On 23 February, Banco Nacional de Angola (BNA) published Notice 3/26. This notice regulates corporate governance and the internal control system, defining the minimum standards on which financial institutions' organisational culture should be based.
Notice 3/26 repeals Notice 1/22 of 28 January, with the aim of aligning the rules and procedures relating to corporate governance and internal control of financial institutions with best practices. It also seeks to enhance the stability of the Angolan financial system.
Scope of application
The Notice applies to banking and financial institutions under the supervision of the BNA, as well as holding companies, payment system operators, microfinance institutions, and payment service providers with assets totalling AOA 4 billion or more for three consecutive years.
Main changes to the previous rules
Among the various changes to the previous rules, the following are highlighted:
Corporate governance policies
The new Notice significantly expands the governance model policies. These now include:
All of these policies have legally defined minimum content requirements. Implementation of the cybersecurity and sustainability policies must be delegated to an executive director.
The Code of Conduct now includes mandatory rules on transactions with related parties, the duty of confidentiality, the prohibition of insider trading, the duty of loyalty, and the accumulation of activities. It is subject to an annual review by the management body, and the supervisory body must provide an opinion.
Conflicts of interest and related parties
The conflict of interest policy now applies to members of the management and supervisory bodies, holders of relevant management positions, and other employees. The policy has a minimum content requirement and requires prior approval by the supervisory body.
Related parties must be identified in a complete list that is updated at least quarterly. Approval of transactions with related parties requires a two-thirds majority of the management body after receiving opinions from the risk management, compliance, and supervisory bodies.
Composition and functioning of governing bodies
The maximum number of terms of office for independent non-executive directors has increased from one to two (non-renewable), and the same limit applies to members of the supervisory body. In public banks, the number of non-executive directors must always exceed the number of executive directors. There must also be gender and knowledge diversity in the composition of corporate bodies.
The management body is responsible for promoting an organisational culture of ethics, compliance and transparency, and for matters relating to strategy, risk policy and periodic independent assessments. The management body must conduct an annual self-assessment and an independent external assessment every three years. Matters that cannot be delegated to the executive committee are defined.
Each independent non-executive director must submit an individual report on the performance of their duties by 30 April of the following year, containing a minimum defined amount of information.
The supervisory body must submit an annual performance report to the BNA by 30 April of the following year.
Internal control system
Cybersecurity is now part of the second line of defence in the internal control system, alongside the risk management and compliance functions.
Non-executive directors must sit on and chair the internal control and audit committees (which may be combined). The chair of the internal control committee must have proven training and experience in auditing, accounting, or risk management. The committee must draw up an annual activity plan for approval by the management body.
The replacement of individuals responsible for control functions requires the prior approval of the supervisory body.
The internal audit function must undergo independent external evaluation at least once every four years.
Risk management
The areas of responsibility of the units that comprise the risk management function must be assigned to the same executive director. The risk management system must take climate and cyber risks into account.
Training
Members of the management and supervisory bodies must attend training courses at the beginning of their term of office and renew them every two years. Multi-annual training plans must cover risk management, compliance, organisational culture, ethics, cybersecurity, regulation and governance, and must be reviewed annually.
Information, documentation and reporting
The minutes of all meetings of the management and supervisory bodies, the executive committee and the committees must be recorded and archived in a computerised document management system.
Detailed requirements are introduced regarding the processes of production, processing and information flows.
The management body must approve an annual self-assessment report on the adequacy and effectiveness of the organisational culture and the governance and internal control systems, with a minimum defined content.
By 31 January each year, a corporate governance and internal control report must be submitted to the BNA on an individual basis, with reference to 31 December of the previous year.
Policies, code of conduct, governance structure, committee composition and annual corporate governance report must be published on the institution's website within 30 days of approval. All published information must remain available for 10 years (previously five).
New chapters
The Notice introduces new chapters on the reporting of irregularities and on the principles of transparency and consistency of internal control of financial groups. These include minimum requirements and specific duties of the parent company's management body.
Entry into force and transitional arrangements
The Notice came into force on 24 February 2026. However, the Notice establishes the following transition periods for financial institutions to adapt to the new rules: (i) banking financial institutions with shares admitted to trading on a regulated market and banking financial institutions with exclusively public capital: 180 days from the date of publication. (ii) payment service providers: 12 months from the date of publication (iii) other financial institutions: 90 days.
The Notice also stipulates that independent non-executive directors whose term of office ends after the Notice comes into force may only continue in the same role for one additional term.