Assessment of the Internal Systems and Operations

INTERNAL AUDIT ACTIVITIES

The Audit Board, with the direct authorization granted to it by the Board, conducts independent and impartial assurance and advisory services by establishing a systematic, disciplined, and risk-based approach to improve and add value to the Bank’s operations. Its primary purpose is to establish and operate the internal audit system, which is to assure senior management of the effectiveness and adequacy of the governance, internal control, and risk management systems, and that the Bank’s activities are carried out in line with the Banking Law and other relevant legislation and the Bank’s strategies, policies, principles, and objectives.

The Audit Board reports to the Audit Committee. In this context, it fulfills its activities impartially and independently. The Audit Board is only responsible to the Board of Directors and the Audit Committee within the Bank. The Head of the Audit Board is authorized to communicate and interact directly with the Audit Committee, and it reports directly to the Audit Committee.

In addition to the units under internal systems, the Audit Board audits the activities of the Bank’s Head Office departments, domestic and overseas branches, subsidiaries and affiliates, as well as external service providers, in terms of their compliance with the Banking Law, other laws and regulations, internal legislation, strategies, policies, principles and objectives. Audits are also conducted with a view to reviewing the effectiveness and sufficiency of practices for financial data accuracy and protection of resources, governance, internal control and risk management systems.

In addition, the Audit Board carries out investigations regarding the personnel’s irregular and illegal transactions and the fraud and fraudulent transactions of third parties against the Bank.

Assurance work carried out by the Audit Board Presidency is conducted in two different ways: on-site inspection and centralized control. On-site auditing activities are carried out in departments, branches, subsidiaries, affiliates, and individuals and organizations from which support services are received, within the framework of the annual audit plan prepared in line with the objectives and strategies of the Bank and with a focus on resource planning. Centralized control is carried out by applying information technology-supported remote auditing techniques to detect situations that may pose risks in branches and departments and to take measures quickly in line with previously established risk scenarios.

Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on probability, impact, and materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.

The accuracy of the data used in the Internal Capital Adequacy Assessment Process Report, the adequacy of the systems and processes, and whether or not the data, systems, and methods enable accurate information and analyses are audited within the framework of the procedures and principles determined by the Audit Board.

Compliance with the ISO 9001 Quality Management System, ISO 14001 Environmental Management System, ISO 27001 Information Security Management System, and ISO 22301 Business Continuity Management System is assessed in the branches and Head Office departments that are audited within the scope of the annual audit plan.

In the light of the audits, examinations, and investigations conducted by the Audit Board, proposals are made for the correction of any detected issues, for taking measures to prevent similar errors, for improving the processes, and for enhancing the internal control system, while the actions taken regarding these issues are monitored at certain intervals.

The corrective actions taken by the business units on the action dates are checked; if the corrective action is sufficient to eliminate the finding, the finding is closed; if it is not sufficient, the action date is followed. The projects entered by the business units to eliminate the issues determined by the audits are evaluated as to whether the project’s scope is sufficient to eliminate the finding. In case of deficiencies or errors, the relevant business unit is informed to ensure its correction.

The auditors provide training to the Bank’s staff on various issues that are needed and requested.

Within the framework of the principle of continuous professional development, in-Bank and non-Bank trainings that contribute to the professional and personal development of auditors are organized, and training is provided primarily to encourage the acquisition of international certificates.

The Audit Board was awarded the “Certification Awareness Award” for attaching importance to Internal Auditor Certification and the “Continuous Professional Development Awareness Award” for carrying out the work on creating the trained workforce needed by the internal audit profession and developing the profession at the “Awareness Award Ceremony” organized by the Turkish Institute of Internal Audit (TIDE) to raise awareness of internal audit for three consecutive years since 2019.

Auditors receive training before audits requiring expertise. In this way, specialized and experienced teams of auditors are trained and the quality of the audit is raised.

As per the 2024 Internal Audit Program, the following audits were conducted: the audit of 365 Branches, 24 Affiliated Branches, and 4 Overseas Branches; the audit of 19 Head Office Business Units, 2 Internal Systems Units, and Departments under these Units; the audit of 3 Subsidiaries (1 overseas); the audit of 24 Information Systems Processes (pursuant to relevant provisions of the Regulation on Bank’s Information Systems and Electronic Banking Services); the audit of 4 Head Office information systems units; the audit of information systems at 5 Subsidiaries (1 overseas); the audit of information systems at 17 service providers of outsourced services; the audit of all Banking Processes; the audit of Internal Capital Adequacy Assessment Process (ICAAP); Compliance Controls for Penetration Test Action Plan; BADES Action Plan Compliance Controls; Information Systems and Banking Processes Audit; Action Plan Compliance Controls; Management Statement Efforts (Information Systems Audit, Banking Processes Audit, Annual Assessment of Service Providers for Outsourced Services); Risk Center Audit; Information and Communication Security Guide Audit; SWIFT Audit; Audits to be Conducted under the Regulation on Determining the Service Level and Quality of Banks’ Call Centers; Electronic Banking Services Audit; Audit of TFRS-9 Processes; Audit of the Processes linked with Personal Data Protection Law (General); Audit of Retrospective Vouchers; Audit of the Accuracy of Reports Presented to BRSA; Audit of the Premium Payments Made to SDIF; Audit of New Products-Apps and Services; Compliance Audit for the Bank and its Financial Subsidiaries (Compliance Program Audit); Prevention Plan Studies Audit; Remote Authentication Compliance Audit; Valuation Service Compliance Audit; Precious Metals Responsible Supply Chain Audit; Interest Rate Risk Audit; Quality Assurance-Internal Assessment Audit; Credit Risk Audit; Liquidity Risk Audit; Risk Group of the Bank Audit; Physical Archive Center Audit; Guidelines on Precautionary Plans to be Prepared by Banks Audit; Decentralized Cash Management (MONY) Audit; and the Audit of Compliance with ISO 14001 Environmental, ISO 27001 Information Security and ISO 22301 Business Continuity Management System.

INTERNAL CONTROL ACTIVITIES

The Internal Control function is structured to ensure establishment and coordination of a healthy internal control environment; protection of the Bank’s assets; effective and efficient performance of the activities in conformity with the Banking Law and relevant legislation, internal policies and rules as well as banking practices, reliability and integrity of the accounting and financial reporting system; and timely accessibility of information. Accordingly, the Bank’s domestic and foreign branches, head office departments, and consolidated partnerships are subject to the annual internal audit plan.

The Internal Control Department carries out control activities within the framework of control programs prepared according to the risk level. In 2024, internal control activities were carried out in domestic and foreign branches, 1 foreign subsidiary, 40 Head Office units, and 6 subsidiaries subject to consolidation.

Additionally, in order to control the Bank’s activities faster and more effectively with a risk-preventive approach, the central control team continuously checks the scenarios for transactions that are carried out intensively in the Bank’s activities and are susceptible to operational errors, as well as the inventories it creates routinely and periodically. Efforts focused on centralizing internal control activities in order to continuously carry out control activities for the Bank’s activities that vary periodically, to prevent risks that may arise, and to carry out control activities more quickly and effectively.

As part of the Information Systems Internal Control Plan for 2024, the Internal Control Department carried out internal control activities regarding information systems at 4 units involved in information systems, 4 foreign branches, 1 foreign subsidiary, and 6 subsidiaries subject to consolidation. Periodic controls were also conducted at 32 control points for continuous controls regarding risky activities carried out by information systems units.

It is aimed to ensure the efficiency and effectiveness of operational activities through the controls of the transactions for the performance of the activities carried out by the Internal Control Department and ensure that the information obtained within the Bank through the control of the Bank’s communication channels and information systems is reliable, complete, traceable, consistent, and in the appropriate form and quality to meet the needs and is accessible by the relevant units and personnel in a timely manner. In addition, it is aimed to ensure the integrity and reliability of the accounting and reporting systems through the control of financial reporting systems, and to ensure that all activities and new transactions and products that the Bank realizes and plans to realize are in compliance with the Law and other relevant legislation, internal policies, and rules, as well as banking customs through compliance controls.

In conformity with the objectives and strategies of the Bank, changing needs, risks, regulations, and technological developments are followed. Necessary adjustments and updates are made to ensure the effectiveness and functioning of the internal control system. Activities continue with the aim of enhancing the internal control culture in the Bank.

COMPLIANCE DEPARTMENT’S ACTIVITIES

The Compliance and Regulation Department carries out activities to fulfill the responsibilities stipulated in the Financial Crimes Investigation Board (MASAK) legislation within the scope of the Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Proliferation of Weapons of Mass Destruction, and to comply with international principles and rules on the same. In this context, pursuant to the “Regulation on Compliance with Obligations Related to the Prevention of Laundering Proceeds of Crime and Financing of Terrorism,” the necessary policies and procedures are established for the identification, classification based on risk categories, and monitoring of customers, and notification of suspicious customer transactions to ensure that the Bank fulfills its obligations. It is checked whether the policies and procedures in question have been implemented, and opinions/approvals are given for the transactions of risky sectors and countries. Necessary investigations and evaluations are carried out within the framework of a risk-based approach about transactions that may be suspicious, whether transmitted through channels such as branches or detected within the scope of monitoring and control activities, and the transactions that are deemed to be suspicious are reported to the Financial Crimes Investigation Board (MASAK). For the purpose of sound monitoring of international sanctions by the Bank, the sanctioned list, which compiles the sanction decisions of international institutions and organizations such as the United Nations, the European Union, OFAC, etc., is used for queries and controls.

Compliance-related duties and activities are performed in coordination to prevent the laundering of the proceeds of crime and financing of terrorism at domestic and foreign branches of the Bank. The follow-up of the compliance risks that may arise from the foreign regulations and the control of compliance with these regulations of the foreign branches that are subject to the compliance program established by the Bank in accordance with the legislation of the country in which they operate are carried out by a staff member in respect of each branch. The activities as mentioned earlier are carried out in coordination with business departments. In-class and online training courses are regularly provided to the Bank’s employees to constantly raise awareness and strengthen the culture of preventing the laundering of crime proceeds and financing terrorism.

Within the scope of the Financial Crimes Investigation Board (MASAK) regulations, financial institutions operating under a parent institution have been gathered under the umbrella of the Parent Financial Institution, with the entire structure being re-defined as a ‘Financial Group’. Obligations of all institutions under the financial group continue separately, while an additional set of group obligations have been introduced for “Financial Groups.” In this context, Türkiye Vakıflar Bankası T.A.O. Financial Group includes our Bank as the main financial institution and Vakıf Yatırım Menkul Değerler A.Ş., Vakıf Faktoring A.Ş., Vakıf Finansal Kiralama A.Ş., and Vakıf Elektronik Para ve Ödeme Hizmetleri A.Ş. as other financial institutions. Oversight and coordination for the fulfillment of the obligations by the Financial Group rest with the Compliance Department of our Bank, which is the parent financial institution. In this respect, a Financial Group Compliance Policy has been released. Our Bank’s Compliance Officer has also been appointed as the Financial Group’s Compliance Officer, and the Bank’s Deputy Compliance Officer has been appointed as the Financial Group’s Deputy Compliance Officer. To act in line with joint, group-wide compliance standards in compliance efforts across the group, the Bank’s Compliance Department carries out joint activities with the Compliance Units of the other four financial institutions. In addition, necessary guidance and instructions are provided and financial group compliance obligations are checked.

LEGISLATION MONITORING AND EVALUATION ACTIVITIES

The Compliance and Regulation Department carries out activities to effectively and efficiently monitor relevant legislation on banking activities and manage the compliance process.

Recent developments in legislation and banking practices related to banking activities are monitored; the impacts of legislative changes on banking activities are interpreted. Within this scope, the measures to be taken by the Bank and the affiliates of the Bank about the services provided by the Bank and the changes to be made in the Bank’s internal legislation and practices are identified, written information is provided to the relevant departments, and the taking of the necessary measures is requested and followed up. Furthermore, relevant departments are informed of draft banking regulations, and thus necessary procedures are initiated before they enter into force.

Tasks for regulatory compliance controls are carried out within the scope of the “Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process.” In this respect, efforts toward alignment with regulatory changes are coordinated. Measures are taken by the relevant department for such changes to be reflected in the Bank’s internal procedures and practices. Changes in practices and revised procedures are also monitored and checked in terms of compliance with regulations. This way, revisions and changes deemed necessary are also made. Necessary measures are taken for timely and full compliance with regulations. In addition, controls are run for the compliance of new products and services with these regulations, while coordinated efforts are undertaken to keep internal procedures and instructions up to date.

Notification and coordination processes are run to ensure the Bank participates in the meetings held by the Banks Association of Türkiye. The Bank also joins, together with relevant functions, the Working Groups formed within regulatory compliance activities. Participation is ensured in the meetings of Working Groups. When the Association requests the Bank’s opinion on a specific subject, ideas are gathered from business departments and are evaluated to express a statement on behalf of the Bank. Information on the activities carried out under the Association, regulatory arrangements communicated by the Association, and instructions and information received from the Agency are all disseminated to relevant business departments, and actions taken are monitored.

There are agreements in place to exchange information to enhance international tax compliance. Legislation regarding these agreements is monitored. Relevant business units are assigned to ensure compliance with such legislation. The efforts undertaken by business units are monitored. Measures include those in compliance with the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS).

Within the scope of the obligation that the detailed justifications to be prepared for complying with all the principles contained in the Good Practice Manuals and the principles which are partially implemented or not fully implemented are presented every year together with the submission of the Internal Capital Adequacy Assessment Process (İSEDES) reports to BRSA, the practices and policy documents of the Bank, which is designated as a “Systemically Important Bank,” are monitored and controlled to ensure that they are in full compliance with all the principles specified in the Good Practice Manuals. The relevant business departments are coordinated to make changes and corrections when necessary.

Besides, the compliance of the Bank’s foreign branches and foreign subsidiaries subject to consolidation with the legislation of the respective countries in which they operate is checked by the personnel assigned in the relevant branches/subsidiaries in this context, and reporting on compliance is thus maintained.

In line with the activities of the Department, it is aimed to support the Bank’s compliance with the applicable laws and other relevant regulations, the Bank’s internal policies and procedures, organizational management and ethical standards, and to protect the Bank’s reputation and integrity through compliance with all legal regulations.

To ensure the Bank’s full compliance with sustainability-related regulations, to prevent environmental problems such as climate change and uncontrolled waste, the legislative regulations published by the Ministry of Environment, Urbanization, and Climate Change and other relevant institutions and organizations are closely monitored, the relevant departments are informed about the issue, and contribution is made to the 2030 Sustainable Development Goals of the United Nations.

Legislative Amendments that Might Affect the Bank’s Activities Materially

The CBRT regulated the fees to be charged by banks to commercial customers, introduced an upper limit on the reference rate used in the calculation of merchant fees, and amended the calculation method of the early repayment fee to be charged for early repayment of loans extended to commercial customers.

The BRSA has also regulated that banks cannot open any deposit account, with or without overdraft, increase the limit of the overdraft account, or make collections from these accounts without the consent of the customer, and introduced an obligation for banks to notify customers with overdraft accounts in the event that their limits are reduced.

The CBRT amended the Communiqué on Reserve Requirements and introduced an obligation for banks to maintain reserve requirements at the CBRT according to their cash loan growth rates.

The Communiqué on the Establishment of Securities, which had been in effect since 2022 and required banks to establish securities at the CBRT against specified assets and liabilities, has been repealed.

As part of the CBRT’s macroprudential framework adjustments, the total target for the transition to TL and renewal of FX-protected deposit accounts and the minimum interest rate for FX-protected deposit accounts were reduced, and the practice of paying interest on reserves that must be maintained for FX-protected deposit accounts was abolished for new and renewed FX-protected deposit accounts.

Various regulations have been made in the Personal Data Protection Law No. 6698 regarding the processing of special categories of personal data, their transfer abroad, and the sanctions to be applied in case of violation.

The regulation issued by the BRSA increased the maximum maturities and amounts of vehicle loans to be extended by banks for vehicles with electric engines produced in Türkiye.

The amendments to the Turkish Commercial Code No. 6102 removed the appointment of branch managers from the non-transferable powers of the board of directors in joint stock companies, amended the provisions regarding the board members’ calling the board of directors to a meeting, and introduced an obligation to increase the capital of joint stock and limited liability companies that fall below the minimum capital amounts set forth in the Law.

The regulation introduced by the CBRT reduced the amount of FX required to be sold by exporters to the CBRT through banks as per the Invisible Transactions Circular and the Export Circular.

The Capital Markets Law No. 6362 added provisions on crypto asset service providers, activities of crypto asset platforms, custody of crypto assets, crypto asset trading and transfer transactions that residents of Türkiye may conduct with crypto asset platforms, and criminal sanctions.

The CBRT decided to terminate the payment of additional return on deposit accounts converted from FX and lowered the lower limit of the interest rate to be paid to these accounts.

The CBRT terminated the Turkish lira-gold swap market, the foreign exchange-gold swap market, and the Turkish lira-foreign exchange swap market transactions, while deciding to start auctions for selling Turkish lira-gold swaps.

In order to strengthen the capital of public banks, various arrangements were made in the Law on the Regulation of Public Finance and Debt Management No. 4794 for the issuance of special order government domestic debt securities on credit in the fiscal year 2024.

The amendments made to the Law on Prevention of Laundering Proceeds of Crime No. 5549 included the provision that lawyers shall be deemed liable under this Law and that the court to hear disputes regarding administrative fines imposed by the Financial Crimes Investigation Board (MASAK) shall be the administrative courts instead of the court of peace.

Various regulations were made by MASAK to include crypto asset service providers within the scope of the definition of financial institution under MASAK regulations, to include electronic commerce intermediary service providers within the scope of the definition of obligor under the legislation, to make various changes in the identification methods for natural persons, and to allow the appointment of more than one deputy compliance officer.

The Law on the Amendments to Tax Laws and Certain Laws No. 7524 introduced a domestic minimum corporate tax, a local and global minimum complementary corporate tax, an increase in payments subject to income tax and corporate tax deductions, and an expansion of the scope of special irregularity penalties.

With the amendment made by the Ministry of Trade to the Regulation on the Trade of Motor Land Vehicles, the use of the Secure Payment System has become mandatory in the sale of second-hand motor land vehicles.

The BRSA decided to discontinue the application of high-risk weighting to general purpose loans, personal credit cards, vehicle loans, housing loans extended to those who own a house registered in their name in the land registry, and commercial cash loans in capital adequacy calculation by banks.

The CBRT regulated the differentiation of credit card annual interest rates based on the period debt.

The BRSA decided on 26.09.2024 to introduce the possibility of debt restructuring for credit cards with unpaid minimum payments due for the period and for retail loans and overdraft accounts with overdue installments for more than 30 days. In addition, the minimum amount to be paid for credit card debts has been amended.

Certain regulations were introduced to the Law on the Protection of Consumers No. 6502 on the establishment of distance retail loan and housing finance agreements to ensure the harmonization with the banking legislation.

The Enforcement and Bankruptcy Law No. 2004 has been amended with respect to the bids submitted in sales conducted through auctions in electronic environment, and certain arrangements have been made in some of the time periods stipulated in the Law.

Income tax withholding rates applied to Turkish lira time deposit accounts and some mutual funds were increased, and the withholding tax exemption for currency-hedged deposit accounts was abolished and withholding tax was imposed on these accounts as well.

The BRSA has decided not to apply inflation accounting to banks and financial leasing, factoring, financing, and saving financing and asset management companies in 2025.

Within the scope of the Regulation on Deposits and Participation Funds Subject to Insurance and Premiums to be Collected by the Savings Deposit Insurance Fund, the upper limit of deposits subject to insurance was set as TL 950 thousand, effective from the beginning of the calendar year 2025.

The Bank was among the 11 banks designated as market makers by the Ministry of Treasury and Finance.

With the decision taken by the SDIF, the lower limit for notifying depositors for time-barred accounts to be transferred to the SDIF was increased from TL 250 to TL 1000.

The Public Oversight Authority decided that the sustainability reports to be prepared in accordance with the Turkish Sustainability Reporting Standards will be subject to assurance audit starting from the first year they will be issued under the principles to be determined by the Authority.

The Banks Association of Türkiye published a “Guideline on Establishing Heat Map Methodologies” to guide all banks to effectively manage climate-related financial risks by creating heat maps showing the sensitivity of their loan portfolios to climate risks.

OTHER INFORMATION ON THE BANK AND ITS ACTIVITIES

  • There are no lawsuits filed against the Bank that could affect its financial position and activities.
  • There have been no considerations that could lead to a conflict of interest between the Bank and the institutions from which it receives services such as investment consulting and rating.
  • There are no lawsuits filed against VakıfBank regarding environmental, social, and corporate governance issues.

GRI 2-15