Assessment of the Internal Systems and 2021 Operations

INTERNAL AUDIT ACTIVITIES

With the Board of Directors’ authorization, the Board of Audit carries out independent and objective assurance and consultancy activities to improve the Bank’s activities and add value. Its primary purpose is to establish and operate the internal audit system, which is to assure the senior management regarding the effectiveness and adequacy of the governance, internal control, and risk management systems, as well as the fact that the Bank’s activities are carried out in line with the Banking Law and other relevant legislation and the Bank’s strategies, policies, principles, and objectives.

From this point of view;

Assessing the compliance of the activities of the Bank’s Head Office Departments, domestic and foreign branches, affiliates, and subsidiaries, including the departments within the scope of internal systems, and the activities of individuals and organizations from which support services are received, with the Banking Law and other legal regulations and internal legislation, strategy, policy, principles, and targets,

Conducting audits within the framework of the practices aimed at the accuracy of financial data, the protection of resources, and the effectiveness and adequacy of governance, internal control, and risk management systems.

In addition, carrying out investigations regarding the personnel’s irregular and illegal transactions and the fraud and fraudulent transactions of third parties against the Bank.

Assurance work carried out by the Audit Board Presidency is conducted in two different ways: on-site audit and centralized control. On-site auditing activities are carried out in departments, branches, subsidiaries, affiliates, and individuals and organizations from which support services are received, within the framework of the annual audit plan, which is prepared in line with the objectives and strategies of the Bank and with a focus on resources. Centralized control is carried out by applying information technology-supported remote auditing techniques to detect situations that may pose risks in branches and departments and take measures quickly.

Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.

The accuracy of the data used in the Internal Capital Adequacy Assessment Process Report, the adequacy of the systems and processes, and whether or not the data, systems, and methods enable accurate information and analyses are audited within the framework of the procedures and principles determined by the Audit Board.

Compliance with the ISO 9001 Quality Management System, 14001 Environmental Management System, ISO 27001 Information Security Management System, and ISO 22301 Business Continuity Management System is assessed in the branches and headquarters departments that are audited within the scope of the annual audit plan.

In light of the audits and investigations conducted by the Audit Board, proposals are made for the correction of any detected issues, for taking measures to prevent similar events, for improving the processes, and for enhancing the internal control system, while the actions taken regarding these issues are followed up.

The corrective actions taken by the business departments on the action dates are checked; if the corrective action is sufficient to eliminate the finding, the finding is closed; if it is not sufficient, the action date is followed.

The projects entered by the business departments to eliminate the issues determined by the audits are evaluated as to whether the project’s scope is sufficient to eliminate the finding. In case of deficiencies or errors, the relevant business department is informed to ensure its correction.

The auditors provide training to the Bank’s staff on various issues that are needed and requested.

Within the framework of the principle of continuous professional development, in-Bank and non-Bank trainings that contribute to the professional and personal development of auditors are organized, and training is provided primarily to encourage the acquisition of international certificates.

The Board of Auditors was awarded the “Certification Awareness Award” for attaching importance to Internal Auditor Certification and the “Continuous Professional Development Awareness Award” for carrying out the work on creating the trained workforce needed by the internal audit profession and developing the profession at the “Awareness Award Ceremony” organized by the Turkish Institute of Internal Audit (TIDE) to raise awareness of internal audit.

Other than that, training is provided to auditors before audit activities that require expertise.

Within the scope of the 2018 Internal Audit Program; the audit of 372 Branches and 40 Affiliated Branches and the Audit of Compliance with ISO 14001 Environmental Management System in these Branches; the audit of 21 Head Office Business Departments and 2 Head Office Information Systems Departments, and their affiliated Directorates, information system in 1 Subsidiary, information system in 21 Persons and Organizations from which Support Service is purchased, Internal Capital Adequacy Assessment Process (İSEDES); the audit of 3 Subsidiaries; the audit of the Penetration Test Action Plan Compliance Controls, Bades Action Plan Compliance Controls, BS Audit Action Plan Compliance Controls, information systems processes along with the provisions of the Regulation on Banks’ Information Systems and Electronic Banking Services; the audit of Risk Center; the audit of Annual Evaluation of Persons and Institutions from which Support Services are Received; the ISO 22301 Business Continuity Management System and ISO 27001 Information Security Management System Audit; the Swift Control Audit; the Remote Authentication Compliance Audit; the Identity Sharing System Audit; the Electronic Banking Services Audit; the Valuation Service Compliance Audit and Call Center Processes Audit; the Information and Communication Security Guide Audit; and Prevention Plan Studies have been completed. 

INTERNAL CONTROL ACTIVITIES

The Internal Control function is structured to ensure establishment and coordination of a healthy internal control environment; protection of the Bank’s assets; effective and efficient performance of the activities in conformity with the Banking Law and relevant legislation, internal policies and rules as well as banking practices, reliability and integrity of the accounting and financial reporting system; and timely accessibility of information. Accordingly, the Bank’s domestic and foreign branches and head office departments are subject to internal control activities based on a risk-centered approach. As part of the measures taken due to the Covid-19 pandemic, which has affected the entire world in 2021, control activities have been carried out remotely and on-site.

According to risk conditions, domestic branch controls, carried out by the Internal Control Department, are conducted on-site or from the Head Office within the control programs’ framework every year. Additionally, real-time controls are carried out for transactions performed at branches. In 2021, internal control activities were carried out in all existing domestic branches of our Bank, in 5 subsidiaries subject to consolidation, and in 31 Head Office departments.

Periodic checks are carried out on 30 control points within the scope of the continuous checks carried out by the Information Systems Internal Control Department regarding the activities carried out by the information system departments of our Bank. In addition, within the scope of department controls, information systems control activities were carried out in 5 information systems departments and 5 partnerships of our Bank subject to consolidation, which were included in the 2021 Information Systems Internal Control Plan for information systems departments.

Findings and recommendations under all these control activities are reported and shared with the relevant departments as the actions taken are monitored. Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.

The Internal Control function controls the distribution of roles and responsibilities and the functional classification of tasks to identify, measure, and prevent the Bank’s risks; sets up auto-control mechanisms in all processes, procedures, and projects to be deployed in a manner that will cover potential risks; and establishes and enhances system controls. Activities are carried out to increase the effectiveness of control activities and minimize operational risks. In conformity with the objectives and strategies of the Bank, changing needs, risks, regulations, and technological developments are followed. Necessary adjustments and updates are made to ensure the effectiveness and functioning of the internal control system. Activities continue with the aim of enhancing the internal control culture in the Bank.

COMPLIANCE DEPARTMENT’S ACTIVITIES

Compliance and Regulation Department carries out activities to fulfill the responsibilities stipulated in the Financial Crimes Investigation Board (MASAK) legislation within the scope of the Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Proliferation of Weapons of Mass Destruction, and to comply with international principles and rules on the same. In this context, pursuant to the “Regulation on Compliance with Obligations Related to the Prevention of Laundering Proceeds of Crime and Financing of Terrorism,” the necessary policies and procedures are established for the identification, classification based on risk categories, and monitoring of customers, and notification of suspicious customer transactions to ensure that the Bank fulfills its obligations. It is checked whether the policies and procedures in question have been implemented and opinions/approvals are given for the transactions of risky sectors and countries. Necessary investigations and evaluations are carried out within the framework of a risk-based approach about transactions that may be suspicious in the Bank that are transmitted through branch, etc. channels or detected within the scope of monitoring and control activities and the transactions that are deemed to be suspicious are reported to the Financial Crimes Investigation Board (MASAK). For the purpose of sound monitoring of international sanctions by the Bank, the Sanctioned List, which compiles the sanctions decisions of international institutions and organizations such as the United Nations, the European Union, OFAC, etc., is used for queries and controls. Compliance-related duties and activities are performed in coordination to prevent laundering the proceeds of crime and financing of terrorism at domestic and foreign branches of the Bank. 
The follow-up of the compliance risks that may arise from the foreign regulations and the control of compliance with these regulations of the foreign branches that are subject to the compliance program established by the Bank in accordance with the legislation of the country in which they operate are carried out by a staff member in respect of each branch. The activities as mentioned earlier are carried out in coordination with business departments. In-class and online training courses are regularly provided to the Bank’s employees to constantly raise awareness and strengthen the culture of preventing the laundering of crime proceeds and financing terrorism.

LEGISLATION MONITORING AND EVALUATION ACTIVITIES

The Compliance and Regulation Department carries out activities to effectively and efficiently monitor relevant legislation on banking activities and manage the compliance process.

Recent developments in legislation and banking practices related to banking activities are monitored; the impacts of legislation changes on the banking activities are interpreted. Within this scope, the measures to be taken by the Bank and the affiliates of the Bank in relation to the services provided by the Bank and the changes to be made in the Bank’s internal legislation and practices are identified, and written information is provided to the relevant departments and it is followed and requested that the necessary measures are taken. Furthermore, relevant departments are informed on draft banking regulations, and thus necessary procedures are initiated before they enter into force.

Tasks for regulatory compliance controls are carried out within the scope of the “Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process.” Accordingly, compliance with regulatory changes is coordinated; measures taken, practices changed, and internal procedures formulated to align the Bank’s internal policies and practices with such regulatory changes are monitored and controlled in terms of regulatory compliance; necessary corrections and changes are made; essential measures are taken to ensure prompt and full compliance with laws; controls are performed for regulatory compliance of new products and services; and the process of updating the internal procedures and guidelines is coordinated within the Bank.

Notification and coordination processes are run to ensure the Bank participates in the meetings held by the Banks Association of Turkey. The Bank also joins, together with relevant functions, the Working Groups formed within regulatory compliance activities. Participation is ensured in the meetings of Working Groups. When the Association requests the Bank’s opinion on a specific subject, ideas are gathered from business departments and are evaluated to express a statement on behalf of the Bank. Information on the activities carried out under the Association, regulatory arrangements communicated by the Association, and instructions and information received from the Agency are all disseminated to relevant business departments, and actions taken are monitored.

There are agreements in place on exchanging information between the Republic of Turkey and the United States of America and with OECD countries to enhance international tax compliance. Legislation regarding these agreements is monitored. Relevant business departments are assigned to ensure compliance with such legislation. The efforts undertaken by business departments are followed up. Measures include those in compliance with the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS).

Within the scope of the obligation that the detailed justifications to be prepared for complying with all the principles contained in the Good Practice Manuals and the principles which are partially implemented or not fully implemented are presented every year together with the submission of the Internal Capital Adequacy Assessment Process (İSEDES) reports to BRSA; the practices of the Bank which is designated as “Systemically Important Banks” and its policy documents are monitored and controlled to ensure that they are in full compliance with all the principles specified in the Good Practice Manuals. The relevant business departments are coordinated to make changes and corrections when necessary.

Besides, our employees assigned at those branches in charge of the matters mentioned earlier and reporting on compliance monitor compliance of foreign branches with the legislation in their respective countries.

In line with the activities of the Department, it is aimed to support the Bank’s compliance with the applicable laws and other relevant regulations, the Bank’s internal policies and procedures, organizational management and ethical standards, and to protect the Bank’s reputation and integrity through compliance with all legal regulations.

In order to ensure the Bank’s full compliance with sustainability-related regulations and to prevent environmental problems such as climate change and uncontrolled waste, the regulations published by the Ministry of Environment, Urbanization, and Climate Change and other relevant institutions and organizations are closely followed, the relevant departments are informed about the issue, and contributions are made to the United Nations 2030 Sustainable Development Goals.

SUMMARY INFORMATION ON IMPORTANT LEGISLATION REGULATIONS PUBLISHED IN 2021

The arrangements have been made for not collecting any kind of funds for the benefit of persons or organizations within the scope of the Law No. 7262 on the Prevention of Financing the Proliferation of Weapons of Mass Destruction and the decisions taken by the United Nations Security Council or the persons or organizations controlled directly or indirectly by them, or for not allowing them to enter into business partnerships or other business relationships in Turkey.

The regulations on the concept of “Financial Group” have been made in the Law on the Prevention of Laundering of Proceeds of Crime No. 5549.

In addition, the procedures and principles regarding the regulations made by the Law are determined with the Regulation on the Application of the Law on the Financing of the Proliferation of Weapons of Mass Destruction, the Regulation Amending the Regulation on the Procedures and Principles on the Application of the Law on the Financing of Terrorism, the Regulation Amending the Regulation on Compliance Program with Obligations for the Prevention of Laundering Proceeds of Crime and Financing of Terrorism, and the Regulation Amending the Regulation on the Measures on the Laundering of Proceeds of Crime and the Prevention of the Financing of Terrorism subsequently published by the Ministry of Treasury and Finance.

The Law on Amendments to the Financial Leasing, Factoring and Financing Companies and Some Other Laws No. 7292 has changed the name of the Law on Financial Leasing, Factoring and Financing Companies No. 6361 to the Law on Financial Leasing, Factoring, Financing, and Savings Financing Companies, and savings and financing companies have also been included within the scope of Law No. 6361. In this context, a number of regulations have been introduced for savings and financing companies on issues such as the minimum amount of capital and the field of activity; the minimum amount of capital for leasing companies, factoring companies and financing companies has been increased from TL 20 million to TL 50 million; and those who carry out saving financing activities have been provided time to comply with the regulations introduced by applying to the Banking Regulation and Supervision Agency.

In addition, for the purpose of implementing the provisions on savings financing companies introduced by this Law, the Regulation on the Foundation and Operating Principles of Savings Financing Companies was published by the Banking Regulation and Supervision Agency within the period.

The Law on the Restructuring of Some Receivables and Amendments to Some Laws No. 7326 introduced the possibility of restructuring the taxes, official duties and tax fines, customs duties and administrative fines, insurance premiums, community insurance premiums, pension deduction and its corporate provision, unemployment insurance premium, social security support premium, various administrative fines, and all kinds of accessories thereof, such as interests, hikes, delay hikes, delay interests, penal interests, delay penalties related to the said receivables.

The Law Amending the Law on the Procedure for the Collection of Public Receivables and Some Other Laws No. 7316 increased the corporate tax rate to 25% for 2021 and to 23% for 2022, starting with the declarations due from 01.07.2021 and being valid for corporate earnings for the taxation period starting from 01.01.2021.

With Presidential Decree No. 4299, it was decided to extend the implementation period of the provisional Article 32 for two years, which regulates the procedures and principles related to financial restructuring that were added to the Banking Law No. 5411 by Law No. 7186 dated 17.07.2019.

The Regulation on Remote Identification Methods to be Used by Banks and Establishing a Contractual Relationship in Electronic Environment determines the procedures and principles for establishing a contractual relationship in such a way that it replaces the written form via an IT or electronic communication device, whether it is remote or not, for remote identification methods that can be used by Banks to acquire new customers, as well as for banking services that will be offered after the identification of the customer.

The Regulation on the Sharing of Confidential Information determines the scope, form, procedures, and principles related to the sharing and transfer of information that is a Bank secret and a customer secret.

The Guide on Credit Allocation and Monitoring Processes describes the best practices expected from banks on credit risk management and identifies the issues related to internal management regulations and procedures of banks, risk management practices, policies, processes, and procedures related to credit allocation and monitoring of live loans, as well as their integration into general management and risk management systems during the life cycle of loans and credit allocation processes.

The Problematic Receivables Resolution Guide provides explanations for the expected good practices from Banks to determine, monitor, and analyze their restructured and frozen receivables within the scope of risk management systems and to manage assets acquired due to receivables.

The General Communiqué of Financial Crimes Investigation Board (No: 19) regulates the procedures and principles regarding remote identification methods to be used for the purpose of verifying the identity of the customer in order to implement the Law on the Prevention of Laundering of Proceeds of Crime No. 5549.

Presidential Decree No. 3941, amending the Regulation on Measures to Prevent Laundering of Proceeds of Crime and Financing of Terrorism, adds crypto asset service providers and saving financing companies as obligation holders in the Regulation on the implementation of the Law on Prevention of Laundering of Proceeds of Crime No. 5549.

The Regulation on Prohibition of Use of Crypto Assets in Payments establishes the procedures and principles on the prohibition of the use of crypto assets in payments, the prohibition of the direct or indirect use of crypto assets in the provision of payment services and the export of electronic money, and the prohibition of payment and electronic money institutions to mediate the purchase, storage, transfer or export of crypto assets to platforms offering services or the fund transfers to be made through these platforms.

The Communiqué on Supporting the Transfer of Turkish Lira Deposits and Participation Accounts and the Communiqué on Supporting the Transfer of Turkish Lira Deposits and Participation Accounts from Gold Accounts determine the procedures and principles related to the support to be provided to depositors if the foreign currency and gold denominated deposit accounts of a real person residing in Turkey are converted into Turkish lira term deposit accounts. The Presidential Decrees numbered 4970 and 5046 set the withholding rate to be applied on the deposit accounts in question as 0% (zero percent).

The Presidential Decree No. 2021/15 on the Green Reconciliation Action Plan states that the “Green Reconciliation Action Plan” will be prepared by the Ministry of Commerce in cooperation with public and private sector institutions and organizations for the purpose of contributing to the transition of our country to a sustainable, resource-efficient, and green economy and ensuring compliance with the changes envisaged by the European Green Agreement in a way that protects and furthers the integration provided for under the Turkish-EU Customs Union, and the aforementioned Plan was published by the Ministry of Commerce on its website.

The Sustainable Banking Strategic Plan has been published by the Banking Regulation and Supervision Agency in relation to the action “3.2.5. Defining a roadmap for the development of sustainable banking” of the Green Reconciliation Action Plan.

The Fifth Strategic Plan (2022-2024) has been published by BRSA within the framework of the main objectives of increasing the effectiveness of regulation, audit, and implementation activities, implementing policies related to maintaining trust and stability in financial markets, strengthening the corporate structure, and strengthening practices for those who use financial products and services. 

OTHER INFORMATION RELATED TO THE BANK AND ITS ACTIVITIES

There are no lawsuits filed against the Bank that could affect the Bank’s financial status and activities.