Credit Union and Co-operation with Overseas Regulators Act 2012

26.

Additional requirements for credit unions.

26.— Part IV of the Principal Act is amended by inserting the following after section 76:

Additional requirements for credit unions

Strategic plan.

76A.— (1) The board of directors of a credit union shall cause to be prepared and shall adopt a plan (in this Act referred to as a ‘strategic plan’) which documents the strategy and objectives of the credit union (in this Act referred to as the ‘strategic objectives’) and indicates how those strategic objectives are to be achieved.

(2) A strategic plan shall include—

(a) the objectives of the credit union’s activities for a specified period of at least 3 years,

(b) the nature and scope of the activities to be undertaken,

(c) the strategies and policies for achieving those objectives,

(d) the targets and criteria for assessing the performance of the credit union,

(e) the financial projections for the credit union for a specified period of at least 3 financial years from, and including, the current financial year together with the supporting financial analysis and assumptions made,

(f) the funding strategy proposed to support the projected balance sheet structure, and

(g) such other matters as may be prescribed by the Bank.

(3) A credit union shall maintain adequate resources, both financial and non-financial, in relation to the nature, scale, complexity and risk profile of the activities being undertaken or to be undertaken in accordance with the strategic plan.

Risk management systems and systems and control.

76B.— (1) In this section—

‘compliance programme’, in relation to a credit union, means the policies, procedures, systems and plans the credit union puts in place to monitor compliance, on an ongoing basis, with its obligations including requirements under all legal and regulatory requirements;

‘risk management system’, in relation to a credit union, means the sum of those components that provide the basis (including organisational arrangements) for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the credit union;

‘systems and controls’, in relation to a credit union, means a set of arrangements designed to provide reasonable assurance regarding the achievement of objectives in relation to the effectiveness and efficiency of operations, reliability of financial reporting and compliance with all legal and regulatory requirements.

(2) A credit union shall develop, implement, document and maintain a risk management system with such governance arrangements and systems and controls to allow it to identify, assess, measure, monitor, report and manage the risks which it is, or might reasonably be, exposed to.

(3) The risk management system—

(a) shall be clearly set out and documented, and

(b) shall clearly set out the related tasks and responsibilities within the credit union.

(4) A credit union shall develop, adopt, implement, monitor, document and maintain systems and controls to manage and mitigate the risks identified by the risk management system.

(5) A credit union shall develop, implement, document and maintain a compliance programme that allows it to evaluate compliance with its obligations under this section including compliance with all legal and regulatory requirements.

Risk management officer.

76C.— (1) The board of directors of a credit union shall appoint a person (in this Act referred to as a ‘risk management officer’) with the necessary authority and resources to manage the risk management function within the credit union.

(2) Except where subsection (3)(a) applies or where otherwise prescribed by the Bank under subsection (3)(b), nothing in this section shall be read as preventing the appointment of a person as risk management officer of a credit union who—

(a) holds another position as an officer in the credit union, or

(b) is the risk management officer for one or more than one other credit union.

(3) The risk management officer of a credit union shall not—

(a) be a director, a member of the board oversight committee or the auditor of the credit union, or

(b) hold such other position (whether within the credit union or otherwise) that the Bank may prescribe as being inappropriate to hold while being a risk management officer.

(4) The risk management officer of a credit union shall be responsible for identifying, assessing, reporting and monitoring all internal and external risks that could affect the credit union to which the risk management system referred to in section 76B relates, including risks to its employees, members, reputation and assets, and assisting the manager with managing and mitigating those risks.

(5) The board of directors of a credit union shall ensure that the risk management officer—

(a) has clearly documented reporting lines to the board,

(b) has access to the board,

(c) is independent in the exercise of his or her functions and, subject to paragraph (d), shall be free from influence, and

(d) is subject to internal oversight by the internal audit function.

(6) The board of directors of a credit union shall ensure that the role and functions of the risk management officer are documented in writing and include any role or function that may be prescribed by the Bank or be otherwise duly provided for by the Bank under any other enactment.

Compliance officer.

76D.— (1) The board of directors of a credit union shall appoint a person (in this Act referred to as a ‘compliance officer’) with the necessary authority and resources to manage the compliance programme, as provided for by section 76B, within the credit union.

(2) Except where subsection (3)(a) applies or where otherwise prescribed by the Bank under subsection (3)(b), nothing in this section shall be read as preventing the appointment of a person as compliance officer of a credit union who—

(a) holds another position as an officer in the credit union, or

(b) is the compliance officer for one or more than one other credit union.

(3) The compliance officer of a credit union shall not—

(a) be a director, a member of the board oversight committee or the auditor of the credit union, or

(b) hold such other position (whether within the credit union or otherwise) that the Bank may prescribe as being inappropriate to hold while being a compliance officer.

(4) The compliance officer of a credit union shall be responsible for managing compliance at all levels in the credit union including—

(a) ensuring that the credit union complies with all statutory and regulatory requirements, and

(b) monitoring such compliance to ensure that no conflict of interest arises.

(5) A credit union shall ensure that the compliance officer—

(a) has clearly documented reporting lines to the board,

(b) has access to the board,

(c) is independent in the exercise of his or her functions and, subject to paragraph (d), shall be free from influence, and

(d) is subject to internal oversight by the internal audit function.

(6) The board of directors of a credit union shall ensure that the role and functions of the compliance officer are documented in writing and include any role or function that may be prescribed by the Bank or be otherwise duly provided for by the Bank under any other enactment.

Operational risk.

76E.— (1) In this Act ‘operational risk’, in relation to a credit union, means the risk of loss (financial or otherwise) resulting from—

(a) inadequate or failed internal processes or systems of the credit union,

(b) any failure by persons connected with the credit union,

(c) legal risk (including exposure to fines, penalties or damages as well as associated legal costs), or

(d) external events,

but does not include reputational risk.

(2) A credit union shall identify the operational risks it is exposed to, or is likely to be exposed to, and provide for the management and mitigation of those risks in the credit union’s risk management system as provided for by section 76B.

Records management.

76F.— (1) Without prejudice to sections 108 and 109, a credit union shall ensure—

(a) that it makes, maintains and retains in books and documents proper and secure records of all matters that are required to enable the credit union, including the board of directors, board committees, nomination committee and officers and its board oversight committee and auditor to discharge their respective functions and as required by law,

(b) that those records are made in a timely, accurate and consistent manner so that—

(i) they contain the information necessary to enable persons discharging functions to which paragraph (a) relates to discharge their respective functions and that those records are sufficiently accurate and available with sufficient regularity and sufficient promptness for the purpose of so discharging, and

(ii) any information furnished or caused to be furnished by or on behalf of the credit union to the Bank is sufficiently accurate for the purposes for which it was so furnished and is available as and when required by the Bank,

and

(c) that those records are produced when duly called upon—

(i) by or under this Act, or

(ii) for the purposes of any other statutory obligation to produce them.

Information systems.

76G.— (1) In this section ‘information systems’, in relation to the business of a credit union, means all the technical and non-technical methods of establishing, implementing, documenting and maintaining data and information within the credit union in a coherent and informative way which is in, or capable of being reproduced in, a legible form.

(2) For the purpose of supporting the strategic plan and enabling the board of directors of a credit union and other persons involved in the management of the credit union to control, direct and manage its affairs, a credit union shall, taking account of the nature, scale and complexity and risk profile of its business but without prejudice to any other statutory obligation to the like effect as this section—

(a) develop, prepare, implement and maintain secure and reliable information systems, or

(b) where such systems already exist within the credit union, continue to implement and maintain such systems.

Management information.

76H.— Without prejudice to any other statutory obligation to the like effect as this section, a credit union shall ensure that its information systems (within the meaning of section 76G) produce management information and other reports that are accurate, reliable, consistent, and timely so as to enable the board of directors and management team to—

(a) direct, control and manage the credit union’s business efficiently and effectively,

(b) make informed strategic and operational decisions, and

(c) provide accurate information to the Bank on a timely basis, as and when required.

Business continuity plan.

76I.— (1) In this section—

‘business continuity’, in relation to the occurrence of one or more abnormal events which could cause a material interruption to the business of a credit union, means the continuation of its business during and after such an occurrence;

‘business continuity plan’, in relation to a credit union, means the contingency arrangements put in place to ensure that its essential functions can continue during and after the occurrence of one or more abnormal events which could cause a material interruption to the business of the credit union.

(2) A credit union shall put in place a business continuity plan—

(a) to ensure its business continuity if there occurs one or more abnormal events which could cause a material interruption to its business, and

(b) to enable it to continue to meet all requirements imposed on it under the Credit Union Acts 1997 to 2012 and other financial services legislation if any such interruption occurs,

and such plan shall include, where appropriate, comprehensive testing at regular intervals of recovery procedures by officers of the credit union and testing of backup facilities.

Outsourcing.

76J.— (1) Subject to the other provisions of this section, a credit union may by an agreement in writing entered into with any person (in this section referred to as a ‘service provider’) and upon such terms and conditions as may be specified in the agreement, provide for the performance by that person, subject to such terms and conditions (if any) as may be so specified, of such process, service or activity (in this section referred to as ‘outsourced activities’) of the credit union as may be so specified.

(2) The respective rights and obligations of the credit union and of the service provider shall be clearly allocated and set out in a written agreement.

(3) A credit union shall exercise due skill, care and diligence when entering into, managing or terminating any outsourced activities with a service provider.

(4) A credit union shall not enter into an agreement with a service provider for the performance of any of the functions exercisable by the board of directors of the credit union under section 55(1) but, subject to any matter that may be prescribed by the Bank, this shall not prevent the credit union from entering into an agreement under subsection (1) with a service provider for the provision of services in respect of any business activity (other than any such function) that is preliminary to or consequential upon the exercise by that board of the function concerned.

(5) The following conditions shall form part of every agreement to provide outsourced activities between a credit union and a service provider:

(a) the service provider has the ability, capacity and any authorisation required by law to perform those activities reliably and professionally;

(b) the service provider will carry out those activities effectively;

(c) the service provider shall properly supervise the carrying out of those activities, and adequately manage the risks associated with the outsourcing;

(d) appropriate action shall be taken by the credit union if it appears to it or to the Bank that the service provider may not be carrying out those activities effectively and in compliance with any applicable laws and regulatory requirements;

(e) the service provider shall disclose to the credit union any development that may have a material impact on its ability to carry out the outsourced activities effectively and in compliance with applicable laws and regulatory requirements;

(f) the credit union may terminate the arrangement for outsourcing, where necessary, without detriment to the continuity and quality of its provision of services to members;

(g) the service provider shall, when required, co-operate with the Bank in connection with the outsourced activities;

(h) the credit union, its auditors and the Bank shall have effective access to data related to the outsourced activities, as well as to the business premises of the service provider;

(i) the Bank shall have without notice the right of access to the business premises of the service provider for the purposes of paragraph (g);

(j) the service provider shall keep any confidential information relating to the credit union or its members in a safe and secure manner.

(6) For the purposes of every agreement to provide outsourced activities between a credit union and a service provider, the credit union shall—

(a) ensure that the service provider has no conflicts of interest in relation to the outsourced activity,

(b) retain the necessary expertise to supervise the outsourced activities effectively, manage the risks associated with the outsourcing and supervise those activities and manage those risks,

(c) establish methods for assessing the standard of performance of the service provider, and

(d) be capable of resuming direct control over any outsourced activity or ensure that alternative arrangements are in place to provide the outsourced activities without detriment to the proper operation and functioning of the credit union or the continuity and quality of its provision of services to members.

(7) Where—

(a) an agreement under this section has been entered into between a credit union and a service provider, and

(b) it is necessary having regard to the activities that have been outsourced,

then the credit union and the service provider shall both establish, implement and maintain a business continuity plan and the credit union shall ensure that such plan is integrated, as necessary, within the business continuity plan referred to in section 76I.

(8) An outsourced activity shall not impair—

(a) the orderliness of the conduct of the credit union’s business,

(b) the credit union’s ability to manage and monitor its business,

(c) the ability of the board of a credit union to undertake its functions,

(d) the ability of the credit union to comply with requirements imposed under financial services legislation,

(e) the supervision of the credit union by the Bank, and

(f) the quality of the credit union’s internal controls.

(9) Where a credit union has outsourced activities, the credit union remains legally responsible for compliance with requirements imposed under financial services legislation in respect of those activities.

(10) Nothing in this section shall be construed—

(a) as applying to any person in his or her capacity as an officer of the credit union, or

(b) as affecting any contract (whether oral or in writing) entered into between the credit union and any person for the performance by that person of any minor non-business activity where a defect or failure in its performance could not impair—

(i) the continuing compliance with the conditions and obligations of the credit union’s registration or its other obligations under the financial services legislation,

(ii) the credit union’s financial performance,

(iii) the soundness or continuity of the credit union’s financial performance, or

(iv) the soundness or continuity of the credit union’s business.

(11) (a) A credit union shall notify the Bank, in writing—

(i) when it is proposed to outsource to a service provider a material business activity, or

(ii) of any material development affecting the service provider and his or her ability to fulfil its obligations.

(b) In this subsection and subsection (12) ‘material business activity’ means an activity where a defect or failure inits performance would materially impair—

(i) the continuing compliance with the conditions and obligations of its registration or its other obligations under the financial services legislation,

(ii) its financial performance,

(iii) the soundness or continuity of its financial performance, or

(iv) the soundness or continuity of its business.

(12) (a) The Bank may prescribe the matters that a credit union shall have regard to when selecting a service provider.

(b) Without prejudice to the generality of paragraph (a), requirements for the purposes of that paragraph may include any of the following:

(i) the formalities to be involved in engaging a service provider for the purposes of a proposed outsourced activity including, for the purposes of subsections (1) and (2), the nature and content of written agreements to be entered into between the credit union and the service provider prior to commencement of the outsourcing activity;

(ii) the arrangements for notifying the Bank in writing when a material business activity is proposed to be outsourced;

(iii) the arrangements for notifying the Bank in writing of a material development affecting a service provider and what constitutes a material development.

(13) In prescribing matters for the purposes of this section, the Bank shall have regard to the need to ensure that the requirements imposed by the regulations made by it are effective and proportionate having regard to the nature, scale and complexity of credit unions, or the category or categories of credit unions, to which the regulations will apply.

Internal audit.

76K.— (1) The board of a credit union shall appoint a person (in this Act referred to as the ‘internal audit function’)—

(a) to provide for independent internal oversight, and

(b) to evaluate and improve the effectiveness,

of the credit union’s risk management, internal controls and governance processes.

(2) The internal audit function shall prepare, implement and maintain a document (in this Act referred to as the ‘internal audit charter’) which, subject to subsection (4), shall define—

(a) the activities of the internal audit function within the credit union, and

(b) the scope of those activities,

and, relevant to the performance of its audits, shall authorise the access by the internal audit function to records, personnel and physical properties of the credit union. The internal audit charter shall be reviewed and modified in accordance with section 55(8).

(3) There shall be prepared by the internal audit function and approved by the board of a credit union or, where an audit committee exists for the credit union, by the audit committee with the agreement of that board, a written plan (in this Act referred to as an ‘internal audit plan’) detailing the scope and objectives of audits, setting priorities as regards areas to be audited and determine the necessary resources required to implement the plan. The internal audit plan shall be reviewed and modified in accordance with section 55(8).

(4) The internal audit function shall be separate from other functions and activities of the credit union, and be capable of operating independently of management and without undue influence over its activities.

(5) The internal audit function shall report the results of its evaluations and recommendations to the audit committee, where one exists, or otherwise to the board of directors, on a regular basis, and at least quarterly.

(6) (a) The Bank may prescribe the form and content of the internal audit charter and internal audit plan, and related matters.

(b) Without prejudice to the generalityof paragraph (a), regulations may prescribe—

(i) the frequency and timing at which an examination of the records of the credit union is to be undertaken by the internal audit function, and

(ii) the nature of the records to be inspected for the purposes of subparagraph (i).

(7) The internal audit function shall have access, at all times, to the books and documents (including draft documents) of the credit union to enable it to carry out its functions under the Act.”.