Learn more about the annual internal control report for fiscal year 2021
By April 30* of this year, reporting credit institutions, payment institutions, account information providers and e-money issuers must prepare their annual internal control report for the year 2021 (ICR).
The purpose of this report is to report to the supervisory body and to the supervisory authorities (ECB and/or ACPR and Banque de France) on the internal control activities (i.e., permanent and periodic controls) carried out within the organization during the past year.
This report aims to provide a global and cross-functional view of all the risks, both banking and non-banking, incurred by the company - and, where applicable, by its customers and the market - as a result of its activities.
These risks may therefore be of different kinds: non-compliance, financial, accounting, operational, security and, more recently, IT risk, which must be taken into account in the 2022 report for the 2021 financial year.
The organization must justify the implementation of measures, monitoring and control of the risks to which it is exposed, including its outsourcing policy.
This report must also include an appendix whose purpose is to assess the level of security of the non-cash means of payment made available or managed by the institution and of access to payment accounts and their information.
This appendix therefore covers, in particular: the fraud risk specific to each cashless payment method issued or managed and the associated risk control measures; compliance with the recommendations related to the security of payment methods issued by external bodies (OSCP, OSMP, SecuRePay, EBA); the results of the periodic control on the scope of cashless payment methods and access to accounts carried out for the past year; and the implementation of the security measures included in the RTS under PSD2.
To establish this annual report, the reporting companies can rely on the ICR template established and communicated by the ACPR.
Two models have been established, one for credit institutions, finance companies and investment firms, the other for payment institutions, account information service providers and electronic money institutions.
The elements included in the outline are provided for information purposes only. The content of the report must be adapted to the activity and organization of the institution and must include all information likely to allow an assessment of the functioning of the internal control system and an evaluation of the actual risks of the institution.
In addition, these templates are based on a "merged" version of the various reports to be prepared pursuant to articles 258 to 266 of the Order of November 3, 2014 as amended. However, the organization may continue to submit separate reports to the ACPR as long as they cover all the expected elements.
*By March 31 for groups and institutions subject to the direct supervision of the ECB, with the exception of the section on remuneration policy and practices, which may be submitted by April 30 following the end of each financial year.