Annual Report 2014 Corporate governance system in BBVA Compliance system Internal control model Standards of conduct

Internal control model

Based on best operational risk management practices, BBVA Group has established and maintains an internal control model organized around three lines of defense (3LoD), as well as a governance scheme called Corporate Assurance. The Group's internal control model has two components.

1. The first one is the model based on three lines of defense, which guarantees compliance with the most advanced internal control standards and is organized as follows:

  • The Group's business units constitute the first line of defense. They are responsible for managing current and emerging risks and implementing control procedures.
  • The second line of defense is made up of the units specializing in control (Compliance, Global Accounting & Information Management -GA&IM- / Internal Financial Control, Internal Risk Control and Business Process Assurance). This line of defense identifies current and emerging risks, defines the control policies within the scope of its cross-sector specialty, ensures that they are implemented correctly, provides training and advice to the first line and is responsible for reporting to the management team.
  • The third line of defense is made up of the Internal Audit unit, for which the Group assumes the guidelines of the Basel Committee on Banking Supervision and of the Institute of Internal Auditors. Its function is that of providing independent and objective assurance and consulting activity designed to add value and improve the Organization's operations. The duties and lines of work of this unit are described below.
A model based on best practices, organized around three lines of defense and with a well-designed governance scheme


2. The second component is the Corporate Assurance scheme, which is tasked with providing a comprehensive and standardized approach to the Board of Directors and the management bodies on the Group's internal control situation. This provides timely information on the main control weaknesses that may arise in the different assurance processes and makes it possible to prioritize their solution and monitor the implementation of measures for mitigating them more effectively.

To perform its duties, the model is provided with an orderly mechanism for reporting to management. The mechanism is made up of a number of committees that meet every four months, in which members of the senior management of the Group and its subsidiaries take part. The committees seek to understand control issues and make decisions that will have a significant impact on the objectives of the various units, both at the local level and for the consolidated Group.

This Corporate Assurance scheme includes an orderly mechanism for reporting to management

Internal Audit

The functions of the Internal Audit unit are universal in scope and include all activities and entities in BBVA Group, with no exceptions and irrespective of geographic location or reporting situation. Its scope also extends to the activities and services the Group has outsourced.

This unit has unrestricted access to employees, workplaces, systems, IT and physical records and, in general, any information required to perform its functions effectively.

The main focus of the work of Internal Audit in 2015 has been as follows:

  • Regulatory work, which is particularly relevant given the new demands made by the different regulators and as it serves to address the new supervisory environment in Europe. Worth mentioning in this respect are: the work carried out to guarantee that the global information submitted to the regulator has the required integrity and quality, such as FinRep and CoRep; the review on compliance with the Volcker Rule and regulations governing loans and deposits in the United States; and the policies on the prevention of money laundering and terrorist financing.
  • Security of information, which is essential in an increasingly complex digital environment. Cybertests have been conducted in this area, reproducing in the most reliable way real scenarios for cyberattacks. This work has enabled BBVA to accurately assess both the risk exposure and the response capabilities. The results have been used to define security plans for all Group with the aim of improving the defense in the event of cyberattacks.
  • Digital Banking, through the review of processes, infrastructures and applications that support the Group's digital business. Of particular note is the work on digital contracting, digital channels such as Bancomer Móvil and Netcash, the Nimble application and the NBA-AMEX card.
  • Customer experience, to assess customer satisfaction in several countries where the Group operates.
  • Operational risk associated with various Bank processes, such as the acquiring business in several countries, operations in branch offices through on-site reviews and data analytics work.
  • Suppliers, to guarantee control of outsourced processes, through a review of the existing policy and control mechanisms for outsourcing processes.
  • Fraud prevention, through forensic work and post-mortem event analysis. Additionally, monitoring of fraud indicators continues through the review of branch offices.  
Internal Audit: universal scope and unrestricted access to all required information

BBVA Group (1). Main Internal Audit activities by line of activity 

Innovation and technology 54
Customer- centric 17
Banking processes 39
Suppliers 12
Fraud prevention 323
Regulatory 220

(1) Except Garanti.