Ziraat Bank 2021 Integrated Annual Report

AUDIT COMMITTEE’S ASSESSMENT OF THE OPERATION OF THE INTERNAL AUDIT, INTERNAL CONTROL, COMPLIANCE, AND RISK MANAGEMENT SYSTEMS IN 2021

Internal systems activities at Ziraat Bank are performed by the Board of Inspectors, the Internal Control Department, the Risk Management Department, and the Compliance Department. These units’ duties and responsibilities, which are strictly segregated from one another, are coordinated by the Group Head for Internal Systems.

This organization is structured so as to embrace all Bank units and branches as well as Bank-owned subsidiaries subject to the Bank’s oversight. Its purpose is to minimize any risks that might adversely affect the thoroughgoing and secure conduct of banking operations, the fulfillment of long-term profit targets, the reliability of financial and administrative reporting, and/or the Bank’s reputation and financial stability.

INTERNAL AUDIT SYSTEM

The Board of Inspectors takes a risk-focused approach in the fulfillment of its responsibilities to ensure that the activities and operations of the Bank’s headquarters units, domestic and international branches, and subsidiaries comply with the requirements of laws and regulations and are compatible with the Bank’s own strategies, policies, principles, and objectives. The board conducts its activities in such a way as both to keep the Bank’s senior management informed and to contribute to their decision-making processes.

The board conducts its activities in line with internationally-accepted internal auditing standards. Besides checking the Bank’s operations for their compliance with statutorily mandated procedures, in 2021 the board also reviewed and assessed the effectiveness and efficiency of the transaction procedures involved in both primary and secondary processes. In addition, processes governed by Banking Regulation and Supervision Agency (BRSA) regulations pertaining to information systems and banking processes were also audited in line with the Bank’s own practices.

The activities of the Board of Inspectors in 2021 are as follows:

The Central Audit Team continued its intensive operations in 2021 by performing scenario analyzes which are influential in preventing irregularities from being committed. The team reviewed the effectiveness of its existing scenarios and developed new ones to cope with the possible abuses made possible by newly-introduced business processes. It has also continued to develop systematic procedures aimed at minimizing risks arising from the remaining manually-conducted processes involved in internal audit, and to work for the integration of artificial intelligence technology into the Central Audit processes. Additionally, the instant follow-up of the transactions examined on the day (t-1) in 2020, through EVAM, continued in 2021.
The R&D Team kept a close watch on all of the Bank’s other business units, revised and kept the auditing module up to date in light of changes in business processes and the regulatory framework, and modified auditing points as made necessary by laws, BRSA decisions, and changes demanded by Bank’s senior management and headquarters units.
Improvements also continued to be made in all processes from the development of an auditing index to the determination of the significance level of audit findings. Systemic changes that make it possible for inspection findings concerning critically important transactions to be drawn to the attention of business units increased the effectiveness of the finding follow-up process and had a beneficial impact on the overall percentage of findings subjected to corrective action.
The recommendations that inspectors in the field included in their reports or made with respect to a particular transaction or practice were also circulated among the business units concerned and the outcomes of such recommendations were observed.
As a result of efforts for the Global Auditing Module that is aimed to be implemented at all Ziraat Finance Group members, the processing system to be used in this module and its application to various banking systems, the module was implemented at Ziraat Bank BH d.d. in 2018, and ad Ziraat Participation Bank in 2020. Studies are ongoing for the use of the module in other subsidiaries of the Bank.
Systematic developments on the Web Audit Module enabling generation of web-based reports issued following Information Systems and Banking Processes audits continued in 2021, and revisions were made on the module in order to meet the needs of the Board of Inspectors and comply with legal regulations.
The Inspection Scenario Team that was set up and charged with formulating scenarios both to identify and measure the general spread of shortcomings in bank processes and to develop and improve the effectiveness of such processes and with submitting these scenarios to the appropriate business unit so as to ensure that speedy and effective solutions for dealing with them are devised throughout the Bank continued to operate in 2021. System improvements were made to increase efficiency in sharing the scenario results with business units and following up on the actions taken.
During 2021, the Central Inspection Team that was set up to increase the frequency and effectiveness of inspections by constantly and centrally monitoring designated branch groups performed centralized inspections on 281 of the Bank’s branches in accordance with the same criteria employed for on-site inspections. Thus, 38% of the branch inspections carried out within the scope of the audit plan was completed centrally.
The Data Security Team, which operates with the intention of protecting the confidential information of customers and the Bank, continued to work in 2021 as well.
The practice of recruiting qualified human resources for the Bank’s administrative staff by allowing inspectors to transfer to such positions continued in 2021.
27 Assistant Inspectors, who were successful in the “Assistant Inspector Entrance Exam” organized by the Bank, started to work in August 2021.
Within the scope of combating Covid-19, a new type of coronavirus that affected our country as it did the whole world, the Board carefully followed the measures taken both in the country and the Bank in its studies within the scope of the 2021 audit plan and took the necessary measures.

In keeping with its strong sense of responsibility and awareness of its duties, the Board of Inspectors will continue to execute the internal auditing plan in line with goals and policies set forth by Ziraat Bank’s senior management and within the framework of current auditing approaches, to report its findings to the Board of Directors through the Audit Committee, and to observe what action is taken on the basis of its reports.

INTERNAL CONTROL SYSTEM

Internal control activities at Ziraat Bank are designed so as to embrace the operations of all headquarters units, all domestic and international branches and subsidiaries subject to consolidation as required by Article 9 Paragraph 3 of “Regulation on bank internal system and intrinsic capital adequacy assessment processes” which states “Internal control system is structured to include the bank’s domestic and foreign branches, headquarters units, subsidiaries subject to consolidation and all of their operations.”

In accordance with Article 30, Paragraph 1 of the “Regulation on Information Systems and Electronic Banking Services of Banks”, entitled “The activities related to IT management of the bank and its external service providers, the processes supporting these activities and the IT controls established must comply with the legislation and in-bank policies, procedures and procedures, in line with IT internal control function”, the information systems internal control function was established to monitor compliance with the standards.

Such activities are conducted so as to be compatible with the Bank’s primary objectives and strategies from the standpoint of their scope and methodology.

This more proactive structure helps ensure that Ziraat Bank’s operations exceed sectoral norms and that they are conducted in a manner that is compatible with both internal and external regulations as well as with the demands of competition.

Domestic branch checks are performed both on location and centrally within the framework of a program that is prepared taking into account branches’ current levels of risk exposure. Control functions, which for the most part are structured so as to be technology-intensive and centralized, are intended to ensure that commonly-occurring mistakes are quickly corrected at the appropriate business-unit level.

With the Instant Control system operational transactions, accounting records and lending operations in real time are checked. Transactions are evaluated in light of specific scenarios and if a transaction is deemed to be in error, it can be corrected the same day. Real-time transaction checking allows increased efficiency through preventive checks and embeds the internal control system within the Bank’s day-to-day operations instead of retrospective transaction controls. To this end, instant incident and action management tools such as EVAM scenarios that are developed by the internal controllers themselves are also employed effectively. Accordingly, it is adopted as a basic principle to avoid possible errors and omissions in recording assets and liabilities and capturing them in financial reports.

Artificial intelligence/machine learning models, the foundations of which were laid in 2019 by the internal control unit, which reflects its focus on technology to all of its processes, started to be used effectively in credit and accounting controls. Providing orientation to transactions with high probability of finding, machine learning algorithms support the risk-oriented control model, and thus mediate more effective controls with less resources. In addition, it is aimed to detect new risk areas early by performing anomaly analyzes with artificial intelligence/machine learning algorithms.

Headquarters unit control programs are prepared taking into account the units’ functions, potential risks, terms of reference, and impact on the Bank’s balance sheet. These programs are revised as needs may require. Business units are controlled by a sufficient number of Internal Controllers in line with these programs.

Internal control operations at Ziraat Bank branches located outside Turkey are carried out in line with control programs that are prepared for each year.

The findings ascertained as a result of all of these activities are periodically circulated among appropriate business units and the members of senior management.

Besides performing their internal control functions, internal control personnel also share their suggestions of ways to improve existing processes at the Bank and to mitigate the risks inherent in them. The aim of this practice is to preclude risks by spotting them in advance, to make the Bank more competitive by improving its business processes, and to increase customer satisfaction while also taking measures to cut costs.

Employment of internal controllers and continuity of employment have been ensured by the method of utilizing the Bank’s own human resources since 2015. With the participation of the human resources who worked in the Bank for a certain period of time to the Internal Control team, the adaptation of the team to the internal control processes has accelerated, the training period has been shortened and the team has started to get efficiency in a short time. On another front, banking and field experiences of the team contributed remarkably to internal control processes.

The practice of recruiting qualified human resources for the Bank’s administrative staff by allowing internal control personnel to transfer to such positions continued in 2021.

In addition to such matters, compliance reviews were also carried out by internal control personnel as required by article 18 of BRSA Regulation on bank internal system and intrinsic capital adequacy assessment processes. In the course of these reviews, all operations conducted or planned by the Bank as well as new transactions and products are checked to be sure that they comply with laws and regulations, with the Bank’s own policies and rules, and with generally-accepted banking practices. During such compliance reviews, existing Bank-internal rules and proposed changes in them are also examined and views concerning them are circulated among appropriate units.

COMPLIANCE SYSTEM

Activities in the Bank to prevent money laundering, financing of terrorism and proliferation of weapons of mass destruction; carried out in accordance with national and international regulations.

In accordance with the “Regulation on the Compliance Program on the Prevention of Laundering Proceeds of Crime” updated in line with the changes to Law No. 5549 on the Prevention of Laundering Proceeds of Crime, the Ziraat Finance Group - as the main financial institution - formed the financial group together with the financial institutions operating in the country, and accordingly, a group-based compliance program and Ziraat Finance Group Compliance Policy was prepared, the Bank Compliance Policy was updated and the organizational structure was strengthened. Sufficient personnel and resources have been allocated to ensure that the responsibilities imposed by the relevant laws and regulations can be fulfilled effectively, taking into account the structural characteristics of the group.

With the rapid digitalization brought about by technological developments in banking processes, criminal organizations have also increased the use of technology and started to turn to more complex tools in order to use banks to finance their illegal activities. Along with its investments in innovations and new products in financial services, the Bank has developed preventive control mechanisms to ensure that the products and services it offers are not used as an instrument for illegal activities, and are structured in such a way that situations which cannot be prevented through preventive controls are detected in a timely manner, with the Bank able to take quick action in the fight against the proceeds from crime with proactive measures.

In addition to the knowledge and analytical skills of the specialized personnel in the Bank, regarding the better definition of potential risks in the field of money laundering, financing of terrorism and proliferation of weapons of mass destruction, and effective management and control of risks, projects are put in place which are focused on creating a system which focuses on the use of digital solutions based on artificial intelligence and machine learning, effectively responding to the needs of combating money laundering and the financing of terrorism. In this context, we will continue to focus on developing technology-based and innovative processes in the upcoming period, as well as investing in this area in order to ensure that the measures and obligations in place to combat money laundering and the financing of terrorism are more effective and faster.

Work carried out to adapt the Bank’s customer acquisition process to the current conjuncture and keep the risks presented by this process to a minimum, along process developments to protect the bank from possible compliance and risks of money laundering and terrorist financing in remote identification of real persons, which is the crucial part of the process, were completed successfully.

In order to effectively combat money laundering, financing of terrorism and proliferation of weapons of mass destruction by all domestic and international financial institutions operating within the Ziraat Finance Group, an effective risk-based approach is followed, the risks subject to combat are identified, classified, and effective and proportional controls are established based on the identified risks. New typologies developed by crime and terror groups in all countries and areas of operation are closely monitored, trend analyzes are made, and resource planning is made in accordance with the risk-based approach model. In this context, projects aimed at the more efficient use of technological opportunities are rapidly implemented besides the increase in human resources. In this field, studies are carried out to provide efficiency and speed with machine learning structures.

In this context, necessary measures in the form of written policies and procedures, which are created by the Group and updated with the changes in the regulations and in these matters, are taken in order to prevent the use of the products and services provided by the Bank and the Ziraat Finance Group with the purpose of money laundering, terrorism and the proliferation of weapons of mass destruction, and controls are carried out in a way that the Bank does not expose to any operational, reputational risks and sanctions in these matters.

The regulation drafted in the compliance program regulation has enabled the sharing of information within the financial group with rules introduced on how this sharing can be carried out. In this context, a system supported by the Bank’s technological infrastructure was developed in order to ensure information sharing within the Ziraat Finance Group, with the group’s information sharing policy established and necessary measures taken regarding the secure sharing of information within the group.

In addition to the domestic subsidiaries within the financial group, we are in regular contact with foreign branches and subsidiaries within the framework of the coordinated strategy regarding compliance activities. Remote or on-site support is provided to the relevant Branches or Affiliates, and we will maintain and expand our support in the coming period.

Internal training programs, which are designed to exchange information regarding the development of joint standards, creation of joint processes, and acting in line with the shared policy target related to “Prevention of Laundering Proceeds of Crime and Financing of Terrorism”, are carried on.

In addition, training programs continue to be provided to increase the level of awareness of all personnel on the prevention of money laundering and financing of terrorism.

With their expert staff and analytical infrastructure, Ziraat Bank’s compliance units, both as the main financial institution and the financial institutions operating within the Ziraat Finance Group continued to closely follow new trends and best practices in the field of SGA/TFP, as in past years.

They will continue their activities with a risk-based approach aimed at maximizing efficiency and effectiveness by achieving the maximum use of technological opportunities.

RISK MANAGEMENT SYSTEM

Ziraat Bank risk management activities are conducted subject to the requirements of BRSA’s Regulation on bank internal system and intrinsic capital adequacy assessment processes and other pertinent regulations as well as of BRSA Best Practices Guidelines. They are carried out with the aim of aligning the Bank’s risk management functions with best practices by fostering a risk culture throughout the entire and constantly improving system and human resources. The principal risk categories are defined as “Credit Risk”, “Market Risk”, “Operational Risk”, “Model and Process Validation”, and “Balance Sheet Risks”, the last including the interest rate risks and liquidity risks to which the Bank is exposed on account of its banking business accounts. Care is given to ensure that all activities related to risk management system are coordinated through the involved participation of the operational units with which each type of risk is associated.

Under the heading of credit risk management, Basel III-compatible methods are used to define, measure, monitor, and report credit risk. The Bank has been calculating its core credit risk exposure and reporting it monthly on the basis of its solo and consolidated accounts to BRSA ever since this practice was mandated by law as of 1 July 2012. The credit limits approved by the Board of Directors are monitored and scenario analysis and stress tests are carried out by applying various shocks to credit risk factors. Counterparty Credits are measured for counterparty risk.

In addition, with the participation of different units within the scope of Credit Risk Management Project with Advanced Methods, studies are being carried out to calculate credit risk based on internal rating and to use its outputs in different areas. Within the scope of this project, model validations evaluating the compatibility, accuracy and durability of IRB model studies carried out within the framework of internal rating-based approach, creating macroeconomic models, making IRB models compatible with TFRS-9 and implementation of the results are carried out.

In the first quarter of 2021, a Credit Risk Control Unit was established under the Risk Management Department, and all activities managed based on the Internal Rating were included in the scope of duty of the relevant unit. Once the model development activities were completed and the models were passed through the validation processes, studies were initiated to calculate the amount subject to credit risk and expected credit loss with the newly created model parameters.

After the completion of all model outputs and IRB model validation tests, the amount based on credit risk calculated with the Basic and Advanced IRB methods can be retrieved from the system together with the results of the standard approach.

At the same time, the accuracy, consistency and adequacy of the internally used rating models and other measurement methodologies, carried out in order to accurately measure and manage the risks the Bank is exposed to, as well as to evaluate the stability of risk models and output (risk estimates, rating grades) performances is reported to the senior management at regular intervals. Activities under the responsibility of the validation unit are also carried out for this purpose. Accordingly, the unit aims to perform the validation studies of the internal models used in the decision-making processes and to take the necessary actions as a result of the findings determined and to ensure full compliance with the legal requirements.

Under the heading of market risk management, such risk is defined, measured, analyzed, monitored, and reported. Analyses are supported by conducting stress tests. Risk measurements are performed on all accounts whose inclusion in the Bank’s capital adequacy ratio calculation is mandatory as well as by means of the “value-at-risk” (VaR) methodology. The results of VaR measurements are validated by means of backtest analyzes. The values on which market risk is calculated are periodically reviewed and compared with of Board of Directors-approved limits while senior management is kept informed about the results of internal limit monitoring.

Under the heading of operational risk management, the operational risks to which the Bank is exposed are defined, classified, quantified, and analyzed. Operational risk signal and limit values approved by the Board of Directors are also monitored at regular intervals. Amount subject to Operational Risk is calculated using the Basic Indicator Approach pursuant to the Regulation on the Measurement and Assessment of Capital Adequacy of Banks.

Operational risk incidents as a result of the lost data base in the banking software are being followed and a self-evaluation study covering the bank’s organization is carried out. Information technology risks and associated actions are followed up in coordination with the related units. Activities for business continuity plans and portfolio custodian services along with risk assessments for companies providing outsourced support services are being carried out.

Under the heading of balance sheet risk management, liquidity and interest rate risks arising from banking business accounts are identified, measured, analyzed, monitored, and reported. Analyses are also supported by means of stress tests and scenario analyzes. Consolidated and unconsolidated Liquidity Coverage Ratio and the Interest Rate Risk Ratio Arising from the unconsolidated Banking Accounts are periodically reported to the BRSA. Liquidity risk as approved by the Board of Directors and signals and limits of the interest rate risk resulting from banking accounts are also monitored at regular intervals.

Besides the stress test analysis subjected to in-bank periodic reports, Internal Capital Adequacy Assessment Process (ICAAP) reports are also prepared and sent to BRSA at year-end. In the latter reports, the Bank’s capital and liquidity adequacy is analyzed over the following three-year period on the basis of a set of Base/Negative/Overly Negative scenarios not supplied by BRSA.

The results of the risk management analyzes and the associated risk indicators are reported to the Board of Directors and to the Audit Committee at six-month intervals and to the Senior Management on a daily, weekly, and monthly basis.

Ziraat Bank will continue to make use of internationally-recognized advanced risk management techniques in order to carry out its risk management activities for all risk categories and to make such risk management an integral part of its strategic decision-making processes in the future as well.

Ziraat Bank defines its targets as consistent growth, creditweighted balance sheet structure, sustainable profitability, and productivity. In 2021 the Bank continued to sustain the strength of its equity-compatible balance sheet structure through the asset & liability management strategies that it adhered to. The Bank’s capital adequacy ratio was 16.5%.

Within the framework of the strategy of having a customer-weighted balance sheet, total cash loans increased by 30% to TL 778 billion at the end of 2021, and its share in assets was 57%. The share of securities portfolio in assets is approximately 25%.While Ziraat Bank makes its balance sheet increasingly customer-oriented, it proactively manages credit quality through effective credit processes, prioritizes effective use of resources and expense management through its sellective credit policy.

The Bank’s non-performing loans ratio stood at 1.9% in 2021. The Bank’s consistent ability to maintain an NPL ratio below the sectoral average without selling off any of its assets is an indication of the high quality of its asset structure.

Despite the low follow-up ratio compared to the sector, the bank’s asset quality was strengthened during the year, with a high reserve ratio of 80%.

It plans its interaction with its customers in line with customer expectations and habits, and constantly develops its customer-oriented business model. Ziraat Bank continued to contribute to the real sector and the country’s savings balance with the resources it provided, while continuing to develop the right solutions by correctly understanding the financial needs of its customers, and continued to offer products and services which bring ease to the lives of its customers with its investments in digital banking and increased productivity.

In line with Ziraat Bank’s approach of contributing to the country’s overall level of saving and of having recourse to broadly-based sources, total deposits reached TL 949 billion. Ziraat Bank maintained its sector leadership in deposits in 2021 as well as in loans. Deposits and non-deposit sources account for 69% and 21% shares respectively of total liabilities. In keeping with the Bank’s ongoing efforts to diversify and deepen its sources of funding, in 2021 Ziraat Bank continued to seek out and tap alternatives such as international agency and financial institution lines of credit, post-financing, syndicated loan, TL – FC repo, Eurobond issuance, funds obtained from domestic and foreign banks.

The Bank’s most important income item in 2021 was interest income, which amounted to TL 102 billion. The share of interest received from loans in total interest income was 71% as a result of the credit activities carried out during the year. Net fee commission income-another important income item-was increased significantly in 2021 and the incomes were diversified.