Senior management, control functions, Shariah compliance culture and transparency disclosure - The required expectation

Senior Management

The CEO, as the leader of senior management, holds primary responsibility for the day-to-day management of the IFI. This includes ensuring that all operations, business activities, and affairs of the IFI comply with Shariah requirements at all times. To fulfill this responsibility, the CEO and senior management must:

(a) Establish a management structure and reporting arrangement that clearly defines accountability between the business lines and the internal control functions responsible for managing Shariah non-compliance risks. The management structure and reporting arrangement of internal control functions such as Shariah review, Shariah risk, and Shariah audit have been outlined in their respective sections in the policy. Management must ensure that a clear scope of responsibility is defined in accordance with the requirements. Additionally, the CEO is expected to establish a management structure and reporting arrangement for the Shariah department, including the accountability of the senior officer leading it. The policy does not specify which senior officer should bear this accountability, and it will be determined by the IFI based on the appropriateness of such a senior officer.

(b) Implement effective Shariah governance policies, procedures, and practices in accordance with the directions provided by the board. Where applicable, the CEO must ensure that Shariah governance policies and procedures are effectively implemented, meeting the board's expectations, such as ensuring the proper functioning of the Shariah committee and Shariah control functions.

(c) Implement the rulings of the Shariah Advisory Council (SAC) and the decisions or advice of the Shariah committee, with due regard by the board. The CEO must ensure that the departments and business units responsible for implementing the SAC rulings and Shariah committee decisions establish appropriate controls to adhere to the Shariah rulings.

(d) Implement an effective communication policy that promotes a comprehensive understanding of Shariah matters throughout the IFI. The CEO must ensure that the communication policy supports a sound understanding of Shariah matters within their respective divisions or departments.

(e) Conduct regular assessments to evaluate the quality of operational support provided to the Shariah committee and address any identified inadequacies. The operational support to the Shariah committee refers to the functions of the Shariah department. This assessment can be conducted using risk tools such as risk control self-assessment or independently reviewed by the second and third lines of defense.

(f) Report any potential or actual Shariah non-compliance events to the board and Shariah committee in a timely manner. This should be done in accordance with the relevant policy on Shariah non-compliance reporting, such as the operational risk reporting policy.

Each member of the senior management of an IFI must continuously develop and enhance their knowledge and understanding of Islamic finance, as well as stay updated on developments that may impact Islamic financial business. This responsibility will be fulfilled by the Shariah review function, which is required to provide updates and information to the board, Shariah committee, and senior management.

Control functions

Effective management of shariah non-compliance risk relies heavily on two factors:

(a) A comprehensive and integrated approach to enterprise-wide risk management, which includes addressing risks from shariah non-compliances alongside other risks such as credit, market, operational, and liquidity.

(b) The effective integration of control functions under shariah governance and oversight arrangements for risk management, compliance, and internal audit at both the entity-level and group-level.

An Islamic financial institution (IFI) must ensure that the oversight and management of overall shariah non-compliance risk is structured in a way that senior officers responsible for control functions under shariah governance can exercise clear accountability over shariah non-compliance risk. An IFI must ensure effective management of shariah non-compliance risk by performing the following functions on an ongoing basis: (a) Shariah risk management (b) Shariah review (c) Shariah audit.

An IFI must allocate sufficient resources to the control functions, including appointing an adequate number of officers with the necessary competencies and experience. The requirement does not specify the need for a separate department for control functions. Instead, it emphasizes the importance of having officers who can perform these functions. Therefore, an IFI may group these functions with other functions in a department, such as having a shariah and credit audit department, or having shariah review within the compliance testing department, or having shariah risk as part of the operational risk department.

Senior officers responsible for control functions under shariah governance must have direct and unimpeded access to the shariah committee to effectively perform their control functions. This implies that the senior officers overseeing shariah risk, shariah review, and shariah audit should have direct access to the shariah committee. They may organize informal forums or sessions with the shariah committee, in addition to attending Shariah committee meetings.

While it is common for control functions to work closely with individual business units, they must maintain sufficient independence from the business lines and should not be involved in revenue generation activities. The term "business lines" refers to the first line of defense. Therefore, control functions cannot report to business lines to ensure independence. It is important to note that, as per the operational risk policy, financial institutions are required to establish embedded operational risk functions within the business line function, which is considered the first line of defense. Some financial institutions expand the scope of this function to include compliance functions, creating a "risk and compliance function" that serves as a bridge between business lines and the second line of defense. This function is not involved in risk-taking activities but focuses on risk and compliance and is placed within the first line of defense.

Control functions must have access to all business lines that are exposed to shariah non-compliance risk in order to perform their functions effectively. It is recommended that this statement be emphasized in the respective charters of the control functions.

Shariah compliance culture and remuneration

Shariah compliance culture encompasses the practices and values that an Islamic financial institution (IFI) adopts to foster and promote adherence to Shariah principles in its operations, business, affairs, and activities. This includes establishing an appropriate "tone from the top" to consistently communicate the significance of complying with Shariah requirements and integrating Shariah governance considerations into the IFI's business and risk strategies, internal policies, and overall conduct. The board of directors holds the responsibility of ensuring the implementation of an effective communication policy that advocates for the successful implementation of Shariah governance. For instance, this policy should address the communication channels and working relationships between the control function, senior management, Shariah committee, and the board to enhance their effectiveness in reporting and decision-making. Moreover, the board must also ensure that the remuneration policy and performance measures for senior officers, who are accountable for upholding Shariah compliance, align with the objectives of Shariah governance and reinforce a risk culture that is consistent with these objectives.

Disclosures by the board and Shariah committee

An Islamic financial institution (IFI) must provide disclosures in its annual report regarding its Shariah governance policies and practices. These disclosures should cover the following:

(a) The board's disclosure on its oversight accountability for Shariah governance implementation and the overall compliance of the IFI with Shariah.

(b) The Shariah committee's disclosure on its responsibilities related to Shariah governance and its opinion on the IFI's compliance with Shariah.

The Shariah committee's opinion on the IFI's compliance with Shariah should be expressed as follows:

(a) If nothing has come to the attention of the Shariah committee that suggests any significant Shariah non-compliances in the IFI's operations, business, affairs, and activities; or

(b) If the overall operations, business, affairs, and activities of the IFI are in compliance with Shariah, but the Shariah committee has identified one or more material Shariah non-compliance event(s) that have occurred and are being rectified or in the process of being rectified. The Shariah committee's disclosure must provide details about the nature, status, and measures taken to address the reported material Shariah non-compliance events.

An IFI operating as an Islamic window should include the disclosure as part of its financial institution annual report or financial group annual report. An IFI operating as a foreign branch in Malaysia should submit the disclosure to BNM or may also publish the required disclosures on its website.

The IFI must ensure that the disclosures accurately reflect the roles, responsibilities, and accountabilities of the board and Shariah committee. The board and Shariah committee should not disclose any false, misleading, inaccurate, or incomplete information in the IFI's annual report.

The disclosure must be signed by at least two (2) members of the Shariah committee.

To ensure effective and structured processes are followed by the Shariah committee in forming its opinion on the IFI's compliance with Shariah, the IFI must develop a written policy endorsed by the Shariah committee and approved by the board. This policy may include aspects such as planning, determination of materiality, obtaining evidence, consultation, formation of opinion, and the manner in which the opinion is to be published.