As they do every year, the regulated players have begun the difficult exercise of drawing up their Annual Internal Control Report (AICR, referred to below by its French acronym, RACI). This document, which presents prudential, accounting and organizational information on the institution over the past year, must be submitted to the ACPR (Autorité de Contrôle Prudentiel et de Résolution) before April 30*.
Last July, the authority provided two models: one for credit institutions, finance companies and investment firms, and one for payment institutions, account information service providers and electronic money institutions.
These models enable reporting institutions to meet their respective requirements by facilitating the preparation, structuring and justification of the report. The ACPR points out that they are only indicative and that, while they have the advantage of providing a framework of expected answers, the reporting institution is free to adapt its RACI to its own risks and organization, provided that it is exhaustive.
Both models integrate the European and French regulatory requirements published or updated in 2021 that apply to companies subject to the RACI, allowing them to describe how they intend to respond to them. These include the guidelines of the EBA (European Banking Authority) on major incidents (EBA/2021/03) and on IT risk management (Article 270 et seq. of the decree of November 3, 2014) and, for financial institutions (credit and investment), the guidelines on internal governance (EBA/2021/05), the criteria for evaluating exceptional cases of exceeding the limits for large exposures as well as the deadlines and measures to be taken for a return to compliance (EBA/2021/09), and the conditions for the application of the alternative treatment of exposures related to "tripartite repurchase agreements" (EBA/2021/01).
The RACI is completed by an autonomous annex intended for one of the authorities in charge of the security of non-cash means of payment and access to payment accounts**. The purpose of this annex is to provide information on the fraud risk control system and the security measures implemented for cashless payment instruments issued or managed by the institution, including, as of this year, checks, as well as on access to payment accounts and their information in the context of providing payment initiation and account information services. This annex has also been marginally revised to ensure consistency with the definitions and typologies of fraud provided by the European Banking Authority and included in national statistical data collections on payment instruments.
Preparing the RACI is always a complex exercise, both because of its multidisciplinary nature, which requires the involvement of multiple actors (Governance, Risks, Permanent/Periodic Control, Compliance, IS, etc.), and because of the level of detail and justification expected by the supervisory authorities. The use of this framework is therefore a guarantee of time savings and exhaustiveness.
In order to facilitate its implementation, we recommend organizing the preparation of this RACI in the form of a project, by bringing together and coordinating the players involved, under the supervision of the function in charge (generally Risk and Permanent Control). It is also relevant to define and follow a timetable for the submission and review of elements, taking into account the time required for validation by senior management. Capitalizing on previous years is also an asset in the success of the project.
*By March 31 for groups and institutions subject to the direct supervision of the ECB, with the exception of the section on remuneration policy and practices, which may be submitted by April 30 following the end of each financial year.
**Bank of France or the Institut d'Émission d'Outre-Mer (IEOM) if the institution has its head office in the French Pacific communities.
For more information, please contact us at contacteznous@oaklen.eu