Assessment of the Internal Systems and Operations

INTERNAL AUDIT ACTIVITIES

With the Board of Directors' authorization, the Audit Board carries out independent and objective assurance and consultancy activities by establishing a systematic, disciplined, and risk-based approach to improve and add value to the Bank's operations. Its primary purpose is to establish and operate the internal audit system, which assures senior management of the effectiveness and adequacy of the governance, internal control, and risk management systems, and that the Bank’s activities are carried out in line with the Banking Law and other relevant legislation and the Bank’s strategies, policies, principles, and objectives.

In addition to the units under internal systems, it audits the activities of the Bank’s Head Office units, domestic and overseas branches, subsidiaries and affiliates, as well as external service providers, in terms of their compliance with the Banking Law, other laws and regulations, internal legislation, strategies, policies, principles and objectives. Audits are also conducted with a view to reviewing the effectiveness and sufficiency of practices for financial data accuracy and protection of resources, governance, internal control and risk management systems.

In addition, it carries out investigations regarding the personnel’s irregular and illegal transactions and the fraud and fraudulent transactions of third parties against the Bank.

Assurance work carried out by the Audit Board is conducted in two different ways: on-site audit and centralized control. On-site auditing activities are carried out in departments, branches, subsidiaries, affiliates, and individuals and organizations from which support services are procured, within the framework of the annual audit plan, which is prepared in line with the objectives and strategies of the Bank and with a focus on resource planning. Centralized control is carried out by applying information technology-supported remote auditing techniques to detect situations that may pose risks in branches and departments and to take measures quickly in line with the risk scenarios established previously.

Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on probability, impact, and materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.

The accuracy of the data used in the Internal Capital Adequacy Assessment Process Report, the adequacy of the systems and processes, and whether or not the data, systems, and methods enable accurate information and analyses are audited within the framework of the procedures and principles determined by the Audit Board.

Compliance with the ISO 9001 Quality Management System, ISO 14001 Environmental Management System, ISO 27001 Information Security Management System, and ISO 22301 Business Continuity Management System is assessed in the branches and Head Office departments that are audited within the scope of the annual audit plan.

In light of the audits, examinations, and investigations conducted by the Audit Board, proposals are made for the correction of any detected issues, for taking measures to prevent similar errors, for improving the processes, and for enhancing the internal control system, while the actions taken regarding these issues are monitored at certain intervals.

The corrective actions taken by the business units on the action dates are checked; if the corrective action is sufficient to eliminate the finding, the finding is closed; if it is not sufficient, the action date is followed. The projects entered by the business units to eliminate the issues determined by the audits are evaluated as to whether the project’s scope is sufficient to eliminate the finding. In case of deficiencies or errors, the relevant business unit is informed to ensure its correction.

The auditors provide training to the Bank’s staff on various issues that are needed and requested.

Within the framework of the principle of continuous professional development, in-Bank and non-Bank training that contributes to the professional and personal development of auditors is organized, and training is provided primarily to encourage the acquisition of international certificates.

The Audit Board was awarded the “Certification Awareness Award” for attaching importance to Internal Auditor Certification and the “Continuous Professional Development Awareness Award” for carrying out the work on creating the trained workforce needed by the internal audit profession and developing the profession at the “Awareness Award Ceremony” organized by the Turkish Institute of Internal Audit (TIDE) to raise awareness of internal audit for three consecutive years since 2019.

Auditors receive training courses before audits requiring expertise. This way, specialized and experienced teams of auditors are trained and the quality of the audit is raised.

As per the 2022 Internal Audit Program, the following audits were conducted: the audit of 361 Branches and 47 Affiliated Branches and 3 Overseas Branches; the audit of 12 Head Office Business Units, 1 Internal Systems Unit, and Departments under these Units; the audit of 3 Subsidiaries (one overseas); the audit of 24 Information Systems Processes (pursuant to relevant provisions of the Regulation on Bank's Information Systems and Electronic Banking Services); the audit of 4 Head Office information systems units; the audit of information systems at 5 Subsidiaries (one overseas); the audit of information systems at 20 service providers of outsourced services; the audit of all Banking Processes; the audit of Internal Capital Adequacy Assessment Process (ICAAP); Compliance Controls for Penetration Test Action Plan; BADES Action Plan Compliance Controls; Information Systems and Banking Processes Audit; Action Plan Compliance Controls; Management Statement Efforts (Information Systems Audit, Banking Processes Audit, Annual Assessment of Service Providers for Outsourced Services); Risk Center Audit; Information and Communication Security Guide Audit; SWIFT Audit; Audits to be Conducted under the Regulation on Determining the Service Level and Quality of Banks' Call Centers; Electronic Banking Services Audit; Audit of TFRS-9 Processes; Audit of the Processes linked with Personal Data Protection Law (General); Audit of Retrospective Vouchers; Audit of the Accuracy of Reports Presented to BRSA; Audit of the Premium Payments Made to SDIF; Audit of New Products-Apps and Services; Compliance Audit for the Bank and its Financial Subsidiaries (Compliance Program Audit); and the Audit of Compliance with ISO 14001 Environmental, ISO 27001 Information Security and ISO 22301 Business Continuity Management System.

INTERNAL CONTROL ACTIVITIES

The Internal Control function is structured to ensure establishment and coordination of a healthy internal control environment; protection of the Bank’s assets; effective and efficient performance of the activities in conformity with the Banking Law and relevant legislation, internal policies and rules as well as banking practices, reliability and integrity of the accounting and financial reporting system; and timely accessibility of information. Accordingly, the Bank’s domestic and foreign branches, head office departments, and consolidated partnerships are subject to the control plan based on a risk-centered approach.

According to risk conditions, domestic branch controls, carried out by the Internal Control Department, are conducted on-site or from the Head Office within the control programs’ framework every year. In addition, real-time controls are performed as part of instant control activities for the transactions conducted at branches. Internal control activities in 2022 included all domestic branches of the Bank, three foreign branches and one foreign subsidiary, 35 Head Office units, and five consolidated partnerships.

As part of the Information Systems Internal Control Plan for 2022, the Internal Control Department carried out internal control activities regarding information systems at five units involved in information systems, three foreign branches, and one foreign subsidiary. Periodic controls were also conducted at 31 control points for continuous controls regarding risky activities carried out by information systems units.

Findings and recommendations under all these control activities are reported and shared with the relevant departments as the actions taken are monitored. Internal controls on information systems and banking processes are assessed with a risk-oriented perspective, based on materiality criteria, and reasonable assurance is given by obtaining audit evidence for the audited controls’ effectiveness and adequacy.

The Internal Control function controls the distribution of roles and responsibilities and the functional classification of tasks to identify, measure, and prevent the Bank’s risks; sets up auto-control mechanisms in all processes, procedures, and projects to be deployed in a manner that will cover potential risks; and establishes and enhances system controls. Activities are carried out to increase the effectiveness of control activities and minimize operational risks. In conformity with the objectives and strategies of the Bank, changing needs, risks, regulations, and technological developments are followed. Necessary adjustments and updates are made to ensure the effectiveness and functioning of the internal control system. Activities continue with the aim of enhancing the internal control culture in the Bank.

COMPLIANCE DEPARTMENT’S ACTIVITIES

The Compliance and Regulation Department carries out activities to fulfill the responsibilities stipulated in the Financial Crimes Investigation Board (MASAK) legislation within the scope of the Prevention of Laundering Proceeds of Crime and Financing of Terrorism and Proliferation of Weapons of Mass Destruction, and to comply with international principles and rules on the same. In this context, pursuant to the “Regulation on Compliance with Obligations Related to the Prevention of Laundering Proceeds of Crime and Financing of Terrorism,” the necessary policies and procedures are established for the identification, classification based on risk categories, and monitoring of customers, and notification of suspicious customer transactions to ensure that the Bank fulfills its obligations. The implementation of these policies and procedures is checked, and opinions/approvals are given for the transactions of risky sectors and countries. Transactions that may be suspicious, whether transmitted through branches and other channels or detected within the scope of monitoring and control activities, are investigated and evaluated within the framework of a risk-based approach, and the transactions that are deemed to be suspicious are reported to the Financial Crimes Investigation Board (MASAK). For the purpose of sound monitoring of international sanctions by the Bank, the Sanctioned List, which compiles the sanction decisions of international institutions and organizations such as the United Nations, the European Union, OFAC, etc., is used for queries and controls. Compliance-related duties and activities are performed in coordination to prevent the laundering of the proceeds of crime and financing of terrorism at domestic and foreign branches of the Bank.

For foreign branches, which are subject to the compliance program established by the Bank in accordance with the legislation of the country in which they operate, the follow-up of the compliance risks that may arise from foreign regulations and the control of compliance with these regulations are carried out by a staff member in respect of each branch. The activities mentioned earlier are carried out in coordination with business units. In-class and online training courses are regularly provided to the Bank’s employees to constantly raise awareness and strengthen the culture of preventing the laundering of proceeds of crime and financing of terrorism.

Upon several amendments made in the Financial Crimes Investigation Board (MASAK) regulations, financial institutions operating under a parent institution have been gathered under the umbrella of the Parent Financial Institution, with the entire structure being re-defined as a "Financial Group". Obligations of all institutions under the financial group continue separately, while an additional set of group obligations has been introduced for "Financial Groups".

Under the Türkiye Vakıflar Bankası T.A.O. Financial Group established as per the regulations are our Bank, which is the parent financial institution, and other financial institutions including Vakıf Yatırım Menkul Değerler AŞ, Vakıf Faktoring AŞ, and Vakıf Finansal Kiralama AŞ. Oversight and coordination for the fulfillment of the obligations by the Financial Group rest with the Compliance Department of our Bank, which is the parent financial institution. In this respect, a Financial Group Compliance Policy has been released. Our Bank's Compliance Officer has also been appointed as the Financial Group's Compliance Officer, and the Bank's Deputy Compliance Officer has been appointed as the Financial Group's Deputy Compliance Officer. To act in line with joint, group-wide compliance standards in compliance efforts across the group, the Bank's Compliance Department carries out joint activities with the Compliance Departments of the other three financial institutions. In addition, necessary guidance and instructions are provided and financial group compliance obligations are checked.

LEGISLATION MONITORING AND EVALUATION ACTIVITIES

The Compliance and Regulation Department carries out activities to effectively and efficiently monitor relevant legislation on banking activities and manages the compliance process.

Recent developments in legislation and banking practices related to banking activities are monitored; the impacts of legislative changes on banking activities are interpreted. Within this scope, the measures to be taken by the Bank and the affiliates of the Bank about the services provided by the Bank and the changes to be made in the Bank’s internal legislation and practices are identified, written information is provided to the relevant departments, and the departments are requested to take the necessary measures, which are followed up. Furthermore, relevant departments are informed of draft banking regulations, and thus necessary procedures are initiated before they enter into force.

Tasks for regulatory compliance controls are carried out within the scope of the “Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process.” In this respect, efforts toward alignment with regulatory changes are coordinated. Measures are taken by the relevant department for such changes to be reflected in the Bank's internal procedures and practices. Changes in practices and revised procedures are also monitored and checked in terms of compliance with regulations. This way, revisions and changes deemed necessary are also made. Necessary measures are taken for timely and full compliance with regulations. In addition, controls are run for the compliance of new products and services with these regulations, while coordinated efforts are undertaken to keep internal procedures and instructions up to date.

Notification and coordination processes are run to ensure the Bank participates in the meetings held by the Banks Association of Türkiye. The Bank also joins, together with relevant functions, the Working Groups formed as part of regulatory compliance activities. Participation is ensured in the meetings of Working Groups. When the Association requests the Bank’s opinion on a specific subject, ideas are gathered from relevant business units and are evaluated to express a statement on behalf of the Bank. Information on the activities carried out before the Association, regulatory arrangements communicated by the Association, and instructions and information received from the Agency (BRSA) are all disseminated to relevant business units, and actions taken are monitored.

There are agreements in place on exchanging information between the Republic of Türkiye and the United States of America and with OECD countries to enhance international tax compliance. Legislation regarding these agreements is monitored. Relevant business units are assigned to ensure compliance with such legislation. The efforts undertaken by business units are monitored. Measures include those in compliance with the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS).

Detailed justifications regarding compliance with all the principles contained in the Good Practice Manuals, and regarding the principles that are partially implemented or not fully implemented, must be presented every year together with the Internal Capital Adequacy Assessment Process (İSEDES) reports submitted to BRSA. Within the scope of this obligation, the practices and policy documents of the Bank, which is designated as a “Systemically Important Bank,” are monitored and controlled to ensure that they are in full compliance with all the principles specified in the Good Practice Manuals. The relevant business units are coordinated to make changes and corrections when necessary.

In addition, our employees who are assigned to foreign branches, are in charge of the matters mentioned earlier, and report on compliance monitor the compliance of those branches with the legislation in their respective countries.

In line with the activities of the Department, it is aimed to support the Bank’s compliance with the applicable laws and other relevant regulations, the Bank’s internal policies and procedures, organizational management and ethical standards, and to protect the Bank’s reputation and integrity through compliance with all legal regulations.

To ensure the Bank's full compliance with sustainability-related regulations, to prevent environmental problems such as climate change and uncontrolled waste, the legislative regulations published by the Ministry of Environment, Urbanization, and Climate Change and other relevant institutions and organizations are closely monitored, the relevant departments are informed about the issue, and contribution is made to the 2030 Sustainable Development Goals of the United Nations.

SUMMARY INFORMATION ON IMPORTANT LEGISLATIVE REGULATIONS PUBLISHED IN 2022

The Communiqué on Encouraging Conversion to Turkish Lira Deposit and Participation Accounts and the Communiqué on Encouraging Conversion from Gold to Turkish Lira Deposit and Participation Accounts were published by CBRT and entered into force in 2021. These communiqués allowed customers who hold FX-denominated accounts to convert their balances to TL, open time-deposit accounts, and protect against FX risks. Initially covering only real persons, the Communiqués were expanded in scope in 2022 to include legal entities as well.

The Presidential Decree No. 5206 on Supporting Deposit and Participation Accounts Vis-à-vis Rising FX established the principles and procedures for “FX-Protected TL Time-Deposit Accounts” intended to serve as a new financial alternative to be implemented until December 31, 2022, for those customers who wish to protect their savings against rising FX. An amendment introduced on December 17, 2022, extended the implementation period until December 31, 2023.

The Communiqué on the Deposit and Participation System Accounts for Turkish Citizens Abroad (YUVAM) was published to allow Turkish citizens residing abroad, who are real persons, to convert the FX transferred from abroad to TL, open a time-deposit account, protect against FX risks, and earn the additional returns to be paid by the Central Bank of Türkiye. With amendments introduced to the communiqué afterward, firms based abroad with Turkish citizens residing abroad as investors have been included in the scope of the Communiqué. Another amendment made lifted the requirement of citizenship for eligibility from the provisions of the Communiqué.

The Communiqué on Introducing Physical Assets in Gold to the Financial System was published to stipulate the principles and procedures allowing real and legal persons in Türkiye to, either via authorized jewelers and refineries or directly via the Bank’s branches, convert their physical gold assets in their gold accounts to TL-denominated deposit accounts and to benefit from the incentive to be provided to such account holders.

An income tax exception was introduced for the aforementioned deposit products as part of the Liraization Strategy announced by CBRT. The withholding tax applied to income obtained from these products has been set at zero.

A revision was made to the Export Circular obliging exporters to sell at least 40% of their export fees to the banks, and banks to sell these amounts to CBRT and pay, in return, to exporters in TL.

In addition, the Implementation Directive on Exports and FX Generating Services Rediscount Credits was revised. Accordingly, firms wishing to take out rediscount credits are obliged to undertake that they would sell at least 30% of their export income throughout the credit term to the banks and not re-purchase the FX amount sold for one month, provided that the export fee in FX corresponding to the credit amount at minimum is sold.

A revision was made to Corporate Tax Law no. 5520 according to which the exchange difference, derived as a result of conversion from FX and gold-denominated accounts to FX-protected deposit accounts, and earnings from interest income are exempt from taxation.

An amendment was made to the Regulation on the Definition, Qualifications, and Classification of Small and Medium-Sized Enterprises, according to which the turnover threshold set for SMEs was increased from TL 125 million to 250 million.

As for the transition to the Turkish Lira Overnight Reference Rate (TLREF), the Banks Association of Türkiye announced the termination of the Turkish Lira Interbank Offer Rate (TRLIBOR). Accordingly, the final release date for TRLIBOR is June 30, 2022; the announcement of the TRLIBOR/TLREF transition spread rate is July 1, 2022, and the transition of TRLIBOR-indexed transactions to TLREF is July 1, 2022.

An amendment was made to Decree No. 32 on the Protection of the Value of Turkish Lira, according to which payment obligations under FX-denominated property sales contracts, with the exception of vehicle sales, between persons residing in Türkiye shall be paid in TL.

Pursuant to the Communiqué on the Establishment of Securities as published and enacted by CBRT, banks and financial institutions identified by CBRT are now obliged, on the side of liabilities, to keep securities before CBRT for FX-denominated deposits and precious metal deposit accounts, as well as for the funds generated from FX-denominated repo transactions, the qualities of which are to be determined by CBRT. On the side of assets, banks and financial institutions are obliged to do the same for securities and TL-denominated cash loans, the procedures and principles of which are to be determined by the Central Bank. The obligation to hold securities before the Central Bank includes long-term Government Debt Securities and lease certificates issued by the Treasury Undersecretariat’s Asset Leasing Company.

Upon amendments to the Communiqué on Mandatory Provisions, banks and financing companies were subjected to a mandatory provision corresponding to 10% of their TL-denominated commercial cash loans with the exceptions specified in the Communiqué. This ratio was then increased to 20% and then reduced to 0% for banks. This 0% provision for banks was replaced by 30% securities establishment as per the Communiqué on Securities Establishment.

The general maturity threshold for consumer loans was set to be 36 months for loans of up to TL 50 thousand; 24 months for loans of over TL 50 thousand and below TL 100 thousand; and 12 months for loans of over TL 100 thousand.

Maximum amounts and maturities of vehicle loans and loans extended in exchange for an auto pledge have been re-determined according to the final invoice value and motor insurance value of the vehicle for which the loan was extended.

A regulation was introduced regarding consumer loans to be extended for mortgage and mortgage-guaranteed loans whereby the amount of the loan would vary based on the appraisal value of the house obtained as a guarantee, whether it is new or second-hand, and its energy class.

Pursuant to the Advance Loan against Investment Commitment (ALIC) Implementation Directive as amended by CBRT, provisions that restricted the intermediation for ALICs only to development and investment banks were lifted. The total loan cap was increased to TL 150 billion, where the TL 50 billion portion of this cap was allocated to ALICs to be taken out by firms operating in tourism.

Under decisions passed by BRSA as part of macro-precautionary steps to strengthen financial stability:

A decision was passed to not extend a new TL-denominated commercial loan in cash to companies subject to independent audit with the exception of banks and financial institutions if their foreign currency (FX) cash assets correspond to over TL 10 million as of the date of their loan application and such companies’ FX cash assets exceed 5% of whichever is greater: their total assets or their net sales revenues in the past 12 months as of their most recent financial statements. Where a transaction that contradicts such a decision is made, the risk weight ratio applied shall be different than the standard ratio in capital adequacy calculation for all TL commercial cash loans extended to such companies, commercial cash loans to be extended as of May 1, 2022, as part of the Regulation on Measuring and Assessing the Capital Adequacy Ratio of Banks except the loans identified as an exemption by BRSA and commercial cash loans in FX and TL extended to persons residing in Türkiye except the banks and financial institutions carrying out derivative transactions with residents abroad.

Banking and insurance transaction tax was increased from 5% to 10% for the funds received in consumer loans.

With a revision made in the Consumer Protection Law no. 6502, a restriction was introduced regarding the offering of insurance and other secondary products and services as a condition for extension in consumer and mortgage loans.

Under the Law of the Istanbul Finance Center no. 7412, the activities to be conducted at Istanbul Finance Center and incentives, discounts, exemptions, and exceptions regarding such activities were regulated.

Pursuant to an amendment made to the Banking Law no. 5411, the scope of deposit insurance was expanded to cover saving deposits and all other deposits except deposits held by public institutions, credit institutions, and financial institutions (up to TL 200 thousand for 2022, TL 400 thousand for 2023).

Regarding Banks' outsourcing activities, BRSA was appointed as the official authority to grant power to support services enterprises and other service providers, as applicable to the nature of service to be procured, and to establish the principles and procedures that such providers shall comply with while delivering these services.

BRSA was appointed as the official authority to grant an operating permit by imposing limitations and restrictions based on banks' areas of activity.

With CBRT's regulation, banks whose total TL-denominated deposits remain below the ratio set by CBRT will be charged varying commission fees.

Pursuant to the amendment to the Regulation on Banks’ Consolidated and Unconsolidated Calculation and Implementation of Foreign Currency Net General Position/Equity Standard Ratio, the weekly simple arithmetic average of the absolute values of foreign currency net general position/equity standard ratio was set at 5% at maximum to be effective as of 2023.

BRSA specified, effective from 2023, that the customers from whom the most recent financial statements audited by independent audit institutions and independent auditors’ reports shall be obtained at the stage of credit allocation are those customers whose total risk in the banking sector is above TL 200 million, including the loan requested.

Customers’ express and written statement on the nature of payment in all cash transfers from Türkiye to abroad is now mandatory. It is also mandatory for customers to present a supportive document to the bank regarding the nature of transfers the amount of which exceeds the figures specified by CBRT.

The implementation period for reduced withholding tax rates was extended from December 31, 2022, to June 30, 2023, for interest income generated from TL deposit accounts, as well as the income and revenues generated from bonds and bills.

BRSA released a Regulation on the Independent Audit of Information Systems and Business Processes, which now governs the principles and procedures applicable for the audits to be conducted by independent audit institutions authorized under this Regulation for the information systems and business processes of those institutions that are subject to the oversight and supervision of BRSA. The Communiqué on the Report regarding Independent Audit of Information Systems and Business Processes established the principles and procedures for the content and form of the independent audit report to be issued under the Regulation on the Independent Audit of Information Systems and Business Processes.

Pursuant to the amendment made in the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism, the transaction cap was increased to TL 85 thousand from TL 75 thousand in identifying persons. The amount was increased from TL 85 thousand to TL 185 thousand in 2023.

Revisions made to Law no. 5520 re-established the corporate tax at 25% for banks, electronic payment and monetary institutions, authorized foreign exchange agencies, asset management companies, capital market institutions, insurance and reinsurance companies, and pension firms.

The Banking Sector Good Practices Guide for Protection of Personal Data published by the Personal Data Protection Board provides procedures and principles that banks must observe for the protection of personal data, as well as general information on their obligations.

Circular no. 2022/1 Regarding the Regulation on Disclosure of Trade Secrets published by BRSA governs issues such as the obligation of keeping secrets, exceptions for keeping secrets, and general principles regarding the disclosure of confidential information.

According to the revisions made to the Law no. 5834 on Disregarding the Past Records of Bad Checks, Protested Bills and Loans and Other Credit Card Debts, if real persons and legal entities whose principal and/or installment due date was before October 1, 2022, and who failed to make timely payments, later repay all of the remaining due amounts or restructure their debt by July 1, 2023, their records kept at the Risk Center of the Banks’ Association of Türkiye will not be taken into consideration by credit institutions and financial institutions in financial transactions conducted with such persons and entities.

CBRT announced the launch of the Safety Layer Service (SİPER) that can be used in all fund transfers. The Service allows information sharing on any illegal transaction risks involving the institution initiating the fund transfer and the receiving institution and helps inform all other participants of the system.

The “GEÇİT” infrastructure was established to enable financial service users to manage their accounts at different payment service providers from a single access point and place payment orders. The system will also help create secure, effective, low-cost, and innovative business models.

OTHER INFORMATION ON THE BANK AND ITS ACTIVITIES

There are no lawsuits filed against the Bank that could affect the Bank’s financial status and activities.

There have been no considerations that could lead to a conflict of interest between the Bank and the institutions from which it receives services such as investment consulting and rating.

There are no lawsuits filed against VakıfBank regarding environmental, social, and corporate governance issues.

GRI 2-15