INTERNAL AUDIT ACTIVITIES
The Audit Board, with the direct authorization granted to it by the Board, conducts independent and impartial assurance and advisory services by establishing a systematic, disciplined, and risk-based approach to improve and add value to the Bank’s operations. Its primary purpose is to establish and operate the internal audit system, which provides assurance to senior management regarding the effectiveness and adequacy of the governance, internal control, and risk management systems, and that the Bank’s activities are carried out in line with the Banking Law and other relevant legislation and the Bank’s strategies, policies, principles, and objectives.
In addition to the units under internal systems, it audits the activities of the Bank’s Head Office units, domestic and overseas branches, subsidiaries and affiliates, as well as external service providers, in terms of their compliance with the Banking Law, other laws and regulations, internal legislation, strategies, policies, principles and objectives. Audits are also conducted with a view to reviewing the effectiveness and sufficiency of practices for financial data accuracy and protection of resources, governance, internal control and risk management systems.
In addition, investigations are carried out regarding the personnel’s irregular and illegal transactions and the fraud and fraudulent transactions of third parties against the Bank.
Assurance work carried out by the Audit Board is conducted in two different ways: on-site audit and centralized control. On-site auditing activities are carried out in departments, branches, subsidiaries, affiliates, and the individuals and organizations from which support services are received, within the framework of the annual audit plan, which is prepared in line with the objectives and strategies of the Bank and with a focus on resource planning. Centralized control is carried out by applying information technology-supported remote auditing techniques to detect situations that may pose risks in branches and departments and to take measures quickly in line with previously established risk scenarios.
Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on probability, impact, and materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.
The accuracy of the data used in the Internal Capital Adequacy Assessment Process Report, the adequacy of the systems and processes, and whether or not the data, systems, and methods enable accurate information and analyses are audited within the framework of the procedures and principles determined by the Audit Board.
Compliance with the ISO 9001 Quality Management System, ISO 14001 Environmental Management System, ISO 27001 Information Security Management System, and ISO 22301 Business Continuity Management System is assessed in the branches and Head Office departments that are audited within the scope of the annual audit plan.
In the light of the audits, examinations, and investigations conducted by the Audit Board, proposals are made for the correction of any detected issues, for taking measures to prevent similar errors, for improving the processes, and for enhancing the internal control system, while the actions taken regarding these issues are monitored at certain intervals.
The corrective actions taken by the business units on the action dates are checked; if the corrective action is sufficient to eliminate the finding, the finding is closed; if it is not sufficient, the action date is followed. The projects entered by the business units to eliminate the issues determined by the audits are evaluated as to whether the project’s scope is sufficient to eliminate the finding. In case of deficiencies or errors, the relevant business unit is informed to ensure its correction.
The auditors provide training to the Bank’s staff on various issues that are needed and requested.
Within the framework of the principle of continuous professional development, in-Bank and non-Bank training that contributes to the professional and personal development of auditors is organized, and training is provided primarily to encourage the acquisition of international certificates.
The Audit Board was awarded the “Certification Awareness Award” for attaching importance to Internal Auditor Certification and the “Continuous Professional Development Awareness Award” for carrying out the work on creating the trained workforce needed by the internal audit profession and developing the profession at the “Awareness Award Ceremony” organized by the Turkish Institute of Internal Audit (TIDE) to raise awareness of internal audit for three consecutive years since 2019.
Auditors receive training courses before audits requiring expertise. This way, specialized and experienced teams of auditors are trained and the quality of the audit is raised.
As per the 2023 Internal Audit Program, the following audits were conducted: the audit of 268 Branches, 38 Affiliated Branches, 4 Overseas Branches, and 30 Regional Directorates; the audit of 10 Head Office Business Units, 2 Internal Systems Units, and Departments under these Units; the audit of 9 Subsidiaries (one overseas); the audit of 24 Information Systems Processes (pursuant to relevant provisions of the Regulation on Bank’s Information Systems and Electronic Banking Services); the audit of 3 Head Office information systems units; the audit of information systems at 2 Subsidiaries (one overseas); the audit of information systems at 20 service providers of outsourced services; the audit of all Banking Processes; the audit of Internal Capital Adequacy Assessment Process (ICAAP); Compliance Controls for Penetration Test Action Plan; BADES Action Plan Compliance Controls; Information Systems and Banking Processes Audit; Action Plan Compliance Controls; Management Statement Efforts (Information Systems Audit, Banking Processes Audit, Annual Assessment of Service Providers for Outsourced Services); Risk Center Audit; Information and Communication Security Guide Audit; SWIFT Audit; Audits to be Conducted under the Regulation on Determining the Service Level and Quality of Banks’ Call Centers; Electronic Banking Services Audit; Audit of TFRS-9 Processes; Audit of the Processes linked with Personal Data Protection Law (General); Audit of Retrospective Vouchers; Audit of the Accuracy of Reports Presented to BRSA; Audit of the Premium Payments Made to SDIF; Audit of New Products-Apps and Services; Compliance Audit for the Bank and its Financial Subsidiaries (Compliance Program Audit); Prevention Plan Studies Audit; Remote Authentication Compliance Audit; Valuation Service Compliance Audit; Precious Metals Responsible Supply Chain Audit; Risk Group of the Bank Audit; Physical Archive Center Audit; Guidelines on Precautionary Plans to be Prepared by Banks Audit; Decentralized Cash Management (MONY) Audit; and the Audit of Compliance with ISO 14001 Environmental, ISO 27001 Information Security and ISO 22301 Business Continuity Management System.
INTERNAL CONTROL ACTIVITIES
The Internal Control function is structured to ensure establishment and coordination of a healthy internal control environment; protection of the Bank’s assets; effective and efficient performance of the activities in conformity with the Banking Law and relevant legislation, internal policies and rules as well as banking practices, reliability and integrity of the accounting and financial reporting system; and timely accessibility of information. Accordingly, the Bank’s domestic and foreign branches, head office departments, and consolidated partnerships are subject to the control plan based on a risk-centered approach.
According to risk conditions, domestic branch controls, carried out by the Internal Control Department, are conducted on-site or from the Head Office within the control programs’ framework every year. In 2023, internal control activities were carried out in all domestic branches, 4 foreign branches and 1 foreign subsidiary, 36 Head Office units, and 5 subsidiaries subject to consolidation.
As part of the Information Systems Internal Control Plan for 2023, the Internal Control Department carried out internal control activities regarding information systems at four units involved in information systems, four foreign branches, and one foreign subsidiary. Periodic controls were also conducted at 33 control points for continuous controls regarding risky activities carried out by information systems units.
The Internal Control function controls the distribution of roles and responsibilities and the functional classification of tasks to identify, measure, and prevent the Bank’s risks; sets up auto-control mechanisms in all processes, procedures, and projects to be deployed in a manner that shall cover potential risks; and establishes and enhances system controls. Activities are carried out to increase the effectiveness of control activities and minimize operational risks. In conformity with the objectives and strategies of the Bank, changing needs, risks, regulations, and technological developments are followed. Necessary adjustments and updates are made to ensure the effectiveness and functioning of the internal control system. Activities continue with the aim of enhancing the internal control culture in the Bank.
Findings and recommendations under all these control activities are reported and shared with the relevant departments, and the actions taken are monitored. Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.
COMPLIANCE DEPARTMENT’S ACTIVITIES
The Compliance and Regulation Department carries out activities to fulfill the responsibilities stipulated in the Financial Crimes Investigation Board (MASAK) legislation within the scope of the Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Proliferation of Weapons of Mass Destruction, and to comply with international principles and rules on the same. In this context, pursuant to the “Regulation on Compliance with Obligations Related to the Prevention of Laundering Proceeds of Crime and Financing of Terrorism,” the necessary policies and procedures are established for the identification, classification based on risk categories, and monitoring of customers, and notification of suspicious customer transactions to ensure that the Bank fulfills its obligations. It is checked whether the policies and procedures in question have been implemented, and opinions/approvals are given for the transactions of risky sectors and countries. Necessary investigations and evaluations are carried out within the framework of a risk-based approach regarding transactions in the Bank that may be suspicious, whether transmitted through channels such as branches or detected within the scope of monitoring and control activities, and the transactions that are deemed to be suspicious are reported to the Financial Crimes Investigation Board (MASAK). For the purpose of sound monitoring of international sanctions by the Bank, the Sanctioned List, which compiles the sanction decisions of international institutions and organizations such as the United Nations, the European Union, OFAC, etc., is used for queries and controls. Compliance-related duties and activities are performed in coordination to prevent the laundering of the proceeds of crime and financing of terrorism at domestic and foreign branches of the Bank.
The follow-up of the compliance risks that may arise from the foreign regulations and the control of compliance with these regulations of the foreign branches that are subject to the compliance program established by the Bank in accordance with the legislation of the country in which they operate are carried out by a staff member in respect of each branch. The activities mentioned earlier are carried out in coordination with business units. In-class and online training courses are regularly provided to the Bank’s employees to constantly raise awareness and strengthen the culture of preventing the laundering of proceeds of crime and financing of terrorism.
Within the scope of the Financial Crimes Investigation Board (MASAK) regulations, financial institutions operating under a parent institution have been gathered under the umbrella of the Parent Financial Institution, with the entire structure being re-defined as a “Financial Group.” Obligations of all institutions under the financial group continue separately, while an additional set of group obligations has been introduced for “Financial Groups.” In this context, Türkiye Vakıflar Bankası T.A.O. Financial Group includes our Bank as the main financial institution and Vakıf Yatırım Menkul Değerler A.Ş., Vakıf Faktoring A.Ş., Vakıf Finansal Kiralama A.Ş. as other financial institutions; Vakıf Elektronik Para ve Ödeme Hizmetleri A.Ş., which obtained an operating license in 2023, joined the Financial Group. Oversight and coordination for the fulfillment of the obligations by the Financial Group rest with the Compliance Department of our Bank, which is the parent financial institution. In this respect, a Financial Group Compliance Policy has been released. Our Bank’s Compliance Officer has also been appointed as the Financial Group’s Compliance Officer, and the Bank’s Deputy Compliance Officer has been appointed as the Financial Group’s Deputy Compliance Officer. To act in line with joint, group-wide compliance standards in compliance efforts across the group, the Bank’s Compliance Department carries out joint activities with the Compliance Units of the other four financial institutions. In addition, necessary guidance and instructions are provided and financial group compliance obligations are checked.
LEGISLATION MONITORING AND EVALUATION ACTIVITIES
The Compliance and Regulation Department carries out activities to effectively and efficiently monitor relevant legislation on banking activities and manages the compliance process.
Recent developments in legislation and banking practices related to banking activities are monitored; the impacts of legislative changes on banking activities are interpreted. Within this scope, the measures to be taken by the Bank and the affiliates of the Bank about the services provided by the Bank and the changes to be made in the Bank’s internal legislation and practices are identified, written information is provided to the relevant departments, and the departments are requested to take the necessary measures, which are then followed up. Furthermore, relevant departments are informed of draft banking regulations, and thus necessary procedures are initiated before they enter into force.
Tasks for regulatory compliance controls are carried out within the scope of the “Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process.” In this respect, efforts toward alignment with regulatory changes are coordinated. Measures are taken by the relevant department for such changes to be reflected in the Bank’s internal procedures and practices. Changes in practices and revised procedures are also monitored and checked in terms of compliance with regulations. This way, revisions and changes deemed necessary are also made. Necessary measures are taken for timely and full compliance with regulations. In addition, controls are run for the compliance of new products and services with these regulations, while coordinated efforts are undertaken to keep internal procedures and instructions up to date.
Notification and coordination processes are run to ensure the Bank participates in the meetings held by the Banks Association of Türkiye. The Bank also joins, together with relevant functions, the Working Groups formed as part of regulatory compliance activities. Participation is ensured in the meetings of Working Groups. When the Association requests the Bank’s opinion on a specific subject, ideas are gathered from relevant business units and are evaluated to express a statement on behalf of the Bank. Information on the activities carried out before the Association, regulatory arrangements communicated by the Association, and instructions and information received from the Agency (BRSA) are all disseminated to relevant business units, and actions taken are monitored.
There are agreements in place on exchanging information between the Republic of Türkiye and the United States of America and with OECD countries to enhance international tax compliance. Legislation regarding these agreements is monitored. Relevant business units are assigned to ensure compliance with such legislation. The efforts undertaken by business units are monitored. Measures include those in compliance with the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS).
Each year, together with the submission of the Internal Capital Adequacy Assessment Process (İSEDES) reports to the BRSA, detailed justifications must be presented regarding compliance with all the principles contained in the Good Practice Manuals and regarding the principles that are partially implemented or not fully implemented. Within the scope of this obligation, the practices and policy documents of the Bank, which is designated as a “Systemically Important Bank,” are monitored and controlled to ensure that they are in full compliance with all the principles specified in the Good Practice Manuals. The relevant business units are coordinated to make changes and corrections when necessary.
In addition, our employees assigned to foreign branches, who are in charge of the matters mentioned earlier and of compliance reporting, monitor the compliance of those branches with the legislation of their respective countries.
In line with the activities of the Department, it is aimed to support the Bank’s compliance with the applicable laws and other relevant regulations, the Bank’s internal policies and procedures, organizational management and ethical standards, and to protect the Bank’s reputation and integrity through compliance with all legal regulations.
To ensure the Bank’s full compliance with sustainability-related regulations, to prevent environmental problems such as climate change and uncontrolled waste, the legislative regulations published by the Ministry of Environment, Urbanization, and Climate Change and other relevant institutions and organizations are closely monitored, the relevant departments are informed about the issue, and contribution is made to the 2030 Sustainable Development Goals of the United Nations.
SUMMARY INFORMATION ON IMPORTANT LEGISLATIVE REGULATIONS PUBLISHED IN 2023
An arrangement has been made to pay foreign currency conversion support to companies that sell their foreign currency to the Central Bank and commit not to purchase foreign currency, and the additional rates of return paid by the Central Bank to the accounts of citizens residing abroad opened within the scope of the Deposit and Participation System (YUVAM) have been increased.
With the amendment made by the CBRT to the Communique on the Incorporation of Physical Assets Denominated in Gold into the Financial System, the additional return rates paid to the accounts opened within this scope were increased.
The withholding tax rate applied to foreign currency deposit accounts was increased, and the effective date of the reduced withholding tax rates applied to TL-denominated deposits was extended to 30.04.2024.
With the amendment to the Corporate Tax Law No. 5520, the corporate tax exemption applied to foreign exchange difference/interest income from foreign currency conversion accounts has been extended to 30.06.2024.
On 06.02.2023, in order to eliminate the conditions that adversely affected the general life after the earthquakes, the epicenter of which was Kahramanmaraş province, it was regulated by Presidential Decree No. 124 that the donations and aids to be granted to the Disaster and Emergency Management Presidency by banks and institutions subject to consolidated audit during the state of emergency shall not be covered by the restrictions in Law No. 5411. In line with this decision, the BRSA amended the Regulation on Donations and Aids to be granted by Banks and Institutions Subject to Consolidated Audit and exempted donations to the Red Crescent and AFAD from the donation limits.
In order to eliminate the conditions that negatively affect the general life after the earthquakes, the BRSA has decided;
The BAT recommended that banks defer the debts of customers experiencing adverse impacts in the earthquake region upon their request.
In order to eliminate the conditions that adversely affected general life in the aftermath of the earthquakes, the CBRT extended the maturities of rediscount credits and advance credits with investment commitments of firms in the earthquake region, and also extended the deadlines for closing export and foreign currency-earning service commitments.
Within the scope of the amendments done by the CBRT to the Communique on Securities Establishment;
Within the scope of the amendments performed by the CBRT to the Communique on Reserve Requirements, reserve requirement ratios for Turkish lira deposits were set at 0 percent for accounts with maturities longer than three months, reserve requirement ratios for accounts that are provided with exchange rate/price hedging support by the Central Bank were also introduced, and reserve requirement ratios for foreign currency deposits were increased.
In order to comply with BASEL regulations, the BRSA made various amendments to the “Regulation on Banks’ Credit Transactions” and published the “Regulation on Determination of Risk Groups and Credit Limits” to set out the principles and procedures for determining risk groups and calculating credit limits on a consolidated and unconsolidated basis.
The Presidency has announced a low-interest housing finance program aimed at providing finance to first-time home buyers. The program was designed to support the purchase of newly constructed homes that have not been previously sold.
The BRSA differentiated the loan rates offered by banks for houses eligible for housing finance, based on factors including whether the house is newly built or second-hand, its appraised value, and energy efficiency rating. The BRSA also introduced a limitation on the maximum loan amount that can be extended in cases where the borrower, his/her spouse, or children under the age of 18 own at least one house.
The BITT exemption applied to new housing loans to be extended to persons with registered residences and to insurance contracts concluded within this scope was abolished.
The BRSA has set the maximum loan amounts and maturities for domestically produced electric motor vehicles.
The Small and Medium Enterprises Regulation was updated and the criteria for the definition of SMEs were changed. In this context, the BRSA updated the definition of SMEs and the retail loan limit in the Regulation on Measurement and Assessment of Capital Adequacy of Banks.
The Regulation on the Calculation of the Net Stable Funding Ratio was published to set out the principles and procedures for ensuring stable funding in order to prevent the funding risk that banks may be exposed to in the long term from causing deterioration in their liquidity levels.
In line with the decisions taken for capital adequacy calculations, it was decided to apply a high risk weight to general purpose loans, personal credit cards, vehicle loans to be extended to consumers, and housing loans extended to those who own, or their spouse or children under the age of 18 own, at least one house.
An amendment to Tax Procedure Law No. 213 has been made to exempt banks and financial institutions from inflation accounting. In addition, the BRSA has decided not to subject the financial statements of banks, financial leasing, factoring, financing, savings financing, and asset management companies as of 31.12.2023 to the inflation adjustment required under TAS 29.
The CBRT revised the definition of the reference rate used in the calculation of credit card interest rates and merchant commission rates and decided to differentiate the maximum contractual interest rate and cash withdrawal maximum contractual interest rates.
Law No. 7440 on the Restructuring of Certain Receivables and Amendments to Certain Laws introduced additional corporate tax.
Law No. 7456 increased the corporate tax rate for banks and other financial institutions from 25 percent to 30 percent.
By Presidential Decree No. 7345, the BITT rate for retail loans was increased from 10% to 15%.
Arrangements have been made for legal entities and persons with disabilities to become customers through remote customer acquisition methods.
With the amendment to the Regulation on Measures to Prevent Laundering Proceeds of Crime and Financing of Terrorism, the amount of transactions for which identification should be done has been increased.
In accordance with the amendment to Banking Law No. 5411, the timeframe for financial restructuring, originally set to expire on 19.07.2023, has been extended for an additional 2 years, commencing from 28.12.2023.
The CBRT decided to end the opening of foreign exchange protected deposit accounts as of 31.12.2023.
With the decisions taken by the CBRT as part of the simplification process, the conditions for access to rediscount credits were eased, the requirement to sell additional export value for rediscount credit utilization was eliminated, and FX purchases for import payments were exempted from the commitment to refrain from purchasing FX during the rediscount credit maturity period. It was decided to increase the share of SMEs in rediscount credits and to take into account export growth performance in disbursements, and daily rediscount credit limits were increased.
With Presidential Decree No. 7550, Treasury-backed credit guarantee fund (KGF) guarantee limits were increased for SMEs and non-SMEs.
The Regulation setting out the procedures and principles applicable to real estate sales contracts issued by notaries was published.
The scope of foreign currency position reporting that firms are obliged to make to the Central Bank regarding their foreign currency assets and liabilities was changed and the Summary Foreign Currency Position Reporting practice was discontinued. In addition, the CBRT updated the criteria for firms reporting their foreign currency positions under the Systemic Risk Data Monitoring System, which has been in effect since 2018.
To support sustainable banking, the BRSA introduced the possibility for cardholders and merchants, who do not wish to receive their expenditure, cash payment, and receivable documents on paper, to receive these documents electronically.
The Istanbul Finance Center Regulation was published to determine the procedures and principles regarding the implementation of the Istanbul Finance Center Law, the management and operation of the office areas and out-of-scope areas of the Istanbul Finance Center, the participant certificate, and the operation of the one-stop bureau.
OTHER INFORMATION ON THE BANK AND ITS ACTIVITIES
GRI 2-15