Appendix 87

RISK MANAGEMENT GUIDELINES FOR TRUST AND OTHER FIDUCIARY BUSINESS AND INVESTMENT MANAGEMENT ACTIVITIES
(Appendix to Sec. 401)

I. Introduction

Recent changes in the nature and complexity of fiduciary activities have underscored the need for an effective and sound risk management process. With the deepening of the capital market and the increasing complexity of the financial environment, the risk management practices and techniques employed by financial institutions should continuously improve and adapt to these evolving financial landscape.

These guidelines aim to provide principles- based guidance in the implementation of sound risk management practices for trust, other fiduciary business, and investment management activities. As such, the applicability of these guidelines shall depend on the size, complexity, and risk profile of the institution’s fiduciary activities.

II. Statement of Policy

It is the policy of the Bangko Sentral ng Pilipinas to support the development of the Philippine financial market and promote adequate level of protection to investors through, full and fair disclosure on financial instruments covering banking and fiduciary activities. With the continuous emergence of complex financial products, investor protection is a significant concern in building investors’ confidence in the Philippine financial market. It is in furtherance of this policy that Bangko Sentral prescribes risk management guidelines for fiduciary activities aligned with the basic standards in the administration of fiduciary products and services by trust entities.

III. Risk Management Principles for Fiduciary Activities

Risk management practices must be designed to ensure that exposures are well within trust entities capacity to manage and risks taken by the trust entity and its clients are consistent with their respective risk tolerance. Risk management practices shall also promote efficiency in the administration and operation of the fiduciary business; ensure adherence and conformity with the terms of the instrument or contract; and maintain absolute separation of property free from any intrusion of conflict of interest.

As fiduciary activities become more diverse and complex, an institutions’ ability to effectively identify, measure, monitor and control risks should keep pace and continue to evolve. There is no single risk management framework that would effectively work for all trust entities due to differing size, business model, complexity of activities, and risk profile. Nevertheless, regardless of the structure in place, the framework shall cover the following key elements of sound risk management system:

a. Active and appropriate oversight by the board of directors/Trust Committee or its functional oversight equivalent in case of foreign banks/institutions;

b. Adequate risk management processes, policies and procedures;

c. Appropriate risk measurement system, prudent risk limits, monitoring and management information system; and

d. Comprehensive and effective internal control system, audit, and compliance program.

IV. Risks Associated with Fiduciary Activities

For purposes of these Guidelines, the following definitions of risks are adopted:

a. Credit/counterparty risk is the current and prospective risk to client’s earnings or principal contribution arising from an obligor’s failure to meet the terms of any contract with the trust entity or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer, or borrower performance. It arises anytime fiduciary funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, and reflected in the client’s financial statements. Credit/counterparty risk exists in the loan portfolio and other forms of credit accommodations.

b. Market risk is the current and prospective risk to client’s earnings or principal contribution arising from changes in the value of the trust entity’s holdings of investment portfolios. Market risk arises from dealing and position-taking activities in interest rate, foreign exchange and equity markets.

c. Liquidity risk is the current and prospective risk to client’s earnings or principal contribution arising from a trust entity’s inability to recognize or address unplanned changes in client’s and/or beneficiary’s needs thereby affecting the ability to liquidate assets quickly with minimal loss in value. The trust entity shall determine and maintain adequate level of liquidity in each accounts based on client-defined constraints/circumstances or product specifications.

d. Operational risk is the current and prospective risk to the bank’s earnings or capital arising from fraud or error, and the inability of the trust entity to deliver products or services, maintain a competitive position and manage information. Operational risk is evident in each fiduciary product and service offered. As the fiduciary products and services become sophisticated or volume of activities expands, so does the level of operational risk. This risk encompasses product development and delivery, operational processing, systems development, and the internal control environment. Operational risk is present in the day-to-day operations of trust entities and in all aspects of fiduciary activities.

A part of operational risk is legal risk which arises from non-adherence with the terms of the fiduciary agreement and the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations of a trust entity.

e. Compliance risk is the current and prospective risk to the bank’s earnings or capital arising from violation of laws, rules and regulations of regulatory authorities, prescribed practices or sound fiduciary principles, internal policies and procedures, and prudent ethical standards. Compliance risk also arises in situations where the laws or rules governing certain fiduciary products or activities of the trust entity may be ambiguous or untested. This risk exposes the trust entity to fines, payment of damages, and the voiding of contracts. Compliance risk can lead to limited business opportunities, reduced expansionary potential, unenforceability of contract or even adversely affect trust entity’s reputation.

f. Strategic risk is the current and prospective risk to the bank’s earnings and capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. Strategic risk is a function of the compatibility of a financial institution’s strategic goals, the business strategies developed to achieve those goals, the resources deployed in support of these goals, and the quality of implementation. The trust entity’s internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes. Financial success requires a sound strategic planning process embraced by the board and senior management.

g. Reputation risk is the current and prospective risk to the bank’s earnings and capital arising from negative publicity regarding the financial institution’s fiduciary business practices. The negative public opinion can cause (a) clients to question or doubt the trust entity’s integrity to engage in fiduciary activities which can result in the termination of fiduciary relationships, (b) litigation costs to increase, or (c) revenues to decline. Reputation risk affects the trust entity’s ability to establish new fiduciary relationships or services, or continue servicing existing relationships. Since public’s perception is critical in the fiduciary business, trust entities should exercise an abundance of caution in dealing with clients and the public in general.

V. Risk Management Process

A trust entity shall develop and implement a formal, comprehensive, and effective risk management program that outlines, among other things, the risk management processes that effectively identify, measure, monitor and control risks affecting the clients and the trust entity. These processes shall also recognize and address the differences in the needs, objectives and risk tolerance of the clients and the trust entity. An effective risk management program can serve as an early warning system that enables the trust entity to anticipate and/or pro-actively identify potential problems from arising which may result in unanticipated loss to the clients and the trust entity. A risk management program should:

a. Identify risk. Trust entities shall recognize and understand existing exposures or those that may arise from new products/services, acceptance of new clients, and changes in operating environment. They shall establish procedures that identify and address such risks prior to initiation of the activities. Risk identification is a continuing process that should be embedded in all phases of trust entity’s activities and shall cover both the individual investment transactions and portfolio activities. Identifying risk also involves the determination of the desired level of exposures both for the trust entity and client after taking into account the willingness and the ability to absorb risks.

b. Measure risk. Trust entities shall have appropriate systems or tools in place that could adequately quantify or measure both their client and their own risk exposure/s. It shall be the trust entity’s responsibility to ensure that the risk measurement tools can adequately and reliably capture and quantify exposures. Risk measurement tools shall be subjected to independent and periodic validation and review to ensure that they remain reliable and appropriate. Effective risk measurement systems assess the risks of both individual transactions and portfolios and ensure that the sophistication of the risk measurement tools remains proportionate to the complexity of exposures.

c. Monitor risk. Trust entities shall monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be frequent, timely, accurate, and informative and should be distributed to clients/individuals and appropriate level of management to ensure corrective action, when necessary.

d. Control risk. Trust entities shall establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. The types and sophistication of control processes shall be consistent with the risk tolerance standards defined by the board of directors/Trust Committee and the client. Trust entities shall implement a process for tracking and reporting exposures to monitor the trust entity‘s compliance with risk tolerance standards.

The risk management process for fiduciary activities should be structured and incorporated in the required basic standards in the administration of fiduciary products and services.

VI. Sound Risk Management System

Consistent with the guidelines on supervision by risk set forth under Appendix 69 (Appendix to Sec. 141), the Bangko Sentral shall assess the suitability and adequacy of a trust entity’s risk management system in accordance with the following elements:

A. Active Board and Senior Management Oversight

a. The board of directors (or its functional oversight equivalent which may include the country head in the case of foreign banks/ institutions) and the Trust Committee shall perform their responsibilities in accordance with the applicable provisions of this Manual.

b. Independent Risk Management Function. To uphold the principles of undivided loyalty and impartiality, and discourage possible conflicts of interest, the process of measuring, monitoring, and controlling risks shall be managed as independently as practicable by a body or personnel apart from those individuals who have the authority to initiate transactions. The Board- designated body or personnel performing independent risk management on fiduciary activities shall either be part of or directly report to the risk management unit/department of the bank proper to ensure holistic implementation of enterprise-wide risk management framework. Nevertheless, the Board-designated body or personnel tasked to perform risk management function for fiduciary activities is not precluded to freely communicate with the trust officer or relevant trust committee any information relative to the discharge of its function.

B. Adequate Risk Management Processes, Policies and Procedures

The trust entity shall have Board-approved written risk management policies and documentation standards which provide detailed guidance for the day-to-day implementation of the trust entity’s strategies and generally include risk limits, operating procedures and control processes designed to safeguard the trust entity and its clients from excessive and imprudent risks. Terminologies relevant to trust, other fiduciary and investment management activities shall be specifically defined and clearly described through appropriate sample documents/exhibits to avoid the likelihood of incomplete communication, ambiguities and misinterpretations.

Policies shall provide an outline on the formal process for the board of directors/Management’s review (at least annually), amendment and approval. In the case of personnel management, the policies and procedures shall provide for personnel recruitment, training, performance evaluation, and salary administration that must address staffing needs, and compensation programs. Effective risk management requires experienced and competent officers and supporting staff.

Policies and procedures shall delineate lines of responsibility and accountability. Copies of policies and procedures, including updates and changes, shall be promptly transmitted to all concerned personnel who are directly or indirectly involved in fiduciary activities. Policies and procedures shall, at the minimum, include:

1. Scope of fiduciary products and types of services offered to clients with clear description of each product and service

2. Organizational structure

3. Authorities and responsibilities of the:

(a) Board of directors

(b) Trust committee

(c) Trust investment committee and other related committees

(d) Trust officer1

(e) Trust Department/Branch/Unit Heads2

(f) Account officers/Marketing personnel, including those assigned in branches3

(g) Trading or Dealing officers and staff4

(h) Backroom officers and staff5

4. Basic standards in the administration of trust, other fiduciary business and investment management activities

5. Accounting and records maintenance

6. Policy review

7. System of financial and regulatory reporting

8. Client-oriented safety nets

C. Appropriate Risk Measurement System, Prudent Risk Limits, Monitoring and Management Information System

The process of measuring, controlling and monitoring fiduciary risks shall be carried out independently by personnel not directly involved in fiduciary activities. Results of this process shall be reported to the board of directors, or to the appropriate Board-level committee, thru the risk management unit/department of the bank/institution proper in a timely and comprehensive manner. In the same manner, the trust officer or relevant trust committee should be apprised of the results of these processes and relevant risk management issues.

Risk Measurement System

In formulating the risk measurement models and methodologies for its fiduciary risk-taking activities, the trust entities shall be guided by the minimum requirements prescribed in Appendices 70 (Appendix to Sec. 142) and 71 (Appendix to Sec. 144), and the guidelines provided under Appendix 22 (Appendix to Sec. 613) as applicable.

Trust entities are expected to adopt models/ methodologies commensurate to the size, complexity and nature of the fiduciary activities undertaken. In addition, the trust entity’s risk measurement system shall provide detailed guidelines on the:

a. Frequency of risk measurement

b. Sources of data, i.e., market prices

c. Appropriateness of risk measurement tools given the complexity and level of risk assumed (including the reasonableness and validity of assumptions)

d. Frequency of validation of risk measurement tools

e. Ability to measure risk at both transactional and portfolio levels

f. Frequency of review of the risk measurement system by the board of directors and the trust committee

Trust entities shall develop a liquidity contingency plan for its investment portfolios especially for the UITFs to demonstrate how liquidity funding needs will be handled in times of crises, as well as supplement their market and liquidity risk measurement models with periodic stress testing.

Prudent Risk Limits

Risk limits shall be established, approved and periodically reviewed by the board of directors or trust committee. In setting limits, the risk management policy shall include the determination of the experience, background and authority of individuals involved in setting portfolio limits, and the processes for setting and changing individual and portfolio limits; and shall recognize the restrictions/constraints that the client may impose on the trust entity. The risk management policy should also indicate when excess over approved limits may be allowed and the appropriate approving authority for such excess. Limits must be documented and promptly communicated to all concerned personnel. Portfolio limits must be reviewed at least annually, but client-set limits must be reviewed at least quarterly to ensure consistency with the investment objectives set by the client and conformity to the terms of the contract.

Risk Monitoring and Management Information Systems (MIS)

Effective risk monitoring and control is dependent on accurate, timely, reliable, and relevant information processing and reporting systems. Rapid technology advancements create new risk monitoring and control issues, thus, the board of directors should ensure that the impact of emerging technologies on fiduciary activities is properly considered. The board of directors and Trust Committee shall be afforded with adequate information on the trust and investment management activities to properly fulfill their responsibilities. Accordingly, the trust entities shall have policies and procedures in reporting information on fiduciary activities to the board of directors and trust committee specifying, among other things, the type, amount and timing of information reported; methodology to ensure all identified risks are monitored; frequency, timeliness, accuracy and clarity of monitoring reports; report distribution to management and staff; and comparability of output against predetermined limits.

The sophistication of MIS shall be commensurate with the complexity and diversity of the trust entity’s operations such that a complex trust entity shall have a more comprehensive MIS.

Because of the cost involved in developing technology, a trust entity may opt to purchase information technology rather than develop its own internal system. Nonetheless, regardless of the source of information system, the board of directors and Trust Committee shall exercise the proper level of control and oversight to appropriately fulfill their fiduciary duties. Service Agreements or vendor contracts shall be thoroughly reviewed by legal counsel to ensure that they include appropriate indemnification and recourse language. In addition, contracts shall contain specific language recognizing the authority of the trust entity’s regulators to conduct reviews of third- party vendors as part of their overall supervisory activities.

D. Comprehensive and effective internal controls, audit, and compliance program

Internal Control Systems

A comprehensive internal control is the foundation for the safe and sound functioning of a trust entity and its fiduciary risk management system. It shall form an integral part of the trust entity’s overall system of controls and shall promote effective fiduciary operations and reliable financial and regulatory reporting, safeguard assets and help ensure compliance with relevant laws, regulations, and institutional policies.

Effectiveness of the internal control system shall be periodically tested by an independent party (preferably the auditor, or at least an individual not involved in the process being reviewed) who shall submit a formal report on the results of such testing/review directly to the board of directors or the audit committee. The review shall cover all material controls and shall consider:

 • The change in the nature and extent of significant risks, and the trust entity’s ability to respond to such changes;

 • The scope and quality of management’s ongoing monitoring of risks and of the system of internal control, and the work of its internal audit function;

 • The extent and frequency of the communication of results of the monitoring to the board of directors or appropriate committee;

 • The incidence of significant control failings or weaknesses that have been identified, and the extent to which they have resulted in losses or potential losses; and

 • The effectiveness of the trust entity’s reporting processes.

Given the importance of appropriate internal controls to an organization, management’s response to results of the test/review should be documented.

The system of internal control shall set forth clear lines of authority and appropriate segregation of operational duties and functions to ensure independence of the control areas from the business lines. An organizational chart shall specify the reporting lines for risk management, compliance, and internal audit groups.

Audit Program

A well-designed and executed internal audit program is essential to effective risk management and provides an independent assessment of the efficiency and effectiveness of the internal control system.

An effective audit program shall be based on an appropriate risk assessment methodology that documents the trust entity’s significant fiduciary activities and their associated risks, and internal control systems. Such documentation shall be available for review by the Bangko Sentral. It shall describe the objectives of specific audit activities and list the procedures to be performed during the process.

While the frequency and extent of the internal audit review and testing shall be consistent with the nature, complexity and risk of the trust entity’s fiduciary activities, existing Bangko Sentral regulations require the conduct of periodic internal audits of the trust entity at least once every twelve (12) months. The board of directors may also require the adoption of a suitable continuous audit system to supplement or replace the periodic audit. In any case, the audit shall ascertain whether the trust entity’s fiduciary activities have been administered in accordance with laws, Bangko Sentral rules and regulations, and sound fiduciary principles.

There shall also be a system that allows sensitive findings (e.g., defined non-observance of the basic principles on fiduciary relationships, unsafe and unsound practices, operational lapses/deficiencies resulting to recognition of material losses) to be reported directly to the board of directors. Moreover, the audit committee and/or board of directors shall review the effectiveness of the internal audit and other control review activities on a regular basis.

Bangko Sentral regulations also require annual external audit of the fiduciary activities of trust entities and of each unit investment trust fund by an independent auditor acceptable to the Bangko Sentral.

Compliance Program

The trust entity shall develop and implement a compliance system for its trust, other fiduciary business and investment management activities, and appoint/designate a compliance officer to oversee its implementation in accordance with Section 161. The Board- designated body or personnel performing independent compliance function on fiduciary activities shall either be part of or directly report to the compliance unit/department of the bank proper to ensure holistic implementation of enterprise-wide compliance program. Nevertheless, the Board-designated body or personnel tasked to implement the compliance program for fiduciary activities is not precluded to freely communicate with the trust officer or relevant trust committee any information relative to the discharge of its function.

The compliance system must provide a written and comprehensive compliance program designed to monitor observance with relevant laws, rules and regulations, internal policies including risk limits, internal control systems, fiduciary principles, and agreements with clients. The compliance system shall be periodically reviewed for relevance, effectiveness and appropriate follow-up.

The board of directors must recognize the scope and implications of applicable laws; approve a compliance program that protects the trust entity from adverse litigation, increased regulatory oversight, and damage to reputation; and ensure that the compliance officer primarily undertakes to oversee and coordinate the implementation of the compliance system.

The extent of formality of the compliance program may vary from one trust entity to another. Nevertheless, an effective compliance programs have common elements that include:

a. A strong commitment from the board of directors and Trust Committee;

b. A formalized program coordinated by a designated compliance officer that includes periodic testing and validation process;

c. Responsibility and accountability from line management;

d. Comprehensive training programs; and

e. Timely reporting and follow-up process.

(Circular No. 972 dated 22 August 2017)

Footnotes

  1. Including minimum qualification standards.
  2. Including minimum qualification standards.
  3. Including minimum qualification standards.
  4. Including minimum qualification standards.
  5. Including minimum qualification standards.