I. General Purpose and Functions of the Committee
The purpose of the Audit and Risk Committee (the “Committee”) of BNY Mellon Government Securities Services Corp. (the “Corporation”) is to assist the Board of Directors (the “Board”) of the Corporation in fulfilling its oversight responsibilities with respect to the audit and risk functions of the Corporation.
The Committee's role is one of oversight, recognizing that the Corporation's management is responsible for executing the risk framework of the Corporation. In assisting the Board of Directors in fulfilling the Board’s oversight responsibilities, the Committee shall:
- Oversee the establishment and operation of the Corporation’s risk management framework, which shall be commensurate with the structure, risk profile, complexity, activities, and size of the Corporation, with such risk management framework incorporating:
- To The Corporation’s risk appetite statement;
- Assigned responsibilities and accountability for risk decisions and decision making in crises and emergencies;
- Risk management policies, procedures, and systems that enable the Corporation to identify, measure, monitor, and manage risks that arise in or are borne by the Corporation; and
- Processes and systems for implementing and monitoring compliance with such policies and procedures, including processes and systems to:
- Identify and report risks and risk management deficiencies, including emerging risks, and ensure effective and timely implementation of actions to address emerging risks and risk management deficiencies for the Corporation’s operations;
- Establish managerial and employee responsibility for risk management; and
- Ensure the independence of the risk management function.
- Oversee the Corporation’s material risk decisions;
- Oversee the implementation of the Corporation’s risk management policies;
- Regularly monitor the Corporation’s risk profile to ensure that it is consistent with the Corporation’s business strategy and risk appetite statement;
- Oversee compliance with the guidelines and reporting mechanisms established by the Board to ensure timely and comprehensive escalation of business issues, risks, and events;
- Review the Corporation’s risks relating to technology, including review of the Corporation's technology risk management programs; and
- Receive reports from management concerning the Corporation’s technology operations including, among other things, business continuity planning, information security, software development project performance, technical operations performance, technology architecture and significant technology investments and approve related plans or policies, or recommend such plans and policies to the Board for approval, as appropriate.
As part of these requirements, the Committee will have the responsibility to:
- Review and approve the Corporation’s risk appetite statement on an annual basis, and any material amendments thereto;
- Review significant risk exposures applicable to the Corporation and the steps, including policies and procedures, that management has taken to identify, measure, monitor, control, limit and report such exposures, including, without limitation, reputational, operational, fraud, strategic and technology (data-security, information, business-continuity risk, etc.);
- Review and evaluate the Corporation's practices with respect to risk assessment and risk management by reviewing reports and significant findings of the Operational Risk, Technology Risk and Compliance Groups and the Internal Audit Department with respect to the risk management and compliance activities of the Corporation, together with management's responses and follow-up to these reports;
- Review the scope of work of the Operational Risk and Technology Risk Groups and Compliance Group and their planned activities with respect to the risk management and compliance activities of the Corporation;
- Receive an annual report on compliance activities from the Chief Compliance Officer;
- Review any proposed appointment and replacement of the Chief Risk Officer;
- Review and provide input on the performance of the Chief Risk Officer on an annual basis; and
- Review guidelines and reporting mechanisms for escalation of business issues, risks, and events on an annual basis.
The Committee's audit function is one of oversight. In assisting the Board of Directors in fulfilling the Board’s oversight responsibilities, the Committee shall:
- Provide oversight of compliance with policies and procedures adopted by the Corporation relating to audit functions;
- Provide oversight of internal control functions in the first, second and third lines of defense, including ensuring appropriate independence and adequate resources;
- Confirm that the Corporation is subject to an audit program in which discrete audits are performed of each significant activity at intervals commensurate with the nature and risk of that activity;
- Provide general oversight of audit and examination activities conducted with respect to the Corporation;
- Review the results of SOC 1 reviews to assess the effectiveness of internal controls; and
- Receive reports on any issues deemed to be significant by the Corporation’s Chief Audit Executive.
As part of these requirements, the Committee will have the responsibility to:
- Conduct an annual review of the internal audit plan, including receipt from the Chief Audit Executive of periodic status updates on the annual audit plan, including all significant findings and the status of aged issues;
- Review with management and auditors significant proposed or contemplated changes to the Corporation’s auditing and accounting principles, policies, controls, procedures, and practices;
- Maintain open communication between the Committee, auditors, management, and the Board;
- Review any proposed appointment and replacement of the Chief Audit Executive; and
- Review and provide input on the performance of the Chief Audit Executive on an annual basis.
General Functions of the Committee
In carrying out its oversight responsibilities, each Committee member shall be entitled to rely on the integrity and expertise of those persons providing information to the Committee and on the accuracy and completeness of such information, absent actual knowledge of inaccuracy. In adopting this Charter, the Board acknowledges that the independent Committee members are not employees of the Corporation and are not providing any expert or special assurance as to the Corporation's financial statements, the auditing standards applied to such financial statements or the risk management functions of the Corporation.
II. Composition, Tenure and Operations
In accordance with the Bylaws of the Corporation, the Committee shall consist of two or more Board members. Committee members and the Committee Chair shall be reviewed annually by the Board of Directors. Each director appointed to serve on the Committee shall serve until the next annual meeting of the Board or until his or her respective successor is designated.
The Chief Risk Officer and Chief Audit Executive shall report directly to the Committee. The Committee shall receive and review regular reports, at least quarterly, from the Chief Risk Officer and Chief Audit Executive.
III. Oversight of Compliance with Laws and Regulations
The Committee shall review with management, the General Counsel of The Bank of New York Mellon Corporation, the Chief Compliance Officer, the Chief Audit Executive and the Chief Risk Officer the Corporation's compliance with laws and regulations and any significant litigation or investigation with respect to the Corporation.
The Committee shall receive annual reports from the Chief Compliance Officer on the Corporation's compliance with laws and regulations.
IV. Committee Minutes and Regular Reports to the Board of Directors
The Committee shall maintain minutes of meetings and report to the Board of Directors on at least a quarterly basis, including on any issues with respect to the quality or integrity of the Corporation's financial statements, the Corporation's compliance with legal and regulatory requirements, and the performance of internal audit and risk management functions.
Minutes of its meetings shall be approved by the Committee and maintained on behalf of the Committee by the Secretary of the Corporation. The Committee shall make such recommendations to the Board as it deems necessary or appropriate.
V. Whistleblower Complaints
The Committee shall follow the procedures established by BNY Mellon for the receipt, retention and treatment of complaints received by the Corporation regarding accounting, internal accounting controls or auditing matters, and for the confidential, anonymous submission by Corporation employees of concerns related to accounting or auditing matters.
The Committee shall meet as frequently as necessary to fulfill its duties and responsibilities, but not less than quarterly. A meeting of the Committee may be called by its chair or any two members of the Committee.
VII. Access to Personnel, Books and Records
At all times, the Committee shall have access to the books and records of the Corporation and to such management and other personnel as it deems necessary or helpful in discharging its duties.
VIII. Committee Charter
The Committee shall review and assess the adequacy of this written charter annually and recommend changes to the Board of Directors as necessary.
IX. Subcommittees and Delegation
Except as limited by law or regulation, the Committee may form subcommittees for any purpose that it deems appropriate and may delegate to such committees or to other committees of the Board such power and authority as it deems appropriate.
X. Annual Performance Evaluation
Annually, there shall be a performance evaluation of the Committee, which may be a self-evaluation or an evaluation employing such other resources or procedures as the Committee and the Board may deem appropriate.
Approved: June 4, 2018