Internal systems activities at Ziraat Bank are performed by the Board of Inspectors, the Internal Control Department, the Risk Management Department, and the Compliance Department. These units’ duties and responsibilities, which are strictly segregated from one another, are coordinated by the Group Head for Internal Systems.
This organization is structured so as to embrace all Bank units and branches as well as Bank-owned subsidiaries subject to the Bank’s oversight. Its purpose is to minimize any risks that might adversely affect the thoroughgoing and secure conduct of banking operations, the fulfillment of long-term profit targets, the reliability of financial and administrative reporting, and/or the Bank’s reputation and financial stability.
RISK MANAGEMENT SYSTEM
Ziraat Bank risk management activities are conducted subject to the requirements of the Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process and other relevant regulations and BRSA Best Practice Guides.
In these activities, the Bank aims to embed the risk culture throughout its business processes and to bring the risk management function closer to good practices by constantly improving the system and human resources.
The principal risk categories are defined as “Credit Risk”, “Market Risk”, “Operational Risk”, “Model and Process Validation”, and “Balance Sheet Risks”, the last including the interest rate risks and liquidity risks to which the Bank is exposed on account of its banking business accounts.
Policies and implementation procedures regarding the management of risks are carried out on the basis of risk type, in accordance with the regulations and decisions approved by the Board of Directors, and care is taken to ensure that the units included in the line of activity associated with each risk type also contribute to the process.
In addition, the Bank carries out activities to ensure that its foreign branches and subsidiaries comply with local regulations regarding risk management, and closely monitors their risk management ratios.
Within the framework of the “Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process”, the Internal Capital Adequacy Assessment Process was set up to determine the capital required to meet the risks which the Bank is exposed to or may be exposed to, and to establish and maintain a system that will evaluate the capital requirements and levels in line with its strategies. The models designed in this context and the model outputs along with the validation activities for these models are used in the TFRS-9 calculations. Work is being carried out to roll out the model outputs to other areas of activity of the Bank.
Analyses are performed in line with BRSA principles and are further supported by means of risk-specific stress tests and scenario analyses. Year-end Stress Test and Internal Capital Adequacy Assessment Process (ICAAP) reports are prepared and are sent to BRSA with the approval of the Board of Directors.
The results of the analysis carried out within the scope of risk management activities and risk indicators are submitted to the Audit Committee and the Board of Directors at six-month intervals, to the Audit Committee on a monthly basis and to the senior management on a monthly, weekly or daily basis.
Ziraat Bank will continue to carry out its activities for all types of risks based on internationally accepted advanced risk management techniques and to turn these activities into an integral part of the strategic decision-making processes in the coming periods.
INFORMATION ABOUT RISK MANAGEMENT POLICIES AND ACTIVITIES ACCORDING TO TYPE OF RISK
Credit Risk
Credit risk is an expression of the likelihood of the Bank’s suffering a loss because a debtor fails to fulfill, in a timely manner, some or all of his obligations under an agreement that he has entered into.
Within the framework of credit risk management activities, Ziraat Bank’s carries out work on the definition, measurement, monitoring and reporting of credit risk using methods compatible with the Basel-3 criteria.
The Bank follows the credit risk limits approved by the Board of Directors and conducts scenario analysis and stress tests by applying internal and external shocks to credit risk factors. Credit risk measurement is carried out using the Standard Approach method within the framework of the “Regulation on Measurement and Evaluation of Capital Adequacy Ratios of Banks”. Counterparty Credit Risk is measured by using the Standard Approach (SA-CCR) method. In parallel with this, the results of the amount subject to credit risk calculated using the Standard Approach and Internal Rating Based (IDA) Approach continue to be monitored.
The amount subject to credit risk is reported to the BRSA each month on a solo and consolidated basis. In addition, monthly Internal Rating Notifications are submitted to the TBB Risk Center in accordance with the “Internal Rating Notification Circular” that entered force in January 2014.
Ziraat Bank monitors the credit risk limit and signal values determined on a monthly basis. The Bank bases the data in question on customer segments approved by the Board of Directors and the counterparty credit risk portfolio arising from banking and trading accounts. The risk-weighted assets which the bank can carry on a segment and portfolio basis are maintained within these limits.
Market Risk
Market risk is an expression of the possibility of loss that the Bank may be exposed to on account of its on- or off-balance sheet exchange rate, commodity, interest rate and stock position risk, which are subject to the Bank’s trading activities and followed up under the Bank’s accounts and positions valued at fair value, and which arise from the movements in market prices.
Within the scope of market risk management activities, Ziraat Bank carries out risk identification, measurement, analysis, monitoring and reporting activities, which are supported by stress testing. The results of these activities are taken into account in the Bank’s strategic decision-making process.
In order to manage market risk, market movements that affect the present value of the portfolios which expose the Bank to market risk in line with its trading strategies are kept track of on a daily basis and the impact that both upward/downward and ordinary/extraordinary movements may have on these portfolios is analyzed.
In the conduct of its day-to-day operations, trigger values are monitored as part of the early-warning process that is carried out to protect the Bank’s financial strength from being seriously affected by increases in market volatility. Risk exposure levels are kept within prescribed limits.
The Standardized Approach methodology is used to calculate the Bank’s exposure to market risk, the amount of which is included in its mandatory capital adequacy ratio. Market risk is also calculated on a daily basis using a VaR-based internal model. The effectiveness of the models being used is also analyzed regularly by means of backtesting.
Operational Risk
Operational risk” is an expression of the likelihood of the Bank’s suffering a loss because of changes in value caused by the fact that the actual losses which are incurred on account of inadequate or failed internal processes, people, or systems or on account of external events (including legal risk) differ from expected losses.
Within the scope of operational risk management activities, Ziraat Bank carries out work to define, classify, measure and analyze operational risks, and monitors the operational risk signal and limit values approved by the Board of Directors on a periodic basis. The amount subject to operational risk in the Bank is calculated using the Basic Indicator Method in accordance with the “Regulation on Measurement and Evaluation of Capital Adequacy Ratio of Banks”.
The Bank’s operational risk loss database, which is integrated with the Bank and is compatible with the accounting system, was established in line with a classification covering the loss event type and activity lines of the Basel Banking Supervision and Audit Committee, and includes data obtained from foreign and domestic branches and subsidiaries. Effective methods are applied to monitor the company’s operational risk outlook.
Additionally, a self-evaluation study covering the Bank’s organization is carried out.
Ziraat Bank employees perform their duties taking into account the operational risk-related principles and procedures set forth in the Bank’s internal regulations and in a manner that is both sensitive to the operational risks that may be incurred and mindful of Bank policies intended to create an operational environment that will reduce the likelihood of losses.
Signals and limits approved by the Board of Directors related to operational risks have been established within the scope of internal regulations and are monitored periodically.
Risks and actions taken within the scope of IT are monitored and reported to the senior management regarding operational risk.
In order to ensure the continuity of outsourced support services, the risks that might arise from their procurement are assessed in light of BRSA Regulation on the outsourcing of support services by banks.
As part of the Business Continuity Plan, “business impact analyses” are carried out in order both to identify the risks that might arise if the Bank’s operations are interrupted and to determine their potential consequences. Analyses are also conducted into the portfolio custody service database.
Reputation risk management activities are included in operational risk activities. Within the scope of reputation risk studies, various factors are monitored in terms of the Bank’s reputation and reputation risk analyzes are reported regularly.
Balance Sheet Risks
Ziraat Bank aims to effectively manage the risks arising from assets, liabilities and off-balance sheet accounts within the scope of balance sheet risks.
In this regard, the Bank carries out definition, measurement, analysis, monitoring and reporting activities regarding liquidity risk and interest rate risk arising from banking accounts. The Bank also supports these studies, the results of which are taken into account in strategic decision-making, with stress tests and scenario analyses.
There are two components of liquidity risk: funding liquidity risk and market liquidity risk. The first is an expression of the likelihood of the Bank’s suffering a loss because it is unable to satisfy all of its foreseeable/unforeseeable cash flow requirements without otherwise impairing its day-to-day operations and/or financial structure; the second is an expression of the likelihood of the Bank’s suffering a loss because the Bank is unable to close or cover a particular position at the market price owing to insufficient market depth or to excessive market volatility. Interest rate risk consists of the possibility of sustaining losses on risk-sensitive assets, liabilities, and off-balance sheet items owing to changes taking place in interest rates.
Compliance with mandatory ratios pertaining to liquidity and interest rate risks arising from banking business accounts is also monitored. In addition to the foregoing, matters with the potential to affect liquidity risk management are monitored funding and lending maturity mismatches, assets’ and liabilities’ behavioral as well as contractual maturities, the level of primary (cash and cash-equivalent) liquidity reserves needed to conduct the Bank’s normal day-to-day operations, Central Bank liquidity facilities to which recourse may be had in order to cope with unexpected liquidity requirements, secondary reserves whose potential to be converted to cash is exposed to the risk of their being underpriced, and the ability to borrow from conventional markets are monitored. Additionally, within the content of scenario and sensitivity analyses stress test is conducted to assess the Bank’s liquidity needs in the worst case scenario.
For the management of the interest rate risk arising on banking business accounts, attention is given to monitoring and analyzing such issues as rate and maturity mismatches between fixed- and variable-interest fundings and lendings, assets’ and liabilities’ behavioral as well as contractual maturities, both upward/downward and ordinary/extraordinary movements in interest rates, and the impact of interest rate income on the current value of assets and liabilities.
The consolidated and unconsolidated Liquidity Coverage Ratio and Net Stable Funding Ratio and Interest Rate Risk Ratio Arising from Unconsolidated Banking Accounts are reported periodically to the BRSA.
In addition, the Bank periodically monitors interest rate risk signal and limit values arising from liquidity and banking accounts through the early warning process application. Risk limits are determined by taking into account the liquidity situation, targeted return level and risk appetite, and enter force upon the approval of the Board of Directors.
In addition to the stress test analysis included in the Bank’s periodic internal reports, stress test and ICAAP reports are prepared for referral to the BRSA at the end of the year, and capital and liquidity adequacy levels are determined for the following three years in base-case, negative and extreme negative scenarios, in addition to the scenario sets given by the BRSA.
Validation
Ziraat Bank evaluates the accuracy, consistency and adequacy of the internally used rating models and other measurement methodologies in order to accurately measure and manage the risks the Bank is exposed to, while it evaluates the stability of risk models and output (risk estimates, rating grades) performances, and the reporting of the results of the activities to the senior management at regular intervals.
In this context, the Bank aimed to carry out validation studies of IRB models, especially the integration between IRB models and TFRS-9 standards, administrative models, internal models used in the Bank’s decision-making processes such as ICAAP, operational risk and market risk models and to take necessary actions in view of the findings.
Validation activities are carried out under two main headings; initial and periodic validation. Models and methodologies are evaluated qualitatively and quantitatively in both validation types. Models and methodologies, especially data quality controls, performance analyses, evaluation of basic working logic, compliance with legal and internal regulations, documentation and implementation are comprehensively addressed in the validation process. In addition, the preparation of the final validation reports, the evaluation and follow-up of the findings and actions are also included in the validation processes.
The initial validation of the developed IRB-compliant TFRS 9 models has been completed, and the initial validation studies of the newly developed market risk and IRRBB behavior models have got underway. Periodic validation studies of the completed models will be carried out going forward.
INTERNAL AUDIT SYSTEM
The Board of Inspectors takes a risk-focused approach in the fulfillment of its responsibilities to ensure that the activities and operations of the Bank’s headquarters units, domestic and international branches, and subsidiaries comply with the requirements of laws and regulations and are compatible with the Bank’s own strategies, policies, principles, and objectives. The board conducts its activities in such a way as both to keep the Bank’s senior management informed and to contribute to their decision-making processes.
The board conducts its activities in line with internationally-accepted internal auditing standards. Besides checking the Bank’s operations for their compliance with statutorily mandated procedures, in 2023 the board also reviewed and assessed the effectiveness and efficiency of the transaction procedures involved in both primary and secondary processes. In addition, processes governed by the BRSA regulations pertaining to information systems and banking processes were also audited in line with the Bank’s own practices.
The activities of the Board of Inspectors in 2023 are as follows:
- The Central Audit Team continued its intensive operations in 2023 by performing scenario analyses which are influential in preventing irregularities from being committed. Reviewing the effectiveness of existing scenarios against possible abuses, the team continued its systemic developments to minimize the manual processes used during the audit. Work to integrate Artificial Intelligence (AI) technology into the Central Audit processes continues. Accordingly, the transaction types sent to the branches will be included in machine learning, and the probability of fraud will be calculated with more cases that may be subject to abuse being detected more quickly and more effectively.
- The R&D Team completed work on updating the audit model with a dynamic approach, ensuring the follow-up of international standards and practices in auditing. Under the new audit structure, scenario-based dynamic audits started to be carried out, in addition to on-site branch audits, in order to centralize the audit process and include new situations arising within the scope of audit without wasting time. These activities were geared towards detecting risk before the risk grew, enabling more branches to be reached compared to those currently contacted. The team closely monitored legislation, BRSA decisions and changes foreseen by the Bank’s senior management and Head Office units and undertook necessary changes at the audit points.
- Inquiry rules used in branch audits were revised, and new rule sets were created in which customers’ PD data was included in the analysis. Accordingly, a sample reflecting risk more accurately was determined where inquiry rules were designed in a dynamic structure and instant actions were taken according to the conjuncture and the Bank’s risk appetite.
- The recommendations that inspectors in the field included in their reports or made with respect to a particular transaction or practice were also circulated among the business units concerned and the outcomes of such recommendations were observed.
- Systematic developments on the Web Audit Module enabling generation of web-based reports issued following information systems and processes audits continued in 2023, and revisions were made on the module in order to meet various needs and comply with legal regulations.
- The Inspection Scenario Team that was set up and charged with formulating scenarios both to identify and measure the general spread of shortcomings in Bank processes and to develop and improve the effectiveness of such processes and with submitting these scenarios to the appropriate business unit so as to ensure that speedy and effective solutions for dealing with them are devised throughout the Bank continued to operate in 2023.
- The Data Security Team, which is tasked with protecting the confidential information of customers and the Bank, continued its activities in 2023.
- The Data Science Team, established to increase the efficiency of the auditing process in parallel with the technological transformation brought about by digitalization, accelerated its work in 2023, and the outputs of a range of activities were shared with the relevant General Directorate units. The team also flagged the branches exhibiting anomalies in certain issues and contributed to keeping the audit plan up-to-date.
- To enable the Board of Inspectors to use analytical tools more effectively and efficiently, members of the Inspection Board were provided with training in this area.
- 23 Assistant Inspectors, who were successful in the “Assistant Inspector Entrance Exam” organized by the Bank, started to work in January 2023.
- In 2023, the function of providing qualified human resources to the Bank was maintained by ensuring the transition of 13 inspectors to administrative duties.
In keeping with its strong sense of responsibility and awareness of its duties, the Board of Inspectors will continue to execute the internal auditing plan in line with goals and policies set forth by Ziraat Bank’s senior management, to report its findings to the Board of Directors through the Audit Committee, and to observe what action is taken on the basis of its reports.
INTERNAL CONTROL SYSTEM
Internal control activities at Ziraat Bank are designed so as to embrace the operations of all headquarters units, all domestic and international branches and subsidiaries subject to consolidation as required by Article 9 Paragraph 3 of “Regulation on bank internal system and intrinsic capital adequacy assessment processes” which states “Internal control system is structured to include the bank’s domestic and foreign branches, business processes and information systems, subsidiaries subject to consolidation and all of their operations.”
Such activities are conducted so as to be compatible with the Bank’s primary objectives and strategies from the standpoint of their scope and methodology.
This more proactive structure helps ensure that Ziraat Bank’s operations exceed sectoral norms and that they are conducted in a manner that is compatible with both internal and external regulations as well as with the demands of competition.
Domestic branch checks are performed both on location and centrally within the framework of a program that is prepared taking into account branches’ current levels of risk exposure. Control functions, which for the most part are structured so as to be technology-intensive and centralized, are intended to ensure that commonly-occurring mistakes are quickly corrected at the appropriate business-unit level.
With the Instant Control system operational transactions, accounting records and lending operations in real time are checked. Transactions are evaluated in light of specific scenarios and if a transaction is deemed to be in error, it can be corrected the same day. Real-time transaction checking allows increased efficiency through preventive actions and embeds the internal control system within the Bank’s day-to-day operations instead of retrospective transaction controls.
To this end, instant incident and action management tools such as EVAM scenarios that are developed by the internal controllers themselves are also employed effectively. Accordingly, it is adopted as a basic principle to avoid possible errors and omissions in recording assets and liabilities and capturing them in financial reports.
Business unit control programs are prepared taking into account the units’ functions, potential risks, terms of reference, and impact on the Bank’s balance sheet. These programs are revised as needs may require. Business units are controlled by a sufficient number of Internal Controllers in line with these programs.
Internal control operations at Ziraat Bank branches located outside Turkey are carried out in line with control programs that are prepared for each year.
The findings ascertained as a result of all of these activities are periodically circulated among appropriate business units and the members of senior management.
Besides performing their internal control functions, internal control personnel also share their suggestions of ways to improve existing processes at the Bank and to mitigate the risks inherent in them. The aim of this practice is to preclude risks by spotting them in advance, to make the Bank more competitive by improving its business processes, and to increase customer satisfaction while also taking measures to cut costs.
Employment of internal controllers and continuity of employment have been ensured by the method of utilizing the Bank’s own human resources. With the participation of the human resources who worked in the Bank for a certain period of time to the Internal Control team, the adaptation of the team to the internal control processes has accelerated, the training period has been shortened and the team has started to get efficiency in a short time. On another front, banking and field experiences of the team contributed remarkably to internal control processes.
The practice of recruiting qualified human resources for the Bank’s administrative staff by allowing internal control personnel to transfer to such positions continued in 2023.
In addition to such matters, compliance reviews were also carried out by internal control personnel as required by article 18 of BRSA Regulation on bank internal system and intrinsic capital adequacy assessment processes. In the course of these reviews, all operations conducted or planned by the Bank as well as new transactions and products are checked to be sure that they comply with laws and regulations, with the Bank’s own policies and rules, and with generally-accepted banking practices. During such compliance reviews, existing Bank-internal rules and proposed changes in them are also examined and views concerning them are circulated among appropriate units.
Ziraat Bank contributed significantly to sustainability with a number of major projects aimed at saving resources and labor, implemented in 2023. A total of 16 different scenarios were created within the scope of the project, one being carried out for centralized real-time (instant) monitoring of individual and corporate loans. At the decision stage of the project, a 3-month reference interval was determined and 399 critical findings were reached at a cost of 126 person days.
In the same period, it was understood that reaching this number of findings in loans required 1,053 person-days if monitored under the traditional method, and it was observed that findings with a much higher level of importance could be achieved with just one eighth of the human resources.
With the progress of central real-time (instant) control projects of individual and corporate loans, the Bank’s on-site branch monitoring activities decreased in 2023, paving the way for a decrease in greenhouse gas emissions with no need for flights or hotel accommodation associated with business travel.
Another important project for Ziraat Bank was the integration of physical reports containing the issues examined and findings within the scope of internal auditing activities at the Turkish Republic Of Northern Cyprus Country Management into the internal control modules in the main banking application. As a result, consumption of paper was reduced, saving resources as well as reducing emissions.
In addition, the project raised the efficiency of internal controllers’ reporting and finding tracking process, simplifying the detection finding correction of the controlled units and easing the transition to process improvement activities.
COMPLIANCE SYSTEM
Activities aimed at “Preventing Laundering of the proceeds of Crime and the Financing of Terrorism and Weapons of Mass Destruction” at Ziraat Bank were carried out in accordance with national and international regulations.
In accordance with the “Regulation on the Compliance Program on the Prevention of Laundering Proceeds of Crime”, updated in line with changes in Law No. 5549 on the Prevention of Laundering Proceeds of Crime, as the main financial institution within the Ziraat Finance Group, the Bank follows the compliance program and the Ziraat Finance Group Compliance Policy on a financial group basis together with the financial institutions operating within the country.
In this regard, the Bank’s “Principles of Practice and Procedures for Prevention of Laundering Proceeds of Crime and Proliferation of Terrorism and Weapons of Mass Destruction” was fully updated in order to ensure that the responsibilities imposed by the relevant laws and regulations may be effectively fulfilled. Care is taken to allocate personnel and resources with due regard to the structural characteristics of the group.
With the rapid digitalization brought about by technological developments in banking processes, criminal organizations have also increased the use of technology and started to turn to more complex tools in order to use banks to finance their illegal activities.
Along with its investments in innovations and new products in financial services, the Bank has developed preventive control mechanisms to ensure that the products and services it offers are not used as an instrument for illegal activities, and are structured in such a way that situations which cannot be prevented through preventive controls are detected in a timely manner, with the Bank able to take quick action in the fight against the proceeds from crime with proactive measures.
In addition to the knowledge and analytical skills of the specialized personnel in the Bank, regarding the better definition of potential risks in the field of “Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction”, and effective management and control of risks, projects are put in place which are focused on creating a system which focuses on the use of digital solutions based on artificial intelligence and machine learning, effectively responding to the needs of combating money laundering and the financing of terrorism.
In this context, the Bank will continue to focus on developing technology-based and innovative processes in the upcoming period, as well as investing in this area in order to ensure that the measures and obligations in place to combat money laundering and the financing of terrorism are more effective and faster.
Work carried out to adapt the Bank’s customer acquisition process to the current conjuncture and keep the risks presented by this process to a minimum, along process developments to protect the Bank from possible compliance and risks of money laundering and terrorist financing in remote identification of real persons, which is the crucial part of the process, were completed successfully.
In order to effectively combat “Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction” by all domestic and international financial institutions operating within the Ziraat Finance Group, an effective risk-based approach is followed, the risks subject to combat are identified, classified, and effective and proportional controls are established based on the identified risks.
New typologies developed by crime and terror groups in all countries and areas of operation are closely monitored, trend analyzes are made, and resource planning is made in accordance with the risk-based approach model. In this context, projects aimed at the more efficient use of technological opportunities are rapidly implemented besides the increase in human resources. In this field, studies are carried out to provide efficiency and speed with machine learning structures.
In this context, necessary measures in the form of written policies and procedures, which are created by the Group and updated with the changes in the regulations and in these matters, are taken in order to prevent the use of the products and services provided by the Bank and the Ziraat Finance Group with the purpose of money laundering, terrorism and the proliferation of weapons of mass destruction, and controls are carried out in a way that the Bank does not expose to any operational, reputational risks and sanctions in these matters.
Checks have been put in place to eliminate the risk of sanctions by preventing the bank from entering into business relations with individuals and organizations which are included in the programs of sanctions followed by the Bank, while also ensuring that the bank does not provide any services for sanctioned activities and halting any banking service which violates the sanctions.
The regulation drafted in the compliance program regulation has enabled the sharing of information within the Ziraat Finance Group with rules introduced on how this sharing can be carried out. In this context, a system supported by the Bank’s technological infrastructure was developed in order to ensure information sharing within the Ziraat Finance Group, with the group’s information sharing policy established and necessary measures taken regarding the secure sharing of information within the Group.
In addition to the domestic subsidiaries within the Ziraat Finance Group, the Bank is in regular contact with foreign branches and subsidiaries within the framework of the coordinated strategy regarding compliance activities. Remote or on-site support is provided to the relevant branches or affiliates.
The necessary systemic structures are being adapted to carry out compliance checks at the Bank’s subsidiaries, ZiraatPay and Ziraat Dinamik Banka, which are currently in the process of establishment.
In-house training continues to be provided in order to develop common standards on “Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Weapons of Mass Destruction”, to create common processes, to exchange information in line with the common policy goal and to increase the level of consciousness and awareness among all personnel.
The Bank strengthens its checks by taking into account existing laws and regulations regarding the timely detection, minimization and prevention of compliance risks within the Group.
With their expert staff and analytical infrastructure, Ziraat Bank’s compliance units, both as the main financial institution and the financial institutions operating within the Ziraat Finance Group continued to closely follow new trends and best practices in the field of SGA/TFP, as in past years. They will continue their activities with a risk-based approach aimed at maximizing efficiency and effectiveness by achieving the maximum use of technological opportunities.
