PROJECT REPORT ON

Control System In Banks.

A PROJECT SUBMITTED TO

UNIVERSITY OF MUMBAI

FOR PARTIAL COMPLETION OF THE DEGREE OF

BACHELOR OF MANAGEMENT STUDIES

UNDER THE FACULTY OF COMMERCE

BY

SHAIKH SHAHIM

ROLL NO:- 27 SEAT NO :-

UNDER THE GUIDANCE OF

PROF.

STUYDING AT

Rizvi Education Society's

RIZVI COLLEGE OF ARTS, SCIENCE AND COMMERCE

RIZVI EDUCATIONAL COMPLEX, BANDRA (WEST), MUMBAI

ACADEMIC YEAR 2018-2019

1
 A Project On

Control System in Banks.

A PROJECT SUBMITTED TO

UNIVERSITY OF MUMBAI

FOR PARTIAL COMPLETION OF THE DEGREE OF

BACHELOR OF MANAGEMENT STUDIES

UNDER THE FACULTY OF COMMERCE

By

SHAIKH SHAHIM

Roll No: 27 Seat No:

Under The Guidance of

Prof.

Studying at

Rizvi Education Society's

Rizvi College of Arts, Science & Commerce

Rizvi Education Complex, Bandra (West), Mum

2
 Declaration by learner

I the undersigned Miss / Mr. Shaikh Shahim here by, declare that the work embodied in
this project work titled “Control system in banks” , forms my own contribution to the
research work carried out under the guidance of is a result of my
own research work and has not been previously submitted to any other University for any
other Degree/ Diploma to this or any other University.
Wherever reference has been made to previous works of others, it has been clearly
indicated as such and included in the bibliography.
I, here by further declare that all information of this document has been obtained and
presented in accordance with academic rules and ethical conduct.

Name and signature of the learner

Certified by
Name and signature of the Guiding Teacher

3
 CERTIFICATE

This is to certify that ______________________________________________ has

worked and duly completed his Project Work for the degree of Bachelor of Commerce
(Banking & Insurance) under the Faculty of Commerce and his project is entitled,
_________________________________________________________ under my
supervision
I further certify that the entire work has been done by the learner under my guidance and
that no part of it has been submitted previously for any Degree or Diploma of any
University.
It is his own work and facts reported are by his personal findings and investigations.

___________________________ _______________________
Prof. _______________________ Prof. Furqan Shaikh
(Project Guide) (BBI Co-ordinator)

___________________________ ___________________________
External Examiner Dr. (Mrs.) Anjum Ara Ahmad
(Principal I/c)

4
 Acknowledgement
To list who all have helped me is difficult because they are so numerous and the depth is
so enormous.
I would like to acknowledge the following as being idealistic channels and fresh
dimensions in the completion of this project.
I take this opportunity to thank the University of Mumbai for giving me chance to do this
project.
I would like to thank my Principal, Dr. (Mrs.) Anjum Ara Ahmad for providing the
necessary facilities required for completion of this project.
I take this opportunity to thank our Coordinator Mr. Furqan Shaikh, for moral support and
guidance.
I would also like to express my sincere gratitude towards my project guide
_____________________________ whose guidance and care made the project
successful.
I would like to thank my College Library, for having provided various reference books
and magazines related to my project.
Lastly, I would like to thank each and every person who directly or indirectly helped me
in the completion of the project especially my Parents and Peers who supported me
throughout my project.

5
 Index

Sr. No. Topic Page No

6
 INTRODUCTION
1. As part of its on-going efforts to address bank supervisory issues and enhance
supervision through guidance that encourages sound risk management practices, the
Basle Committee on Banking Supervision is issuing this framework for the evaluation of
internal control systems. A system of effective internal controls is a critical component of
bank management and a foundation for the safe and sound operation of banking
organisations. A system of strong internal controls can help to ensure that the goals and
objectives of a banking organisation will be met, that the bank will achieve long-term
profitability targets, and maintain reliable financial and managerial reporting. Such a
system can also help to ensure that the bank will comply with laws and regulations as
well as policies, plans, internal rules and procedures, and decrease the risk of unexpected
losses or damage to the bank’s reputation. The paper describes the essential elements of a
sound internal control system, drawing upon experience in member countries and
principles established in earlier publications by the Committee. The objective of the paper
is to outline a number of principles for use by supervisory authorities when evaluating
banks’ internal control systems. 2. The Basle Committee, along with banking supervisors
throughout the world, has focused increasingly on the importance of sound internal
controls. This heightened interest in internal controls is, in part, a result of significant
losses incurred by several banking organisations. An analysis of the problems related to
these losses indicates that they could probably have been avoided had the banks
maintained effective internal control systems. Such systems would have prevented or
enabled earlier detection of the problems that led to the losses, thereby limiting damage
to the banking organisation. In developing these principles, the Committee has drawn on
lessons learned from problem bank situations in individual member countries. 3. These
principles are intended to be of general application and supervisory authorities should use
them in assessing their own supervisory methods and procedures for monitoring how
banks structure their internal control systems. While the exact approach chosen by
individual supervisors will depend upon a host of factors, including their on-site and off-
site supervisory techniques and the degree to which external auditors are also used in the
supervisory function, all members of the Basle Committee agree that the principles set
out in this paper should be used in evaluating a bank’s internal control system. 4. The
Basle Committee is distributing this paper to supervisory authorities worldwide in the
belief that the principles presented will provide a useful framework for the Internal
control systems 2 effective supervision of internal control systems. More generally, the
Committee wishes to emphasise that sound internal controls are essential to the prudent
operation of banks and to promoting stability in the financial system as a whole. While
the Committee recognises that not all institutions may have implemented all aspects of
this framework, banks are working towards adoption. 5. The guidance previously issued
by the Basle Committee typically included discussions of internal controls affecting
specific areas of bank activities, such as interest rate risk, and trading and derivatives
activities. In contrast, this guidance presents a framework that the Basle Committee
encourages supervisors to use in evaluating the internal controls over all on- and off-
balance sheet activities of banks and consolidated banking organisations. The guidance
does not focus on specific areas or activities within a banking organisation. The exact
application depends on the nature, complexity and risks of the bank’s activities. 6. The
Committee provides background information is section I, sets out the objectives and role

7
of an internal control framework in Section II, and stipulates in sections III and IV of the
paper thirteen principles for banking supervisory authorities to apply in assessing banks’
internal control systems. In addition, Appendix I lists reference materials and Appendix II
provides supervisory lessons learned from past internal control failures. Principles for the
Assessment of Internal Control Systems Management oversight and the control culture
Principle 1: The board of directors should have responsibility for approving and
periodically reviewing the overall business strategies and significant policies of the bank;
understanding the major risks run by the bank, setting acceptable levels for these risks
and ensuring that senior management takes the steps necessary to identify, measure,
monitor and control these risks; approving the organisational structure; and ensuring that
senior management is monitoring the effectiveness of the internal control system. The
board of directors is ultimately responsible for ensuring that an adequate and effective
system of internal controls is established and maintained. Principle 2: Senior management
should have responsibility for implementing strategies and policies approved by the
board; developing processes that identify, measure, monitor and control risks incurred by
the bank; maintaining an organisational Internal control systems 3 structure that clearly
assigns responsibility, authority and reporting relationships; ensuring that delegated
responsibilities are effectively carried out; setting appropriate internal control policies;
and monitoring the adequacy and effectiveness of the internal control system. Principle 3:
The board of directors and senior management are responsible for promoting high ethical
and integrity standards, and for establishing a culture within the organisation that
emphasises and demonstrates to all levels of personnel the importance of internal
controls. All personnel at a banking organisation need to understand their role in the
internal controls process and be fully engaged in the process. Risk Recognition and
Assessment Principle 4: An effective internal control system requires that the material
risks that could adversely affect the achievement of the bank’s goals are being recognised
and continually assessed. This assessment should cover all risks facing the bank and the
consolidated banking organisation (that is, credit risk, country and transfer risk, market
risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk).
Internal controls may need to be revised to appropriately address any new or previously
uncontrolled risks. Control Activities and Segregation of Duties Principle 5: Control
activities should be an integral part of the daily activities of a bank. An effective internal
control system requires that an appropriate control structure is set up, with control
activities defined at every business level. These should include: top level reviews;
appropriate activity controls for different departments or divisions; physical controls;
checking for compliance with exposure limits and follow-up on non-compliance; a
system of approvals and authorisations ; and, a system of verification and reconciliation.
Principle 6: An effective internal control system requires that there is appropriate
segregation of duties and that personnel are not assigned conflicting responsibilities.
Areas of potential conflicts of interest should be identified, minimized , and subject to
careful, independent monitoring. Internal control systems 4 Information and
communication Principle 7: An effective internal control system requires that there are
adequate and comprehensive internal financial, operational and compliance data, as well
as external market information about events and conditions that are relevant to decision
making. Information should be reliable, timely, accessible, and provided in a consistent
format. Principle 8: An effective internal control system requires that there are reliable

8
information systems in place that cover all significant activities of the bank. These
systems, including those that hold and use data in an electronic form, must be secure,
monitored independently and supported by adequate contingency arrangements. Principle
9: An effective internal control system requires effective channels of communication to
ensure that all staff fully understand and adhere to policies and procedures affecting their
duties and responsibilities and that other relevant information is reaching the appropriate
personnel. Monitoring Activities and Correcting Deficiencies Principle 10: The overall
effectiveness of the bank’s internal controls should be monitored on an ongoing basis.
Monitoring of key risks should be part of the daily activities of the bank as well as
periodic evaluations by the business lines and internal audit. Principle 11: There should
be an effective and comprehensive internal audit of the internal control system carried out
by operationally independent, appropriately trained and competent staff. The internal
audit function, as part of the monitoring of the system of internal controls, should report
directly to the board of directors or its audit committee, and to senior management.
Principle 12: Internal control deficiencies, whether identified by business line, internal
audit, or other control personnel, should be reported in a timely manner to the appropriate
management level and addressed promptly. Material internal control deficiencies should
be reported to senior management and the board of directors. Internal control systems 5
Evaluation of Internal Control Systems by Supervisory Authorities Principle 13:
Supervisors should require that all banks, regardless of size, have an effective system of
internal controls that is consistent with the nature, complexity, and risk inherent in their
on- and off-balance-sheet activities and that responds to changes in the bank’s
environment and conditions. In those instances where supervisors determine that a bank's
internal control system is not adequate or effective for that bank’s specific risk profile
(for example, does not cover all of the principles contained in this document), they should
take appropriate action. I. Background 1. The Basle Committee has studied recent
banking problems in order to identify the major sources of internal control deficiencies.
The problems identified reinforce the importance of having bank directors and
management, internal and external auditors, and bank supervisors focus more attention on
strengthening internal control systems and continually evaluating their effectiveness.
Several recent cases demonstrate that inadequate internal controls can lead to significant
losses for banks. 2. The types of control breakdowns typically seen in problem bank cases
can be grouped into five categories: • Lack of adequate management oversight and
accountability, and failure to develop a strong control culture within the bank. Without
exception, cases of major loss reflect management inattention to, and laxity in, the control
culture of the bank, insufficient guidance and oversight by boards of directors and senior
management, and a lack of clear management accountability through the assignment of
roles and responsibilities. These cases also reflect a lack of appropriate incentives for
management to carry out strong line supervision and maintain a high level of control
consciousness within business areas. • Inadequate recognition and assessment of the risk
of certain banking activities, whether on- or off-balance sheet. Many banking
organisations that have suffered major losses neglected to recognise and assess the risks
of new products and activities, or update their risk assessments when significant changes
occurred in the environment or business conditions. Many recent cases highlight the fact
that control systems that function well for traditional or simple products are unable to
handle more sophisticated or complex products. • The absence or failure of key control

9
structures and activities, such as segregation of duties, approvals, verifications,
reconciliations, and reviews of operating performance. Internal control systems 6 Lack of
segregation of duties in particular has played a major role in the significant losses that
have occurred at banks. • Inadequate communication of information between levels of
management within the bank, especially in the upward communication of problems. To
be effective, policies and procedures need to be effectively communicated to all
personnel involved in an activity. Some losses in banks occurred because relevant
personnel were not aware of or did not understand the bank’s policies. In several
instances, information about inappropriate activities that should have been reported
upward through organisational levels was not communicated to the board of directors or
senior management until the problems became severe. In other instances, information in
management reports was not complete or accurate, creating a falsely favourable
impression of a business situation. • Inadequate or ineffective audit programs and
monitoring activities. In many cases, audits were not sufficiently rigorous to identify and
report the control weaknesses associated with problem banks. In other cases, even though
auditors reported problems, no mechanism was in place to ensure that management
corrected the deficiencies. 3. The internal control framework underlying this guidance is
based on practices currently in place at many major banks, securities firms, and non-
financial companies, and their auditors. Moreover, this evaluation framework is
consistent with the increased emphasis of banking supervisors on the review of a banking
organisation’s risk management and internal control processes. It is important to
emphasise that it is the responsibility of a bank’s board of directors and senior
management to ensure that adequate internal controls are in place at the bank and to
foster an environment where individuals understand and meet their responsibilities in this
area. In turn, it is the responsibility of banking supervisors to assess the commitment of a
bank’s board of directors and management to the internal control process. II. The
Objectives and Role of the Internal Control Framework 4. Internal control is a process
effected by the board of directors,1 senior management and all levels of personnel. It is
not solely a procedure or policy that is performed 1 This paper refers to a management
structure composed of a board of directors and senior management. The Committee is
aware that there are significant differences in legislative and regulatory frameworks
across countries as regards the functions of the board of directors and senior
management. In some countries, the board has the main, if not exclusive, function of
supervising the executive body (senior management, general management) so as to
ensure that the latter fulfils its tasks. For this reason, in some cases, it is known as a
supervisory board. This means that the board has no executive functions. In other
countries, by contrast, the board has a broader competence in that it lays down the
general framework for the management of the bank. Owing to these differences, the
notions of the board of directors and senior management are used in this paper not to
identify legal constructs but rather to label two decision-making functions within a bank.
Internal control systems 7 at a certain point in time, but rather it is continually operating
at all levels within the bank. The board of directors and senior management are
responsible for establishing the appropriate culture to facilitate an effective internal
control process and for monitoring its effectiveness on an ongoing basis; however, each
individual within an organisation must participate in the process. The main objectives of
the internal control process can be categorised as follows:2 1. efficiency and effectiveness

10
of activities (performance objectives); 2. reliability, completeness and timeliness of
financial and management information (information objectives); and 3. compliance with
applicable laws and regulations (compliance objectives). 5. Performance objectives for
internal controls pertain to the effectiveness and efficiency of the bank in using its assets
and other resources and protecting the bank from loss. The internal control process seeks
to ensure that personnel throughout the organisation are working to achieve its goals with
efficiency and integrity, without unintended or excessive cost or placing other interests
(such as an employee’s, vendor’s or customer’s interest) before those of the bank. 6.
Information objectives address the preparation of timely, reliable, relevant reports needed
for decision-making within the banking organisation. They also address the need for
reliable annual accounts, other financial statements and other financial-related disclosures
and reports to shareholders, supervisors, and other external parties. The information
received by management, the board of directors, shareholders and supervisors should be
of sufficient quality and integrity that recipients can rely on the information in making
decisions. The term reliable, as it relates to financial statements, refers to the preparation
of statements that are presented fairly and based on comprehensive and well-defined
accounting principles and rules. 7. Compliance objectives ensure that all banking
business complies with applicable laws and regulations, supervisory requirements, and
the organisation’s policies and procedures. This objective must be met in order to protect
the bank’s franchise and reputation. III. The Major Elements of an Internal Control
Process 8. The internal control process, which historically has been a mechanism for
reducing instances of fraud, misappropriation and errors, has become more extensive,
addressing all the various risks faced by banking organisations. It is now recognised that
a sound internal control process is critical to a bank's ability to meet its established goals,
and to maintain its financial viability. 2 These include internal controls over safeguarding
of assets and other resources against unauthorised acquisition, use or disposition, or loss.
Internal control systems 8 9. Internal control consists of five interrelated elements: 1.
management oversight and the control culture; 2. risk recognition and assessment; 3.
control activities and segregation of duties; 4. information and communication; and 5.
monitoring activities and correcting deficiencies. The problems observed in recent large
losses at banks can be aligned with these five elements. The effective functioning of these
elements is essential to achieving a bank’s performance, information, and compliance
objectives. A. Management Oversight and the Control Culture 1. Board of directors
Principle 1: The board of directors should have responsibility for approving and
periodically reviewing the overall business strategies and significant policies of the bank;
understanding the major risks run by the bank, setting acceptable levels for these risks
and ensuring that senior management takes the steps necessary to identify, measure,
monitor and control these risks; approving the organisational structure; and ensuring that
senior management is monitoring the effectiveness of the internal control system. The
board of directors is ultimately responsible for ensuring that an adequate and effective
system of internal controls is established and maintained. 10. The board of directors
provides governance, guidance and oversight to senior management. It is responsible for
approving and reviewing the overall business strategies and significant policies of the
organisation as well as the organisational structure. The board of directors has the
ultimate responsibility for ensuring that an adequate and effective system of internal
controls is established and maintained. Board members should be objective, capable, and

11
inquisitive, with a knowledge or expertise of the activities of and risks run by the bank. In
those countries where it is an option, the board should consist of some members who are
independent from the daily management of the bank. A strong, active board, particularly
when coupled with effective upward communication channels and capable financial,
legal, and internal audit functions, provides an important mechanism to ensure the
correction of problems that may diminish the effectiveness of the internal control system.
11. The board of directors should include in its activities (1) periodic discussions with
management concerning the effectiveness of the internal control system, (2) a timely
review of evaluations of internal controls made by management, internal auditors, and
external auditors, (3) periodic efforts to ensure that management has promptly followed
up on recommendations and concerns expressed by auditors and supervisory authorities
on internal control Internal control systems 9 weaknesses, and (4) a periodic review of
the appropriateness of the bank’s strategy and risk limits. 12. One option used by banks in
many countries is the establishment of an independent audit committee to assist the board
in carrying out its responsibilities. The establishment of an audit committee allows for
detailed examination of information and reports without the need to take up the time of
all directors. The audit committee is typically responsible for overseeing the financial
reporting process and the internal control system. As part of this responsibility, the audit
committee typically oversees the activities of, and serves as a direct contact for, the
bank’s internal audit department and engages and serves as the primary contact for the
external auditors. In those countries where it is an option, the committee should be
composed mainly or entirely of outside directors (i.e., members of the board that are not
employed by the bank or any of its affiliates) who have knowledge of financial reporting
and internal controls. It should be noted that in no case should the creation of an audit
committee amount to a transfer of duties away from the full board, which alone is legally
empowered to take decisions. 2. Senior management Principle 2: Senior management
should have responsibility for implementing strategies and policies approved by the
board; developing processes that identify, measure, monitor and control risks incurred by
the bank; maintaining an organisational structure that clearly assigns responsibility,
authority and reporting relationships; ensuring that delegated responsibilities are
effectively carried out; setting appropriate internal control policies; and monitoring the
adequacy and effectiveness of the internal control system. 13. Senior management is
responsible for carrying out the directives of the board of directors, including the
implementation of strategies and policies and the establishment of an effective system of
internal control. Members of senior management typically delegate responsibility for
establishing more specific internal control policies and procedures to those responsible
for a particular business unit. Delegation is an essential part of management; however, it
is important for senior management to oversee the managers to whom they have
delegated these responsibilities to ensure that they develop and enforce appropriate
policies and procedures. 14. Compliance with an established internal control system is
heavily dependent on a well documented and communicated organisational structure that
clearly shows lines of reporting responsibility and authority and provides for effective
communication throughout the organisation. The allocation of duties and responsibilities
should ensure that there are no Internal control systems 10 gaps in reporting lines and that
an effective level of management control is extended to all levels of the bank and its
various activities. 15. It is important that senior management takes steps to ensure that

12
activities are conducted by qualified staff with the necessary experience and technical
capabilities. Staff in control functions must be properly remunerated. Staff training and
skills should be regularly updated. Senior management should institute compensation and
promotion policies that reward appropriate behaviours and minimise incentives for staff
to ignore or override internal control mechanisms. 3. Control culture Principle 3: The
board of directors and senior management are responsible for promoting high ethical and
integrity standards, and for establishing a culture within the organisation that emphasises
and demonstrates to all levels of personnel the importance of internal controls. All
personnel at a banking organisation need to understand their role in the internal controls
process and be fully engaged in the process. 16. An essential element of an effective
system of internal control is a strong control culture. It is the responsibility of the board
of directors and senior management to emphasise the importance of internal control
through their actions and words. This includes the ethical values that management
displays in their business dealings, both inside and outside the organisation. The words,
attitudes and actions of the board of directors and senior management affect the integrity,
ethics and other aspects of the bank’s control culture. 17. In varying degrees, internal
control is the responsibility of everyone in a bank. Almost all employees produce
information used in the internal control system or take other actions needed to effect
control. An essential element of a strong internal control system is the recognition by all
employees of the need to carry out their responsibilities effectively and to communicate
to the appropriate level of management any problems in operations, instances of non-
compliance with the code of conduct, or other policy violations or illegal actions that are
noticed. This can best be achieved when operational procedures are contained in clearly
written documentation that is made available to all relevant personnel. It is essential that
all personnel within the bank understand the importance of internal control and are
actively engaged in the process. 18. In reinforcing ethical values, banking organisations
should avoid policies and practices that may inadvertently provide incentives or
temptations for inappropriate activities. Examples of such policies and practices include
undue emphasis on performance targets or other operational results, particularly short-
term ones that ignore longer-term risks; compensation schemes that overly depend on
short-term performance; ineffective segregation Internal control systems 11 of duties or
other controls that could allow the misuse of resources or concealment of poor
performance; and insignificant or overly onerous penalties for improper behaviours. 19.
While having a strong internal control culture does not guarantee that an organisation will
reach its goals, the lack of such a culture provides greater opportunities for errors to go
undetected or for improprieties to occur. B. Risk Recognition and Assessment Principle 4:
An effective internal control system requires that the material risks that could adversely
affect the achievement of the bank’s goals are being recognised and continually assessed.
This assessment should cover all risks facing the bank and the consolidated banking
organisation (that is, credit risk, country and transfer risk, market risk, interest rate risk,
liquidity risk, operational risk, legal risk and reputational risk). Internal controls may
need to be revised to appropriately address any new or previously uncontrolled risks. 20.
Banks are in the business of risk-taking. Consequently it is imperative that, as part of an
internal control system, these risks are being recognised and continually assessed. From
an internal control perspective, a risk assessment should identify and evaluate the internal
and external factors that could adversely affect the achievement of the banking

13
organisation’s performance, information and compliance objectives. This process should
cover all risks faced by the bank and operate at all levels within the bank. It differs from
the risk management process which typically focuses more on the review of business
strategies developed to maximise the risk/reward trade-off within the different areas of
the bank. 21. Effective risk assessment identifies and considers internal factors (such as
the complexity of the organisation’s structure, the nature of the bank’s activities, the
quality of personnel, organisational changes and employee turnover) as well as external
factors (such as fluctuating economic conditions, changes in the industry and
technological advances) that could adversely affect the achievement of the bank’s goals.
This risk assessment should be conducted at the level of individual businesses and across
the wide spectrum of activities and subsidiaries of the consolidated banking organisation.
This can be accomplished through various methods. Effective risk assessment addresses
both measurable and non-measurable aspects of risks and weighs costs of controls against
the benefits they provide. 22. The risk assessment process also includes evaluating the
risks to determine which are controllable by the bank and which are not. For those risks
that are controllable, the bank must assess whether to accept those risks or the extent to
which it wishes to mitigate the risks through control procedures. For those risks that
cannot be controlled, the bank must decide Internal control systems 12 whether to accept
these risks or to withdraw from or reduce the level of business activity concerned. 23. In
order for risk assessment, and therefore the system of internal control, to remain
effective, senior management needs to continually evaluate the risks affecting the
achievement of its goals and react to changing circumstances and conditions. Internal
controls may need to be revised to appropriately address any new or previously
uncontrolled risks. For example, as financial innovation occurs, a bank needs to evaluate
new financial instruments and market transactions and consider the risks associated with
these activities. Often these risks can be best understood when considering how various
scenarios (economic and otherwise) affect the cash flows and earnings of financial
instruments and transactions. Thoughtful consideration of the full range of possible
problems, from customer misunderstanding to operational failure, will point to important
control considerations. C. Control Activities and Segregation of Duties Principle 5:
Control activities should be an integral part of the daily activities of a bank. An effective
internal control system requires that an appropriate control structure is set up, with
control activities defined at every business level. These should include: top level reviews;
appropriate activity controls for different departments or divisions; physical controls;
checking for compliance with exposure limits and follow-up on noncompliance; a system
of approvals and authorisations; and, a system of verification and reconciliation. 24.
Control activities are designed and implemented to address the risks that the bank
identified through the risk assessment process described above. Control activities involve
two steps: (1) the establishment of control policies and procedures; and (2) verification
that the control policies and procedures are being complied with. Control activities
involve all levels of personnel in the bank, including senior management as well as front
line personnel. Examples of control activities include: • Top level reviews - Boards of
directors and senior management often request presentations and performance reports that
enable them to review the bank’s progress toward its goals. For example, senior
management may review reports showing actual financial results to date versus the
budget. Questions that senior management generates as a result of this review and the

14
ensuing responses of lower levels of management represent a control activity which may
detect problems such as control weaknesses, errors in financial reporting or fraudulent
activities. Internal control systems 13 • Activity controls - Department or division level
management receives and reviews standard performance and exception reports on a daily,
weekly or monthly basis. Functional reviews occur more frequently than top-level
reviews and usually are more detailed. For instance, a manager of commercial lending
may review weekly reports on delinquencies, payments received, and interest income
earned on the portfolio, while the senior credit officer may review similar reports on a
monthly basis and in a more summarised form that includes all lending areas. As with the
top-level review, the questions that are generated as a result of reviewing the reports and
the responses to those questions represent the control activity. • Physical controls -
Physical controls generally focus on restricting access to tangible assets, including cash
and securities. Control activities include physical limitations, dual custody, and periodic
inventories. • Compliance with exposure limits - The establishment of prudent limits on
risk exposures is an important aspect of risk management. For example, compliance with
limits for borrowers and other counterparties reduces the bank’s concentration of credit
risk and helps to diversify its risk profile. Consequently, an important aspect of internal
controls is a process for reviewing compliance with such limits and follow-up on
instances of non-compliance. • Approvals and authorisations - Requiring approval and
authorisation for transactions over certain limits ensures that an appropriate level of
management is aware of the transaction or situation, and helps to establish accountability.
• Verifications and reconciliations - Verifications of transaction details and activities and
the output of risk management models used by the bank are important control activities.
Periodic reconciliations, such as those comparing cash flows to account records and
statements, may identify activities and records that need correction. Consequently, the
results of these verifications should be reported to the appropriate levels of management
whenever problems or potential problems are detected. 25. Control activities are most
effective when they are viewed by management and all other personnel as an integral part
of, rather than an addition to, the daily activities of the bank. When controls are viewed as
an addition to the day-to-day activities, they are often seen as less important and may not
be performed in situations where individuals feel pressured to complete activities in a
limited amount of time. In addition, controls that are an integral part of the daily activities
enable quick responses to changing conditions and avoid unnecessary costs. As part of
fostering the appropriate control culture within the bank, senior management Internal
should ensure that adequate control activities are an integral part of the daily functions of
all relevant personnel. 26. It is not sufficient for senior management to simply establish
appropriate policies and procedures for the various activities and divisions of the bank.
They must regularly ensure that all areas of the bank are in compliance with such policies
and procedures and also determine that existing policies and procedures remain adequate.
This is usually a major role of the internal audit function. Principle 6: An effective
internal control system requires that there is appropriate segregation of duties and that
personnel are not assigned conflicting responsibilities. Areas of potential conflicts of
interest should be identified, minimised, and subject to careful, independent monitoring.
27. In reviewing major banking losses caused by poor internal controls, supervisors
typically find that one of the major causes of such losses is the lack of adequate
segregation of duties. Assigning conflicting duties to one individual (for example,

15
responsibility for both the front and back offices of a trading function) gives that person
access to assets of value and the ability to manipulate financial data for personal gain or
to conceal losses. Consequently, certain duties within a bank should be split, to the extent
possible, among various individuals in order to reduce the risk of manipulation of
financial data or misappropriation of assets. 28. Segregation of duties is not limited to
situations involving simultaneous front and back office control by one individual. It can
also result in serious problems when there are not appropriate controls in those instances
where an individual has responsibility for: • approval of the disbursement of funds and
the actual disbursement; • customer and proprietary accounts; • transactions in both the
"banking" and "trading" books; • informally providing information to customers about
their positions while marketing to the same customers; • assessing the adequacy of loan
documentation and monitoring the borrower after loan origination; and, • any other areas
where significant conflicts of interest emerge and are not mitigated by other factors. 29.
Areas of potential conflict should be identified, minimised, and subject to careful
monitoring by an independent third party. There should also be periodic reviews of the
responsibilities and functions of key individuals to ensure that they are not in a position
to conceal inappropriate actions. Internal control systems 15 D. Information and
Communication Principle 7: An effective internal control system requires that there are
adequate and comprehensive internal financial, operational and compliance data, as well
as external market information about events and conditions that are relevant to decision
making. Information should be reliable, timely, accessible, and provided in a consistent
format. 30. Adequate information and effective communication are essential to the proper
functioning of a system of internal control. From the bank’s perspective, in order for
information to be useful, it must be relevant, reliable, timely, accessible, and provided in
a consistent format. Information includes internal financial, operational and compliance
data, as well as external market information about events and conditions that are relevant
to decision making. Internal information is part of a record-keeping process that should
include established procedures for record retention. Principle 8: An effective internal
control system requires that there are reliable information systems in place that cover all
significant activities of the bank. These systems, including those that hold and use data in
an electronic form, must be secure, monitored independently and supported by adequate
contingency arrangements. 31. A critical component of a bank's activities is the
establishment and maintenance of management information systems that cover the full
range of its activities. This information is usually provided through both electronic and
non-electronic means. Banks must be particularly aware of the organisational and internal
control requirements related to processing information in an electronic form and the
necessity to have an adequate audit trail. Management decision-making could be
adversely affected by unreliable or misleading information provided by systems that are
poorly designed and controlled. 32. Electronic information systems and the use of
information technology have risks that must be effectively controlled by banks in order to
avoid disruptions to business and potential losses. Since transaction processing and
business applications have expanded beyond the use of mainframe computer
environments to distributed systems for mission-critical business functions, the
magnitude of risks also has expanded. Controls over information systems and technology
should include both general and application controls. General controls are controls over
computer systems (for example, mainframe, client/server, and end-user workstations) and

16
ensure their continued, proper operation. General controls include in-house back-up and
recovery procedures, software development and acquisition policies, maintenance
(change control) procedures, and physical/logical access security controls. Application
controls are computerised steps within software applications and other manual procedures
that control the processing of transactions and business activities. Application controls
include, for Internal control systems 16 example, edit checks and specific logical access
controls unique to a business system. Without adequate controls over information systems
and technology, including systems that are under development, banks could experience
loss of data and programs due to inadequate physical and electronic security
arrangements, equipment or systems failures, and inadequate in-house backup and
recovery procedures. 33. In addition to the risks and controls above, inherent risks exist
that are associated with the loss or extended disruption of services caused by factors
beyond the bank’s control. In extreme cases, since the delivery of corporate and customer
services represent key transactional, strategic and reputational issues, such problems
could cause serious difficulties for banks and even jeopardise their ability to conduct key
business activities. This potential requires the bank to establish business resumption and
contingency plans using an alternate off-site facility, including the recovery of critical
systems supported by an external service provider. The potential for loss or extended
disruption of critical business operations requires an institution-wide effort on
contingency planning, involving business management, and not focused on centralised
computer operations. Business resumption plans must be periodically tested to ensure the
plan’s functionality in the event of an unexpected disaster. Principle 9: An effective
internal control system requires effective channels of communication to ensure that all
staff fully understand and adhere to policies and procedures affecting their duties and
responsibilities and that other relevant information is reaching the appropriate personnel.
34. Without effective communication, information is useless. Senior management of
banks need to establish effective paths of communication in order to ensure that the
necessary information is reaching the appropriate people. This information relates both to
the operational policies and procedures of the bank as well as information regarding the
actual operational performance of the organisation. 35. The organisational structure of the
bank should facilitate an adequate flow of information - upward, downward and across
the organisation. A structure that facilitates this flow ensures that information flows
upward so that the board of directors and senior management are aware of the business
risks and the operating performance of the bank. Information flowing down through an
organisation ensures that the bank’s objectives, strategies, and expectations, as well as its
established policies and procedures, are communicated to lower level management and
operations personnel. This communication is essential to achieve a unified effort by all
bank employees to meet the bank’s objectives. Finally, communication across the
organisation is necessary to ensure that information that one division or department
knows can be shared with other affected divisions or departments. Internal control
systems 17 E. Monitoring Activities and Correcting Deficiencies Principle 10: The
overall effectiveness of the bank’s internal controls should be monitored on an ongoing
basis. Monitoring of key risks should be part of the daily activities of the bank as well as
periodic evaluations by the business lines and internal audit. 36. Since banking is a
dynamic, rapidly evolving industry, banks must continually monitor and evaluate their
internal control systems in the light of changing internal and external conditions, and

17
must enhance these systems as necessary to maintain their effectiveness. In complex,
multinational organisations, senior management must ensure that the monitoring function
is properly defined and structured within the organisation. 37. Monitoring the
effectiveness of internal controls can be done by personnel from several different areas,
including the business function itself, financial control and internal audit. For that reason,
it is important that senior management makes clear which personnel are responsible for
which monitoring functions. Monitoring should be part of the daily activities of the bank
but also include separate periodic evaluations of the overall internal control process. The
frequency of monitoring different activities of a bank should be determined by
considering the risks involved and the frequency and nature of changes occurring in the
operating environment. 38. Ongoing monitoring activities can offer the advantage of
quickly detecting and correcting deficiencies in the system of internal control. Such
monitoring is most effective when the system of internal control is integrated into the
operating environment and produces regular reports for review. Examples of ongoing
monitoring include the review and approval of journal entries, and management review
and approval of exception reports. 39. In contrast, separate evaluations typically detect
problems only after the fact; however, separate evaluations allow an organisation to take
a fresh, comprehensive look at the effectiveness of the internal control system and
specifically at the effectiveness of the monitoring activities. These evaluations can be
done by personnel form several different areas, including the business function itself,
financial control and internal audit. Separate evaluations of the internal control system
often take the form of self-assessments when persons responsible for a particular function
determine the effectiveness of controls for their activities. The documentation and the
results of the evaluations are then reviewed by senior management. All levels of review
should be adequately documented and reported on a timely basis to the appropriate level
of management. Principle 11: There should be an effective and comprehensive internal
audit of the internal control system carried out by operationally independent,
appropriately trained and competent staff. The internal audit function, as part of the
monitoring of the system Internal control systems 18 of internal controls, should report
directly to the board of directors or its audit committee, and to senior management. 40.
The internal audit function is an important part of the ongoing monitoring of the system
of internal controls because it provides an independent assessment of the adequacy of,
and compliance with, the established policies and procedures. It is critical that the
internal audit function is independent from the day-to-day functioning of the bank and
that it has access to all activities conducted by the banking organisation, including at its
branches and subsidiaries. 41. By reporting directly to the board of directors or its audit
committee, and to senior management, the internal auditors provide unbiased information
about line activities. Due to the important nature of this function, internal audit must be
staffed with competent, welltrained individuals who have a clear understanding of their
role and responsibilities. The frequency and extent of internal audit review and testing of
the internal controls within a bank should be consistent with the nature, complexity, and
risk of the organisation’s activities. 42. It is important that the internal audit function
reports directly to the highest levels of the banking organisation, typically the board of
directors or its audit committee, and to senior management. This allows for the proper
functioning of corporate governance by giving the board information that is not biased in
any way by the levels of management that the reports cover. The board should also

18
reinforce the independence of the internal auditors by having such matters as their
compensation or budgeted resources determined by the board or the highest levels of
management rather than by managers who are affected by the work of the internal
auditors. Principle 12: Internal control deficiencies, whether identified by business line,
internal audit, or other control personnel, should be reported in a timely manner to the
appropriate management level and addressed promptly. Material internal control
deficiencies should be reported to senior management and the board of directors. 43.
Internal control deficiencies, or ineffectively controlled risks, should be reported to the
appropriate person(s) as soon as they are identified, with serious matters reported to
senior management and the board of directors. Once reported, it is important that
management corrects the deficiencies on a timely basis. The internal auditors should
conduct follow-up reviews or other appropriate forms of monitoring, and immediately
inform senior management or the board of any uncorrected deficiencies. In order to
ensure that all deficiencies are addressed in a timely manner, senior management should
be responsible for establishing a system to track internal control weaknesses and actions
taken to rectify them. Internal control systems 19 44. The board of directors and senior
management should periodically receive reports summarising all control issues that have
been identified. Issues that appear to be immaterial when individual control processes are
looked at in isolation, may well point to trends that could, when linked, become a
significant control deficiency if not addressed in a timely manner. IV. Evaluation of
Internal Control Systems by Supervisory Authorities Principle 13: Supervisors should
require that all banks, regardless of size, have an effective system of internal controls that
is consistent with the nature, complexity, and risk inherent in their on- and off-balance-
sheet activities and that responds to changes in the bank’s environment and conditions. In
those instances where supervisors determine that a bank's internal control system is not
adequate or effective for that bank’s specific risk profile (for example, does not cover all
of the principles contained in this document), they should take appropriate action. 45.
Although the board of directors and senior management bear the ultimate responsibility
for an effective system of internal controls, supervisors should assess the internal control
system in place at individual banks as part of their ongoing supervisory activities. The
supervisors should also determine whether individual bank management gives prompt
attention to any problems that are detected through the internal control process. 46.
Supervisors should require the banks they supervise to have strong control cultures and
should take a risk-focused approach in their supervisory activities. This includes a review
of the adequacy of internal controls. It is important that supervisors not only assess the
effectiveness of the overall system of internal controls, but also evaluate the controls over
high-risk areas (e.g., areas with characteristics such as unusual profitability, rapid growth,
new business activity, or geographic remoteness from the head office). In those instances
where supervisors determine that a bank’s internal control system is not adequate or
effective for that bank’s specific risk profile, they should take appropriate action. This
would involve communicating their concerns to senior management and monitoring what
actions the bank takes to improve its internal control system. 47. Supervisors, in
evaluating the internal control systems of banks, may choose to direct special attention to
activities or situations that historically have been associated with internal control
breakdowns leading to substantial losses. Certain changes in a bank’s environment should
be the subject of special consideration to see whether accompanying revisions are needed

19
in the internal control system. These changes include: (1) a changed operating
environment; (2) new personnel; (3) new or revamped information systems; (4) Internal
control systems 20 areas/activities experiencing rapid growth; (5) new technology; (6)
new lines, products, activities (particularly complex ones); (7) corporate restructurings,
mergers and acquisitions; and (8) expansion or acquisition of foreign operations
(including the impact of changes in the related economic and regulatory environments).
48. To evaluate the quality of internal controls, supervisors can take a number of
approaches. Supervisors can evaluate the work of the internal audit department of the
bank through review of its work papers, including the methodology used to identify,
measure, monitor and control risk. If satisfied with the quality of the internal audit
department’s work, supervisors can use the reports of internal auditors as a primary
mechanism for identifying control problems in the bank, or for identifying areas of
potential risk that the auditors have not recently reviewed. Some supervisors may use a
self-assessment process, in which management reviews the internal controls on a
business-by-business basis and certifies to the supervisor that its controls are adequate for
its business. Other supervisors may require periodic external audits of key areas, where
the supervisor defines the scope. And finally, supervisors may combine one or more of
the above techniques with their own on-site reviews or examinations of internal controls.
49. Supervisors in many countries conduct on-site examinations and a review of internal
controls is an integral part of such examinations. An on-site review could include both a
review of the business process and a reasonable level of transaction testing in order to
obtain an independent verification of the bank's own internal control processes. 50. An
appropriate level of transaction testing should be performed to verify: • the adequacy of,
and adherence to, internal policies, procedures and limits; • the accuracy and
completeness of management reports and financial records; and • the reliability (i.e.,
whether it functions as management intends) of specific controls identified as key to the
internal control element being assessed. 51. In order to evaluate the effectiveness of the
five internal control elements of a banking organisation (or a unit/activity thereof)
supervisors should: • identify the internal control objectives that are relevant to the
organisation, unit or activity under review (e.g., lending, investing, accounting); •
evaluate the effectiveness of the internal control elements, not just by reviewing policies
and procedures, but also by reviewing documentation, discussing operations with various
levels of bank personnel, observing the operating environment, and testing transactions; •
share supervisory concerns about internal controls and recommendations for their
improvement with the board of directors and management on a timely basis, and; Internal
control systems 21 • determine that, where deficiencies are noted, corrective action is
taken in a timely manner. 52. Banking supervisory authorities that have the legal basis or
other arrangements to direct the scope of and make use of the work of external auditors
often or always do so in lieu of on-site examinations. In those instances, the external
auditors should be performing the review of the business process and the transaction
testing described above under specific engagement arrangements. In turn, the supervisors
should assess the quality of the auditors’ work. 53. In all instances, bank supervisors
should take note of the external auditors' observations and recommendations regarding
the effectiveness of internal controls and determine that bank management and the board
of directors have satisfactorily addressed the concerns and recommendations expressed
by the external auditors. The level and nature of control problems found by auditors

20
should be factored into supervisors’ evaluation of the effectiveness of a bank's internal
controls. 54. Supervisors should also encourage bank external auditors to plan and
conduct their audits in ways that appropriately consider the possibility of material
misstatement of banks' financial statements due to fraud. Any fraud found by external
auditors, regardless of materiality, must be communicated to the appropriate level of
management. Fraud involving senior management and fraud that is material to the entity
should be reported by the external auditors to the board of directors and/or the audit
committee. External auditors may be expected to disclose fraud to certain supervisory
authorities or others outside the bank in certain circumstances (subject to national
requirements). 55. In reviewing the adequacy of the internal control process at individual
banking organisations, home country supervisors should also determine that the process
is effective across business lines, subsidiaries and national boundaries3 . It is important
that supervisors evaluate the internal control process not only at the level of individual
businesses or legal entities, but also across the wide spectrum of activities and
subsidiaries within the consolidated banking organisation. For this reason, supervisors
should encourage banking groups to use common auditors and common accounting dates
throughout the group, to the extent possible. 3 The Joint Forum on Financial
Conglomerates has published a document entitled ”Framework for supervisory
information sharing paper”. This document addresses the issue of information sharing
among supervisors in different jurisdictions. Internal control systems 22 V. Roles and
Responsibilities of External Auditors 56. Although external auditors are not, by
definition, part of a banking organisation and therefore, are not part of its internal control
system, they have an important impact on the quality of internal controls through their
audit activities, including discussions with management and recommendations for
improvement to internal controls. The external auditors provide important feedback on
the effectiveness of the internal control system. 57. While the primary purpose of the
external audit function is to give an opinion on the annual accounts of a bank, the
external auditor must choose whether to rely on the effectiveness of the bank’s internal
control system. For this reason, the external auditors have to obtain an understanding of
the internal control system in order to assess the extent to which they can rely on the
system in determining the nature, timing and scope of their own audit procedures. 58. The
exact role of external auditors and the processes they use vary from country to country.
Professional auditing standards in many countries require that audits be planned and
performed to obtain reasonable assurance that financial statements are free of material
misstatement. Auditors also examine, on a test basis, underlying transactions and records
supporting financial statement balances and disclosures. An auditor assesses the
accounting principles and policies used and significant estimates made by management
and evaluates the overall financial statement presentation. In some countries, external
auditors are required by the supervisory authorities to provide a specific assessment of
the scope, adequacy and effectiveness of a bank’s internal control system, including the
internal audit system. 59. One consistency among countries, however, is the expectation
that external auditors will gain an understanding of a bank’s internal control process to
the extent that it relates to the accuracy of the bank’s financial statements. The extent of
attention given to the internal control system varies by auditor and by bank; however, it is
generally expected that material weaknesses identified by the auditors would be reported
to management in confidential management letters and, in many countries, to the

21
supervisory authority. Furthermore, in many countries external auditors may be subject to
special supervisory requirements that specify the way that they evaluate and report on
internal controls. Internal control systems 23 Appendix I Reference Materials Bank of
England, “Banks Internal Controls and the Section 39 Process”, February 1997 Canadian
Deposit Insurance Corporation, “Standards of Sound Business and Financial Practices:
Internal Control”, August 1993 Canadian Institute of Chartered Accountants, “Guidance
on Control”, November 1995 The Committee of Sponsoring Organisations of the
Treadway Commission (COSO), “Internal Control – Integrated Framework”, July 1994
European Monetary Institute, “Internal Control Systems of Credit Institutions”, July 1997
Internal control systems 24 Appendix II Supervisory Lessons Learned from Internal
Control Failures A. Management Oversight and the Control Culture 1. Many internal
control failures that resulted in significant losses for banks could have been substantially
lessened or even avoided if the board and senior management of the organisations had
established strong control cultures. Weak control cultures often had two common
elements. First, senior management failed to emphasise the importance of a strong system
of internal control through their words and actions, and most importantly, through the
criteria used to determine compensation and promotion. Second, senior management
failed to ensure that the organisational structure and managerial accountabilities were
well defined. For example, senior management failed to require adequate supervision of
key decision-makers and reporting of the nature and conduct of business activities in a
timely manner. 2. Senior management may weaken the control culture by promoting and
rewarding managers who are successful in generating profits but fail to implement
internal control policies or address problems identified by internal audit. Such actions
send a message to others in the organisation that internal control is considered secondary
to other goals in the organisation, and thus diminish the commitment to and quality of the
control culture. 3. Some banks with control problems had organisational structures in
which accountabilities were not clearly defined. As a result, a division of the bank was
not directly accountable to anyone in senior management. This meant that no senior
manager monitored the performance of these activities closely enough to notice unusual
activities, financial and otherwise, and no senior manager had a comprehensive
understanding of the activities and how profits were being generated. If management had
understood the activities of the division, they may have been able to recognise warning
signs (such as an unusual relationship of profit to levels of risk), investigate the
operations and take steps to reduce the eventual losses. These problems could also have
been avoided if line management had reviewed transactions and management information
reports and held discussions with appropriate personnel about the nature of business
transacted. Such approaches provide line management with an objective look at how
decisions are being made and ensures that key personnel are operating within the
parameters set by the bank and within the internal control framework. B. Risk
Recognition and Assessment 4. In the recent past, inadequate risk recognition and
assessment has contributed to some organisations’ internal control problems and related
losses. In some cases, the potential Internal control systems 25 high yields associated
with certain loans, investments, and derivative instruments distracted management from
the need to thoroughly assess the risks associated with the transactions and devote
sufficient resources to the ongoing monitoring and review of risk exposures. Losses have
also been caused when management has failed to update the risk assessment process as

22
the organisation’s operating environment changed. For example, as more complex or
sophisticated products within a business line were developed, internal controls may not
have been enhanced to address the more complex products. A second example involves
entry into a new business activity without a full, objective assessment of the risks
involved. Without this assessment of risks, the system of internal control may not
appropriately address the risks in the new business. 5. As discussed above, banking
organisations will set objectives for the efficiency and effectiveness of activities,
reliability and completeness of financial and management information, and compliance
with laws and regulations. Risk assessment entails the identification and evaluation of the
risks involved in meeting those objectives. This process helps to ensure that the bank’s
internal controls are consistent with the nature, complexity and risk of the bank’s on- and
off-balance sheet activities. C. Control Activities and Segregation of Duties 6. In
reviewing major banking losses caused by poor internal control, supervisors typically
find that these banks failed to observe certain key internal control principles. Of these,
segregation of duties, one of the pillars of sound internal control systems, was most
frequently overlooked by banks that experienced significant losses from internal control
problems. Often, senior management assigned a highly regarded individual responsibility
for supervising two or more areas with conflicting interests. For example, in several
cases, one individual supervised both the front and back offices of a trading desk. This
permitted the individual to control transaction initiation (e.g., buying and selling
securities or derivatives) as well as the related bookkeeping function. Assigning such
conflicting duties to one individual gives that person the ability to manipulate financial
data for personal gain or to conceal losses. 7. Segregation of duties is not limited to
situations involving simultaneous front and back office control by one individual. It can
also result in serious problems when an individual has responsibility for: • approval of the
disbursement of funds and the actual disbursement; • customer and proprietary accounts;
• transactions in both the "banking" and "trading" books; • informally providing
information to customers about their positions while marketing to the same customers;
Internal control systems 26 • assessing the adequacy of loan documentation and
monitoring the borrower after loan origination; and • any other areas where significant
conflicts of interest emerge and are not mitigated by other factors.4 8. Shortcomings in
control activities, however, reflect the failure of a variety of efforts to determine that
business is being conducted in the expected manner, from high-level reviews to
maintenance of specific checks and balances in a business process. For example, in
several cases management did not appropriately respond to information they were
receiving. This information took the form of periodic reports on the results of operations
for all divisions of the organisation that informed management of each division’s progress
in meeting objectives, and allowed them to ask questions if the results were different
from their expectations. Often, the divisions that later reported significant losses at first
reported profits-- far in excess of expectations for the apparent level of risk--that should
have concerned senior management. Had thorough top level reviews occurred, senior
management may have investigated the anomalous results and found and addressed some
of the problems, thus limiting or preventing the losses that occurred. However, because
the deviations from their expectations were positive (i.e., profits), questions were not
asked and investigations were not started until the problems had grown to unmanageable
proportions. D. Information and Communication 9. Some banks have experienced losses

23
because information in the organisation was not reliable or complete and because
communication within the organisation was not effective. Financial information may be
misreported internally; incorrect data series from outside sources may be used to value
financial positions; and small, but high-risk activities may not be reflected in
management reports. In some cases, banks failed to adequately communicate employees’
duties and control responsibilities or disseminated policies through channels, such as
electronic mail, that did not ensure that the policy was read, understood and retained. As a
result, for long periods of time, major management policies were not carried out. In other
cases, adequate lines of communication did not exist for the reporting of suspected
improprieties by employees. If channels had been established for communication of
problems upward through the organisational levels, management would have been able to
identify and correct the improprieties much sooner. 4 To illustrate a potential conflict of
interest that is mitigated by other controls, an independent loan review, through its
monitoring activities of a bank’s credit grading system, may compensate for the potential
conflict of interest that arises when a person who is responsible for assessing the
adequacy of loan documentation also monitors the creditworthiness of the borrower after
loan origination. Internal control systems 27 E. Monitoring Activities and Correcting
Deficiencies 10. Many banks that have experienced losses from internal control problems
did not effectively monitor their internal control systems. Often the systems did not have
the necessary built-in ongoing monitoring processes and the separate evaluations
performed were either not adequate or were not acted upon appropriately by
management. 11. In some cases, the absence of monitoring began with a failure to
consider and react to day-to-day information provided to line management and other
personnel indicating unusual activity, such as exceeded exposure limits, customer
accounts in proprietary business activities, or lack of current financial statements from
borrowers. In one bank, losses associated with trading activities were being concealed in
a fictitious customer account. If the organisation had a procedure in place that required
statements of accounts to be mailed to customers on a monthly basis and that customer
accounts be periodically confirmed, the concealed losses would likely have been noticed
long before they were large enough to cause major problems for the bank. 12. In several
other cases, the organisation’s division or activity that caused massive losses had
numerous characteristics indicating a heightened level of risk such as unusual
profitability for the perceived level of risk and rapid growth in a new business activity
that was geographically distant from the parent organisation. However, due to inadequate
risk assessment, the organisations did not provide sufficient additional resources to
control or monitor the high-risk activities. In fact, in some instances, the high risk
activities were operating with less oversight than activities with much lower risk profiles
and several warnings from the internal and external auditors regarding the activities of
the division were not acted upon by management. 13. While internal audit can be an
effective source of separate evaluations, it was not effective in many problem banking
organisations. A combination of three factors contributed to these inadequacies: the
performance of piecemeal audits, the lack of a thorough understanding of the business
processes, and inadequate follow-up when problems were noted. The fragmented audit
approach resulted primarily because the internal audit programs were structured as a
series of discrete audits of specific activities within the same division or department,
within geographic areas, or within legal entities. Because the audit process was

24
fragmented, the business processes were not fully understood by internal audit personnel.
An audit approach that would have allowed the auditors to follow processes and
functions through from beginning to end (i.e., follow a single transaction through from
the point of transaction initiation to financial reporting phase) would have enabled them
to gain a better understanding. Moreover, it would have provided the opportunity to
verify and test the adequacy of controls at every step of the process. 14. In some cases,
inadequate knowledge and training of internal audit staff in trading products and markets,
electronic information systems, and other highly sophisticated areas Internal control
systems 28 also contributed to internal audit problems. Because the staff did not have the
necessary expertise, they were often hesitant to ask questions when they suspected
problems, and when questions were asked, they were more likely to accept an answer
than to challenge it. 15. Internal audit may also be rendered ineffective when
management does not appropriately follow-up on problems identified by auditors. The
delays may have occurred because of a lack of acceptance by management of the role and
importance of internal audit. In addition, the effectiveness of internal audit was impaired
when senior management and members of the board of directors (or audit committee, as
appropriate) failed to receive timely and regular tracking reports that indicated critical
issues and the subsequent corrective actions taken by management. This type of periodic
tracking device can help senior management confront important issues in a timely
manner.

25
Internal control, as defined in accounting and auditing, is a process for assuring of an
organization's objectives in operational effectiveness and efficiency, reliable financial
reporting, and compliance with laws, regulations and policies. A broad concept, internal
control involves everything that controls risks to an organization.
It is a means by which an organization's resources are directed, monitored, and measured. It
plays an important role in detecting and preventing fraud and protecting the organization's
resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or
intellectual property such as trademarks).
At the organizational level, internal control objectives relate to the reliability of financial
reporting, timely feedback on the achievement of operational or strategic goals, and
compliance with laws and regulations. At the specific transaction level, internal controls
refers to the actions taken to achieve a specific objective (e.g., how to ensure the
organization's payments to third parties are for valid services rendered.) Internal control
procedures reduce process variation, leading to more predictable outcomes. Internal control
is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–
Oxley Act of 2002, which required improvements in internal control in United States public
corporations. Internal controls within business entities are also referred to as operational
controls.

Definitions[edit]
There are many definitions of internal control, as it affects the various constituencies
(stakeholders) of an organization in various ways and at different levels of aggregation.
Under the COSO Internal Control-Integrated Framework, a widely used framework in not
only the United States but around the world, internal control is broadly defined as a process,
effected by an entity's board of directors, management, and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives relating to
operations, reporting, and compliance.
COSO defines internal control as having five components:

1. Control Environment-sets the tone for the organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal
control.
2. Risk Assessment-the identification and analysis of relevant risks to the achievement
of objectives, forming a basis for how the risks should be managed
3. Information and Communication-systems or processes that support the identification,
capture, and exchange of information in a form and time frame that enable people to
carry out their responsibilities
4. Control Activities-the policies and procedures that help ensure management
directives are carried out.
5. Monitoring-processes used to assess the quality of internal control performance over
time.

The COSO definition relates to the aggregate control system of the organization, which is
composed of many individual control procedures.
Discrete control procedures, or controls are defined by the SEC as: "...a specific set of
policies, procedures, and activities designed to meet an objective. A control may exist within
a designated function or activity in a process. A control’s impact...may be entity-wide or
specific to an account balance, class of transactions or application. Controls have unique
characteristics – for example, they can be: automated or manual; reconciliations; segregation

26
of duties; review and approval authorizations; safeguarding and accountability of assets;
preventing or detecting error or fraud. Controls within a process may consist of financial
reporting controls and operational controls (that is, those designed to achieve operational
objectives)."[1]

Context[edit]
More generally, setting objectives, budgets, plans and other expectations establish criteria
for control. Control itself exists to keep performance or a state of affairs within what is
expected, allowed or accepted. Control built within a process is internal in nature. It takes
place with a combination of interrelated components – such as social environment effecting
behavior of employees, information necessary in control, and policies and procedures.
Internal control structure is a plan determining how internal control consists of these
elements.[2]
The concepts of corporate governance also heavily rely on the necessity of internal controls.
Internal controls help ensure that processes operate as designed and that risk responses
(risk treatments) in risk management are carried out (COSO II). In addition, there needs to
be in place circumstances ensuring that the aforementioned procedures will be performed as
intended: right attitudes, integrity and competence, and monitoring by managers.

Roles and responsibilities in internal control[edit]

According to the COSO Framework, everyone in an organization has responsibility for
internal control to some extent. Virtually all employees produce information used in the
internal control system or take other actions needed to affect control. Also, all personnel
should be responsible for communicating upward problems in operations, non-compliance
with the code of conduct, or other policy violations or illegal actions. Each major entity in
corporate governance has a particular role to play:

Management[edit]
The Chief Executive Officer (the top manager) of the organization has overall responsibility
for designing and implementing effective internal control. More than any other individual, the
chief executive sets the "tone at the top" that affects integrity and ethics and other factors of
a positive control environment. In a large company, the chief executive fulfills this duty by
providing leadership and direction to senior managers and reviewing the way they're
controlling the business. Senior managers, in turn, assign responsibility for establishment of
more specific internal control policies and procedures to personnel responsible for the unit's
functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is
usually more direct. In any event, in a cascading responsibility, a manager is effectively a
chief executive of his or her sphere of responsibility. Of particular significance are financial
officers and their staffs, whose control activities cut across, as well as up and down, the
operating and other units of an enterprise.

Board of directors[edit]
Management is accountable to the board of directors, which provides governance, guidance
and oversight. Effective board members are objective, capable and inquisitive. They also
have a knowledge of the entity's activities and environment, and commit the time necessary
to fulfil their board responsibilities. Management may be in a position to override controls and
ignore or stifle communications from subordinates, enabling a dishonest management which
intentionally misrepresents results to cover its tracks. A strong, active board, particularly
when coupled with effective upward communications channels and capable financial, legal
and internal audit functions, is often best able to identify and correct such a problem.

27
Auditors[edit]
The internal auditors and external auditors of the organization also measure the
effectiveness of internal control through their efforts. They assess whether the controls are
properly designed, implemented and working effectively, and make recommendations on
how to improve internal control. They may also review Information technology controls, which
relate to the IT systems of the organization. There are laws and regulations on internal
control related to financial reporting in a number of jurisdictions. In the U.S. these regulations
are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance
on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC
guidance, further discussed in SOX 404 top-down risk assessment. To provide reasonable
assurance that internal controls involved in the financial reporting process are effective, they
are tested by the external auditor (the organization's public accountants), who are required to
opine on the internal controls of the company and the reliability of its financial reporting.

Audit committee[edit]
The role and the responsibilities of the audit committee, in general terms, are to: (a) Discuss
with management, internal and external auditors and major stakeholders the quality and
adequacy of the organization’s internal controls system and risk management process, and
their effectiveness and outcomes, and meet regularly and privately with the Director of
Internal Audit; (b) Review and discuss with management and the external auditors and
approve the audited financial statements of the organization and make a recommendation
regarding inclusion of those financial statements in any public filing. Also review with
management and the independent auditor the effect of regulatory and accounting initiatives
as well as off-balance sheet issues in the organization’s financial statements; (c) Review and
discuss with management the types of information to be disclosed and the types of
presentations to be made with respect to the Company's earning press release and financial
information and earnings guidance provided to analysts and rating agencies; (d) Confirm the
scope of audits to be performed by the external and internal auditors, monitor progress and
review results and review fees and expenses. Review significant findings or unsatisfactory
internal audit reports, or audit problems or difficulties encountered by the external
independent auditor. Monitor management's response to all audit findings; (e) Manage
complaints concerning accounting, internal accounting controls or auditing matters; (f)
Receive regular reports from the Chief Executive Officer, Chief Financial Officer and the
Company's other Control Committees regarding deficiencies in the design or operation of
internal controls and any fraud that involves management or other employees with a
significant role in internal controls; and (g) Support management in resolving conflicts of
interest. Monitor the adequacy of the organization’s internal controls and ensure that all fraud
cases are acted upon.

Personnel benefits committee[edit]

The role and the responsibilities of the personnel benefits, in general terms, are to: (a)
Approve and oversee administration of the Company's Executive Compensation Program;
(b) Review and approve specific compensation matters for the Chief Executive Officer, Chief
Operating Officer (if applicable), Chief Financial Officer, General Counsel, Senior Human
Resources Officer, Treasurer, Director, Corporate Relations and Management, and Company
Directors; (c) Review, as appropriate, any changes to compensation matters for the officers
listed above with the Board; and (d)Review and monitor all human-resource related
performance and compliance activities and reports, including the performance management
system. They also ensure that benefit-related performance measures are properly used by
the management of the organization.

28
 Operating staff[edit]
All staff members should be responsible for reporting problems of operations, monitoring and
improving their performance, and monitoring non-compliance with the corporate policies and
various professional codes, or violations of policies, standards, practices and procedures.
Their particular responsibilities should be documented in their individual personnel files. In
performance management activities they take part in all compliance and performance data
collection and processing activities as they are part of various organizational units and may
also be responsible for various compliance and operational-related activities of the
organization.
Staff and junior managers may be involved in evaluating the controls within their own
organizational unit using a control self-assessment.

Limitations[edit]
Internal control can provide reasonable, not absolute, assurance that the objectives of an
organization will be met. The concept of reasonable assurance implies a high degree of
assurance, constrained by the costs and benefits of establishing incremental control
procedures.
Effective internal control implies the organization generates reliable financial reporting and
substantially complies with the laws and regulations that apply to it. However, whether an
organization achieves operational and strategic objectives may depend on factors outside
the enterprise, such as competition or technological innovation. These factors are outside the
scope of internal control; therefore, effective internal control provides only timely information
or feedback on progress towards the achievement of operational and strategic objectives,
but cannot guarantee their achievement.

Describing internal controls[edit]

Internal controls may be described in terms of:
a) the pertinent objective or financial statement assertion
b) the nature of the control activity itself.

Objective or assertions categorization[edit]

Assertions are representations by the management embodied in the financial statements.
Example: If a Financial Statement shows a balance of $1,000 worth of Fixed Assets, it
implies that the management asserts that fixed assets actually exist as on the date of the
financial statements, the valuation of which is worth exactly $1000 (based on historical cost
or fair value depending on the reporting framework and standards) and the entity has
complete right/obligation arising from such assets (e.g. if they are leased, it must be
disclosed accordingly). Further such fixed assets must be disclosed and represented
correctly in the financial statement according to the financial reporting framework applicable
to the company.
Controls may be defined against the particular financial statement assertion to which they
relate. There are five such assertions forming the acronym, "PERCV," (pronounced,
"perceive"):

1. Presentation and disclosure: Accounts and disclosures are properly described in the
financial statements of the organization.
2. Existence/Occurrence/Validity: Only valid or authorized transactions are processed.

29
 3. Rights and obligations: Assets are the rights of the organization and the liabilities are
its obligations as of a given date.
4. Completeness: All transactions are processed that should be.
5. Valuation: Transactions are valued accurately using the proper methodology, such as
a specified means of computation or formula.

For example, a validity control objective might be: "Payments are made only for authorized
products and services received." A typical control procedure would be: "The payable system
compares the purchase order, receiving record, and vendor invoice prior to authorizing
payment." Management is responsible for implementing appropriate controls that apply to all
transactions in their areas of responsibility.

Activity categorization[edit]
Control activities may also be explained by the type or nature of activity. These include (but
are not limited to):

 Segregation of duties – separating authorization, custody, and record keeping roles

to prevent fraud or error by one person.
 Authorization of transactions – review of particular transactions by an appropriate
person.
 Retention of records – maintaining documentation to substantiate transactions.
 Supervision or monitoring of operations – observation or review of ongoing
operational activity.
 Physical safeguards – usage of cameras, locks, physical barriers, etc. to protect
property, such as merchandise inventory.
 Top-level reviews – analysis of actual results versus organizational goals or plans,
periodic and regular operational reviews, metrics, and other key performance
indicators (KPIs).
 IT general controls – Controls related to: a) Security, to ensure access to systems
and data is restricted to authorized personnel, such as usage of passwords and review
of access logs; and b) Change management, to ensure program code is properly
controlled, such as separation of production and test environments, system and user
testing of changes prior to acceptance, and controls over migration of code into
production.
 IT application controls – Controls over information processing enforced by IT
applications, such as edit checks to validate data entry, accounting for transactions in
numerical sequences, and comparing file totals with control accounts.

Control precision[edit]
Control precision describes the alignment or correlation between a particular control
procedure and a given control objective or risk. A control with direct impact on the
achievement of an objective (or mitigation of a risk) is said to be more precise than one with
indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple
controls with varying degrees of precision may be involved in achieving a control objective or
mitigating a risk.
Precision is an important factor in performing a SOX 404 top-down risk assessment. After
identifying specific financial reporting material misstatement risks, management and the
external auditors are required to identify and test controls that mitigate the risks. This
involves making judgments regarding both precision and sufficiency of controls required to
mitigate the risks.

30
Risks and controls may be entity-level or assertion-level under the PCAOB guidance. Entity-
level controls are identified to address entity-level risks. However, a combination of entity-
level and assertion-level controls are typically identified to address assertion-level risks. The
PCAOB set forth a three-level hierarchy for considering the precision of entity-level controls.
[3]
Later guidance by the PCAOB regarding small public firms provided several factors to
consider in assessing precision.[4]

Fraud and internal control[edit]

Internal control plays an important role in the prevention and detection of fraud.[5] Under the
Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess
related controls. This typically involves identifying scenarios in which theft or loss could occur
and determining if existing control procedures effectively manage the risk to an acceptable
level.[6] The risk that senior management might override important financial controls to
manipulate financial reporting is also a key area of focus in fraud risk assessment. [7]
The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a
framework for helping organizations manage their fraud risk. [8]

Internal controls and process improvement[edit]

Controls can be evaluated and improved to make a business operation run more effectively
and efficiently. For example, automating controls that are manual in nature can save costs
and improve transaction processing. If the internal control system is thought of by executives
as only a means of preventing fraud and complying with laws and regulations, an important
opportunity may be missed. Internal controls can also be used to systematically improve
businesses, particularly in regard to effectiveness and efficiency.

Continuous controls monitoring[edit]

Advances in technology and data analysis have led to the development of numerous tools
which can automatically evaluate the effectiveness of internal controls. Used in conjunction
with continuous auditing, continuous controls monitoring provides assurance on financial
information flowing through the business processes.
A bank is a financial institution that accepts deposits from the public and creates credit.
[1]
Lending activities can be performed either directly or indirectly through capital markets.
Due to their importance in the financial stability of a country, banks are highly regulated in
most countries. Most nations have institutionalized a system known as fractional reserve
banking under which banks hold liquid assets equal to only a portion of their current
liabilities. In addition to other regulations intended to ensure liquidity, banks are generally
subject to minimum capital requirements based on an international set of capital standards,
known as the Basel Accords.
Banking in its modern sense evolved in the 14th century in the prosperous cities
of Renaissance Italy but in many ways was a continuation of ideas and concepts
of credit and lending that had their roots in the ancient world. In the history of banking, a
number of banking dynasties – notably, the Medicis, the Fuggers, the Welsers,
the Berenbergs, and the Rothschilds – have played a central role over many centuries.
The oldest existing retail bank is Banca Monte dei Paschi di Siena, while the oldest
existing merchant bank is Berenberg Bank.
The concept of banking may have begun in ancient Assyria and Babylonia, with merchants
offering loans of grain as collateral within a barter system. Lenders in ancient Greece and
during the Roman Empire added two important innovations: they

31
accepted deposits and changed money. Archaeology from this period in ancient
China and India also shows evidence of money lending.
More modern banking can be traced to medieval and early Renaissance Italy, to the rich
cities in the centre and north like Florence, Lucca, Siena, Venice and Genoa.
The Bardi and Peruzzi families dominated banking in 14th-century Florence, establishing
branches in many other parts of Europe.[2] One of the most famous Italian banks was
the Medici Bank, set up by Giovanni di Bicci de' Medici in 1397.[3] The earliest known state
deposit bank, Banco di San Giorgio (Bank of St. George), was founded in 1407
at Genoa, Italy.[4]
Modern banking practices, including fractional reserve banking and the issue of banknotes,
emerged in the 17th and 18th centuries. Merchants started to store their gold with
the goldsmiths of London, who possessed private vaults, and charged a fee for that service.
In exchange for each deposit of precious metal, the goldsmiths issued receipts certifying the
quantity and purity of the metal they held as a bailee; these receipts could not be assigned,
only the original depositor could collect the stored goods.

Sealing of the Bank of EnglandCharter (1694), by Lady Jane Lindsay, 1905.

Gradually the goldsmiths began to lend the money out on behalf of the depositor, which led
to the development of modern banking practices; promissory notes (which evolved into
banknotes) were issued for money deposited as a loan to the goldsmith. [5] The goldsmith paid
interest on these deposits. Since the promissory notes were payable on demand, and the
advances (loans) to the goldsmith's customers were repayable over a longer time period, this
was an early form of fractional reserve banking. The promissory notes developed into an
assignable instrument which could circulate as a safe and convenient form of money backed
by the goldsmith's promise to pay,[6] allowing goldsmiths to advance loans with little risk
of default.[7] Thus, the goldsmiths of London became the forerunners of banking by creating
new money based on credit.
The Bank of England was the first to begin the permanent issue of banknotes, in 1695.
[8]
The Royal Bank of Scotland established the first overdraft facility in 1728.[9] By the
beginning of the 19th century a bankers' clearing house was established in London to allow
multiple banks to clear transactions. The Rothschilds pioneered international finance on a
large scale, financing the purchase of the Suez canal for the British government.

A 640 BC one-third stater electrumcoin from Lydia, where gold and silver coins were used for the first
time

32
Etymology[edit]
The word bank was taken Middle English from Middle French banque, from
Old Italian banco, meaning "table", from Old High Germanbanc, bank "bench, counter".
Benches were used as makeshift desks or exchange counters during
the Renaissance by Jewish[10]Florentine bankers, who used to make their transactions atop
desks covered by green tablecloths.[11][12]

Definition[edit]
The definition of a bank varies from country to country. See the relevant country pages under
for more information.
Under English common law, a banker is defined as a person who carries on the business of
banking by conducting current accounts for his customers, paying cheques drawn on him/her
and collecting cheques for his/her customers.[13]

Banco de Venezuela in Coro.

Branch of Nepal Bank in Pokhara, Western Nepal.

In most common law jurisdictions there is a Bills of Exchange Act that codifies the law in
relation to negotiable instruments, including cheques, and this Act contains a statutory
definition of the term banker: banker includes a body of persons, whether incorporated or
not, who carry on the business of banking' (Section 2, Interpretation). Although this definition
seems circular, it is actually functional, because it ensures that the legal basis for bank
transactions such as cheques does not depend on how the bank is structured or regulated.
The business of banking is in many English common law countries not defined by statute but
by common law, the definition above. In other English common law jurisdictions there are
statutory definitions of the business of banking or banking business. When looking at these
definitions it is important to keep in mind that they are defining the business of banking for
the purposes of the legislation, and not necessarily in general. In particular, most of the
definitions are from legislation that has the purpose of regulating and supervising banks
rather than regulating the actual business of banking. However, in many cases the statutory
definition closely mirrors the common law one. Examples of statutory definitions:

33
 "banking business" means the business of receiving money on current or deposit
account, paying and collecting cheques drawn by or paid in by customers, the making of
advances to customers, and includes such other business as the Authority may
prescribe for the purposes of this Act; (Banking Act (Singapore), Section 2,
Interpretation).
 "banking business" means the business of either or both of the following:

1. receiving from the general public money on current, deposit, savings or other similar
account repayable on demand or within less than [3 months] ... or with a period of
call or notice of less than that period;
2. paying or collecting cheques drawn by or paid in by customers. [14]

Since the advent of EFTPOS (Electronic Funds Transfer at Point Of Sale), direct
credit, direct debit and internet banking, the cheque has lost its primacy in most banking
systems as a payment instrument. This has led legal theorists to suggest that the cheque
based definition should be broadened to include financial institutions that conduct current
accounts for customers and enable customers to pay and be paid by third parties, even if
they do not pay and collect cheques .[15]

Standard business[edit]

Large door to an old bank vault.

Banks act as payment agents by conducting checking or current accounts for customers,
paying cheques drawn by customers in the bank, and collecting cheques deposited to
customers' current accounts. Banks also enable customer payments via other payment
methods such as Automated Clearing House (ACH), Wire transfers or telegraphic
transfer, EFTPOS, and automated teller machines (ATMs).
Banks borrow money by accepting funds deposited on current accounts, by accepting term
deposits, and by issuing debt securities such as banknotes and bonds. Banks lend money by
making advances to customers on current accounts, by making installment loans, and by
investing in marketable debt securities and other forms of money lending.
Banks provide different payment services, and a bank account is considered indispensable
by most businesses and individuals. Non-banks that provide payment services such as
remittance companies are normally not considered as an adequate substitute for a bank
account.
Banks can create new money when they make a loan. New loans throughout the banking
system generate new deposits elsewhere in the system. The money supply is usually
increased by the act of lending, and reduced when loans are repaid faster than new ones are
generated. In the United Kingdom between 1997 and 2007, there was an increase in the
money supply, largely caused by much more bank lending, which served to push up property
prices and increase private debt. The amount of money in the economy as measured by M4
in the UK went from £750 billion to £1700 billion between 1997 and 2007, much of the
increase caused by bank lending.[16] If all the banks increase their lending together, then they

34
can expect new deposits to return to them and the amount of money in the economy will
increase. Excessive or risky lending can cause borrowers to default, the banks then become
more cautious, so there is less lending and therefore less money so that the economy can
go from boom to bust as happened in the UK and many other Western economies after
2007.

Range of activities[edit]
Activities undertaken by banks include personal banking, corporate banking, investment
banking, private banking, transaction banking, insurance, consumer finance, foreign
exchange trading, commodity trading, trading in equities, futures and options
trading and money market trading.

Channels[edit]

An American bank in Maryland.

Banks offer many different channels to access their banking and other services:

 Branch, in-person banking in a retail location

 Automated teller machine banking adjacent to or remote from the bank
 Bank by mail: Most banks accept cheque deposits via mail and use mail to
communicate to their customers
 Online banking over the Internet to perform multiple types of transactions
 Mobile banking is using one's mobile phone to conduct banking transactions
 Telephone banking allows customers to conduct transactions over the telephone with
an automated attendant, or when requested, with a telephone operator
 Video banking performs banking transactions or professional banking consultations
via a remote video and audio connection. Video banking can be performed via purpose
built banking transaction machines (similar to an Automated teller machine) or via
a video conference enabled bank branch clarification
 Relationship manager, mostly for private banking or business banking, who visits
customers at their homes or businesses
 Direct Selling Agent, who works for the bank based on a contract, whose main job is
to increase the customer base for the bank

Business models[edit]
A bank can generate revenue in a variety of different ways including interest, transaction fees
and financial advice. Traditionally, the most significant method is via charging intereston the
capital it lends out to customers.[17] The bank profits from the difference between the level of
interest it pays for deposits and other sources of funds, and the level of interest it charges in
its lending activities.

35
This difference is referred to as the spread between the cost of funds and the loan interest
rate. Historically, profitability from lending activities has been cyclical and dependent on the
needs and strengths of loan customers and the stage of the economic cycle. Fees and
financial advice constitute a more stable revenue stream and banks have therefore placed
more emphasis on these revenue lines to smooth their financial performance.
In the past 20 years, American banks have taken many measures to ensure that they remain
profitable while responding to increasingly changing market conditions.

 First, this includes the Gramm–Leach–Bliley Act, which allows banks again to merge
with investment and insurance houses. Merging banking, investment, and insurance
functions allows traditional banks to respond to increasing consumer demands for "one-
stop shopping" by enabling cross-selling of products (which, the banks hope, will also
increase profitability).
 Second, they have expanded the use of risk-based pricing from business lending to
consumer lending, which means charging higher interest rates to those customers that
are considered to be a higher credit risk and thus increased chance of default on loans.
This helps to offset the losses from bad loans, lowers the price of loans to those who
have better credit histories, and offers credit products to high risk customers who would
otherwise be denied credit.
 Third, they have sought to increase the methods of payment processing available to
the general public and business clients. These products include debit cards, prepaid
cards, smart cards, and credit cards. They make it easier for consumers to conveniently
make transactions and smooth their consumption over time (in some countries with
underdeveloped financial systems, it is still common to deal strictly in cash, including
carrying suitcases filled with cash to purchase a home).

However, with the convenience of easy credit, there is also increased risk that
consumers will mismanage their financial resources and accumulate excessive debt.
Banks make money from card products through interest charges and fees charged to
cardholders, and transaction fees to retailers who accept the bank's credit and/or
debit cards for payments.
This helps in making a profit and facilitates economic development as a whole. [18]
Recently, as banks have been faced with pressure from fintechs, new and additional
business models have been suggested such as freemium, monetization of data, white-
labelling of banking and payment applications, or the cross-selling of complementory
products.[19]

Capital and risk[edit]

Banks face a number of risks in order to conduct their business, and how well these risks are
managed and understood is a key driver behind profitability, and how much capital a bank is
required to hold. Bank capital consists principally of equity, retained
earnings and subordinated debt.
After the 2007-2009 financial crisis, regulators force banks to issue Contingent convertible
bonds (CoCos).These are hybrid capital securities that absorb losses in accordance with
their contractual terms when the capital of the issuing bank falls below a certain level. Then
debt is reduced and bank capitalization gets a boost. Owing to their capacity to absorb
losses, CoCos have the potential to satisfy regulatory capital requirement. [20][21]
Some of the main risks faced by banks include:

36

Credit risk: risk of loss arising from a borrower who does not make payments as
promised.[22]

Liquidity risk: risk that a given security or asset cannot be traded quickly enough in
the market to prevent a loss (or make the required profit).

Market risk: risk that the value of a portfolio, either an investment portfolio or a
trading portfolio, will decrease due to the change in value of the market risk factors.

Operational risk: risk arising from execution of a company's business functions.

Reputational risk: a type of risk related to the trustworthiness of business.

Macroeconomic risk: risks related to the aggregate economy the bank is operating in.
[23]

The capital requirement is a bank regulation, which sets a framework within which a bank or
depository institution must manage its balance sheet. The categorization of assets and
capital is highly standardized so that it can be risk weighted.

Banks in the economy[edit]

SEB main building in Tallinn, Estonia

See also: Financial system
Economic functions[edit]
The economic functions of banks include:

1. Issue of money, in the form of banknotes and current accounts subject to cheque or
payment at the customer's order. These claims on banks can act as money because
they are negotiable or repayable on demand, and hence valued at par. They are
effectively transferable by mere delivery, in the case of banknotes, or by drawing a
cheque that the payee may bank or cash.
2. Netting and settlement of payments – banks act as both collection and paying agents
for customers, participating in interbank clearing and settlement systems to collect,
present, be presented with, and pay payment instruments. This enables banks to
economize on reserves held for settlement of payments, since inward and outward
payments offset each other. It also enables the offsetting of payment flows between
geographical areas, reducing the cost of settlement between them.

37
 3. Credit intermediation – banks borrow and lend back-to-back on their own account as
middle men.
4. Credit quality improvement – banks lend money to ordinary commercial and personal
borrowers (ordinary credit quality), but are high quality borrowers. The improvement
comes from diversification of the bank's assets and capital which provides a buffer to
absorb losses without defaulting on its obligations. However, banknotes and
deposits are generally unsecured; if the bank gets into difficulty and pledges assets
as security, to raise the funding it needs to continue to operate, this puts the note
holders and depositors in an economically subordinated position.
5. Asset liability mismatch/Maturity transformation – banks borrow more on demand
debt and short term debt, but provide more long term loans. In other words, they
borrow short and lend long. With a stronger credit quality than most other borrowers,
banks can do this by aggregating issues (e.g. accepting deposits and issuing
banknotes) and redemptions (e.g. withdrawals and redemption of banknotes),
maintaining reserves of cash, investing in marketable securities that can be readily
converted to cash if needed, and raising replacement funding as needed from
various sources (e.g. wholesale cash markets and securities markets).
6. Money creation/destruction – whenever a bank gives out a loan in a fractional-
reserve banking system, a new sum of money is created and conversely, whenever
the principal on that loan is repaid money is destroyed.

Bank crisis[edit]

OTP Bank in Prešov (Slovakia)

Banks are susceptible to many forms of risk which have triggered occasional systemic
crises.[24] These include liquidity risk (where many depositors may request withdrawals in
excess of available funds), credit risk (the chance that those who owe money to the bank will
not repay it), and interest rate risk (the possibility that the bank will become unprofitable, if
rising interest rates force it to pay relatively more on its deposits than it receives on its loans).
Banking crises have developed many times throughout history when one or more risks have
emerged for a banking sector as a whole. Prominent examples include the bank run that
occurred during the Great Depression, the U.S. Savings and Loan crisis in the 1980s and
early 1990s, the Japanese banking crisis during the 1990s, and the sub-prime mortgage
crisis in the 2000s.

Size of global banking industry[edit]

Assets of the largest 1,000 banks in the world grew by 6.8% in the 2008/2009 financial year
to a record US$96.4 trillion while profits declined by 85% to US$115 billion. Growth in assets
in adverse market conditions was largely a result of recapitalization. EU banks held the
largest share of the total, 56% in 2008/2009, down from 61% in the previous year. Asian
banks' share increased from 12% to 14% during the year, while the share of US banks

38
increased from 11% to 13%. Fee revenue generated by global investment banking totalled
US$66.3 billion in 2009, up 12% on the previous year.[25]
The United States has the most banks in the world in terms of institutions (5,330 as of 2015)
and possibly branches (81,607 as of 2015). [26] This is an indicator of the geography and
regulatory structure of the US, resulting in a large number of small to medium-sized
institutions in its banking system. As of November 2009, China's top 4 banks have in excess
of 67,000 branches (ICBC:18000+, BOC:12000+, CCB:13000+, ABC:24000+) with an
additional 140 smaller banks with an undetermined number of branches. Japan had 129
banks and 12,000 branches. In 2004, Germany, France, and Italy each had more than
30,000 branches – more than double the 15,000 branches in the UK.[25]

Mergers and Acquisitions[edit]

Between 1985 and 2018 banks engaged in around 28,798 mergers or acquisitions, either as
the acquirer or the target company. The overall known value of these deals cumulates to
around 5,169 bil. USD.[27] In terms of value, there have been two major waves (1999 and
2007) which both peaked at around 460 bil. USD followed by a steep decline (-82% from
2007 until 2018).
Here is a list of the largest deals in history in terms of value with participation from at least one bank:

Date Acquiror Target Value of

Acquiror Acquiror Target Target
Announc Mid Mid Transactio
Name Nation Name Nation
ed Industry Industry n ($mil)

RFS Other
04/25/200 Netherland ABN-AMRO Netherland
Holdings Financial Banks 98,189.19
7 s Holding NV s
BV s

04/06/199 Travelers United United

Insurance Citicorp Banks 72,558.18
8 Group Inc States States

09/29/201 Switzerlan Switzerlan

UBS AG Banks UBS AG Banks 65,891.51
4 d d

NationsBan
04/13/199 k Corp, United BankAmeric United
Banks Banks 61,633.40
8 Charlotte, States a Corp States
NC

JPMorgan Bank One

01/14/200 United United
Chase & Banks Corp, Banks 58,663.15
4 States States
Co Chicago, IL

39
 Bank of FleetBoston
10/27/200 United United
America Banks Financial Banks 49,260.63
3 States States
Corp Corp, MA

Bank of Merrill
09/14/200 United Brokerag United
America Banks Lynch & Co 48,766.15
8 States e States
Corp Inc

10/13/199 Sumitomo Sakura

Banks Japan Banks Japan 45,494.36
9 Bank Ltd Bank Ltd

Royal Bank
02/26/200 HM National United United
of Scotland Banks 41,878.65
9 Treasury Agency Kingdom Kingdom
Group

Mitsubishi
02/18/200 Tokyo UFJ
Banks Japan Banks Japan 41,431.03
5 Financial Holdings Inc
Grp

Regulation[edit]
Main article: Banking regulation
See also: Basel II
Currently, commercial banks are regulated in most jurisdictions by government entities and require a special
bank license to operate.

Bank regulation and standards

 Bank for International Settlements

 Basel Accords (Basel I, Basel II, Basel III, Basel IV)
 Financial Stability Board

Background

 Banking (Regulation)
 Monetary policy
 Central bank
 Risk
 Risk management
 Regulatory capital

40
  Tier 1
 Tier 2

Pillar 1: Regulatory capital

 Credit risk
 Standardized
 IRB Approach
 F-IRB
 A-IRB
 PD
 LGD
 CCF
 EAD
 Operational risk
 Basic
 Standardized
 AMA
 Market risk
 Duration
 Value at risk

Pillar 2: Supervisory review

 Economic capital
 Liquidity risk
 Legal risk

Pillar 3: Market disclosure

 Disclosure

Business and Economics Portal

 v
 t
 e

Usually, the definition of the business of banking for the purposes of regulation is extended to
include acceptance of deposits, even if they are not repayable to the customer's order –
although money lending, by itself, is generally not included in the definition.
Unlike most other regulated industries, the regulator is typically also a participant in the
market, being either a publicly or privately governed central bank. Central banks also
typically have a monopoly on the business of issuing banknotes. However, in some countries
this is not the case. In the UK, for example, the Financial Services Authority licenses banks,

41
and some commercial banks (such as the Bank of Scotland) issue their own banknotes in
addition to those issued by the Bank of England, the UK government's central bank.

Global headquarters of the Bank for International Settlements in Basel

Banking law is based on a contractual analysis of the relationship between the bank (defined
above) and the customer – defined as any entity for which the bank agrees to conduct an
account.
The law implies rights and obligations into this relationship as follows:

 The bank account balance is the financial position between the bank and the
customer: when the account is in credit, the bank owes the balance to the customer;
when the account is overdrawn, the customer owes the balance to the bank.
 The bank agrees to pay the customer's checks up to the amount standing to the
credit of the customer's account, plus any agreed overdraft limit.
 The bank may not pay from the customer's account without a mandate from the
customer, e.g. a cheque drawn by the customer.
 The bank agrees to promptly collect the cheques deposited to the customer's
account as the customer's agent, and to credit the proceeds to the customer's account.
 The bank has a right to combine the customer's accounts, since each account is just
an aspect of the same credit relationship.
 The bank has a lien on cheques deposited to the customer's account, to the extent
that the customer is indebted to the bank.
 The bank must not disclose details of transactions through the customer's account –
unless the customer consents, there is a public duty to disclose, the bank's interests
require it, or the law demands it.
 The bank must not close a customer's account without reasonable notice, since
cheques are outstanding in the ordinary course of business for several days.

These implied contractual terms may be modified by express agreement between the
customer and the bank. The statutes and regulations in force within a particular jurisdiction
may also modify the above terms and/or create new rights, obligations or limitations relevant
to the bank-customer relationship.
Some types of financial institution, such as building societies and credit unions, may be
partly or wholly exempt from bank license requirements, and therefore regulated under
separate rules.
The requirements for the issue of a bank license vary between jurisdictions but typically
include:

42
 Minimum capital
 Minimum capital ratio
 'Fit and Proper' requirements for the bank's controllers, owners, directors, or senior
officers
 Approval of the bank's business plan as being sufficiently prudent and plausible.

Types of banking[edit]
Banks' activities can be divided into:

 retail banking, dealing directly with individuals and small businesses;

 business banking, providing services to mid-market business;
 corporate banking, directed at large business entities;
 private banking, providing wealth management services to high-net-worth
individuals and families;
 investment banking, relating to activities on the financial markets.

Most banks are profit-making, private enterprises. However, some are owned by
government, or are non-profit organizations.

Types of banks[edit]

National Bank of the Republic, Salt Lake City 1908

ATM Al-Rajhi Bank

43
National Copper Bank, Salt Lake City 1911

A branch of Union Bank in, Visakhapatnam


Commercial banks: the term used for a normal bank to distinguish it from an
investment bank. After the Great Depression, the U.S. Congress required that banks
only engage in banking activities, whereas investment banks were limited to capital
market activities. Since the two no longer have to be under separate ownership, some
use the term "commercial bank" to refer to a bank or a division of a bank that mostly
deals with deposits and loans from corporations or large businesses.

Community banks: locally operated financial institutions that empower employees to
make local decisions to serve their customers and the partners.

Community development banks: regulated banks that provide financial services and
credit to under-served markets or populations.

Land development banks: The special banks providing long-term loans are
called land development banks (LDB). The history of LDB is quite old. The first LDB was
started at Jhang in Punjab in 1920. The main objective of the LDBs are to promote the
development of land, agriculture and increase the agricultural production. The LDBs
provide long-term finance to members directly through their branches. [28]

Credit unions or co-operative banks: not-for-profit cooperatives owned by the
depositors and often offering rates more favourable than for-profit banks. Typically,
membership is restricted to employees of a particular company, residents of a defined
area, members of a certain union or religious organizations, and their immediate
families.

Postal savings banks: savings banks associated with national postal systems.

Private banks: banks that manage the assets of high-net-worth individuals.
Historically a minimum of US$1 million was required to open an account, however, over
the last years many private banks have lowered their entry hurdles to US$350,000 for
private investors.[citation needed]

44

Offshore banks: banks located in jurisdictions with low taxation and regulation. Many
offshore banks are essentially private banks.

Savings bank: in Europe, savings banks took their roots in the 19th or sometimes
even in the 18th century. Their original objective was to provide easily accessible
savings products to all strata of the population. In some countries, savings banks were
created on public initiative; in others, socially committed individuals created foundations
to put in place the necessary infrastructure. Nowadays, European savings banks have
kept their focus on retail banking: payments, savings products, credits and insurances
for individuals or small and medium-sized enterprises. Apart from this retail focus, they
also differ from commercial banks by their broadly decentralized distribution network,
providing local and regional outreach – and by their socially responsible approach to
business and society.

Building societies and Landesbanks: institutions that conduct retail banking.

Ethical banks: banks that prioritize the transparency of all operations and make only
what they consider to be socially responsible investments.

A direct or internet-only bank is a banking operation without any physical bank
branches, conceived and implemented wholly with networked Banking in India

Structure of the organised banking sector in India. Numbers of banks are in brackets.

Types of investment banks[edit]

 Investment banks "underwrite" (guarantee the sale of) stock and bond issues, trade
for their own accounts, make markets, provide investment management, and advise
corporations on capital market activities such as mergers and acquisitions.
 Merchant banks were traditionally banks which engaged in trade finance. The
modern definition, however, refers to banks which provide capital to firms in the form of
shares rather than loans. Unlike venture caps, they tend not to invest in new companies.

Both combined[edit]

A branch of Banco de Oro in Metro Manila, Philippines

 Universal banks, more commonly known as financial services companies, engage in

several of these activities. These big banks are very diversified groups that, among other
services, also distribute insurance – hence the term bancassurance, a portmanteau
word combining "banque or bank" and "assurance", signifying that both banking and
insurance are provided by the same corporate entity.

45
 Other types of banks[edit]
 Central banks are normally government-owned and charged with quasi-regulatory
responsibilities, such as supervising commercial banks, or controlling the cash interest
rate. They generally provide liquidity to the banking system and act as the lender of last
resort in event of a crisis.
 Islamic banks adhere to the concepts of Islamic law. This form of banking revolves
around several well-established principles based on Islamic canons. All banking activities
must avoid interest, a concept that is forbidden in Islam. Instead, the bank earns profit
(markup) and fees on the financing facilities that it extends to customers.

Capital and risk[edit]

Banks face a number of risks in order to conduct their business, and how well these risks are
managed and understood is a key driver behind profitability, and how much capital a bank is
required to hold. Bank capital consists principally of equity, retained
earnings and subordinated debt.
After the 2007-2009 financial crisis, regulators force banks to issue Contingent convertible
bonds (CoCos).These are hybrid capital securities that absorb losses in accordance with
their contractual terms when the capital of the issuing bank falls below a certain level. Then
debt is reduced and bank capitalization gets a boost. Owing to their capacity to absorb
losses, CoCos have the potential to satisfy regulatory capital requirement. [20][21]
Some of the main risks faced by banks include:


Credit risk: risk of loss arising from a borrower who does not make payments as
promised.[22]

Liquidity risk: risk that a given security or asset cannot be traded quickly enough in
the market to prevent a loss (or make the required profit).

Market risk: risk that the value of a portfolio, either an investment portfolio or a
trading portfolio, will decrease due to the change in value of the market risk factors.

Operational risk: risk arising from execution of a company's business functions.

Reputational risk: a type of risk related to the trustworthiness of business.

Macroeconomic risk: risks related to the aggregate economy the bank is operating in.
[23]

The capital requirement is a bank regulation, which sets a framework within which a bank or
depository institution must manage its balance sheet. The categorization of assets and
capital is highly standardized so that it can be risk weighted.

46
Banks in the economy[edit]

SEB main building in Tallinn, Estonia

See also: Financial system
Economic functions[edit]
The economic functions of banks include:

1. Issue of money, in the form of banknotes and current accounts subject to cheque or
payment at the customer's order. These claims on banks can act as money because
they are negotiable or repayable on demand, and hence valued at par. They are
effectively transferable by mere delivery, in the case of banknotes, or by drawing a
cheque that the payee may bank or cash.
2. Netting and settlement of payments – banks act as both collection and paying agents
for customers, participating in interbank clearing and settlement systems to collect,
present, be presented with, and pay payment instruments. This enables banks to
economize on reserves held for settlement of payments, since inward and outward
payments offset each other. It also enables the offsetting of payment flows between
geographical areas, reducing the cost of settlement between them.
3. Credit intermediation – banks borrow and lend back-to-back on their own account as
middle men.
4. Credit quality improvement – banks lend money to ordinary commercial and personal
borrowers (ordinary credit quality), but are high quality borrowers. The improvement
comes from diversification of the bank's assets and capital which provides a buffer to
absorb losses without defaulting on its obligations. However, banknotes and
deposits are generally unsecured; if the bank gets into difficulty and pledges assets
as security, to raise the funding it needs to continue to operate, this puts the note
holders and depositors in an economically subordinated position.
5. Asset liability mismatch/Maturity transformation – banks borrow more on demand
debt and short term debt, but provide more long term loans. In other words, they
borrow short and lend long. With a stronger credit quality than most other borrowers,
banks can do this by aggregating issues (e.g. accepting deposits and issuing
banknotes) and redemptions (e.g. withdrawals and redemption of banknotes),
maintaining reserves of cash, investing in marketable securities that can be readily

47
 converted to cash if needed, and raising replacement funding as needed from
various sources (e.g. wholesale cash markets and securities markets).
6. Money creation/destruction – whenever a bank gives out a loan in a fractional-
reserve banking system, a new sum of money is created and conversely, whenever
the principal on that loan is repaid money is destroyed.

Bank crisis[edit]

OTP Bank in Prešov (Slovakia)

Banks are susceptible to many forms of risk which have triggered occasional systemic
crises.[24] These include liquidity risk (where many depositors may request withdrawals in
excess of available funds), credit risk (the chance that those who owe money to the bank will
not repay it), and interest rate risk (the possibility that the bank will become unprofitable, if
rising interest rates force it to pay relatively more on its deposits than it receives on its loans).
Banking crises have developed many times throughout history when one or more risks have
emerged for a banking sector as a whole. Prominent examples include the bank run that
occurred during the Great Depression, the U.S. Savings and Loan crisis in the 1980s and
early 1990s, the Japanese banking crisis during the 1990s, and the sub-prime mortgage
crisis in the 2000s.

Size of global banking industry[edit]

Assets of the largest 1,000 banks in the world grew by 6.8% in the 2008/2009 financial year
to a record US$96.4 trillion while profits declined by 85% to US$115 billion. Growth in assets
in adverse market conditions was largely a result of recapitalization. EU banks held the
largest share of the total, 56% in 2008/2009, down from 61% in the previous year. Asian
banks' share increased from 12% to 14% during the year, while the share of US banks
increased from 11% to 13%. Fee revenue generated by global investment banking totalled
US$66.3 billion in 2009, up 12% on the previous year.[25]
The United States has the most banks in the world in terms of institutions (5,330 as of 2015)
and possibly branches (81,607 as of 2015). [26] This is an indicator of the geography and
regulatory structure of the US, resulting in a large number of small to medium-sized
institutions in its banking system. As of November 2009, China's top 4 banks have in excess
of 67,000 branches (ICBC:18000+, BOC:12000+, CCB:13000+, ABC:24000+) with an
additional 140 smaller banks with an undetermined number of branches. Japan had 129
banks and 12,000 branches. In 2004, Germany, France, and Italy each had more than
30,000 branches – more than double the 15,000 branches in the UK.[25]

Mergers and Acquisitions[edit]

Between 1985 and 2018 banks engaged in around 28,798 mergers or acquisitions, either as
the acquirer or the target company. The overall known value of these deals cumulates to
around 5,169 bil. USD.[27] In terms of value, there have been two major waves (1999 and

48
2007) which both peaked at around 460 bil. USD followed by a steep decline (-82% from
2007 until 2018).
Here is a list of the largest deals in history in terms of value with participation from at least one bank:

Date Acquiror Target Value of

Acquiror Acquiror Target Target
Announc Mid Mid Transactio
Name Nation Name Nation
ed Industry Industry n ($mil)

RFS Other
04/25/200 Netherland ABN-AMRO Netherland
Holdings Financial Banks 98,189.19
7 s Holding NV s
BV s

04/06/199 Travelers United United

Insurance Citicorp Banks 72,558.18
8 Group Inc States States

09/29/201 Switzerlan Switzerlan

UBS AG Banks UBS AG Banks 65,891.51
4 d d

NationsBan
04/13/199 k Corp, United BankAmeric United
Banks Banks 61,633.40
8 Charlotte, States a Corp States
NC

JPMorgan Bank One

01/14/200 United United
Chase & Banks Corp, Banks 58,663.15
4 States States
Co Chicago, IL

Bank of FleetBoston
10/27/200 United United
America Banks Financial Banks 49,260.63
3 States States
Corp Corp, MA

Bank of Merrill
09/14/200 United Brokerag United
America Banks Lynch & Co 48,766.15
8 States e States
Corp Inc

10/13/199 Sumitomo Sakura

Banks Japan Banks Japan 45,494.36
9 Bank Ltd Bank Ltd

02/26/200 HM National United Royal Bank Banks United 41,878.65

49
 of Scotland
9 Treasury Agency Kingdom Kingdom
Group

Mitsubishi
02/18/200 Tokyo UFJ
Banks Japan Banks Japan 41,431.03
5 Financial Holdings Inc
Grp

Regulation[edit]
Main article: Banking regulation
See also: Basel II
Currently, commercial banks are regulated in most jurisdictions by government entities and require a special
bank license to operate.

Bank regulation and standards

 Bank for International Settlements

 Basel Accords (Basel I, Basel II, Basel III, Basel IV)
 Financial Stability Board

Background

 Banking (Regulation)
 Monetary policy
 Central bank
 Risk
 Risk management
 Regulatory capital
 Tier 1
 Tier 2

Pillar 1: Regulatory capital

 Credit risk
 Standardized
 IRB Approach
 F-IRB
 A-IRB
 PD
 LGD
 CCF

50
  EAD
 Operational risk
 Basic
 Standardized
 AMA
 Market risk
 Duration
 Value at risk

Pillar 2: Supervisory review

 Economic capital
 Liquidity risk
 Legal risk

Pillar 3: Market disclosure

 Disclosure

Business and Economics Portal

 v
 t
 e

Usually, the definition of the business of banking for the purposes of regulation is extended to
include acceptance of deposits, even if they are not repayable to the customer's order –
although money lending, by itself, is generally not included in the definition.
Unlike most other regulated industries, the regulator is typically also a participant in the
market, being either a publicly or privately governed central bank. Central banks also
typically have a monopoly on the business of issuing banknotes. However, in some countries
this is not the case. In the UK, for example, the Financial Services Authority licenses banks,
and some commercial banks (such as the Bank of Scotland) issue their own banknotes in
addition to those issued by the Bank of England, the UK government's central bank.

Global headquarters of the Bank for International Settlements in Basel

51
Banking law is based on a contractual analysis of the relationship between the bank (defined
above) and the customer – defined as any entity for which the bank agrees to conduct an
account.
The law implies rights and obligations into this relationship as follows:

 The bank account balance is the financial position between the bank and the
customer: when the account is in credit, the bank owes the balance to the customer;
when the account is overdrawn, the customer owes the balance to the bank.
 The bank agrees to pay the customer's checks up to the amount standing to the
credit of the customer's account, plus any agreed overdraft limit.
 The bank may not pay from the customer's account without a mandate from the
customer, e.g. a cheque drawn by the customer.
 The bank agrees to promptly collect the cheques deposited to the customer's
account as the customer's agent, and to credit the proceeds to the customer's account.
 The bank has a right to combine the customer's accounts, since each account is just
an aspect of the same credit relationship.
 The bank has a lien on cheques deposited to the customer's account, to the extent
that the customer is indebted to the bank.
 The bank must not disclose details of transactions through the customer's account –
unless the customer consents, there is a public duty to disclose, the bank's interests
require it, or the law demands it.
 The bank must not close a customer's account without reasonable notice, since
cheques are outstanding in the ordinary course of business for several days.

These implied contractual terms may be modified by express agreement between the
customer and the bank. The statutes and regulations in force within a particular jurisdiction
may also modify the above terms and/or create new rights, obligations or limitations relevant
to the bank-customer relationship.
Some types of financial institution, such as building societies and credit unions, may be
partly or wholly exempt from bank license requirements, and therefore regulated under
separate rules.
The requirements for the issue of a bank license vary between jurisdictions but typically
include:

 Minimum capital
 Minimum capital ratio
 'Fit and Proper' requirements for the bank's controllers, owners, directors, or senior
officers
 Approval of the bank's business plan as being sufficiently prudent and plausible.

Types of banking[edit]
Banks' activities can be divided into:

 retail banking, dealing directly with individuals and small businesses;

 business banking, providing services to mid-market business;
 corporate banking, directed at large business entities;
 private banking, providing wealth management services to high-net-worth
individuals and families;
 investment banking, relating to activities on the financial markets.

52
Most banks are profit-making, private enterprises. However, some are owned by
government, or are non-profit organizations.

Types of banks[edit]

National Bank of the Republic, Salt Lake City 1908

ATM Al-Rajhi Bank

National Copper Bank, Salt Lake City 1911

53
A branch of Union Bank in, Visakhapatnam


Commercial banks: the term used for a normal bank to distinguish it from an
investment bank. After the Great Depression, the U.S. Congress required that banks
only engage in banking activities, whereas investment banks were limited to capital
market activities. Since the two no longer have to be under separate ownership, some
use the term "commercial bank" to refer to a bank or a division of a bank that mostly
deals with deposits and loans from corporations or large businesses.

Community banks: locally operated financial institutions that empower employees to
make local decisions to serve their customers and the partners.

Community development banks: regulated banks that provide financial services and
credit to under-served markets or populations.

Land development banks: The special banks providing long-term loans are
called land development banks (LDB). The history of LDB is quite old. The first LDB was
started at Jhang in Punjab in 1920. The main objective of the LDBs are to promote the
development of land, agriculture and increase the agricultural production. The LDBs
provide long-term finance to members directly through their branches. [28]

Credit unions or co-operative banks: not-for-profit cooperatives owned by the
depositors and often offering rates more favourable than for-profit banks. Typically,
membership is restricted to employees of a particular company, residents of a defined
area, members of a certain union or religious organizations, and their immediate
families.

Postal savings banks: savings banks associated with national postal systems.

Private banks: banks that manage the assets of high-net-worth individuals.
Historically a minimum of US$1 million was required to open an account, however, over
the last years many private banks have lowered their entry hurdles to US$350,000 for
private investors.[citation needed]

Offshore banks: banks located in jurisdictions with low taxation and regulation. Many
offshore banks are essentially private banks.

Savings bank: in Europe, savings banks took their roots in the 19th or sometimes
even in the 18th century. Their original objective was to provide easily accessible
savings products to all strata of the population. In some countries, savings banks were
created on public initiative; in others, socially committed individuals created foundations
to put in place the necessary infrastructure. Nowadays, European savings banks have
kept their focus on retail banking: payments, savings products, credits and insurances
for individuals or small and medium-sized enterprises. Apart from this retail focus, they
also differ from commercial banks by their broadly decentralized distribution network,
providing local and regional outreach – and by their socially responsible approach to
business and society.

Building societies and Landesbanks: institutions that conduct retail banking.

Ethical banks: banks that prioritize the transparency of all operations and make only
what they consider to be socially responsible investments.

A direct or internet-only bank is a banking operation without any physical bank
branches, conceived and implemented wholly with networked Banking in India

Structure of the organised banking sector in India. Numbers of banks are in brackets.

Types of investment banks[edit]

 Investment banks "underwrite" (guarantee the sale of) stock and bond issues, trade
for their own accounts, make markets, provide investment management, and advise
corporations on capital market activities such as mergers and acquisitions.

54
 Merchant banks were traditionally banks which engaged in trade finance. The
modern definition, however, refers to banks which provide capital to firms in the form of
shares rather than loans. Unlike venture caps, they tend not to invest in new companies.

Both combined[edit]

A branch of Banco de Oro in Metro Manila, Philippines

 Universal banks, more commonly known as financial services companies, engage in

several of these activities. These big banks are very diversified groups that, among other
services, also distribute insurance – hence the term bancassurance, a portmanteau
word combining "banque or bank" and "assurance", signifying that both banking and
insurance are provided by the same corporate entity.

Other types of banks[edit]

 Central banks are normally government-owned and charged with quasi-regulatory
responsibilities, such as supervising commercial banks, or controlling the cash interest
rate. They generally provide liquidity to the banking system and act as the lender of last
resort in event of a crisis.
 Islamic banks adhere to the concepts of Islamic law. This form of banking revolves
around several well-established principles based on Islamic canons. All banking activities
must avoid interest, a concept that is forbidden in Islam. Instead, the bank earns profit
(markup) and fees on the financing facilities that it extends to customers.

55