Internal Audit and Risk Management

Internal Control Center and Compliance Department

Reporting directly to the Board of Directors/Audit Committee, the Internal Control Center and Compliance Department is in charge of making sure that the Group's activities are carried out efficiently and productively in compliance with national legislation and in-house regulations, reducing operational and other risks, and ensuring the reliability and integration of accounting, financial reporting and IT systems.

The internal control and compliance efforts consist of control and reporting activities carried out independently at certain intervals by internal control and compliance employees at the Head Office and/or at branches, with a view to assessing the compliance, adequacy and efficiency of operations. The units are also responsible for ensuring coordination with domestic and foreign subsidiaries regarding internal control and compliance and routine report flow.

The Internal Control Center and Compliance Department performs its activities within the framework of national legislation, regulations, communiqués, as well as in-house codes. Once every three months, the Audit Committee is informed about the activities, agenda and organization of the Internal Control Center and Compliance Department.

Internal Control Activities

The Branches Financial Control Department carries out the accounting analysis and control of activities that have an impact on the Bank's profit and loss by transaction and customer. Besides, the department controls the reports prepared by various departments to be sent to public agencies such as the Banking Regulation and Supervision Agency, the Central Bank of Turkey and the Savings Deposit Insurance Fund.

The Branches Internal Control Department produces six-monthly control plans with a risk-focused perspective, and carries out control activities concerning all business lines across the branches. By way of branch visits, the Branches Internal Control Department controls the compliance of transactions with laws and in-house regulations, searches for any deficiencies in the internal control function, shares its findings with the relevant branches and business lines, and follows up future developments.

In accordance with the type of control planned at each branch, the Central Controls Department carries out centralized controls concerning possible abuses and transactions of the Private Banking Centers.

The Fund Management Internal Control Department is in charge of controlling transactions carried out by Fund Management and relevant operational departments, in financial and operational terms.

The Basic Controls and Support Department organizes the processes of reporting and coordination inside the Internal Control Center and Compliance Department, and executes the controls of support activities and subsidiaries during the performance of administrative and organizational duties.

The Control Assessment and IT Control Department carries out information technology controls over IT activities supporting the Bank's operations, communication channels, IT systems, and IT security policies, and oversees the harmony between IT security policies, standards and guides in accordance with the Cobit framework.

Finally, the Loans and Credit Cards Control Department performs periodical controls to ensure that the loan and credit card payment transactions undertaken by the Bank are in compliance with laws, regulations and the Bank's internal procedures.

Compliance Activities

The Compliance Group performs its duties via the following departments:

• Corporate Compliance Department
• Anti-Money Laundering Department

The Corporate Compliance Department is responsible for setting basic compliance rules, overseeing the coordination of compliance risk management, ensuring compliance with the Group standards and local regulations, organizing compliance-related information flow and reporting procedures among the subsidiaries, as well as integrating DenizBank subsidiaries within the current Corporate Compliance system.

The Anti-Money Laundering Department’s duties include monitoring customer transactions within the scope of Law No. 5549 on the Prevention of the Laundering of Proceeds of Crime and Law No. 6415 on the Prevention of the Financing of Terrorism, giving its opinion or approval for transactions concerning risk-bearing sectors and countries, controlling correspondent banks, identifying and monitoring suspicious transactions, reporting these to the public authorities and organizing classroom and online training seminars among Bank personnel on the “Prevention of Laundering of Criminal Proceeds and Financing Terrorism”.

Internal Audit Department

The auditors of the Internal Audit Department inspect the level of compliance of the Bank’s operations with legislation, Articles of Association, in-house regulations and banking principles. The promotion of auditors is based on examination results and job performance. Recruited following a very stringent selection process and an intensive training program, internal auditors conduct their activities in an impartial, independent and meticulous fashion, in line with their professional code of ethics. Additionally, the Internal Audit Department also actively informs and trains the Bank personnel.

The Internal Audit Department performs its functions under the following five organizational categories:

1-Audit of Head Office Processes and Subsidiaries

The department audits the processes of Head Office units, and the processes and activities of domestic and foreign subsidiaries in accordance with legislation and regulations, and also monitors its findings in line with an action plan, and analyzes relevant processes.

2- Branch Audits

The risk assessments of the branches are conducted, annual branch audit plans are prepared, branch activities are audited, and the findings are shared with relevant branches and Head Office departments and monitored.

3- Investigations and Inquiries

Bank losses are investigated to uncover the underlying reasons and employees responsible, and inquiries are carried out to mitigate losses and correct errors, while initiatives are taken for the early detection and prevention of misconduct, with Bank employees briefed and trained on this topic.

4-Audit of Information System Processes

Audits are conducted to ensure that DenizBank Financial Services Group's IT system processes are structured to support the Bank’s policies, and are managed in compliance with the applicable legislation.

5-Audit Management Office

Activities consist of making necessary plans and arrangements regarding all of DFSG’s internal audit activities; contributing to the identification of the best instruments and methods, and generating relevant reports; preparing operational procedures and updating existing procedures under the supervision of the General Auditor.

Risk Management Group

The Risk Management Group carries out comprehensive risk management activities which play a critical role in the identification of DenizBank’s operational strategies. The Group is responsible for creating, auditing and reporting necessary policies and procedures to identify, measure, analyze and monitor risks, which are primarily real or potential risks including the risk/return ratio of cash flows. These policies and procedures follow the principles set by the Bank’s executive management and Risk Management Group and approved by the Board of Directors.

Depending on the type of process involved the Risk Management Group works in collaboration with the Audit Committee, Assets and Liabilities Committee, Credit Committee, Risk Committee, and the Internal Control and Compliance, and Internal Audit Committees as regards both policies and practices.

• The Group periodically reports all risk analyses to the Audit Committee and Assets and Liabilities Committees so as to guide them in determining and monitoring risk limits and developing risk management strategies.
• Monitoring, analysis, assessment and modeling of credit risk are conducted, based on credit type, by the credit allocation departments of the related groups, namely the Credit Committee, Risk Committee and Risk Management Group. Results pertaining to credit risk are reported to the Board of Directors.
• While each business unit is responsible for managing its own operational risk, the Risk Management Group sets policies and monitors and reports activities in coordination with the Internal Control, Compliance, and Internal Audit Department. Assessments are performed by the Risk Committee and the Audit Committee.

Risk management policies consist of risk identification, measurement and management processes. Within this scope, DenizBank conducts its banking activities by strictly adhering to risk management policies that aim to analyze risks and manage them within acceptable limits. DenizBank has adopted this as an integral principle in all of its operations to develop systems that comply with Basel II, and other guiding international risk management principles.

Risk Management policies are based on the following types of risk:

• Market Risk,
• Basel II/Credit Risk,
• Liquidity Risk,
• Operational Risk,
• Structural Interest Rate Risk

Market Risk

DenizBank conducts its activities in the money and capital markets in accordance with its risk policies and limits. DenizBank measures market risk using the internationally-accepted Value at Risk (VaR) method, which is known for its dynamic structure that adapts easily to changing market conditions. VaR quantifies the loss of value that the portfolio of the Bank and its financial subsidiaries might suffer at a given time and confidence interval as a result of price fluctuations in risk factors. VaR analyses are supported by scenario analyses and stress tests. This method allows for adaptation to changing market conditions when the risk level is determined. The reliability of the model used in calculating VaR is periodically tested through back testing.

DenizBank has formulated risk policies and established risk-based limits with regards to its trading activities in money and capital markets.

Basel II/Credit Risk

In line with BRSA’s regulations on Basel II, the Risk Management Group manages the calculation of legal credit risk weighted assets in the 1. Structural Block, in coordination with the Financial Affairs Group. Within the scope of the 2. Structural Block, the Bank calculates the annual general stress test according to its plans and scenarios; whereas the Internal Capital Assessment Process Report is prepared by Bank management and other departments in coordination. In order to ensure compliance with Basel II credit risk internal assessment methods, the Group participates in the development of the necessary credit risk models and coordinates efforts to integrate these with the data infrastructure. The Group is also in charge of the quality control and reporting of the credit levels yielded by the current internal credit assessment models .

Liquidity Risk

DenizBank monitors liquidity adequacy within defined limits to ensure that it has sufficient liquidity and reserves under any condition. While analyzing liquidity adequacy, any negative developments that may arise as a result of a change in market conditions or customer behavior are taken into account. The adequacy of existing liquidity and reserve opportunities are tested against these worst-case scenarios.

Operational Risk

All activities bearing operational risk for DenizBank and its subsidiaries are recorded in a manner that captures the causes and impacts of events, collections, and measures taken to prevent the repetition of such events, and are periodically reported to the executive management and updated as needed. Potential risk is assessed by means of Risk and Control Self-Assessment, with risk mitigation measures taken before events occur. The Business Continuity Program is coordinated to cover the design, implementation and testing stages of these policies.

Structural Interest Rate Risk

DenizBank monitors the structural interest rate risk that the Bank is exposed to due to its balance sheet structure by using advanced models, and controls assumed risks through defined limits. Interest sensitivity analyses are conducted to measure the impact of the Bank’s maturity mismatch on net present value and income.