Legal and Regulatory Risk Management Policy

INTRODUCTION

    • This Legal and Regulatory Risk Management Policy (“Policy”) sets out the framework which VFD Microfinance Bank Limited (VFD MFB or the Company) shall apply in identifying and mitigating the Legal Risks and Regulatory Risks associated with its operations.
    • This Policy applies to all VFD MFB Personnel. You must read, understand and comply with this Policy when processing transactions with customers and agents. This Policy sets out what the Company expects from you to ensure the Company achieves its Risk Management objectives and complies with all Applicable Laws.
    • This Policy is an internal document and cannot be shared with third parties, customers or regulators without prior written authorisation from the Chief Risk Officer of the Company.

 

SCOPE

    • This Policy applies to all departments and functions of the Company.
    • Adherence must be observed by all Personnel.

 

DEFINITIONS

Applicable Law(s) means any national, supranational, regional or local government or governmental, administrative, statute, law (including common law), regulation, rule, ruling, order, writ, injunction, decree or guidelines issued by any authority in Nigeria and any data processing statute, law (including common law), regulation, rule, ruling, order, writ, injunction, decree or guidelines applicable to the Company;

Approval Authority is the member of the Risk Cell with the authority required to make a decision on the Risk Response required for a given Risk;

Criticality is a function of Risk Impact and Probability (Impact * Probability)

Impact is the consequence of a Risk event materializing;

Legal Risk means the uncertainty of the occurrence of an event that may result in loss to be suffered by the Company as a result of factors including but not limited to: (a) defective transaction; or (b) a claim that results in a liability; (c) failure to adequately protect assets; (d) change in law;

Legal and Regulatory Risk means Legal Risk and Regulatory Risk;

Personnel means all employees, workers, [contractors, agency workers, consultants,] directors and members of the Company;

Probability is the likelihood that a Risk will occur (per year);

Regulatory Risk means the Risk of having the ‘licence to operate’ withdrawn by a regulator, incurring sanctions or having conditions applied (retrospectively or prospectively) that adversely impact the economic value of the Company;

Risk means the uncertainty of the occurrence of an event that may negatively impact the achievement of a Company’s objectives;

Risk Acceptance is the amount of Risk that the Approval Authority is willing to take at the individual Risk level, within the Risk Tolerance of the Company. Risk Acceptance thresholds are determined by the Approval Authority for the most critical risks for which action is required.

Risk Assessment means the overall process of Risk analysis and evaluation;

Risk Cell means all the members of the Company’s Risk organisational chain;

Risk Description means a comprehensive collection of information about a particular Risk recorded;

Risk Incident means any materialisation of a Legal and Regulatory Risk and breakdown of a Risk control;

Risk Management means the process of identifying, prioritizing and responding to risks across an organisation;

Risk Register means a tool for recording the Risks encountered at various locations and levels in a standardised format of Risk Description;

Risk Response means the response to the Risk as determined by the Approving Authority;

Risk Strategy means the Company’s standpoint towards dealing with various risks associated with the business. It includes the Company’s decision on the Risk Tolerance, and Risk Acceptance, avoidance or transfer of risks faced by the Company;

Risk Tolerance means the maximum quantum of Risk which the Company is willing to take as determined from time to time in accordance with the Risk Strategy of the Company.

 

OBJECTIVE

    • The objectives of this Policy are to:
      • ensure that the Legal and Regulatory Risk exposure of the Company is identified, assessed, quantified, appropriately mitigated and managed;
      • establish a framework for the Company’s Risk Management process and ensure Company-wide implementation;
      • enable compliance with all Applicable Laws;
      • state the principles of VFD MFB’s Risk Management;
      • determine accountability for Risk Management and define roles and responsibilities in dealing with Legal and Regulatory Risk; and
      • specify Risk monitoring and reporting requirements.

 

PRINCIPLES OF VFD MFB’S RISK MANAGEMENT

    • VFD MFB’s Risk Management approach is guided by the following principles:
      • Risk Management must be a systematic iterative process that remains responsive to change, continuously sensing and reporting changes related to both external and internal events that shape the context of VFD MFB’s operations;
      • decisions on Legal and Regulatory Risks shall be made on a timely basis;
      • decisions on Risk must be made at the level of Approving Authority. Where the authority needed to address a Risk has not been assigned, the Risk must be escalated to the Chief Risk Officer (CRO) of the Company;
      • all business decisions must be made with the prior analysis and acceptance of the Legal and Regulatory Risks involved;
      • all Personnel shall be made aware of Legal and Regulatory Risks in their respective domains and their mitigation measures;
      • Risk Tolerance levels will be regularly reviewed and decided upon depending on the change in the Company’s Risk Strategy; and
      • the occurrence, progress and status of all Legal and Regulatory Risks will be promptly reported and appropriate actions shall be taken.

 

RISK ASSESSMENT

    • Risk Assessment will comprise the following:
      • Risk Identification and Categorisation: the process of identifying the Risk and determining whether it falls within the category of Legal Risk or Regulatory Risk;
      • Risk Description: the method of systematically capturing and recording the identified Risks in a structured format;
      • Risk Analysis: involves the calculation of the Risk based on the impact and probability; and
      • Risk Treatment/Response: involves identifying and implementing mitigating controls to treat the Risk to an acceptable level.

UNDERSTANDING AND IDENTIFYING LEGAL RISKS

    • Legal Risk encompasses the following:
      • Contractual Risks: risks arising out of contracts entered into by the Company and a counterparty. This may include liability for breach of contract, or liability arising out of the failure of the contracting party to fulfil their end of the bargain;
      • Proprietary Risks: risks arising from disputes involving the Company which are of a proprietary nature. This includes disputes arising: due to failure to adequately protect a proprietary interest of the Company; as a result of the unlawful conversion of property belonging to the Company; or from an action against the Company alleging that it has infringed upon the proprietary interest of another party;
      • Employment Risks: are risks arising from the Company’s failure to satisfy employment law obligations and/or trade and labour-based disputes, strikes or actions against the Company;
      • Conduct Risks: are risks arising from liability occasioned by the unlawful or improper action of Personnel or the Company itself;
      • Risk of Criminal Liability: is the Risk that the actions or inactions of Personnel in the course of executing their duties to the Company will result in the imposition of criminal liability on Personnel or the Company; and
      • Legislative Risk: is the Risk that a change in or enactment of a new Applicable Law will adversely affect the Company.