesses banks’ resolvability , after consulting the SD, and the outcome and issues are communicated with the SD. The SD takes into account the resolvability assessment outcome in their supervision activities as needed. Although there is no clear methodology on how the resolvability assessment results are fed into supervisory activities, the NBR mentions that any issue of resolvability of banks are considered in the SREP assessment qualitatively. In terms of supervisory methodology in relation to the need to assess risks which banks or banking groups present to the safety and soundness of the banking system, there is a quarterly risk dashboard that provides bank-specific data, sector and peer group. In addition, the FSD analyze the safety and soundness of the banking system as well as publishes financial stability reports on a half yearly basis. The FSD shares the analysis results with SD, including the top-down stress testing results, which are fed into supervisory activities. EC2 The supervisor has processes to understand the risk profile of banks and banking groups and employs a well defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. Description and The banking supervision is performed within the three inspection divisions in the findings re EC2 Supervision Department, all of them having the same organization, on-site and off-site activities. For the SREP process, currently there is an internal procedure divided into two sections, one dedicated to on-site activities, and the other one to off-site activities. Each of them describe, in details, the specific operational flow of the process of verification and evaluation of the arrangements, strategies, processes and mechanisms implemented by the credit institutions. (See CP9 EC2) Additionally, in the supervisory practices NBR adopted the common procedures and methodologies promoted by the EBA Guidelines and of the other binding technical standards with relevance to the matter in question (such as: SREP Guidelines, RTS on colleges, RTS on Joint Decision, Guidelines on triggers for use of early intervention measures pursuant to Article 27(4) of Directive 2014/59/EU, etc.). In parallel with the internal procedure used to assess the viability and sustainability of credit institutions (the assessment of the business model), internal governance including 66 ROMANIA internal control, the adequacy of risk to capital, the adequacy of risk to liquidity, systemic risk and ICAAP for those subjects which require competent authority to develop internal supervisory methodologies based on the guideline orientation, such as categorization of institution, articulation of own funds requirements, communication of the TSCR ratio/OCR ratio, methodologies for calculation of add-on capital requirements, NBR formalized the procedure concerning the methodology for determining additional own funds requirement Pillar II and the method of determining and expressing it in the capital evaluation process SREP. NBR has implemented a monitoring system based on quantitative risk indicators (Key risk indicators) which allows the identification of deterioration of the risk profile of each entity, the results of the monitoring system being used both for on-site and off-site supervisory activities. The Supervision Department has identified 26 KRIs which are used for scoring with thresholds for each rating (1–4) from the total of 34 KRIs. These scores are a starting point for the SREP scores and are automatically updated based on the availability of new reported data. KRI thresholds may also trigger an update of SREP elements outside the annual cycle. All indicators are split into groups (risk categories) which also allows to assign automated scores for SREP elements and risk categories (e.g., credit risk score), which serves a starting point for further analysis. Monthly and quarterly off-site analysis relies on data from ITS on supervisory reporting but also on additional reporting requirements (e.g., Financial Reporting (FINREP) solo monthly, classification of loans and investments monthly, NBR NPL loans by client monthly, asset sales monthly, liquidity reports weekly and monthly). For every bank there is a quarterly risk dashboard, providing bank-specific data, and sector and peer group details. During the SREP process, however, the forward-looking perspective is assessed based on a minimum two years projection of the business plan and the capitalization considering the base line scenario and the adverse (stressed) scenario in the capital adequacy assessment and the BMA. Top-down stress tests are performed by Financial Stability Department) at aggregate and individual level. The supervisory work in each bank is based on the result of the above-mentioned analysis and annual SREP assessment. EC3 The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. Description and The supervisory activities in NBR include both assessing compliance with applicable findings re EC3 regulatory framework (at national and European level) and the evaluation of the intrinsic exposure to risks and of the overall viability of the institution. Based on the provision of Article 166 of the banking law, the governance arrangements of a credit institution, the processes to identify, manage, monitor and report the risks, the internal control mechanisms as well as the remuneration policies and practices are established by the credit institution’s Articles of Association and internal regulations according to the legislation in force applicable to commercial companies and in 67 ROMANIA compliance with the provisions of the mentioned emergency ordinance and the applicable regulations. Assessments are performed in cases where changes in banks’ internal regulations subject to specific notifications requirements (i.e., concerning the individuals lending activity) occur. The information is also used to update the credit institution template. The noncompliance cases are documented into the supervisory letters, written orders (usually following off-site assessment) and/or reports, communicated to the banks management and corrective measures are applied if necessary. EC4 The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in nonbank financial institutions, through frequent contact with their regulators. Description and The NBR requires credit institution to conduct stress tests, as part of the ICAAP, in order to findings re EC4 identify those events or changes in the market conditions in which they operate and may adversely affect their future. Thus, for assessing the reliability of capital planning, credit institutions utilized the results of crisis simulations used to assess the viability of the capital plan in adverse circumstances. The NBR, as part of the SREP, reviews how the evolution of the macroeconomic environment is taken into consideration by the credit institutions in the strategic plans and in the capital planning, that the base line scenario and the stress test scenario must be designed based on the forecasted evolution of a minimum set of macroeconomic indicators, including interest rates, GDP, unemployment rate, real estate market evolution, consume and FX rates. These macroeconomic indicators are also used by the NBR in the top down stress tests performed for the banking system. The FSD performs the top-down stress tests for individual institutions and banking system using macroeconomic indicators and scenarios. The key variables include economic growth, interest rate projections, exchange rate developments, risk premium, and unemployment. The results are shared with the SD for reference, and serve as benchmarks during the SREP process. The cross-sectoral view of the nonbank financial institutions is ensured by the supervisory activities performed for these entities within the same supervisory body (in the NBFI and payment institutions division within the SD). While there is sharing among supervisors on relevant data and supervisory findings on a need basis, there is no systematic process or regular meetings with securities and insurance supervisors (ASF) before on-site examination on banking groups to discuss the risks in the banking group supervised, supervisory approaches, and potential concerns about the banking group or subsidiaries. Authorities mention that banks normally carry more than 90 percent of assets within the banking group, so such meetings can be considered not a core need. In addition, the authorities also mention that there is a high level national coordination framework among domestic supervisory authorities (see EC5). 68 ROMANIA EC5 The supervisor, in conjunction with other relevant authorities, identifies, monitors, and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. Description and The monitoring and assessment of risks, trends and concentrations within and across the findings re EC5 banking system as a whole is carried out by the BSD and FSD. The mechanism of NBR to identify, monitor, and assess the build-up of risks, trends and concentrations within and across the banking system are: • Semi-annual FSR—which is reported to the NBR senior management and to the FSDC on a half- yearly basis. The FSR presents detailed analyses of banking sector developments and soundness, including credit risk, asset quality, results of the macro-financial stress tests, liquidity risk analysis, and various other financial soundness indicators per different types of financial entities; • Quarterly risk dashboard— provides bank-specific data, sector, and peer group on trends and developments of risk categories. The NBR incorporates these analyses into its assessment of banks under the SREP process. The NBR also communicates to banks any significant trends or emerging risks identified as part of its analyses during onsite examination and discussions under the SREP. Other than the above analysis, industry-wide thematic analyses triggered by detected trends or recent events, and analyses of sources of liquidity (such as domestic and foreign currency funding conditions and costs) seem to be limited within the SD. 36 The emerging risks at the bank level were addressed through measures imposed through written orders signed by the senior management of the NBR, following on and off-site supervisory reports. In some cases, emerging risks at the bank/system level were treated through letters of recommendation sent to the banks, meetings with the bank’s representatives and/or third parties (external auditors) or through ad hoc or enhanced reporting on special items (see CP 9 EC5). In addition, there is a national coordination regarding the monitoring and mitigation of risk accumulation at system level. The NBR communicates to other relevant authorities under the NCMO mechanism and by issuing half-yearly FSRs. The NCMO may issue warnings and recommendations (soft law), which are based on an “act or explain” mechanism and addressed to the NBR or the ASF, in their capacity as national authorities responsible for sectoral financial oversight. EC6 Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses th e bank’s resolvability 36 The NBR performed AQRs, based on the methodology developed by the EBA for three large domestic banks in 2014, and in 2017 there was IFRS9 data collection exercise in preparation of IFRS9 implementation. 69 ROMANIA where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. Description and The Romanian regulatory framework has implemented the provisions of the BRRD findings re EC6 regarding resolvability assessments. When the NBR as resolution authority (RD), after consulting the SD, determines that there are substantive impediments to the resolvability of that institution, the RD, would notify in writing the SD as the national competent authority (NCA). Article 92 paragraph 2 of Law No. 312/2015. Furthermore, the RD should consult the SD when assessing whether the measures identified by credit institutions effectively address or remove the substantive impediments in question, and when establishing alternative measures that may achieve that objective. For the 2016 resolution planning process, the NBR, as resolution authority, either at the level of institutions not being part of a group or at the level of the Romanian subsidiaries in cross-border groups, participated in drafting or where applicable, drafted resolution plans for: • Fourteen credit institutions that are subsidiaries of cross –border groups, subject to consolidated supervision, within the resolution colleges established by the SRB/other group level resolution authorities—they represent approx. 63 percent of the Romanian banking system’s total net assets as of December 2016. • Eight credit institutions that do not belong to cross–border groups, under the NBR’s remit—they represent approximately 23 percent of the Romanian banking system’s total net assets as of December 2016. Also, all credit institutions prepared and sent their recovery plans (individual or group level) to NBR or through the consolidating supervisors. The recovery plans received by the SD were assessed by off-site function. Assessments during the on-site inspections were made with a view to identify any actions in the recovery plan that may adversely impact the viability of the credit institutions. The competent authority (SD) may dispose measures to credit institutions to reduce the risk profile of the institution, including liquidity risk, enable timely recapitalization measures, review the institution’s strategy and structure, make changes to the funding strategy so as to improve the resilience of the core business lines and critical functions and make changes to the governance structure of the institution. The recovery plans received by the NBR from credit institution or from the consolidating supervisor (in case of banking groups for which NBR acting as a host authority) are sent by SD to the RD in order to be assessed from the resolvability point of view. The result of the assessment performed by the RD is communicated to the SD. 70 ROMANIA Having completed the first round of recovery and resolution plans last year, Romania is starting the second one which is expected to incorporate requirements, comments, and lessons learned during the initial effort. Regarding recovery plans, the NBR must aim at increasing the level of specificity of recovery measures, especially those that correspond to foreign bank’s subsidiaries whose plans are prepared at the parent level. In addition, the NBR’s resolution planning for foreign subsidiaries is based mainly on single point of entry considerations, and incorporating other resolution alternatives (e.g., multiple point of entry) will require a strategy for the development of loss-absorbing eligible instruments in the domestic capital market as well as ensuring separability and autonomy from group/parent undertaking from both a financial and operational point of view, so that Romanian subsidiaries would be able to operate their businesses on a stand-alone basis as going concern. EC7 The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. Description and The Romanian regulatory framework has implemented the provisions of the BRRD. The findings re EC7 legal basis for handling credit institutions in times of stress are set out in Article 166–2 of Banking Law and Article 180–1(a) and 181 of Law No. 312/2015 on the recovery and resolution of credit institutions and investment firms. In accordance with Article 4 paragraph (1) letters (d) and (e) of the Law No. 312/2015 on the recovery and resolution of credit institutions and investment firms, the NBR, both as a competent authority and as a resolution authority, has the following responsibilities: • to adopt and publish relevant internal rules of relevance, including those relating to professional secrecy and the exchange of information between the structures responsible for the various functions exercised by law (letter d); • to establish procedures for the structures and persons exercising, in the name of the NBR, the supervisory and the resolution functions, respectively, to cooperate closely in the preparation, planning and implementation of resolution decisions (letter (e). In this respect, the NBR issued and published on its intranet a formal procedure which contains the categories of the data and information which can be the object of the informational flow between the organizational structures fulfilling the supervisory function and, respectively the resolution function, the frequency and the mode of transmission, as well as the circumstances that intervenes with the requirement to provide information necessary for them to exercise their attributions regarding the recovery and the resolution of the credit institutions. The main objective of this formal procedure is to establish the nature of information to be exchanged and the frequency and way the information is transmitted between the RD and SD in the context of recovery and resolution and to support timely decisions regarding the recovery and resolution of distressed banks. 71 ROMANIA The NBR will carry out resolution actions only when three cumulative conditions are satisfied: the institution is failing or is likely to fail; there are no alternative measures of the private sector/supervisory authority to prevent the failure of the institution within a reasonable timeframe; the resolution action is justified by reasons of public interest. With regards to the supervision of credit institutions belonging to the cross-border banking groups, the NBR works with the other supervisory authorities by means of supervisory colleges, which are structures that ensure optimum dissemination of information and the making of joint decisions on capital and liquidity adequacy and on credit institutions’ recovery plans. In this case, the responsibility for the planning and coordination of the supervisory activities (e.g., early intervention measures) lies with the consolidating supervisor within the college framework. Romanian credit institutions (which are not subsidiaries of European banking groups) are required to submit their recovery plans to the NBR for assessment. The assessment was performed and determined whether the plans were comprehensive and could feasibly restore an institution’s viability. On the basis of this assessment, if necessary, corrective actions are required to improve the quality of recovery planning. In this respect, Law No. 312/2015 stipulates in Article 24 and 25 the stages of the evaluation process and the types of related measures. EC8 Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. Description and The NBR is a regulator and supervisor of NBFIs. The NBFI supervision and inspection findings re EC8 function lies within the supervision department. As a prudential supervisor of NBFIs, the NBR has powers to act if such bank-like activities outside regulatory perimeters would be noticed. These practices will properly be addressed through regulatory and supervisory actions. The NBR has not identified banks attempting to re-organize or restructure for purposes of regulatory arbitrage or avoidance, but the NBR has powers to address this attempt. Information on the bank-like activities and on any boundary issues that may be identified would be exchanged among the SD. In addition, the NCMO cooperation mechanism among domestic authorities (securities and insurance) could address the issue if happens. Assessment of Largely Compliant Principle 8 Comments The supervisory approach of the NBR has undertaken changes toward a more risk based approach since the previous BCP assessment. As of January 1, 2016, the NBR Board approved the implementation of EBA SREP Guidelines (EBA/GL/2014/13) into national supervisory practices. The Romanian regulatory framework has implemented the provisions of the CRD IV and BRRD (resolvability assessment). The partnership, communication, and information sharing in relation to resolvability assessment and related 72 ROMANIA actions with resolution authorities (the Resolution Department within the NBR) appears to be working. Nevertheless, the new EBA SREP methodology is still in the early stages of implementation. The SREP assessment is performed on site annually for all 28 supervised banks or banking group by legislation, and leads to assigning an overall SREP score, which is updated off site on an ongoing basis. The NBR is not differentiating the frequency of full-scope examinations based on the outcome of risk profile analysis of banks; instead, the asset size and the overall SREP score of previous year are the main factors in determining the scope and intensity of examination. However, when the SD establishes the examination program for the following year, there is limited substance to set out the proposed priorities for the year. (e.g., the SD could submit a memo to supervisory committee, the decision-making body, who should be informed of the priorities and specific risks of each banking group before the approval of next year’s examination program) For off-site supervisory activity, there is a quarterly risk dashboard, providing bank-specific data, and sector and peer group details. These monitoring tools do not seem to have embedded a forward-looking view of a banks risk profile (i.e., there are no early warning indicators or bottom up stress testing tools). The FSD publishes FSRs on a half yearly basis as well as performs top-down stress testing, the results of which are shared with banking supervisors for reference. However, more risk- focused, banking industry-wide thematic analyses triggered by detected trends or recent events, and examinations across systems seem to be limited. (During the 2016 and 2017 there were no thematic inspections carried out at the banking system level.) The Resolution Department (RD) within the NBR assesses banks’ resolvability and the outcome and issues are communicated with the SD. The SD takes into account the resolvability assessment outcome in their supervision activities as needed. However, there is no clear methodology on how the resolvability assessment results are fed into supervisory activities. While there is sharing among other supervisors on relevant data and supervisory findings on a need-to-know basis, there is no regular meeting/ systematic process with securities and insurance supervisors (ASF) before on-site examinations of banking groups to discuss a common view of risks in the particular banking group supervised, supervisory approaches, and potential concerns on the banking group or subsidiaries. The authorities should consider the following supervisory approach: • Enhance off-site monitoring tools by incorporating more forward-looking views (e.g., bottom up stress testing tools). • Enhance a yearly examination planning/approval process to clearly set out the proposed priorities of each bank or banking group for the following year. 73 ROMANIA • Establish a systematic framework that collects relevant information from NBFI (including securities or insurance supervisors) to facilitate on-site examination. • Conduct thematic analysis and/or examination across banking system with a mix of off and on-site activities on a particular risk (e.g., cyber security risk). Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. Essential criteria EC1 The supervisor employs an appropriate mix of on-site37 and off-site38 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment, and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. Description and In NBR, the supervision function is integrated into the Supervision Department (SD) and findings re EC1 coordinated by one Board member, the First Deputy Governor. Banking supervision is performed within the three inspection divisions, all of them having the same organization, on-site and off-site activities. The SD has in place internal procedures to document the specific on and offsite activities and the related tools and workflows. The procedures are regularly revised and updated in order to accommodate any new changes required by the regulatory framework or as required by the changes in the internal organization (including adoption of new supervisory tools). In 2016, EBA SREP methodology was implemented. (See CP8) Within each Inspection Division of the SD, banks are allocated to off-site examiners and analysts called “line supervisors” covering each credit institution. There is a rotation of personnel within each inspection division or rotation of banks among the inspection divisions. On-site teams within the divisions are mixed and cover all banks allocated to the division. The internal supervisory procedures of each bank or banking group are issued by dedicated teams consisting of off-site and on-site examiners from the Banking Inspections Divisions and supported by the Banking System Assessment, Methodology and Supervision Procedures Division. 37 On-site work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow -up on supervisory concerns, etc. 38 Off-site work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further off-site and on-site work, etc. 74 ROMANIA Off-site supervision is designated to monitor the developments of the bank’s overall risk profile and its components through the analyses performed based on financial and prudential indicators, the approval/rejection of requests concerning amendments in bank’s situation (e.g.,: persons nominated to exercise administration and/or management responsibilities, key function holders, acquisition of qualifying holdings, financial auditors, completion of the core business), and to participate in activities arising from colleges of supervisors, both in normal times and in crisis situations. The responsibilities at the level of the off-site activity are shared according to the job description between the line supervisors, in charge mainly with the approval process, and the risk analysts which mainly focused on the qualitative risk analysis and the college of supervisors’ work On-site supervision represents an integral part of the supervisory approach in NBR which is designated to obtain an objective and comprehensive assessment of particular aspects of a credit institution and allow for the focused investigation of risks, risk controls, processes, systems and personnel. On-site activities include a verification of the functioning of the risk management framework in practice and an assurance on the correctness of the data transmitted by the credit institutions and used in off-site supervision. They are performed at the premises of the credit institution on the basis of the annual supervisory program approved by the Supervisory Committee. There are two types of on-site missions: full-scope inspections covering a comprehensive spectrum of risks and activities, which typically last two to five weeks depending on the bank’s size and targeted inspections focusing on a particular business activity or specific issues, e.g., AML/CFT. Usually, 3 to 10 people are appointed (larger teams for other systemically important institutions (OSIIs)) for each credit institution team (larger teams for OSIIs). The NBR does not differentiate between domestic from foreign-owned institutions when defining the frequency or setting the scope of on-site inspections. Also, according to the examination programs, all the credit institutions are subject to a full scope examination that covers all the areas provided by the EBA SREP guidelines. Although Article 167 paragraph 2 from Regulation No. 5/2013 states that annual inspections should be carried out for (a) credit institutions for which the results of the stress tests indicate significant risks to their ongoing financial soundness or indicate breaches of provisions of the banking law; (b) credit institutions that pose systemic risk to the financial system; and c) any other credit institution, if considered necessary by NBR , in practice, the annual examination programs approved by the senior management of the NBR included all the supervised credit institutions. The SD does not have a team dedicated to banks internal model analysis. The FSD has a quantitative assessment division, which assists the SD whenever supervisors need to approve advanced approach in certain banks or validation of internal models. Currently, two banks received approval from the NBR for using the advanced approach in credit risks and three banks for operational risks in Romania. EC2 The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on 75 ROMANIA a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions. Description and The planning and execution of on and offsite activities are described in the above findings re EC2 mentioned internal procedures, which includes the roles and responsibilities for each involved party in the supervisory process. Permanent sharing of information between on site and offsite components occurs and supports the specific supervisory processes. The on-site examination program is annually approved at the level of Supervisory Committee of NBR. The supervisory examination program provides the on-site visits schedule for all credit institutions during the year, the allocated period of each visit and the objectives to be reviewed. All the credit institutions are subject to a full scope examination that covers all the areas provided by the EBA SREP guidelines. Although prioritization could be less of a critical issue in the Romanian context, there is no such process to set out the proposed priorities and inspection plans for the following year or thematic analysis/examination when the SD establishes the examination program for the following year. For example, the decision-making body should be informed of the priorities and specific risks of each banking group/ banking industry before approval of next year’s examination program when the SD submits a memo to the supervisory committee (See CP8). As part of the planning process, the team is set before the visits by the head of the inspection division and approved by the head of SD and the First Deputy Governor of the NBR. When necessary, in developing the College Supervisory Examination Program (SEP), the coordination with supervisory activities performed within supervisory colleges are considered (SREP submissions, JDs signing deadlines). Prior to on-site examinations, the off-site component of supervision a set of information (data and materials) under which it has established the preliminary risk profile. Such information includes reports, information requested by NBR from credit institution, documents resulting from information exchange with other supervisory authorities, the credit institution template, an internal document containing general information about the bank, ownership structure, credit institution reporting requirements, credit institution’s internal regulation subject to approval or validation, outsourced activities, information regarding off-site supervisory reports, data on the last on-site evaluation, other information regarding cooperation, information exchange, reports to ECB/EBA in the matter of supervision of the credit institution. It also includes a risk assessment template, which is a supervisory tool comprising information on the scores allocated to the significant risks (from Pillar I and Pillar II), general risk profile, ICAAP, stress-tests and updated according to the institution’s risk profile changes from the last on -site examination or other significant events occurred in the bank’s activ ity. Among these tasks, a significant part of this off-site function includes the approval/rejection of requests concerning amendments in bank’s situation (e.g., persons nominated to exercise administration and/or management responsibilities, key function holders, acquisition of qualifying holdings, financial auditors, completion of the core business). 76 ROMANIA The NBR has identified a set of KRIs which are also used for scoring with thresholds for each rating (1–4). These scores are a starting point for the SREP scores and are updated based on the availability of new reported data. KRI thresholds may also trigger an update of SREP elements outside the annual cycle. The templates are updated monthly or quarterly and significant developments registered by each bank are reviewed. The NBR communicates quarterly to banks with their own KRIs template containing information on peer group KRIs. Off-site supervisors also receive all policies and procedures of banks and the information is used in risk assessment. In addition, the assessment of SREP elements is reviewed/updated outside of the planned on-site examination schedules using the information from ITS on supervisory reporting and additional reporting requirements (e.g., FINREP on individual basis monthly, classification of loans and investments monthly, NBR NPL loans by client monthly, asset sales monthly, liquidity reports weekly and monthly, and sources from external counterparts on 10 days basis). The results are presented through monthly/quarterly reports containing data on the capital, balance-sheet assets and liabilities structure, loans portfolio breakdown by type of customers (individuals/corporate), currencies, RAS/IFRS provisioning, depreciated claims, overdue loans, or risk indicators. Any potential risk drivers at credit institutions level identified following the assessment performed by the SD on the information received (from supervisory reporting, other institutions or customers complaints) may be subject to further analysis and checks, performed through unscheduled on-site missions. Unscheduled on-site inspections are usually carried out when during the regular off-site monitoring processes detect a significant deterioration of the prudential or financial position of a bank, or when there are suspicions regarding violations of the regulatory framework. Also, ad hoc on-site inspections were carried out when customer’s complaints (not involving customer’s protection legislation) were received or other parties highlighted operational or reputational risks on banks. The decision to perform such unscheduled on-site missions belongs to the SD management. EC3 The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable 39 and obtains, as necessary, additional information on the banks and their related entities. Description and The sources of information that can be used in the supervisory activities (which include the findings re EC3 above mentioned types of information) are described in the internal procedures of the Supervision Department. (See EC2) The prudential reports and other internal data used in the MIS are analyzed and assessed especially during on site missions through sampling of data and reconciliations. 39 Please refer to Principle 10. 77 ROMANIA Also, the NBR uses the information collected by credit public registers for on-site and off- site activity. Credit Risk Bureau and Payment Incident Bureau offer important support for the on-going supervisory process. Additionally, there are other IT applications developed by the SD staff and used in the off-site monitoring processes to keep track of the risk aspects derived from customer complaints or the changes in the network units of the credit institutions that are subject to notification to the NBR. The prudential reports and other internal data used in the MIS are analyzed and assessed especially during on site missions through sampling of data and reconciliations. When on-site, the inspection team collects, centralizes and processes the necessary data and materials provided by the off-site function, such as: • reports, notifications according to the legislation in the field; • information communicated to NBR by the credit institutions; • information requested by the NBR from credit institutions; • documents resulting from the exchange of information with domestic and international supervisory authorities, as appropriate; • the credit institution template, as previously described; • the risk assessment template, etc. According to Article 171 (2) of Banking Law, the NBR has the sufficient power to collect any information from CIs, in order to fulfill the supervisory competencies. EC4 The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: (a) analysis of financial statements and accounts; (b) business model analysis; (c) horizontal peer reviews; (d) review of the outcome of stress tests undertaken by the bank; and (e) analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. Description and The NBR carries out a monthly/ quarterly review of financial statements of banks through findings re EC4 the off-site assessment and during the on-site inspection where inspectors analyze the most recent available balance sheet and P&L statements. Another important output is a comprehensive set of predefined KRIs focused on the asset quality, profitability, capital adequacy, and liquidity. The Excel sheets are available in time- 78 ROMANIA series on monthly or quarterly basis, for the individual banks or for the banking system as a whole. (See CP8 EC2) With regard to the business model assessment, the off-site supervision covers the main changes in the bank’s business model strategic plan and financial ratios, based on t he bank’s regular reports as well as the measures implemented by bank in order to address findings following business model analysis performed during on-site examination in the SREP. In terms of peer group analysis, the most important indicators are computed system/peer groups averages which are used for comparison. The KRI monitoring system consists of key financial and risk indicators addressing almost all risk categories covered by SREP: credit risk, operational risk, market risk, IRRBB, liquidity and funding risks, profitability, concentration risk, capital adequacy, etc. For the most important indicators (usually for each SREP element), thresholds (statistically determined, adjusted on professional judgement) are set, along with computed system averages and peer group averages. These indicators are monitored on a quarterly even monthly basis in some cases, for each institution irrespective of category. The evolution of the patterns, the breach of the thresholds, the distance from system and peer group average, should be analyzed and reviewed in accordance with the institution’s risk profile. Supervisory actions are to be taken when the assessment identifies significant/material changes in financial conditions and/or risk profile, thresholds breaches, anomalies in the behavior of indicators, etc. These actions could be, on case by case basis, the following: • Dialogues/meetings with institution; • Early intervention measures; • On-site visits; • Requests of relevant information/ explanations, more frequent reporting. The regular assessment performed based on the monitoring of KRIs could be used in order to review the assessment of the relevant SREP element and could change the scores assigned for that SREP element. The outcomes of the monitoring of KRIs is used as a source of information and preparation for the programmed on-site inspection (scope, samples, targets of examination, size and structure of inspection team and period allocated in order to carry out the visit etc.) Also, the data from the supervisory reports are loaded into centralized files every quarter, which serve as a source of information for the horizontal assessment with regard to the SREP scores. The centralizing of the data concerning the breakdown at risk level of the total SREP capital requirements (using the same SREP template as the one submitted for the colleges of supervisors) at the banking system level allows basic comparison between banks from the same peer group with regard the capital allocation for the risks assessed in the ICAAP/SREP. 79 ROMANIA The NBR implemented EBA SREP methodology. In terms of the review, the on-site examinations mainly assess the outcome of stress tests undertaken by the bank, and the analysis of corporate governance, including risk management and internal control systems (See CP8 EC1). Particularly with the group structure, the legislation requires credit institutions on an annual basis, to submit to the NBR the financial information related to shareholders which hold, directly or indirectly or in concert, qualifying holdings or to communicate to the NBR through interbank communications network, a statement of all shareholders (identity, residence and citizenship for individuals, nationality and address, for legal entities, the number and value of shares held, the percentage of participation in the share capital and of the voting rights). Follow up for the identified deficiencies/vulnerabilities and the related measures is performed both at the on and offsite level. The findings are formalized and communicated to the bank’s management and remedial actions are imposed through written orders or supervisory letters of the senior management of the NBR. EC5 The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system- wide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. Description and The NBR discusses potential risks at the banks and remedial strategies on a continuous findings re EC5 basis. Potential vulnerability identified following the off-site monitoring is communicated with the banks involved, mainly at the level of SD management through direct calls or ad- hoc meetings with the credit institutions top management. Emerging risks at the bank/system level are treated through letters of recommendation sent to the banks. The charts and the “traffic lights” within the KRIs templates, including industry average and supervisory benchmarks of each indicators are communicated with banks. More importantly, the SD may send written warning letters to all banks that may be affected by a certain vulnerability. For example, in cases where the level of prudential indicators is in the proximity to the regulatory limits, when counterfeit documents such as payment instruments, warranty letters were identified in the banking system, when the number of the managers decreased below the minimum regulatory in order to appoint new managers within the period of two months as prescribed by the regulation framework in force, etc. The NBR meets the bank’s representatives on an ad hoc basis and/or regular basis and, in some cases, requires enhanced reporting on special items (e.g., intra-group transactions, exposures to certain governments, legislative initiatives—payment in kind, Swiss franc conversion etc.). The supervisors meet external auditors of banks on a quarterly basis to discuss weaknesses in the banking system and/or specific banks and broad supervisory issues. 80 ROMANIA Stress tests are performed regularly at the individual bank level in the ICAAP context and system-wide level by the FSD. During the SREP process, the output of the stress tests is used for imposing supervisory measures, including setting higher minimum capital adequacy ratios. The SD does not have dedicated tools for supervisory bottom up stress-tests nor for financial simulation. However, the stress test buffers set by the banks and included in the ICAAP results are assessed. The SD analyzes the outcome of the stress tests performed by the institutions as part of their capital planning and determines if they prudently evaluated the impact of the adverse scenarios on their available capital and on their Pillar 1 and Pillar 2 capital requirements, in order to establish whether the TSCR and OCR ratios can be met over the planning horizon (usually 2–3 years). If not, adequate and credible action plans are then established by the bank. EC6 The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. Description and Internal audit function’s quality and effectiveness is periodically assessed through on site findings re EC6 missions and ad hoc meetings with the head of department or Audit Committee members. Given that the internal audit function is assessed annually in the on-site inspections, contact with the head of this function takes place regularly in order to assess the effectiveness and efficiency of the internal audit and to gather additional information on the risk exposures identified through internal audit missions, corresponding remedial actions and the quality of internal controls. Off-site analysis are performed in order to identify areas of potential risk based on the data submitted by banks to the NBR through the reports about the conditions on which internal controls was performed, with a distinct presentation of the aspects related to the internal audit function (i.e., deficiencies identified within the function of the internal control system and the measures taken to correct those; a description of the material changes within the function of the internal control system during the respective period; a description of the conditions for applying the control procedures inherent to new activities; performance of internal control within the secondary premises of the credit institution operating abroad). The banks’ internal audit reports deliver information regarding the audit engagements performed in the respective period along with the conclusions and recommendations of the internal audit and implementation suggested by the management body of the credit institutions. The internal audit reports are used as preliminary inputs into the supervisory assessment and the potential areas of risks are further investigated by the supervisory team. In Romania, the internal audit managers are subject to NBR’s prior approval by legislation (NBR Regulation No. 6/2008). Individuals in middle level management positions performing important activities in banks need approval by NBR and the internal audit activities are one of the key functions. EC7 The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, nonexecutive Board members and senior and middle management (including 81 ROMANIA heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. Description and The NBR has regular meetings with the bank’s senior and middle management , and other findings re EC7 representatives. Subjects such as strategies and business model are challenged and discussed with the bank’s senior management and board members. There are various forms of contact between the supervisors and the bank management, internal auditors and different bank committees. Meetings are held between the NBR`s senior management and the credit institution board’s members to discuss broad issues such as the strategic plans of the credit institution, the risks aroused in the banking system that can pose a threat, while other meetings are held in the course of on-site inspections and off-site surveillance. During the on-site missions, the contact with the members of senior management and of various committees of the bank is made when various SREP elements are examined, in order to get a better perspective on the risks to which the bank is exposed, the internal controls put in place, the projected or implemented changes in the business or risk strategies, the status for various action plans resulting from internal risk assessments, internal and external audit reports, supervisory reports etc. The meetings usually take place at the beginning of the on-site mission and throughout the supervisory mission whenever the need arises. In off-site supervision activity, these meetings are held as needed to clarify technical matters on different problems, monitor the correction of irregularities or share views on specific issues. EC8 The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. Description and All the findings of the supervisory work are formalized in writing through letters or reports findings re EC8 and are discussed with the bank’s management. The NBR also has at all levels, regular/ ad - hoc meetings with the bank’s senior and middle management and other representatives to communicate the findings of its supervisory analyses. The off-site supervisory analyses are also communicated on at least a quarterly basis. When necessary, the findings of the external auditors are also discussed with the bank’s management. (See EC5 and 7) However, there is no systematic process of regular meeting with nonexecutive/ independent members after on-site examination to discuss findings and the remedial actions. Contact with such members rarely occur during on-site missions. (See CP 14) 82 ROMANIA EC9 The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. Description and Follow up for the supervisory measures are performed as a part of the on-site and off-site findings re EC9 activities, based on the documents provided by the banks and correlate with the deadlines imposed for the implementation. In Romania, sanctions are imposed on the responsible entities within the bank/senior management and/or bank’s board members in case of failure to adequately implement the prescribed measures on timely manner. A dedicated section to disclose the sanctions disposed by the supervisory authority to the credit institutions is available on the NBR’s website (http://www.bnro.ro/Sancțiuni-emise-de-BNR-12553.aspx). Assessors saw cases that the sanctions are imposed to all board members and senior managements when the failure of implementation of the supervisory measures occurs. EC10 The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. Description and Notifications or prior approval on certain activities are required by the regulatory findings re EC10 framework in place and may happen in practice, covering a wide range of topics. Some of the changes that occur are subject to the NBR’s prior approval. The requirements are described in detail in the NBRs and other EU regulations in force. (e.g., NBR Regulation No. 6/2008 Article 3 and 4). EC11 The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. Description and According to the banking legislation independent third parties (financial auditors, experts) findings re EC11 can be used in the supervisory process, but the final prudential responsibilities remain with the supervisory authority (Article 170 of Banking Law). There have been no such cases to date. The external auditors’ main involvements concern the audit of the annual financial statements. Usually, the management letter is submitted by the credit institutions to the NBR or presented during the on-site missions. Instead, there are certain requests addressed by the SD directly to the credit institutions which need the certification of results from the external auditors. (i.e., NPLs identification, collaterals evaluation, stress—test exercise in order to estimate the expected impact over the exposures as of June 2017 following the IFRS 9 implementation). Also, the NBR has already started organizing meetings with financial auditors of credit institutions, where exchange of information of common interest takes place such as 83 ROMANIA developments at the credit institutions level in external auditor’s portfolio concerning the main risk areas. EC12 The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. Description and A broad range of financial information and prudential reports is monitored and processed findings re EC12 by a Banking System Assessment, Methodology and Supervision Procedures Division within the SD, the results of this activity being shared regularly with the department’s management and the onsite and offsite teams. The SD mainly uses three electronic systems for collecting primary indicators from the credit institutions, processing and dissemination of the results, and also, to warehouse the documents and databases, as follows: • ABACUS - for the financial information and prudential reports of the credit institutions which have consolidation perimeter (FINREP at a consolidated level, COREP, Liquidity Coverage Ratio (LCR), Large Exposures, NSFR, AE, ALMM); • SIRBNR - for the financial reports of the other Romanian credit institutions, legal entities, at individual level, and branches in Romania of Member State and third- country credit institutions and also, for other prudential reports (such as benchmark remuneration, high earner remuneration); • RCI - for prudential reports (individual COREP) of the credit institutions and banks’ internal regulations, accounting balances and ad-hoc reports requested by NBR. These systems facilitate analysis of prudential information and aid the identification of areas requiring follow-up action. Additional criteria AC1 The supervisor has a framework for periodic independent review, for example by an internal audit function or third-party assessor, of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. Description and The adequacy and effectiveness of the supervisory process is periodically assessed by EBA findings re AC1 and the internal audit function within the NBR. The effectiveness and adequacy is assessed mainly by EAB and more technical areas such as IT data securities or work flows based on internal procedures are audited by internal audit function once every 2 –3 years. Recommendations for improvements are properly addressed and are subject to follow up by the aforementioned entities. Assessment of Largely Compliant Principle 9 Comments The SREP methodology in Romania deploys a good mix of onsite and offsite supervisory tools and NBR has established a comprehensive range of supervisory tools and techniques to implement RBS approach. The NBR has broad information collecting power by legislation and the Central Credit Register allows supervisors to access high-granularity data. 84 ROMANIA The SREP is a core supervisory tool of banking supervision in Romania. However, the process of ensuring consistency and accuracy of scoring, findings and supervisory measures across different banks is weak. Concluding the SREP assessment, the annual supervisory report (containing supervisory findings and measures) is issued annually. The draft is sent to banks within 60 working days with the review of head of inspection division. After further discussion with banks and receiving official response from banks, the final report is issued within two weeks with the signature of director of supervision. Meanwhile, the SREP summary report is reported to the fist deputy governor. During this process, there is no structured/independent review to ensure consistency and accuracy on scoring, findings, and measures of the supervisory report. Considering the recent adoption of the EBA SREP methodology in Romania, the quality assurance procedure is critical. Furthermore, given that SREP is first and foremost a methodology for assessing capital adequacy, other proactive supervisory approach may also need to be considered in company with SREP (See CP8). With regard to the off-site function, it is designated to monitor the developments of the bank’s overall risk profile and its components through the analyses performed based on financial and prudential indicators. However, a significant part of this off-site function also includes the approval/rejection of requests concerning amendments in bank’s situation (e.g., persons nominated to exercise administration and/or management responsibilities, key function holders, acquisition of qualifying holdings, financial auditors, completion of the core business). For example, the NBR has interviewed approximately 1,700 board members, executives, middle managers (key function holders) from 2009 to 2017. More than half of the interviewees were middle managers. This responsibility, despite positive benefits, could limit to a certain extent, the ability of the NBR to maintain a thorough and deeper analysis of the risks that banks, banking group and banking industry are facing. Regulatory cost and benefit exercises may be warranted in respect of optimum allocation of supervisory resources. The NBR also has regular/ ad-hoc meetings with the bank’s senior and middle management and other representatives to communicate the findings of its supervisory analyses. However, there is no systematic process of regular meeting with nonexecutive/ independent members after on-site examination to discuss findings and the remedial actions. Contact with such members occurs less often during on-site missions. Given that in many cases the board of directors comprises mostly nonexecutive members and NBR’s supervisory work heavily relies on the annual examination, it is critical to keep them informed of the main findings and possible remedial actions promptly after on-site visit. (See CP 14) The authorities should consider the following activities: • Ensure consistency and objectivity in SREP score, findings and supervisory measures (e.g., establish the independent review unit, develop on-site and off-site supervisory assessment handbook, and improve an electronic platform to more effectively manage findings, measures, and follow-ups). 85 ROMANIA • Review the off-site activities regarding various approval process within SD for supervisors to better focus on its qualitative risk analysis. • Intensify engagement with nonexecutive/independent board members as part of the on-site examination process (See CP 14). Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns40 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. Essential criteria EC1 The supervisor has the power41 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. Description and According to Article 153, 165, 59, and 171 (2) of Banking Law, the NBR is statutorily findings re EC1 empowered to collect financial statements and other data and information from credit institutions (CIs), on both a solo and a consolidated basis, as required by the NBR. The EU harmonized supervisory reporting requirement establishes uniform requirements for supervisory reporting to competent authorities for the following areas: (a) own funds requirements (capital adequacy) and financial information; (b) losses stemming from lending collateralized by immovable property; (c) large exposures and other largest exposures (counterparty, sectoral, geographical); (d) leverage ratio; (e) liquidity coverage requirements and net stable funding requirements; (f) asset encumbrance; (g) additional liquidity monitoring metrics. NBR Regulation No. 5/2013 doesn’t provide derogations or exemptions from the applications, on an individual basis, of the prudential requirements specified by Regulation (EU) No. 575/2013, irrespective of consolidated supervision being applied or not. All banks are required to prepare and deliver common reporting (COREP) based on the harmonized European supervisory reporting framework, provided for in the CRD and EC regulations on reporting, that encompass a comprehensive range of information for the supervisor to perform a risk assessment. The reporting requirements are defined by EBA ITS on supervisory reporting, which were introduced in Q1 2014 and are being phased in over a number of years. Frequency varies between reporting from monthly (liquidity) to quarterly and semi-annual or annual for some individual templates. 40 In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27. 41 Please refer to Principle 2. 86 ROMANIA According to EBA ITS on supervisory reporting, COREP data must be reported on both a solo and consolidated basis by all banks, while FINREP is mandatory for banks at consolidated level only. Solo level reporting remains national discretion, but reporting templates in Romania (in case of solo FINREP) are consistent with those at consolidated level. COREP covers capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector and geography), asset quality, loan loss provisioning, related party transactions, and market risk, while FINREP covers, inter alia, on- and off- balance sheet assets and liabilities, and P&L42. The NBR also has power to require regular reporting outside the scope of the ITS on supervisory reporting and banks are compelled according to the Banking Law to transmit to the NBR any information required by the latter in order to perform its responsibilities established by law. The additional reporting requirements compliments the scope of the ITS on supervisory reporting. EC2 The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. Description and The Romanian banking system is required to report financial information based on the findings re EC2 IFRS at consolidated level since January 2006 and at individual level since January 2012. FINREP reporting templates for supervisory purposes are based on the IFRS both at the solo and consolidated level. Reporting instructions for consolidated level are included in Commission Implementing Regulation (EU) No. 680/2014 that contains detailed instructions for the submission of supervisory reporting. Reporting instructions on a solo basis are included in the National Regulation (NBR Order No. 6/2014 regarding the FINREP individual financial statements, NBR Order No. 5/2014 regarding the financial information reporting of branches of CIs having their headquarters in other Member States). EC3 The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. Description and According to Article 24 of CRR, the valuation of assets and off-balance sheet items shall be findings re EC3 effected in accordance with the applicable accounting framework. The NBR introduced IFRS for all CIs in 2012, and the measurement of fair values and valuation rules are also determined on the grounds of IFRS requirements. Article 105 of CRR stipulates that a comprehensive range of requirements for prudent valuation and Article 34 requires that CIs shall apply the requirements of Article 105 to all assets measured at fair value when calculating the amount of their own funds and shall 42 FINREP also covers templates on asset quality. 87 ROMANIA deduct from Common Equity Tier 1 capital the amount of any additional value adjustments necessary. NBR Regulation No. 5/2013 also requires that the management body be actively involved and ensure that adequate resources are allocated to address all the significant risks addressed in this Regulation and CRR as well as for the purpose of asset valuation, the use of external ratings and internal models relating to those risks, providing the legal basis for governance arrangements and control processes for the valuation. NBR order No. 6/2014 (methodological norms point 2) also requires that CIs prepare FINREP individual financial statements that give a true and fair view of the position and financial performance of credit institutions for the related period. Adherence to the IFRS valuation standards (mainly IAS 39, IFRS 13) and other regulations is assessed during on site missions. The assessment also includes the existence of an adequate independent validation of methodologies. In case of inappropriate practices, supervisory measures were imposed, including adjustments of the provisions level or of the capital. EC4 The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. Description and The information submitted to the NBR has the frequency and structure of the EU findings re EC4 harmonized reporting framework from monthly to quarterly, and semi-annual or annual for some individual templates. In the EU reporting framework, the frequency of the submissions is set differently depending on the complexity of the information, the size (including different reporting templates) and the risk profile of banks (higher frequency for the banks with a higher risk profile). In Romanian context regarding prudential reports for supervisory purposes, the scope and periodicity are the same for all credit institutions, except the branches of credit institutions having their headquarters in other Member States; these are not subject to reporting prudential information to NBR under Regulation (EU) No. 680/2014. (See EC1). The NBR occasionally requires banks to submit additional information more frequently such as daily liquidity reporting, or more granular NPL data as deemed necessary. EC5 In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). Description and The harmonized European reporting framework covers the issues that this EC requires in findings re EC5 Romania. Standardized regulatory returns under the Romanian and EU regulatory framework, COREP, FINREP at consolidated level define reporting dates and periods and reporting requirements for all credit institutions. In the case of solo FINREP, the reporting templates are consistent with those at consolidated level. After collection, the data is used for diverse analytical outputs such as risk indicators, trends, peers, stocks, and flows. 88 ROMANIA EC6 The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. Description and The Banking Law provides the legal authority for NBR to require all the information findings re EC6 needed to perform its activity. According to Article 169 Index 1 paragraph 2 and Article 226, the NBR is empowered to request additional or more frequent reporting . The national regulatory framework allows it to request from banks any information deemed necessary to perform the individual and consolidated supervision of banks and banking groups. EC7 The supervisor has the power to access43 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. Description and Supervisors have access to any kind of information that is considered useful for findings re EC7 supervisory purposes. Also, there are no restrictions on the access to the bank’s Board, management, and staff. According to Article 171 (1), CIs are compelled to allow the NBR to examine their reports, Accounts, and operations and to provide all documents and information related to the activity performed, as requested. Article 171 (2) states that CIs shall transmit to the NBR any information required by the latter, to assess their compliance with the prudential requirements of the Banking Law and CRR and with the applicable regulations. The internal control mechanisms and administrative and accounting procedures of the CIs also shall permit, at any time, the verification of their compliance with such rules. EC8 The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. Description and EU harmonized reporting rules define reporting reference dates and the reporting and findings re EC8 corrections shall also be submitted to the NCA without undue delay. In the off-site process of NBR, any report received from a Credit Institution (CI) has to be reviewed with regard to possible discrepancies. Inconsistencies have to be clarified with the credit institution. If the data provided is inconsistent, resubmission may be requested. The staff from the SD surveys the banks’ compliance with deadlines for each repor ting date. Also, there is a cross check of the submission situation by each bank/type of reports/reporting date carried out by the Banking System Assessment, Methodology and Supervision Procedures Division. When a report is delayed, the submission is allowed only after the assessment and the approval process. When the credit institution fails or is late in submitting the reporting data the NBR contacts the bank and sets a deadline for the correction and resubmission of the report. 43 Please refer to Principle 1, Essential Criterion 5. 89 ROMANIA During the evaluation process of data quality, the bank supervisor involved in this process informs management of any issues in the validation process depending on the importance of the problems occurred and the degree of difficulties. After the deadline, management involvement is expected when the credit institutions did not comply with the reporting deadline or the quality requirements. The supervisory authority can impose measures and sanctions when the reports received are not compliant with the reporting framework in place (Banking Law Article 228 Paragraph 1). The management of the bank is held responsible for the late or missing or inaccurate reports. In the off-site activity, when a supervisor has noticed mistakes within the credit institutions reports, as the credit institution didn’t meet several requirements of the legal framework applicable (ITS 680/2014 laying down implementing technical standards with regard to supervisory reporting of institutions as regards instructions, templates and definitions), a supervisory report is concluded in order to solve the deficiencies identified within a certain timeframe. Following the recommendation issued based on the conclusions from the said supervisory report, the credit institution has to resubmit the reports. Depending on the gravity of the findings, actions are taken by NBR and measures are disposed after the conclusion of the on-site mission and based on the findings filled in the supervisory reports. The NBR Regulation No. 5/2013, Article 11 stipulates that the management body defines, oversees and is accountable for the implementation of the governance arrangements that ensure effective and prudent management of a credit institution, including the segregation of duties in the organisation and the prevention of conflicts of interest. Also, the management body must ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards. EC9 The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a program for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external expert s.44 Description and Validation rules for COREP and FINREP reporting are applied on submission. findings re EC9 Resubmissions are required for in cases of errors and noncompliance with the validation rules. Following receipt of the data, the NBR carries out a program of plausibility checks (comparison to previous periods and using available information), focusing on data sets that are of greatest importance, such as capital adequacy, liquidity, and FINREP returns. In particular, the staff from the SD observe the banks compliance with deadline for each reporting date. Also, there is a crosscheck of the submission situation by each bank/type of reports/reporting date carried out by the SD. During the reporting process, the 44 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 90 ROMANIA fulfillment of the validation is checked online and a message is automatically generated by the system about the failed validation, message that is also received by the reporting entity. When a blocking validation fails, the credit institution report is not accepted by the system and the reporting entity takes measures to solve the issues. When a submission is successful, the supervisory staff also assesses the failed nonblocking validation rules, should it occur. If the result is satisfactory, the report is marked as validated (there is signoff function to be activated). If not, the credit institution will be contacted to solve the reporting issues. The supervisory staff in the SD verifies the correctness, reasonability or plausibility of the reasoning for the failed validation and contact the credit institution for additional explanation, as needed. Supervisory information is regularly tested through on site and off site analysis, including through sampling. When necessary, external auditors are requested to perform limited scope audits of the financial situations of some banks (without being commissioned and under a formal supervisory mandate) and the outcome of the assessment is submitted to the NBR. EC10 The supervisor clearly defines and documents the roles and responsibilities of external experts,45 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. Description and The NBR can assign external experts or auditors for supervisory tasks (Banking Law findings re EC10 Article 170 (1)), but in practice there were no such cases. The regulations define the framework under which supervisory tasks can be delegated to financial auditors Banking Law Article 170 (2). However, there are no comprehensive guidelines/criteria for hiring third parties to conduct supervisory tasks in place of, or for assessing the quality of the work performed by those experts. EC11 The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. Description and There is a provision (Banking Law Article 156) that the financial auditor of a credit findings re EC11 institution shall inform the NBR while performing his duties, as soon as he encounters any fact or decision concerning the credit institution which is liable to: (a) constitute a material breach of the law and/or regulations or other documents issued for its application, which lays down the conditions for authorization or requirements related to the pursuit of activity; (b) affect the functioning of the credit institution; and (c) lead to the financial auditor’s refusal to express an opinion on the financial s tatements or to the expression of reservations. 45 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts. 91 ROMANIA However, there is no explicit requirement in the law that external experts promptly bring to the NBR’s attention any identified material shortcomings during the course of any work undertaken by them for supervisory purposes. However, the use of external experts in this regard is very rare. EC12 The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. Description and The reporting formats are developed by the EBA and are issued under a Regulation which findings re EC12 is directly applicable to all credit institutions across European Union. The format and content of the reporting formats are periodically reviewed both at the initiative of the EBA and of the NCAs. The authorities mentioned that the information collected (except the one collected according to the common European reporting framework) is frequently reassessed in order to determine its relevance and comprehensiveness for the supervisory purposes. The emergence of new risks drivers has determined changes in the ad hoc reporting requested from the banks (litigations, payment in kind etc.). 46 However, there is no explicit assessment process in place to periodically review the prudential returns (except the one collected according to the common European reporting framework). Assessment of Largely Compliant Principle 10 Comments The Banking Law provides the legal authority for NBR to require all the information needed to perform its activity. The Romanian banking system has been required to report financial information based on IFRS at consolidated level since 2006 and at individual level since 2012. The supervisory reporting/ validation rules and templates are mainly governed by a harmonized EU reporting framework. In case of solo FINREP, as required by the national legislation, the reporting templates are consistent with those at EU reporting requirements. The supervisory staff verifies the reports through off-site and on-site examination. Authorities indicated that there are ongoing projects in many banks related to the improvement of data warehouse. In order to further assure that the reported information is accurate, comprehensive and consistent, the banks should keep upgrading the system and implement a large variety of controls. The NBR also needs to keep providing feedback on data quality assessments to banks. 46 Then NBR mentions that all additional prudential returns were required by SD based on the need to know basis. When the information required was not anymore needed, letters have been submitted to banks in order to stop the reporting obligation. 92 ROMANIA There are no explicit guidelines/criteria for hiring third parties who conduct supervisory tasks to assess the quality of the work performed by those experts, or obligating them to report to the NBR promptly any material shortcomings identified. Although the NBR has not used external experts for supervisory tasks, the issuance of such guidelines could be contemplated if the use of third parties were to increase. Also, there is no explicit/regular evaluation process in place to periodically review the information collected to determine that it satisfies a supervisory need particularly in the case of additional prudential returns (except the ones collected according to the common European reporting framework). The authorities should consider the following activity: • Develop rules and processes for hiring external experts, including the process of the quality control and avoiding conflicts of interests. • Perform a periodic review of whether the prudential returns (required outside of European reporting framework) satisfy a supervisory need. Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. Essential criteria EC1 The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. Description and In accordance with the internal procedures of SD, the team discusses the findings with findings re EC1 banks at the end of the on-site examination. After completing the draft supervision report, the findings are sent to the bank and the bank sent observations and comments. Not all observations and comments from bank may be included in the final version of the report The proposals of the SD can be materialized into sanctions, measures, and recommendations through written orders sent to the management of the bank. Where significant corrective actions are identified, the authorities stipulate by written order that these measures/actions be presented to the board. However, the NBR order is not directly submitted by the NBR in a written document to the bank’s Board. The recommendations and corrective measures (through written orders) are monitored by the NBR. Moreover, the bank is required to prepare an appropriate action plan to address all the issues from the examination report (supervisory report) that were not included in the order after the completion of the supervisory report. The banks are obligated to 93 ROMANIA inform the NBR in writing about the remedial status of the measures from the orders and action plans within specific timeframe. One of the objectives of the on-site examination during the next on-site examination is to assess if the measures have been implemented. During the ongoing off-site activities, written explanations and corrective measures are required to be sent to the bank if supervisors identify changes in the financial situation, prudential ratios of a bank or other difficulties or negative developments that can affect its activity. The NBR routinely monitors the efficiency and effectiveness of the measures put in place. If an off-site staff identifies issues during an ongoing supervision that indicates high risk exposure or activity by credit institutions due to noncompliance with the regulations in force, a supervision report will be prepared. With regard to the operational procedure of the SD, on the basis of the findings of the inspection team, the supervisory draft report should be finalized within a period of 60 working days after the on-site assessment ends. This draft is sent to the inspected credit institution for the “right to be heard” stage in which the bank can make observations. The final draft should be finalized within 10 working days of the discussions with the credit institution or after the team receives the additional documents submitted by the bank including clarification from the specialized departments of the central bank on how to interpret the legal provisions that are likely to be applied to findings from the inspection action. After the signed version of the report is received, a consolidated note will be drawn by the members of the inspection team within 15 working days; this note includes a summary of the findings and the proposal regarding the supervision measures, sanctioning measures, and recommendations. However, this time frame is not consistently followed by the SD. EC2 The supervisor has available47 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. Description and The NBR has the tools necessary to require corrective actions of credit institutions or to findings re EC2 impose sanctions. If a CI does not comply with the requirements per banking law, the regulations issued in their application, or in the event that the NBR has determined the CI will unlikely comply with the aforementioned provisions, then the NBR may require a CI to undertake the necessary steps to remedy the deficiencies. 47 Please refer to Principle 1. 94 ROMANIA According to Article 226 from Banking Law, in the past two years the NBR imposed supervisory measures regarding the business management framework and the internal capital adequacy assessment process, as follows: • Maintaining own funds at a level higher than the minimum capital requirements • Reducing the risk inherent to activities, products and systems • Implementing a specific provisioning policy or treatment of assets • Submitting a plan for restoring compliance with supervisory requirements With respect to escalation policies in response to the accumulation of risk, the NBR underlines the provisions of the Banking Law stating that measures and sanctions shall be effective and proportionate with the acts and irregularities, taking in consideration the gravity and consequences, as well as the personal and circumstances of the committed deed, having a dissuasive effect. Therefore, should the credit institution not comply with the measures imposed by the NBR, the supervisory authority can take more restrictive actions in order to respond to the accumulation of risk, applying the provisions of Article 226 paragraph 3 from the Banking Law. These measures include but not limited to: • Require the CI to hold own funds in excess of the requirements; • Require the CI to apply a specific provisioning policy or treatment of assets in terms of own funds requirements; • Restrict or limit the business, operations or network of CIs, including by withdrawal of the approval granted on establishment of branches abroad, or to request the divestment of activities that pose excessive risks to the soundness of a credit institution; • Require the CI to reduce of the risk inherent in its activities, products and systems; • Require the CI to limit variable remuneration as a percentage of net revenues inconsistent with the maintenance of a sound capital base; • Require the CI to use net profits to strengthen its own funds; • Require the CI to replace the individuals appointed to conduct the branches of the CI; • Limit qualifying holdings in financial or nonfinancial entities where the CI is bound to sell them; • Require the CI to present a plan to restore compliance with supervisory requirements detailing the steps and actions to be taken, and set a deadline for their implementation; • Limit or prohibit distribution by the CI of profit from distributable item to shareholders or to their members, and/or interest payments to the holders of Additional Tier 1 instruments, where the prohibition does not constitute an event of default of the credit institution; • Impose additional or more frequent reporting requirements including reporting on capital and liquidity positions; • Impose specific liquidity requirements including restrictions on maturity mismatches between assets and liabilities of CIs; • Require additional disclosures to CIs etc. 95 ROMANIA The administrative penalties that can be applied include the following Article 229 Paragraph 1: • Written warning; • A public warning indicating the natural person, the CI, the financial holding company or the mixed financial holding company responsible and the deed committed; • Administrative pecuniary penalties of up to 10 percent of the total annual net turnover including the gross income; • In the case of a natural person, administrative pecuniary penalties of up to EUR 5 000 000, to the corresponding value in the national currency on July 17, 2013; • Withdrawal of the approval granted to the key persons referred to in Article 108 paragraph (1) of Banking Law; • Administrative pecuniary penalties up to twice the amount of profit gained, where determinable. The sanctions that can be applied include the following Article 229 Paragraph 2: • An order requiring the natural or legal person responsible to cease and desist from a repetition of the conduct in question; • Temporary ban in exercising functions in a credit institution by persons referred to in Article 108 paragraph (1) or by persons appointed to head the branches of the credit institution, held responsible for committing the deeds. • Withdrawal of the authorization granted to the credit institution, in accordance with the provisions of Article 39; • Suspension of voting rights of the shareholders or of the responsible shareholders. In practice, the NBR actively imposes sanctions and measures to banks and relevant individuals and discloses them on its webpage (http://www.bnr.ro/Sanc%c8%9biuni- emise-de-BNR-12553.aspx). EC3 The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. Description and The powers of the NBR granted by Banking Law are available when the CI is in breach of findings re EC3 the requirements and when the NBR has evidence that the bank is likely to breach the requirements within the next 12 months Article 226. Specifically, the NBR is able to dispose a CI to undertake the necessary steps to remedy the deficiencies in the following situations: • The credit institution does not comply with the requirements laid down in Banking Law, in CRR, and the regulations issued in their application; • The NBR has indications that it is likely that the CI will not comply with the above- mentioned provisions. 96 ROMANIA Based on SREP methodology, the NBR also determines to what extent the management framework, strategies, processes and mechanisms implemented by a CI, the own funds held and its liquidity, ensures prudent management and adequate coverage of the risks in relation to the CI's risk profile. The NPR has a wide range of options to address the bank’s breach of threshold requirements and to prevent it from reaching its threshold (See EC2). For example, NBR often requested that banks maintain own funds at a level higher than the minimum capital requirements, reduce the risk inherent to activities, and setting up specific requirements, etc. EC4 The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. Description and The NBR has a broad range of possible measures to address, at an early stage, such findings re EC4 scenarios as described in essential criterion 2 above (See EC2 and EC3). Applicable in this case can be the provisions of Banking Law Article 226 by which the NBR shall require any CI that does not meet the requirements of Banking Law, of the regulations or other administrative provisions issued for the application thereof, or fails to comply with a recommendation of the NBR, to take the necessary actions at an early stage to address the situation. In this respect, the NBR may require the CI to comply with the reinforcement of the arrangements, processes, mechanisms, and strategies implemented in accordance with Article 24 and Article 148. In accordance with the Article 39 from Banking Law, the NBR may withdraw the authorization granted to a CI in case of breaching the prudential requirements stipulated in part III (capital requirements), IV (large exposures), and VI (liquidity) from CRR. Along with the withdrawal of the credit institution’s authorization, the NBR shall order the dissolution and windup of the credit institution as per Article 44 and Article 255 from Banking Law. Also, Law No. 312/2015 (Recovery and Resolution Law) contains provisions under the NBR, as a competent authority, has at its disposal a range of early intervention measures. Further, Article 149 paragraph 1 states that the NBR, as a competent authority, may require changes to the legal or operational structures of the credit institution. Per Article 153, the NBR may appoint one or more temporary administrators to the credit institution. 97 ROMANIA Thus, the NBR has an appropriate range of supervisory tools available for use when a credit institution is not complying with laws, regulations or supervisory actions. Among the measures required by the EC4, the NBR, as a competent authority, does not have the explicit power to facilitate a takeover by or merger with a healthier institution per Banking Law. A competent authority cannot impose on CIs any measures regarding the merger process or acquisition by a third party per Banking Law. Purchase and assumption transactions are possible resolution instruments according to Law No. 312/2015. When determining the type of sanctions, administrative penalties and fines, the NBR shall take into account relevant circumstances on the commitment of the offence, inter alia, the gravity, and the duration of the breach Article 225 paragraph 4. Where written orders or decision to impose sanctions on banks or individuals are issued, the first deputy governor of the NBR has full responsibility in determining the types of measures and sanction to be taken. Upon completion of on or off-site supervisory activities, the inspection team shall consolidate its findings and propose supervisory measures and sanctions to the first deputy governor for approval. The inspection teams may at times consult the legal department for additional guidance and discuss within the supervision department, as needed—the decision to involve other departments and parties is made solely by the inspection team. EC5 The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. Description and In accordance with Article 225 from Banking Law, the NBR may adopt measures and findings re EC5 impose sanctions aimed specifically at ending observed infringements or the causes of such infringements against a CI or persons effectively controlling the business of Cis that infringe laws, regulations or other administrative provisions issued for the application thereof concerning the supervision or pursuit of their activities. According to Article 229, the NBR may apply various types of sanctions/penalties through written warnings such as withdrawal of approval granted, financial penalties, cease and desist orders, etc. (see EC2). The enforcement of sanctions does not remove the material, civil or penal responsibility. The sanctioning powers are exercised and applied to banks, management, and/or the Board, or individuals. EC6 The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. Description and In accordance with Article 166 of Banking Law, the NBR assesses the risks to which the CI findings re EC6 may be exposed and if it identifies risks related to the operations carried out with the parent company. In such cases, the NBR may dispose measures, provided by Article 226 paragraph 3 (e) in the Banking Law, to require the CI to reduce the risks associated with its operations, products and systems, to limit or prohibit the distribution by the CI of profit from distributable elements as defined in Article 4 paragraph (1) point 128 of CRR, to its 98 ROMANIA shareholders or members, and/or the payment of interest to the holders of Tier 1 capital instruments should the prohibition not be a default for the credit institution. (See EC2) The provisions of Article 230 (1) state that where persons holding qualifying holdings in the CI no longer fulfill the requirements regarding the quality of the CI's shareholding or exercise and considered an influence that may jeopardize the prudent management of the CI, the NBR, in addition to any other measures or sanctions that may be imposed on the CI or the persons exercising its management and management responsibilities, may suspend the voting rights attached to the shares held by the shareholders or members in question The NBR may dispose measures to restrict or limit the business, operations or network of CI by withdrawing the authorization issued for establishment of branches abroad or require the cessation of activities involving excessive risks to the credit institution's soundness. When the actions taken by subsidiaries, parallel-owned banking structures and other related companies could impair the safety and soundness of the bank, the NBR can limit the qualifying holdings of the CI in financial or nonfinancial institutions where the credit institution is bound to sell them. EC7 The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). Description and The NBR, as the competent authority, has responsibilities of cooperation with relevant findings re EC7 authorities in case of resolution process according to Law No. 312/2015 regarding the recovery and resolution of CIs, which transpose the provisions of the BRRD. The NBR, as a resolution authority, shall take a resolution action in relation to a CI only if it considers that all of the following conditions are met: • The NBR, as a competent authority, shall determine that the credit institution is failing or is likely to fail. For this purpose, the supervisory structure shall consult the resolution structure; • Having regard to timing and other relevant circumstances, there is no reasonable prospect according to which failure could be prevented within a reasonable timeframe, by any alternative private sector measures, including measures by an institutional protection scheme, or supervisory action, including early intervention measures or the write-down or conversion of relevant capital instruments; • A resolution action is necessary in the public interest. As for the liquidation process of CIs, the Deposits Guarantee Fund in the banking system has competencies according to Article 256 paragraph 2 from Banking Law. Additional criteria AC1 Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. 99 ROMANIA Description and The Supervision Department internal procedure regarding the operational flow of the findings re AC1 process of verification and evaluation of the management framework, strategies, processes, and mechanisms implemented by credit institutions establishes deadlines for the supervisory authority and for the banks (See EC1). However, these procedures are set by the “internal rules” of SD in NBR, not by laws or regulations. AC2 When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of nonbank related financial entities of its actions and, where appropriate, coordinates its actions with them. Description and The provisions of Article 189 of the Banking Law stated that in order to establish and findings re AC2 facilitate effective supervision at the national level of credit institutions, investment firms, and financial institutions, the NBR and the Financial Supervisory Authority (ASF) shall conclude written coordination and cooperation agreements. Considering the above, the NBR and the supervisory authorities of the financial market (ASF - Financial Supervisory Authority) signed an agreement in order to set up the rules for the cooperation between these authorities and to ensure an efficient supervision of the entities involved in banking, market and insurance activities. This agreement enables the exchange of information between the authorities and facilitates the performance of the supervisory actions on a need basis. However, there is no systematic or regular process that informs the supervisor of nonbank related financial entities of its actions. Assessors were told that the Romanian financial sector is dominated by banks and setting up the regular process is unnecessary, as a need- base cooperation is sufficient. Besides, all sanctions and written orders are disclosed on NBR webpage. Assessment of Largely Compliant Principle 11 Comments The NBR has the tools necessary to require timely corrective actions of credit institutions and to impose sanctions. The NBR has an adequate range of supervisory, sanction measures, and administrative penalties available for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations, or supervisory actions. Corrective actions and sanctioning powers are exercised in a forceful manner and a broad range of measures and sanctions have been applied to banks, management, and/or the Board, or individuals. However, regarding the internal process of measures and sanctions, there appears to be an insufficient amount of mandatory review and analysis processes needed to ensure consistency or justification of inspection outcomes and supervisory/ sanction measures across the banking system. In sum, there is no consistent internal independent review process present to ascertain that the degree/type of measures or the corrective actions are adequate according to the law and regulations. In the case that banks do not agree with the measures/sanctions, the dispute shall be entered into the NBR board. Approximately 45 cases were submitted to the board within a five-year period with 18 cases being contested in court. Some of the issues were about 100 ROMANIA clarification of findings. Thus, assessors are of the opinion that the corrective action and sanctioning regime in the NBR would benefit from adding an independent review process to assist the first deputy governor to make approvals in a more informed manner. This would also enhance the credibility of the supervisors as well as the consistency of corrective actions and sanctions. Among the measures required by the EC4, the NBR, as a competent authority, does not have the explicit power to facilitate a takeover by or merger with a healthier institution per Banking Law. A competent authority cannot impose on CIs any measures regarding the merger process or acquisition by a third party per Banking Law. Purchase and assumption transactions are possible resolution instruments according to Law No. 312/2015, All EU members may have this exception, but still considered a deficiency. With respect to supervisory follow-ups, the time frame described in the internal rules of the NBR is not always kept. Assessors note that the process of supervisory reports and written orders were sometimes delayed. The draft should be sent to banks within 60 working days according to NBR internal procedure, but many examination reports were issued to banks more than 6 months later (on average approximately 140 days in 2016), and the issuance of written orders too even longer. Assessors were told that sometimes wrap-up meetings after on-site inspection were not held in an official manner. This practice could hinder banks to implement supervisory measures in a prompt manner.48 In addition, there is no systematic or regular process informing the supervisor of nonbank related financial entities (including ASF), the NBR’s actions, and there is no process to coordinate its action with them. There is a need-base cooperation between them in this regard. The authorities should consider the following activity: • Establish an independent review process in determining written orders and sanctions to guarantee consist approach and clearer justification; introduce internal guidance to ensure more objectivity, accuracy and consistency in exercising sanctioning power and corrective actions. • Improve the post-examination process by formalizing a wrap-up meeting to convey findings that require immediate improvement or corrective actions. • Intensify engagement and cooperation with the ASF in the process of imposing corrective actions and sanctions. Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide. 49 Essential criteria 48 The NBR mentions that a wrap up meeting after on-site will be formalized to reflect the FSAP recommendations. 49 Please refer to footnote 19 under Principle 1. 101 ROMANIA EC1 The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including nonbanking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. Description and Requirements for supervision on a consolidated basis are established in CRR and CRD IV. findings re EC1 In order to prevent and reduce specific banking risks, the NBR shall carry on the prudential supervision of credit institutions (CIs) and their branches established in other Member States or in third countries, by setting rules and prudential banking indicators, by monitoring their observance and compliance with other requirements laid down by law, and by the applicable regulations on an individual basis, consolidated, or sub-consolidated basis, as deemed appropriate. As of June 2017, the scope of banking supervision covered 28 credit institutions and Romanian legal persons. These included 5 stand-alone domestic credit institutions, 1 foreign stand-alone non-EU subsidiary and 22 foreign EU subsidiaries. There are no financial conglomerates in Romania. Regarding the foreign EU subsidiaries (22), their parent banking groups in Europe are, at consolidated EU level, under the direct/indirect supervision of Single Supervisory Mechanism (SMM), Central Bank of Hungary, Polish Financial Supervision Authority, Bank of Israel, Cyprus Central bank, and the NBR. While the NBR is not serving as a consolidating supervisor, it may participate in colleges of supervisors. These colleges provide the necessary instruments for enhancing the supervision of entities within banking groups. CIs supervised on a consolidated basis by the NBR have to comply with prudential requirements based on their consolidated situation. CIs prove to their fulfilment of the prudential requirements to the NBR by means of prudential reports (COREP and FINREP according to Regulation (EU) No. 680/2014). Each CI has also to comply with prudential requirements on an individual basis, irrespective of being supervised on a consolidated basis by the NBR. The NBR conducts SREP assessments on a consolidated basis and the evaluation of activities for each member of the group and their activities within the group are examined during an annual on-site examination. The quantifiable and nonquantifiable (e.g., reputational risk) risks incurred by credit institutions as members of groups are monitored and controlled by the NBR for consolidated banking supervision. The NBR has the power to request any information from the bank subsidiaries and the parent company as deemed necessary for its consolidated supervision. However, there are currently no systematic procedures in place for the overall monitoring and assessment of contagion and reputation risks that may jeopardize the safety and soundness of the bank and the banking system. The authorities state that the contagion 102 ROMANIA risk is taken into consideration by CIs and examined by the NBR. For example, according to Banking Law, a CI shall establish internal limits on intragroup liquidity risk to mitigate the risk of contagion under stress, including for each currency used by the CI. EC2 The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. Description and In Romania, parent credit institutions as Romanian legal entities must comply with the findings re EC2 obligations provided by CRR and Directive 2013/36/EU (ICAAP) on the basis of their consolidated situation. Banking groups are subject to regulations on capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. Each credit institution, irrespective of being supervised on a consolidated basis by the NBR, has also to comply with prudential requirements on an individual basis. Prudential information is provided, on a consolidated basis, to the competent authorities according to Regulation (EU) No. 680/2014, which establishes ITS with regards to supervisory reporting of institutions according to CRR. The NBR carried out annual SREP assessments on a consolidated basis. While the NBR is not a consolidating supervisor it remains responsible for the supervision of credit institutions and may participate in colleges of supervisors. These colleges provide the necessary instrument for enhancing the supervision of entities within banking groups. Credit institutions demonstrate their fulfilment of the prudential requirements by means of prudential reports (COREP and FINREP according to Regulation (EU) No. 680/2014) sent to the designated competent authority As an off-site activity, the quarterly key risk indicators are mainly monitored on a solo basis rather than a consolidated basis. Authorities mentioned that Romanian banking sector is bank dominated and the consolidated figures are usually more prudent than a solo basis. EC3 The supervisor reviews whether the oversight of a bank’s foreign operation s by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross - border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. Description and Article 7 of NBR Regulation No. 5/2013 stipulates that within a group structure, the findings re EC3 management body of a parent credit institution as a Romanian legal entity must ensure that within the group there is an adequate framework for the management of the activity and that it is appropriate to the structure, activity, and risks of the group and its entities. In order to fulfill its responsibilities within the management framework, the management body of a parent credit institution must: 103 ROMANIA • establish a structure for the management framework that contributes to the effective supervision of its subsidiaries which takes into account the nature, scale and complexity of the various risks to which the group and its subsidiaries are exposed; • approve a policy regarding the management framework for the entire group and for its subsidiaries, including the commitment to meet all the requirements applicable to the management framework; • ensure that there are sufficient resources for each subsidiary to meet both group-level standards and local management framework standards; • have adequate means to monitor that each subsidiary complies with all applicable requirements on the management framework; • ensure that reporting lines at the level of the group are clear and transparent, especially if the lines of activity do not overlap with the organization of the group from a legal point of view. Article 8 also stipulates the responsibility for the management body of a parent institution to: • understand not only the organization of the group but also the purpose of the different entities and the links and the relations between them; • ensure that the various entities in the group (including the credit institution itself) receive sufficient information to have a clear perception of the overall objectives and risks of the group; • ensure that it is kept informed of the risks posed by the group structure. The NBR reviews whether the oversight of a bank’s foreign operations by management is adequate during the annual on-site examination. In case of cross border groups, the NBR is participating in 9 colleges of supervisors. Regarding the expertise needed in foreign operations, the NBR does not give specific guidance to Romanian banks on the soft and hard skills needed by bank officials who are posted overseas. The effectiveness of host country supervision does not seem to be assessed in the course of managing cross-border supervision arrangements on a regular basis since it has limited applicability in Romanian context. Authorities state that there is only one Romanian bank’s overseas subsidiary in Moldova and one branch in It aly so the need for regular assessments is not significant. EC4 The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. Description and In 2016, the NBR conducted onsite inspections of a Romanian bank subsidiary in Moldova, findings re EC4 focusing on credit risks and other supervisory concerns. This was the first on-site visit of the NBR to a Romanian bank’s foreign offices; the NBR met the host supervisor during these visits. To date, the lone branch operating in Italy (0.3 percent of the respective banking group’s total assets) has yet to be visited. 104 ROMANIA According to the banking law, the NBR may perform direct on-site inspections after having first informed the competent authorities of the host Member States, or may ask these competent authorities to perform this task on its behalf and participate in the inspection process, if necessary. EC5 The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. Description and In Romania, the majority of the credit institutions are subsidiaries of European banking findings re EC5 groups. Consolidated supervision of the whole group is performed by ECB while the NBR is responsible with the supervision of the Romanian subsidiary at individual and sub- consolidated levels (the credit institution authorized as Romanian legal person and its affiliates included in the prudential consolidation perimeter). Considering this, the NBR does not reach the banking holding companies or affiliated companies directly, but the measures imposed on the credit institution authorized in Romania (with respect to the capital ratio necessary to be maintained above the minimum level, to make changes in the business model, in the management body composition, restrict some activities or business lines, the limitation or even the cessation of activities involving excessive risks to the credit institution's soundness, to limit qualified holdings in financial or nonfinancial entities, where the credit institution is obliged to sell it) can affect the parent company and affiliates indirectly. According to Article 1516 of Regulation 6/2008, the credit institutions shall submit annually to the NBR and within six months of the previous financial year, the financial information related to shareholders who hold directly, indirectly, or in concert, qualifying shares. Within 30 days of the financial year end date, credit institutions shall annually disclose to the NBR through the interbank communications network, a statement of all shareholders including the following information: identity, residence and citizenship for individuals, nationality and address, for legal entities, the number and value of shares held, the percentage of participation in the share capital and of the voting rights. In cases where the parent companies are investment firms, the NBR cooperates with the Financial Supervision Authority responsible with their supervision at an individual level. The cooperation between the two supervisory authorities is regulated in the Government Emergency Ordinance (OUG) 99/2006, Articles 189–192), which stipulates the necessity of concluding written cooperation and coordination agreements. In terms of relevant supervisory actions, the NBR also is empowered to adopt various measures in this regard. For example, according to Article 294 of Banking Law, the NBR has the power to impose the sanctioning measure of a suspension of the exercise of the voting rights of the shareholder(s) responsible, in all cases stipulated in this Article. (See CP 11 EC2) 105 ROMANIA The main activities of parent companies and of companies affiliated with the parent companies are mainly reviewed during on-site examination and the NBR takes actions as deemed necessary. EC6 The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that: (a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; (b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or (c) the exercise of effective supervision on a consolidated basis is hindered. Description and When the NBR determines that arrangements, strategies, processes, and mechanisms findings re EC6 implemented by a credit institution, and the own funds and liquidity held do not ensure sound management and coverage of risks, it may take the following measures: • restrict or limit the business, operations or network of credit institutions, including by withdrawal of the approval granted on establishment of branches abroad, or to request the divestment of activities that pose excessive risks to the soundness of a credit institution; and • require the credit institution the reduction of the risk inherent in its activities, products and systems. According to Article 85 of Banking Law, if the NBR is informed by the competent authority of the host Member State of the fact that a credit institution, that has a branch or directly provides services within the territory of the Member State concerned, does not comply with the legal provisions adopted in that Member State, the NBR shall within the shortest delay take the necessary measures to ensure that the offending credit institution puts an end to that irregular situation. The nature of these measures shall be communicated to the competent authority of the host Member State. Also, the NBR may reject the application for approval of the establishment of the branch if, on the basis of information held and documentation submitted by the credit institution (a Romanian legal entity) it ascertains that the existing legislative framework of the third country and/or the manner in which it is implemented impedes the exercise of supervisory functions by the NBR. EC7 In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand- alone basis and understands its relationship with other members of the group. 50 Description and Credit institutions in Romania have to comply with the obligations provided by CRR and findings re EC7 Directive 2013/36/EU (ICAAP) on an individual basis as well as on a consolidated basis (See 50 Please refer to Principle 16, Additional Criterion 2. 106 ROMANIA EC2). In addition, credit institutions that are not subsidiaries, parent undertaking, or not included in prudential consolidation should comply with the obligations on an individual basis. The European regulation provides some derogations from the application of prudential requirements on an individual basis but these were not exercised in Romania. Additional criteria AC1 For countries which allow corporate ownership of banks, the supervisor has the power to establish and enforce fit and proper standards for owners and senior management of parent companies. Description and According to banking law Article 15 and Article 26, the NBR has the power to set and enforce findings re AC1 fit and proper standards for owners and senior management of parent corporates. (see CP5 and CP6) For example, Article 26 stipulates that in order to ensure the sound and prudent management of the credit institution in which an acquisition is proposed and having regard to the likely influence of the proposed acquirer on the credit institution, the NBR assesses the suitability of the proposed acquirer and the financial soundness of the proposed acquisition against all of the following criteria: • the reputation of the proposed acquirer, specifically its integrity and professional competence; • the reputation, knowledge, skills and experience of any person who will direct the business of the credit institution, as a result of the proposed acquisition; • the reputation and experience of any person performing management and/or running responsibilities of the credit institution, as a result of the proposed acquisition. In order to grant authorization to a CI, the NBR should be satisfied as to suitability of the persons where close links exist between the credit institution and other natural or legal persons; • the financial soundness of the proposed acquirer, in relation to the type of business pursued and envisaged in the credit institution in which the acquisition is proposed. The authorities mention that the NBR shall monitor compliance with the conditions referred to shareholders on a continuous basis and take appropriate measures if the requirements on ensuring prudent and sound management are no longer met. However, the formal fit and proper reviews for owners and senior management of parent corporates are not conducted on a regular basis after acquisition or granting licenses Assessment of Largely Compliant Principle 12 Comments In Romania, the majority of the credit institutions are subsidiaries of European banking groups. Consolidated supervision of the whole group is performed by ECB or respective authorities while the NBR is responsible for the supervision of the Romanian subsidiary at individual and sub-consolidated levels (the credit institution authorized as a Romanian legal person and its affiliates included in the prudential consolidation perimeter). While the NBR is not a consolidating supervisor, it is responsible supervision of credit institutions 107 ROMANIA and may participate in colleges of supervisors. These colleges provide the necessary instrument for enhancing the supervision of entities within banking groups. The NBR conducts SREP assessments on a consolidated basis and the requirements for consolidated supervision are established in CRR and CRD IV. The intra-group activities are examined during an annual on-site examination. However, there seems to be limited systematic procedures in place for overall monitoring and assessment of contagion and reputation risks that may jeopardize the safety and soundness of the bank and the banking system. The authorities state that this is taken into consideration by CIs. For example, a CI shall establish internal limits on intragroup liquidity risk to mitigate the risk of contagion under stress, including for each currency used by the CI. However, assessors note that some credit institutions have exposures to a group entity of around 80–90 percent of capital at a point of time. Authorities mention that those are mainly deposits to headquarters so related risk is not significant. Nevertheless, it is not clear what the supervisors’ expectations and risk tolerance are in terms of intra-group risk management without clear supervisory guidelines. In addition, as one of the off-site activities of consolidated supervision, the quarterly key risk indicators are mainly monitored on a solo basis rather than both solo and consolidated basis. In terms of fit and proper standards on the owners and senior management of parent corporates, the NBR has the power to set and enforce the standards. However, the formal fit and proper reviews are conducted in the stage of acquisition or granting licenses, and not conducted on a regular basis.51 The authorities mention that the NBR shall monitor compliance with the conditions referred to shareholders on a continuous basis, although there is no formal regular fit and proper review after granting licenses. The authorities should consider following: • Further enhance monitoring contagion and reputational risks within the banking group or establish guidelines on risk management of intra-group exposures and transactions, if needed; • Conduct off-site monitoring on a consolidated basis more frequently; • Conduct fit and proper reviews on a regular basis in case of corporate owner of banks. Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. Essential criteria 51 This fact does not weigh on grading as it is related with AC. 108 ROMANIA EC1 The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, considering the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. Description and The banking law Article 1851 authorizes NBR to establish bank specific supervisory colleges findings re EC1 as a home supervisor where needed. Locally owned banks do not have significant branches or subsidiaries abroad. No supervisory college has yet been set-up by NBR as a home supervisor. EC2 Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group52 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. Description and The legal and regulatory framework allows appropriate home-host cooperation. NBR is a findings re EC2 member of 15 EU supervisory colleges, including all significant EU subsidiaries and a significant branch (with 7 percent of assets at end 2016). MOUs have all been signed with national supervisors of countries where the largest EU banks active in Romania are headquartered (see CP 3 EC 2). The ECB / SSM has been the home supervisor of the largest EU subsidiaries and branches (72 percent of assets in 2016) since 2014. NBR actively cooperates with the ECB /SSM, even if a draft written coordination agreement governing supervisory colleges is still to be signed (draft submitted by the ECB /SSM for comments in 2017). While this process is ongoing, the provisions of existing arrangements are implemented, with the participation of ECB /SSM as home supervisor. Detailed and mandatory templates for group and individual risk assessments are included in the EU Commission implementing Regulation 2016/99 of 16 October 2015 laying down implementing technical standards with regard to determining the operational functioning of the colleges of supervisors. NBR highlighted the intensity and quality of exchanges within supervisory challenges, which is confirmed by EBA analyses. The EBA report on the functioning of supervisory colleges in 2016 highlights the effective (and improving) functioning of these colleges, including intense college interactions, detailed group risk assessments (with progress needed on the business profile component in some cases), dialogue between the consolidating supervisor and the relevant competent authorities in a multilateral setting to discuss and agree upon the proposed capital and liquidity requirements, then reflected in 52 See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected. 109 ROMANIA joint decisions which were considered well-reasoned (even if in many college mandatory risk-by-risk decomposition of the capital requirement was not shared and discussed in the college setting and liquidity joint decisions were of a lower quality than the capital joint decisions, mainly because of their less granular reasoning, particularly for the subsidiaries). EC3 Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. Description and Supervisory activities are coordinated in the context of colleges. The home and host findings re EC3 supervisors agree on the annual SEP, as contemplated by CRD IV Articles 99 and 116. For this reason, each competent authority provides its scheduled annual supervisory activities (on-going and on-site) by filling the SEP. NBR, as a host authority, regularly participates and contributes to the planning of supervisory activities, discussions and information exchange. In recent years, NBR jointed the ECB as a home supervisor in on-site inspections carried out in three Romanian subsidiaries of the EU banks. Detailed exchanges of information on liquidity risks were also introduced at the time of the Greek crisis between members of the supervisory colleges of Greek banks to share daily updates on the liquidity situation of different group members, including Romanian subsidiaries. EC4 The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. Description and NBR is only a host authority. Where NBR is part of a supervisory college, cooperation findings re EC4 agreements in place and agreed practices of the colleges provide the basis for the exchange of information and the communication strategy to the bank (on a case-by-case basis). EC5 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. Description and A new framework for dealing with failing banks, the BRRD was agreed in 2014, and findings re EC5 transposed in Romania and across the EU in 2015. It organized cross-border crisis preparedness, cooperation, management and ultimately resolution. For crisis management, written coordination arrangements are in place covering inter alia the means of communication, information to be exchanged and relevant persons to be contacted (these arrangements are reviewed on annual basis). For Romanian subsidiaries, NBR (resolution function) make their own assessment of critical functions. 110 ROMANIA Both the supervisory and resolution functions of NBR are involved as a host in the preparation of cross-border recovery and resolution plans. The resolution function is taking the lead on the preparation of resolution plans (with inputs from the supervisor function), while the supervisory function takes the lead in the review of recovery plans prepared by banks, with inputs from the resolution function (see CP 3). EC6 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. Description and See EC 5 and CP 3 on respective responsibilities and cooperation between the supervisory findings re EC6 and resolution functions of NBR. Resolution plans were prepared for almost all Romanian banks and, where appropriate, approved by joint decisions in resolution colleges (starting in 2016). Resolution plans for 15 out of 19 subsidiaries of cross-border groups subject to consolidated supervision have been elaborated and revised, where applicable, within the respective resolution colleges (i.e., 96.88 percent of the cross-border groups’ subsidiaries net assets as of June 2017). EC7 The host supervisor’s national laws or regulations require that the cross -border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. Description and Cross-border operations of EU banks are subject to similar prudential, inspection and findings re EC7 regulatory reporting requirements similar to those of domestic banks, in application of EU regulatory and supervisory arrangements. Article 206–1 of the banking law mentions that: “where a credit institution, a Romanian legal person, having as parent undertaking a credit institution, an investment firm, a financial holding company or a mixed financial holding company, the head office of which is in a third country, is not subject to consolidated supervision performed by a competent authority of a Member State, the National Bank of Romania shall verify whether the credit institution is subject to consolidated supervision exercised by a third-country competent authority, which is equivalent to that governed by the principles laid down in this” banking law. EC8 The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. Description and There is an explicit provision in the law regarding the possibility for home supervisors of findings re EC8 EU branches to perform on-site inspections at the head office of the branch in Romania Article 211–1. There is no such explicit provision for the on-site inspections by the home supervisors of subsidiaries of EU banking groups, However, this falls under broader cooperation arrangements (including MOU and WCCA) and has been regularly practiced (including as part of asset quality reviews conducted across the EU in 2014; in that case, NBR was informed and joined the mission as an observer or more recently with ECB teams inspecting three banks). 111 ROMANIA There is no explicit provision authorizing home supervisors from third country to perform on-site inspections in subsidiaries in Romania Article 212 of the banking law only covers branches). NBR may allow it on a case by case basis. There is currently only one small subsidiary from a third country (Israel), where no inspection was conducted by the home supervisor. EC9 The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. Description and The banking Law sets out certain requirements that must be met to establish a bank which findings re EC9 prohibits shell banks from operating within Romania. All credit institutions must be registered with and have a licence issued by the NBR, and the NBR must affirm that the management of the bank is meeting Romanian “fit and proper” standards. The NBR supervises the licensing process for all credit institutions, Romanian legal entity, and has the sole authority to grant and revoke banking licenses. (See CP5) EC10 A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. Description and NBR is a member of colleges of supervisors of all significant EU subsidiaries and branches, findings re EC10 which include detailed consultation mechanisms (and often require a joint decisions). For other subsidiaries and branches of EU banks, MOUs were signed covering relevant aspects. More broadly, Article 188–1 of the banking law requires NBR to “consult the other competent [i.e., EU] authorities responsible for the supervision on an individual and/or on a consolidated basis prior to taking a decision that is of importance for those competent authorities’ supervisory tasks.” Assessment of Compliant Principle 13 Comments The NBR is primarily a host supervisor. It is a member of 15 EU colleges of supervisors, which allow effective exchanges of information (based on unified templates and shared methodologies) and unified supervisory actions (including joint decisions). Close coordination is also in place for crisis management and resolution, at the domestic level with the resolution arm of NBR and, for large banks active in Romania, within EU supervisory and resolution colleges. All Romanian banks prepared recovery plans starting in 2016; resolution plans were also prepared for almost all of these institutions (and their groups where applicable). B. Prudential Regulations and Requirements Principle 14 Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,53 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. 53 Please refer to footnote 27 under Principle 5. 112 ROMANIA Essential criteria EC1 Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. Description and Romanian banks can choose between two types of governance arrangements: findings re EC1 1. One-tier or unitary system (22 banks at end 2016) It includes: • A board of Directors • Senior management In the unitary management system, the Board and senior management can and generally do overlap (i.e., members of senior management are also members of the Board). Article 107-1 of the banking law indeed indicates that management needs to be delegated by the Board of directors to at least two managers and Article 143 of the 1990 company law states that managers may be appointed from among board members or from outside. In practice: • The assessors identified three cases where the Board does not include any executive member (i.e., senior management is completely distinct); • The most common case is that the Board includes one executive member (who belongs to senior management); • The assessors identified six cases where there were two to four executive members on the Board (i.e., all members of senior management belong to the Board); 2. two-tier or dual management system (7 banks at end 2016) It includes two separates Boards: • A Board with supervisory responsibility (“supervisory committee”} • A Board with management functions (“directorate”). Article 107-2 of the banking law indicates that: “where a credit institution opts for a dual management system, the directorate comprises at least 3 members.” In the dual management system, the Board and senior management are completely distinct The company law requires that Board include 3 to 11 members. In practice, most bank Board include 6 to 9 members (with only small banking subsidiaries having as few Board members as 5 in the unitary system and 3 in the dual management system). Romanian laws and regulations refer to “the management body” and “senior management” of credit institutions as defined by the CRD IV (NBR Regulation 5/2013 explicitly defines these terms using the CRD IV definitions, the banking law does not, which could usefully be corrected as it is updated): • “Management body means an institution's body or bodies, which are appointed in accordance with national law, which are empowered to set the institution's strategy, objectives and overall direction, and which oversee and monitor 113 ROMANIA management decision-making, and include the persons who effectively direct the business of the institution”; • “Management body in its supervisory function means the management body acting in its role of overseeing and monitoring management decision-making” which is represented by the management body (Board of administration) within the unitary management system, and by the supervisory board within the two-tier management system; • “Senior management means those natural persons who exercise executive functions within an institution and who are responsible, and accountable to the management body, for the day-to-day management of the institution.” Senior management is represented by directors within the unitary management system and by the directorate within the two-tier management system. The banking law and NBR Regulation 5/2013 establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business: • Article 106 of the banking law indicates that:” the Board members and the managers or, as appropriate, the supervisory committee and the directorate of the credit institution shall discharge the duties and tasks provided for in the legislation on commercial companies, and they are responsible for the fulfillment of all requirements provided for in this emergency ordinance and the regulations issued for its enforcement.” NBR Regulation 5/2013 transposes and complements relevant aspects of the CRD IV regarding a bank’s Board: • Article 11 indicates that: (1) the management body shall define, oversee and be accountable for the implementation of the governance arrangements that ensure effective and prudent management of a credit institution, including the segregation of duties in the organization and the prevention of conflicts of interest “and that (2) “within the meaning of para. (1) the governance arrangements shall comply with the following principles: o the management body must have the overall responsibility for the credit institution and approve and oversee the implementation of the credit institution's strategic objectives, risk strategy and internal governance of credit institution; o the management body must ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards; o the management body must oversee the process of disclosure and communications; o the management body must be responsible for providing effective oversight of senior management (this Article could usefully be clarified by indicating the management body in its supervisory capacity to clarify that executive directors can oversee their performance or that of fellow members of senior management); Article 12–1 indicates that: “the management body is responsible also for setting and overseeing: o the amounts, types and distribution of both internal capital and own funds adequate to cover the risks of the credit institution; o a robust and transparent organizational structure with effective communication and reporting channels; 114 ROMANIA o a policy on the nomination and succession of individuals with key functions in the credit institution; o a remuneration framework that is in line with the risk strategies of the credit institution; o the governance principles and corporate values of the institution, including through a code of conduct or comparable document and; o an adequate and effective internal control framework, that includes well- functioning risk control, compliance and internal audit functions as well as an appropriate financial reporting and accounting framework.” Article 12–2 indicates that: “the management body shall approve and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the institution is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the busines s cycle.” Article 13–1 indicates that: “the management body shall monitor and periodically assess the effectiveness of the credit institution's governance arrangements and take appropriate steps to address any deficiencies.” NBR Regulation 5/2013 transposes and complements relevant aspects of the CRD IV regarding senior management: • Article 3–3 defines senior management as: “natural persons who exercise executive functions within a credit institution and who are empowered to carry out the day-to-day management activity of the credit institution and are accountable to the management body, for its accomplishment. The senior management is represented by directors, within the unitary management system, and by the directorate, within the two-tier management system. • Other Articles more specifically defines its responsibility In particular regarding information of the management body Article 14–3, approval of the details of the internal capital adequacy assessment process Article 79–3, implementation of the credit risk management strategy Article 84–2, approval of certain credit risk exposures Article 90 monitoring of related parry transactions Article 103 prompt review of exception from policies Article 130–3, consideration of stress test results Article 135–2, responsibility for the development of strategies, policies, processes and systems to manage the liquidity risk Article 137–9 and of review liquidity developments Article 137–10), verification that market access is actively monitored Article 140–5), verification of effective implementation of the operational risk strategy Article 154, monitoring of the financial performance of the outsourcing service provider Article 240–f, verification that the control mechanisms and measurement systems adopted by the credit risk control unit are adequate and that the overall internal ratings based approach system remains effective over time Article 495–1, good understanding of the lending policies, underwriting standards, lending practices, and collection and recovery practices Article 495–2, verification of the soundness of risk-taking processes, determination of how internal ratings are used in the risk-taking processes, identification and assessment of the main risk drivers, based on the information provided by the credit risk control unit, definition of the tasks of the credit risk control unit and evaluation of the adequacy of its professional skill levels, monitoring and management of all sources of potential conflicts of interest, establishment of effective communication channels, examination of reports from 115 ROMANIA internal audit Article 495–3 and regular verification that the control procedures and measurement systems remain effective Article 496. Supervisory expectations are primarily enshrined in NBR Regulation No. 5/2013 (including relevant provisions from the 2011 EBA guidelines on internal governance). There have not been further communication or guidance made to the industry on corporate governance. The EBA published in September 2017 revised guidelines on internal governance, which NBR intends to incorporate in NBR Regulation No. 5/2013 in 2018. As indicated by the EBA, these new guidelines: • Put more emphasis on the duties and responsibilities of the management body in its supervisory function in risk oversight, including the role of their committees • Aim at improving the status of the risk management function, enhancing the information flow between the risk management function and the management body and ensuring effective monitoring of risk governance by supervisors • The ‘know–your–structure' and complex structures sections, especially following the ‘Panama events', have been strengthened to ensure that the management body is aware of the risks that can be triggered by complex and opaque structures and to improve transparency. • The framework for business conduct has been further developed and more emphasis is given to the establishment of a risk culture, a code of conduct and the management of conflicts of interest. For branches of EU banks/banking groups, corporate governance aspects fall exclusively within the responsibility of the home supervisor (NBR only needs to be notified of the names of the two managers responsible for the branch). In the case of the largest branch active in Romania, NBR is part of the college of supervisors. NBR indicated that corporate governance aspects at group level were systematically and thoroughly discussed in this context (including in relation to SREP analyses). EC2 The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. Description and The banking law requires that NBR uses the SREP approach, which includes provisions on findings re EC2 corporate governance. EBA SREP guidelines define areas which need to be looked at both at the institution level and in the context of specifics risks. At the institution level, SREP guidelines require that the following aspects be reviewed: • overall internal governance framework; • corporate and risk culture; • organization and functioning of the management body; • remuneration policies and practices; • risk management framework, including ICAAP and Internal Liquidity Adequacy Assessment Process (ILAAP); • internal control framework, including internal audit function; • information systems and business continuity; and • recovery planning arrangements. These individual components are included in the template for on-site inspection reports and assessed during annual examinations. Although a comprehensive set of findings and recommendations in corporate governance is not available, discussions with on-site teams 116 ROMANIA (buttressed by a review of sanctions publicly disclosed in 2016 and 2017) confirm that teams understand and pay attention to corporate governance issues. However, on-site inspection teams only exceptionally meet with nonexecutive directors (see CP 9) and essentially assess the effectiveness of the Board (and its committees) by reviewing minutes and interviewing other participants to these committees (executive directors and key control function holders). While such verifications are important, they cannot replace direct interactions with nonexecutive and independent Board members to assess the effectiveness and implementation of corporate governance arrangements in a bank. The off-site supervisory process also plays a key function in ensuring that banks have a sound corporate governance: • As part of the SREP process and rating attribution (see CP 8 and 9 for an overall presentation and discussion); • During the vetting of Board members, senior and middle management, before they can take office. This is a key moment when NBR can review the qualifications and suitability of Board members as well as their understanding of their individual and collective responsibilities (see EC 3 and 4); • When reviewing procedures applicable to governance arrangements (Article 671- 1 of NBR Regulation 5/2013 requires banks to submit to NBR all procedures on governance arrangements) and annual reports banks need to file with NBR on internal controls. However, there is no internal guideline for NBR staff to decide when, how and to which extent, to review these procedures and annual reports. The analyses conducted are generally not documented, unless they lead to a supervisory action. NBR indicated that off-site reviews regularly lead to supervisory actions, demonstrating that reviews were conducted. It also mentioned that the systematic review of procedures and annual reports received was primarily conducted during the on-site examinations (as an annual review was considered sufficient). There has not been any review of corporate governance practices across the industry (or by types of institutions, (e.g., independent banks or subsidiaries or banking groups), which could have helped identify potential risks and best practices (and facilitate the preparation of guidance to the industry tailored to the Romanian environment and complementing existing requirements). Sanctions are regularly taken by NBR due to corporate governance shortcomings, as confirmed by a review of sanctions publicly disclosed (2016 and first nine months of 2017): • Fines of RON 20,000 to RON 30,000 (USD 5,000 to USD 7.500 ) to five natural persons due to (i) the absence of an evaluation of the knowledge, skills and experience of each member of the management body and of the management body as a whole; (ii) a failure of the risk management committee to advise the management body on the overall risk management strategy and on its implementation; (iii) failure of the risk management committee verify pricing fully takes into account the business model and risk management strategy; (iv) failure of the management body to conduct appropriate oversight as the executive did not respond to its request for additional Information on its work; and (v) lack of involvement of risk management in the review of new products. • Fine of RON 15.000 (USD 3.750) to a natural person for (i) inappropriate exercise of the responsibilities regarding the coordination of the activities for elaboration and updating of internal policies, rules, procedures and instructions regarding the 117 ROMANIA activity of the subordinated structures and (ii) maintaining as a director of the Internal Audit Department of a person without the prior approval of NBR, • Fine of RON 20,000 (USD 5,000) for various shortcomings including (i) lack of a policy regarding the selection, monitoring and planning of the succession of the members of the Board of Directors; (ii) lack of a policy of promoting diversity within the governing body; (iii) failure by the Risk Management Committee to verify the manner in which risk, capital, liquidity, as well as probability and timing of profits were taken into consideration when granting the variable remuneration; and (iv) noninvolvement of control function staff in the elaboration of remuneration policies and bonuses. • Fine of RON 25.000 (USD 6.250) for various shortcomings including: (i) failure by the management body to carry out on time and effectively the attributions of approving adequate measures to remedy the findings of the internal audit function, taking into account the inappropriate practice of extending the deadlines for the implementation of the internal audit recommendations; (ii) shortcomings linked to the Audit Committee; (iii) failure to implement adequate control mechanisms in the issuance and use of electronic payment instruments, thus increasing compliance risk. More broadly, NBR imposed 21 supervisory measures on strengthening governance an internal capital management in 2016 and 32 in 2016. Corporate governance is discussed within supervisory colleges to which NBR participates (including presentations at group and country levels and discussion of relevant SREP ratings). No specific joint-decision imposing specific requirements was taken in 2016 or 2017 the area of corporate governance for EU banking groups covered by supervisory colleges where NBR is represented. EC3 The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced nonexecutive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced nonexecutive members Description and The banking law (107–108) and NBR Regulation 5/2013 Articles 15–19 set requirements findings re EC3 regarding the composition of the management body: • It shall have an adequate number of members and an appropriate composition; • Banks shall assess the suitability of members (based on the criteria defined by in the banking law), at the time they are appointed and “when events make a re - assessment necessary”; • Banks and, where applicable their nomination committees, shall consider a broad set of qualities and competences when recruiting members to the management body (and have a policy promoting diversity in the management body); • The selection of the members of the management body shall ensure that there is sufficient expertise and independence within it; • Members shall have an adequate collective level of knowledge, skills, and experience allowing them to understand the activities of the bank, including major risks; • The management body shall have policies for selecting, monitoring and planning the succession of its members; 118 ROMANIA • The size and composition of the management body should be appropriate to the size and complexity of the bank and the nature and scope of its activities; • Members shall be able to dedicate appropriate time to their tasks (for significant institutions, limits are placed on the number of other “directorships” they may hold, unless they represent the State (NBR could usefully remove this exception), • In a unitary management system, the chairman of the Board cannot be the general manager. The assessors were informed that, exceptionally and with the approval of the NBR, the cumulation of functions may be exercised by a credit institution in well-justified cases. Regarding independent directors: • Only subsidiaries are required to have in place a sufficient number of independent members in the management body (Article 7, NBR Regulation 5/2013). Where a company is required by its statute or its general assembly to have a minimum number of independent directors, the company law provides a rigorous definition of independence54; • For other banks, there is only a requirement that the chair of the audit committee is independent (see below); Based on statistics provided by NBR covering 17 subsidiaries (out of 19) and 6 locally owned banks (out of 9): • All subsidiaries of banking groups have independent Board members, but their number is limited to 1 or 2 (for a total of 6 to 9 members generally). This set-up is conducive to a strong integration within the group, which brings benefits, but may not allow independent members of the management body to effectively challenge executive and nonexecutive members closely related to the group (as non-executive directors generally occupy senior positions in the group outside Romania) and play their role of check and balances, including based on their closer and broader knowledge of the local market; • Locally owned banks also generally only have 1 or 2 independent director(s) (for a total of 5 to 7 members generally), with the exception of the largest state-owned bank (7 out of 11 members of the management body) for which criteria applied are unclear. 54 Article 138^2 of the company law mentions that: (1) the constitutive act or the decision of the general assembly of shareholders may provide that one or more members of the board of directors must be independent, (2) In the appointment of independent administrator, the general assembly of shareholders will take into account the following criteria: a) not to be a manager of the company or of a company controlled by it or not to fill such a position over the last 5 years; b) not to be an employee of the company or of a company controlled by it or not to have such a labor relation over the last 5 years; c) not to receive or have not received or from the company or from a company controlled by it an additional remuneration or other advantages, others than those corresponding to its capacity of non-executive administrator; m) not to represent a significant shareholder of the company; d) not to have or did not have over the last year business relations with the company or with a company controlled, either in person, or as associated, shareholder, administrator, manager or employee of a company that has such relations with the company, if, by virtue of their substantial character, they are likely to affect their objectivity; e) not to be or have been over the last 3 years financial auditor or an associate employee of the present financial auditor of the company or 9of a controlled company; f) not to be a manager in another company where a manager of the company is a non- executive administrator; g) not to have been a non-executive administrator of the company for more than 3 terms of office; h) not to have family relationships with a person that finds itself in one of the situations provided in letter a) and d). 119 ROMANIA There is no specific requirement regarding the nomination and appointment of Board members across the banking group (some Romanian banks have subsidiaries in Romania and abroad, even if the parent bank is still largely dominant in such groups). This is only addressed to a limited extent by the broader requirement that banking groups have a clear organizational structure, with well-defined, transparent and consistent lines of responsibility. NBR conducts an in-depth vetting process of all members of the management body (based on Article 109 of the banking law), including thorough background checks (e.g., criminal records in Romania and all countries where the person has worked, intelligence reports, feedback from supervisory authorities of all countries where the person has worked etc.) followed by face to face interview. The NBR panel which usually comprises a dozen people is led by the banking supervision department, which also provides most of its members (other departments commonly present include financial stability and payments; the resolution department does not yet appear to participate and its participation could usefully be considered). The interview is quasi-examination (for which it is not uncommon that applicants need to get specialized training a couple of months before the interview). It commonly lasts a couple of hours and during which the proposed Board member is questioned about its background, future responsibilities and the regulatory environment in Romania. NBR pays attention to the diversity of the Board, in terms of skills and experiences. Available statistics show that this is not a formality as rejection commonly occur. Banks confirmed that this process was thorough, demanding and its outcomes uncertain. Regarding specialized committees of the management body, Regulation requires the management body to consider setting up specialized committees (Article 21–1) and, in some cases, requires it: • All banks are required to have an audit committee chaired by an independent member of the management body Article 22 of NBR Regulation 5/2013; • Significant banks (in terms of size, internal organization and the nature, scope and complexity of activities) need also have risk management, nomination and remuneration committees Articles 23–1, 24–1 and 173–1 of NBR Regulation 5/2013 respectively) o Members of the risk, nomination and remuneration committees shall be nonexecutive; o There is no requirement that these committees are chaired by independent members of the management body; o The scope of the risk, nomination and remuneration committees are respectively defined in Articles 23, 24 and 173 of NBR Regulation 5/2013. NBR provided statistics regarding specialzed committees for 28 locally incorporated banks: • All have an audit committee chaired by an independent member of the management body; • 16 have a risk committee, with a chair who is an independent member of the management body in 8 cases; • 13 have a nomination committee, with a chair who is an independent member of the management body in 4 cases; 120 ROMANIA • 11 have a remuneration committee, with a chair who is an independent member of the management body in 3 cases. The composition, chairmanship and effectiveness of the specialized committee is primarily assessed during the annual full-scope on-site examinations. On-site inspection teams only meet with nonexecutive members on an exceptional basis. The review of the performance of the management body and its specialized committees is thus primarily based on that of procedures, minutes of meetings and discussions with other members or participants of these committees, where applicable (such exercise is informed by the broader review of the bank’s risk appetite and profile). Recommendations are commonly made to ensure the proper functioning of these committees, and sanctions towards individuals or banks taken on such grounds (see EC 2 for examples of such recent sanctions). EC4 Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.55 Description and The banking law sets key requirements regarding the suitability of Board members, their findings re EC 4 duties of care and loyalty as well as their effectiveness: • Article 108 of the banking law defines key requirements Board members need to meet: “ (1) Each of the members of the management body and the directors, or where appropriate, the members of supervisory board and of the directorate of a credit institution, as well as the persons appointed to conduct the business regarding the management and control of risks, internal audit, judicial, conformity, treasury, lending activity, as well as any other activities which may expose the credit institution to significant risks shall be at any time of good reputation, knowledge, skills and have sufficient experience to match the nature, size and complexity of the business of the credit institution and of the entrusted responsibilities and shall conduct the activity according to a sound and prudent banking practice. The composition of these bodies of the credit institution shall reflect the overall of a sufficiently wide range of relevant professional experience . […] (4) The members of the management body and the directors, or where appropriate, the members of the supervisory board and of the directorate shall have an adequate collectively level of knowledge, skills, and experience allowing them to understand the activities of the credit institution, including their major risks and to make well-grounded decisions concerning all the issues related to the activity of the credit institution on which they shall decide in compliance with their duties. • Article 108–41 of the banking law defines the duty of loyalty: “each member of the management body, or where appropriate, of the supervisory board of a credit institution, shall act with honesty, integrity and objectively to effectively assess 55 The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables”, 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ’prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.” 121 ROMANIA and discuss the decisions of the directors or directorate (senior management), by case, when necessary, and to effectively oversee and monitor the management decision-making process.” • Article 108–5 of the banking law defines the duty of care: “the persons appointed as administrators, directors, members of the supervisory board or by case, of the directorate, shall perform effectively the administration and/or management responsibilities they are entitled to. • Article 1081-1 of the banking law requires adequate time availability of Board members: “the members of the management body and the directors, or where appropriate, the members of supervisory board and of the directorate shall allocate sufficient time to perform their duties.” NBR Regulation 5/2013 sets detailed requirements on the Board and its members which complement those of the banking law: • Article 16 sets requirement on the objectivity and independence of Board members: “(1) members of the management body shall engage actively in the business of a credit institution and shall be able to make their own sound, objective and independent decisions and judgements. The selection of members of the management body shall ensure that there is sufficient expertise and independence within the management body. The credit institution shall ensure that members of the management body can commit enough time and effort to fulfil their responsibilities effectively. […] (4) The members of the management body shall be able to act objective, critically and independently. • Article 18 requires adequate training of Board members: “(1) credit institutions shall devote adequate human and financial resources to the induction and training of members of the management body.” • Article 16–1 defines key requirements on the suitability of Board members: “the persons designated to exercise administration and/or management responsibilities of the bank shall have a good reputation and the professional experience appropriate for the scope, extent and complexity of the activity carried out by the credit institution and for the related responsibilities in order to ensure a prudent and sound management of the bank.” Compliance with these requirements is initially verified through in-depth background checks and interviews (see EC 3) and during annual on-site inspections (even if meetings with nonexecutive Board members do not typically take place during such inspections). EC5 The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite 56 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment. 56 “Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously. 122 ROMANIA Description and NBR Regulation 5/2013 requires that the Board approves and oversees implementation of findings re EC5 the bank’s strategic direction, risk appetite and strategy, establishes and communicates corporate culture and values, and establishes conflicts of interest policies and a strong control environment: • Article 11-2 requires Board approval and oversight of the strategy and risk appetite: “the management body must have the overall responsibility for the institution and approve and oversee the implementation of the credit institution's strategic objectives, risk strategy and internal governance.” • Article 12-1 requires the Board to establish and communicate corporate culture and values: the management body is responsible also for setting and reviewing: […] the governance principles and corporate values of the institution, including through a code of conduct or comparable document • Articles 17, 25 and 26–1 require the Board to establish conflict of interest policies; Article 17: “The management body shall have a written policy on managing conflicts of interests for its members.”, Article 25–1: “the management body shall develop and promote high ethical and professional standards.” And Article 26–1: “the management body shall establish, implement and maintain effective policies to identify actual and potential conflicts of interest. Conflicts of interest that have been disclosed to and approved by the management body shall be appropriately managed.” • Article 12–1 sets detailed requirements the Board needs to follow, including establishing a strong control environment: “the management body shall be also responsible for the establishment and reexamination […] of an adequate and effective internal control framework which includes the risk management, compliance and internal audit functions, and an appropriate framework related to the financial reporting and accounting.” Each bank is required to set up an audit committee, chaired by an independent Board member (Article 22 of NBR Regulation 5/2013). Article 65 of Law No. 162/2017 on statutory audit of annual financial statements states that the audit committee must be composed of nonexecutive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity or, for entities without shareholders, by an equivalent body. The audit committee assist the management body and has responsibilities in monitoring the effectiveness of internal control, internal audit and risk management, recommending for approval and supervising external auditors, examining and approving the scope and frequency of internal audits, reviewing internal audit reports and verifying that senior management takes corrective actions in a timely manner. EC6 The supervisor determines that the bank’s Board, except where required otherwise by laws or Regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. Description and Regulation 6 requires that the bank’s Board has established fit and proper standards in findings re EC6 selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them: 123 ROMANIA • Article 12–4 requires the Board to review the suitability of senior management: “credit institutions shall assess the suitability of key function holders before they are appointed or shall re-assess their suitability as appropriate and record the assessment/re-assessment and their results.” • Article 12–1-c requires the Board to have nomination and succession policies: “the management body is responsible also for setting and reviewing: […] c) a policy on the nomination and succession of individuals with key functions in the credit institution; • Article 11–2 requires the Board to oversee senior management: “the management body must be responsible for providing effective oversight of senior management” • Article 14–2–a requires the Board to challenge senior management when necessary: “The management body in its supervisory function shall be ready and able to challenge and review critically in a constructive manner propositions, explanations and information provided by members of the senior management body; • Article 14–2–b and –c require the Board to monitor senior management’s performance against standards established for them: “b) monitor whether the strategy, risk tolerance/appetite and policies of the credit institution are consistently implemented and whether the performance standards are maintained in accordance with the long term financial interests and with its solvency; and c) […] monitor the performance of the senior management members against those standards. See EC2 on the supervisory process to review effectiveness. EC7 The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. Description and NBR Regulation 5/2013 sets detailed requirements regarding a bank’s and banking findings re EC7 group’s compensation system: • Article 12–1 defines the Board’s responsibilities regarding the compensation system: “ • the management body is responsible also for setting and reviewing […] d) a remuneration framework that is in line with the risk strategies of the credit institution; • Article 169–1 and 170–2 require that the compensation system has appropriate incentives aligned with prudent risk takin; Article 169-1: “the management body in its supervisory function shall ensure that remuneration policy and practices of the staff of credit institution, including members of the management body in its supervisory function and members of senior management shall be in line with the culture of credit institution, long term objectives and business strategy, as well as the control environment.” Article 170–2: “when establishing and applying the total remuneration policies, inclusive of salaries and discretionary benefits such as pensions, for categories of staff including senior management, risk takers, staff engaged in control functions and any employee receiving total remuneration that takes them into the same remuneration bracket as senior management and risk takers, whose professional activities have a material impact on their risk profile, 124 ROMANIA credit institutions comply with the following principles in a manner and to the extent that is appropriate to their size, internal organization and the nature, scope and complexity of their activities: a) the remuneration policy is consistent with and promotes sound and effective risk management and does not encourage risk- taking that exceeds the level of tolerated risk of the institution, b) the remuneration policy is in line with the business strategy, objectives, values and long-term interests of the institution, and incorporates measures to avoid conflicts of interest.” • Article 170–2–d requires that an independent review of the implementation of the compensation framework be conducted at least annually and its outcomes reported to the Board: “the implementation of the remuneration policy is, at least annually, subject to central and independent internal review for compliance with policies and procedures for remuneration adopted by the management body in its supervisory function.” See EC2 on the supervisory process to review effectiveness. EC8 The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. Description and NBR Regulation 5/2013 requires that the bank’s board and, when it belongs to the findings re EC8 management body, senior management knows and understand the bank’s and banking group’s operational structure and its risks: • Article 8 indicates that: (1) The management body shall fully know and understand the operational structure of a credit institution and ensure that it is in line with its approved business strategy and risk profile. (2) The management body shall guide and understand the credit institution’s structure, its evolution and limitations and shall ensure the structure is justified and does not involve undue or inappropriate complexity. The management body is also responsible for the approval of sound strategies and policies for the establishment of new structures. Likewise, the management body should recognize the risks that the complexity of the legal entity’s structure itself poses and should ensure the institution can produce information in a timely manner, regarding the type, charter, ownership structure and businesses of each legal entity. (3) The management body of a credit institution’s parent company, Romanian legal entity shall: a) understand not only the corporate organization of the group but also the purpose of its different entities and the links and relationships among them; b) ensure the different group entities (including the institution itself) receive enough information for all of them to get a clear perception of the general aims and risks of the group; and c) ensure it keeps itself informed about the risks the group’s structure causes. • Article 9 sets detailed for credit institutions which operate through special purpose structures or related structures or jurisdictions that impede transparency. No such cases have been identified for banks licensed in Romania. Both on-site inspections and the extensive vetting process of Board members and senior management allow NBR to verify that these persons know and understand the bank’s and 125 ROMANIA banking group’s operational structure and its risks. Moreover, in practice, Romanian banking groups have simple and transparent corporate structures. EC9 The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. Description and The banking law empowers NBR to withdraw its approval to any Board member, senior findings re EC9 manager as well as other middle managers subject to its approval: • Article 228–1 allows NBR to take sanctions where Board members and senior management do not fulfill their duties: “the National Bank of Romania has the competence to apply sanctions in accordance with Article 229 paragraph (1) and sanctions referred to in Article 229 paragraph (2) letter a) and letter b), when it finds that a credit institution, Romanian legal entity, and/or any of the persons referred to in Article 108 paragraph 1, or the persons appointed to head the branches of the credit institution are found guilty of the following facts: (a) the credit institution has obtained an authorization through false statements or any other irregular means; […] (d) the credit institution fails to have in place governance arrangements required by the National Bank of Romania in accordance with the provisions of Article 24; […] (o) the credit institution allows one or more persons not complying with Article108 to become or remain a member of the management body. • Articles 229–1 allows NBR to withdraw the approval of Board members and senior management: “The administrative penalties that can be applied under this emergency ordinance shall include the following: e) withdrawal of the approval granted to the persons referred to in Article108 paragraph (1).” In 2014, NBR withdrew the approval of the chairman of the Board of a bank who was convicted (as he stopped meeting meet reputation and integrity requirements). Additional criteria AC1 Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. Description and There is no explicit provision requiring banks to notify the supervisor as soon as they findings re AC1 become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior managemen t. In practice, banks are well-aware of NBR supervisory expectations and communicate in a timely manner any material event affecting them. Article 15–3 of NBR Regulation 5/2013 requires for banks to re-assess the suitability of members of the management body, when events make a re-assessment necessary (which is vague), and only to inform NBR of the outcomes of such re-assessment if these are negative (i.e., later than when they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management). Assessment of Largely Compliant Principle 14 Comments Both the global financial crisis, and the Romanian crisis, showed the fundamental role of corporate governance in ensuring banks’ safety and soundness. In the Romanian context, 126 ROMANIA banks implemented aggressive growth strategies, particularly in 2007-200857, which were followed by a sharp increase in NPLs. Banks’ board did not effectively oversee, or curb, ris k appetites and strategies (including partly due to insufficient abilities of the Boards to challenge EU parent banking group’s strategies). NBR also identified governance challenges in recent years in small locally owned banks (e.g., dominant industrial shareholder not taking appropriate corrective actions and chairman of the Board sentenced by a court) and had to take corrective actions and sanctions. Corporate governance requirements were revised at the EU level (CRD IV and EBA guidelines) and then transposed in Romania starting in 2013. Both Regulations and the supervisory process appropriately make the management body responsible for ensuring banks operate in a safe and sound manner (and include detailed requirements for this purpose). NBR conducts a thorough review process, including challenging interviews, before approving members of the management body. It is not uncommon that some do not pass this “test”. This is a demanding but effective approach. Requirements to have an “adequate” number of independent members of the management body should apply to all banks, and not only to subsidiaries of EU banks. Eventually, the number of independent members of the management body is generally limited to 1 or 2 which is insufficient to encourage challenging other executive and nonexecutive members and, where appropriate, lead the work of specialized committees (particularly, but not only, in subsidiaries of EU banks where nonexecutive directors generally have senior executive responsibilities in other parts of the group). For all banks, NBR should either formalize criteria a bank should follow to determine the minimum number of independent directors it should have (and ensure it would lead to an “appropriate” level) or set a minimum level (possibly as a share of the number of members of the management body) above the generally observed practice (1 or 2) which is too low. NBR should also regularly meet with these independent members (separately from other members) to ensure they effectively exercise their responsibilities and discuss the situation of the bank. Although NBR places a lot of responsibilities on the management body (particularly in its supervisory responsibility), it does not yet meet on a regular basis with nonexecutive members (neither as part of the off-site process nor during the annual full-scope examinations). NBR should organize regular meetings with nonexecutive members of the management body to discuss their views on the bank, the implementation of their role and supervisory expectations. Moreover, NBR sends its letters detailing serious shortcomings or transmitting on-site reports only to senior management, rather than to the management body in its 57 For the avoidance of doubt, the grading of this CP is not based on the 2007–2008 episode. This reference is only provided as context. 127 ROMANIA supervisory capacity (or with copy to the latter). When corrective actions are required, NBR usually requires that proposed measures are endorsed by the management body, to ensure it is adequately informed and involved. Considering the emphasis placed on the responsibilities of the management body, it would be appropriate for NBR to directly send it written communications on key findings, material shortcomings and corrective actions. In line with the 2015 guidelines on corporate governance principles for banks issued by the BCBS, NBR could usefully specify that each committee chair (including risk management and remuneration) should be an independent and nonexecutive member of the management body and that a majority of the members of the risk management committee should be independent. NBR could usefully initiate a review of (all or select) corporate governance arrangements and practices across the industry to complement its review at an individual level. Such analyses would facilitate the benchmarking of governance practices, potential undue divergences across institutions in terms of governance, areas requiring clarifications from the supervisor and best practices. Where relevant, communication on the outcomes of such work could help convey to the industry supervisory expectations in the area of corporate governance. When reviewing procedures applicable to governance arrangements (Article 671–1 of NBR Regulation 5/2013 requires banks to submit to NBR all procedures on governance arrangements) and annual reports banks need to file with NBR on internal controls. However, there is no internal guideline for NBR staff to decide when, how and to which extent, to review these procedures and annual reports and when and how to document such work. Such internal guidelines could usefully be prepared. NBR could usefully introduce in its regulation (i) an explicit provision requiring banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management and (ii) requirements regarding the nomination and appointment of Board members across the banking group. Principle 15 Risk management process. The supervisor determines that banks58 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate59 all material risks on a timely basis and to assess the adequacy of their capital 58 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group. 59 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents. (continued) 128 ROMANIA and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that consider the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.60 Essential criteria EC1 The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: (a) a sound risk management culture is established throughout the bank; (b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; (c) uncertainties attached to risk measurement are recognized; (d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and (e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite. Description and The banking law and NBR Regulation 5/2013 set requirements for banks to have findings re EC1 appropriate risk management strategies and frameworks approved by their management body including: • Overall risk management requirements: Article 24 of the banking law sets broad requirements on governance, with a particular attention to risk management: “(1) Every credit institution shall have robust governance arrangements, which include a clear organizational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management. (2) The governance arrangements, processes and mechanisms referred to in paragraph (1) shall be comprehensive and proportionate, related to the nature, scale and complexity of the risks inherent in the business model and of the credit institution's activities.” • Risk appetite: Article 23–2 of NBR Regulation 5/2013 indirectly requires that the Board sets a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. It indicates that: “The risk management committee shall advise the management body on the credit institution's overall current and future risk appetite and strategy and assist the management body in overseeing the implementation of that strategy by senior management. The management body shall retain overall responsibility for risks.” 60 It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management. 129 ROMANIA • Management body responsibility: Articles 11-2-a and 12–2 of NBR Regulation 5/2013 give overall responsibility for risk management to the management body and set minimum requirements in this regard; Article 11–2: “the management body must have the overall responsibility for the institution and approve and oversee the implementation of the institution's strategic objectives, risk strategy and internal governance.” Article 12–2: The management body of a credit institution approves and periodically reviews the strategies and policies for taking up, managing, monitoring and mitigating the risks the credit institution is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle. • Limits, policies and procedures: Article 4–1 and 30–1 of NBR Regulation 5/2013 require that a sound risk management framework is established (including limits): Article 4–1: “Credit institutions are responsible for the existence of a sound risk management framework”. Article 30–1: a credit institution's risk management framework shall include policies, procedures, limits and controls providing identification, measurement or assessment, monitoring, mitigation and reporting of the risks posed by its activities at the business line and institution-wide levels. Article 40–4 further indicated that: “The risk control function shall share responsibility for implementing a credit institution’s risk strategy and policy with all the institution’s business units within credit institution. While the business units shall implement the relevant risk limits, the risk control function shall be responsible for ensuring the limits are in line with the institution’s overall risk appetite/risk tolerance and monitoring on an on-going basis that the institution is not taking on excessive risk.”. • Risk management culture: Article 28 sets requirements for effective risk management, including a sound risk management culture. “Risk management within a credit institution implies: a) the existence of risk culture, b) the existence of risk management framework, c) the existence of new product approval policy .” • Consideration of risk profile: Article 5–2 requires risk management arrangements to consider the banks’ risk profile: “credit institutions shall adapt their risk management framework taking into account the nature, scale and complexity of the risks inherent in the business model and of the credit institution's activities .” • Risk measurement uncertainties: There is no specific requirement that uncertainties attached to risk measurement are recognized (except for Article 354 which only covers rating models); • Senior management responsibility: there is no specific requirement for senior management to take necessary steps to monitor and control all material risks consistent with the approved strategies and risk appetite. Such a requirement exists for credit risk (Article 84) and to some extent for liquidity risk (Article 137) and operational risk (Article 154). NBR follows the EBA SREP methodology which contains instructions for the supervisory review and assessment of aspects of an institution’s corporate governance and risk management, including duties and responsibilities of the managing body, assessment of the internal governance framework, risk management, risk culture and risk management framework. Risk management is at the core of the annual on-site examinations, either specially or as a cross-cutting theme. As an example, mentioned by NBR, on-site teams assess the risk management culture based on their expert judgment typically verifying that staff is aware 130 ROMANIA of the bank’s strategy, its roles and responsibilities and that each business unit understands and develops its own controls (on-site reports do not include any specific section covering risk management culture and relevant aspects are scattered in different parts of the report). The SREP guidelines have a broad scope but do not include sufficient details to ensure supervisory staff can review risk management aspects (both on and off-site) in a consistent, realistic and systematic fashion (including properly considering the Romanian environment and previous findings and recommendations made by NBR). There is no other internal methodology to review risk management, ether on- or off-site (also CP 14 EC 2 on the latter). Only SREP ratings provide an overview of the quality of risk management across the industry. There has not been any review of (all or some) risk management practices across the industry done either on-site or off-site (including through an analysis of all findings on individual banks). The broader internal governance components of the SREP ratings provides an overview of NBR supervisory assessment of governance and risk management for locally incorporated banks: at end 2016, 11 banks had a rating of 2 for this sub- component, 17 were rated 3 and 1 was rated 4 (on a scale of 1 to 4). EC2 The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate: (a) to provide a comprehensive “bank-wide” view of risk across all material risk types; (b) for the risk profile and systemic importance of the bank; and (c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s r isk management process. Description and NBR requires banks to have comprehensive risk management policies and processes to findings re EC2 identify, measure, evaluate, monitor, report and control or mitigate all material risks. • Comprehensive risk management policies and processes: the banking law (Article 24) requires banks to have governance arrangements, including risk management, which are comprehensive, proportionate to the nature, scale and complexity of the risks inherent in the business model and the bank’s activities and which cover all risks; • NBR Regulation 5/2013 (Articles 28 to 32) requires banks to have: integrated risk culture reflecting the bank’s risk tolerance/appetite, awareness of each individual of its risk management responsibilities, risk management arrangements covering all business units, support and control functions and recognizing the economic substance of risk exposures, policies, procedures, limits and controls which ensure the identification, measurement or assessment, monitoring, mitigation and reporting of risks at the level of business lines and the bank as a whole, existence of forward and backward-looking instruments, regular, documented and transparent reporting mechanisms or involvement of the risk management function in the approval of new products or in significant changes to existing products. Moreover, NBR Regulation 5/2013 requires banks to perform stress tests which consider the macroeconomic environment, system-wide interactions 131 ROMANIA and possible feedback effects (Articles 208 & 209), and consider their results for risk management purposes (Article 178). In addition to requirements for NBR to implement the SREP approach (Article 164, see CP 8 and 9), the banking law (Article 166–1) requires NBR to review the arrangements, strategies, processes and mechanisms implemented by each bank and assess (i) risks to which the bank is or might be exposed, (ii) risks that a bank poses to the financial system taking into account the identification and measurement of systemic risk and (iii) risks identified by stress tests taking into account the nature, scale and complexity of the credit institution's activities. SREP guidelines (Title 5) set out the supervisory review processes to examine and assess the extent of risk management processes across the entire spectrum of operations of a bank and banking group. The SREP guidelines sets out supervisory activities to assess the overall governance and risk management framework of the institution as well as specific control functions within each of the individual Pillar 1 risks (credit, market and operational risk) and for capital and liquidity. They also set out the expectations for supervisors to assess the risks arising from the macroeconomic environment on the bank’ s business strategy and profitability outlook. SREP guidelines are implemented for the off- and on-site supervisory process (see CP 8 and 9). Risk management is always reviewed during annual full-scope on-site inspections (with a specific section included in the template for examination reports). It is also discussed during meetings of supervisory colleges. EBA guidelines contain additional description on expectations for banks to establish bank-wide risk management policies and processes (particularly EBA Guideline (GL) 44 on internal governance published in 2011; updated guidelines were published in September 2017 which supervisors are expected to implement by June 30, 2018), including: • GL44 Title II, 5.1 (checks and balances): banks should have a group-wide view of risk and for governance arrangements appropriate to the structure, business and risks of the group and component entities; • GL44 Title II: the management body should fully understand the operational structure of an institution and ensure it is in line with its approved business strategy and risk profile (see paragraph 6 Know-your structure); • GL 44 Paragraph 20.4: institution should have a holistic risk management framework extending across all its business, support and control units, recognizing fully the economic substance of its risk exposures and encompassing all relevant risks; • GL44 Paragraph 20: bank should establish an integrated and institution-wide risk culture, based on a full understanding of the risks it faces and how they are managed considering its risk tolerance and appetite. • GL44 Paragraph 25: expectations for the establishment of a risk control function. However, the 2011 EBA guidelines on internal governance are not binding for NBR staff and the aspects they cover beyond those incorporated in the regulatory framework and the SREP process have not been incorporated in an internal methodology NBR staff shall follow (and document). 132 ROMANIA EC3 The supervisor determines that risk management strategies, policies, processes and limits are: (a) properly documented; (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and (c) communicated within the bank Description and NBR Regulation 5/2013 requires banks to have risk management strategies, policies, findings re EC3 processes and limits which are documented (Article 30–1), communicated within the bank (Article 29), including by means of internal rules (Article 31), regularly updated considering changes in the risk appetite, risk profile and the environment (Articles 45, 78, and 81), and approved by the management body (Article 84). NBR indicated that these aspects are systematically reviewed during full-scope on-site examinations, weaknesses frequently identified and corrective actions required. EC4 The supervisor determines that the bank’s Board and senior management obtain suffi cient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. Description and See EC 1 on reporting requirements to the management body. findings re EC4 NBR Regulation 5/2013 (Articles 30–5) requires that each bank “establish regular and transparent reporting mechanisms so that the management body and all relevant units in a credit institution receive reports in a timely, accurate, concise, understandable and meaningful manner and can share relevant information about the identification, measurement or assessment and monitoring of risks.” NBR reviews during on-site examinations that the bank’s Board and senior management obtain sufficient information on, and understand (including the limitations), the nature and level of risk being taken by the bank, and how this risk relates to adequate levels of capital and liquidity (see CP 14 on limitations of such review due to the lack of contacts with nonexecutive and independent members of the management body). EC5 The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. Description and NBR Regulation 5/2013 requires banks to have an appropriate internal process for findings re EC5 assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile • ICAAP: the banking law (Article 149) makes each bank responsible for the internal assessment process of the adequacy of its capital to its risk profile. ICAAP is defined in NBR Regulation 5/2013 (Article 313) as a process “to ensures the adequate identification, measurement, aggregation and monitoring of the credit institution's risks, the holding of an internal capital suitable for the risk profile and the use and development of sound risk management systems ”. NBR Regulation 5/2013 (Article 68) further requires that this represent a component of the 133 ROMANIA management process of the credit institution and of its organizational culture and that this gives the management body the possibility to assess, on an ongoing basis, the risk profile of a credit institution and the adequacy of its internal capital in relation to it; • ILAAP: NBR Regulation 5/2013 (Article 137) requires banks (i) to have adequate levels of liquidity buffers, (ii) to have strategies, policies, processes and systems proportionate to the complexity, risk profile, scope of operation of the bank and risk tolerance set by the management body (and reflect the bank’s importance in each Member State in which it carries out business), (iii) to communicate risk tolerance to all relevant business lines. SREP guidelines set out supervisory activities to assess the adequacy and soundness of capital and liquidity against a bank’s inherent risk appetite. The SREP establishes the expectations for banks to fully consider all risks to capital within its ICAAP (see also CP16) and to liquidity in the ILAAP (see also CP24). Within the SREP guideline, specific reference to the activities expected of a supervisor when assessing an ICAAP and ILAAP include paragraphs 94102. Theses aspects are reviewed at least annually as part of the SREP process (and during full- scope on-site examinations). Where applicable, additional capital buffers are imposed as a result (based on joint decisions for subsidiaries of EU banking groups). EC6 Where banks use models to measure components of risk, the supervisor determines that: (a) banks comply with supervisory standards on their use; (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. Description and There is no general requirement that the banks’ Boards and senior management findings re EC6 understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use, but specific requirements which aim at achieving the same objective • For ICAAP, banks need to document and report to NBR (Article 69 of NBR Regulation 5/2013) (i) how the process is structured (Article 69 of NBR Regulation 5/2013), (ii) the assumptions used (and underlying risks), risk sensitivity and confidence levels, the process of risk aggregation (Article 69) and (iii), where applicable, detailed explanations regarding the definitions of risk (and their degree of significance) as well as and the internal capital (and its components) (Article 73). The management body is responsible for approving the conceptual design of the ICAAP process—at least, the scope, the methodology, while senior management shall approve the technical concepts (Article 79). • For stress testing. Article 177 of NBR Regulation 5/2013) the members of management body (or relevant designated committee) shall actively engage in the discussion, and where necessary, challenge the key modelling assumptions 134 ROMANIA and scenario selection and is expected to analyses the assumptions underlying the stress tests from a common/business sense perspective (e.g., whether assumptions about correlations in a stressed environment are reasonable). EC7 The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. Description and Banks are required to have effective and reliable information and communication systems findings re EC7 covering all significant activities (Article 61), comply with generally accepted IT standards when implementing IT systems (Article 62), meet detailed requirements for liquidity purposes (Article 142), country risk (Article 101), market risk (120) and operational risk (Article 156). Periods of stress are covered under the general requirement (Article 149) that banks ensure contingency and business continuity plans are in place to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. The SREP guideline describes the supervisor activities to test and assess an inst itution’s information systems (see paragraphs 106 and 107) where supervisors should assess whether an institution has effective and reliable information systems and whether these systems fully support risk data aggregation capabilities at normal times as well as during times of stress. According to the SREP guideline, NCA’s should assess whether an institution is at least able to: - Generate accurate and reliable risk data; - Capture and aggregate all material risk data across the institution; - Generate aggregate and up-to-date risk data in a timely manner; and - Generate risk data to meet a broad range of on-demand requests from the management body or NCA. See CP 25 on assessment performed on-site by the NBR only IT expert and findings in this regard. EC8 The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,61 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management can monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s poli cies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. Description and Banks are required to have in place a well-documented new product approval policy findings re EC8 approved by the management body which addresses the development of new markets, products and services and significant changes to existing ones (Article 32 of NBR Regulation 5/2013), the risk management function shall be involved in approving new 61 New products include those developed by the bank or by a third party and purchased or distributed by the bank. 135 ROMANIA products or significant changes to existing products (Article 32) and should have a clear overview of the roll-out of new products (or significant changes to existing products) across different business lines and portfolios, the Compliance function has also the responsibility to verify that new products and new procedures comply with the current legal environment (Article 52). Article 6 of NBR Regulation 5/2013 requires that the management body assesses how the changes within the group's structure, which may derive, without being exhaustive, from the setting up of new subsidiaries, mergers and acquisitions, the sale or dissolution of parts of the group or from developments which are outside the group, affect its soundness Beyond these, there is no specific requirement for banks to have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in major management initiatives (such as changes in systems, processes, business model and major acquisitions). EC9 The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. Description and NBR Regulation 5/2013 sets detailed requirements on risk management: findings re EC9 - Comprehensive scope. Article 38 requires that the risk management function ensures all material risks are identified, measured and properly reported and Article 34–2 requires that the internal control framework (including risk management) covers the bank as a whole, including the activities of all business units, support and control functions; - Independence, authority, resources and segregation from risk-taking functions. Article 37 requires banks to have a risk management function independent from the operational functions and with sufficient authority, stature, resources and access to the management body, in accordance with the size, internal organization and nature, scope and complexity of activities. Article 35–2 also requires all control functions (including risk management) to be independent from the business and support units they monitor and control (as well as organizationally independent from each other); - Report to the management body and senior management. Article 35–2 requires that control functions (including risk management) are established at an adequate hierarchical level and report directly to the management body; and - Review by internal audit. Article 54–2 explicitly mentions that the risk management (and compliance) functions should be covered by the internal audit. The SREP guidelines set out the supervisory activities to assess the adequacy and functioning of the risk management framework. Paragraph 88 of the SREP guidelines state that the supervisor should assess whether effective interaction exists between the management and the supervisory functions of the management body and the setting, overseeing and regular assessment of the internal governance framework with its main components by the managing body. Paragraph 104 sets out the supervisory assessment to ensure there is an independent risk control function (104 (a) to (d)). This paragraph also 136 ROMANIA ensures that the independent risk function has the capacity to report directly to the management body. There is no additional NBR internal methodology to review these aspects. EC10 The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Description and Article 48 of NBR Regulation 5/2013 requires that (i) the head of the risk management findings re EC10 function shall be an independent senior manager with distinct responsibility for the risk management function (where the nature, scale and complexity of the activities of the institution do not justify a specially appointed person, another senior person within the credit institution may fulfil that function, provided there is no conflict of interest) and (ii) the head of the risk management function shall not be removed without prior approval of the management body in its supervisory function and shall be able to have direct access to the management body in its supervisory function where necessary. There is no requirement that this removal generally should be disclosed publicly. Regulation 6 (Article 151) requires that the bank seeks NBR approval “for any amendment intended to replace a person with middle level management position in particularly important activities that has been approved and occupies such a position and designation of another person in his place”; the head of risk management is one of these positions (see CP 9). EC11 The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk. Description and NBR is empowered and issued standards related to credit risk, market risk, liquidity risk, findings re EC11 interest rate risk in the banking book and operational risk (see relevant CPs). EC12 The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that consider the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangement s in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Description and NBR Regulation 5/2013 requires that: findings re EC12 - Information systems must be secure and supported by adequate contingency arrangements (Article 62–1); - A bank needs to establish a sound business continuity management process to ensure its ability to operate on an on-going basis and limit losses in the event of severe business disruption (Article 63); - Based on a careful analysis of a bank’s exposure to severe business disruptions, including quantitative and qualitative assessment of their potential impact using internal and/or external data and scenario analysis (Article 64), a bank shall establish: 137 ROMANIA o Contingency and business continuity plans to ensure it reacts appropriately to emergency situations and can maintain its most important business activities if there is disruption to its ordinary business procedures; o Recovery plans for critical resources to enable it to return to ordinary business procedures in an appropriate timeframe. Any residual risk from potential business disruptions should be consistent with the credit institution’s risk tolerance/appetite. NBR assesses during onsite examinations the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The resolution function is involved in the review of the recovery plans (see CP 5). Such verifications are primarily conducted by the only NBR supervisory staff with appropriate IT skills (see CP 8 and 9). EC13 The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: (a) promotes risk identification and control, on a bank-wide basis (b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks; (c) benefits from the active involvement of the Board and senior management; and (d) is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process Description and NBR Regulation 5/2013 sets detailed requirements on stress testing in line with the findings re EC13 requirement of this criterion. Its provisions cover the following aspects: - Banks shall use stress testing programs taking account its nature, scale, complexity and risk profile (Article 175); - The management body has ultimate responsibility for the overall stress testing program and shall take appropriate management actions (Articles 177–1 and 179–3); - The members of management body (or the relevant designated committee) shall actively engage in the discussion, and where necessary, challenge key modelling assumptions and scenario selection and analyze assumptions underlying the stress tests from a common/business sense perspective (Article 177–1); - Stress tests shall be actionable and inform decision making at all appropriate management levels of a credit institution, including strategic decisions (Article 179); 138 ROMANIA - The bank shall regularly review, and at least annually, its stress testing program and assess its effectiveness and adequacy (Article 181–1); - Stress tests shall cover all significant risks (Article 182) taking into account a comprehensive analysis of the nature and composition of portfolios and an analysis of the environment in which the bank operate; - The bank shall combine sensitivity analyzes and scenario-based analyzes in stress testing programmers (Article 182–3); - Banks shall base their stress tests on exceptional, but plausible, events (Article 187–1); - For capital planning the credit institution shall consider a severe economic downturn (Article 188–1) and correlate the outcomes of the stress testing program with its regulatory capital and resources; - Depending on the outputs of stress, tests the management body shall develop a set of plausible measures to ensure the bank's solvency on an ongoing basis, including in the stressed scenario highlighted by those simulations (Article 201); - Banks shall consider a broad range of mitigating techniques and contingency plans against a range of plausible stressed conditions with a focus on at least a severe but plausible negative scenario (Article 202–1) Based on the SREP guideline, NBR assesses during on-site inspections stress testing programs, covering the appropriateness of the selection of the relevant scenarios, and the underlying assumptions, methodologies and infrastructure, as well as the use of the outcomes. Stress testing outcomes are also to be extensively assessed as part of the SREP process for each of the material risk types: credit risk (see CP18), market risk (CP22), operational risk (CP25), liquidity (CP24), and capital (CP16). EC14 The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. Description and Some specific requirements exist: findings re EC14 NBR Instruction of September 14, 2012 regarding Liquidity Cost Benefit Allocation requires the following: • In order to develop an allocation mechanism, the credit institutions shall have a funding transfer pricing system; • The funding cost benefit allocation mechanism shall have a proper governance structure supporting it; • The overall methodology used within the global liquidity management risk framework shall be approved by the management body in its supervisory function. The resulting internal prices shall be generated in a transparent and consistent manner; • Given the importance of the internal prices for price setting, the management body shall expect that all relevant management levels use the information generated actively and properly; • The prices generated by the agreed methodology shall be used for the internal pricing of liquidity, performance measurement and the appraisal of new products or businesses for all significant business activities; • 5.5 The product approval and internal pricing processes shall be integrated. When the institution is making a risk- and profitability analysis of a potential new 139 ROMANIA product, the implication for the institutions liquidity risk position as well as the potential liquidity cost or benefit of the product shall be taken into account. • NBR Regulation 5/2013 requires a bank to have in place a well-documented new product approval policy approved by the management body, which addresses the development of new markets, products and services and significant changes to existing ones (Article 32–1) NBR follows SREP guideline to perform business model analysis as part of the SREP. Within the guideline, supervisors are expected to include both qualitative and quantitative factors which include risks associated with their internal pricing, performance measurement and new product approval. Supervisors are expected to determine the plausibility and consistency of the assumptions made by the institution that drive its strategy and forecasts; these may include assumptions in areas such as macroeconomic metrics, market dynamics, volume and margin growth in key products, segments and geographies. Additional criteria AC1 The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. Description and other material risks not directly addressed in the subsequent Principles, such as findings re AC1 reputational and strategic risks need to be assessed by banks as part of their ICAAP process. The ICAAP results are reviewed by NBR as part of the SREP process. Assessment of Largely Compliant Principle 15 Comments Regulations set detailed and demanding risk management requirements for banks. Discussions with NBR confirmed the importance placed on risk management during on- site inspections, as well as the familiarity of its staff with key aspects of risk management. NBR has not yet developed an internal methodology (including criteria to be applied where judgment is needed, previous decisions made by NBR, approaches to test specific aspects -e.g., incorporation of risk in internal pricing-, group risk management framework in the cases of subsidiaries etc.). to guide the review of risk management aspects, in addition to the SREP guideline. Such a methodology would help foster the comprehensiveness and consistency of supervisory approaches. Explicit requirements would usefully complement existing supervisory practices on the following aspects: (i) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use, (ii) the banks’ Boards and senior management understand the risks inherent in major management initiatives (such as changes in systems, processes, business model and major acquisitions) and (iii) uncertainties attached to risk measurement need to be recognized. Principle 16 Capital adequacy.62 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in 62The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II, and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for (continued) 140 ROMANIA the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. Essential criteria EC 1 Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. Description and The capital requirements for covering the risks faced by an institution as well as the capital findings re EC1 components are provided by CRR63 and directly applicable to all Romanian credit institutions. (Article 126, Banking Law) Capital requirements that shall be met at all times – Common Equity Tier 1 (CET1) 4.5 percent, Tier 1 capital ratio 6 percent and total capital ratio 8 percent. According to Article 72 of CRR, own funds instruments consist of Tier 1 capital (the sum of the Common Equity Tier 1 capital and Additional Tier 1 capital) and Tier 2 capital. As an example, common Equity Tier 1 items consist of the following: (a) capital instruments, provided that the conditions laid down in Article 28 or where applicable, Article 29 are met; (b) share premium accounts related to the instruments referred to in point (a); (c) retained earnings; (d) accumulated other comprehensive income; (e) other reserves; (f) funds for general banking risk. The capital instruments shall qualify as CET1 instruments only if all the following conditions regarding loss-absorbing characteristics are met: • compared to all the capital instruments issued by the institution, the instruments absorb the first and proportionately greatest share of losses as they occur, and each instrument absorbs losses to the same degree as all other Common Equity Tier 1 instruments; • the instruments rank below all other claims in the event of insolvency or liquidation of the institution; • the instruments entitle their owners to a claim on the residual assets of the institution which, in the event of its liquidation and after the payment of all senior claims, is proportionate to the amount of such instruments issued and is not fixed or subject to a cap, except in the case of the capital instruments referred to in Article 27, etc. compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it. 63 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013R0575&from=EN 141 ROMANIA Likewise, additional Tier 1 and Tier 2 capital instruments defined and related items shall meet certain requirements laid down in CRR (art 51, 52 etc.). According to the most recent data submitted to the NBR, the capital structure reveals a concentration in high quality capital. The total capital ratio of the banking sector in Romania is 19.83 percent. EC2 At least for internationally active banks, 64 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. Description and The definitions of capital, risk coverage, method of calculation, and thresholds for the findings re EC2 prescribed requirements are regulated by CRR and NBR Regulation No. 5/2013, which apply to all Romanian credit institutions. There is no differentiation in the capital requirements for non-internationally active banks and those of internationally active banks. Also, NBR Regulation No. 5/2013 doesn’t provide derogations or exemptions from the applications of the prudential requirements specified by CRR. However, it is noteworthy that in December 2014, the RCAP Assessment Team of the Basel Committee reviewed EU-wide capital framework and concluded that the following features have gaps: definition of capital, standardized approach for credit risk, securitization framework, standardized approach for market risk (“Largely Compliant”), and IRB approach for credit risk (“Materially Non Compliant”), and counterparty credit risk (“Non Compliant”) etc.65 Since most significant divergences between Basel III framework and the EU capital regulation have been identified in the IRB and for the CVA, the deviations of the EU capital framework in relation to the Basel standards do not seem to be material for Romanian banks. However, some elements of the deviations may be significant. For example, in the case of SME exposures under the Standardized Approach in credit risk, capital requirements, both in the EU and abroad, are multiplied by a factor of 0.7619 under the transitional provisions in the CRR. The NBR requires banks to hold capital in excess of the minimum level under Pillar 2 and this practice has been commonly used by the NBR. Banks are required to conduct ICAAP at individual and consolidated levels with the results representing the starting point for the 64 The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis. 65 https://www.bis.org/bcbs/publ/d300.pdf (continued) 142 ROMANIA supervisory assessment. Nonprudential approaches in this field are addressed through supervisory measures and/or setting capital surcharges in cases where not all the risks are captured or the risks are inappropriately covered with capital. EC3 The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)66 entered into by the bank. Both on-balance sheet and off- balance sheet risks are included in the calculation of prescribed capital requirements. Description and In order to remedy the deficiencies at an early stage, the NBR has power to require a credit findings re EC3 institution to take the necessary measures. In this respect, the Romanian legal framework determines the hypothesis in which it is still possible to restore the capital from falling below the minimum level required and it is provided with the powers to address the identified shortcoming. The main power is to request for additional own funds (by using the flexibility provided by the CRD IV to competent authorities), but the available tools are not limited to capital requirements (e.g., another relevant power is to restrict or limit the banks’ business, operations or network). In addition, the NBR has the power to directly impose adjustments to the risk weights and criteria applied for certain exposures (e.g., according to Article 124 CRR) and to impose the counter-cyclical buffer following the recommendation by the Romanian macro-prudential authority (NCMS) under Article 258 NBR regulation No. 5/2013 in order to mitigate the systemic risk identified at the national level. Both on-balance sheet and off-balance sheet risks are included in the calculation of capital requirements as prescribed by the CRR. EC4 The prescribed capital requirements reflect the risk profile and systemic importance of banks67 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. Description and In accordance with the CRR and CRD IV, the prudential tools provided by the Romanian findings re EC4 legal framework reflect the risk profile and a certain degree of systemic importance of banks. Banks shall calibrate capital requirements to address the micro perspective (the risks that banks might be exposed and the results of the stress tests) as well as the macro perspective through stress testing. The macro perspective is enhanced by the capital requirements imposed as counter cyclical buffer and OSII buffers, which are settled via 66 Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006. 67 In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures, and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses. 143 ROMANIA institutional arrangement involving NBR and NCSM (Romanian macro-prudential authority). Article 166 of Banking Law stipulates that the NBR shall review the arrangements, strategies, processes and mechanisms implemented by each credit institution to comply with Banking Law, with CRR, and with the applicable regulations, and shall assess the following risks: • risks to which the credit institution is or might be exposed; • risks that a credit institution poses to the financial system taking into account the identification and measurement of systemic risk under Article 23 of Regulation (EU) No. 1093/2010 etc.; • risks identified by stress tests taking into account the nature, scale and complexity of the credit institution's activities. In addition, the NBR shall determine the risks or elements of risks not covered and is entitled to request additional capital (the so-called “Pillar 2 capital requirements”) (See EC3). The banking law and NBR regulation No. 5/2013 stipulates that credit institutions shall have own funds for capital conservation buffer (2.5 percent) with transitional arrangement, countercyclical capital buffer (currently zero percent), OSII buffer (currently one percent), a systemic risk buffer (currently zero percent). CRR regulates the composition of the leverage ratio, but currently there is no binding leverage ratio requirement for banks. Banks are currently required to compute the leverage ratio, report it to the competent authorities, and to publicly disclose it. At the European Union level, CRR is being amended to include supplemental risk reduction measures, one of these measures being the introduction of a binding 3 percent leverage ratio requirement, beginning in 2019. EC5 The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: (a) such assessments adhere to rigorous qualifying standards; (b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; (c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken; 144 ROMANIA (d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and (e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval. Description and According to CRR, the NBR’s prior permission to use internal models is required for all findings re EC5 internal approaches (IRB/VAR/AMA/IMA) as mentioned in the following Articles: Article 143 (1) for credit risk, Article 363(1) for market risk, Article 283(1) for counterparty credit risk and Article 312(2) for operational risk. For credit institutions that are part of European banking groups, the approval is the result of a joint decision of the competent authorities relevant to the group. Commission Implementing Regulation (EU) 2016/10068 specifies the joint decision process referred to in point (a) of Article 20(1) of CRR with regard to the applications for the permissions referred to in Article 143(1), Article 151(4) and (9), Article 283, Article 312(2), and Article 363 of that Regulation with a view to facilitating joint decisions. The conditions for the approval are set in CRR as well as in other RTSs. Additional provisions that supplement the ones prescribed by CRR and RTSs are set in Regulation No. 5/2013. Regulation No. 5/2013 specifies the elements of the minimum documentation to be provided to NBR accompanied by an internal assessment, requires institutions to have adequate systems and procedures, ensures a solid administration framework and makes further specifications regarding the qualitative standards and quantitative standards of the internal model, including solid and adequate IT systems and providing the legal basis for NBR to comprehensively assess the institution internal model and when necessary, to request further documentation or complementary analysis. Furthermore, NBR approval is required for any material extensions and changes of the rating system or internal models and processes as described in Article 143 (3) for credit risk (IRB Approach), Article 363 (3) for market risk, Article 312 (2) paragraph 2 for operational risk (AMA). In 2017, the NBR approved a significant change of the PD component for the group wide model related to institutions asset class. The NBR shall review at least every 3 years, institutions' compliance with the requirements regarding approaches that require permission by the competent authorities before using such approaches for the calculation of own funds requirements. If the NBR identifies material deficiencies in risk capture by an institution’s internal approach, the NBR shall ensure that these deficiencies are rectified and take the appropriate steps to mitigate their 68http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0100&qid=1502434544539&from=EN 145 ROMANIA consequences by imposing higher multiplication factors, imposing capital add-ons, or by taking other appropriate and effective measures. If an institution has received permission to apply an approach but no longer meets the requirements for that approach, the NBR shall require the institution to either demonstrate to the satisfaction of the NBR that the effect of noncompliance is immaterial or present a plan for the timely restoration of compliance with the requirements with an appropriate implementation deadline. The NBR shall require improvements to that plan if it is unlikely to result in full compliance or if the deadline is inappropriate. If the institution is unlikely to be able to restore compliance within an appropriate deadline and, where applicable, has not satisfactorily demonstrated that the effect of noncompliance is immaterial, the permission to use the approach shall be revoked or limited to compliant areas or to those where compliance can be achieved within an appropriate deadline. In practice, the assessment for approval of whether all the conditions for using the internal models are met is done jointly by the Supervision Department and Financial Stability Department following an on-site inspection at the bank’s premises; a technical analysis of the model is performed by the Financial Stability Department’s staff. The decision is made by the Supervisory Committee of the NBR and is communicated accordingly to the applicant. Currently, two banks were approved for the IRB approach on the credit risk and three banks have the NBR approval to use AMA for operational risk. However, there is no dedicated team or unit within the Supervision Department responsible for evaluating, approving, reviewing and overseeing internal models. EC6 The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing). 69 The supervisor has the power to require banks: (a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and (b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. Description and According to Article 75 in regulation No. 5/2013, ICAAP shall take into account the findings re EC6 institution’s strategic plans and their relation to macro-economic factors. The NBR has the power to require credit institutions to develop a strategy for maintaining capital levels, which shall incorporate factors such as loan growth expectations, future sources and uses of funds and dividend policy, and any variation during an economic cycle of minimum own funds requirement set out according to CRR. 69 “Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing. 146 ROMANIA Credit institutions capital plan shall at least comprise the following: • institution's objectives and the time horizon for achieving those objectives • general description of the capital planning process and the responsibilities for that process • the way the credit institution will comply with capital requirements in the future • any relevant limits related to capital • a general contingency plan for dealing with divergences and unexpected events; for example, raising additional capital, restricting business, or using risk mitigation techniques. In addition, the NBR requires credit institutions to conduct appropriate stress tests which take into account the risks specific to the jurisdiction in which the credit institutions operate and the particular stage of the business cycle among other factors. Credit institutions shall use the results of stress tests in their internal available capital planning process as well as in the calculation of the internal capital requirements consistent with their risk profile. In particular, regulation No. 5/2013 Title II, Chapter IV – Stress tests stipulates credit institutions shall take forward-looking view in their risk management, strategic planning and capital planning using the stress testing tool. Furthermore, to determine the appropriate level of own funds, the NBR shall assess the adequacy of capital taking into account the assessment of systemic risk (Article 226) AC1 For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks. Description and In Romania, the capital requirements, including the definition of capital, the risk coverage, findings re AC1 the method of calculation, the scope of application and the capital required are regulated by CRR, Directive 2013/36/EU and NBR Regulation No.5/2013, which apply to all credit institutions. Therefore, the requirements for non-internationally active banks are the same as for internationally active banks. NBR Regulation No. 5/2013 doesn’t provide derogations or exemptions from the applications of the prudential requirements specified by CRR. AC2 The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks. 70 Description and Capital adequacy is assessed both at individual and consolidated levels depending on the findings re AC2 existence of a prudential consolidation perimeter. Therefore, for banks that have a prudential consolidation perimeter the total SREP capital ratio is determined separately at individual and consolidated levels following the same approach. 70 Please refer to Principle 12, Essential Criterion 7. 147 ROMANIA A proper distribution of capital within different entities of a group is mainly ensured by the general treatment provided by CRR in relation with prudential requirements applicable at individual level even if the requirements are applicable at the consolidated level. Assessment of Largely Compliant Principle 16 Comments Romania is subject to EU common regulatory framework, and applies the CRR and CRD IV. The CRD IV has been transposed into Romania regulation No. 5/2013 on different capital buffers. However, it is noteworthy that in December 2014, the RCAP assessment team of the Basel Committee reviewed EU-wide capital framework and concluded that certain features deviated from Basel standards. In Romania, two banks have been approved to use advanced approach to calculate credit risk regulatory capital and three banks for operational risks. Although the number of banks applying the advanced approach is small, those banks using the approach are large banks with considerable percentage based total own funds requirement (Credit risk: 17 percent, Operational risk: 38 percent). There is no dedicated team or unit within the SD responsible for evaluating, approving, reviewing and overseeing banks’ internal models. Although the FSD has a quantitative assessment division, which assists the SD whenever supervisors need to approve advanced approach in a certain bank or validate internal models, they are not involved with supervision on an ongoing basis. There would be an increasing need to devote more supervisory attention to risk model in banks used for their own risk management purposes, as well as regulatory capital calculation. Although the majority of banks apply a standardized approach in Romania, NBR examiners should more focus on periodic validations and independent testing of different models in banks even when the banks are not generating inputs for the regulatory capital calculations. In particular, the NBR will have to consider strengthening supervisory capacity within the SD in the area of supervision of banks applying Basel II advanced models on an ongoing basis. The authorities should consider the following activity: • Devote further supervisory attention to risk models including advanced approach for regulatory capital calculation (e.g., establish a dedicated unit for more periodic and rigorous model reviews and validation) Principle 17 Credit risk.71 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk 72 (including 71 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 72 Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities. (continued) 148 ROMANIA counterparty credit risk)73 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. Essential criteria EC1 Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. Description and The banking law and NBR Regulation 5/2013 require banks to have appropriate credit risk findings re EC1 management processes that provide a comprehensive bank-wide view of credit exposures. The banking law requires banks to have comprehensive risk management processes (including credit risk management processes), consistent with the bank’s risk profile. NBR Regulation 5/2013 sets more detailed requirements on the scope and objectives of the credit risk management framework (see CP 15 on broader aspects related to the risk management process): • Article 24 of the banking law disposes that: “(1) every credit institution shall have robust governance arrangements, which include a clear organizational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management. (2) The governance arrangements, processes and mechanisms referred to in paragraph (1) shall be comprehensive and proportionate, related to the nature, scale and complexity of the risks inherent in the business model and of the credit institution's activities.” • Article 83 of NBR Regulation 5/2013 (section 2.1.1.1 General provisions on credit risk) disposes that: “Credit institutions shall have in place an appropriate risk management process that takes into consideration the risk appetite and risk profile of the credit institution, as well as market and macroeconomic conditions. It includes conservative policies and processes to identify, measure, assess, monitor, report and control or mitigate credit risk (including counterparty credit risk), in a timely manner” • Article 495 of NBR Regulation 5/2013 states that: “(1) The senior management of a credit institution shall ensure, on an ongoing basis, that the control mechanisms and measurement systems adopted by the credit risk control unit are adequate and that the overall internal ratings based approach system remains effective over time. (2) The senior management of a credit institution shall have a good understanding of the lending policies, underwriting standards, lending practices, and collection and 73 Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments. 149 ROMANIA recovery practices, and shall understand how these factors affect the estimation of relevant risk parameters.” The EBA SREP guidelines implemented by NBR (both for off and on-site supervision) sets more detailed supervisory expectations and identify more detailed topics which need to be reviewed by NBR (in particular to ensure credit risk management processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, taking into account market and macroeconomic conditions and resulting in prudent standards of credit underwriting, evaluation, administration and monitoring). Section 6.2.3 of the SREP guidelines cover the assessment of credit risk management and controls with detailed requirements set on • Credit risk strategy and appetite. This includes a requirement for supervisors to review whether: “d) whether the institution’s credit risk strategy is appropriate for the institution given its: business model, overall risk appetite, market environment and role in the financial system, and financial condition, funding capacity and adequacy of own funds.” and “f) whether the institution’s credit risk strategy broadly covers all the activities of the institution where credit risk can be significant.” • the organizational framework, • policies and procedures, • Risk identification, measurement, monitoring and reporting, • Internal control framework. These aspects are primarily addressed by NBR during annual on-site examinations. While a detailed on-site examination manual could usefully complement SREP guidelines and better ensure that the work is conducted in a systematic and consistent fashion (see principle 9 on supervisory techniques and tools), discussions with NBR indicate that its staff ensure that credit risk management processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank. In a typical on-site examination, one or two team members focus exclusively on credit risk management processes (including reviewing a sample of credit files), while others assess other relevant aspects (e.g., review of the risk appetite as part of the business model analysis). When significant deficiencies are identified, increased attention can be paid to such issues (as was the case in bank then sanctioned in 2016, see below). As a follow-up to on-site examinations, recommendations on strengthening credit risk management processes are regularly made to banks. A bank was sanctioned in 2016 with a written warning due to inadequate credit policies and insufficient provisioning; its Board members and senior management also received written warnings in 2017 for similar reasons (see EC3 for additional examples of sanctions taken in 2017). Relevant information to assess the credit risk management frameworks is also received by the off-site divisions: • Annual reports bank file with NBR on risk management (Article 673–1 of NBR Regulation 5/2013) and the internal capital adequacy assessment process, ICAAP 150 ROMANIA (Article 674–1 of NBR Regulation 5/2013). The team was informed that these were systematically reviewed and deficiencies acted upon, but few details are provided by the supervisor on its expectations regarding the content of such reports, no methodology exist to review them in a systematic and consistent manner, and the analyses performed are not documented beyond the letters exceptionally sent to banks when serious shortcomings are identified (see principles 8 and 9); • Credit risk management procedures [Article 671–1 of NBR Regulation 5/2013). These are not systematically reviewed, nor have internal guidelines on how to prioritize and conduct such reviews been prepared (see principles 8 and 9). NBR indicated that reviews of such procedures are conducted when needed (e.g., to follow on the implementation of recommendations of on-site inspections) and actions taken when appropriate. The regulation and supervision of credit risk management falls exclusively within the responsibility of the home supervisor for branches of EU banks (10.5 percent of banking assets at end 2016). NBR belongs to the college of supervisors of the largest branch present in Romania (67 percent of assets held by all branches of EU banks), where credit risk management issues are discussed. EC2 The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming, 74 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the policies and processes. Description and NBR Regulation 5/2013 sets requirements for the Board to approve and review credit risk findings re EC2 management policies (and ensure these are consistent with the risk appetite) and for senior management to develop related policies and procedures and implement such strategy. • Article 84–1 indicates that: “the credit institutions’ Board approves, and regularly reviews (at least once in a year), the credit risk management strategy and significant policies and processes for assuming, identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. These strategies, policies and processes must cover the credit institution’s activities for which the credi t exposure leads to a significant risk. • Article 84–2 indicates that: ”senior management implements the credit risk strategy and develops the policies and processes mentioned at point 1. Such aspects are mostly assessed during on-site inspections. On-site inspection teams do not meet with nonexecutive Board members (see CP 9 on supervisory techniques and 14 on corporate governance), but ensure that adequate credit risk management strategy 74 “Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments. 151 ROMANIA and asociated policies and procedures exsite and review Board (and Board committee) minutes to check that the strategy and associated policies and procedures have been adequately discussed and approved. NBR mentioned as examples of shortcomings identified in 2016 and 2017 one case where limits had not been recently reviewed by the Board and another where Board minutes were lacking thus preventing a review by NBR (see EC3 for detals of a 2017 sanction related to the lack of Board approval of procedures). EC3 The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: (a) a well-documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; (d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; (e) prudent and appropriate credit limits, consistent with the bank’s risk app etite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits. Description and Regulations 5 and 16 sets detailed requirements on credit risk management policies and findings re EC3 procedures which mirror those of this essential criterion: • Article 87 of NBR Regulation 5/2013 mentions that : ”credit institutions must have in place policies and proceses that establishes an appropriate and properly controlled credit risk environments, including: a) a well documented and effectively implemented strategy and sound policies and processes for assuming credit risk and pricing, without undue reliance on external credit assessments; where own funds requirements are based on a rating by an External Credit Assessment (ECAI) or based on the fact that an exposure is unrated, this shall not exempt institutions from additionally considering other 152 ROMANIA relevant information for assessing their allocation of internal capital; b) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, contractual requirements, collateral and other forms of credit risk mitigation; furthermore, Article 86 b) and c) requires credit institutions to have effective systems for the ongoing administration and monitoring of credit risk bearing exposures, as well as internal methodologies that enable them to assess credit risk exposures to individual obligors; c) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board on an ongoing basis; d) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; e) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and f) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.” • Article 89 of NBR Regulation 5/2013 mentions that: ”credit institutions shall have well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for modifying, renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures.” • Article 5–4 of Regulation 16 requires that: ”the financial performance category of the debtors, legal persons, shal be determined at least twice a year.” 75 These aspects are primarily assessed during annual on-site inspections (see EC1 on relevant aspects covered by the off-site supevrisory process). Weaknesses identified during on-site examinations led to sanctions (wither due to their seriousness or the absence of adequate and timely corrective measures). Some sanctions taken in 2017 (and published on the NBR website by November 11, 2017) refkect measures taken in this area: • Written warning to a bank due to serious weaknesses in its evaluation and monitoring of credit risk; • Fine of 20,000 lei (ca. 4,000 USD) for various breaches including lack of formulation and implementation of comprehensive criteria for the identification of all nonperforming exposures, lack of adequate procedures to monitor nonperforming exposures with have been restructured and Inadequate review of the capacity of nonresident debtors to repay foreign exchange exposures; Fine of RON 25,000 (ca 6,250 USD) for failure to have some key credit risk management procedures (e.g., identification of nonperforming exposures and classification of 75 Regulation No. 16/ 2012 on classification of loans and investments, as well as the establishment and use of prudential value adjustments was repealed by Regulation 1/2018 starting with February 14, 2018. 153 ROMANIA restructured exposures, credit norms for individuals, mortgage and consumer loan approval procedures) approved at Board level (approval was only at senior management level) and weaknesses in the credit administration process (defective process for the automatic repayment of credit, resulting in undue penalities and recording of undue revenues. EC4 The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. Description and NBR Regulation 5/2013 sets detailed requirements which mirror and complement those of findings re EC4 this essential criterion: • Article 93 requires that: ”credit institutions shall have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including unhedg ed foreign exchange risk.” • Article 94 disposes that: ”in order for the credit institution’s capital to be maintained at a level that ensures business continuity and ongoing loss absorption capacity, credit institutions shall adequately incoporate in their internal risk management systems the foreign currency lending risks related to unhedged borrowers.” • Article 3-1-16 defines: ” natural hedge operation - an operation within which the obligors receive income denominated or indexed in the foreign currency in which the loan is granted, including the collection of cash from transfers or exports.” For individuals, NBR has a long experience in monitoring and regulating Debt service to Income (DSTI) and Loan to Value (LTV) ratios 76. The DSTI and LTV caps have undergone several changes since their first implementation in early 2004. From their implementation in early 2004, these prudential measures have been applicable to all credit institutions (including branches, except in 2007–2011). In 2003, the DSTI cap was set at 30 percent for consumer loans and 35 percent for mortgage loans and the LTV cap was set at 75 percent. In 2007 as Romania joined the EU, the NBR eliminated explicit caps on DSTI and LTV and requested banks to set up their own rules for establishing maximum indebtedness’ levels, differentiated by classes of risk for borrowers5. The NBR introduced in 2008 a new approach based on the mandatory assessment of debtors’ capacity to repay their debt in a stress scenario and the requirement for lenders to calibrate the DSTI level (at origination) in such a way that debtors should not exceed the maximum indebtedness level over the entire life of the loan. NBR teams confirmed that policies and processes to monitor the total indebtedness of entities to which they extend credit (and any risk factors that may result in default including significant unhedged foreign exchange risk) were reviewed during on-site examinations. Attention is paid to criteria taken into account in banks’ credit risk management procedures (e.g., types of loans, fixed or variable rate, loan maturity, FX loan, hedged or unhedged borrower, unemployment etc.) and their implementation. Regarding 76 See NBR, Implementing loan-to-value and debt service-to-income measures: a decade of Romanian experience, Occasional paper, June 2015 154 ROMANIA the content of internal procedures, banks must convince NBR they found the right balance (in the absence of specific guideless for supervisors, expert judgment is then used by NBR). In 2017, one sanction was taken by NBR based on shortcomings identified in this area (see EC 3). Recommendations made to banks in 2016 (a small sample of which was provided and reviewed as part of this BCP assessment) included a case where NBR required a bank to reassess certain debtors (i.e., analysis of capacity and real possibility of debt’s reimbursement on due date and adequate additional adjustments for depreciation). EC5 The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. Description and NBR Regulation 5/2013 requires that banks make credit decisions free of conflicts of findings re EC5 interest and on an arm’s length basis: • Article 88 requires that: ”credit institutions must ensure that they make independent credit decision, free of conflicts of interest, influences or pressures”. • Article 109–1 states that: “The credit institution will not carry out other non-arm's length transactions than the ones provided by packages of remunerative measures and incentives for employees of the entities which are members of the credit institution's group, where those packages provide non-arm's length transactions which, if they are carried out by a member of a group of individuals exercising a significant influence, acting as employees a) are broadly available for the employees of the entity/entities within the credit institution's group, in which the group of individuals with significant influence has or exercises such an influence and b) do not favor any member of the group of individuals with significant influence over the employees of the entities in which that group of individuals with significant influence has or exercises such an influence. (2) Non- arm's length transactions allowed according to paragraph (1) will be carried out exclusively in relation to employees.” Non-arm’s length transactions are defined in Article 108 f and a non-exhaustive list of such situations mentioned (with Article 109–4 empowering NBR to establish if a transaction is done on an arm’s length basis). Compliance is assessed on-site. No material issues were reported in this regard. EC6 The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activ ities. Description and NBR Regulation 5/2013 requires that major and particularly risky credit exposures are findings re EC6 decided by the bank’s senior management. • Article 90 requires that: ”the credit policy of a credit institution shall prescribe that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital, as well as those credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities, are to be decided by the credit institution’s senior management.” 155 ROMANIA The Board is not expected to approve such exposures. There is no specific regulatory requirement for the Board to be informed of such approvals by senior management (see CP 14 on corporate governance), although NBR indicated that the existence of such provisions in internal policies and their implementation is systematically reviewed during on-site examinations. EC7 The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. Description and Laws and regulations provide NBR with full access to information in the credit and findings re EC7 investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. • Article 171–1 of the banking law indicates that: “credit institutions are compelled to allow the staff of the National Bank of Romania and other persons authorized to carry out the inspection, to examine their reports, accounts and operations and to provide all the documents and information related to the activity performed, as they are requested. • Article 171–2 of the banking law indicates that: “credit institutions shall provide to NBR all the necessary information in order to assess their compliance with all prudential requirements stipulated in this OUG, the EU Regulation No. 575/2013 and all other relevant Delegated Regulations. The internal control mechanisms and administrative procedures of credit institutions shall allow the verification of compliance with prudential requirements at any time.” NBR indicated it never faced any challenge in getting access to appropriate information and persons, when needed. EC8 The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. Description and NBR Regulation 5/2013 requires banks to include their credit risk exposures into their findings re EC8 stress testing programs for risk management purposes • Article 178–1 requires that: ”the stress testing program shall be an integral part of an institution’s risk management framework and be supported by an effective infrastructure.” • Article 178–3 requires that: `stress testing must be as an integral part of the Internal Capital Adequacy Assessment Process (ICAAP). The ICAAP shall be forward-looking and consider the impact of a severe scenario that could impact the institution. The ICAAP shall demonstrate that stress testing reports provide the management body and senior management with a thorough understanding of the material risks to which the credit institution may be exposed.” • Section 7.3 sets detailed requirements on credit risk stress testing. Article 212 requires that: “(1) Credit institutions shall perform stress tests to assess the potential credit losses and the changes in capital requirements due to, for example, changes in credit quality and collateral values. (2) For credit losses estimation, credit institutions shall develop models and approaches which challenge historical relations and data. ” • Article 75–6 indicates that: “credit institutions shall use the results of the stress testing both in the process of planning the available internal capital, and in determining the internal capital requirements adequate for the risk profile.” NBR mentioned this was reviewed during on-site examinations. It indicated that it could observe that some banks effectively reviewed their limits following the conduct of stress 156 ROMANIA tests. Stress tests are generally performed directly by risk management units, which facilitates their integration in the broader risk management framework. NBR mentioned one example where a bank had not properly taken into account results of stress tests for ICAAP purposes (adequate corrections were made following NBR recommendations). Assessment of Compliant Principle 17 Comment Key regulatory requirements regarding credit risk management are covered by the banking law and NBR Regulation 5/2013 (which were significantly strengthened based on new EU requirements after 2013 and the Romanian experience with problem assets, see CP 18). NBR implements a thorough supervisory process, with an emphasis on credit risk - the main risk of Romanian banks-. NBR regularly requires corrective actions, in this area, or take sanctions where appropriate (three banks were sanctioned due to weaknesses in their credit risk management frameworks over the first nine months of 2017). For subsidiaries of EU banking groups, as well as for the main branch of an EU banking group, these issues are addressed by supervisory colleges (including the parent group’s consolidated credit risk management framework). Principle 18 Problem assets, provisions and reserves.77 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves. 78 Essential criteria EC1 Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. Description and NBR has prudential responsibilities for banks, while financial reporting and the accounting findings re EC1 framework are essentially set by the EU and other Romanian authorities (see EC 27 on financial reporting). This did not prevent NBR from taking appropriate actions to deal with the NPL crisis in 2009–2015 (see below). The banking law and NBR Regulation 5/2013 require banks to formulate policies and processes for identifying and managing risks, including problem assets: • Article 24–1 of the banking law requires that: “every credit institution shall have robust governance arrangements, which include […] effective processes to identify, manage, monitor and report the risks it is or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management.” • Article 86 of NBR Regulation 5/2013 indicates that: ”with regard to credit and counterparty risk credit institutions shall have in place: […] b) effective systems for the ongoing administration and monitoring of the various credit risk-bearing portfolios and exposures of institutions , including for identifying and managing 77 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 78 Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit). 157 ROMANIA problem credits and for making adequate value adjustments and provisions , c) internal methodologies that enable them to assess the credit risk of exposures to individual obligors, securities or securitisation positions and credit risk at the portfolio level.” Banks are required to perform a regular review of their problem assets and asset classification: • For prudential purposes, Article 87–b of NBR Regulation 5/2013 indicates that: “credit institutions shall have in place policies and processes that establish an adequate and appropriately controlled environment for the credit risk that includes: […] b) effective policies and credit management processes, that include the ongoing examination of the capacity and availability of customers to repay debts at maturity (including the review of the performance of underlying assets in case of securitization exposures), monitoring the documentation, contractual clauses, guarantees and other forms of credit risk mitigation . ” • For financial reporting purposes, paragraph 58 of IAS 39 indicates that: “an entity shall assess at the end of each reporting period whether there is any objective evidence that a financial asset or group of financial assets is impaired. If any such evidence exists, the entity shall apply paragraph 63 (for financial assets carried at amortized cost), paragraph 66 (for financial assets carried at cost) or paragraph 67 (for available-for-sale financial assets) to determine the amount of any impairment loss.” NBR dealt over the past decade with a large increase in NPLs. Based on a narrow definition of NPLs (loans more than 90 days past due or for which a legal procedure has been initiated) then implemented for prudential reporting, NPLs increased from 7.9 percent of gross loans at end 2009 to 21.9 percent at end 2013. NBR took multiple actions, mostly though recommendations, to ensure the adequate recognition and coverage of these problem assets. An NPL resolution plan was prepared in 2014 as part of the Vienna initiative and guided NBR’s efforts, including: • NBR recommended banks in 2014 to: o Ensure all NPLs which repayment was more than 360 days past due, and where no judicial procedures were ongoing, were fully covered with IFRS provisions; o Ensure at least 90 percent of exposures on debtors in insolvency (without an ongoing reorganization plan) were provisioned; • NBR recommended in 2015 to outlier banks to conduct an independent review of external of collateral valuation (i.e., banks which provisioning levels on exposures on insolvent debtors were below the industry average of 73 percent). About 20 companies can perform independent collateral reviews (and are licensed for this purpose by the National Association of Valuators in Romania (ANEVAR)). Findings did not lead to large adjustments; • NBR recommended banks in 2016 to ensure unsecured loans with repayment of principal or interest more than 180 days past due are fully covered with IFRS provisions; • NBR recommended that interim accounts at June be audited in June 2012, June 2013 and June 2014. This resulted in the early recognition of significant additional provisions (about 600 million EUR in June 2012, 60 MEUR in June 2013 and 700 M EUR in June 2014); 158 ROMANIA • NBR recommended banks in 2014–2016 to move fully provisioned nonperforming exposures off-balance sheets, while ensuring their claims on debtors on debtors remain valid; • NBR performed asset quality reviews (AQRs), based on the methodology developed by the EBA for three large domestic banks (subsidiaries and branches of large banking groups were covered as part of separate AQRs across the EU). Corrective actions were required when appropriate. The implementation of these measures was closely monitored through both the on- and off-site supervisory processes, including through review of loan performance during on- site missions and close coordination with external auditors, where appropriate. Their effective implementation facilitated the timely recognition and coverage of problem assets in Romania. Besides, the EBA issued in May 2017 a guideline on credit institutions’ credit risk management practices and accounting for expected credit losses (ECL Guideline), which NBR intends to implement in 2018 (i.e., this guideline is not yet implemented in Romania; where needed, amendments to NBR Regulation 5/2013 are expected to be made after this BCP assessment. This EBA guideline builds on the guidance on credit risk and accounting for expected credit losses issued in In December 2015 by the BCBS and aims at facilitating a sound implementation of IFRS 9 which will replace IAS 39 in the EU in January 2018. They include detailed guidance for banks organized around eight principles: management body and senior management responsibilities, sound expected credit losses (ECL) methodologies, credit risk rating process and grouping, adequacy of the allowance, ECL model validation, experienced credit judgement, common processes systems tools and data, disclosure. The implementation of this EBA guideline will facilitate a consistent and systematic approach by the NBR in this area, as NBR does not have written internal methodologies for on-site examinations (or off-site reviews) covering problem loans. EC2 The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes Description and NBR indicated that its on-site teams systematically review rating, classification and findings re EC2 provisioning policies during their annual on-site examinations (and test their implementation based on a review of a sample of exposures). All banks have rating systems, with different levels of sophistication based on their size (the smallest ones largely rely on the 5 categories defined in Regulation 16), while two banks implement sophisticated approaches related to their IRB frameworks). Rating, classification and provisioning policies are also received by the off-site department and can be reviewed, where needed. As described in EC 1, NBR also required banks to involve external auditors and independent valuers in the review of banks’ classification and provisioning policies in recent years, as banks had to recognize and cover large amounts of problem assets. 159 ROMANIA NBR intends to amend NBR Regulation 5/2013 in 2017 to implement the 2017 ECL guidelines issued by the EBA. This will usefully complement the existing high-level requirements on credit risk management covered by the banking law and NBR Regulation 5/2013 with such new detailed requirements for banks as ensuring that: • the policies and procedures are sound and consistent with the credit risk strategy, and cover all the main businesses and processes relevant to managing, measuring and controlling credit risk: o credit-risk measurement and monitoring: for example, criteria for identifying groups of connected counterparties; criteria for assessing borrowers’ creditworthiness and collateral evaluation and frequency for their review; criteria for quantifying impairments, credit valuation adjustments and provisions; and o credit management: for example, criteria for reviewing products, terms and conditions; criteria for applying forbearance practices or restructuring; criteria for loan classification and management of NPLs; The credit risk rating system captures all lending exposures when assessing the impact of changes in credit risk, and not only those that may have experienced significant increases in credit risk, have incurred losses or are otherwise credit impaired. This is to allow for an appropriate differentiation of credit risk and grouping of lending exposures within the credit risk rating system, and to reflect the risk of individual exposures as well as, when aggregated across all exposures, the level of credit risk in the portfolio. In this context, an effective credit risk rating system should allow credit institutions to identify both migration of credit risk and significant changes in credit risk. EC3 The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.79 Description and Banks are required to ensure off-balance sheet exposures are adequately considered in findings re EC3 the credit risk management process. Article 83 of NBR Regulation 5/2013 requires banks to have in place an adequate credit risk management process including prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk and explicitly mentions that credit risk may result from both on-balance sheet and off- balance sheet exposures. Off-balance sheet exposures were not clearly covered in classification and provisioning requirements until 2012, when IFRS standards were introduced for Romanian banks. Since 2012, off-balance sheet exposures are clearly included within the scope of IAS 3980 (they are also clearly covered by prudential reporting requirements to NBR). On-site 79 It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled. 80 Not all of the off-balance sheet exposures are included within the scope of IAS 39. According to IAS 39, a scope exclusion has been made for loan commitments that are not designated as financial liabilities at fair value through profit or loss, cannot be settled net in cash or by delivering or issuing another financial instrument, and do not involve a loan at a below-market interest rate (see the provisions of IAS 39.2 (h) and IAS 39.4). As regards the financial guarantees, the scope of IAS 39 includes only financial guarantee contracts issued, except for those accounted for as insurance contracts, according to IFRS 4. 160 ROMANIA examinations look at the assessment of off-balance sheet exposures and verify that internal management information systems adequately capture such exposures. NBR indicated that no material issue was identified in recent years. EC4 The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. Description and The EBA SREP Guidelines requires the supervisor (i) to assess that banks have appropriate findings re EC4 policies for the identification, management, measurement and control of credit risk, including credit-risk measurement and monitoring (e.g., criteria for assessing borrowers’ creditworthiness and collateral evaluation and frequency for their review; criteria for quantifying impairments, credit valuation adjustments and provisions) and credit management (e.g., criteria for reviewing products, terms and conditions; criteria for applying forbearance practices or restructuring; criteria for loan classification and management of NPLs) (paragraph 182) and (ii) to determine whether the level of loan loss provisions and credit valuation adjustments are appropriate for the quality of the exposures and, where relevant, for the level of collateral (paragraph 175). The supervisor is also expected to determine whether loan loss provisions are consistent with relevant macro-economic developments. As mentioned, the banking law requires NBR to implement the SREP process (Article 164). These aspects (including the timeliness and adequacy of provisions and write-offs) are systematically reviewed as part of the full-scope on-site examinations conducted on an annual basis. As mentioned in EC1, NBR issued recommendations to banks in 2014, 2015, and 2016 for banks to write-off specific types of exposures in a timely manner (i.e., required exposures to be derecognized and moved off-balance sheet when it did not have reasonable expectations for recovery). NBR observed that in the first years following the NPL crisis, banks were reluctant to write-off exposures and that its recommendations helped speed up this process and the clean-up of credit portfolios across the industry. NBR recommendations usefully complemented broad requirements set by IFRS standards on write-off policies (e.g., IFRS 7 require banks to disclose their write-off policy, including the indicators that there is no reasonable expectation of recovery and information about the policy for financial assets that are written-off but are still subject to enforcement activity). For prudential purposes, the methodological rules annexed to NBR order 6/2014 (FINREP reporting) includes detailed instructions on the reporting of write-offs using FINREP templates. As of January 2018, IFRS 9 (paragraph 5.4.4) and the new FINREP reporting framework according to IFRS 9 (applicable starting with January 1, 2018) will specifically indicate that write-offs should be considered as derecognition events (unlike IAS 39 and NBR order 6/2014 which are not specific in that respect).81 EC5 The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). 81 NBR Order 6/2014 was repealed and replaced by Order 9/2017, as of November 14, 2017. 161 ROMANIA The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). Description and NBR regularly checks that banks have appropriate policies and processes, and findings re EC5 organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations (and makes recommendations accordingly). Beyond the SREP guideline, there is however no specific methodology for conducting such specific work on- and off-site (see CP 8 and 9). During full-scope on-site examinations conducted annually (or when classification and provisioning policies received by the off-site supervision departments are reviewed), NBR assesses banks’ provisioning policies, including criteria on the number of days past due before an exposure is classified. Although IAS 39 does not set specific requirements in this regard, banks tend to implement at a minimum the criteria set in regulation 16 which defines prudential filters (i.e., all exposures which are more than 90 days past due have to be classified in the loss category); the methodological rules annexed to NBR Order No. 6/2014 and NBR Order No. 5/2014 also specifically indicate that all material exposures which are more than 90 days past due have to be classified as nonperforming exposures. During on-site examinations, NBR tests banks’ treatment of assets with a view t o identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). Information on performing and nonperforming exposures with forbearance measures which are included in regular FINREP reporting can facilitate the identification of attempts at circumventing classification and provisioning requirements. Tests conducted during on-site examinations are based on the review of a sample of credit files. The sample is defined by the examination team at the beginning of its work, based on its expert judgment. There is no internal methodology or guideline on the way such sample should be determined. NBR mentioned that it frequently requested banks to adjust the classification and provisioning of some exposures, but had not identified systematic attempts to circumvent existing rules in a recent past. NBR intends to amend NBR Regulation 5/2013 in 2017 to implement the 2017 ECL guidelines issued by the EBA, which will usefully complement existing requirements. The EBA guidelines require that: • Banks should have credit risk assessment and management processes in place to ensure that significant credit risk increases are detected well ahead of exposures becoming past due or delinquent (paragraph 135); • When adopting a definition of default for accounting purposes, banks should be guided by the definition used for regulatory purposes provided in Article 178 of Regulation (EU) 575/2013, which includes both a qualitative criterion (“unlikely to pay”) and an objective indicator (obligor is past due more than 90 days”) (paragraph 89); Banks should take care of the possible circumvention of the classification and rating requirements, including rescheduling, refinancing or reclassification of lending exposures (paragraph 40). EC6 The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The 162 ROMANIA supervisor requires banks to have adequate documentation to support their classification and provisioning levels. Description and NBR has full access to information concerning the classification of assets and provisioning findings re EC6 and obtains information on a regular basis and in relevant detail. The supervisory reporting framework of the EBA (as introduced in Romania by order 6) governs the collection by supervisors of data on impaired loans and debt securities, non- performing exposures, forborne exposures, as well as past-due loans and securities and associated impairment (see templates FINREP F4, F7, F12, F18, and F19 in Annex 3 of the ITS on supervisory reporting). The following reporting template are particularly relevant in the context of this CP: • F 18.00 – Information on performing and non-performing exposures which presents the information on performing and non-performing exposures, including the gross carrying amount / nominal amount, accumulated impairment, the accumulated negative changes in fair value due to credit risk and provisions and maximum amount of the collateral or guarantee that can be considered. • F 19.00 – Information forborne exposures which presents the information on forborne exposures, including: the gross carrying amount / nominal amount, accumulated impairment, the accumulated negative changes in fair value due to credit risk and provisions and maximum amount of the collateral or guarantee that can be considered. • F 12.00 - Movements in allowances for credit losses and impairment of equity instruments which presents the movements in allowances for credit losses and impairment measured under IAS 39. The reporting frequencies for these templates are the followings: - F 18.00 and F 19.00 – Solo monthly and consolidated quarterly. - F 12.00 - Solo and consolidated quarterly. Additional reporting requirements have been introduced at the domestic level (based on Article 165 of the banking law), including monthly information on individual non– performing exposures (since June 2013), quarterly information on 500 largest restructured exposures, quarterly information on individual exposures on insolent companies (monthly reporting initially). Information on write-offs was periodically requested (and is currently assessed based on information collected by the credit reference bureau). EC7 The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. Description and As IFRS standards were introduced for banks in 2012 (see CP 26), NBR issued regulation findings re EC7 16/2012 on the classification of credits and investments, as well as the establishment and use of prudential value adjustments (Regulation 16) to assess whether the classification of the assets and the provisioning was adequate for prudential purposes and to require adjustments for prudential purposes (“prudential filters”) when needed. The provisions of Regulation 16 apply on a solo basis to banks implementing the standardized approach for credit risk (only two banks are allowed to use IRB approaches). 163 ROMANIA After the implementation of IFRS and the repeal of NBR specific classification and provisioning requirements, Regulation 16 introduced a regime largely inspired by previous NBR classification and provisioning requirements. Banks need to (i) classify their credit exposures in five categories (standard, watch, substandard, doubtful and loss) primarily based on the numbers of days past due, the existence of a judicial proceedings and the financial performance of the debtor; (ii) to deduct eligible credit mitigation techniques from exposures and (iii) eventually to apply prudential adjustment coefficients (former provisioning coefficients) per category which are slightly higher for foreign currency exposures than for domestic currency exposures. The difference between the prudential amount so computed and IFRS provisions is deducted from own funds for the computation of the capital adequacy ratio, large exposures, related party exposures and the sensitivity of the economic value to an interest rate shock. It was indicated that without these prudential filters the average capital adequacy ratio of the banking system would have been 200-300 basis points higher in 2012 (it stood at 14.7 percent at end 2012). The EU CRR (Article 481) allowed such prudential filter only until the end of 2017 and required their gradual phasing out (20 percent only of the prudential filter computed according to regulation 16 are applied). Prudential filters will be prohibited starting in 2018 and banks will start implementing the provisions of IFRS 9 (replacing IAS 39). NBR indicated that based on a preliminary analysis of an impact study of IFRS 9 implementation based on data at June 2017, the implementation of IFRS 9 is expected to lead to an increase in provisions across the system roughly equal to the prudential adjustments made in 2017. The impact of the implementation of IFRS 9 would thus be minimal on prudential ratios. With the phasing-out of prudential filters at the end of 2017, NBR will not be allowed to set new prudential adjustments applicable to the entire industry. It will retain its power to apply such measures to individual banks when necessary. The banking law disposes that where a bank does not meet or is likely not to meet prudential requirements (Article 226- 1), NBR can take corrective actions including requiring the bank “to apply a specific provisioning policy or treatment of assets in terms of own funds requirements” ( Article 226-3-c) or to hold additional capital (Article 226-3-a). Following on-site missions, banks tend to book provisions required by NBR in their financial accounts. Should this not be the case, NBR could take action (I) because a bank is not adequately implementing its own provisioning policies or (ii) because its provisioning policies are not adequate (see corrective powers described in the previous paragraph). EC8 The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. Description and NBR Regulation 5/2013 requires banks to have appropriate mechanisms in place for findings re EC8 regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. It requires banks to have “effective credit administration policies and processes, including […] monitoring of […] collateral and other forms of credit risk mitigation ( Article 87)”, to ensure immovable collateral (incl. real estate) is enforceable and recoverable (Article 91), valued based on international valuation standards and, for collateral located in 164 ROMANIA Romania, guidelines on valuation issued by the ANEVAR (Articles 92-1 and 92-2) and valued by “persons having the qualification, competences and experience necessary to perform a valuation and who are independent of the decision-making process related to the loan” (Article 92–3). NBR mentioned that since July 2016, ANEVAR is keeping all valuation results in a single database, facilitating access, comparisons and identification of market trends as well as fostering consistency across valuations. EC9 Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected). Description and From a financial reporting perspective, Romanian banks implement IFRS standards. IAS 39 findings re EC9 includes a detailed regime for impaired assets, which is close but not similar to that of problem assets (e.g., there must be an objective evidence that losses will be incurred -i.e., collateral can be taken into account- or 90 days past due exposure may not be considered impaired while they are generally considered to be problem assets). IAS 39 mentions that a financial asset or a group of financial assets is impaired and impairment losses are incurred if, and only if, there is objective evidence of impairment as a result of one or more events that occurred after the initial recognition of the asset (a ‘loss event’) and that loss event (or events) has an impact on the estimated future cash flows of the financial asset or group of financial assets that can be reliably estimated. Objective evidence that a financial asset or group of assets is impaired includes observable data that comes to the attention of the holder of the asset about the following loss events: (a) significant financial difficulty of the issuer or obligor, (b) a breach of contract, such as a default or delinquency in interest or principal payments, (c) the lender, for economic or legal reasons relating to the borrower’s financial difficulty, granting to the borrower a concession that the lender would not otherwise consider, (d) it becoming probable that the borrower will enter bankruptcy or other financial reorganization or (e) the disappearance of an active market for that financial asset because of financial difficulties. An asset ceases to be reported as impaired under IAS 39 as soon as it no longer meets the criteria to be considered impaired. IFRS does not provide clear guidance regarding in which circumstances a modification of contractual terms would lead to derecognition of the financial asset. It is not compulsory for all arrears to have been cleared and the loan brought fully current, for repayments to have been made in a timely manner over a continuous repayment period and continued collection. From a prudential perspective, Article 178 of the EU CRR, provides a definition of default, which encompasses that of problem asset. In general, a default shall be considered to have occurred when either the institution considers that the obligor is unlikely to pay its credit obligations in full without recourse by the institution to actions or the obligor is past due 165 ROMANIA more than 90 days on any material credit obligation. The CRR is unspecific on the discontinuation of the default status (Article 178.5). The EBA 2014 ITS on Supervisory Reporting (ITS 680) develops technical standards on nonperforming and forborne exposures (the latter can be performing or not) to ensure comprehensive, consistent, regular and detailed reporting on problem assets. Based on the ITS, NBR issued its order 6/2014 on the Methodological rules regarding the preparation of FINREP individual financial statements for prudential supervision purposes. NBR Order 2014 defines performing and nonperforming exposures, consistently with the definition of problem assets : (i) nonperforming exposures shall be (a) material exposures which are more than 90 days past due and (b) the debtor is assessed as unlikely to pay its credit obligations in full without realization of collateral, regardless of the existence of any past due amount or of the number of days past due; and (ii) forbearance measures should only lead to a reclassification as performing if (a) exposures are not considered to be impaired or defaulted; (b) one year has passed since the forbearance measures were applied; and (c) there is not, following the forbearance measures, any past-due amount or concern regarding the full repayment of the exposure according to the post-forbearance conditions. EC10 The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. Description and NBR Regulation 5/2013 (Article 30–5) sets broad reporting requirements to the Board in findings re EC10 line with this criterion: Banks are required to “establish regular and transparent reporting mechanisms so that the management body and all relevant units in an institution are provided with reports in a timely, accurate, concise, understandable and meaningful manner and can share relevant information about the identification, measurement or assessment and monitoring of risks.” However, there are no specific requirements or guidelines focusing on asset quality and provisioning (i.e., condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets, including at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred). It appeared in discussions with on-site examination teams that such expectations were nonetheless clear to banks and that NBR teams verified their implementation. The planned implementation of EBA guidelines on credit institutions’ credit risk management practices and accounting for expected credit losses will usefully complement the existing framework (see EC1). These guidelines mention in particular that ”the management body should instruct senior management to […]establish and implement an effective internal control system for credit risk assessment and measurement, report periodically the results of the credit risk assessment and measurement processes, including estimates of its ECL allowances” (paragraph 26) and that “competent authorities’ 166 ROMANIA evaluation should include, but not be limited to, whether: […] appropriate information about the credit risk of lending exposures, changes in credit risk, the related ECL allowance and changes in allowance estimates is provided to the credit institution’s management body and senior management on a regular (for example, quarterly or, if warranted, more frequent) basis (paragraph 139)” EC11 The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. Description and From a financial reporting perspective, IAS 39 requires that any entity assesses whether findings re EC11 objective evidence of impairment exists individually for financial assets that are individually significant (paragraph 64) at the end of each reporting period (paragraph 58). There is no further detail on what significant means. The “reporting period” is the year for the implementation of IFRS (mid-year review, classification and booking of provisions were required by NBR in 2012, 2013, and 2014). However, Romanian credit institutions should make monthly assessments of the impairment for the financial assets, taking into consideration the solo FINREP reporting requirements on impairment and the monthly frequency of the related templates. There is no specific requirement for banks to set an appropriate threshold for identifying significant exposures and to regularly review the level of the threshold. The planned transposition of EBA guidelines on credit institutions’ credit risk management practices and accounting for expected credit losses will fill part of this gap (see EC 1). NBR Draft Regulation supplementing and modifying NBR Regulation No. 5/2013 on prudential requirements for credit institutions will require that: "The [Expected Credit Loss] ECL assessment approach used should be the most appropriate in the particular circumstances, and typically should be aligned with how the credit institution manages the lending exposure, provided that (i) collective assessment is used for large groups of homogeneous lending exposures with shared credit risk characteristics, such as retail portfolios and (ii) individual assessments are conducted for significant exposures, or where credit concerns have been identified at the individual loan level, such as watch list and past due loans ." EC12 The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. Description and Trends and concentrations in risk and risk build-up across the banking sector in relation to findings re EC12 banks’ problem assets are regularly reviewed by the supervisory department based on information submitted by the banks. Complementary analyses are conducted by the financial stability department to assess where concentrations may be a source of systemic risks (these analyses are discussed by the National committee on macroprudential oversight, see CP 3). 167 ROMANIA Assessment of Compliant Principle 18 Comments Non-performing exposures (NPE) increased rapidly and dramatically after 2007. They reached a peak of 22 percent in 2013. NPEs have decreased significantly since. With a stricter definition than that in place in 2013, NPEs were less than 10 percent of gross credit at the end of 2016 (which remains a high level, even when accounting for coverage by provisions). NBR was instrumental in promoting this rapid reduction through many initiatives designed to ensure the timely recognition and realistic provisioning of NPEs (e.g., interim June audits, independent collateral revaluations, full provisioning of high risk exposures, write- offs etc.). The full deductibility of provisions was also important in encouraging this clean- up. NBR continues to closely monitor NPEs, thanks to detailed and regular reporting it receives (including information on individual exposures). Requirements regarding the frameworks to address problem loans exist and their implementation is closely monitored by NBR, both off- and on-site. NBR intends to amend existing requirements to incorporate key elements of the EBA 2017 guidelines on credit risk management practices and accounting for expected credit losses, which will be welcome. Efforts are also made at the financial stability level to collect relevant information to facilitate the independent review of the valuation of assets (incl. real estate assets) and overall trends regarding the creditworthiness of firms and individuals (see CP 3 on working groups set-up in 2017 by the NCMO). Principle 19 Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.82 Essential criteria EC1 Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk. 83 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. Description and According to Article 24 of banking Law, banks are required to have robust governance findings re EC1 arrangements that include a clear organisational structure with well-defined, transparent 82 Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof. 83 This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies. 168 ROMANIA and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, adequate internal control mechanisms, etc. The considered risks in this Article include credit risk and counterparty credit risk, residual risk, concentration risk, securitization risk, market risk, interest rate risk in nontrading activities, operational risk, liquidity risk and excessive leverage risk. In particular, Article 111 of Regulation No. 5/2014 stipulates that credit institutions shall address and control by written policies and procedures, the concentration risk arising from exposures to each counterparty, including central counterparties, to groups of connected counterparties, and counterparties in the same economic sector, geographic region or from the same activity or commodity, and the application of credit risk mitigation techniques. Risks associated with large indirect credit exposures such as a single collateral issuer are addressed and controlled by written policies and procedures. In assessing the internal capital adequacy, the credit institution shall identify and evaluate all significant risks to which it is or may be exposed, including concentration risks. Banks were also required to develop frameworks to adequately manage their exposures and off-balance sheet instruments. Off balance sheet items are included in the calculation of large exposures and concentration of risk. Banks are required to report large exposures and risk concentration (also off-balance sheet) on a consolidated basis to the NBR. These are reviewed during onsite inspections. EC2 The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure84 to single counterparties or groups of connected counterparties. Description and According to Article 393 of CRR, bank shall have ccapacity to identify and manage large findings re EC2 exposures. An institution shall have sound administrative and accounting procedures and adequate internal control mechanisms for the purposes of identifying, managing, monitoring, reporting, and recording all large exposures and subsequent changes to them in accordance with this Regulation. Banks’ information systems are required to provide the data for reporting large exposures and concentration risks to the NBR on a quarterly basis. Onsite inspections examine the accuracy of the group of connected clients and determine whether a bank’s information system identifies and agg regates exposures creating risk concentration and large exposures on a timely basis. EC3 The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes 84 The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e., it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991). 169 ROMANIA require all material concentrations to be regularly reviewed and reported to the bank’s Board. Description and The Supervision Department has developed a procedure on the methodology for findings re EC3 determining the additional own funds requirement for Pillar II, as well as how to determine and express it in the SREP capital assessment process provided that the NBR has a supervisory reference system, specifically, the concentration risk, the interest rate risk from nontrading activities (IRRBB) and the risk arising from foreign currency lending to borrowers not covered by foreign exchange risk. The capital requirements determined by the institution in the ICAAP will be assessed with the results of the supervisor’s reference. Article 87 of No. 5/2013 requires banks to have policies and processes that establish an appropriately and adequately controlled credit risk environment and include prudent and appropriate credit limits consistent with the risk appetite, risk profile and credit worthiness of the credit institutions that are regularly communicated to and understood by the relevant staff. Article 111 requires banks to address and control the concentration risk (See EC1). In addition, the NBR published Instructions as of 29 December 2016 regarding the limits on exposures to shadow banking entities that carry out banking activities outside a regulated framework for more oversight. http://www.bnr.ro/DocumentInformation.aspx?idDocument=24092&directLink=1 However, there is no explicit requirement that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board, although the NBR states that the practices are examined during on-site inspection. EC4 The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. Description and According to a harmonized EU reporting framework, an institution in Romania shall report findings re EC4 the following information about every large exposure to the competent authorities on a quarterly basis: • the identification of the client or the group of connected clients to which an institution has a large exposure; • the exposure value before taking into account the effect of the credit risk mitigation, when applicable; • where used, the type of funded or unfunded credit protection; • the exposure value after taking into account the effect of the credit risk mitigation, etc. Specifically, Regulation No. 680/2014 defines the implementing technical standards (ITS) with regards to supervisory reporting of institutions according to CRR and indicates that credit institutions are required to report credit concentration data through the following reporting templates: • Large Exposures limits • Identification of the counterparty • Exposures in the nontrading and trading book • Detail of the exposures to individual clients within groups of connected clients 170 ROMANIA • Maturity buckets of the exposures in the nontrading and trading book • Maturity buckets of exposures to individual clients within groups of connected clients Moreover, credit institutions are monitored using specific indicators (traffic light) and ad- hoc reporting (forborne exposures, 500 debtor’s exposures). The NBR regularly obtains concentration risk information including sectoral, geographical, and currency exposures through other FINREP templates, ICAAP reports, and foreign currency monitoring reports. These items are reviewed during on-site and off-site assessments. EC5 In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and Article 4 of CRR defines a group of connected clients as any of the following: findings re EC5 • two or more natural or legal persons who, unless shown otherwise, constitute a single risk because one directly or indirectly has control over the other(s); • two or more natural or legal persons between whom there is no relationship of control as described in point (a) but who are to be regarded as constituting a single risk because they are so interconnected that if one of them were to experience financial problems, in particular funding or repayment difficulties, the other or all of the others would also be likely to encounter funding or repayment difficulties. There are two criteria in consider clients as a common source of risk: a) relation of control, which can be determined based on: - owning directly or indirectly more than half of the capital or voting power - owning less than half of the voting power but having (i) the power to direct the activities of the entity; (ii) the power to appoint or remove the majority of directors, the supervisory board, the members of the board of directors; (iii) the power to cast the majority of votes at meetings of the board of directors; and (iv) the power to co-ordinate the management of an undertaking with that of other undertaking. b) economic interconnection, which can be determined based on supply chain links, dependence on large customers or counterparty exposures and financial dependency. Although there are no specific provisions, in cases of divergence between the opinion of the institution and that of the competent authority, in practice the NBR decides whether a client must be regarded as part of a group of connected clients. 85 85 The NBR mentioned that before the entering into force of Regulation (EU) No 575/2013, there was such a provision where NBR could determine differently than the credit institutions the composition of the group of connected clients (Article 7 para 2 of NBR Regulation No 16/2006 which is currently repealed). After Regulation (EU) No 575/2013 became applicable, the large exposures regulatory framework is uniformly set at the EU level. (continued) 171 ROMANIA EC6 Laws, regulations or the supervisor set prudent and appropriate 86 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off- balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. Description and According to Article 395 of CRR, an institution shall not incur an exposure to a client or findings re EC6 group of connected clients the value of which exceeds 25 percent of its eligible capital after taking into account the effect of the credit risk mitigation in accordance with Article 399 to 403. Where that client is an institution or where a group of connected clients includes one or more institutions, that value shall not exceed the higher of 25 percent of the institution's eligible capital or EUR 150 million provided that the sum of exposure values (after taking into account the effect of the credit risk mitigation) to all connected clients that are not institutions does not exceed 25 percent of the institution's eligible capital. Where the amount of EUR 150 million is higher than 25 percent of the institution's eligible capital, the value of the exposure (after taking into account the effect of credit risk mitigation in accordance with Articles 399 to 403) shall not exceed a reasonable limit in terms of the institution's eligible capital. That limit shall be determined by the institution in accordance with the policies and procedures to address and control concentration risk. This limit shall not exceed 100 percent of the institution's eligible capital. Exposures for this purpose include all claims and transactions, on and off-balance sheet. With regard to concentration risk, the NBR requires credit institutions to address and control, through written policies and procedures, the risk of concentration arising from exposures to each counterparty including central counterparties, groups of counterparties and counterparties in the same economic sector, the same geographical region or performing the same activity or supplying the same commodity or applying credit risk mitigation techniques, including in particular the risks associated with large indirect credit exposures. (Regulation No. 5/2013 pct.2.3 Article 111) The NBR has the power to require banks to reduce the concentrations by applying measures/sanctions (under the Banking Law) or can request to the banks to build up additional capital in order to cover up the risk. The NBR is performing an on-going monitoring of the limits regulated and assesses the internal limits established by the banks on a solo and consolidated basis during the on-site missions. EC7 The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes. Description and According to Article 193, 225, and 226 of Regulation No. 5/2013, the NBR requires credit findings re EC7 institutions to conduct stress tests covering individual portfolios and the specific types of 86 Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration. 172 ROMANIA risks that have an impact on them. Credit institutions must ensure that stress tests dealing with portfolios and business lines enable the identification of risk concentrations. Also, credit institutions shall carry out stress tests at the individual level to take into account the potential risk concentrations specific to local markets and as a means to address the types of concentrations that can materialize at group level. In particular with stress tests, credit institutions should consider changes that may arise in the business environment and may lead to the materialization of risk concentrations. Additional criteria AC1 In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following: (a) Ten percent or more of a bank’s capital is defined as a large exposure; and (b) Twenty-five percent of a bank’s capital is the limit for an individual large exposure to a private sector nonbank counterparty or a group of connected counterparties. Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. Description and According to Article 392 of CRR, a large exposure is defined as follows: findings re AC1 An institution's exposure to a client or group of connected clients shall be considered a large exposure where its value is equal to, or exceeds 10 percent of its eligible capital. With regard to limits to large exposure, see EC6. According to Article 396 paragraph 1 of CRR if, in an exceptional case, exposures exceed the large exposure limit, the institution shall report the value of the exposure without delay to the competent authorities who may in turn allow the institution a limited period of time in which to comply with the limit where warranted. Where the amount of EUR 150 million referred to in Article 395(1) is applicable, the competent authorities may allow the 100 percent limit in terms of the institution's eligible capital to be exceeded on a case-by-case basis. Assessment of Largely Compliant Principle 19 Comments The NBR applies EU-wide large exposure regime. The NBR set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties according to CRR. During on-site inspection and through quarterly reporting on large exposures and concentration risks, the NBR determines that banks have adequate policies and processes to manage concentrations of risk on a timely basis. In addition to the regulatory large exposure limit, the NBR assesses the internal concentration risk limits established by the banks on a solo and consolidated basis during the on-site missions. Also, the banks’ concentration risk management is mainly assessed in the context of SREP assessment. With regard to the large exposure limit, the CRR allows that competent authorities may set a lower limit than EUR 150 million as an absolute limit, but the NBR has not exercised this 173 ROMANIA option. As of June 2017, 8 of the 28 banks apply the large exposure limit of EUR 150 million (i.e., 100 percent of capital limit) instead of 25 percent of capital. Assessors note that some credit institutions have exposures to a group entity of around 80–90 percent of capital at a point of time (See also CP 12). Authorities mentions, however, that the bank’s internal limit shall also be set by the institution in accordance with the policies and procedures to address and control concentration risk. In this context, it is not entirely clear how and in what procedure the NBR determines that the internal limit for each institution and the relevant exposures are appropriate. Also, there is no explicit regulatory requirement that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board, although the practices are examined during on-site inspection. This could be critical aspect in Romania, considering high level of sovereign debt concentration in banking industry87. The authorities should consider following activities: • Conduct a thematic review on the large exposure limit across banks (particularly focusing on banks that the large exposure limit is set EUR 150 million or 100 percent of capital and banks have high concentration risks) and review the suitability of EUR 150 million as an absolute limit • Include explicit provision in the regulation that require that all material concentrations be regularly reviewed and reported to the bank’s Board; in practice require banks to manage de facto all concentration risk including sovereign risks Principle 20 Transactions with related parties. In order to prevent abuse arising in transactions with related parties88 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties89 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. Essential criteria EC1 Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the 87 EBA guidelines for the SREP include the following: when assessing credit concentrations, competent authorities should consider the possibility of overlaps (e.g., a high concentration to a specific government will probably lead to a country concentration and single-name concentration) 88 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies. 89 Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party. 174 ROMANIA footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and According to Article 102 of NBR Regulation No. 5/2013, “parties affiliated” to the credit findings re EC1 institution shall include at least: • any entity over which the credit institution exercises control; • any entity in which the credit institution holds participations; • entities exercising control over the credit institution; • any entity in which the entities referred to in point (c) may exercise control or hold participations; • shareholders owning qualifying holdings in the credit institution's capital; • any entity in which the shareholders referred to in paragraph (e) may exercise control or hold participations; • the members of the credit institution's management body and persons holding key positions in the credit institution together with: (i) the entities in which they have direct or indirect interests, and (ii) close family members who are expected to influence or be influenced by them in relation to the credit institution. These may include the life partner and children of the person, the children of the person's life partner, and dependents of the person or his / her life partner. The definition of affiliated parties is not comprehensive enough to meet the requirements in this CP (Article 102). The definition does not explicitly include “corresponding persons in affiliated companies” as described in the footnote to this Principle. As a result, the current definition fails to capture any person in a key position or a major individual shareholder of other group entities within a banking group (e.g., executives, board members, or shareholders of other subsidiaries of the mother banking group and/or mother group). The definition does not explicitly include “special purpose entities”, but authorities mention that SPEs are covered by the definition of “any entity in which the credit institution holds participations.” In terms of identification of related parties, the authorities mention that the NBR, in practice, may exercise discretion in applying the definition on a case by case basis. Nevertheless, there is no explicit provision that depicts presumption power of the NBR in the regulation. 90 EC2 Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with nonrelated counterparties.91 90 The NBR mentions that although there is no explicit power in regulation for the supervisor to exercise discretion, the wording of “at least” was intended to confer the supervisory power of deciding differently than banks regarding the affiliated parties. 91 An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates). 175 ROMANIA Description and According to Article 102 para 4 of NBR Regulation No. 5/2013, transactions with affiliated findings re EC2 parties include credit exposures from the balance sheet and off-balance sheet in addition to relationships like service contracts, asset purchases and sales, construction contracts, leasing arrangements, derivative financial instruments transactions, borrowing, and write- offs. The term “transaction” should be broadly interpreted to include not only transactions with affiliated parties but also situations where a person with whom the credit institution is not in a relationship (against which the credit institution has an exposure) becomes later affiliated. According to Article 109, the credit institution shall not carry out other non-arm's length transactions than the ones provided by packages of remunerative measures and incentives for employees of the entities which are members of the credit institution's group. In terms of transactions with employees of the banking group, Article 109 also stipulates that “The credit institution shall not carry out operations on more favourable terms other than those provided by the packages of remuneration and incentive packages for the employees of the entities of the credit institution group. The operations on more favourable terms provided by the packages of remuneration measures and incentives for the employees of the entities of the credit institution group may be performed only after their analysis by and obtaining the prior approval of the NBR.” EC3 The supervisor requires that transactions with related parties and the write-off of related- party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. Description and According to Article 105 of NBR Regulation No. 5/2013, any operation that results in the findings re EC3 origination or modification of an exposure to an affiliated party exceeding a threshold set by the internal rules of the credit institution and similar operations that present a particular risk will only be performed with the prior approval of the credit institution's management body.92 The members of the management body of the credit institution in conflict of interest are excluded from the process of approving and managing transactions with affiliated parties. However, there is no explicit provision that requires that “write-off” of RP exposures exceeding specified amounts-is subject to prior approval by the board. EC4 The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. Description and According to Article 106 of NBR Regulation No. 5/2013, credit institutions shall have in findings re EC4 place adequate policies and processes to prevent the persons involved in the transaction or the persons related thereto from being involved in the process of approving and managing the transaction in accordance with Article 102 3) point g) (i.e., members of the credit institution's management body and key function holders of that credit institution). 92 The NBR mentions that the write-off is included in the term “modification” of an exposure. 176 ROMANIA However, there is no guidance that banks are required to put in place procedures for resolving conflicts of interest arising from RP transactions. The regulation in this regard only describes high level principles and lacks substance, which may lead to an undesirable divergence of practices. EC5 Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. Description and The limits for exposures to a group of affiliated parties are set on aggregate exposures findings re EC5 and the limits are the same as the large exposure limit; the limit for exposure to the parties affiliated to the credit institution is 25 percent of the eligible capital. Where the group of affiliated parties includes one or more institutions, the exposure to the group may not exceed the higher of 25 percent of capital or EUR 150 million (See CP 19). There are provisions for additional tier 1 capital deductions, but only if the exposure has characteristics reflecting non-arm’s length transactions (Article 656 paragraph 1 letter c) of NBR Regulation No 5/2013). The NBR mentions that in cases when limits are breached, the NBR can impose a supervisory measure to the bank. EC6 The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. Description and Article 103 (1) requires credit institutions to have in place adequate policies and processes findings re EC6 to identify individual exposures to transactions with affiliated parties, to determine the total amount of such exposures, and to monitor and report such exposures by means of an independent process of verifying or auditing credit activity. Exceptions to the application of policies, procedures and limits shall be reported to senior management and, where appropriate, to the management body in its supervisory function for appropriate follow-up actions. Transactions with parties affiliated to the credit institution shall be monitored by both senior management on a continuing basis and by the management body in its supervisory function. EC7 The supervisor obtains and reviews information on aggregate exposures to related parties. 177 ROMANIA Description and The NBR requires credit institutions to report to the NBR - Supervision Department, the findings re EC7 exposures to affiliated parties through FINREP (semi-annually) and prudential returns (quarterly). The NBR reviews the information on aggregate exposures and determines compliance of the limit on exposures. However, the information collected is not sufficiently granular since the prudential report does not include information such as the share size, positions held by the concerning related party or types of exposures (e.g., loans, guarantees. commitment, letter of credit, etc.). Authorities mention that the number of shares is available through different reporting to NBR. Assessment of Materially Noncompliant Principle 20 Comments The NBR conducts on-site examination on the transactions with related parties. However, assessors concluded that the current regulation No. 5/2013 on related party transactions does not meet many ECs under this CP, and these regulatory shortcomings raise doubts about the authority’s ability to achieve compliance. The definition of affiliated parties is not comprehensive enough to meet the requirements in this CP (Article 102). The current definition fails to capture any person in a key position or a major individual shareholder of other group entities within a banking group including the parent bank/company itself (e.g., senior management, board members, or individual shareholders of other subsidiaries of the banking group and/or parent company of the credit institution). The definition does not explicitly extend that coverage, and this gap could be potentially important where many banks in Romania are subsidiaries of EU banking group and the corporate ownership of banks is allowed. Also, the definition of affiliated parties does not explicitly include “special purpose entities.”93 Although authorities mention that SPEs are covered by the definition of “any entity in which the credit institution holds participations”, the regulation would benefit from including more explicit terminology. In terms of identification of related parties, the authorities mention that the NBR, in practice, may exercise discretion in applying the definition on a case by case basis. Nevertheless, there is no explicit presumption power in the regulation. The NBR would benefit from having explicit power that can presume certain parties as bank’s affiliates, taking into account the nature of the relations and transactions with the bank. There is no explicit provision that requires that “write-off” of RP exposures exceeding specified amounts -is subject to prior approval by the board. Authorities mention that “modification” of an exposure to an affiliated party exceeding a threshold set by the internal rule is subject to approval and this also applies to write-off. However, there was no 93 The NBR mentions that the finding in relation to SPEs should not weigh on grading as SPEs are one of the examples of definition of related parties in EC1, and assessors took it into consideration. 178 ROMANIA definition or explanation of “modification” in this context, therefore, more concrete requirement is warranted. There are no requirements allowing the NBR to deduct from capital the exposures exceeding the related party transaction limit when assessing capital adequacy. 94 Although this fact does not weigh on grading, deduction from capital the exposures exceeding the limit, if needed, is a good practice, in addition to setting limits for exposures to related parties. There are provisions for additional tier 1 capital deductions, but those provisions are applied only if the exposure has characteristics reflecting non-arm’s length transactions. The NBR collects information on related party transactions on a regular basis. However, the information collected is not sufficiently granular to capture the exact characteristic during off-site supervision. For instance, the prudential report does not include information such as the share size, positions held by the concerning related party or types of exposures (e.g., loans, guarantees. commitment, letter of credit, etc.). Authorities mention that the number of shares is available through different reporting to the NBR, but the reporting timing is different. Assessors also note several examples where related party transactions should be examined further; when some credit institutions have exposures to a group entity, one of the affiliated parties, of around 80–90 percent of capital at a point of time (see CP12); when a certain bank has exposure its related party around 300 percent of capital (if protections/collaterals are not considered); when a certain bank has exposures to a number of individual affiliated parties without collateral – those could be examples that further inspections may be needed, even if the transactions comply with the affiliated party exposure limit. Overall, the RP regulation only describes high level principle similar to this CP, does not give clear guidance to banks, and lacks sufficient substance. This may lead to an undesirable divergence of practices and undermine the consistency of examination across banks. For example, there is no guidance that banks are required to put in place procedures for resolving any conflicts of interest arising from RP transactions. As an illustrative example of guidance, following provisions could be considered: the senior management or board member who is directly or indirectly concerned in any proposed RP transaction should disclose the nature of his/her interest to the board when any such proposal is discussed. He/she should not be present in the meeting and shall not vote on any such proposal. No staff or committee comprising the staff as a member shall, while exercising powers of granting any credit facility, approve any credit facility to his/her families members, etc. The authorities should consider following activities; 94 The NBR mentions that this finding should not weigh on grading as the NBR’s choice in EC5 was to set limits for exposures to related parties, and assessors took it into consideration. 179 ROMANIA • Review and amend the regulation on affiliated party transactions in a more prudent manner (e.g., expand the definition of affiliated parties to comprehensively capture the relevant transaction, include an explicit presumption power in terms of identification of affiliated parties, require prior approval on write-off of RP exposures exceeding specified amounts, etc.); • Improve the prudential reporting template on related party transaction for more effective monitoring (e.g., include type of exposures, number of shares, asset classification, etc.); • Issue a guidance note/instruction that lays down more concrete requirements for monitoring and managing related party transaction and exposures Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk95 and transfer risk96 in their international lending and investment activities on a timely basis. Essential criteria EC1 The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank- wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. Description and Article 3 of Regulation No. 5/2013 defines country risk and transfer risks as follows: findings re EC1 • Country risk - the risk of exposure to losses caused by events occurring in a foreign country. The concept is wider than sovereign risk because all forms of lending and investment activities cover individuals, companies, credit institutions, and central governments; • Transfer risk - the risk that a debtor may not convert the local currency into a foreign currency, thus, being unable to make payments on account of the debt in that foreign currency. This risk normally results from foreign exchange restrictions imposed by the government of the country of the debtor Article 98 (1) requires that credit institutions shall have in place policies and processes to identify, measure, assess, monitor, report and control or mitigate country risk and transfer 95 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered. 96 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.) 180 ROMANIA risk. The processes must be consistent with the risk profile, systemic importance and risk appetite of the credit institution. The processes must also take into account market conditions and macroeconomic conditions, and provide a full picture of the overall credit exposure of the credit institution to country risk and transfer risk. Exposures (including intra-group exposures where applicable) are identified, monitored and administered per country in addition to the monitoring of the final borrower / counterparty. Credit institutions shall monitor and assess developments in country risk and transfer risk and take appropriate measures to counteract them. Authorities mention that if the country and transfer risks are significant for a bank or banking group, supervisors will check the policies and processes implemented by banks for managing these risks during on-site missions. However, the NBR does not give any further guidance to banks through regulation or documented instruction. For example, following areas may need further guidance: situation that a bank is required to formulate the country risk management policy, or essential/minimum elements that a bank should include in its internal policy and processes. EC2 The supervisor determines that bank’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and Article 99 of No. 5/2013 stipulates that the credit institution's management body approves findings re EC2 strategies, policies and processes on country risk management and transfer risk, and performs the management to ensure that policies and processes are implemented effectively and are fully integrated into the overall risk management process of the credit institution. The NBR reviews above aspects during the on-site examination, however, no further guidance/ on-site inspection manual exists in this regard. EC3 The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. Description and Article 100 and 101 of No. 5/2013 stipulates that credit institutions shall have information, findings re EC3 risk management and internal control systems to aggregate, monitor and report the country exposures adequately and in a timely manner, while ensuring compliance with the limits on exposures on every country. Credit institutions shall set limits on exposures per country. The NBR reviews a bank’s information, risk management and internal control systems during the on-site examination and ensures the system tracks the exposures. EC4 There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: 181 ROMANIA (a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. (b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. (c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor. Description and There are no specific regulatory provisioning standards for country risk and transfer risk in findings re EC4 Romania.97 Each bank should make impairments and provisions under IFRS. NBR monitors the intra- group placements and transfers to other related foreign parties. In the SREP process, supervisors assess if banks have in place adequate strategies, policies and procedures for country and transfer risk management. EC5 The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. Description and Article 182 stipulates that credit institutions shall carry out an effective stress test program findings re EC5 on all significant risks.98 The adequacy of bank’s stress testing is examined during on -site examinations. However, there are no specific regulatory requirements that banks include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. EC6 The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). Description and Under the CRR context, in order to report information on own funds and related findings re EC6 requirements, institutions shall submit the following information on a quarterly basis: Information on the geographical distribution of exposures by country where nondomestic original exposures in all ‘nondomestic’ countries and in all exposures classes are equal to or higher than 10 percent of total domestic and nondomestic original. For this purpose, 97 The NBR mentioned that according to Article 481 para 1 of Regulation (EU) No. 575/2013, starting with 2018, EU Member States will no longer be allowed to impose additional deductions from banks’ capital, and the prudential provisioning would have the effect of affecting the capital. 98 The NBR mentioned that all significant risks articulated in Article 182 include country risk and transfer risk. (continued) 182 ROMANIA exposures shall be deemed domestic when they are exposures to counterparties in the Member State where the institution is located. 99 In offsite examinations, risk assessments are performed quarterly and in line with the frequency requirement of the Common Reporting (COREP). In addition, the NBR has the power to obtain additional information as needed. In practice, assessors note that the NBR has collected and reviewed relevant information on an ad-hoc basis where country risks are elevated and took necessary supervisory measures (e.g., Ukraine, Greek and Turkey’s cases). Assessment of Materially Noncompliant Principle 21 Comments During on-site inspections, the NBR will check the country/transfer risk policies and processes implemented by banks if the country and transfer risks are significant for a bank or banking group. Country risk is assessed mainly on an ad hoc basis. However, the assessors indicated that the NBR regulation for country risk/ transfer risk management are not sufficiently comprehensive to meet the ECs in this CP. Regulation No. 5/2013 includes high level principles similar to this principle; however, there are no specific guidelines or regulation for country or transfer risks outside of the principle. More specifically, the NBR does not give any further guidance to banks through regulation or documented instruction. There is no on-site inspection manual in this regard, so it is difficult to ensure what and how supervisors should examine during on-site inspections. For example, the regulation is silent in the essential areas to be developed by banks and examined by supervisors. Authorities could consider the following areas that may need further guidance: situation that a bank is required to formulate the country risk management policy, how to identify, measure, assess, and control country risks, and essential elements that a bank should include in its country risk management policies and processes (e.g., including appropriate procedures for dealing with country risk such as contingency plans or exit strategies in times of crisis, appropriate oversight mechanism, a periodic review requirement by the board, etc.) There are no specific regulatory provisioning standards for country risk and transfer risk in Romania. There are no specific stipulations in the regulation that banks include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. The authorities mention that general risk management and stress testing regulations apply. Although the reporting framework of FINREP/COREP includes the data geographical breakdown, the reporting components do not include any risk classification or 99 In the NBR regulation applicable for solo FINREP (NBR Ord No. 6/2014), the threshold is let down to one percent, and no reporting threshold for the templates F20.1 to F20.3. 183 ROMANIA (internal/external) country rating, which is important for country risk management. It is not clear how supervisors perform a banking group-wide country risk analysis across each regulated entity to form a comprehensive view of country risk from this reporting. The authority should consider following activities: • Review and strengthen the regulation on country and transfer risks or develop a guidance note for supervisors and banks. • Include explicit requirements that banks include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis. • Ensure greater focus on oversight on risks stemming from country (including sovereign) risks and transfer risks on a regular basis during on –and off–site supervision. Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. Essential criteria EC1 Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. Description and In Romania, the market risk regulatory framework consists of the following: findings re EC1 • Part Three – Capital requirements, Title IV – Own funds requirements for market risk of CRR • Article 116–126 of NBR Regulation No. 5/2013 which transpose: o Article 83 of Directive (EU) No. 36/2013 o Basel Core Principle No. 22 – Market risk • Title VIII of NBR Regulation No. 5/2013—Approval of certain items of internal models used to calculate the minimum capital requirements for market risk. • EBA SREP guideline was adopted in January 2017. Moreover, there are legal provisions regarding the responsibility of the compliance function of a credit institution to advise its management body regarding the standards that the credit institution is required to meet (Article 51 of NBR Regulation No. 5/2013). Article 116–118 stipulates that credit institutions shall implement policies and processes for the identification, measurement, and management of all material sources and effects of market risks. Credit institutions shall have in place adequate market risk management processes that provide a comprehensive credit institution-wide view of market risk exposure. CRR (Article 104) also states the minimum requirements of the policies and procedures for the overall management of trading books. 184 ROMANIA The market risk management processes shall: • be consistent with the risk appetite, risk profile, systemic importance and capital strength of the credit institution; • take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; • clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. The banks are also required to have an ICAAP which takes into account market and macroeconomic conditions in its market risk management processes. On-site inspection under SREP methodology is carried out to examine the requirements. EC2 The supervisor determines that bank’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and Article 119 of Regulation No. 5 stipulates that credit institutions shall have in place findings re EC2 strategies, policies, and processes for the management of market risk. The strategies, policies, and processes referred to in paragraph (1) shall be approved by the credit institutions' management body in its supervisory function. The respective management body oversees management in a way that ensures policies and processes are implemented effectively and fully integrated into the credit institutions’ overall risk management process. The NBR assesses the effectiveness of market risk management under the SREP framework by considering: • Senior management properly implements the market risk strategy approved by the management body, ensuring that the institution’s activities are consisten t with the established strategy, written procedures are drawn up and implemented, and responsibilities are clearly and properly assigned; • The institution’s market risk strategy and appetite are appropriate for the institution, given its business model, overall risk strategy and appetite, market environment, role in the financial system and financial condition, funding capacity, and capital adequacy; • the institution’s market risk strategy broadly covers all the activities of the institution where market risk is significant, etc. EC3 The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: (a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; (b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to ma nage market risk and which are understood by, and regularly communicated to, relevant staff; (c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; 185 ROMANIA (d) effective controls around the use of models to identify and measure market risk, and set limits; and (e) sound policies and processes for allocation of exposures to the trading book. Description and Article 120 of NBR Regulation No. 5/2013 stipulates that credit institutions shall have in findings re EC3 place policies and processes establishing an appropriate and properly controlled market risk environment including all the criteria that this EC describes as the NBR transposed this EC into regulation No. 5/2013. Article 103 of CRR and lays down the requirements that the institution shall comply. These aspects are assessed as part of SREP. In particular, the following essential requirements at banks for market risk management are also prescribed in the SREP guideline; • The institution has effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk activities; • The management and control area reports regularly to the management body and senior management with, at minimum, information on current market exposures, P&L results and risk measures (e.g., VaR) compared to policy limits; • There are operating limits aimed at ensuring market risk exposures do not exceed levels acceptable to the institution; • The institution’s internal controls and practice are able to identify breaches of individual limits set at desk or business-unit level, as well as breaches of the overall limit for the market activities, and allow daily identification and monitoring of breaches of limits and/or exceptions; • Risk managers and the institution’s senior management are aware of the degree of model risk that prevails in the institution’s pricing models and risk measurement techniques and whether they periodically check the validity and quality of the different models used in market risk activities; • Policies and processes regarding the positions to include in, and to exclude from, the trading book for regulatory purposes, are sound and consistent with the market risk strategies of the banks etc. EC4 The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. Description and CRR Article 105 provides a number of requirements for banks regarding prudent valuation findings re EC4 of trading book positions and NBR Regulation No. 5 complemented the requirements. According to EBA SREP guidelines, the NBR assesses whether: • The framework for ensuring that all positions measured at fair value are subject to prudent valuation adjustments in accordance with the relevant legislation, in particular Regulation (EU) No. 526/2014, are sound and consistent with the market risk strategy. 186 ROMANIA • This framework includes requirements for complex positions, illiquid products, and products valued using models. The RTS on prudent valuation of fair-valued positions provides details of calculating additional valuation adjustments (AVAs).100 The market risk is assessed on-site on an annual basis and off-site on a quarterly basis, in line with the frequency of COREP reporting framework. EC5 The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Description and Article 123 of NBR Regulation No. 5/2013 stipulates that credit institutions shall hold findings re EC5 appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Also, Article 125 mentions that the internal capital shall be adequate for material market risks that are not subject to an own funds requirement. The NBR determines during on-site examination whether banks hold appropriate capital against unexpected losses and make appropriate valuation adjustments for uncertainties. EC6 The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. Description and According to EBA SREP guideline, the NBR assess whether an institution has implemented findings re EC6 adequate stress tests that complement its risk measurement system. For this purpose, the NBR takes into account the following elements: a. stress test frequency; b. whether relevant risk drivers are identified (e.g., illiquidity/gapping of prices, concentrated positions, one-way markets, etc.); c. assumptions underlying the stress scenario; and d. internal use of stress-testing outcomes for capital planning and market risk strategies. Article 124 of Regulation No. 5/2013 also stipulates that credit institutions shall include market risk exposure into their stress testing programs for risk management purposes. Assessment of Compliant Principle 22 Comments In the Romanian banking system, the level of the market risk is low for most of the Romanian credit institutions that do not have complex instruments that may expose the bank to significant risk. As of June 2017, RWAs for market risk were around three percent of total RWAs. No banks are using the advanced approach for computing market risk capital charge. Most of the positions included in trading books are constituted by government securities, stocks traded on the local stock exchange, and derivatives (in principal swaps and forwards used for positions covering or obtaining liquidity). In practice, the main driver of market 100 Commission delegated regulation (EU) 2016/101 supplementing Regulation (EU) No. 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards for prudent valuation under Article 105(14) 187 ROMANIA risk in Romania is related to foreign exchange risk. In order to monitor the market risk exposures of the banks, the NBR is paying special attention to foreign exchange positions considering that the foreign exchange risk is the main component of market risk. CRR and EBA SREP guidelines are stipulated in a comprehensive way and the NBR conducts on-site inspection on all credit institutions annually. However, there is no market risk specialist in the supervision department; one should be assigned to build up expertise in this area. Principle 23 Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk101 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. Essential criteria EC1 Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. Description and Article 127 and 131 of NBR regulation No. 5/2013 stipulate that credit institutions shall findings re EC1 implement systems to identify, evaluate, and manage the risks arising from potential changes in interest rates that affect an institution's nontrading activities. Credit Institutions should be able to demonstrate that their level of internal capital obtained through their measurement system is commensurate with the level of the interest rate risk in their banking book. Credit institutions shall develop and use their own methodologies for calculating the potential changes in their economic value resulting from changes in the levels of interest rates, in accordance with their risk profile and risk management policies. If the internal methodology of a credit institution is considered inadequate by the NBR – Supervision department or does not exist, the credit institution shall apply the standardized methodology described in the annex of No. 5/2013 regulation. According to the EBA SREP Guidelines, the NBR assess during on-site examination: • Whether the institution has a sound, clearly formulated and documented IRRBB strategy, approved by the management body. • Whether the institution’s IRRBB strategy and appetite are appropriate for the institution considering: its business model, its overall risk strategy and appetite, its market environment and role in the financial system, and its capital adequacy 101 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22. 188 ROMANIA • Whether the institution’s IRRBB strategy broadly covers all the activities of the institution where IRRBB is significant • whether the management body approves the policies for managing, measuring and controlling IRRBB, and discusses and reviews them regularly • whether the institution has an appropriate framework for identifying, understanding and measuring IRRBB, in line with the institution’s size and complexity EC2 The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. Description and The NBR requires that the management body of a credit institution shall approve and findings re EC2 regularly review the interest rate risk strategies, policies, and processes established in order to identify, measure, monitor, and control the interest rate risk. The management body of a credit institution shall ensure that the strategies, policies, and processes of interest rate risk are developed and implemented (Article 128). Credit institutions also shall allocate interest rate management responsibilities to persons independent from those responsible for trading and/or other risk taking activities, or who shall also benefit from separate reporting lines (Article 129). According to the EBA SREP Guidelines, the NBR assess the following during on-site examination: • Whether the management body clearly expresses the IRRBB strategy and appetite and the process for the review thereof • Whether senior management is responsible for developing the policies and procedures for the management of IRRBB and ensuring adequate implementation of the management body’s decisions. EC3 The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including: (a) comprehensive and appropriate interest rate risk measurement systems; (b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); (c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff; (d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and (e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management. 189 ROMANIA Description and Article 130 stipulates that credit institutions shall have in place comprehensive and findings re EC3 appropriate risk measurement systems for interest rate risk and that any models and hypothesis used shall be regularly validated at minimum on an annual basis. The limits established by the credit institutions shall reflect their risk strategies, shall be understood by, and communicated to, the relevant personnel on a regular basis. Any exception from the established policies, processes, and limits shall be promptly analyzed by the senior management and by the management board in its supervisory function where necessary. Article 134 requires that larger and/or more complex institutions should also take into account scenarios where different interest rate paths are computed and where some of the assumptions, including assumptions about behavior, contribution to risk and balance sheet size and composition, are themselves functions of interest rate levels. In addition, Article 136 requires that credit institutions shall have a well-reasoned, robust and documented policy to address all issues that are important to their individual circumstances. EBA SREP guidelines also cover some aspects that this EC requires. The NBR annually reviews these aspects in addition to the bank’s exception tracking and reporting processes and information system in terms of accuracy and timeliness during on-site inspections. However, there is no explicit provision that requires “independent” validation of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions) . EC4 The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. Description and Article 223 and 224 requires that credit institutions shall undertake stress tests which findings re EC4 capture all sources of interest rate risk in the nontrading book, namely, re-pricing risk, yield curve risk, basis risk, and option risk. Credit institutions shall undertake stress tests in accordance with the complexity of the interest rate risk in the nontrading book and in accordance with the complexity of the financial instruments used. Where less complex financial instruments are employed, the effect of a shock can be calculated by the institution using sensitivity analysis by applying the shock to the portfolio without identifying the origin of the shock. Where an institution uses more complex financial instruments on which the shock has multiple and indirect effects, it should use more advanced approaches with specific definitions of the adverse (stress) situations. The NBR assesses whether the institution has implemented adequate stress test scenarios that complement its risk measurement systems based on the regulations above and EBA SREP guidelines. Additional criteria AC1 The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book. 190 ROMANIA Description and Article 132 requires that credit institutions must be able to compute and report to the NBR findings re AC1 – Supervision Department, the change in their economic value as a result of sudden and unexpected change(s) of interest rates - standard shock(s) prescribed by the NBR. The calculation and reporting of the change in their economic value shall be undertaken on a quarterly basis at the individual level and on a biannual basis at the consolidated level. The NBR monitors the level of IRR by tracking the potential changes in the Economic Value resulting from +/- 200bps sudden and parallel change in interest rates. Credit institutions are reporting on a quarterly basis. AC2 The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book. Description and Article 131 stipulates that credit Institutions should be able to demonstrate that the level findings re AC2 of their internal capital, obtained through their measurement system, is commensurate with the level of the interest rate risk in their banking book. Credit institutions should be able to calculate the potential changes in their economic value resulting from changes in the levels of interest rates and the overall interest rate risk in the banking book at individual and consolidated levels. Article 166 (5) also mentions that the SREP performed by the NBR shall include the exposure of institutions to the interest rate risk arising from nontrading activities. The NBR takes measures on institutions whose economic value declines by more than 20 percent of their own funds due to a sudden and unexpected change in interest rates of 200 basis points. Assessment of Largely Compliant Principle 23 Comments In Romania, interest rate risk is assessed on-site yearly and off-site quarterly. The IRR risk measures are reported quarterly by the banks. The limits and controls are reported on a yearly basis in the ICAAP report. The changes in internal procedure framework regarding IRR risk are monitored on a continuous basis by the off-site function. The NBR assesses the IRR risk management, risk profile, appetite, tolerance and the stress tests made by the credit institutions during yearly on-site visits. Depending on the assessment results, the NBR can determine the need for an additional SREP capital requirement. However, there is no explicit provision in the regulation that requires “independent” validation of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions). It is important that the interest rate risk management system be independently validated or audited. The Basel Committee on Banking Supervision published a new guideline on standards for IRRBB in April 2016. Under the new standards, thresholds for identifying outlier banks have become stricter – the threshold being reduced from 20 percent of a bank's total capital to 15 percent of a bank's Tier 1 capital. The NBR has not updated its IRRBB regulations yet. The authorities mention that currently they are in the process of amending regulation 191 ROMANIA regarding IRRBB to make it in line with EBA guidelines on IRRBB (2015)102 and will also be updated according to EU-level review plan103. The authorities should consider the following activities: • Include explicit requirement in the regulation that banks conduct independent (internal or external) validation of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions). • Update current regulation based on EU-wide regulatory amendment process reflecting new BCBS standards for IRRBB (2016). Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. Essential criteria EC1 Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. Description and The liquidity regulations applied to all Romanian credit institutions are the following: findings re EC1 Commission Delegated Regulation (EU) 2015/61(hereinafter DA), CRR, Commission Implementing Regulation (EU) No. 680/2014, NBR regulation No. 25/2011, and banking law. According to Article 4 of DA, credit institutions in Romania shall calculate their liquidity coverage ratio in accordance with the following formula: • Liquidity Buffer/Net Liquidity Outflows over a 30-calendar day stress period = Liquidity Coverage Ratio; • Credit institutions shall maintain a liquidity coverage ratio of at least 100 percent. Where an institution does not meet or expects not to meet the requirement, including during times of stress, it shall immediately notify the competent authorities and submit without undue delay to the competent authorities, a plan for the timely restoration of compliance. Until compliance has been restored, the institution shall report daily by the 102 https://www.eba.europa.eu/documents/10180/1084098/EBA-GL-2015-08+GL+on+the+management+of+interest+rate+risk+.pdf 103 EBA has recently issued a consultation paper on the new guidelines on the management of IRRBB (EBA/CP/2017/19 – 31/10/2017) which takes account also of the existing supervisory expectations and practices including the standards on interest rate risk in the banking book published by the BCBS in April 2016. 192 ROMANIA end of each business day unless the competent authority authorizes a lower reporting frequency and a longer reporting delay. Competent authorities shall only grant such authorizations based on the individual situation of an institution and taking into account the scale and complexity of the institution's activities. They shall monitor the implementation of the restoration plan and shall require a more speedy restoration if appropriate (Article 414 of CRR). As an additional liquidity requirement, NBR Regulation No. 25/2011 lays down, the minimum level of liquidity on an individual level. According to this Regulation, the liquidity ratio shall be calculated as a ratio between the effective liquidity and necessary liquidity on each maturity band. The maturity bands may be up to 1 month, between 1 and 3 months, between 3 and 6 months, between 6 and 12 months, and over 12 months. • Effective liquidity is determined by summing, on each maturity band, the assets, the commitments received and recorded off-balance sheet (including those relative to the spot exchange operations), and the receivables in respect of derivatives. • Necessary liquidity is determined by summing, on each maturity band, the liabilities, the commitments given and recorded off-balance sheet (including those relative to the spot exchange operations), and the liabilities in respect of derivatives. • In the event of recording an excess of liquidity on any of the maturity bands, with the exception of the last band, the excess shall be added to the level of effective liquidity of the next maturity band. The credit institutions shall permanently maintain the liquidity ratio calculated for all the operations in RON equivalent, at least at the level of 1 (one) for the following maturity bands: up to 1 month; between 1 and 3 months; between 3 and 6 months; between 6 and 12 months. The credit institution shall calculate the liquidity ratio distinctly for the operations in Euro and in RON for all maturity bands, and for all the operations in RON equivalent for maturity band of over 12 months. Nevertheless, it is noteworthy that the EU-wide requirement follows the LCR set by the BCBS, but with less conservative divergences and resulting in improved ratios. These include, most notably: • the inclusion of covered bonds that meet certain requirements to Level 1 HQLA with a 7 percent haircut and a cap of 70 percent (DA Article 10); • inclusion of non-externally rated covered bonds into Level 2BV HQLA (DA Article 12); • inclusion of assets and representing claims to or guaranteed by the central government, the central bank, regional governments, local authorities or public sector entities (PSEs) of a Member State to Level 1 HQLA even if they are not marketable securities (DA Article 10); and, • securitization of auto, SME and consumer loans to Level 2B HQLA (DA Article 13). In Romania, the above elements that the RCAP found deviations in the calculation of LCR could not have a significant impact on the Romanian banks under the circumstance of no covered bond holdings. In addition, regarding the eligibility criteria for LCR, the NBR has chosen not to include in the level 1 assets the amounts representing minimum reserve 193 ROMANIA requirements. As a consequence, the NBR recognizes as HQLA only the part from the amounts deposited with central bank that exceeds minimum reserve requirements (Article 648 of Regulation No. 5/2013). EC2 The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. Description and See EC1. A LCR reflects the liquidity risk profile of banks and include on and off-balance findings re EC2 sheet risks. Specifically, the DA contains treatments for both on and off-balance sheet items and in different areas reflecting market risk. EBA implementing technical standards on additional liquidity monitoring metrics under Article 415(3)(b) of CRR includes reporting on rollover of funding and pricing of funding. In addition, EBA SREP guidelines include the evaluation of actual market access and recommends national competent authorities to take into account warnings and recommendations issued by macro-prudential authorities. According to Article 226 of the Banking Law, the NBR shall assess whether any imposition of a specific liquidity requirement is necessary to capture liquidity risks to which an institution is or might be exposed, taking into account systemic liquidity risk that threatens the integrity of the financial markets in Romania. EC3 The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance Description and Article 137 of regulation No. 5/2013 stipulates the following requirements, but is not findings re EC3 limited to; • Credit institutions shall maintain adequate levels of liquidity buffers. • Credit institutions shall have robust strategies, policies, processes and systems for the identification, measurement, management and monitoring of liquidity risk over an appropriate set of time horizons, including intraday. • The strategies, policies, processes and systems shall be tailored to business lines, currencies, branches and legal entities and shall include adequate allocation mechanisms of liquidity costs, benefits and risks. • The strategies, policies, processes and systems shall be proportionate to the complexity, risk profile, scope of operation of the credit institutions and risk tolerance set by the management body and reflect the credit institution’s importance in each Member State in which it carries out business. • Credit institutions shall have liquidity risk profiles that are consistent with, and not in excess of those required for a well-functioning and robust system, taking into account the nature, scale and complexity of their activities. 194 ROMANIA • The strategies, policies, processes and systems in liquidity risk management be approved and reviewed by the management body at least annually. • A credit institution’s management body in its supervisory function shall ensure that senior management manages liquidity risk effectively. • Senior management is responsible for developing the strategies, policies, processes and systems to manage liquidity risk in accordance with the established risk tolerance, as well as to ensure that the credit institution maintains sufficient liquidity. Under the SREP, the NBR reviews annually the robustness of a bank’s liquidity management framework including the above requirements. EC4 The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: (a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; (b) sound day-to-day, and where appropriate intraday, liquidity risk management practices; (c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; (d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and (e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate. Description and Article 137 of No. 5/2013 comprehensively describes the requirements in terms of banks’ findings re EC4 liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment (See EC3). When the NBR annually assesses the quality of liquidity risk management of bank, the following items are taken into consideration based on regulation No. 5/2013 and SREP guidelines, etc.: • the analysis of the liquidity risk strategy and tolerance to be approved by the management body and updated at least annually, to be effectively communicated to relevant staff, to be clearly defined and not just a summary of general statements, objectives stated into the strategy be realistic, properly documented and correlated with its business model; • assessment of the liquidity risk profile established according to internal methodology: to what extent the risk profile captures the exposure of the bank to liquidity risk, 195 ROMANIA whether the indicators and thresholds used are appropriate, a comparison with supervisory benchmarking; • assessment of the organizational framework and internal regulations established for the governance and management of liquidity and funding risk: whether banks have appropriate policies and procedures for the management of liquidity and funding risk, whether there are sufficient human and technical resources; • assessing the key risk indicators system developed by credit institutions for identifying and measuring liquidity and funding risk and to what extent this system, together with associated thresholds is appropriate for each bank, the frequency of which this indicator is calculated and reported to the appropriate recipients (management body, senior management or asset-liability committee); • the analysis of limits and tools used by credit institutions for managing intraday liquidity: the way banks monitor cash flows and liquidities in order to meet intraday obligations (including in stress conditions), existence of funding agreements for intraday liquidity purposes, internal limits for holding unencumbered treasury bills to fill the liquidity shortfalls; • assessing quality of the liquidity stress tests used by credit institutions: the number of liquidity stress scenarios used, the severity levels, the plausibility of the assumptions taken into consideration, whether the liquidity buffer covers the potential outflows calculated for the survival period set by the banks. To date, the NBR doesn’t use supervisory liquidity stress tests as an independent tool to assess short and medium- term liquidity risks; • whether the risk limits and monitoring systems of the bank are consistent with its liquidity risk tolerance and regularly reviewed, as well as whether they incorporate the outcomes of internal liquidity stress tests. Article 142 stipulates that a credit institution shall have a reliable management information system designed to provide the management body in its supervisory function, senior management and other appropriate personnel with timely and forward-looking information on the liquidity position. EC5 The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: (a) an analysis of funding requirements under alternative scenarios; (b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; (c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits; (d) regular efforts to establish and maintain relationships with liability holders; and (e) regular assessment of the capacity to sell assets. 196 ROMANIA Description and The NBR requires banks to establish and regularly review funding strategies and policies findings re EC5 and processes. The policies and processes should include consideration of how other risks may impact the bank’s overall liquidity strategy. The requirements in this EC are well described in Article 137, 138, 139, 140, 141, and 144 of NBR regulation No. 5/2013, Article 3, 7, and 8 of DA, and in the SREP guideline. Relevant requirements are as follows: • Credit institutions shall develop methodologies for the identification, measurement, management and monitoring of funding positions. • Credit institutions shall consider alternative scenarios on liquidity positions and on risk mitigants and review the assumptions underlying decisions concerning the funding position at least annually • Credit institutions shall distinguish between pledged and unencumbered assets that are available at all times, in particular during emergency situations. • Credit institutions shall consider different liquidity risk mitigation tools, including a system of limits and liquidity buffers in order to be able to withstand a range of different stress events, as well as an adequately diversified funding structure and access to funding sources, and shall review them regularly. • Credit institutions shall maintain an active presence within markets relevant for their funding strategy and build strong relationships with fund providers to promote effective diversification of funding sources. For diversification of the funding sources, credit institutions shall establish limits by counterparties, secured versus unsecured market funding, instrument types, securitisation vehicles, currencies and geographic market. • Credit institutions shall check that the credit institution's processes for the timely monetization of assets are effective. These aspects areexamined under the SREP on an annual basis. EC6 The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. Description and Article 145 of No. 5/2013 stipulates the following but is not limited to: findings re EC6 • Credit institutions shall adjust their strategies, internal policies and limits on liquidity risk and develop effective contingency plans, taking into account the outcome of the alternative scenarios. • Credit institutions shall take into account liquidity risk concentrations when setting up contingency funding plans. 197 ROMANIA • At a minimum, the plans shall consider the potential contingency funding sources available in the event of a reduction in supply from different counterparty classes. • Credit institutions shall consider the feasibility of measures included in the contingency funding plans if more than one credit institution tries to undertake them at the same time. • Credit institutions shall include in the contingency plans strategies to address the contingent encumbrance resulting from relevant stress events Article 146 stipulates that the plans shall be tested by the credit institutions at least annually, updated on the basis of the outcome of the alternative scenarios, reported to and approved by senior management, so that internal policies and processes can be adjusted accordingly. Also, credit institutions are required to demonstrate to the NBR – Supervision Department that all measures were taken to ensure the necessary conditions to apply contingency plans quickly when appropriate, including by entering into funding agreements (Article 147). During the on-site inspection (following SREP), the NBR assesses and determines that banks have robust liquidity contingency funding plans. The NBR also assesses whether banks have adequate procedures with respect to communication within the institution and with external parties (including communication with the NBR). In addition, the appropriateness of assumptions regarding the role of central bank funding in the liquidity funding plan is also assessed. EC7 The supervisor requires banks to include a variety of short-term and protracted bank- specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. Description and Article 144 and 145 of NBR Regulation No. 5/2013 stipulates that credit institutions shall findings re EC7 consider alternative scenarios on liquidity positions and on risk mitigants and review the assumptions’ underlying decisions concerning the funding position at least annually. Credit institutions are required to consider the potential impact of credit institution- specific, market-wide and combined alternative scenarios. In addition, credit institutions shall adjust their strategies, internal policies and limits on liquidity risk and develop effective contingency plans, taking into account the outcome of the alternative scenarios. According to Article 220 and 221, credit institutions are required to analyze the impact of alternative scenarios on liquidity buffers. The market-wide alternative scenario should be considered and it might assume a decline in the liquidity value of some assets and deterioration in funding market conditions in addition to market disruptions or changes in the macroeconomic environment in which the credit institution is operating. Credit institutions also shall consider different time periods and varying degrees of stress conditions. 198 ROMANIA Regarding the use of stress test results, according to the EBA guidelines, the NBR assesses whether the outcomes of stress testing are integrated into the institution’s strategic planning process for liquidity and funding. (See EC4 and EC5) EC8 The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. Description and Article 138 of regulation No. 5/2013 stipulates that a credit institution shall identify findings re EC8 measure, manage and monitor the funding positions for currencies in which the credit institution is active. Credit institutions are required to: • undertake a separate analysis of its strategy and monitor its liquidity needs separately for each currency in which it has significant activity; • use stress tests to determine the mismatches in that currency; • set and review limits on the cash flow mismatches for currencies in aggregate and for each significant currency; • assess the likelihood of loss of access to the foreign exchange markets, as well as the convertibility of the currencies in which it carries out its activities These aspects are examined during annual on-site inspection in the context of SREP. Additional criteria AC1 The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. Description and Article 1391 of regulation No. 5/2013 stipulates that credit institutions shall put in place findings re AC1 risk management policies to define their approach to asset encumbrance, as well as procedures and controls that ensure that the risks associated with collateral management and asset encumbrance are adequately identified, monitored and managed. The policies are required be approved by the management body. In addition, the NBR published instructions in May 2016 regarding the disclosure of encumbered and unencumbered assets. This instruction provides a set of principles and 199 ROMANIA templates that enable the disclosure of information on encumbered and unencumbered assets by products on a consolidated basis. On setting limits, the EBA SREP guidelines recommend supervisors to assess whether the limit and control framework helps institution to ensure the availability of sufficient and accessible liquid assets. There is no regulatory requirement on the banks’ levels of encumbered balance-sheet assets or disclosure requirements. Assessment of Compliant Principle 24 Comments In Romania, the LCR and other liquidity qualitative and quantitative requirements apply to all credit institutions. Banks are required to have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements, including regular stress testing and contingency funding plans. The NBR conducts on-site inspection annually and off-site quarterly for all banks. The EU-wide requirement follows the LCR set by the BCBS broadly, but with some divergences that could result in improved ratios. However, the impact is not significant in Romanian context (i.e.,: no covered bonds holdings, conservative eligibility criteria regarding certain HQLA level 1 asset, and high level of average LCR ratio in the banking industry, etc.). Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk 104 on a timely basis. Essential criteria EC1 Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the b ank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). Description and The NBR transposed ECs from this CP into Regulation No. 5/2013. Article 150, 151, 152 of findings re EC1 NBR Regulation No. 5/2013 and requires credit institutions to have appropriate operational risk management strategies, policies and processes to identify, assess, monitor, report and control/mitigate operational risk. The operational risk management framework should be consistent with the bank’s risk appetite and risk tolerance, while taking into account market and macroeconomic conditions. Furthermore, Article 152 requires that institutions’ strategies include policies, processes, and all major aspects of 104 The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk. 200 ROMANIA operational risk prevalent in the businesses of the bank including periods when operational risk could increase. The use of SA and AMA is allowed depending on compliance with certain criteria and standards (CRR Article 312). The criteria for SA are detailed in Article 320 and the qualitative requirements for AMA are described in Article 321. Currently in Romania, three banks have been allowed to use AMA, two are using SA, and the rest applies BIA. The following are the guidelines that have been issued by the EBA/Committee of European Banking Supervisors (CEBS) in respect to operational risks under the AMA approach and transposed into Regulation No. 5/2013, or taken into account via instructions: • Guidelines on the implementation, validation and assessment of AMA and IRB approaches.105 • Guidelines on operational risk mitigation techniques.106 • Guidelines on the management of operational risks in market-related activities.107 • Guidelines on AMA extensions and changes.108 In short, the overall qualitative standards refer to the robustness of internal governance, internal control, organization framework for operational risk management, internal reporting, independent review and internal audit. These aspects are examined during on- site examination. EC2 The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. Description and Article 153 of regulation No. 5/2013 requires that credit institution’s strategies, policies findings re EC2 and processes for the management of operational risk be approved and regularly reviewed by the Board. Article 154 specifies that the Board should oversee the implementation of these policies and processes. For banks under SA and AMA approaches, there is a additional requirement for operational risk reports to be provided to senior management. Based on EBA SREP guidelines, the NBR assesses the following on an annual basis: • whether the institution has defined and formalized a sound operational risk management strategy and tolerance level that’s approved by the management body and specifically takes into account whether: 105 https://www.eba.europa.eu/regulation-and-policy/credit-risk/guidelines-on-the-implementation-validation-and-assessment-of-advanced- measurement-ama-and-internal-ratings-based-irb-approaches 106 https://www.eba.europa.eu/regulation-and-policy/operational-risk/guidelines-on-operational-risk-mitigation-techniques 107 https://www.eba.europa.eu/regulation-and-policy/operational-risk/guidelines-on-the-management-of-operational-risk-in-market-related-activities 108 https://www.eba.europa.eu/regulation-and-policy/operational-risk/guidelines-on-ama-extensions-and-changes/-/regulatory-activity/consultation- paper 201 ROMANIA o the management body clearly expresses the operational risk management strategy and tolerance level, as well as the process for the review thereof (e.g., in the event of an overall risk strategy review, a loss trend and/or capital adequacy concerns, etc.); o senior management properly implements and monitors the operational risk management strategy approved by the management body, ensuring that the institution´s operational risk mitigation measures are consistent with the strategy established; o these strategies are appropriate and efficient with respect to the nature and materiality of the operational risk profile and whether the institution monitors their effectiveness over time and their consistency with the operational risk tolerance level; o the institution’s operational risk management strategy covers all the activities, processes and systems of the institution – including on a forward-looking basis through the strategic plan – where operational risk is or may be significant; o the institution has an appropriate framework in place to ensure that the operational risk management strategy is effectively communicated to relevant staff. • the management body approves the policies for managing operational risk and reviews them regularly, in line with the operational risk management strategies. EC3 The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. Description and Article 154 of Regulation No. 5/2013 states that management shall effectively implement findings re EC3 the approved strategy and the policies and processes, under the control of the Board through its supervisory function. Article 320 of CRR requires that an institution’s operational risk assessment system shall be closely integrated into the risk management processes of the institution under SA approach. For AMA institutions, Article 321 stipulates that an institution’s internal operational risk measurement system shall be closely integrated into its day to day risk management processes. In addition, the SREP guideline includes this aspect and is examined by the NBR during the SREP assessment (See EC2). EC4 The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. Description and The NBR assesses the bank’s disaster recovery and business continuity plans based on the findings re EC4 requirements of NBR Regulation No. 5/2013 and EBA SREP guidelines. Article 149 (3) of Regulation No. 5/2013 transposes Article 85 (2) from the CRD, requiring institutions to implement business continuity plans that ensure the institution’s ability to operate on an ongoing basis and limit losses in the event of severe business disruption. 202 ROMANIA Article 64 stipulates that an institution shall establish a sound business continuity management to ensure its capacity to function continuously and to limit the losses in case of severe business disruption. Thus, the credit institution shall dispose of: • Contingency and business continuity plans to ensure it reacts appropriately to emergencies and is able to maintain its most important business activities if there is disruption to its ordinary business procedures. • Recovery plans for critical resources to enable it to return to ordinary business procedures in an appropriate timeframe. Any residual risk from potential business disruptions should be consistent with the institution’s risk tolerance/appetite. Therefore, during the SREP the supervisor will assess the quality and effectiveness of business continuity testing and planning (e.g., ability of the institution’s IT system to keep the business fully operational). Business continuity plans are assessed annually under SREP process. EC5 The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. Description and Article 155 of regulation No. 5/2013 requires that credit institutions shall implement findings re EC5 appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The credit institutions shall have appropriate and sound information technology infrastructures to meet their current and projected business requirements under normal circumstances and in periods of stress to ensure data and system integrity, security and availability of the data and supports integrated and comprehensive risk management. The EBA SREP guideline has some recommendations based on the well-established industry standards (e.g., ISO 27000, Control Objectives for Information and Related Technology (COBIT), Information Technology Infrastructure Library (ITIL), etc.) to be used by competent authorities within the process of ICT risk assessments. In assessing the appropriateness and soundness of the information technology infrastructure, the supervisor determines if this meets the current and projected business requirements (under normal circumstances and in periods of stress, having in view also the data center and the disaster recovery center) and ensures data and system integrity, security and availability, and supports integrated and comprehensive risk management. The supervisor assesses the significance of the potential impact of ICT risk in terms of both losses and reputational damage to the institution. In this respect, relevant sensitivity and scenario analyses or stress testing results are used, when available. However, there are currently no comprehensive guidelines on cyber security and information and communication technology in banks. The authorities mention that 203 ROMANIA beginning January 2018, the NBR will take into consideration the new EBA Guidelines on ICT Risk Assessment under the SREP. Regarding the IT resources, Supervisory Department disposes one IT systems specialist, who is an ISACA member and CRISC certified, and does not use outside IT experts. EC6 The supervisor determines that banks have appropriate and effective information systems to: (a) monitor operational risk; (b) compile and analyze operational risk data; and (c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk. Description and Article 156 of regulation No. 5/2013 requires credit institutions to have appropriate and findings re EC6 effective information systems to monitor operational risk, compile and analyze operational risk data and facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk. EBA SREP guidelines include a recommendation that banks should have appropriate information systems and methodologies to quantify or assess the operational risk, which comply at minimum, with the requirements for determining relevant minimum own funds (e.g., for the AMA, the length of time series, treatment of insurance, correlation, etc.). In particular, the NBR assesses the following elements during SREP: • the security of internal and external access to systems and data (e.g., whether the IT system provides information and access only to the right people); • the accuracy and integrity of the data used for reporting, risk management, accounting, position keeping, etc. (e.g., whether the IT system ensures that the information and its reporting are accurate, timely and complete); • the agility of change execution (e.g., whether changes in IT systems are carried out within acceptable budgets and at the required speed of implementation). EC7 The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. Description and Article 157 of regulation No.5/2013 stipulates broad requirement as following: findings re EC7 Credit institutions must periodically inform the NBR of developments with a significant impact on operational risk at least annually and as required by objective conditions. Article 160(1) of NBR Regulation No. 5/2013 provides that credit institutions shall report to the NBR the suspicious activities and incidents of fraud where, due to their level of materiality, they may affect the safety, soundness and reputation of the credit institutions. However, the scope of this reporting is not as broad as this EC require 204 ROMANIA EC8 The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers: (a) conducting appropriate due diligence for selecting potential service providers; (b) structuring the outsourcing arrangement; (c) managing and monitoring the risks associated with the outsourcing arrangement; (d) ensuring an effective control environment; and (e) establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. Description and NBR Regulation No. 5/2013 Chapter V – Conditions for outsourcing the credit institution’s findings re EC8 activities sets out the principles for management of risks associated with outsourcing including: • The ultimate responsibility for the proper management of the risks associated with outsourcing and for the outsourced activities lies with the outsourcing credit institution’s management body. • The credit institution is responsible for its authorized activities, including those outsourced. • credit institutions to have a written policy on their approach to outsourcing which shall include, inter alia, o the setting of terms and conditions to perform the outsourced activity, including the requirements regarding the outsourcing service provider and the quality of services provided by this and the criteria of election of the outsourcing service provider; (i.e., appropriate due diligence) o the analysis of the risks related to outsourcing and setting the methods to be used in the management of those risks o appropriate monitoring and assessment by the credit institution’s bodies having management function of the financial performance and essential changes in the service provider’s organization structure and ownership st ructure, so that necessary measures can be promptly taken; o contingency plans and clearly defined exit strategies. The regulation (Article 235 and 236) establishes the features of the outsourcing contract that facilitate proper risk management of the outsourced activities by the outsourcing credit institution (e.g., the assessment by the credit institution of the service provider, continuously monitoring and assessment, inclusion of a contract termination clause or unilateral cancelation of the contract etc.) and sets the obligation of the outsourcing service provider to grant complete access to its data/information related to outsourced services to the CI’s compliance and internal audit functions, and to external auditors. It 205 ROMANIA also sets the obligation of the provider to permit in relation to the outsourced services, the direct access of the NBR to its data as well as the right of the NBR to conduct on-site inspections. These aspects are assessed by the NBR during on-site and/or off-site supervision. Additional criteria AC1 The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities). Description and Section 3, Chapter V of No. 5/2013 indicates that notifications to the NBR regarding the findings re AC1 outsourcing of a credit institution’s material activities shall include a description of the service provider including at minimum, the name and scope of activity, the operating market and market position, the applicable jurisdiction, its ownership structure and, by case, the extent to which the service provider is included in the credit institution’s group and in the consolidated supervision of that group. Notification of a change in the outsourcing provider shall be made one month before the possible date of concluding the new outsourcing contract, so the NBR may evaluate the new circumstances and take any necessary measures. In this way, the NBR can identify common points of exposure to operational risk or potential vulnerability. To date, the NBR has not met/interact directly with the major service providers to assess the issues from an operational risk perspective. Assessment of Largely Compliant Principle 25 Comments In Romania, three banks have been allowed to use AMA, two are using SA, and the rest use BIA to calculate operational risk regulatory capital. As of June 2017, RWAs for operational risk have been around 15 percent of total RWAs. The supervision on operational risk management of banks is conducted based on provisions in CRR, NBR regulation No. 5, and EBA SREP guidelines. The adequacy of the overall operational risk management framework and its effective implementation is assessed during the annual onsite inspections. However, in terms of ICT risks, a comprehensive guideline on cyber security and information technology for banks has not been implemented yet. Authorities mention that starting January 2018, the NBR will implement the new EBA Guidelines on ICT Risk Assessment (2017) under the SREP. Regarding IT resources, the Supervisory Department has one IT systems specialist but does not have a dedicated unit; this could be considered insufficient in times of increasing demand. The Supervision Department does not use outside IT experts. Authorities mention that they are planning to hire more IT risk experts. 206 ROMANIA With respect to banks’ operational risk reporting, the current reporting requirement is not sufficiently broad as this EC require, the template does not exist and the reporting timing is also unclear. It would be useful to have explicit requirement in the regulations that banks “immediately” notify the NBR of “any” developments affecting operational risk, should they occur. In addition, there is no template/framework specifying the minimum elements the bank should report to the NBR (e.g., related staff members, dates of occurrence/identification/reporting, types of incidents, (expected) loss amount, total related amount, recovered amount, internal measure/actions taken by the bank, problems in internal control, prevention measure, etc.). The authorities should consider the following activities: • Introduce guidelines on a comprehensive information and communication technology as intended; • Enhance IT risk supervisory capacity (e.g., establish a specialized unit/ increase IT specialists); • Expand the scope and required items of reporting on operational risk events to keep the NBR apprised of developments affecting operational risk in a timelier and comprehensive manner. Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent109 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. Essential criteria EC1 Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance); 109 In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee. 207 ROMANIA (b) accounting policies and processes: reconciliation of accounts, control lists, information for management; (c) checks and balances (or “four eyes principle”): segregation of duties, cross -checking, dual control of assets, double signatures; and (d) safeguarding assets and investments: including physical control and computer access. Description and The regulatory approach in Romania, largely defined by EU directives, has been (i) to set findings re EC1 high level requirements and principles on internal control which banks have to comply with and (ii) to hold Boards (and senior management) accountable for complying with these principles. Detailed requirements on internal control were removed ahead of Romania’s accession to the EU in 2007. More specifically, the banking law and NBR Regulation 5/2013 set the following high-level requirements on internal control frameworks, which are consistent but not as detailed as those included in the essential criterion: • Every bank must have on an ongoing basis “adequate internal control mechanisms, including sound administration and accounting procedures” (Article 24–1 of the banking law) • The internal control framework must be “comprehensive and proportionate, related to the nature, scale and complexity of the risks inherent in the business model and of the credit institution's activities” (Article 24–2 of the banking law) • The Internal control framework is broadly defined by NBR Regulation 5/2013 (Article 3-1-4) as “a framework that shall ensure the pursuit of certain effective and efficient operations, the appropriate control of risks, the prudential pursuit of activity, the credibility of financial and nonfinancial information reported both inland and abroad, as well as the compliance with the legal and regulatory framework, the supervision requirements and the internal rules and decisions of the credit institution”; • The management body is responsible for “setting and overseeing an adequate and effective internal control framework, that includes well-functioning risk management, compliance and internal audit functions as well as an appropriate financial reporting and accounting framework” (Article 12–1 of NBR Regulation 5/2013); • Banks must have independent control functions (Article 33–b of NBR Regulation 5/2013); • The management body shall define, oversee and be accountable for the implementation of governance arrangements that ensure effective and prudent management of the credit institution, including the segregation of duties within the organization and the prevention of conflicts of interest (Article 11–1); • The policy on conflicts of interest shall establish measures that are to be adopted in order to prevent or manage conflicts of interest including an adequate separation of duties (Article 26–1). A few specific requirements mentioned in this EC are not individually mentioned (e.g., reconciliation of accounts, control lists, cross-checking, dual control of assets, double signatures) but are covered by broader requirements; some of these specific requirements were also covered by previous regulations (creating an expectation they are engrained in banking and supervisory practices). 208 ROMANIA NBR mentioned that these issues were systematically looked at during on-site inspections (including by looking at the quality and outcomes of the work of the different control functions, including the work conducted by the group -e.g., audit- in the case of subsidiaries of EU banking groups). Discussions with NBR teams confirm their knowledge of and attention to the issues covered by the essential criterion, but the fact that they are addressed in a systematic (or appropriately risk-based) and consistent manner is hard to assess in the absence of a detailed methodology (or guidance) for the conduct of on-site inspections (and the template for on-site inspections only cover such issues at a high level). A review of sanctions taken and published by NBR in 2016 and 2017 confirms that shortcomings are identified and acted upon: • written warning to a bank in 2017 due to a lack of timely follow up by the management body to implement the recommendations of the internal audit, a lack of audit committee during nine months and a failure to implement adequate control regarding the issuance and use of electronic payment instruments; Written warning to a bank in 2016 due, inter alia, to inadequate internal control mechanisms regarding the compilation and transmission to the supervisory authority of annual consolidated reports covering the main deficiencies identified in the internal control functions and the conditions under which internal control was carried out. EC2 The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. Description and For control functions, NBR Regulation 5/2013 (Article 35–4) requires that control functions findings re EC2 have an adequate number of qualified staff (and be trained on an ongoing basis as needed) and that such staff have appropriate authority and access to appropriate data systems, information and other types of support. NBR Regulation 5/2013 (Article 35) requires that the control functions (including risk management, compliance and internal audit functions) be • Independent, which requires at a minimum that: (i) its staff does not perform any tasks that fall within the scope of the activities the control function is intended to monitor and control, (ii) the control function is organizationally separate from the activities it is assigned to monitor and control, (iii) the head of the control function is subordinate to a person who has no responsibility for managing the activities the control function monitors and controls (and it generally shall report directly to the management body and any relevant committees and shall regularly attend their meetings), (iv) the remuneration of the control function’s staff should not be linked to the performance of the activities it monitors and controls; • established at an adequate hierarchical level, and • report directly to the management body. NBR Regulation 5/2013 also indicates that control functions shall regularly submit to the management body formal reports on major identified deficiencies (including follow-up on earlier findings and, for each new identified major deficiency, the relevant risks involved, an impact assessment and recommendations) and that the management body shall 209 ROMANIA act on the findings of the control functions in a timely and effective manner and require adequate remedial action. For back offices and operational management, there is no specific requirement for banks to (i) ensure an appropriate balance in the skills and resources of the back office and operational management relative to the business origination units and (ii) ensure the staff of the back office have sufficient expertise and authority within the organization to be an effective check and balance to the business origination units. This is only covered by broader requirements. NBR indicated such aspects were reviewed as part of the on-site process and, regarding the expertise and authority of the head(s) of back office(s), when they are interviewed by NBR before they are approved. Specific NBR guidelines (or methodologies) for supervisors on internal control and audit could usefully complement the existing framework (law, regulations, SREP etc.) and facilitate the implementation of comprehensive and consistent approaches, particularly for on-site examinations (e.g., in areas where detailed requirements are not spelled out -back offices- or subject to interpretation -e.g., adequate number of qualified staff, adequate training, appropriate authority, appropriate support or direct access to the management body-). There is no analysis (beyond SREP ratings) conducted, regularly or at points in time, at industry level on the implementation of internal control and audit requirements (e.g., review of reporting framework to Board, parent where applicable, staffing etc. to identify both best practices and outliers). EC3 The supervisor determines that banks have an adequately staffed, permanent and independent compliance function110 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. Description and NBR Regulation 5/2013, Article 50 requires that the compliance function ensures that the findings re EC3 compliance policy is observed, and report to the management body on the management of compliance risk. It also requires that the findings of the compliance function are taken into account by the management body within the decision-making process. The compliance function shall also advise the management body on the provisions of the legal and regulatory framework and standards the credit institution needs to meet and assess the possible impact of any changes in the legal and regulatory framework on the credit institution activities Article 51. NBR mentioned that the main compliance risks for banks include: (i) the risk of litigation (NBR regularly ask banks to increase their provisions to cover litigation costs); (ii) money laundering and terrorism financing (see CP 29); (iii) conflicts of interests (Banks compliance officers check the implementation of internal policies in this respect. The lack of disclosure 110 The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines. 210 ROMANIA of such conflicts of interests by bank staff -at different levels- was identified in a number of banks. In one bank, the compliance function identified that none of the Board members had been submitted declaration of interests; and (iv) customer complaints. NBR mentioned as a recent example of corrective action a request it made for a bank to increase the frequency of reporting on compliance risk to the Board of a bank at least to a quarterly basis. See EC 1 and 2 on adequate staffing, permanence, independence, training, experience and authority (for aspects applicable to all control functions). EC4 The supervisor determines that banks have an independent, permanent and effective internal audit function111 charged with: (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with. Description and NBR Regulation 5/2013, Article 54 requires banks to have an internal audit function findings re EC4 (i) to assess the compliance of all activities and business units of a credit institution (including the risk management and compliance functions) with the credit institution's policies and procedures and (ii) to assess whether existing policies and procedures are appropriate and comply with the requirements of the legal and regulatory framework. See EC 1 and 2 on adequate staffing, permanence, independence, training, experience and authority (for aspects applicable to all control functions). The assessment of the internal audit function primarily relies on annual full-scope on-site examinations (as well as the approval process of the head of the internal audit). EC5 The supervisor determines that the internal audit function: (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; (c) is kept informed in a timely manner of any material changes mad e to the bank’s risk management strategy, policies or processes; 111 The term “internal audit function” does not necessarily denote an organizational unit. Some countri es allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative. 211 ROMANIA (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; (e) employs a methodology that identifies the material risks run by the bank; (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and (g) has the authority to assess any outsourced functions. Description and In addition to aspects covering all control functions (see EC 1 and 2), NBR Regulation findings re EC5 5/2013 requires that (i) the internal audit function has unfettered access to relevant documents and information in all operational and control units Article 56 and (ii) Internal audit work is performed in accordance with an audit plan and detailed audit programs following a risk based approach Article 59. There is no specific requirement that the internal audit is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes. aspects covered by this essential criterion are primarily assessed during annual full-scope on-site inspections (including checking the existence of relevant clauses allowing the internal audit to assess outsourced activities, and the work performed in this regard). Shortcomings regularly identified include (i) the lack of sufficient resources (sometimes due to turnover) leading to delays in the implementation of audit plans; (ii) insufficiently risk-based audit approaches leading to insufficient periodicity of some activities (up to a 3–4 year cycle); and (iii) when the ICAAP process was introduced, NBR also identified that the internal audit was often not adequately involved in the review of such work (an issue which is not common anymore). See EC 2 on the absence of specific NBR guidelines or internal methodologies for supervisor. Assessment of Largely Compliant Principle 26 Comments Internal control and audit are at the core of the supervisory process implemented by NBR. Detailed requirements exist, with a few small exceptions, regular exchanges take place between NBR and control functions (including a thorough approval process when the head of audit and compliance take their positions) and the adequacy and performance of the internal control and audit are systematically assessed during annual full-scope on-site examinations. These areas are also covered in detail by the SREP approach and, where applicable, discussed for the parent group in the context of EU supervisory colleges. Specific NBR guidelines (or methodologies) for supervisors on internal control and audit could usefully complement the existing framework (law, regulations, SREP etc.) and facilitate the implementation of comprehensive and consistent approaches, particularly for on-site examinations (e.g., in areas where detailed requirements are not spelled out -back offices- or subject to interpretation -e.g., adequate number of qualified staff, adequate training, appropriate authority, appropriate support or direct access to the management body etc.,-). 212 ROMANIA NBR could usefully introduce a specific requirement that the internal audit is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes. The conduct of periodic industry level analyses on the design and implementation of internal control and audit requirements could usefully complement the existing supervisory approach (e.g., review of reporting framework to Board, relationships with the parent senior management and control functions where applicable, staffing levels, etc. to identify both best practices, outliers, possible gaps etc.). Principle 27 Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. Essential criteria EC1 The supervisor112 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. Description and Banks are required to prepare financial statements in accordance with accounting policies findings re EC1 and practices that are widely accepted internationally: • NBR Order 27/2010 of 16 December 2010 (on the basis inter alia of the Accounting Law No. 82/1991) requires Romanian banks to prepare their financial statements both on a solo and consolidated basis in compliance with IFRS standards (as Romania joined the European union, the order was amended so that banks would apply EU IFRS standards as adopted according to the procedure laid out in the EU regulation 1606/2002); • International auditing standards have been implemented in Romania since the implementation of the emergency government ordinance 90 /2008 on statutory audit. Article 152–2 of the banking law specifically requires the use of such standards for banks: “the annual and, as the case may be, the annual consolidated financial statements of credit institutions shall be audited by financial auditors, in accordance with international standards and practices.” The banking law requires banks to keep adequate records (and, with NBR Regulation 5/2013, sets detailed requirements regarding internal control and risk management frameworks, see CP 15 and 26). 112 In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors. 213 ROMANIA • Article 152: “credit institutions shall permanently keep accounting records according to the provisions of the Accounting Law No.82/1991, republished, and shall draw up annual financial statements and, accordingly, consolidated annual financial statements providing a fair view of the financial position, financial profitability, cash flows and other information related to the activity performed.” Annex 1 to NBR Order No. 27/2010 indicates Article 13–2, that: “members of the management body and the directors, members of the supervisory board and of the directorate (senior management) of a credit institution shall jointly ensure that the annual financial statements and the management report are drawn up and published in accordance with national legislation.” EC2 The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. Description and Banks are required to have their accounts audited by the independent external auditor. findings re EC2 NBR Order 27/2010 (Article 21 of the methodological annex) requires that: “the duly approved annual financial statements, together with the management report and the audit report signed by the liable person, as stated by the law, shall be published as laid down by the laws in force.” (see EC 1 on requirement to perform an audit based on international standards) EC3 The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. Description and Banks are required to prepare financial statements in compliance with IFRS (see EC1), findings re EC3 which sets detailed valuation requirements. The preparation and reliability of financial statements, including valuation practices, are reviewed by external auditors. Valuation practices are also assessed reviewed during NBR on-site inspections. Attention is paid to credit exposures (including reviewing a sample of credit files) and banks are frequently required to adjust their provisioning policies and provisioning levels as a result. Moreover, NBR took many actions starting in 2013 to ensure the independent and prudent valuation of problem assets resulting in increased provisioning efforts by Romanian banks (see CP18 on problem assets). Moreover, the 2013 EU CRR, directly applicable in EU member countries, sets detailed requirements for the prudent valuation of trading book exposures, including having systems and controls sufficient to provide prudent and reliable valuation estimates (see CP 22 on market risk): • “1. All trading book positions shall be subject to the standards for prudent valuation specified in this Article. • 2. Institutions shall establish and maintain systems and controls sufficient to provide prudent and reliable valuation estimates. Those systems and controls 214 ROMANIA shall include at least the following elements: (a) documented policies and procedures for the process of valuation, including clearly defined responsibilities of the various areas involved in the determination of the valuation, sources of market information and review of their appropriateness, guidelines for the use of unobservable inputs reflecting the institution's assumptions of what market participants would use in pricing the position, frequency of independent valuation, timing of closing prices, procedures for adjusting valuations, month end and ad-hoc verification procedures and (b) reporting lines for the department accountable for the valuation process that are clear and independent of the front office. EC4 Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. Description and The Banking Law Article 154 allows NBR to establish the scope of external audits of banks, findings re EC4 for purposes other than the preparation of financial statements. NBR requested in several cases reviews by external auditors based on a methodology it defined (see CP 18 on the impact assessment of the implementation of IFRS 9 with the involvement of external auditors in 2017). The external audit of financial statements is solely based on International auditing standards as implemented in Romania (see EC 1). These include the use of a risk and materiality based approach in planning and performing the external audit. EC5 Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. Description and International auditing standards (referred to in the Audit Directive and transposed in findings re EC5 Romania) cover the items mentioned in this EC. EC6 The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. Description and NBR can reject and rescind the appointment of an external auditor who is deemed to have findings re EC6 inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. • Article 155: “(1) The financial auditors of credit institutions shall be approved by the National Bank of Romania. (2) The National Bank of Romania may reject the appointment of a financial auditor if it considers that the auditor lacks the adequate expertise and/or independence for the fulfilment of its specific tasks or if it is established that the auditor failed to observe the particular requirements of ethical and professional conduct.” • Article 157: “The National Bank of Romania may withdraw the approval granted to a financial auditor when he does not carry out, in an appropriate manner, the 215 ROMANIA duties provided by law or does not observe the particular requirements of ethical and professional conduct.” In practice, NBR approve external auditing firms rather than individuals. Beyond these corrective measures, powers to sanction external auditors rest with the Public Interest Oversight Board for the Accountancy Profession (CSIPPC) and the judiciary (e.g., NBR cannot impose fines or other penalties to external auditors). NBR is a member of the CSIPPC and is represented by the banking supervision department. It is thus well informed of compliance with professional standards. In practice, external auditors of Romanian banks belong to the network of large international auditing firms (Ernst and Young, Price Waterhouse Coopers, Deloitte, KPMG and Mazars), with the only exception of the credit cooperative network. This situation reflects the emphasis placed on expertise and experience as NBR reviews requests to approve banks’ external auditors. EC7 The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. Description and The banking law requires the rotation of external auditors, but does not set a specific time findings re EC7 after which such rotation needs to take place, and allows the rotation of the audit coordinator only, rather than the firm (as NBR approves the firm ); the term “coordinator” is not defined by regulation but has been interpreted by NBR has being the signing partner. Following the introduction of this requirement, NBR wrote to all banks in 2014 to require them to update their policies on external auditors’ rotation and, where necessary, implement such rotation. NBR indicated to the assessors that all banks established in internal regulations the obligation to replace the external auditor or to rotate the signing partner within a period of seven years from the date of designation. Twenty-three banks appointed their external auditor (firm) after 2012 and five small banks in 2001–2008 (as of November 2017). For the latter cases, NBR ensured that the coordinator /signing partner was regularly rotated (in one case for which details were provided to the assessors, the signing partner was rotated in 2016 after a seven-year tenure). EC8 The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. Description and NBR met with all external audit firms on a regular basis (at least annually until 2017 and findings re EC8 quarterly starting with Q1 2017). The information exchanged since 2017 are based on the provisions of the 2016 EBA guidelines on communication between competent authorities supervising credit institutions and the statutory auditor(s) and the audit firms(s) carrying out the statutory audit of credit institutions. For instance, NBR held meetings with the largest auditing firms in 2016 to discuss the implementation and impact if Law 77/2016 on the discharge of debt obligations. 216 ROMANIA Moreover, on a case by case basis, external auditors are invited for discussions to the Supervision Department. These discussions can for instance include a review of provisions on credit exposures at individual and portfolio levels. EC9 The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. Description and The banking law requires external auditors to inform NBR of material issues they identified findings re EC9 during their work, and protects them against legal actions in such cases. Article 156 of the banking law: “ (1) While performing his duties, the financial auditor of a credit institution shall inform the National Bank of Romania as soon as he finds out about any fact or decision concerning the credit institution which is liable to: (a) constitute a material breach of the law and/or regulations or other documents issued for its application, which lay down the conditions for authorization or requirements related to the pursuit of activity; (b) affect the functioning of the credit institution; and (c) lead to the financial auditor’s refusal to express an opinion on the financial statements or to the expression of reservations. (2) At the National Bank of Romania’s request, the financial auditor of the credit institution shall provide any details, specifications, explanations related to the audit performed. […] (4) The fulfilment in good faith by the financial auditor of the obligation to inform the National Bank of Romania, per paragraph. (1–3), shall not constitute a breach of the obligation to keep professional secrecy, which rests with the financial auditor according to the law or the contractual clauses, and shall not involve the financial auditor in liability of any kind.” Additional criteria AC1 The supervisor has the power to access external auditors’ working papers, where necessary. Description and The banking law allows NBR to access “all the documents drawn up by the financial findings re AC1 auditors during the audit” Article 156–5. This provision was never explicitly used. Assessment of Compliant Principle 27 Comments Banks are required to prepare financial statements in compliance with IFRS, as implemented in the EU, and have them certified by an external auditor approved by NBR. Auditors authorized to practice in Romania must meet international standards on audit, as implemented in the EU, and are now subject to independent oversight. Romanian banks have external auditors who belong to the networks of the four biggest global auditing firm and a large French auditing firm (with the only exception of the credit cooperative network). The banking law has since 2014 required banks to design and implement policies on external auditors’ rotation. This rotation can apply to the firm or the signing partner. Most 217 ROMANIA banks rotated the firm. Five small banks appointed their external auditor in 2001–2008 (except the credit cooperative network, all of these auditors belong to the networks of the Big four) and only rotated the signing partner. NBR confirmed that the tenure of these signing partners did not exceed seven years. It could usefully document in an internal methodology criteria used to assess the adequacy of banks’ policies on rotation and set a maximum time limit to guide supervisory assessments. Principle 28 Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. EC1 Laws, regulations or the supervisor require periodic public disclosures 113 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. Description and Both financial and prudential disclosure requirements are largely unified at the EU level: findings re EC1 • Disclosures requirements in Part Eight of CRR on disclosure by institutions (Article 431 and ff) correspond to the Basel II version of Pillar 3 disclosures, as lastly updated in 2011 for disclosures requirements on remuneration, plus some EU specificities (additional information required), for instance regarding Pillar 2 requirements, Countercyclical capital buffer, Asset encumbrance, GSIB, IRB models, Remuneration) and in Articles 89 and 90 CRD for disclosures on tax and return on Assets; • Disclosure requirements within the IFRS accounting standards (mainly IAS 1, IFRS 7, IFRS 10, IFRS 11, IFRS 12, IFRS 13, and IAS 27) endorsed in the EU and Romania (for banks). Disclosure requirements are also in place towards market participants (particularly for listed banks). NBR confirmed that these disclosure requirements were fully applicable for banks incorporated in Romania, including subsidiaries of EU banks. Financial and prudential disclosure is required of all banks in Romania on an annual basis. These requirements can be of regulatory nature (Part Eight of the CRR focuses on information about how banks meet the various regulatory requirements pertaining to capital and capital requirements, risk management, credit risk, market risk, counterparty credit risk, securitization risk, equities risk, interest rate risk, asset encumbrance, leverage, operational risk, remuneration) or of financial nature (IFRS disclosure focus on financial performance and on the risks posed to this performance by financial instruments). The CRR does not yet cover disclosure amendments made by the BCBS since 2015 114. 113 For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor. 114 Key amendments made in 2015 are: (i) the rebalancing the disclosures required quarterly, semi-annually and annually; (ii) streamlining the requirements related to disclosure of credit risk exposures and credit risk mitigation techniques and (ii) clarifying and streamlining the disclosure requirements for securitization exposures. Key (continued) 218 ROMANIA Amendments to the CRR are being prepared at the EU level, and are expected to be ready in 2018 and incorporate the BCBS 2015 amendments. In addition, the EBA issued several guidelines on disclosure including most recently draft guidelines on disclosure requirements on IFRS 9 transitional arrangements (2017), Guidelines on disclosure requirements under Part Eight of the CRR (2016) and Guidelines on liquidity coverage ratio (LCR) disclosure (2017). NBR is reviewing recent EBA disclosure guidelines and planning to introduce them into its regulatory requirements in 2018. Financial disclosures are expected to take place in the financial statements, especially in their notes (see IFRS 7). Specific formats (templates and definitions) have been introduced by the EBA to improve comparability between institutions in some Pillar 3 disclosure areas (e.g., own funds, leverage ratio, expositions used to compute the countercyclical buffer, disclosures of G-SIBs indicators, encumbered and unencumbered assets). IFRS does not require the use of specific format for disclosures (with a few exceptions). As regards the comparability over time, there is no requirement in Pillar 3 disclosures to disclose comparative information except for disclosures related to the value adjustments on IRB exposures and the back-testing of IRB model. The practice of institutions is however to provide comparative information. As for financial statements disclosures, IFRS requires the disclosure of comparative information in respect of the previous period for all amounts reported in the current period’s financial statements. For Pillar 3 information, Article 431 CRR requires Pillar 3 disclosures to be appropriate and timely, in the event the disclosure requirements laid out in the CRR would not be enough to convey their risk profile comprehensively to market participants, institutions shall disclose any supplementary information necessary, to the extent that information is material, not proprietary and not confidential. Guidelines issued in 2014 by the EBA frame the possibilities to avoid disclosing information due to materiality reasons or concerns about their proprietary or confidential nature Pillar 3 information is not required to be audited. Disclosures in accordance with IFRS are to be audited (included Pillar 3 information disclosed in the notes to the financial statements). Article 433 CRR requires disclosure of Pillar 3 information at least on an annual basis, in conjunction with the date of publication of the financial statements, and requires institutions to assess their need to publish some or all disclosures (especially disclosures on own funds, capital requirements, information on risk exposures and other items prone to rapid changes) more frequently than annually based on their relevant characteristics. amendments made in 2017 are: (i) a consolidation of all existing BCBS disclosure requirements into the Pillar 3 framework; (ii) introduction of a "dashboard" of banks' key prudential metrics and new requirement for banks which record prudent valuation adjustments to provide users with a granular breakdown of its calculation; and (iii) updates to reflect ongoing reforms (total loss-absorbing capacity -TLAC- regime for G-SIB and revised market risk framework). 219 ROMANIA Specific requirements apply to branches of third countries (see Article 76 and ff. of the banking law). EC2 The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. Description and Qualitative and quantitative information are required from institutions on the following in findings re EC2 CRR Pillar 3, CRD Articles 89 and 90, IFRS 7 and IAS 1: Statement of financial positions and P&L (IFRS 7.8, .9, .20, .B4), risk management, objective and policies including governance (Article 435 CRR, IFRS 7.33 to .35, .B5, .B6), scope of application (Article 436 CRR), own funds (Article 437 CRR) and capital (IAS 1.134), capital requirements (Article 438 CRR), exposures to counterparty credit risk (Article 439 CRR), exposures entering in the computation of the countercyclical buffer (Article 440 CRR), indicators of global systemic importance (Article 441 CRR), credit risk (Article 442 CRR, Article 444 CRR, Article 452 CRR, Article 453 CRR, IFRS 7.16, .35, .36), market risk (Article 445 CRR, Article 455 CRR, IFRS 7.40 to 42,.B17 to .B28), operational risk (Article 446 CRR, Article 454 CRR), securitization (Article 449 CRR, IFRS 7.42A to 42H, .B29 to .B39, IFRS 12), remuneration (Article 450 CRR), Equities risk (Article 447 CRR), interest rate risk (Article 448 CRR), unencumbered assets (Article 443 CRR, IFRS 7.14, .15 and .42A to 42H, .B29 to .B39, IFRS 12.13 and .22), leverage (Article 451 CRR), liquidity risk (IFRS 7.39, .B10A to B11F), activities, turnover, total employees, profit and loss, tax paid and subsidies received in different jurisdictions and return on assets. Disclosures on exposures and transactions with related parties (IAS 24) and accounting policies (IAS 1.117 to .124, IFRS 7.21) are only required in the financial statements, with the exception of accounting policies for past-due and impaired Article 442a, CRR) and securitization transactions Article 449j, CRR). As regards disclosures in the financial statements, IAS 1.29 requires the separate presentation of each material class of similar items, and of items of a dissimilar nature or function unless they are immaterial. IAS 1.30 clarifies that a line item is not individually material, it is aggregated with other items either in those statements or in the notes, but that an item that is not sufficiently material to warrant separate presentation in those statements may warrant separate presentation in the notes. IFRS 7 leave banks determine the level of aggregation and disaggregation they see fit in the statements and in the notes, stressing the minimum level of aggregation by accounting portfolio and that entity decide in the light of circumstances, how much detail to provides, taking into consideration that a balance must be stroke between overburdening financial statements with excessive detail that may not assist users of financial statements and obscuring important information as a result of too much aggregation. 220 ROMANIA EC3 Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. Description and For supervisory purposes, the scope of consolidation is the prudential scope of findings re EC3 consolidation rather than IFRS consolidation. Accordingly, the group structure in Pillar 3 disclosures relates to the prudential scope of consolidation. CRR requires the disclosure of an outline of the differences in the basis of consolidation for accounting and prudential purposes, with a brief description of the entities therein, explaining whether they are: (i) fully consolidated; (ii) proportionally consolidated; (iii) deducted from own funds; or (iv) neither consolidated nor deducted. Disclosures to be provided in the financial statements (and which therefore follow an accounting scope of consolidation) relate to the name and registered office of subsidiaries, associates, proportionally consolidated entities, indirect subsidiaries, immaterial entities excluded from consolidation and entities for which consolidation would be too onerous, the proportion of capital held in the above-mentioned entities, the proportion of voting rights held in the above-mentioned entities, and the rationale for consolidation of subsidiaries. EC4 The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. Description and NBR verifies that prudential disclosure statements comply with existing requirements as findings re EC4 part of the annual on-site supervisory examinations and off-site supervisory process. It conducts some specific verifications (based on regulatory requirements but without a specific methodology or check list(s)) and reviews on-site controls performed by banks in this area, including findings of the internal audit (there is no specific methodology in this regard either, beyond regulatory requirements and the SREP process). NBR also verifies that fundamental financial disclosure requirements are met. It intervened in 2016 to have one bank publish online its 2015 financial statements in a timely fashion. The detailed external verification of financial disclosure primarily falls within the responsibility of the external auditor. For listed banks (3), the ASF is also expected to review disclosure practices. There are however no particular exchanges or meetings in this regard between NBR and the ASF. EC5 The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). Description and NBR regularly publishes aggregate information on the banking system (including balance findings re EC5 sheet structure, capital ratios, income earning capacity, and risk profiles). This information is both available on the website of NBR and of the EBA. Information as of June 2017 was available at the time of the assessment (which took place in November). There is no single repository in Romania where individual banks’ disclosures could be accessed online (i.e., information needs to be found for each bank separately). 221 ROMANIA Additional criteria AC1 The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period. Description and Disclosures are more often provided using end-of-period values. Nevertheless some findings re AC1 average values or over-the-period values are requested for prudential disclosure (e.g., Article 442 (c), Article 449 (n) (iv) or Article 443 CRR) on median value for disclosure on asset encumbrance) and financial disclosure (e.g., IFRS 7.42 G c), in case the transfer activity qualifying for derecognition was not evenly distributed throughout the reporting period, disclosure is required of when the greatest transfer activity took place within that reporting period, the amount recognized from transfer activity in that part of the reporting period the total amount of proceeds from transfer activity in that part of the reporting period). Assessment of Compliant Principle 28 Financial and prudential disclosure requirements are detailed and largely unified at the EU level. The NBR confirmed that these disclosure requirements were fully applicable for banks incorporated in Romania, including subsidiaries of EU banks. Disclosure requirements apply on an annual basis (unless there are material events) and NBR could usefully consider the opportunity to require, at least for significant banks, more frequent disclosure. The NBR verifies individual disclosure requirements as part of its supervisory process and during regular exchanges with external auditors. The NBR publishes detailed and updated information on banking activity and risks. The NBR could usefully conduct a review of disclosure practices on governance aspects across the banking industry (and formulate recommendations accordingly). Principle 29 Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.115 Essential criteria EC1 Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. 115 The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit, rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 , and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle. 222 ROMANIA Description and The core elements of Romania’s anti-money laundering and countering terrorism findings re EC1 financing (AML/CFT) regime are established in the provisions of specialized laws and regulations aimed at implementing the 40 FATF Recommendations and transposing the requirements of the Third European AML Directive (Directive 2005/60/EU). At the time of this assessment, the main piece of legislation was the Law No. 656 of December 2002 on the prevention and sanctioning of money laundering and on setting up certain measures for the prevention and combating of terrorism financing” as updat ed by law No. 125 of 2017. Further amendments to the AML/CFT legal framework are expected to come into force in December 2017. According to Article 24 paragraph 1a; Article 10b of the AML/CFT Law; Article 17 paragraph 1; and Article 3 of Government Emergency Ordinance No. 202/2008 on the implementation of international sanctions, the NBR is the national competent authority for monitoring conformity with the AML/CFT and international sanctions obligations for all credit institutions operating in Romania, including the branches of foreign banks. The NBR has the following tasks in preventing money laundering and combating terrorism financing: • to supervise the implementation of the relevant legal provisions; • to impose specific measures or sanctions for failure to comply with relevant legislation. The NBR has the following tasks regarding relevant international sanctions applicable in the financial and banking fields: • to oversee the implementation of international sanctions; • to ensure the dissemination of legislation instituting mandatory international sanctions in Romania; • to adopt specific regulations on overseeing the enforcement of international sanctions; • to impose specific measures or sanctions for breach of applicable laws, etc. AML/CFT Law imposes obligations regarding Customer Due Diligence (CDD) and internal safeguard measures. The Banking Laws and Regulations No. 5/2013 on prudential requirements for credit institutions cover not only provisions to prevent money laundering and terrorist financing but also the prevention of other criminal activities that may harm the normal functions of credit institutions. The supervisors determine the adequacy of policies and processes of credit institutions. EC2 The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. Description and According to Article 37 of Banking Law, when assessing the suitability of the CI’s findings re EC2 shareholders/members (and those involved in management of entities in the same group) expected to manage the institution, the NBR will exchange information relevant with other national and international competent authorities for granting this authorization. This information may also be used for the ongoing assessment of the compliance conditions 223 ROMANIA for the pursuit of business. The NBR may also require the Romanian Financial Intelligence Unit (FIU) (the National Office for Prevention and Control of Money Laundering) to submit relevant information regarding the risk of ML/TF related to the assessed persons and entities. Supervisory expectations regarding the existence of policies and processes to guard against criminal activities are contained in the AML/CFT Law and NBR Regulation No. 9/2008, which define, inter alia, the conditions for applying CDD measures in normal, low, and high risk cases. In order to comply with the requirements of Law and subsequent regulations, the credit institutions must have AML/CFT systems in place to prevent the misuse of the institutions for ML/TF activities. The KYC norms implemented by each institution should correspond with the nature, volume, complexity, and area of its activities, adapted to the risk level related to the customer categories the institution provides financial or banking services to, and to the degree of risk related to the products/services offered. Article 5 of NBR Regulation No. 9/2008 describes the essential elements that KYC norms must include to meet the obligations set out in the AML/CFT law. Know-your-customer norms shall be approved by the institution’s management and reviewed when necessary, at minimum once a year. Know-your-customer norms shall be known by the entire staff with responsibilities in the field of know-your-customer for the purpose of money laundering or terrorism financing prevention. Know-your-customer norms shall be submitted to the NBR – Supervision Department within five days of their approval, or modification by the institution’s competent bodies. Verification that banks have adequate policies and processes to prevent misuse for criminal activities is done on-site and off-site by the NBR. The NBR has recently assessed the ML/TF risks of the banking sector, ranked banks according to their ML/TF risks, and established a detailed methodology to ensure a more risk-based approach to its AML/CFT supervisory activities. The inspection objectives regarding compliance of the credit institutions with the provisions of AML/CFT legislation cover a broader range of institutional aspects that may impact the efficiency of the prevention systems. These objectives are structured in order to provide a risk based evaluation of the supervised entities. Data and information is obtained from off-site supervision (based on the regular request of relevant data and information) and on-site supervision (including in prudential supervisory activities). The information collected focuses on the institutions’ understanding of the inherent ML/TF risk factors and the factors that mitigate the risk of ML/TF inherently associated with an assessed entity or cluster. In 2016, 39 inspections were conducted. In addition to the scheduled inspections based on the supervisory program, one narrowly‑targeted thematic inspection was conducted following concerns raised by the public prosecution about possible AML/CFT violations by 224 ROMANIA one credit institution. For noncompliance with AML/CFT (?) requirements, orders were imposed for remedial action plans and letters of recommendation were sent to improve the framework for managing the risk of money laundering and terrorism financing. Thirty-eight sanctions were imposed to 20 institutions for offences committed—19 warnings and 19 fines (the latter totaling RON 335,000). During on-site examinations, special attention was given to the verification of transactions flagged by the anti-money laundering software of credit institutions and not reported to the FIU. Attention was also given to the reasons STRs were not filed and to the degree that transaction reporting was required. Whenever a lack of caution in their analysis was detected, sanctions were imposed and the suspicious transactions were reported to the FIU. The increase in the number of sanctions imposed to financial institutions supervised by the NBR appears to have led to an increase in the number of STRs (from 4.610 in 2015 to 8.555 in 2016116, an increase of 85.57 percent, compare to the increase of 30 percent registered in the previous year). EC3 In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank. 117 Description and According to Article 160 of NBR Regulation No. 5/2013 on prudential requirements for findings re EC3 credit institutions, banks report to the NBR suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank. In this respect, credit institutions must define this materiality threshold within their internal rules. The adequacy of the threshold is examined during on-site examination. According to Article 5 and Article 6 of AML/CFT Law, suspicious transactions report (STRs) are required to be submitted to the FIU by all reporting entities including banks. EC4 If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. Description and According to Article 24 of AML/CFT Law, when the obtained data contains suspicions of findings re EC4 ML, TF, or other infringements of the provisions of the law, the NBR immediately informs the FIU. During on-site examinations, attention was given to the analysis of transactions that were flagged by the anti-money laundering software used by credit institutions and not reported to the FIU. Attention was also given to the reasons STRs were not filed and to the degree to which reporting these transactions was required. 116 FIU’s activity reports: http://www.onpcsb.ro/html/prezentare.php?section=8 117 Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national center, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU. 225 ROMANIA In 2016, six notifications concerning suspicious transactions of money laundering identified by inspection teams were submitted to the FIU and another notification was submitted to the prosecutors with competencies in this field. In the first semester of 2017, the Supervision Department of the NBR notified the FIU seven times regarding suspicious money laundering transactions identified by the inspection teams. In six cases, the prosecutors were notified. EC5 The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage, and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements: (a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; (b) a customer identification, verification and due diligence program on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant; (c) policies and processes to monitor and recognize unusual or potentially suspicious transactions; (d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); (e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and (f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five-year retention period. Description and Supervisory expectations with regard to the existence of policies and processes to guard findings re EC5 against criminal activities are contained in the AML/CFT Law and NBR Regulation No. 9/2008, which define the conditions for applying CDD measures in normal, low, and high-risk cases. To comply with the requirements set out in the AML/CFT law, credit institutions must have KYC Norms in place that according to Article 5 of NBR Regulation No. 9/2008, shall include, at least, the following elements: 226 ROMANIA • a customer acceptance policy, establishing at a minimum the customer categories the institution is addressing to, the gradual procedures of acceptance, and the level of approval for customer acceptance in accordance with the level of risk related to the client category, types of products and services that can be offered to each customer category; • customer identification and ongoing monitoring procedures with a view to classifying customers in the relevant category, respectively for passing through another customer category; • the details of standard, simplified and enhanced CDD measures, for each category of customer and products or transactions subject to each of these types of measures; • procedures for the ongoing monitoring of operations performed by the customers for the purpose of unusual and suspect transactions detection; • procedures for conducting the transactions and relation with customers in and/or from the jurisdictions that do not impose the enforcement of CDD, etc.; • adequate record-keeping procedures and access to these records; • procedures and control systems of the KYC program’s implementation and their efficiency assessment, including through the external audit; • standards for the employment and training programs of the staff in the KYC field; • reporting procedures, internal and to competent authorities. • KYC norms should be approved by the institution’s management and reviewed whenever necessary, at least annually. KYC norms should be known by the entire staff with responsibilities in the field of KYC for the purpose of ML/TF prevention. KYC norms should be submitted to the NBR – Supervision Department within 5 days of their approval, or modification by the institution’s competent bodies. The requirements for customer and beneficial owner identification and verification are laid out in the AML/CFT Law, NBR Regulation No. 9/2008 and Government Decision No. 594/2008. Based on a sample of customers, the NBR checks on-site the manner in which credit institutions apply the CDD requirements, and update customer data and information as set out in the applicable legislation or internal procedures. Internal norms are analyzed to ensure compliance with the applicable legislation. If the internal norms of credit institutions do not provide regular updates of customers' data, differentiated by risk level, the NBR compels the credit institutions to introduce such provisions within their internal procedures through issuance of a letter of recommendation or imposing measures. Article 18 of AML/CFT Law requires credit institutions to apply enhanced CDD, in addition to the standard CDD, in all situations that can present a higher risk of ML/TF. Pursuant to Article 18 paragraph (2), enhanced CDD measures are mandatory in at least three situations: • for the persons who are not physically present when the transactions are carried out; 227 ROMANIA • for correspondent banking relationships with credit institutions from states which are not Member States of the European Union or of the European Economic Area; • for transactions or business relationships with politically exposed persons, who are residents of another Member State of the European Union or of the European Economic Area or of a third country. Article 16 of NBR Regulation No. 9/2008 stipulates that for customers and transactions with potentially higher risk, credit institutions must establish, in addition to the standard CDD measures, extra CDD, which should include, inter alia: • approving at a higher level of authority the initiation or continuation of the business relationship with such customers and/or for performing those transactions. • approving at a higher level of authority the transactions exceeding a certain predetermined value level when requesting that the first transaction be carried out through an account opened with a credit institution. • Taking reasonable measures to establish the source wealth. • Conducting enhanced monitoring of the business relationship. Article 3 of the Law No. 656 defines PEPs as “individuals who or have worked with important public functions, their families and persons publicly known to be close associates of individuals acting in important public functions.” With respect to former PEPs, the anti-money laundering regulations clarifies that should be considered as PEPs those individuals who were entrusted with prominent functions” at any time in the preceding year.” Article 3 paragraph 2 and 3 of the AML/CFT law provides a list of functions considered prominent (e.g., Heads of State or of Government, members of parliament, members of the administrative, supervisory and management bodies of state-owned enterprises, etc). The definition and listing in the law are sufficiently broad to cover all categories of PEPs included in the AML/CFT standard (domestic, foreign and international organization PEPs). Domestic PEPs, while not explicitly mentioned, are subject to enhanced due diligence if they present a higher ML/TF risk, in application of Article 18 paragraph 2 of the AML/CFT law. In addition, foreign PEPs residing in Romania are not subject to enhanced due diligence. According to Article 19 of AML/CFT Law, the credit institutions must identify the customer and keep a copy of the proof of identity or identity references for a period of at least five years starting from the termination date of the business relationship with the customer. Article 17 of the AML/CFT law imposes simplified CDD measures in some instances without requiring that there be a proven low risk (e.g., for transactions in electronic money, and when a customer is a credit or financial institution from a Member state of the EU). There type of measures that banks may forgo in these instances is not clear. Verification that banks have adequate policies and processes to prevent them from being used for criminal activities is done in accordance with the supervisory objectives set forth within the supervisory methodology and approved by the Supervisory Committee. 228 ROMANIA The inspection objectives regarding compliance of the institutions supervised by NBR with the provisions of AML/CFT legislation were amended in January 2017 and cover a broader range of institutional aspects that may impact the efficiency of the prevention systems. EC6 The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include: (a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and (b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks. Description and Pursuant to the AML/CFT law, the application of the enhanced CDD measures is findings re EC6 mandatory in the case of correspondent relations with credit institutions within third countries (i.e., countries outside the EU and the European Economic Area). In this case, according to Article 12 paragraph 3 of Government Decision No. 594/2008, credit institutions shall apply the following measures: • gather sufficient information about the credit institution from a third country for fully understanding the nature of its activity and for establishing, based on the publicly available information, its reputation and the quality of supervision; • asses the control mechanisms implemented by the credit institution from a third country in order to prevent and combat money laundering and terrorism financing; • obtain approval from executive management before establishing a new correspondent relation; • establish based on documents the liability of each of the two credit institutions; • in case of correspondent account directly accessible for the clients of credit institution from third country, it shall ensure that this institution has applied standard customer due diligence measures for all the clients who has access to these accounts and that it is able to provide, upon request, information on the clients, data obtained following the enforcement of the respective measures. The law does not require similar measures in the context of intra-EU correspondent banking relationships. Article 12 of AML/CFT Law prohibits banks from entering into or continuing correspondent banking relationships with shell banks. Per Law, a shell bank is a credit institution, or an institution engaged in equivalent activities, incorporated in a jurisdiction in which it has no physical presence, that the leadership and management activity and institution’s records are not in that jurisdiction, and is unaffiliated with a regulated financial group. No reference it made to licensing and the type of supervision that this financial group should be subject to. These aspects are examined during on-site examination. 229 ROMANIA EC7 The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. Description and Article 37 of Directive (EC) 2005/60 (3AMLD), respectively Article 48 of Directive (EU) findings re EC7 2015/849 (4AMLD), requires supervisors to monitor banks’ compliance with all of the Directive’s requirements, which include measures to prevent and detect money laundering and terrorist financing and to report suspicious transactions. Pursuant to Article 5 of the AML/CFT Law, as soon as a natural person, in the course of his/her activity for a credit institution has a suspicion that a transaction to be carried out is intended for ML or TF, they shall report to the person designated under Article 20 (1), who in turn shall immediately notify the FIU. The designated person shall examine the information received and shall report to the FIU the suspicions based on reasonable grounds. According to Article 20 of AML/CFT Law, banks must appoint one or more persons responsible for the implementation of this law, whose names are communicated to the FIU. Together with the nature and extent of their responsibilities, the person(s) establish appropriate policies and procedures on customer due diligence, reporting, record-keeping of secondary or operative evidence, internal control, risk assessment and management, compliance management and communication to prevent and hinder suspected money laundering or terrorist financing operations, and to ensure the proper training of the employees. When evaluating the existence of a robust internal control framework for AML/CFT activities (ML/FT risk management, effectiveness of compliance and internal audit functions), the inspection teams check whether: • the internal control framework adequately covers the KYC/AML/CFT activities and the application of international sanctions • the banks establish and apply adequate internal control procedures • an appropriate framework for ML/FT risks management, respectively for their identification, evaluation, reporting, monitoring and diminution is in place. EC8 The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. Description and The NBR is legally empowered to take action against banks for failure to comply with their findings re EC8 AML/CFT obligations. The NBR applies the amount of fines imposed by law and the complementary contravention sanctions as provided by Article 28 of AML/CFT Law and Article 26 of Government Emergency Ordinance No. 202/2008. It may also apply specific sanction measures, according to their competencies. In 2016, for the noncompliance with legal provisions governing the prevention and sanctioning of ML/TF, orders were imposed for remedial action plans and letters of recommendation were sent to improve the framework for managing the risk of money laundering and terrorist financing; 38 sanctions for offences committed and applied to 20 institutions—19 warnings and 19 fines (the latter totaling RON 335,000). In the first semester of 2017, 52 sanctions —32 warnings and 20 fines (the latter totaling RON 435,000), were applied to 24 institutions. 230 ROMANIA EC9 The supervisor determines that banks have: (a) requirements for internal audit and/or external experts118 to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; (b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; (c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and (d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities. Description and The credit institutions must have in place internal know-your-customer norms, which findings re EC9 according to Article 5 of NBR Regulation No. 9/2008, shall include, inter alia, the following elements: • procedures and control systems of the know-your-customer program’s implementation and of their efficiency assessment, including through the external audit; • standards for the employment and training programs of the staff in the KYC field. The Banking Law compels banks to have robust governance arrangements and internal control mechanisms shall provide at least the organizing of the risk management tasks, and compliance with conformity and internal audit. External auditors also cover the quality of internal controls in banks as part of their mandate. The NBR has access to all the documents drawn up by the financial auditors during the audit. According to Article 20 of AML/CFT Law No. 656/20012, banks shall appoint one or more persons responsible for the implementation of this law (See EC7). Credit institutions shall appoint a compliance officer subordinate to the executive management, who shall coordinate the implementation of internal policies and procedures for the application of this law. The persons appointed are responsible for carrying out the tasks established for the implementation of this law and shall have direct and timely access to the relevant data and information necessary to fulfil the obligations provided by the law. When assessing the adequacy of the human resources involved in AML/CFT activities, the inspection teams check if: • The staff involved in the AML/CFT activity and the enforcement of international sanctions has the qualifications and experience required to adequately fulfill the assigned responsibilities; 118 These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 231 ROMANIA • The bank implements a continuous, active training of the personnel involved in the AML/CFT activity through participation in training, projects and other activities in order to improve the bank's AML/CFT function, as well as how the bank tests the degree of acquiring knowledge, etc. These aspects are checked and evaluated during on-site inspections, while the follow-up of the remedial measures assumed by banks are monitored off-site. According to Article 24 of the NBR Regulation No. 9/2008, the institutions are required to impose high standards for the employment of the staff, inclusively regarding the reputation and integrity; also the institutions must verify the information supplied by the candidates. The NBR Regulation No. 5/2013 compels banks to establish technical and professional requirements for key positions, including for outsourcing relationships and to provide adequate training to their staff. Information about training activities (including training materials, program participants, and evaluations) are kept in the banks and submitted to the supervisory authority upon request. EC10 The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. Description and According to Article 5 of NBR Regulation No. 9/2008, KYC norms shall include reporting findings re EC10 procedures made internally and to the competent authorities regarding suspicious activities and transactions. KYC norms shall be approved by the institution’s management and shall be reviewed whenever necessary, at least annually. KYC norms shall be known by the entire staff with responsibilities in the field of know-your-customer for the purpose of money laundering or terrorism financing prevention. As mentioned under EC 7, banks must report suspicious transactions to the FIU and designate a reporting officer. During on-site visits, the inspection teams analyze the information flow related to AML/CFT activities and the enforcement of international sanctions, such as: • the drafting and submission of reports and briefings on the AML/CFT activity and enforcement of international sanctions to the management body, but also to the structures with responsibilities on the respective line of activity • the implementation of information and reporting channels both for information on developments and situations at the level of the credit institution, as well as for anticipatory purposes, in order to prevent the occurrence of potential risks • the Compliance Directorate must have direct reporting lines to the management body. 232 ROMANIA In particular, according to Article 27 of NBR Regulation No. 5/2013, the management body shall ensure that the credit institution has adequate internal alert procedures for the staff to communicate its concerns about the activity management framework. Credit institutions shall have in place appropriate internal alert procedures that can be used by staff to draw attention to legitimate concerns and of the substance concerns about governance issues. Also, Article 35 paragraph (5) of NBR Regulation No. 5/2013 stipulates that the control functions shall regularly report to the management body on the major deficiencies identified. These reports should include follow-up measures for previous findings and for any identified major deficiencies, the relevant risks involved, an impact assessment, and recommendations. The management body must act on the findings of the control functions on time and in an effective manner and should seek appropriate remedial action. EC11 Laws provide that a member of a bank’s staff who reports s uspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. Description and Article 9 of the AML/CFT Law provides that the application in good faith, by natural and/or findings re EC11 legal persons, of the provisions of Article 5–7 on reporting suspicious activity internally or directly to the relevant authorities, cannot give rise to their disciplinary, civil or criminal liability. EC12 The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. Description and According to Article 8 paragraph (8) of AML/CFT Law, the FIU shall provide the NBR with findings re EC12 information on the suspicious transactions and the typologies of ML/TF. Similarly, according to Article 24 paragraph (2), when the obtained data contains suspicions of ML, TF, or of other infringements of the provisions of the law, the NBR immediately informs the FIU (see also EC 4). Further, the NBR sends a representative to participate in the Interinstitutional Council meetings which were established in compliance with Article 13 of Government Emergency Ordinance No. 202/2008 for providing the general cooperation framework for the application of international sanctions, ensured the documentation and expertise in the financial and banking area. Based on the mandate granted by the NBR Board, the dedicated department ensured cooperation with: (i) the supervisory authorities, the FIU, and the Financial Supervisory Authority, for the enforcement of regulations on preventing ML and TF, for providing information on a mutual basis while observing the professional secrecy requirements stipulated by law and (ii) the other national and international authorities tasked with the application of international sanctions, in compliance with the provisions of the legal cooperation framework. Cross-border supervision activity includes colleges, joint visits and other information requests. On request and according to the law and protocols, the central bank will provide relevant information under cooperation agreements between the competent authorities. 233 ROMANIA Following the supervision of the branches of credit institutions from Member States, the NBR informs the competent authorities on the main deficiencies identified in the AML / CFT activity of the branch. The NBR has signed bilateral and multilateral Memorandums of understanding and Cooperation agreements concerning the cooperation in the field of supervision (please see the link http://www.bnr.ro/Participation-in-the-European-cooperation-structures- 3414.aspx). EC13 Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. Description and The NBR has in-house resources with specialists for addressing criminal activities. In order findings re EC13 to ensure human resources are in line with the increasing demand in this area, there is a specialized division for AML/CFT supervision within the Supervision Department with on-site and off-site supervision teams of around twenty staff members. The authorities mentioned that the number of staff is the process of being increased. The AML/CFT division provides the credit institutions with the guidelines, best practices, statements, briefings, etc. adopted by the international standard setting bodies and organizations for AML/CFT and for the freezing of funds and economic resources. As such, the NBR promptly informs the credit institutions about: (i) The adoption, amendment or supplementation of the sanctions to be applied in the financial and banking field; (ii) The adoption/update of guidelines and good practices in the field and (iii) The risk of money laundering and/or terrorist financing considering the vulnerabilities identified by the FATF, in order to take appropriate measures. Furthermore, as part of ongoing communication with the supervised institutions in 2016, the NBR provided the banking sector with the following materials: • EU Good practices for the effective implementation of restrictive measures adopted by the EU Council nr.7383/1/15, REV 1; • Guide on methods financing the Islamic State of Iraq and Levant (ISIL) and high- risk transactions associated with them, developed by Egmont (confidential); • FATF Public Statements, etc. Also, the NBR confidentially provided the credit institution information on relevant risk indicators for detecting TF (especially regarding the economic profile and behavior of the customer that can be detected/verified during the course of business —i.e., changes in the source of funds and expenses) and requiring the supervised institution to take adequate measures and to report them to the central bank. Assessment of Large Compliant Principle 29 Comments In recent years, the AML/CFT Supervision was strengthened particularly to be in line with the changes imposed by the new European regulatory framework Directive (EU) 2015/849 that provided a number of requirements on risk-based supervision. The NBR is in the early 234 ROMANIA stages of implementing a risk-based approach to AML/CFT supervision. A new enhanced AML/CFT law will be enforced in February 2018. Verification that banks have adequate policies and processes to prevent them from being used for criminal activities is done on-site and off-site by the NBR. In 2016, 39 inspections were conducted. In addition to the scheduled inspections based on supervisory program, one narrowly‑targeted thematic inspection was also conducted to follow-up on concerns expressed by the public prosecution. Since then, the NBR has assessed the ML/TF risks that banks in Romania face, ranked banks according to the identified risks, and established a detailed methodology for a risk-based approach to its AML/CFT supervisory activities. For noncompliance with provisions, orders were imposed for remedial action plans. 38 sanctions were applied to 20 institutions for offences committed—19 warnings and 19 fines (the latter totaling RON 335,000) However, assessors noted a few shortcomings: Under Romanian law, only correspondent banking relationships with banks outside the EU are subject to enhanced due diligence measures. Under the FATF standard, however, enhanced due diligence should be implemented with respect to all correspondent banking relationships, and no exception is currently made for intra EU correspondent banking relationships.119 The requirements with respect to foreign politically-exposed persons are based on residence rather than the country where the person exercises or has exercised his or her functions. Simplified due diligence is imposed in specific circumstances without a sound assessment that would have established that these circumstances present low ML/TF risks. The authorities should consider following activities: • Continue implementing a risk-based approach to AML/CFT supervision • Ensure that simplified due diligence is authorized only in instances of proven low ML/TF risks. • Ensure that banks are required to implement CDD measures with respect to foreign politically exposed persons in line with FATF Recommendation 12. • Ensure that the requirements related to correspondent banking relationships also apply to intra-EU correspondent banking relationships. 119 The NBR mentions that the Romanian approach to correspondent banking relationships and simplified due diligence is due to the regime accepted and applicable at EU level and derives from EU Directives. 235 ROMANIA SUMMARY COMPLIANCE OF BASE CORE PRINCIPLES Core Principle Grade Comments 1. Responsibilities, C Banking supervision in Romania falls exclusively within the responsibility objectives and of the central bank. Laws and regulations are regularly updated powers 2. Independence, MNC The NBR, as a supervisory authority, possesses stable governance accountability, arrangements and effective operational independence. The NBR resourcing and dedicates large resources to supervision, in terms of staff, equipment and legal protection for other variable costs. The NBR adopted detailed arrangements to prevent supervisors and manage conflicts of interests at all levels. However, the fit and proper criteria the standing committees of Parliament responsible for the appointment of Board members expect applicants to meet are unknown, the Minister of Public Finance (and its State Secretary) is allowed by law to attend NBR Board meetings (which could compromise its independence), the NBR as an institution is not protected against lawsuits for actions taken and/or omissions made while discharging its duties in good faith, the reason(s) for removal of a Board member do not have to be disclosed and there is no post-employment or cooling-off period framework covering situations where a staff or Board member intends to take (or takes) a position in a bank supervised by the NBR. 3. Cooperation and LC Arrangements are in place to facilitate and ensure cooperation with collaboration relevant domestic and foreign authorities. Cooperation among domestic authorities is organized, including with the ASF which regulates insurance, pension and capital market activities, and cooperation with EU authorities is intense. There are no regular meetings between the NBR and ASF to discuss the situation and risk profiles of individual institutions and groups active in banking and other sector(s) supervised by the ASF and the issues of common interests, and coordinate (or agree on joint) supervisory actions. 4. Permissible C Only licensed credit institutions can provide banking services. activities 5. Licensing criteria C The NBR has exclusive competence for granting and withdrawing the license of banks incorporated in Romania and branches of banks located outside the EU. The NBR last licensed a bank in 2009. The licensing framework defines clear criteria for licensing. The ownership structure of locally incorporated banks and branches of EU banks is transparent. 236 ROMANIA Core Principle Grade Comments 6. Transfer of LC The NBR implements a rigorous definition of transfer of significant significant ownership, in line with the provisions of CRD IV, as well as requirements ownership on the transparency of bank ownership. This largely, but may not fully, cover the transfer of beneficial ownership. While banks keep close contacts with the NBR, there is no specific requirement that banks notify the NBR as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. 7. Major C The NBR has a detailed framework to review major acquisitions. As acquisitions part of the consolidation of the Romanian banking system, the NBR reviewed and approved four requests for acquisitions in the past five years (all related to mergers between banks licensed in Romania). 8. Supervisory LC The Romanian regulatory framework has implemented the provisions of approach the CRR, CRD IV and BRRD (resolvability assessment). As of January 2016, the NBR Board approved the implementation of EBA SREP Guidelines into national supervisory practices. Nevertheless, the new EBA SREP methodology is still in the early stage of implementation. • There is no systematic process with securities and insurance supervisors (ASF) before on-site examinations of banking groups to discuss a common view of risks in the particular banking group supervised, supervisory approaches, and potential concerns on the banking group or subsidiaries. • The off-site monitoring tools do not seem to have embedded a forward-looking view of a bank’s risk profile. • More risk-focused, banking industry-wide thematic analyses triggered by detected trends or recent events, and thematic examinations across systems seem to be limited. 9. Supervisory LC The SREP is a core supervisory tool of banking supervision in Romania. It techniques and deploys a good mix of onsite and offsite supervisory tools and tools techniques. The NBR has broad information collecting power by legislation; in particular, the Central Credit Register allows supervisors to access high-granularity data. Nevertheless, the process of ensuring consistency and accuracy of scoring, findings and supervisory measures across different banks is weak. • During SREP, there is no structured/independent review to ensure consistency and accuracy on scoring, findings, and measures of the supervisory report. Considering the recent adoption of the EBA SREP methodology in Romania, the quality assurance procedure is critical. • With regard to the off-site supervision, a significant part of this off- site function includes the approval/rejection of requests concerning amendments in a bank’s situation (including approvals of middle managers of each bank). Tis responsibility, despite positive benefits, could limit to a certain extent, the ability of the NBR to maintain a 237 ROMANIA Core Principle Grade Comments thorough and deeper analysis of the risks that banks, banking groups, and the banking industry are facing. • There is no systematic process of regular meeting with nonexecutive/ independent members after on-site examination to discuss findings and the remedial actions (See CP14). 10. Supervisory LC The Romanian banking system has been required to report financial reporting information based on IFRS at consolidated level since 2006 and at individual level since January 2012. The supervisory reporting/ validation rules and templates are mainly governed by a harmonized EU reporting framework. In case of solo FINREP, as required by national legislation, the reporting templates are consistent with those at EU reporting requirements. The following shortcomings still remain: • There are no explicit guidelines/criteria for hiring third parties who conduct supervisory tasks to assess the quality of the work performed by those experts, or obligating them to report to the NBR promptly any material shortcomings identified. • There is no explicit/regular evaluation process in place to periodically review the information collected to determine that it satisfies a supervisory need, particularly in the case of additional prudential returns (except the ones collected according to the common European reporting framework). 11. Corrective LC The NBR has a range of supervisory, sanction measures, and actions and administrative penalties available for use when, in the supervisor’s sanctioning powers judgment, a bank is not complying with laws, regulations, or supervisory of supervisors actions. In practice, corrective actions and sanctioning powers are exercised in a forceful manner and a broad range of measures have been applied to banks, management, the Board, and/or individuals. Regarding the internal process of measures and sanctions, there is an insufficient amount of mandatory review and analysis processes for ensuring consistency, accuracy, and justification of inspection outcomes and supervisory/sanction measures across the banking system. • There is no consistent internal independent review process present to ascertain that the degree/type of measures or the corrective actions are adequate according to the law and regulations and consistent across the banking system.120 • With respect to supervisory follow-ups, the time frame described in the internal rules of the NBR is not always kept. Assessors note that the process of supervisory reports and written orders were in many cases delayed. Assessors were informed that wrap-up meetings after on-site inspection were not held in an official manner. This practice 120 Approximately 45 cases were submitted to the board within a five-year period with 18 cases being contested in court. Some of the issues were about clarification of findings. 238 ROMANIA Core Principle Grade Comments would hinder banks from implementing supervisory measures in a prompt manner. Moreover, the overall follow-up procedures are set by the internal rules in the NBR, not by laws or regulations. • Among the measures required by the EC4, the NBR, as a competent authority, does not have the explicit power to facilitate a takeover by or merger with a healthier institution per Banking Law. • There is no systematic or regular process informing the supervisor of nonbank related financial entities (including ASF), of the NBR’s actions, and there is no process to coordinate its action with them. 12. Consolidated LC In Romania, the majority of the credit institutions are subsidiaries of supervision European banking groups. Consolidated supervision of the whole group is performed by ECB or respective authorities while the NBR is responsible for the supervision of the Romanian subsidiary at individual and sub-consolidated levels. The NBR conducts SREP assessments on a consolidated basis. • However, there seems to be limited systematic procedures in place for overall monitoring and assessment of contagion and reputation risks that may jeopardize the safety and soundness of the bank and the banking system. • As off-site activities of consolidated supervision, the quarterly key risk indicators are mainly monitored on a solo basis rather than both solo and consolidated basis. • In terms of fit and proper standards on the owners and senior management of parent corporates, the formal fit and proper reviews are conducted in the stage of acquisition or granting licenses, and not conducted on a regular basis. 13. Home-host C The NBR is only a host supervisor. It is a member of 15 EU colleges of relationships supervisors, which allow for effective exchanges of information and unified supervisory actions (including joint decisions). Close coordination is also in place for crisis management and resolution, at the domestic level with the resolution arm of the NBR and, for large banks active in Romania, within EU supervisory and resolution colleges. All Romanian banks prepared recovery plans starting in 2016; resolution plans were also prepared for almost all of these institutions (and their groups where applicable). 14. Corporate LC Corporate governance requirements were strengthened at the EU level governance and transposed in Romania starting in 2013. Both regulations and the supervisory process appropriately make the management body responsible for ensuring banks operate in a safe and sound manner. The NBR conducts a thorough review process, including challenging interviews, before approving members of the management body, and during the on-site full-scope examinations. 239 ROMANIA Core Principle Grade Comments The NBR only requires subsidiaries to have an “adequate” number of independent members of the management body. Banks usually only have 1 or 2 independent member(s), which insufficient to foster challenging other executive and nonexecutive members and, where appropriate, lead the work of specialized committees (only the audit committees currently has to be chaired by an independent member). Although the NBR places a lot of responsibilities on the management body, it does not yet meet on a regular basis with its non-executive and independent members (neither as part of the off-site process nor during on-site examinations) (See CP9). Moreover, the NBR only sends letters detailing serious shortcomings or transmitting on-site reports to senior management, rather than to the management body in its supervisory capacity. Regulations do not include (i) an explicit provision for banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management and (ii) requirements regarding the nomination and appointment of Board members across the banking group. The NBR has not yet performed qualitative analyses on corporate governance arrangements and practices at the industry level (to complement individual work and SREP analyses). 15. Risk LC Regulations set detailed and demanding risk management requirements management for banks. Discussions with the NBR confirmed the importance placed on process risk management during on-site inspections. The NBR has not yet developed an internal methodology to guide the review of risk management aspects, in addition to the SREP guideline. Explicit requirements would usefully complement existing supervisory practices on the following aspects: (i) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; (ii) the banks’ Boards and senior management understand the risks inherent in major management initiatives (such as changes in systems, processes, business model and major acquisitions); and (iii) uncertainties attached to risk measurement need to be recognized. 16. Capital LC Romania is subject to EU common regulatory framework, and applies the adequacy CRR and CRD IV. Two banks have been approved to use advanced approach to calculate credit risk regulatory capital and three banks for operational risks. Although the number of banks applying the advanced approach is small, those banks using the approach are large banks with a 240 ROMANIA Core Principle Grade Comments considerable percentage based total own funds requirement (credit risk: 17 percent, operational risk: 38 percent). • In this CP, it is noteworthy that in December 2014, the RCAP assessment team of the Basel Committee reviewed EU-wide capital framework and concluded that certain features deviated from Basel standards. • There is no dedicated team or unit within the Supervision Department responsible for evaluating, approving, reviewing and overseeing banks’ internal models. 17. Credit risk C Key regulatory requirements regarding credit risk management exist and were significantly strengthened based on new EU requirements and the Romanian experience with problem assets. The NBR implemented a thorough supervisory process, with an emphasis on credit risk. It regularly requires corrective actions or takes sanctions where appropriate. For subsidiaries of EU banking groups, as well as for the main branch of an EU banking group, credit risk management is addressed by supervisory colleges. 18. Problem assets, C Nonperforming exposures (NPE) increased rapidly and dramatically after provisions, and 2007 with a peak at 2013, but declined to 6.4 percent in December 2017. reserves The NBR was instrumental in promoting this rapid reduction through many initiatives designed to ensure the timely recognition and realistic provisioning of NPEs (e.g., interim June audits, independent collateral revaluations, full provisioning of high risk exposures, write-offs etc.). The NBR continues to closely monitor NPEs, thanks to detailed and regular reporting. Requirements regarding the frameworks to address problem loans exist and their implementation is closely monitored. NBR intends to amend existing requirements to incorporate key elements of the EBA 2017 guidelines on credit risk management practices and accounting for expected credit losses. 19. Concentration LC The NBR applies EU-wide large exposure regime and the banks’ risk and large concentration risk management is assessed in the context of SREP exposure limits assessment. The CRR allows that competent authorities may set a lower limit than EUR 150 million as an absolute limit, but the NBR has not exercised this option. As a result, as of June 2017, around 29 percent of Romanian banks apply the large exposure limit of EUR 150 million (i.e., 100 percent of capital limit) instead of 25 percent of capital. Assessors note that some credit institutions have exposures to a group entity of around 80–90 percent of capital at a point of time. Although banks’ internal limits are reviewed during on-site, it is not entirely clear how and in what procedure the NBR determines that the internal limit set by each institution and the relevant transactions are appropriate. 241 ROMANIA Core Principle Grade Comments Also, there is no explicit requirement in the regulation that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. 20. Transactions MNC The current regulation on RP transactions does not meet important ECs with related parties under this CP. • The definition of affiliated parties is not comprehensive enough to meet the requirements in this CP. The current definition fails to capture any person in a key position or a major individual shareholder of other group entities within a banking group including the parent bank/company itself; the definition of affiliated parties also does not explicitly include “special purpose entities.” • In terms of identification of related parties, the authorities mention that the NBR, in practice, may exercise discretion in applying the definition on a case by case basis. Nevertheless, there is no explicit presumption power of the NBR in the regulation. • There is no explicit provision that requires that the “write-off” of RP exposures exceeding specified amounts is subject to prior approval by the board. • The information on -RP transactions collected is not sufficiently granular to capture the exact characteristic during off-site supervision. • Overall RP regulation only describes high level principle, does not give clear guidance to banks, and lacks sufficient substance. 21. Country and MNC The NBR will check the country/transfer risk policies and processes transfer risks implemented by banks if the country and transfer risks are significant for a bank or banking group. However, the NBR regulation for country risk/ transfer risk management are not sufficiently comprehensive to meet the ECs in this CP. • Regulation includes only high level principles similar to this BCP text. The NBR does not give any further/specific guidance to banks through regulation or documented instruction. There is no on-site inspection manual in this regard, so it is difficult to ensure what and how supervisors should examine during on-site inspections. For example, the regulation is silent in the essential areas to be developed by banks and examined by supervisors to manage country and transfer risks (e.g., procedures for dealing with country risk such as contingency plans or exit strategies in times of crisis, oversight mechanism, a periodic review requirement by the board). • There are no specific regulatory provisioning standards for country risk and transfer risk in Romania. • There are no specific stipulations in the regulation that banks include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. 242 ROMANIA Core Principle Grade Comments • Although FINREP/COREP reporting contains geographical breakdown information, the necessary information for country risk management, such as risk classification or (internal/external) country rating, is not included in the reporting. It is not clear how supervisors perform a banking group-wide country risk analysis across each entity to form a comprehensive view of country risk. 22. Market risk C In the Romanian banking system, the level of the market risk is low for most of the Romanian credit institutions that do not have complex instruments that may expose the bank to significant risk. As of June 2017, RWAs for market risk were around three percent of total RWAs. No banks are using the advanced approach for computing market risk capital charge. CRR and EBA SREP guidelines are stipulated in a comprehensive way and the NBR conducts on-site inspection on all credit institutions annually. However, there is no market risk specialist in the supervision department; one should be assigned to build up expertise in this area. 23. Interest rate risk LC The NBR assesses the IRRBB risk management, risk profile, appetite, in the banking tolerance and the stress tests made by the credit institutions during book yearly on-site examination. Following points are worthy to mention: • The Basel Committee published a new guideline on standards for IRRBB in April 2016, but the NBR has not yet updated the IRRBB rules, since the updating process is based on the EU-wide regulatory amendment process. • There is no explicit provision that requires “independent” validation of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions). 24. Liquidity risk C Banks are required to have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements, including regular stress testing and contingency funding plans. The NBR conducts on-site inspection annually and off-site quarterly for all banks. The EU-wide requirement follows the LCR set by the BCBS broadly, but with some divergences that could result in improved ratios. However, the impact is not significant in Romanian context (i.e.,: no covered bonds holdings, conservative eligibility criteria regarding certain HQLA level 1 asset, and high level of average LCR ratio in the banking industry, etc.) 25. Operational risk LC In Romania, three banks have been allowed to use AMA, two are using SA, and the rest use BIA to calculate operational risk regulatory capital. As of June 2017, RWAs for operational risk have been around 15 percent of total RWAs. • A comprehensive guideline on cyber security and information technology for banks has not been implemented yet. • Regarding IT resources, the Supervisory Department has one IT systems specialist but does not have a dedicated unit. 243 ROMANIA Core Principle Grade Comments • With respect to operational risk reporting, the scope of reporting is not sufficiently broad as this EC require. There is no template/framework specifying the minimum elements the bank should report to the NBR, and the timing is also unclear. 26. Internal control LC The NBR regularly assesses for each bank incorporated in Romania and audit compliance with its detailed requirements on internal control and audit. Beyond regulatory and SREP requirements (which cover essential topics but with limited details), there is no internal methodology to guide on- site inspections on internal control and audit (detailed scope, criteria to assess specific areas, group approaches etc.) and ensure these aspects are reviewed in a comprehensive and consistent manner. Banks are not specifically required to ensure that the internal audit is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes . Industry level analyses are not conducted on internal control and audit. 27. Financial C Banks are required to prepare financial statements in compliance with reporting and IFRS and have them certified by an external auditor which complies external audit international standards on audit and is approved by the NBR. Banks’ external auditors belong to the networks of the four big global audit firms and a large French audit firm (with the exception of the credit cooperative network); Rotation requirements are implemented since 2014, either for the firm or the signing partner. All banks adopted specific policies and most rotated the firm. Five small banks appointed their external auditor in 2001–2008 and only rotated the signing partner. The NBR confirmed that the tenure of these signing partners did not exceed seven years. There is no internal methodology defining criteria used by the NBR to assess the adequacy of banks’ policies on rotation and the NBR has not set an explicit maximum time limit to guide supervisory assessments 28. Disclosure and C Financial and prudential disclosure requirements applied to banks are transparency detailed and largely unified at the EU level. The NBR verifies individual disclosure requirements and published detailed and updated information on banking activity and risks. 29. Abuse of LC In recent years, the AML/CFT Supervision was strengthened particularly to financial services be in line with the changes imposed by the new European regulatory framework Directive (EU) 2015/849 that provided a number of requirements on risk-based supervision. In 2016, 39 inspections were conducted, and one narrowly‑targeted thematic inspection was also conducted. However, assessors noted following shortcomings: • Under Romanian law, only correspondent banking relationships with banks outside the EU are subject to enhanced due diligence (EDD) measures. Under the FATF standard, however, EDD should be implemented with respect to all correspondent banking relationships, 244 ROMANIA Core Principle Grade Comments and no exception is currently made for intra EU correspondent banking relationships. • Simplified due diligence is imposed in specific circumstances without a sound assessment that would have established that these circumstances present low ML/TF risks. RECOMMEDED ACTIONS AND AUTHORITIES' COMMENTS A. Recommended Actions Core Principle Recommendation 2. Independence, • Revise the central bank statute to remove the possibility that the Minister accountability, of Public Finance (and its Secretary of State) participate in NBR Board resourcing and legal meetings. protection for • Introduce a legal provision protecting the NBR as an institution against supervisors lawsuits for actions taken and/or omissions made while discharging its duties in good faith. • Introduce a legal provision that the reason(s) for removal of a Board member have to be publicly disclosed. • Publish rigorous fit and proper criteria the standing committees of Parliament responsible for the appointment of Board members expect applicants to meet. • Adopt and implement a post-employment or cooling-off period framework covering situations where a staff or Board member intends to take (or takes) a position in a bank supervised by the NBR (or that it has directly supervised). 3. Cooperation and • Organize regular meetings between the NBR and ASF to discuss the collaboration situation and risk profiles of individual institutions and groups active in banking and other sector(s) supervised by the ASF, and the issues of common interest, and coordinate (or agree on joint) supervisory actions, including on-site examination (and implement agreed joint actions). • Introduce an explicit provision in the banking law regarding the treatment of information received from authorities located outside the EU (i.e., no disclosure without the permission of the originating supervisor and, when disclosure is legally required, prompt information of the originating supervisor). 6. Transfer of • Introduce a definition of ultimate beneficial ownership focusing on natural significant ownership persons in the context of transfer of significant ownership (and defined related requirements for review and reporting). 245 ROMANIA Core Principle Recommendation • Introduce a requirement that banks notify the NBR as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. 8. Supervisory • Establish a systematic framework that collects relevant information from approach NBFI (including securities or insurance supervisors) to facilitate on-site examination on banks and banking group. • Enhance off-site monitoring tools by incorporating more forward-looking views (e.g., bottom up stress testing tools). • Enhance a yearly examination planning/approval process to clearly set out the proposed priorities of each banks or banking group for the following year. • Conduct thematic analysis and/or examination across banking system with a mix of off and on-site activities on a particular risk (e.g., concentration risk, cyber risk). 9. Supervisory • Ensure consistency and objectivity in SREP score, findings and supervisory techniques and tools measures (e.g., establish an independent review function, develop an on- site and off-site supervisory assessment handbook, and improve the electronic platform to more effectively manage findings, measures, and follow-ups). • Review the off-site activities regarding various approval process within SD for supervisors to better focus on its qualitative risk analysis. • Intensify engagement with nonexecutive/independent board members as part of the on-site examination process (See CP14). 10. Supervisory • Perform a periodic review of whether the prudential returns (required reporting outside of European reporting framework) satisfy supervisory needs. • Develop rules and processes for hiring external experts, including the process of the quality control and avoiding conflicts of interests. 11. Corrective and • Establish an independent review process in determining written orders and sanctioning powers of sanctions to guarantee consistent approach across banks and clearer supervisors justification; introduce internal guidance to ensure more objectivity, accuracy and consistency in exercising corrective actions and sanctioning powers. • Improve the post-examination process by formalizing a wrap-up meeting to clearly convey findings that require immediate improvement or corrective actions. • Intensify engagement and cooperation with the ASF in the process of imposing corrective actions and sanctions. 12. Consolidated • Further enhance monitoring contagion and reputational risks on banking supervision group or establish guidelines on risk management of intra-group exposures and transactions, if needed. • Conduct off-site monitoring on a consolidated basis more frequently. • Conduct fit and proper reviews on an ongoing basis in case of corporate owner of banks. 246 ROMANIA Core Principle Recommendation 14. Corporate • Require all banks to have independent members of the management governance body. • For all banks (i) formalize criteria a bank should follow to determine its minimum number of independent directors (as a share of Board members) or (ii) set a minimum level above the generally observed practice. • Organize regular exchanges between NBR and nonexecutive and independent members of the management body (and send direct communication to the management body in its supervisory capacity on material supervisory issues). • Include (i) an explicit provision for banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management and (ii) requirements regarding the nomination and appointment of Board members across the banking group. • Consider conducting qualitative analyses on corporate governance arrangements and practices at the industry level. 15. Risk management • Prepare a detailed internal methodology covering relevant risk process management aspects for on-site inspections (including criteria to be applied where judgment is needed, approaches to test specific aspects e.g., incorporation of risk in internal pricing, group risk management framework in the cases of subsidiaries etc.). • Introduce the following explicit requirements: bank Boards and senior management shall understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use, bank Boards and senior management shall understand the risks inherent in major management initiatives (such as changes in systems, processes, business model and major acquisitions) and uncertainties attached to risk measurement need to be recognized. 16. Capital adequacy • Devote further supervisory attention to risk models including advanced approach for regulatory capital calculation (e.g., establish a dedicated unit for more periodic and rigorous model reviews and validation). 19. Concentration risk • Conduct a thematic review on the large exposure limit across banks and large exposure (particularly focusing on banks that the large exposure limit is set at EUR limits 150 million or 100 percent of capital and banks that have high concentration risks), and review the suitability of EUR 150 million as an absolute limit. • Include explicit provision in the regulation that require that all material concentrations be regularly reviewed and reported to the bank’s Board; in practice require banks to manage de facto all concentration risk including sovereign risks. 20. Transactions with • Review and amend the regulation on affiliated party transactions in a more related parties prudent manner (e.g., expand the definition of affiliated parties to comprehensively capture the relevant transaction, include an explicit 247 ROMANIA Core Principle Recommendation presumption power in terms of identification of affiliated parties, require prior approval on write-off of RP exposures exceeding specified amounts, etc.). • Improve the prudential reporting template on RP transactions for more effective monitoring (e.g., include type of exposures, number of shares, asset classification, etc.). • Issue a guidance note/instruction that lays down more concrete requirements for monitoring and managing RP transactions and exposures. 21. Country and • Review and strengthen the regulation on country and transfer risks or transfer risks develop a guidance note for supervisors and banks. • Include explicit requirements in the regulation that banks include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis. • Ensure greater focus on oversight on risks stemming from country (including sovereign) risks and transfer risks on a regular basis during on- and off-site supervision. 22. Market risk • Build up supervisory capacity by having a dedicated market risk specialist. 23. IRRBB • Include explicit requirement that banks conduct independent (internal or external) validation of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); • Update current regulation based on EU-wide regulatory amendment process reflecting new standards for IRRBB which were published in April 2016. 25. Operational risk • Introduce guidelines on a comprehensive information and communication technology risk as intended; • Enhance IT risk supervisory capacity (e.g., establish a specialized unit/ increase IT specialists); • Expand the scope and required items of reporting on operational risk events to keep the NBR apprised of developments affecting operational risk in a timelier and comprehensive manner. 26. Internal control and • Prepare an internal methodology to guide on-site inspections on internal audit control and audit (scope, criteria to assess specific areas, group approaches for subsidiaries, etc.). • Specifically require banks to ensure that the internal audit is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes. • Consider conducting industry level analyses on internal control and audit. 27. Financial reporting • Prepare an internal methodology defining criteria used by the NBR to and external audit assess the adequacy of banks’ policies on rotation of external auditors (and set a maximum time limit to guide supervisory assessments). 28. Disclosure and • Consider the opportunity to require, at least for significant banks, more transparency frequent disclosure (than on an annual basis). 248 ROMANIA Core Principle Recommendation • Consider conducting a review of disclosure practices on governance aspects across the industry. 29. Abuse of financial • Continue implementing a risk-based approach to AML/CFT supervision. services • Ensure that simplified due diligence is authorized only in instances of proven low ML/TF risks. • Ensure that banks are required to implement CDD measures with respect to foreign politically exposed persons in line with FATF Recommendation 12. • Ensure that the requirements related to correspondent banking relationships also apply to intra-EU correspondent banking relationships. B. Authorities’ Response to the Assessment 59. The NBR would like to thank the IMF, the World Bank and the entire FSAP mission team for the BCP assessment work. We recognize the importance of the FSAP not just as an independent peer review assessment but also as a collaborative process that provides learning opportunity to staff on both sides, and is of value for its policy advice. The Basel Core Principles for effective banking supervision introduced requirements that represent a challenge to supervisors worldwide and require adopting a long-term approach toward gradual compliance. In this regard, it is important that the IMF and World Bank continue to analyze different supervisory approaches and disclose the assessments results, in order to build a larger sample of practices, representative enough to outline the main tendencies or tools for reaching convergence with the Basel Core Principles. 60. Since the last FSAP mission to Romania in 2008–2009, substantial improvements have been made and are positively reflected in the report. The measures adopted by the Central Bank include strengthening of banks’ capital positions and setting medium-term targets for increasing minimum Capital Adequacy Ratios (CARs); strengthened NBR monitoring of banks’ loan portfolios and problem loans workout procedures and capacity; reviewed the bank resolution framework in order to facilitate rapid action and options for bank restructuring; strengthened deposit insurance funding arrangements and significantly lowered the payout period; introduced risk-based supervision; and fully implemented IFRS. One of the results of these measures is the plummeting NPL ratio from a peak of 21.9 percent in 2013, to 6.4 percent as of December 2017. 61. Regarding the outcome of the current assessment, we highly value the recommendations provided by the FSAP team with the aim to better align our practices to the highest standards in this field. The NBR Board, in its meeting from 28 February 2018, has thoroughly analyzed the FSAP recommendations. Three recommendations have already been implemented and six more will be implemented by end of May 2018. Furthermore, a detailed action plan and timeline for implementing the remaining recommendations have been approved. Accordingly, the responsible 249 ROMANIA NBR line departments have been tasked with specific steps to carry on the action plan within the approved timeline, and are providing weekly updates on the implementation status. 62. We wish to submit a number of general and specific comments on the Report’s recommendations and evaluations below: The NBR is a competent authority from an EU Member state and is bound to comply with all relevant and applicable EU legislation in the field of banking activity. In this regard, NBR strongly respects the principle of cross EU supervisory practices harmonization, through the implementation of the regulatory packages according to CRD4/CRR and all related European Commission binding technical standards, as well as the EBA Guidelines and Recommendations. These acts represent the best practices and approaches to follow for full supervisory convergence at the EU level. Therefore, there are parts of the Basel Core Principles and consequently, related FSAP recommendations, that are difficult to implement in the national regulatory framework, as they have a different EU level regulatory regime. Considering the above, the NBR will enter into a process of regulatory framework review to the fullest extent possible, given certain limitations imposed by the applicable EU legal and regulatory framework, in the context of the FSAP recommendations. Independence, accountability, resourcing and legal protection for supervisors (CP 2) 63. The independence of the NBR continued to be strong as part of a broader process in the context of Euro adoption. This involves ensuring compliance with the European Commission and the ECB recommendations included in the Convergence Reports. 64. Under the current Statute, NBR Board Members and personnel tasked with prudential supervision have legal protection against lawsuits while exercising their duties, in good faith, and their legal costs are covered by the NBR. The NBR fully welcomes the recommendation and will pursue this aim by seeking to build consensus among all policy makers to amend the NBR Statute in order to “Introduce a legal provision protecting the NBR as an institution against lawsuits for actions taken and/or omissions made while discharging its duties in good faith.” 65. The NBR is a powerful advocate of increased transparency and welcomes the recommendation to “Introduce a legal provision that the reason(s) for removal of a Board member have to be publicly disclosed”. Nevertheless, given the NBR Statute and the two Chambers of the Romanian Parliament’s Internal Regulation on joint activities which stipulates that the meetings of the joint parliamentary standing committees are generally open to the public, the causes for dismissal are supposed to be publicly-available, although this is not explicitly stated in the law. 66. The NBR has recently implemented a Code of Ethics, applicable to its staff and Board Members. Its enactment expressly regulates conflicts of interests and other cases of misconduct. The detection of conflict of interests is also promoted by an updated whistleblowing framework, in line with international best practices, aimed at encouraging staff to file reports. In order to “Adopt and implement a post-employment or cooling-off period framework covering situations where a 250 ROMANIA staff or Board member intends to take (or takes) a position in a bank supervised by NBR (or that it has directly supervised)”, the NBR will implement policies in line with this recommendation. Supervisory approach, techniques, tools (CP 8 and 9) 67. We appreciate the specific recommendations on supervisory practices as an opportunity for improvement as the FSAP mission brought forward essential value added to the effectiveness of the supervisory process. The NBR will adjust its supervisory practices in order to become as fully compliant as possible with the Basel Core Principles for effective banking supervision. 68. We agree that further development of the NBR’s supervisory approach will make supervision more effective and broadly in line with the requirements of the 2012 BCP. However, the NBR would like to note that, regardless of some internal processes not exhaustively formalized, all banks are adequately supervised within the current supervision framework, and that the NBR has a good understanding of both individual banks and banking industry as a whole. Accordingly, some of the key indicators have been maintained well above the EU banking system average. Furthermore, the NBR took important decisions, with good results, in order to decrease NPLs stock and strengthen the supervision of NPL. 69. The supervisory manuals and processes have been revised with a view to aligning them to international best practices as part of an established ongoing improvement framework. As a result of these actions, the following will be enhanced: • the consistency and objectivity in SREP score, findings and supervisory measures/sanctions, e.g., through an independent unit in charge with the quality review of SREP assessment outcomes and management of findings, measures, and follow-ups data base); • the forward-looking components of supervisory framework and more risk focused based approach (e.g., bottom up stress-testing tools, performing thematic reviews etc.); • the dialogue between supervisors and nonexecutive/independent banks board members through regular meetings after on-site examinations. Home-host relationships (CP 13) 70. The FSAP evaluation also contributes to our efforts to strengthen the bank resolution function and further develop our internal preparedness for dealing with failing banks. The NBR acknowledges the importance of continuous tests and has planned a simulation exercise for 2018, in order to test the resolution operational readiness/preparedness. Country and transfer risks (CP 21) 71. In regards to the statement according to which “There are no specific regulatory provisioning standards for country risk and transfer risk in Romania.”, the NBR reiterates that starting in 2018, EU Member States will no longer be allowed to impose additional deductions 251 ROMANIA from banks’ capital (according to Article 481 paragraph 1 of Regulation (EU) No. 575/2013 of the European Parliament and of the Council on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 648/2012). The prudential provisioning would have the effect of affecting the capital so that EC4 could not be implemented without harming the observance of the above-mentioned EU Regulation. Operational risk (CP 25) 72. In regards to building up supervisory capacity and improving current employees’ supervisory skills, the NBR acknowledges the necessity to enhance IT risk supervisory capacities as well as expertise in the area of internal risk models assessment and review, in a very fast-changing, high-demanding and competitive environment, either by recruitment process or by identifying proper training for the staff in charge with these tasks. Abuse of financial services (CP 29) 73. The legal shortcomings mentioned in the report for this CP are mainly due to the regime accepted and applicable at the EU level and are derived from the former EU Directives. The NBR would like to mention that the new Directive (EU) 2015/849 addresses these problems, and consequently its mandatory transposition in the national law, will solve the deficiencies revealed. 252