opening page. I had to translate what I would call the cover letter in a different way
Greetings...

Based on Board of Directors Resolution No. (242) of 2025, we are attaching the supervisory controls under discussion. In this regard, we would like to inform you of the following:

First: Scope of Application

All commercial and Islamic banks, as well as branches of foreign banks operating in Iraq, are required to comply with the supervisory controls as specified therein.

Second: Organizational and Administrative Procedures

The report must be submitted electronically only. A letter, approved by the Board of Directors, confirming the information contained therein, will be sent in both hard copy and electronically.

The pilot testing period will begin on December 31, 2025, and the deadline for submitting the required report is April 30, 2026.

The first actual implementation will be based on data from December 31, 2029, and the deadline for submitting the required report is April 30, 2027. Consideration is required for the information listed in the Frequently Asked Questions (FAQ) section of Appendix (2) of the research guidelines.

For any further inquiries, please contact the Performance Analysis, Risk, and Corporate Governance Department via email at analysis@cbiraq.info.

Attachments //

Sincerely,

Control Guidelines for Internal Assessment of Capital Adequacy Standard (ICAAP)

6:50 PM

Supervisory Controls for Internal Assessment of Capital Adequacy Standard (ICAAP)

pg2

Central Bank of Iraq / Banking Supervision Department

- 2 -

Introduction:

These controls are part of the ongoing efforts of this bank to address supervisory issues in the banking sector in accordance with the Basel Committee's decisions on best international practices in banking supervision and oversight. These efforts aim to strengthen supervisory and oversight systems in this field, as well as to keep pace with developments in the banking industry.

The Internal Capital Adequacy Assessment Process (ICAAP) represents one of the fundamental pillars of the requirements outlined in Pillar Two of the Basel Committee's Banking Supervision and Oversight Framework. This framework aims to ensure that banks possess sufficient and appropriate capital to address the risks associated with their various operations and activities, in addition to ensuring the enhancement and improvement of corporate governance processes and business strategies. Therefore, this process includes a continuous review of the bank's capital needs and how these requirements are financed.

In managing the risks facing institutions,

a key factor

Therefore, the internal assessment process of the capital adequacy ratio plays a crucial role in

a comprehensive approach to managing the risks that the bank may face, in addition to

the bank itself, as it relies on a sound and effective assessment process to determine

the necessary governance mechanisms to mitigate risks, and to develop effective risk management strategies

in a comprehensive manner, in the supervisory review process implemented by

The internal assessment process of the capital adequacy ratio is a key factor in the management of the Central Bank of Iraq.

It is worth noting that banks are required to adhere to the following:

1. Banks are required to have effective, comprehensive, and continuous strategies and procedures for assessing and determining the internal capital required to cover the type and level of potential future risks.

2. These controls provide the minimum requirements for this bank regarding the practices that each bank must consider in order to conduct the internal capital adequacy assessment process in a comprehensive and effective manner, including responsibilities, processes, content, results, and their applications.

3. These controls do not provide specific methodologies, but rather a framework within which the bank can conduct research, analysis, and draw appropriate conclusions regarding risk profiles, and be fully responsible for the methodology and procedures that support the internal capital adequacy assessment process. 4. The assessment process aims to ensure the availability of capital that aligns with the overall risk framework, taking into account the effectiveness of risk management procedures, the adequacy of internal control systems, and the strength of the bank's strategic planning and business model. It should be noted in this regard that the internal assessment of capital adequacy, a fundamental management criterion, should be an integral part of the organizational process and not merely an independent procedure. Rather, it is a process that includes an evaluation of the policies and procedures of all activities.

pg 3

Table of Abbreviations and Terms

Abbreviation or Term Explanation

Bank: The Central Bank of Iraq.

Bank: Banks licensed by the Central Bank of Iraq.

Internal Capital Adequacy Assessment Process (ICAAP)

Internal Capital Adequacy Assessment

Risk Profile (Risk Framework)

Risk Appetite Statement

Scope of Application:

The Internal Capital Adequacy Assessment Process (ICAAP) ensures that the capital adequacy ratio is adequate at the levels relevant to the aggregate data level and to subsidiaries within the banking group.

These controls apply to all branches of foreign banks, taking into account the specific characteristics of each branch. When referring to these controls, this means the Regional Manager and/or the highest supervisory committee in the branch, provided that the Regional Manager reports to the bank's Board of Directors and is the Chairman of this committee.

Periodic Review:

This bank will review these controls periodically (every two years) or whenever necessary.

Documents and information submitted to this bank:

The self-assessment process for capital adequacy is based on the application of governance principles. Risk management and monitoring within the bank necessitate continuous monitoring and annual approval and review by the bank's board of directors.

Banks must adhere to the following, in addition to notifying this bank of any material changes that may occur during the year to the content of this report. The report must clearly explain how the internal capital adequacy assessment process is applied to all bank activities, the acceptable level of risk, and the amount of capital allocated to cover those risks.

Document Name: Internal Capital Adequacy Assessment (ICAAP)

Disclosure Period: April 30th of each year

Disclosure Conditions: Approved by the bank's board of directors in Iraq or the regional manager of the foreign branch and/or the parent bank.

pg 4

- 4 -

Section One: General Framework of Controls

The purpose of this guide is to achieve transparency by publishing the requirements of the internal capital adequacy assessment process.

The guide aims to assist the banking sector in enhancing self-assessment processes and encourages the use of best practices in the effectiveness of the internal capital adequacy assessment process, leading to faster and more sophisticated oversight. One of the most important objectives of this process is to identify the risks facing the bank and assess their impact on capital by determining capital needs to ensure risk coverage and achieve financial stability. The self-assessment process also helps the bank develop effective capital management strategies and achieve a balance between risks and returns. The implementation of internal capital adequacy assessment procedures appropriate to the bank's specific circumstances remains the bank's responsibility. The Central Bank of Iraq will evaluate the bank's internal capital adequacy assessment procedures. The basis for each individual case.

The purpose of the Internal Capital Adequacy Assessment Process (ICAAP) can be defined as follows:

1. The bank operates according to a sufficiently sophisticated risk management system that identifies, measures, and appropriately manages all material risks.

2. The bank possesses, according to internal regulations, a sufficient amount of capital to cover these exposures, as defined in the bank's structure, including:

a. The primary responsibility for developing and implementing the ICAAP rests with the bank.

b. The level and complexity of the ICAAP process are commensurate with the nature, size, and complexity of the bank.

c. The ICAAP process is a continuous and integrated process within the bank's internal operations.

d. It is an integral part of the bank's risk management framework. The Internal Capital Adequacy Assessment Process (ICAAP) is a forward-looking process that considers potential and planned changes in the risk profile and business strategies, as well as changes in the external environment, and integrates them into capital planning.

E. The ICAAP must be fully compliant.

F. The regulatory authority must be informed that the ICAAP must be maintained by the bank in a manner appropriate to its risk profile.

The ICAAP is comprehensive, and the target capital level and

pg 5

- 5 -

The internal capital adequacy assessment process must include at least the following components:

1. The role of the Board of Directors, the Risk Committee, and the Executive Management (Section Two).

2. Comprehensive risk identification and assessment (Section Three).

3. Risk measurement methodology (Section Four).

4. Capital adequacy assessment and capital planning (Section Five).

5. Stress testing (Section Six).

6. Data quality, monitoring, and reporting (Section Seven).

7. Independent review of the internal capital adequacy assessment process (Section Eight).

Section Two: The Role of the Board of Directors, the Risk Committee, and the Executive Management of the Bank

First: The Role of the Board of Directors

1. The primary responsibility for approving the general framework of the internal capital adequacy assessment process rests with the bank's Board of Directors.

However, in the case of branches of foreign banks operating in Iraq, it must be approved by the Regional Manager and/or the Board of Directors of the bank, depending on the specific circumstances of each bank.

2. The Board of Directors must be aware of the following: A complete understanding of the nature and level of risks the bank bears, and how these risks relate to capital adequacy levels.

3. The Board of Directors must fully understand the concept and framework of the internal capital adequacy assessment process, promote it, and disseminate its principles within the bank.

4. Responsibilities

The Board of Directors must assume any of the following responsibilities related to the internal capital adequacy assessment process:

a. Define and approve all key elements of the internal capital adequacy assessment process, particularly the risk acceptance statement and risk strategy, capital targets, and stress testing framework, ensuring all elements are integrated.

b. The Board of Directors is responsible for approving the internal capital adequacy assessment report and ensuring it is comprehensive and flexible, taking into account the bank's risk management framework.

c. Approve the governance framework for the internal capital adequacy assessment process, with a clear and transparent allocation of responsibilities, without overlapping tasks.

d. Increase awareness, understanding, and promote the principles of the internal capital adequacy assessment process.

pg 6

- 5 -

The internal capital adequacy assessment process must include at least the following components:

1. The role of the Board of Directors, the Risk Committee, and the Executive Management (Section Two).

2. Comprehensive risk identification and assessment (Section Three).

3. Risk measurement methodology (Section Four).

4. Capital adequacy assessment and capital planning (Section Five).

5. Stress testing (Section Six).

6. Data quality, monitoring, and reporting (Section Seven).

7. Independent review of the internal capital adequacy assessment process (Section Eight).

Section Two: The Role of the Board of Directors, the Risk Committee, and the Executive Management of the Bank

First: The Role of the Board of Directors

1. The primary responsibility for approving the general framework of the internal capital adequacy assessment process rests with the bank's Board of Directors.

2. The Board of Directors must be aware of the following: A complete understanding of the nature and level of risks borne by the bank, and how these risks relate to capital adequacy levels.

3. The Board of Directors must fully understand the concept and framework of the internal capital adequacy assessment process, promote it, and disseminate its principles within the bank.

4. Responsibilities

The Board of Directors must assume any of the following responsibilities related to the internal capital adequacy assessment process:

c. Approve the governance framework for the internal capital adequacy assessment process, with a clear and transparent allocation of responsibilities, without overlapping tasks.

d. Increase awareness, understanding, and promote the principles of the internal capital adequacy assessment process.

---------

- 6 -

Second: The Role of the Risk Committee emanating from the Board of Directors

1. Evaluating the periodic reports of the internal capital adequacy assessment process at least once a year, and submitting recommendations regarding appropriate actions.

2. Assessing the level and direction of tangible and intangible risks and their impact on capital levels.

3. Assessing future capital requirements in accordance with the bank's business plan, risk appetite statement, and the level of risk tolerable, in accordance with the bank's internal standards.

4. Establishing or developing internal control systems to ensure follow-up on implementation and compliance.

5. Communicating the internal capital adequacy assessment process within the bank.

Third: The Role of the Bank's Executive Management

1. Establishing and adopting appropriate policies, procedures, and methods for risk assessment, in addition to monitoring tools to ensure that operations are conducted within the approved risk appetite statement and risk strategy.

2. Defining the methodology for identifying, measuring, managing, and reporting material risks. 3. The Managing Director must ensure that all relevant information and data are shared with the Risk Management Department and executive departments to enable the identification and definition of all tangible and intangible risks to which the bank is exposed.

4. Assess the level and direction of tangible risks and their impact on capital.

5. Determine whether capital is sufficient to support risks exceeding capital requirements.

Establish and develop a regulatory risk management system (Pillar 1).

6. Assess future capital requirements based on the business plan, risk acceptance statement, and risk level.

7. Disseminate the internal capital adequacy assessment process within the bank, promote awareness, and foster understanding of it.

--------

- 7 -

Section Three: Identifying and Assessing the Risks Mentioned in Pillars One and Two

First: General Requirements for Risk Measurement Methodologies:

1. The bank must provide the bank with complete data. It must be able to ensure that the risk assessment process aligns with the requirements of the Central Bank of Iraq, and that all material aspects, indeed all group (of potential risks), including intervention risks, are included in the internal capital adequacy assessment process.

2. The bank is responsible for implementing risk measurement methodologies that are appropriate to its individual and economic circumstances and business model, and that reflect the size, nature, and complexity of the bank. A bank exposed to high and sensitive risks is expected to use more sophisticated and complex risk measurement methodologies. 3. The assessment process must be comprehensive, risk-based, forward-looking, and consider the bank's strategic plans and external changes. The criteria and underlying assumptions used in the models must be interconnected (encompassing all types of risks) and based on the principle of prudence.

4. The bank should not rely solely on quantitative methods to assess its risk exposure and internal capital adequacy, as these are not easily measurable. Qualitative methods are required for assessment and mitigation, for example, reputational and strategic risks.

5. The bank is expected to implement appropriate control mechanisms and processes to ensure the quality of the data used in the models.

6. The methodologies for measuring risk within the internal capital adequacy assessment process are expected to be subject to independent and periodic review by internal and/or external audit, as appropriate.

7. A distinction must be made between types of risk. The bank must clearly define the concept of inherent risks associated with its operations and activities, both in terms of their impact on Decreased profits or losses affecting capital, as well as non-essential risks related to the bank's activities and markets, can be clarified in the internal assessment of the adequacy of any capital adequacy ratio. This classification does not include all risks exclusively; each bank should consider them.

Other risks affecting the bank's operations

-------------

- 8 -

8. The internal capital adequacy assessment process is based on measuring the minimum capital requirements for the bank.

This assessment is a product of credit, market, and operational risks within the scope of Pillar 1, and all relevant risks of Pillar 2.

9. Additional capital may be required based on the results of stress tests and infrastructure expenditures.

Additional human resources and other resources may also be needed.

The internal capital adequacy assessment process requires banks to adopt a broader approach and perspective to assess other risks.

It also includes conditions that affect the bank's overall risk profile, which management must analyze and draw conclusions about their impact on the overall capital requirements.

Types of risks considered during the assessment:

Second:

-1 Pillar One Risks:

These include credit, market, and operational risks, the definition and methods of which are included in the instructions for the minimum capital adequacy requirements, as well as the risk management controls and International Financial Reporting Standard (IFRS) No. (9), in addition to other relevant controls and instructions.

A. Credit Risk:

The bank is required to identify and analyze the volume of performing and non-performing loans according to the criteria stipulated in IFRS No. (9), as well as the controls for assessing customer creditworthiness, in order to determine the size of the gap for calculating the provisions required against all credit facilities, in addition to studying the details of the size of the collateral taken against granting cash and non-cash credit facilities.

B. Market Risk:

All types of risks are studied, including foreign exchange transactions, investment in financial instruments, interest rates for the trading portfolio, and inventory holdings.

C. Risks Operations:

The bank is required to be able to assess the risks associated with the inadequacy or failure of internal processes, activities, systems, and personnel, as well as to compile information and data on various operational losses according to core processes.

-----------

- 9 -

-2 Pillar Two Risks:

This includes all types of material risks covered within the framework of other risks that must be considered in the internal assessment of capital adequacy.

It includes, for example, liquidity risk, concentration risk, interest rate risk of the bank's portfolio, strategic risks, reputational risks, capital risks, profitability risks, risks related to information technology and communications, including cybersecurity, climate risks, and any other risks related to external factors that may arise as a result of developments in the regulatory, economic, or business environment.

Regarding the methods for measuring Pillar 2 risks, which include risks not covered by Pillar 1, such as concentration risk, liquidity risk, and interest rate risk for the bank's portfolio, it is possible to refer to the measurement methods adopted by this bank and/or the working papers and documents issued by the Basel Committee on Banking Supervision, provided that the following are observed as a minimum:

1. Clarify the assumptions underlying the internal methods and the mechanism for applying those methods.

2. Explain the relationship between the use of internal methods and the decision-making process, and the extent to which they constitute a fundamental part of it.

3. Explain the reasons that led to the difference between the internal methods used by the bank and the methods issued by this bank.

4. Explain the reasons that led to the difference between the internal methods used by the bank and the methods issued by this bank. For example, but not limited to:

2. The bank must have a mechanism for assessing qualitative risks that are difficult to quantify, such as reputational risks. In this case, the bank must explain how it will mitigate these risks through qualitative methods, such as the internal controls implemented by the bank's management.

The management's judgment and experience play a significant role in this regard.

The bank may choose to maintain an appropriate capital surplus to cover these risks if it cannot control them through other measures.

3. Banks should consider a set of procedures for assessing risks, including ensuring that the process is comprehensive and timely. This involves identifying all material risks to which the bank is exposed or may be exposed, and assessing them, as well as considering the risks that the bank must bear, wishes to bear, and/or wishes to avoid in order to minimize their impact.

--------

- 10 -

Section Four: Allocating the Required Capital to Support the Bank's Capital Base

First: Strategic Planning and Capital Planning in the Internal Assessment Process of the Capital Adequacy Standard

The Board of Directors and the Executive Management must define clear long-term objectives and integrate capital formation as an element of the bank's strategic planning. They must also be prepared to deal with unforeseen events that may negatively affect the bank's capital adequacy. Therefore, the bank must have a process for assessing capital adequacy that is closely aligned with its capital policy and risk strategy. In this regard, the design of the ICAAP (Internal Capital Adequacy Assessment Process) must be consistent with the bank's needs.

The initial step in the bank's capital requirements and strategic plans should be identifying all the risks it faces that may be significant. The goal is to make a clear and well-informed decision on how to manage these risks. This includes an assessment that requires an approach to the points listed below as a minimum: - • The different markets in which the bank operates. • The products it offers.

• The organizational structure.

• Its financial position.

• Its experience with various past challenges and problems, and an assessment of what might happen to banks if risks materialize.

• Consideration of strategies, plans, and ideas related to entering new markets, sectors, or banking products.

• Review and analysis of data, in addition to qualitative assessments.

• Identifying the interrelationship between different types of risks, leading the bank to incorporate additional control measures within its capital requirements.

Complex operations involving multiple business branches may present difficulties in achieving a comprehensive understanding of the overall risk structure, as well as all the factors that influence it. With regard to more limited operations, the downside is that risks arise from over-reliance on a single product or a small number of products, perhaps on a limited number of customers, and possibly within a limited geographic area. For such operations, it may be

-------

- 11 -

The future outlook is a key element in the internal capital adequacy assessment process.

The bank determines the required capital level not only based on the current situation but also over the course of the bank's strategic plan, taking into account the study of harsh but probable scenarios. The internal capital adequacy assessment process should not be conducted solely as a regulatory requirement, as it can help the bank, if done correctly, to implement a range of risk management and monitoring tools and to plan for and address future risks.

For the first and second pillars, an assessment should be conducted.

Banks should also, when planning their capital requirements, consider all other risks included in the internal capital adequacy assessment process, taking into account both the quantitative and qualitative aspects of those risks, and the development of forecasts/estimates according to the plan. Banks should consider the strategic, capital gains, dividend distributions, potential capital increases through new share issuances, subordinated capital, and the capital required to meet anticipated business growth that could lead to changes in the overall risk framework within the first pillar, in addition to the potential emergence of new risks.

The first pillar requires an assessment of the overall risk framework.

The second pillar requires an assessment of the potential emergence of new risks.

The third pillar requires an assessment of the potential emergence of new risks.

The fourth pillar requires an assessment of the potential emergence of new risks.

The second pillar requires an assessment of the potential emergence of new risks.

The third pillar requires an assessment of the potential emergence of new risks.

The fourth pillar requires an assessment of the potential emergence of new risks.

The fifth ...

The fourth pillar requires an assessment of the potential emergence of new risks.

The fifth pillar requires an assessment of the potential emergence of new risks.

The fourth pillar requires an assessment of the potential emergence of new risks.

When planning their capital requirements, banks should also consider all other risks included in the internal Secondly, during the comprehensive risk assessment, the following are among the most important conditions to be considered:

1. Adequate Capital

The bank must possess a high quantity and quality of capital to support its financial position. That is, it must ensure that it has sufficient capital to cover risks exceeding regulatory capital requirements (Pillar 1).

2. Long-term financial and capital projections (minimum 3 years) must be assessed from two perspectives: (Pillar 1: The bank's ability to meet all regulatory and supervisory capital requirements; Pillar 2: The bank's ability to meet capital requirements exceeding regulatory requirements). Both perspectives must be based on the bank's business plan, and the Pillar 2 perspective must consider a more accurate and detailed measurement of the bank's risks, appropriate to its nature.

3. The bank is expected to identify, assess, and maintain internal capital from an internal perspective, i.e., within Framework

Internal Assessment Process for the ICAAP Capital Adequacy Standard and Not

----------

Central Bank of Iraq / Banking Supervision Department

- 13 -

6. The logic and validity of the scenarios used in stress tests must be subject to regular independent review.

7. The results of the stress tests conducted by the bank, along with a brief definition of the assumptions, must be part of the internal assessment process for the ICAAP capital adequacy standard submitted to that bank.

The bank must implement stress tests as an essential part of risk management and monitoring. Stress tests provide the bank with warnings about any unexpected negative outcomes arising from the various risks surrounding the bank, as well as providing an indication of the amount of additional capital required to absorb losses that may occur as a result of shocks the bank may face.

Stress tests play an important role in:

• Establishing a unified approach to risk management across the entire bank.

• Providing forward-looking risk assessments. • Reducing shortcomings in the models and historical data used.

• Facilitating future planning for both capital and liquidity levels.

• Developing risk mitigation methods and contingency plans to be implemented during various adverse conditions.

Section 6: Reporting and Disclosure of Information.

The bank must submit an Internal Capital Adequacy Assessment Process (ICAAP) report to this bank in the form of an annual report, as per the disclosure date specified in Appendix 1. The bank must adhere to the following minimum requirements:

1. Ensure the quality of data and information presented in all instruments and methods used within the monitoring and reporting framework.

The data used in the ICAAP must be comprehensive, timely, and subject to continuous review.

2. Comply with the minimum requirements stipulated in the Risk Management Controls and the Capital Adequacy Standard.

-------

- 14 -

3. The Board of Directors, through the Risk Management Committee, must receive information and reports related to the internal assessment process of the ICAAP capital adequacy standard in order to analyze, evaluate, and take appropriate action regarding the information detailed below:

a. Levels and trends of major risks and their impact on capital adequacy in both normal (business as usual) and stress scenarios.

b. The validity of the assumptions used to assess the impact of risks on capital adequacy, and the timeliness and accuracy of the information used in the ICAAP (Internal Capital Adequacy Assessment Process).

c. Capital adequacy through a comparison between current capital and additions to support the overall risk profile (Pillar 2) under normal and stress conditions.

d. Adjusting the business plan and risk acceptance statement to align with current funding adequacy and the required level of future capital adequacy (see Usage Test).

4. Submitting all relevant documentation and any additional documents requested by this bank.

Section VII: Independent Review of the ICAAP (Internal Capital Adequacy Assessment Process).

1. The ICAAP framework must be subject to regular independent review by individuals or departments not responsible for the design and implementation of the ICAAP.

2. The audit team or relevant personnel must possess the necessary intellectual and technical capabilities to conduct this audit.

3. The frequency of the audit depends on the nature, size, and complexity of the bank, but it should be conducted at least once a year, or in the event of any significant change in the bank's risk profile, strategy, business plan, operating environment, or any other factors that warrant an independent audit (after the implementation of these changes).

4. The audit should cover the following: a) The suitability of the risk identification process. b) The accuracy, integrity, and completeness of the data inputs.

c) The adequacy of the risk measurement methodologies.

d) The logic, adequacy, and suitability of the stress tests, their assumptions, inputs, and results.

5. The results of the independent audit should be submitted to the Board of Directors.

------

Central Bank of Iraq / Banking Supervision Department

- 15 -

Section Eight: Internal Capital Adequacy Assessment Process Report Submitted to the Central Bank of Iraq

1. Banks must submit their annual Internal Capital Adequacy Assessment Process (ICAAP) report to the Central Bank of Iraq by April of each year, according to the report template specified in the Appendix (General Structure of the ICAAP Report and Key Indicators Report).

2. All relevant documents or attachments must be included with all sections outlined in the Appendix. The Central Bank of Iraq reserves the right to request additional specific documents as needed.

Section Nine: Supervisory Review of the Internal Capital Adequacy Assessment Process

1. The Central Bank of Iraq is responsible for conducting a supervisory review and a comprehensive evaluation of the ICAAP framework and its implementation within the bank. The ICAAP review is an essential and integral part of the Supervisory Review Process. SRP (Comprehensive Supervisory Review)

2. The Central Bank of Iraq applies the principle of proportionality when evaluating the internal assessment process for the capital adequacy ratio in smaller and less complex banks. However, these banks are not exempt from conducting a comprehensive risk assessment or from supervisory reporting requirements. Conversely, the Central Bank expects larger banks and/or those with complex risk profiles to adopt more sophisticated risk management frameworks. 3. If the Central Bank of Iraq deems that the overall risk or a specific type of risk in a bank is excessive and/or inadequately managed, or not covered by sufficient internal capital, or if it observes significant deficiencies in risk management or governance within the internal capital adequacy assessment process and the internal capital adequacy assessment report, it may require the bank to take one or more of the following actions (or a combination thereof): a. Reassess the system's risk appetite statement limits.

b. Address the current situation/reduce the level of excessive risk within a specified timeframe.

c. Increase additional capital/maintain additional equity.

d. Impose restrictions on the internal standards used by the bank.

e. Improve/amend the bank's adopted risk management framework.

f. Restrict board member bonuses or require the replacement of executive officers.

g. Impose restrictions on the dividend policy.

4. Banks must The Central Bank of Iraq must be notified without delay of the implementation of corrective measures or plans for their implementation. If implementation takes longer, banks must submit periodic reports – for example, every three months – detailing the progress made in implementing the approved measures.

5. If the deficiency cannot be addressed or the risks mitigated, the Central Bank of Iraq will take further measures as necessary.

------

- 16 -

Appendix No. (1) General Structure of the Internal Capital Adequacy Assessment Report

1. Executive Summary

This summary should provide an overview of the methodology and results of the Internal Capital Adequacy Assessment Process (ICAAP), such as:

a) Confirmation that the bank has assessed its capital (on a consolidated or individual basis) as adequate considering the size and complexity of its business.

b) A brief description of the bank's structure, its financially active subsidiaries, and their business activities, and a definition of the scope of business for which the ICAAP assessment is conducted.

c) Commentary on the most significant risks facing the bank, why the level of risk is considered acceptable or not, and what mitigation measures are planned.

d) A summary of the key findings of the ICAAP analysis, including: - The level and structure of internal capital, capital adequacy, and the allocation of capital by type of risk.

Pillar 1 (Including)

(From the perspective of Pillar 2), and comparing it to regulatory capital requirements accordingly

Under stress (-) (Key Indicators Report - Appendix 2).

- Whether the bank has sufficient capital resources to cover its three-year planning horizon, whether from the perspective of Pillar 1 or Pillar 2, under normal and stressful conditions.

- Summary of the target capital indicators approved by the Board of Directors, which should include:

• Common Equity Tier 1 (CET) ratio,

• Tier 1 capital ratio,

• Total capital ratio,

• Leverage ratio. c) Self-assessment of the adequacy of the bank's risk management processes.

h) Evaluation of the bank's corporate governance system.

i) Summary of the bank's current and future financial position, its business plans and strategy, balance sheet growth structure, and expected profits, including, at a minimum:

- The bank's strategic business plan for the current year and future projections for the next three years.

------------

Central Bank of Iraq / Banking Supervision Department

- 17 - Review the effectiveness of the main revenue-generating business lines, broken down by main products, services, other activities, geographic areas, and market position.

(h) Describe the governance framework for the ICAAP (Internal Capital Adequacy Assessment Process), covering stakeholders, the assessment process, the review process, and the validation process.

(i) Describe significant changes and events related to the ICAAP process, the results of the ICAAP process, and plans to enhance/improve the ICAAP process in the future.

2. Background

This section will cover relevant regulatory and historical financial data for the bank, e.g., the group's (legal and operating) structure, operating profit, pre-tax profit, after-tax profit, dividends, shareholders' equity, capital held against regulatory requirements, customer deposits, deposits with other banks, total assets, and any conclusions that can be drawn from trends in the data that may have implications for the bank's future.

3. Key Risks, Risk Acceptance Statement, and Acceptable Risk Limits

a. Describe the process for identifying The bank's risks.

b. A description of the key risks that should be part of the internal assessment process for the ICAAP capital adequacy standard.

c. Information on how the bank assesses risks, specifying whether it uses both quantitative and qualitative methods, along with a brief description of the methodology used to assess each type of risk.

d. An overview of the bank's risk appetite statement, ensuring its alignment with the business plan.

e. Information on how often the risk appetite statement is reviewed by the board of directors (including in cases of severe market changes).

f. An overview of the acceptable risk limits that are consistent with the risk appetite statement.

---------

Central Bank of Iraq / Banking Supervision Department

- 18 -

4. Capital Planning (Current and Future Position)

A. The bank's current capital position compared to the minimum capital requirements, covering the ratios of:

A. Common Tier 1 (CET) and Additional Tier 1 (AT) capital, based on the most recent annual data approved by the bank.

Tier 2 (Tier 2) capital, according to the bank's projected financial plan.

B. A future analysis of the bank's financial position in terms of capital over the next three to five years, taking into account current and expected economic conditions (normal operations), with projections related to profit distribution, from both Pillar 1 and Pillar 2 perspectives.

C. A description of the bank's capital planning and management process, highlighting how the internal assessment process for the ICAAP capital adequacy standard is integrated into this process.

D. Summary For the target capital metrics approved by the Board of Directors (these ratios must include the Common Equity Tier 1 (CET) ratio, Tier 1 capital ratio, total capital ratio, and leverage ratio).

5. Stress Testing and Scenario Analysis

a. A brief description of how the bank's stress testing program (including sensitivity analysis) is used to support the assessment and management of capital adequacy.

b. Information on the quantitative results of the stress tests and scenario analyses conducted by the bank, confidence levels, and key assumptions adopted.

c. Information on the set of adverse scenarios applied, how they were calculated, and the resulting capital requirements.

d. An explanation of the scenarios developed and applied (assumptions and criteria).

e. The impact of these scenarios on the bank's current and future performance (3-year projections), capital (e.g., dividend policy), capital adequacy, and risk management system.

6. Testing and Approval of the Internal Assessment Process for the Capital Adequacy Standard (ICAAP)

This section includes the testing and control processes applied to the models and calculations of the Internal Capital Adequacy Assessment (ICAAP) process. It must include the following: a) A review of the ICAAP report, which must include, at a minimum:

• Review of internal controls

• Suitability of the bank's capital assessment process in light of the nature, scope, and complexity of its activities

• Identification of significant exposures and risk concentrations

• Accuracy and completeness of the data inputs in the bank's assessment process.

-------

Central Bank of Iraq / Banking Supervision Department

- 19 -

• Reasonableness and validity of the scenarios used in the evaluation process.

• Stress testing and analysis of assumptions and inputs.

B. Board of Directors approval of the final Internal Capital Adequacy Assessment Report.

C. Attach copies of any relevant reports submitted to the Risk Management Department, the Risk Management Committee, or the Board of Directors of the bank pertaining to the Internal Capital Adequacy Assessment document.

7. Integrating the Internal Capital Adequacy Assessment into Risk Management

A. A summary of how the bank utilizes the Internal Capital Adequacy Assessment and how it is integrated into the decision-making process at various management levels.

B. An explanation of how the results of the Internal Capital Adequacy Assessment are integrated into the process of identifying and monitoring risk limits, thereby enhancing the bank's ability to make decisions based on an accurate assessment of capital and risk.

C. A description of the mechanism for reporting the results of the Internal Capital Adequacy Assessment to the Board of Directors and how these results are circulated within the bank, including the involvement of stakeholders from different departments, and ensuring their integration into the corporate risk management culture.

8. Using the Internal Capital Adequacy Assessment Money (Internal Bank)

This section should explain the extent to which capital management is integrated into the bank's operational and strategic planning, and how the ICAAP findings and recommendations are used in the bank's strategy, operations, and capital planning. Key elements of the ICAAP report, including growth and profitability targets, scenario analysis, and stress tests, can be used in the process of developing business plans, management policy, dividend policy, and pricing decisions.

-------

skipped pg 20 it was an empty table

------

Central Bank of Iraq / Banking Supervision Department

- 21 -

Frequently Asked Questions (FAQs) (Appendix 3):

This list aims to answer frequently asked questions that come to mind for individuals working in banks regarding the Internal Capital Adequacy Assessment (ICAAP):

1. Question: What is the role of the bank's internal and external auditors, executive departments, and board committees in reviewing the methodologies and framework adopted in preparing the internal assessment of the capital adequacy standard?

Answer: The role of the internal auditor: Requires reviewing the methodologies and framework for implementing the internal assessment of the capital adequacy standard, and the results after their preparation by the Risk Management Department and other executive departments, before proceeding with their presentation to the Risk Management Committee and the Board of Directors. The internal audit department can also manage the audit team, which includes, but is not limited to, the Compliance Department and other functions that do not interfere with the assessment process.

The role of the external auditor: The bank can obtain the external auditor's opinion before Sending the evaluation results to the Central Bank of Iraq.

Executive Departments of the Bank: All executive departments within the bank submit the outputs of their operations to the Risk Management Department and the executive departments that participate in the preparation and conduct of the comprehensive evaluation of the bank's operations and activities.

Board of Directors Committees: The Risk Management Committee is required to consider the parameters mentioned in Section (2/Paragraph 2) and may contact the Audit Committee to discuss any information or data related to the preparation of the internal assessment of the capital adequacy standard.

2. Question: What is the mechanism adopted to strengthen the additional buffers for the bank's capital base?

Answer: In addition to strengthening the procedures, consideration must be given to the parameters mentioned in Section (4/Paragraph 2) and the qualitative indicators that contribute to reducing the risks to which the bank's capital base is exposed.

------------

- 22 -

Question

Regarding the evaluation results:

Does updating and revising the bank's strategic plan require reliance on the bank's internal capital adequacy ratio?

Answer

Yes, the evaluation results are taken into consideration in the process of preparing and defining the objectives and initiatives included in the bank's strategic plan. The updating process includes the corrections planned for implementation during the current plan and/or ensuring they are considered in the subsequent strategic plan.

Question

What are the key determinants in preparing the report related to the internal evaluation of the capital adequacy ratio?

Answer:

This requires consideration of the information included in Appendices (1) and (2), which are based primarily on the information contained in the internal audit controls.

5. Question:

Can an external party be engaged to conduct the audit, or is the process carried out internally only?

Answer:

Conducting the audit internally requires engaging an external auditor to provide technical advice and consultation on the methodologies and evaluation mechanisms adopted within the bank.

6. Question:

What documents and papers must be attached to the internal audit report for the capital adequacy standard?

Answer:

All documents and papers relied upon by the Risk Management Department and other executive departments that participated in the assessment of the risks of Pillar 1 and Pillar 2 must be attached, in accordance with the controls and instructions issued by this bank and/or the working papers and documents issued by the Basel Committee on Banking Supervision. The information included must be clarified according to the specified guidelines. Included in the regulations

-----------

Central Bank of Iraq / Banking Supervision Department

- 23 -

Question

What are the key determinants for identifying business model risks and linking them to the inputs and results of the internal capital adequacy assessment report?

Answer

The business model is linked to a number of fundamental determinants of a bank's operations, including, but not limited to, the bank's strategy, activities and processes, financial statements, profit and loss statement, and actual and targeted acceptable and tolerable risk levels. Therefore, any conflict or incompatibility between the above determinants will expose the bank to risks in its adopted business model.

Question

What is the procedure for newly established banks, banks placed under the guardianship of the Central Bank of Iraq, banks with supervisory committees, or banks that have opted for a merger, regarding the preparation of an internal assessment of the capital adequacy ratio?

Answer

Newly established banks: Requires preparing the internal assessment based on the information and data available to them.

Banks under the guardianship of this bank: Are exempt from preparing the internal assessment until the guardianship is lifted.

Banks with a supervisory committee: Require the preparation of the bank's internal assessment.

Banks that have opted for a merger Merger: This requires preparing internal evaluations for each bank separately, pending the completion of the merger process.

9. Question: Can the required disclosure date for branches of foreign banks that rely on the parent bank's report be amended after obtaining approval from the Central Bank of Iraq?

Answer: No, the approved disclosure date cannot be amended, as this process affects the audit and supervisory operations carried out by this bank.

-----------

Central Bank of Iraq / Banking Supervision Department

- 24 -

Question: What is the next step if the Central Bank's assessment is lower than the internal assessment?

What is the bank's procedure? Answer:

The procedure followed by this bank includes identifying the required areas for improvement and enhancement, based on the results of the assessment through qualitative and quantitative procedures, which include, but are not limited to, the risk management system, corporate governance, business models, and capital base.

11. Question:

What are the key determinants in the process of measuring reputational and climate risks within the ICAAP process, considering them as qualitative and intangible risks?

Answer:

For example, but not limited to, reviewing and examining the information available in the complaints system, legal claims, environmental and social risks, media and reports, and other determinants that the bank can consider when designing and preparing the examination models for analyzing and examining reputational and climate risks.

12. Question:

How are the required reverse stress tests carried out within the internal assessment process for the capital adequacy standard?

Answer:

Reverse stress tests are carried out within the internal assessment process for capital adequacy by identifying extreme scenarios that could lead to exceeding the specified regulatory minimum. By the Central Bank of Iraq or the bank itself, through the development of realistic scenarios illustrating the impact of severe credit or operational shocks, among others.

13. Question: Can the evaluation results be adopted and approved by the internal audit team in the event of exceptional working circumstances affecting the Board of Directors during a re-election and restructuring process?

Answer: Yes, the evaluation can be adopted by the internal audit team within the executive management, given the exceptional circumstances affecting the Board of Directors.

end

Want to Support My FX Buddies?