The Bangko Sentral ng Pilipinas (BSP) is amending the guidelines for banks’ operational risk management particularly on “people risk” and is proposing to adopt more rigid rules on human resource-related risk.
The BSP wants stricter recruitment and selection of banks’ personnel as well as to ensure that directors, managers and employees will be subjected to tighter evaluation process when undergoing performance management review.
Based on proposed guidelines, the central bank is keen on adopting a “risk-focused pre-screening process” for pre-employment background screening to have a better handle on an applicant’s personal background and character, conflict of interest, and more importantly -- “susceptibility to collusion, fraud or illegal activities.”
The BSP wants all banks to screen its people based on factors such as reputational risk implication and responsibilities associated with a particular position. Based on the sensitivity of bank position, the BSP said “certain positions” particularly in bank branches or the “access level" of an employee may require additional background screening, which the BSP said should include, among others, verification of character references, criminal records, experience, education and professional qualifications.
The BSP also wants banks to screen applicants and verify background checks against the BSP’s own records for “querying” as part of the stricter selection process. “Pre-employment screening shall likewise extend beyond the records of (the BSP) particularly if the applicant held positions in other financial institutions,” said the BSP in the draft circular. “Management shall also have a policy that addresses appropriate actions when a pre-employment or subsequent screening detects information contrary to what the applicant provided.”
As for improving the way banks assess performance, the BSP is proposing the establishment of effective mechanism that “leverages on existing controls or reports to facilitate assessment of continuing fitness and propriety of personnel” such as taking into consideration the “financial circumstances” of an employee whose job is cash-related transactions.
The draft circular added this provision, that this mechanism should be “able to detect suspicious behaviors of personnel such as reluctance or refusal to take vacation leaves, or frequent overrides of internal controls, established limits or approving authorities, high incidents of circumventions of policy, changes in employees’ conduct, unusual activities in operations, and sudden or significant changes in lifestyle, standard of living and spending habits that are inconsistent with the salary, financial position, and level of indebtedness of the personnel concerned.”
The BSP also wants to change minimum internal control measures in the confirmation of accounts, in that “any request from clients for confirmation of accounts maintained in the bank shall be centralized in the bank’s head office” and issued certification will be number-controlled and signed by authorized officers “depending on the type of accounts and level of amounts involved.”
“Designation or position of the signing officers shall be publicly disclosed thru any available means,” said the BSP while the board of directors “shall hold accountable the officers concerned when actions are not aligned with the authority granted to them. Management shall develop an efficient process in accepting this type of requests and ensure that the information is delivered securely to its clients and/or intended users.”
The draft circular is currently being circulated in the banking community for comments and other suggestions.
The “people risk” concerns have been clearly established since the 2016 BSP circular on the operational risk management guidelines where the BSP directed banks to “embed in their enterprise-wide risk management framework measures to identify, measure, monitor, and control human resource related risks.”
Risk identification and assessment allow all BSP monitored banks to have a deeper take on its risk profile and deploy risk management resources and strategies more effectively. These operational risks include internal fraud such as intentional misreporting of positions, employee theft, and insider trading on an employee’s own account. External fraud, in the meantime, is robbery, forgery, check kiting, and damage from computer hacking.
Risk-monitoring process also include the following: employment practices and workplace safety; clients, products and business practices; damage to physical assets (terrorism, vandarism, earthquakes, fires and floods); business disruption and system failures (hardware and software failures, telecommunication problems, and utility outages); and execution, delivery, and process management (data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes).