Internal control system and risk management

The internal control system comprises the rules, procedures and organisational structures that aim to guarantee compliance with corporate strategies, the effectiveness and efficiency of processes, and the conformity of transactions with the regulatory framework and corporate regulations.

The internal control system

The internal control system plays a key role in the organisation of Banca Ifis. It plays a fundamental role in monitoring corporate risks and favours the dissemination of a correct culture of risk, legality and corporate values.

The internal control system consists of the set of regulations, functions, structures, resources, processes and procedures aimed at ensuring, in compliance with a sound and prudent management, the achievement of the following objectives:

  • The implementation of corporate strategies and policies;
  • Risk containment within the limits set forth in the reference framework for determining the Group’s risk appetite (Risk Appetite Framework – “RAF”);
  • Safeguarding asset value and protection against losses;
  • The effectiveness and efficiency of business processes;
  • The reliability and security of company information and IT procedures;
  • Prevention of the risk that the group be involved, even involuntarily, in illegal activities (with specific reference to those related to money laundering, usury and terrorist financing);
  • Compliance of transactions with the law and supervisory regulations, and with internal policies, regulations and procedures.

Role of the company’s bodies:

  • The Board of Directors approves the document of the “Group Guidelines on the Internal Control System”, updated last in December 2020.
  • It verifies that the guidelines are consistent with the established strategic guidelines and risk appetite and that they can follow the evolution of business risks and the interaction between them. Approves the Risk Appetite Framework and risk management policies;
  • The Risk Management and Internal Control Committee  is responsible for supporting, the Board of Directors in making assessments and decisions relating to the internal control and risk management system;
  • The Board of Statutory Auditors plays a fundamental role in supervising the adequacy and functionality of the internal control system;
  • The CEO is the director in charge of overseeing the functionality of the internal control and risk management system.

The proper function of the internal control system is based on fruitful interaction between the company’s bodies, the persons tasked with auditing and the control departments.

In particular, the Risk Management and Internal Control Committee and the Board of Statutory Auditors interact frequently during their meetings, and, as needed, with the CEO, the Manager responsible for drafting accounting and corporate documents, the Auditing Firm, the Chief Risk Officer, the Head of Compliance and the Head of Anti-Money Laundering. They also systematically interact with the Head of Internal Audit who, usually, attends the meetings of both bodies.

All corporate activities are subject to controls, articulated in three levels:

  • Line controls (first level):business areas, owners of the various processes and activities;
  • Second levels controls: Risk Management, Compliance and Anti-Money Laundering corporate functions;
  • Third level controls: Internal Audit.

The heads of the control organisational units liaise with each other, coordinating and collaborating, to avoid overlapping, to develop synergies and to optimise partnership.

Taxonomy of Risks

Banca Ifis has defined a Risk Taxonomy which describes the logic followed in identifying the current and/or potential risks to which the Group could be exposed in reaching its strategic objectives and, for each type, the planned prevention and mitigation instruments.

The identification of risks and the periodic updating of the Risk Taxonomy are the result of a joint job performed by the Control Functions (Risk Management, Compliance, Anti-Money Laundering, Internal Audit) and the Executive in Charge and is approved, at the proposal of the Chief Executive Officer, by the Board of Directors of the Parent Company, after consulting the Risk Management and Internal Control Committee.

The Chief Executive Officer reports any need for updating that may be necessary for changes to the regulatory, strategic and organizational context to the Board of Directors of the Parent Company, on the recommendation of the Control Functions, the Manager in Charge, and the Organization.

Risk Management

Risk Management identifies the risks the Parent and the Group companies are exposed to and measures and monitors these risks on a regular basis through specific indicators, planning potential actions to mitigate material risks. The goal is to provide a holistic and comprehensive view of the risks the Group is exposed to, ensuring an adequate reporting to governance bodies.

The overall governance and risk management structure at Group level is governed by the Risk Appetite Framework.


The control activities carried out by Compliance, identified on the basis of planning approved by the Board of Directors, aim to verify the effectiveness of the organizational measures required, proposed and implemented to manage the risk of non-compliance.

The audit findings are formally presented in reports shared with the relevant business structures, which must provide feedback on the remedial actions identified and the relevant implementation time line.

Anti-Money Laundering

A specific Anti-Money Laundering function carries out systematic second-level controls in relation to the risk of money laundering and terrorist financing, to ensure correct application of procedures to the operating processes.

Internal Audit

The audit work performed by the Internal Audit department concerns all processes and consists in regularly monitoring the application of all the Bank’s operational policies, procedures and practices to identify potential anomalies or violations of internal rules as well as evaluate the effectiveness of the internal control system as a whole.

Internal Audit operates on the basis of planning approved by the Board of Directors,and carries out unplanned audits for specific needs. Audit results are shared with the reference organizational unit and with the second level control functions, and are sent to the Board of Statutory Auditors and the Risk Management and Internal Control Committee.

Credit risk

Given the particular business of the Group’s companies, credit risk is the most important element to consider as far as the general risks assumed by the Group are concerned. Maintaining effective credit risk management is a strategic objective for the Group, pursued by adopting integrated tools and processes that ensure correct credit management in all stages (investigation, granting, monitoring and management, intervention on problem loans).

Credit risk is continuously monitored with the help of procedures and tools that allow for the timely identification of positions that present particular anomalies. Over time, the Banca Ifis Group has implemented instruments and procedures allowing to specifically evaluate and monitor risks for each type of customer and product.

The Banca Ifis Group pays particular attention to the concentration of credit risk with reference to all Group companies, at both individual and consolidated level. Banca Ifis’s Board of Directors has mandated the Top Management to take action to contain major risks.

With the suspension of amortization plan payments, control of the overdue over 30 days to allocate to Stage 2 is also no longer valid.

This led the Group to introduce, during the second half of 2020, a collective prudential corrective action aimed at relations with counterparties belonging to specific sectors considered to have a high Covid-19 impact risk (transport, tourism, catering, automotive). This prudential measure was adopted in order to identify the expected risk increase in those economic sectors most impacted by the current pandemic crisis and the ongoing economic crisis.

Further lump-sum corrections were also added for those exposures related to some specific types of medium and long-term loans, currently regular, but which are believed to be more at risk in complying with the amortization plan envisaged following the expected post-Covid-19 economic impacts.

Credit risk mitigation techniques

Credit risk mitigation techniques include those instruments that help limit the loss the Group would suffer should the counterparty default; specifically, these are the collateral and personal guarantees pledged by customers, and any agreements that could potentially reduce credit risk.

In general, as part of the credit granting and management process, for certain types of credit lines, customers are encouraged to provide suitable guarantees in order to reduce their risk. These may consist of collateral, such as liens on financial assets, mortgages on residential or non-residential property, and/or personal guarantees (usually sureties) provided by a third party, where an individual or legal entity takes responsibility for the customer’s obligations in the event of insolvency.

In particular:

  • As part of factoring operations, when the type and/or quality of factored receivables do not fully satisfy requirements or, more generally, the invoice seller is not sufficiently creditworthy, the bank’s established practice is to hedge the credit risk assumed by the Group by obtaining additional surety bonds from the shareholders or directors of the invoice seller. As regards the assigned debtors in factoring relationships, where it is believed that the evaluation elements available on the assigned debtor do not enable a correct evaluation/assumption of the credit risk connected to the debtor counterparty, or that the risk amount proposed exceeds limits identified when assessing the counterparty, the default risk of the assigned debtor is suitably hedged. Guarantees issued by correspondent factors and/or insurance policies underwritten with specialised operators are the main hedge against non-domestic account debtors in non-recourse operations;
  • In the area of loans to companies, where possible, suitable guarantees are acquired from the Central Guarantee Fund or from other companies within the public sphere such as SACE S.p.A .;
  • In relation to the Special Situations and Structured Finance operations, guarantees are acquired according to counterpart standing, the duration and type of loan. Said collateral includes mortgage guarantees, liens on plant and equipment, pledges, surety bonds, credit insurance, and collateral deposits;
  • In relation to financial leases, it should be noted that the credit risk is mitigated by the presence of the leased asset. The Lessor maintains the ownership until the final purchase option becomes available, thus ensuring for itself a greater recovery rate in case of a default by the customer;
  • In relation to transactions involving non-performing loans and the purchase of tax receivables from insolvency proceedings, and the related business model, no actions are normally taken to hedge against credit risks;
  • Salary-backed loans undoubtedly have a low-risk technical form, considering the characteristics of this product which necessarily requires insurance coverage against the risk of death and/or loss of employment and the constraint, as a greater guarantee of the loan, on the Severance Pay accrued by the customer;
  • Pharmacy financing transactions provide for an advance accompanied by a sale or a mandate to collect receivables.

In line with the provisions of the Liquidity Decree (D.L. no. 23 of 8 April 2020) the Group took advantage of the guarantees offered by the state Guarantee Fund for the type of customers and loans provided for by the Decree, with coverage that can reach up to 100%. This guarantee allows for a reduction in RWAs relating to credit risk, in proportion to the amount of exposure covered by the Fund.

The acquired NPL portfolios include positions secured by mortgages on properties that present a lower risk than the overall acquired portfolio.

When calculating the overall credit limit for an individual customer and/or legal and economic group, the Bank considers specific criteria when weighing the different categories of risks and guarantees. Specifically, when measuring collateral, it applies prudential ‘spreads’ differentiated by type of guarantee.

The Group continuously checks the quality and adequacy of guarantees acquired on the loan portfolio, with second-level controls carried out by the Parent Company’s Risk Management function and performed in the Single File Review area.

For further information, please refer to the 2020 Reports and consolidated financial statements.

Market risk

Interest rate risk and price risk – supervisory trading book 

In 2020, the proposed investment strategy governed by ‘the Portfolio Management Policy of Banca Ifis, is consistent with the risk appetite formulated in 2020 by the Board of Directors as part of the Risk Appetite Framework process and set out in the ‘Group Market Risks Management Policy’ and with the system of objectives and limits.

Within this process, the overall investment strategy continued to focus on the conservative “stance”, consisting mainly of a bond portfolio whose main component is made up of Italian government bonds, characterized overall by high liquidity and a strategy of constant returns in the medium term.

The related assets making up this portfolio are therefore mainly valued at amortized cost or using the FVOCI method; they fall within the perimeter of the banking portfolio and therefore do not represent market risk.

In this context, the component relating to the ‘trading portfolio’ from which the market risk in question originates was marginal both in absolute terms of the risk values recorded and with respect to the established limits. The trading portfolio is mainly composed of options and futures deriving from hedging and enhancement transactions ancillary to the investment strategy for the assets in the ‘banking portfolio’ and the ‘Principal-discretionary trading’ portfolio, which takes a short-term speculative approach. There is also a capital security for residual amounts.

Within the trading portfolio, there are also residual transactions deriving from Corporate activities in which derivative contracts were offered to customers to hedge the financial risks assumed by the latter; all outstanding transactions are hedged, for the purpose of eliminating market risk, with ‘back to back’ transactions, in which external market counterparties have assumed an opposite position to that sold to corporate customers.

Interest rate risk and price risk – banking book

The assumption of significant interest rate risks is in principle unrelated to the management of the Group. In terms of composition of the Assets and Liabilities Statement and consequent sources that generate interest rate risk, where liabilities are concerned the prevalent technical form of funding continues to be made up of the online deposit account “Rendimax Conto Deposito”. Customer deposits on “Rendimax Conto Deposito” and “Rendimax Conto Corrente” products are at a fixed rate for the fixed-term component, and at a non-indexed floating rate, which can be reviewed unilaterally by the Group in compliance with regulations and contracts, for demand and call deposits. The other main funding components concern mainly fixed rate bond deposits, a variable rate self-securitisation transaction and loans with the Eurosystem (TLTRO).

With regard to assets, customer loans remain mainly at variable rates, both with regard to the commercial credit component and to corporate loans.

As part of the non-performing loans transactions (carried out by the subsidiaries Ifis Npl SpA and Ifis Npl Servicing SpA), characterized by a business model focused on the purchase of receivables at lower than nominal values, there is a potential interest rate risk interest connected to the uncertainty over collection times.

At 31 December 2020, the overall bond portfolio was mainly composed of government bonds for a percentage of approximately 85%. The average duration of this portfolio is approximately 2.6 years.

The corporate function responsible for ensuring interest rate risk management is the Central Capital Markets Department which, in line with the risk appetite established, defines the actions necessary to pursue it. The Risk Management function is responsible for proposing the risk appetite, identifying the most appropriate risk indicators and monitoring the performance of assets and liabilities in relation to the set limits. Each year, the Top Management proposes to the Bank’s Board of Directors its lending and funding policies and its interest rate risk management policies. It also suggests any appropriate action to ensure that it carries out its activities in accordance with the risk policies approved by the Bank.

The Risk Management function periodically reports to the Bank’s Board of Directors on the interest rate risk position by means of a quarterly Dashboard prepared for the Bank’s management.

For further information, please refer to the 2020 Reports and consolidated financial statements.

Currency risk

The assumption of currency risk is currently foreign to Group policies. Banca Ifis’s foreign currency operations largely involve collections and payments associated with factoring operations. In this perspective, the advances in foreign currency granted to customers are generally hedged by deposits and/or loans acquired from other banks in the same currency, substantially eliminating the risk of losses associated with exchange rate fluctuation. In some cases, synthetic instruments are used as hedging instruments.

Transactions on the Polish market, through the subsidiary Ifis Finance Sp. Z o. o., are no exception to the aforementioned approach: assets denominated in zloty are financed by funding in the same currency.

With the purchase of the Polish subsidiary, Banca Ifis took on the exchange risk represented by the initial investment in the capital of Ifis Finance Sp. Z o. or. for 21.2 million zloty and the subsequent share capital increase of 66 million zloty.

In 2020, the Romanian subsidiary Ifis Finance I.F.N S.A. was established, with a capital of 14.7 million Romanian leu (RON). The company was not yet operational as at 31 December 2020 so the approach previously described does not change.

For further information, please refer to the 2020 Reports and consolidated financial statements.

Liquidity risk

The liquidity risk refers to the possibility that the Group fails to service its payment commitments due to the inability to raise funds or the inability to sell assets on the market to meet liquidity needs. The liquidity risk also refers to the inability to secure new adequate financial resources, in terms of amount and cost, to meet its operating needs and opportunities, hence forcing the Group to either slow down or stop its operations, or incur excessive funding costs in order to service its obligations, significantly affecting its profitability.

During 2020, in line with the strategy adopted, there was a reduction in the retail funding component, in particular referable to the on demand and call components, and a significant increase in access to the form of financing, via Eurosystem, inherent in the TLTRO III operation.

At 31 December 2020 the main funding sources were the Bank’s equity, online retail funding-consisting of on-demand and term deposits— medium/long-term bonds issued as part of the EMTN programme, funding from the Eurosystem (TLTRO), medium/long-term securitisation transactions, and the Abaco channel with the Bank of Italy.

The Group is constantly engaged in the harmonious development of its financial resources, both in terms of size and costs, in order to have available liquidity reserves adequate for the current and future business volumes.

The Parent’s business functions responsible for ensuring correct application of the liquidity policy refer to the Central Capital Markets Department, with reference to direct management of liquidity, to the Risk Management function, which is responsible for proposing the risk appetite, identifying the more appropriate risk indicators and monitor their performance in relation to pre-established limits, and support the activity of Top Management which is responsible, supported by the Central Capital Markets Department, for proposing funding policies annually to the Board of Directors and liquidity risk management and to suggest any appropriate actions during the year to ensure that the activity is carried out in full consistency with risk policies approved.

For further information, please refer to the 2020 Reports and consolidated financial statements.

Impacts resulting from the Covid-19 pandemic

Upon the occurrence of the Covid-19 pandemic, in relation to liquidity risk, the Group promptly established a strengthening of the internal controls both by increasing the frequency (from monthly to weekly) of calling the ALM Technical Committee, regardless of any reports situations of alert or crisis detected through the Contingency Funding Plan, as well as with a further enhancement of the tools and processes for monitoring and controlling the liquidity position.

In the period of greatest crisis, the available and readily usable liquidity reserves remained largely sufficient with respect to the Group’s bonds, constantly recording, for the LCR and NSFR regulatory indicators, values significantly higher than the required thresholds. Also in terms of the survival period, which considers the occurrence of a severe combined stress scenario, values were found in line with the established risk appetite.

With regards to the evolution of the volumes of funding during 2020 attributable to the effects of the pandemic, there was a reduction in the stock of securitized deposits with trade receivables as collateral, which occurred as a result of the reduction in the amounts of underlying credits and resulting from the economic slowdown. Also in order to make up for potential further reductions in these forms of funding and, in consideration of the freezing of the wholesale funding market at the time, in June 2020 the Group joined the new extraordinary loan operation for a significant amount (so-called TLTRO 3) promoted by the ECB, thus financing itself in the medium-long term at a competitive cost.

In February 2020 (pre-pandemic) a bond issue was carried out as required by the funding plan.

In line with the aforementioned strategy in terms of management and risk appetite, despite the exceptional nature of the pandemic event, no violations of the risk thresholds assigned internally were detected during the 2020 financial year.

During 2020, a methodological and technological improvement project was launched concerning, among other things, the measurement and control of liquidity risk, which requires for the adoption of an ALM suite by the relevant departments provided for by an external vendor.

For further information, please refer to the 2020 consolidated reports and financial statements.

Operational risks

The operational risk is defined as the risk of suffering losses resulting from inadequate or dysfunctional processes, human resources, internal systems or external events. This definition does not include strategic risk and reputational risk, but it does include legal risk (i.e. the risk of losses deriving from failure to comply with laws or regulations, contractual or extra-contractual liability, or other disputes), IT risk, risk of non- compliance, fraud risk, risk of money laundering and terrorist financing, and the risk of financial misstatement.

The main sources of operational risk are operational errors, the inefficiency or inadequacy of operational processes and of related controls/safeguards, internal and external fraud, lack of internal regulation compliance with external regulations, the outsourcing of company functions, quality level of physical and logical security, inadequacy or unavailability of hardware and software systems, increasing use of automation, insufficient number of personnel compared to the size of operations and lastly inadequacy of personnel management and training policies.

Banca Ifis Group has for some time now defined – in line with the appropriate regulatory requirements and best practices in the sector – the overall framework for the management of operational risk, represented by a set of rules, procedures, resources (human, technological and organisational) and control activities aimed at identifying, assessing, monitoring, preventing or mitigating and communicating to the appropriate hierarchical levels all the operational risks assumed or that can be assumed in the various organisational units. The key processes for correct management of operational risk are also represented by the collection of operational loss data (Loss Data Collection) and the prospective self-assessment of the exposure to operational risk (Risk Self Assessment) and the self-assessment of the degree of exposure to model risk, i.e. the risk of incurring financial losses or incorrect strategic decisions deriving from improper or incorrect use of the results and reports produced by the models used (Model Risk Self Assessment).

The Loss Data Collection process has now been consolidated, also thanks to Risk Management’s constant efforts to disseminate a culture of pro-actively managing operational risks among the various structures, and therefore to raise awareness about the Loss Data Collection process.

Please note that in the first half of 2020 the periodic Risk Self Assessment campaign launched in the last quarter of 2019 was completed and included the corporate scope in place at the end of the year with the exception of the subsidiary Ifis Npl Servicing SpA (formerly Fbs SpA) . Following the campaign, the main operational issues were identified and consequently specific mitigation measures were defined and launched aimed at further strengthening the safeguards against operational risks.

In the same period, the Model Risk Self Assessment campaign was also completed, conducted considering the organizational units as Model Owners present at the Parent Company and at the Subsidiary Ifis Npl, as the responsibility for the development and maintenance of the models is attributed to the Parent Company’s Risk Management. Following the campaign, the models most exposed to risk were identified and reported to the Validation department for the definition of appropriate mitigation actions.

These measures are continuously monitored and disclosed in periodic reports that are shared with the competent structures and bodies: events such as the breach of certain thresholds or the emergence of anomalies trigger specific escalation processes aimed at defining and implementing appropriate mitigation actions. These indicators are continuously monitored and disclosed in periodic reports that are shared with the competent structures and bodies: events such as the breach of certain thresholds or the emergence of anomalies trigger specific escalation processes aimed at defining and implementing appropriate mitigation actions.

For further information, please refer to the 2020 Reports and consolidated financial statements.

Impacts resulting from the Covid-19 pandemic

With reference to the impacts deriving from the Covid-19 emergency, the operational and reputation risk management strategies have undergone changes both as a result of specific requests by the regulator, and to recalibrate the internal control system in order to make the monitoring activities more responsive to the changed methods of carrying out some business activities following the restrictions imposed. Specifically, dedicated initiatives have been implemented to minimize the impacts on the ordinary performance of operations as well as to reduce the risk of interruption or deterioration of the quality of customer services. To this end, the methods for carrying out monitoring and reporting activities in the Loss Data Collection areas (including impact on the Group’s information systems) and disputes were reviewed and integrated. For both areas, the scope of the analysis was contained and the scope of application of the same was made more in-depth by taking into account and providing specific disclosure of the consequences deriving from the health emergency in terms of operational losses and complaints received.

In addition, steps were taken to significantly increase the frequency of carrying out the surveys and sharing the results. The periodical monitoring has in fact passed from quarterly to fortnightly, making it possible to intervene in a timely manner with specific mitigation actions in the presence of particular critical situations linked to the current emergency period.

With reference to the NPL Sector, in particular the methods of out-of-court credit recovery, during the health emergency period the recovery activities were strengthened through the telephone method (phone collection) due to the temporary suspension of the agent network door-to-door activities. Specific Key Risk Indicators have been defined to monitor compliance with the maximum threshold of customers / debtors entrusted for each single recovery agent. Following the pandemic, this threshold was raised in consideration of the fact that the monthly charges entrusted to the officials of the internal network were integrated with positions for which it was possible to proceed with phone collection, leaving those pending (without termination) for home collection.

For further information, please refer to the 2020 Reports and consolidated financial statements.