Risk Management, Internal Audit, Internal Control and Compliance

Balance Sheet Risks

Ziraat Bank aims to effectively manage the risks arising from assets, liabilities and off-balance sheet accounts within the scope of balance sheet risks.
‍
In this regard, the Bank carries out definition, measurement, analysis, monitoring and reporting activities regarding liquidity risk and interest rate risk arising from banking book. The Bank also supports these studies, the results of which are taken into account in strategic decision-making, with stress tests and scenario analyses.
‍
There are two components of liquidity risk: funding liquidity risk and market liquidity risk. Funding liquidity risk refers to the possibility of loss as a result of the Bank’s inability to meet all foreseeable or unforeseeable cash flow requirements without affecting the daily operations or financial structure.
‍
Market-related liquidity risk pertains to the potential for the Bank to incur financial losses as it is unable to close out or balance its positions at prevailing market prices due to insufficient market depth or excessive volatility.
‍
Interest rate risk consists of the possibility of sustaining losses on risk-sensitive assets, liabilities, and off-balance sheet items owing to changes taking place in interest rates.
‍
Ziraat Bank calculates the consolidated and unconsolidated Liquidity Coverage Ratio and Net Stable Funding Ratio for liquidity and interest rate risks arising from banking book and the unconsolidated Interest Rate Risk Ratio Arising from Banking Book within the BRSA regulations and reports to the BRSA and monitors them internally regularly.

In addition, within the scope of liquidity risk, the Bank closely monitors

• maturity mismatches between sources and uses,

• the level of liquidity buffer that will allow the Bank to continue its normal daily activities or that may be needed in unexpected situations

For the management of the interest rate risk arising on banking business accounts,

• attention is given to monitoring and analyzing such issues,

• as rate and maturity mismatches between fixed- and variable-interest fundings and lendings,

• assets’ and liabilities’ behavioral as well as contractual maturities, both upward/downward and ordinary/extraordinary movements in interest rates, and the impact of interest rate income on the current value of assets and liabilities.

Internal Audit Board takes a risk-focused approach in the fulfillment of its responsibilities to ensure that the activities and operations of the Bank’s headquarters units, domestic and international branches, and subsidiaries comply with the requirements of laws and regulations and are compatible with the Bank’s own strategies, policies, principles, and objectives. The board conducts its activities in such a way as both to keep the Bank’s senior management informed and to contribute to their decision-making processes.
‍
The board conducts its activities in line with internationally-accepted internal auditing standards. Besides checking the Bank’s operations for their compliance with statutorily mandated procedures, in 2024 the board also reviewed and assessed the effectiveness and efficiency of the transaction procedures involved in both primary and secondary processes. In addition, processes governed by the BRSA regulations pertaining to information systems and banking processes were also audited in line with the Bank’s own practices.
‍
Activities of the Internal Audit Board in 2024 are presented below:

• The Central Audit Team continued its intensive operations in 2024 by performing scenario analyses which are influential in preventing irregularities from being committed. Reviewing the effectiveness of existing scenarios against possible abuses, the team continued its systemic developments to minimize the manual processes used during the audit. Work to integrate Artificial Intelligence (AI) technology into the Central Audit processes continues. Accordingly, the transaction types sent to the branches will be included in machine learning, and the probability of fraud will be calculated with more cases that may be subject to abuse being detected more quickly and more effectively.

• The R&D Team completed work on updating the audit model with a dynamic approach, ensuring the follow-up of international standards and practices in auditing. Under the new audit structure, scenario-based dynamic audits started to be carried out, in addition to on-site branch audits, in order to centralize the audit process and include new situations arising within the scope of audit without wasting time. These activities were geared towards detecting risk before the risk grew, enabling more branches to be reached compared to those currently contacted. The team closely monitored legislation, BRSA decisions and changes foreseen by the Bank’s senior management and Head Office units and undertook necessary changes at the audit points.

• Inquiry rules used in branch audits were revised, and new rule sets were created in which customers’ CTR data was included in the analysis. Accordingly, a sample reflecting risk more accurately was determined where inquiry rules were designed in a dynamic structure and instant actions were taken according to the conjuncture and the Bank’s risk appetite.

• The effectiveness, adequacy, and compliance of the controls established over the information systems and business processes of the Bank, its domestic and international subsidiaries subject to consolidation, overseas branches, and service providers/external service providers are periodically assessed each year from a risk-based perspective by the Information Systems Team. These assessments are conducted in consideration of relevant internal and external regulations, international standards, and best practices. The activities continued in 2024 as well.

• The Data Security Team, which is tasked with protecting the confidential information of customers and the Bank, continued its activities in 2024.

• The Data Science Team, which was established to make auditing more efficient in parallel with the technological transformation brought about by digitalization, identifies deficiencies in the Bank’s processes, generates scenarios to measure the risk spread across the Bank, improve processes and increase efficiency, and presents these scenarios to the relevant business unit to ensure fast and effective solutions for the Bank in general, accelerated its work in 2024, and the outputs of many studies were shared with the relevant Head Office units. The team also aims to create a profile of the transactions subject to findings, inefficiencies, ineffectiveness or irregularities through scenario studies based on previously conducted audits/investigations, and to detect findings, inefficiencies, ineffectiveness and irregularities more quickly and effectively in the coming years through machine learning of the profile. In cases where historical profiling or prediction is not possible, similar items in the targeted dataset are clustered or anomaly detection is performed.

• In 2024, the Inspection Scenario Unit continued its activities by identifying systemic deficiencies/malpractices encountered throughout the Bank and developing solutions for their elimination, filtering data from the Bank’s data pool that is considered to contain risk and preparing Spot Inspection Reports. The reports prepared by the Unit are shared with the relevant business units of the Bank, contributing to the development/ modification of business processes and increasing the efficiency of the Bank’s products.

• To enable the Internal Audit Board to use analytical tools more effectively and efficiently, members of the Inspection Board were provided with training in this area. In this context, Inspectors were provided with training on Oracle SQL and Python applications.

• In 2024, 20 Assistant Inspectors who were successful in the Assistant Inspector Entrance Examination held in December 2023 and 31 Assistant Inspectors who were successful in the Assistant Inspector Entrance Examination held in August 2024 started to work in 2024

• In 2024, the function of providing qualified human resources to the Bank was maintained by ensuring the transition of 26 inspectors to administrative duties.

In keeping with its strong sense of responsibility and awareness of its duties, the Internal Audit Board will continue to execute the internal auditing plan in line with goals and policies set forth by Ziraat Bank’s senior management, to report its findings to the Board of Directors through the Audit Committee, and to observe what action is taken on the basis of its reports.

Internal control activities at Ziraat Bank are designed so as to embrace the operations of all headquarters units, all domestic and international branches and subsidiaries subject to consolidation as required by Article 9 Paragraph 3 of “Regulation on bank internal system and intrinsic capital adequacy assessment processes” which states “Internal control system is structured to include the bank’s domestic and overseas branches, business processes and information systems, subsidiaries subject to consolidation and all of their operations.”
‍
Such activities are conducted so as to be compatible with the Bank’s primary objectives and strategies from the standpoint of their scope and methodology.
‍
This more proactive structure helps ensure that Ziraat Bank’s operations exceed sectoral norms and that they are conducted in a manner that is compatible with both internal and external regulations as well as with the demands of competition.
‍
Domestic branch controls are carried out locally and centrally within the framework of control programs prepared according to the conjunctural risk situation with a dynamic structure for each quarterly activity period. Control functions, which for the most part are structured so as to be technology-intensive and centralized, are intended to ensure that commonly-occurring mistakes are quickly corrected at the appropriate business-unit level.
‍
With the Instant Control system operational transactions, accounting records and lending operations in real time are checked. Transactions within the determined risk scenarios are audited during the day and erroneous transactions are corrected. Real-time transaction checking allows increased efficiency through preventive actions and embeds the internal control system within the Bank’s day-to-day operations instead of retrospective transaction controls.
‍
For this purpose, EVAM scenarios developed by internal controllers are used to detect anomalies by using instant event and action management tools, and various criteria of credit appraisal reports issued for customers are checked by integrating artificial intelligence/machine learning solutions into control processes. Accordingly, it is adopted as a basic principle to avoid possible errors and omissions in recording assets and liabilities and capturing them in financial reports. These control practices prevent the use of additional costs and manpower and contribute to the development of control activities with a focus on sustainability.
‍
As of 2024, the integration of the control of accounting/operational transactions carried out by the branches into robotic processes and the reporting in this regard by the robot have started to be implemented. As a result of the studies carried out in this context and the improvements planned to be realized in the future, the need for processes such as physical reporting and documentation maintained with real persons will be reduced, and thus branch control activities will continue to be structured on the route of economic sustainability. As robotic processes reduce the need for human resources, they will also reduce human-induced environmental impact factors, which will also be beneficial in terms of reducing the potential carbon footprint.
‍
Within the scope of the project carried out for robotic control activities, 9 different scenarios were created. At the decision-making stage of the project, it was calculated that all branches of the Bank could be controlled in 21 days in line with the determined scenarios. During the pilot implementation of the project, 21 branches were checked in one day and 444 findings were identified as a result of the checks. In the same period, branches that were controlled with the traditional method saved 21 man/day in terms of the number of controls and the cost of reaching a finding.
‍
Preliminary examination activities are carried out in relation to records in the nature of complaints/notifications, damaging transactions, and issues deemed risky or suspicious according to customary practices, which are identified by internal controllers or communicated to the Internal Control Department through any channel.
‍
Analytical Control activities are carried out by internal controllers to centrally identify Bank-wide errors or systemic deficiencies. In the controls and analyses performed, scenarios are developed using database programs and various analytical tools. Some of the activities carried out in this context have also been awarded by global organizations.
‍
Business unit control programs are prepared taking into account the units’ functions, potential risks, terms of reference, and impact on the Bank’s balance sheet. These programs are revised as needs may require. Business units are controlled by a sufficient number of internal controllers in line with these programs.
‍
The internal control activities of the Bank’s overseas branches are carried out and monitored in accordance with the control plans prepared annually. After the reports issued for overseas branches are reviewed by the relevant internal controllers, the findings in the reports are forwarded to the relevant Head Office units according to the subject matter.
‍
The findings of all these activities and the details of the controls performed are periodically shared with the Bank’s relevant business units and senior management.
‍
Besides performing their internal control functions, internal control personnel also share their suggestions of ways to improve existing processes at the Bank and to mitigate the risks inherent in them. The aim of this practice is to preclude risks by spotting them in advance, to make the Bank more competitive by improving its business processes, and to increase customer satisfaction while also taking measures to cut costs.
‍
Within the framework of Article 18 of the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks, regulatory compliance controls are also carried out within internal control. In the course of these reviews, all operations conducted or planned by the Bank as well as new transactions and products are checked to be sure that they comply with laws and regulations, with the Bank’s own policies and rules, and with generally-accepted banking practices. During such compliance reviews, existing Bank-internal rules and proposed changes in them are also examined and views concerning them are circulated among appropriate units.
‍
In 2024, on-site branch control activities decreased with the development of projects such as real-time (instant) control of retail and corporate loans from the center, commissioning of robotic controls, and diversification of scenario-based analytical control studies. This resulted in a reduction in greenhouse gas emissions due to the elimination of the need for flights, road vehicle use and hotel stays for business trips.
‍
Another important project was the integration of physical reports containing the issues examined and findings identified within the scope of internal control activities at the TRNC Country Management into the internal control modules in the main banking application. As a result, consumption of paper was reduced, saving resources as well as reducing emissions. On the other hand, as a result of the project, internal controllers’ reporting and finding follow-up process has become more efficient, and the transition to identification/finding correction and process improvement activities of the controlled units has become easier.

Operations of the Bank to prevent the laundering of proceeds of crime, the financing of terrorism, and the proliferation of weapons of mass destruction are conducted in strict compliance with national and international regulations.
‍
In accordance with the “Regulation on the Compliance Program on the Prevention of Laundering Proceeds of Crime,” updated in line with changes in Law No. 5549 on the Prevention of Laundering Proceeds of Crime, as the main financial institution within the Ziraat Finance Group, the Bank follows the compliance program and the Ziraat Finance Group Compliance Policy on a financial group basis together with the financial institutions operating within the country. In this regard, the Bank’s Principles of Practice and Procedures for Prevention of Laundering Proceeds of Crime and Proliferation of Terrorism and Weapons of Mass Destruction was fully updated in order to ensure that the responsibilities imposed by the relevant laws and regulations may be effectively fulfilled. Care is taken to allocate personnel and resources with due regard to the structural characteristics of the group.
‍
With the rapid digitalization brought about by technological developments in banking processes, criminal organizations have also increased the use of technology and started to turn to more complex tools in order to use banks to finance their illegal activities. Along with its investments in innovations and new products in financial services, the Bank has developed preventive control mechanisms to ensure that the products and services it offers are not used as an instrument for illegal activities, and are structured in such a way that situations which cannot be prevented through preventive controls are detected in a timely manner, with the Bank able to take quick action in the fight against the proceeds from crime with proactive measures.
‍
In addition to the knowledge and analytical skills of specialized personnel to better identify potential risks in the field of laundering proceeds of crime, financing terrorism and the proliferation of weapons of mass destruction, and to effectively manage and control risks, the Bank is focusing on projects to create a system that can effectively respond to the requirements of combating laundering proceeds of crime and terrorist financing, with an emphasis on the use of digital solutions based on artificial intelligence and machine learning.
‍
In this context, the Bank will continue to focus on developing technology-based and innovative processes in the upcoming period, as well as investing in this area in order to ensure that the measures and obligations in place to combat money laundering and the financing of terrorism are more effective and faster.
‍
Systematic improvements continue to be made in order to adapt the Bank’s customer acquisition process to the current conjuncture and to minimize the compliance risks that this process may pose.
‍
In order to effectively combat the laundering of proceeds of crime and the financing of terrorism and the proliferation of weapons of mass destruction, all domestic and foreign financial institutions operating within Ziraat Finance Group follow an effective risk-based approach, identify and classify the risks subject to combat, and establish effective and proportionate controls based on the identified risks. New typologies developed by crime and terror groups in all countries and areas of operation are closely monitored, trend analyzes are made, and resource planning is made in accordance with the risk-based approach model. In this context, projects aimed at the more efficient use of technological opportunities are rapidly implemented besides the increase in human resources. In this field, studies are carried out to provide efficiency and speed with machine learning structures.
‍
In this context, necessary measures in the form of written policies and procedures, which are created by the Group and updated with the changes in the regulations and in these matters, are taken in order to prevent the use of the products and services provided by the Bank and the Ziraat Finance Group with the purpose of money laundering, terrorism and the proliferation of weapons of mass destruction, and controls are carried out in a way that the Bank does not expose to any operational risk, reputational risks and sanctions in these matters.
‍
Checks have been put in place to eliminate the risk of sanctions by preventing the bank from entering into business relations with individuals and organizations which are included in the programs of sanctions followed by the Bank, while also ensuring that the bank does not provide any services for sanctioned activities and halting any banking service which violates the sanctions.
‍
Within the scope of the compliance program regulation, thanks to the system developed to ensure information sharing within Ziraat Finance Group and supported by the Bank’s technology infrastructure, information continues to be shared securely within the Group within the framework of Ziraat Finance Group’s information sharing policy.
‍
In addition to the domestic subsidiaries of the Bank within Ziraat Finance Group, there are regular contacts with overseas branches and subsidiaries within the framework of the coordinated strategy carried out for compliance activities, joint studies are carried out in terms of compliance with national and international legislation and practices, especially SGA/TFO, and remote or on-site support and trainings are provided to the relevant branches or subsidiaries when necessary, and the support provided by the Bank will continue to increase in the coming period. Ziraat Pay and Ziraat Dinamik, the subsidiaries established by the Bank, are leading the adaptation of the systematic structures required for compliance controls at the Bank, and the systematic adaptation work required for the compliance controls of the Algeria Branch is ongoing. In the process of opening the Dubai Representative Office, support was provided in the preparation of harmonization legislation.
‍
In-house training continues to be provided in order to develop common standards on “Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Weapons of Mass Destruction,” to create common processes, to exchange information in line with the common policy goal.
‍
In addition, trainings are continued to be organized to raise the awareness and consciousness of all personnel on the prevention of laundering proceeds of crime and financing of terrorism.
‍
The Bank will continue to strengthen its checks by taking into account existing laws and regulations regarding the timely detection, minimization and prevention of compliance risks within the Group.
‍
With their expert staff structure and analytical infrastructure, Ziraat Bank’s compliance units, both as the main financial institution and the financial institutions operating within the Ziraat Finance Group continued to closely follow new trends and best practices in the field of SGA/TFP, as in past years. They will continue their activities with a risk-based approach aimed at maximizing efficiency and effectiveness by achieving the maximum use of technological opportunities.

Ziraat Bank’s risk management activities are conducted in accordance with “Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks” and other pertinent regulations, as well as BRSA Good Practice Guidelines, with the aim of cultivating a risk culture throughout the Bank and bringing the risk management function closer to best practices by continuously improving the system and human resources. The activities carried out within the framework of the risk management system include credit risk, market risk, operational risk, balance sheet risks (interest rate risk arising from banking book and liquidity risk), internal rating-based modeling and validation. In addition, the Bank’s overseas branches and subsidiaries comply with local regulations on risk management and monitor their risk management ratios. Care is taken to ensure that each risk type is carried out in coordination with the contributions of the units included in the line of activity to which it is related.
‍
Within the framework of credit risk management activities, efforts are carried out to define, measure, monitor and report credit risk using methods in line with Basel III. Credit risk limits approved by the Board of Directors are monitored, scenario analysis and stress tests are performed by applying various shocks to credit risk factors. Counterparty Credit Risk measurements are performed for counterparty risk.
‍
In addition, the models created with the Internal Ratings Based (IRB) approach and the validation studies and model outputs of these models are used in TFRS-9 calculations, allocation and pricing processes.
‍
Within the scope of market risk management activities; risk identification, measurement, analysis, monitoring and reporting activities are carried out and the analysis is supported by stress testing. Risk measurements are performed through internally reported value-at-risk measurement methods as well as legal calculations to be included in the capital adequacy ratio. Value at risk results are monitored through back test analysis. The amounts subject to market risk are periodically monitored through Board of Directors approved limits and the internal limits are shared with the Bank’s Senior Management.
‍
Within the scope of operational risk management activities, operational risks are defined, classified, measured and analyzed, and operational risk signal and limit values approved by the Board of Directors are periodically monitored. The amount subject to operational risk is calculated using the Basic Indicator Method in accordance with the Regulation on Measurement and Assessment of Banks’ Capital Adequacy. The Bank’s operational risk loss database, which is integrated with the Bank and is compatible with the accounting system, was established in line with a classification covering the loss event type and activity lines of the Basel Banking Supervision and Audit Committee, and includes data obtained from overseas and domestic branches and subsidiaries. Effective methods are applied to monitor the company’s operational risk outlook. In addition, a self-assessment study covering the Bank’s organization is conducted, risks arising from information technologies and the actions taken are monitored in coordination with the relevant units, and risk assessments are made for the organizations from which support services are received. On the other hand, reputation risk studies are also carried out within the scope of operational risk and the analyses made are subject to reports.
‍
Within the scope of balance sheet risks, the Bank carries out definition, measurement, analysis, monitoring and reporting activities regarding liquidity risk and interest rate risk arising from banking book. The consolidated and unconsolidated Liquidity Coverage Ratio and Net Stable Funding Ratio and Interest Rate Risk Ratio Arising from Unconsolidated Banking Book are reported periodically to the BRSA. In addition, the interest rate risk signal and limit values approved by the Board of Directors for liquidity and interest rate risk arising from banking book are monitored periodically.

In addition to the stress test analyses that are subject to periodic internal reports, Stress Test and ICAAP Reports are prepared for submission to the BRSA as of the end of each year, and the Bank’s internal capital and liquidity adequacy level is analyzed.
‍
Activities are carried out by the validation unit in order to evaluate the accuracy, consistency and adequacy of the rating models and other measurement methodologies used internally in order to accurately measure and manage the risks to which the Bank is exposed, the stability of the risk models and the output (risk estimates, ratings) performances and to report the results to the Senior Management at regular intervals. In this way, it is aimed to carry out validation studies of the internal models used in decision-making processes so that necessary actions can be taken as a result of the findings and to ensure full compliance with legal requirements.
‍
The results of the analysis carried out within the scope of risk management activities and risk indicators are submitted to the Audit Committee and the Board of Directors at six-month intervals, to the Audit Committee on a monthly basis and to the Senior Management on a monthly, weekly or daily basis.
‍
In the new operating period, the Bank will continue to carry out activities for all risk types based on internationally recognized advanced risk management techniques and to carry out these activities as an integral part of the Bank’s strategic decision-making processes.

In line with our Bank’s Sustainability Policy, our activities that create added value with the principle of banking that respects people and the environment are listed below.
‍
Within the scope of the Sustainable Banking Process Audit, which was included in the audit plan in 2024 by the Internal Audit Board in order to evaluate the work carried out by our Bank within the framework of the concept of sustainability, which has been one of the main agenda items of both governments and institutions in recent years; sustainability performance criteria (Key Performance Indicator (KPI)) in line with syndicated loan requirements, our Bank’s environmental loan products within the scope of sustainability, the Draft Communiqué on Green Asset Ratios published by the BRSA on 01.10.2023, the Draft Communiqué on Green Asset Ratios published by the BRSA on 01.01.2023, the legislation published by the Public Oversight Authority on sustainability in the financial sector, and the Bank’s overall level of compliance with the strategies and policies of national and international authorities in the field of sustainable banking were examined. In addition, within the scope of the audit, the integrated annual reports published since 2019, which include the Bank’s sustainability policies on an annual basis, and the general strategies and policies of national and international authorities in the field of sustainable banking were also examined.
‍
Within the scope of the supervision model implemented by the Board, all branch reports were issued through the system, thus eliminating the need to send physical documents/reports. In addition to branch audits, audit reports for all Head Office Units were prepared and monitored through the system.
‍
In addition, with the e-signature and virtual archive application in use, all audit and inspection/investigation reports are digitally archived on the main banking software without the need for a physical document archive.
‍
The transfer of audit and investigation reports to the system and the virtual archive application, resulted in a saving of 32,000 sheets of A4.