Response to consultation on revised Guidelines on internal governance under CRD


Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

The scope of application and the general definitions are overall appropriate and consistent with the objectives of the Guidelines.

To avoid potential ambiguity, it may be advisable to further clarify the treatment of AI-related risks, which are mentioned in the text, to avoid overlaps with other sectoral regulations (e.g. AI Act, DORA) and to ensure consistency of expectations. This would help institutions integrate such risks without creating duplications or uncertainty.

Finally, as far as the date of application is concerned, a phased application might be beneficial, especially for smaller institutions and third country branches, to adapt internal processes and documentation appropriately.

In the interest of overall consistency, we respectfully draw the Authority’s attention to the European Central Bank Guide on Governance and Risk Culture, which was the subject of consultation in July 2024 and is not yet finalized, as it addresses several matters raised in the present consultation (see https://www.bankingsupervision.europa.eu/press/pr/date/2024/html/ssm.pr240724~af95040adc.en.html).

Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?

The elements that qualify the different dimensions of financial institutions are fully described and well integrated with the new relevance of the role of third-party service providers (§ 18k.) and third country branches (§ 18n.).

For the Authority’s kind consideration, we note that in §18k. and §18l., it could be beneficial to supervisory clarity to expand the list of drivers mentioning third party concentration and sub-contracting chains explicitly (not only “use of third party providers”), given their impact on operational, conduct and ICT risks.

Title II clarifies the characterising aspects of the functioning and composition of the management body and committees. Concerning the management body, the added specification is clear and appropriate (§ 20). Nevertheless, to avoid potential ambiguity, we recommend specifying in § 22c. i(a) and § 22n. whether the enlargement refers solely to ESG risks. Should the widening pertain only to ESG risks, it would still be beneficial to bring ICT risk as well as culture risk within scope.

With reference to § 29a., to enhance a clear allocation of responsibilities and, consequently, the setting of adequate time commitment and remuneration, it could be of particular utility to specify whether the mentioned “member of the management body” is an independent and non-executive director and which actual duties are to be assigned. In this respect, if the responsibility for an internal control function may be assigned to a board member, it would be advisable to specify in greater detail (i) the compatibility of the director’s time commitment and remuneration, and (ii) the nature and scope of the powers conferred on the director.

As to (i), where the responsibility is that of a Chief Officer (e.g., Audit, Risk or Compliance), as appears to be the case under § 172, it should be recognised that the director holds a part‑time appointment, whereas the Chief Officer role is a full‑time position, with, at the very least, different remuneration profiles.

As to (ii), if the powers do not coincide with those of a Chief Officer, it would be helpful to clarify whether the role assigned to the director is analogous to that of a committee – albeit constituted in a single‑member form – and therefore limited to advisory, fact‑finding and preparatory tasks, or whether it entails more detailed duties, as in the case of the board member designated for AML (§ 31). In the latter case, it would also be important to clarify whether assuming such a role would entail the loss of independent director status, which is a technical prerequisite both for taking on responsibilities in substitution for a board‑level internal control committee and for the role described in § 31 (see also answers to Questions 5 and 6).

In addition, it would be relevant to clarify, with some examples, which mandates could compromise the internal control function. Institutions would benefit from this when making their choices in implementing this provision.

The requirement that the chair of the management body be a non-executive member (§ 37) avoids conflicts of interest and sounds fully appropriate to avoid risks. Nevertheless, it could be useful to state whether it is deemed appropriate that the chair also holds independent status, especially in cases where the role of Chief Executive Officer is in place, consistent with the rationale of § 107a and § 107b.

Concerning § 51, the consideration of ESG risks is certainly in line with the need for the management body to be aware of these new risks and their impact on traditional ones, but it would also be important to consider other emerging risks such as ICT risk and culture risk, notably in the case of smaller institutions that consistently resort to third-party outsourcing arrangements. The integration of ICT risk is particularly relevant when compared with the required “knowledge, skills and experience” to assess the impact of this kind of risk on the institution’s risk appetite.

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

For the Authority’s kind consideration, we propose specifying some main aspects in relation to the organisational framework, following the paragraph structure.

  • We note that the rationale for removing the guidance on reporting lines is not evident; we would welcome the clarification that “reporting lines and the allocation of responsibilities, in particular among key function holders, within an institution should be clear, well-defined, coherent, enforceable and duly documented. The documentation should be updated as appropriate”. In this respect, we would also welcome the inclusion of a minimum review frequency (at least annually and upon any material change).
  • The mapping of duties is complete and understandable, allowing the application of the principle of proportionality, considering that duties may be defined by the institution at a high level rather than in particular detail. However, we respectfully propose clarifying, together with the mapping of duties, the architecture of information flows and requiring formal approval by the management body, including the designation of specific addressees (directors with particular mandates, board committees and, where applicable, the board of statutory auditors), so as to preclude information gaps potentially conducive to risk.
  • Further enhancement could be achieved by explicitly linking reporting lines with the use of measurable indicators (KPI/KRI). The Guidelines might encourage institutions to integrate quantitative metrics into their governance framework (e.g., timeliness of escalation, effectiveness of control remediation, frequency of breaches), thereby transforming reporting from a purely formal exercise into a practical tool for monitoring governance quality and risk management effectiveness. This would also improve comparability across institutions and support supervisory review.
  • As far as §68a – 68c are concerned, we suggest (i) explicit links to ICAAP/ILAAP and recovery–resolution roles, (ii) identification of key function holders, including the statutory financial reporting officer where applicable (e.g., Italy “Dirigente Preposto”), and (iii) data governance owner(s).
  • For the Authority’s kind consideration, we note that § 68 already guards against ‘letter‑box’ entities; we would welcome an explicit expectation that institutions evidence minimum in‑house capabilities where critical or important functions rely on third parties, together with regular reporting to the management body on third‑party concentration and performance.
  • Finally, the principle of proportionality could be more explicitly operationalized in relation to reporting and documentation duties. For large and complex groups, detailed mapping and structured KPI/KRI reporting should be expected, while for smaller or less complex institutions a simplified framework may suffice. Such differentiation would avoid unnecessary burdens, promote efficiency, and focus supervisory attention where risks are more material.

For the avoidance of any doubt, it could be useful to add a note in § 92 confirming that “third‑party arrangements include (i) outsourcing, (ii) other ICT third‑party services under DORA, and (iii) non‑ICT services that can affect critical or important functions”.

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

The changes made in Title IV are appropriate and clear, and the amendments are positive overall, especially the broader scope including ESG, ICT and operational resilience risks, but also the consideration of equality as an expression of a sound risk culture, reducing the diversity and/or gender gap.

Nevertheless, for the Authority’s kind consideration we propose some refinements that could enhance clarity and effective implementation:

  • a separate definition of “risk culture” vs “corporate culture” and an explicit statement regarding the management of culture risk via indicators, actions and decisions;
  • practical examples of behaviours providing robust evidence of a sound risk culture and, possibly, ‘red flags’ that can be taken into consideration. The rationale for this specification lies in the recognition that the absence of an adequate risk culture gives rise to culture risk, which in turn constitutes a principal driver of conduct risk;
  • fostering the adoption of KPIs/KRIs and, possibly, a simple risk‑culture dashboard (e.g. escalation timeliness; training participation; survey results; training completion; speak‑up volumes & closure times; breaches/near‑misses; model overrides; customer detriment; third‑party incidents; control‑function turnover; inclusion and gender pay gap) to make culture measurable and culture risk amenable to mitigation;
  • clarification of the proportionality principle, operationalised through simplified tools for smaller and less complex institutions and, where appropriate, more targeted expectations, recognising that such institutions may display a lower level of risk‑culture awareness and maturity;
  • enhancing the relevance of the Internal Control System, with reference to the role and the timing of action of the Compliance Function, Risk Management Function and Audit Function as far as culture risk is concerned;
  • specifying that an appropriate organisational structure and defined (formally mapped and traceable) information flows constitute the foundation for the effective oversight and control of culture risk;
  • consolidation of the link between risk culture and incentive systems (remuneration, performance evaluation) with specific attention to the remit of the Human Resources function;
  • stating that variable pay KPIs should be established in connection with strategy & RAF (not merely “considered”) and that consequence management for misconduct is part of accountability, not only incentives.

The amended Guidelines recommend that institutions use indicators to monitor the development of representation and equal treatment of staff of different genders and take the results of such monitoring into account within their approach to staff management (§ 101a). Some of the suggested indicators could be misleading if used without proper contextualisation. In particular, the following alternatives and explanations should be considered concerning each indicator:

  • percentage of part-time employees by gender: a high percentage of women working part-time may reflect personal choices, but also structural or cultural barriers. Without understanding the context, this could lead to incorrect conclusions;
  • average gender pay gap: if factors such as seniority, role, type of contract, and experience are not fully considered, the gap may appear larger or more unfair than it actually is;
  • number of reports of discrimination or harassment: a low number could indicate a healthy environment, but it could also reflect a climate where people do not feel safe to report.

It would be necessary to specify the objective of each indicator to avoid misinterpretations of the data.

Conflicts of interest are addressed clearly enough, even if, in the conclusion of § 107b, some practical examples should be provided for institutions to implement appropriate measures, as we also noted in answering Questions 2 and 6.

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

The changes made in Title V are appropriate and clear and the amendments are positive overall. Nevertheless, for the Authority’s kind consideration we propose some refinements that could enhance clarity and effective implementation:

  1. Risk Spectrum. In line with recent regulatory developments, particularly concerning ESG issues, and given the growing innovations in the digital field that expose the financial system to increasingly complex cybersecurity and IT threats, the Guidelines on Internal Governance explicitly broaden the range of risks that financial institutions must manage and monitor. Specific reference is made to:
  • ESG Risks: Institutions must consider environmental, social, and governance risks (including climate and biodiversity risks) across the short, medium, and long term (at least 10 years) and develop plans with quantifiable objectives to address them (§ 152). With respect to the proposed changes:

    § 152.(…) The risk management framework should pay particular attention to ESG risks in the short and medium term and over a long-term horizon of at least 10 years, and to the channels through which they may drive their prudential risks, in particular through environmental physical and/or transition risks, and be compliant with the requirements set out in the EBA Guidelines on the management of ESG risks (EBA GL/2025/01).

    Consistent with the previously cited EBA Guidelines, it would be beneficial to provide a clearer explanation of how long-term environmental risk scenario analyses, covering periods of at least ten years, should be incorporated into prudential risk assessments. Further clarification on the channels through which these scenarios may influence prudential risks, including their consideration within ICAAP or RAF frameworks, would also be valuable.

  • Digital Operational Resilience (DORA): Regarding the management of ICT risks, business continuity management should be consistent with the DORA regulatory framework, particularly with the adopted ICT business continuity policy (§ 225).
  • Artificial Intelligence (AI): The document now refers to the new AI regulation, indicating that risks related to artificial intelligence systems must be considered (§ 6).
  • AML/CFT: The importance of having adequate governance mechanisms is reaffirmed to manage money laundering and terrorist financing risks, establishing a separate AML/CFT compliance function as an independent control function (§ 171).

Consequently, it is necessary to clearly specify that institutions must adopt a more holistic and forward-looking approach to risk management, integrating non-financial risks (such as ESG and ICT) into their main frameworks. This requires a fundamental shift in how risks are identified, measured, and mitigated, moving beyond traditional categories of financial risk.

  2. Regarding internal control functions, further clarity would be required.

    1. § 172. (…) Where an internal control function is headed by a member of the management body in its management function, the institution should carefully ensure that appropriate safeguards and mitigants are in place to avoid conflicts of interest as referred to in paragraph 116, such as but not limited to, an independent mindset of the individual and appropriate key performance indicators, including objective appraisal and remuneration determination. This also applies to cases where the head of an internal control function performs other functions pursuant to section 19.3. 

      The possibility that a member of the management body can become the head of one of the internal control functions should be considered carefully. If this scenario occurs within a second-level control function, the dialogue between the third-level control function and the management body may be affected whenever internal audit reviews either the relevant second-level control function or any element within its scope. The same problems might occur if a member of the management body were the head of the internal audit function. Should this arrangement remain in place, it is essential to clearly define the mechanisms established to prevent any potential conflicts of interest.

    2. The Guidelines reiterate the importance of guaranteeing independent control functions endowed with adequate powers to carry out their activities (§ 174a). A more precise and extensive explanation would be required, because the Risk Management Function plays a crucial role in effective risk management: while accountability in the decision-making phase remains with the business units, the Risk Management Function supports the business by offering stimulation, challenge, and information in the case of significant risk-related decisions. To this end, the correct placement of the function, ensuring both independence and business partnering with the operational functions, is important. 

      § 174a. In accordance with Article 76 paragraphs 5 and 6 of Directive 2013/36/EU, institutions should have internal control functions independent of the operational functions and of the members of the management body in its management function and of senior management, allowing them to have direct access and report directly, as appropriate, to the management body in its supervisory function. This independence should be achieved by having appropriate and sufficient authority and stature, the ability to access directly and escalate any issue to the management body in its supervisory function where appropriate to fulfil their mission.

      It would be useful to evaluate the requirements stated in this paragraph in relation to what is contained in § 172, in particular referring to the possibility that a member of the management body is the head of one of the internal control functions. Such an arrangement poses a risk to the effectiveness of what is stated in § 174a. 

    3. Additionally, the principle that the decision to combine second-line control functions under a single individual must be justified on the basis of the principle of proportionality (§ 176) is reinforced. A more precise and extensive explanation would be required. Should the institution opt for the combination of second-line control functions under a single head, it must, in fact, demonstrate, firstly, that the nature, size, and complexity of its activities do not justify the appointment of separate figures for the Risk Management function and the Compliance function. Secondly, it must show that potential conflicts of interest have been evaluated, addressed, and, finally, that suitable measures have been de facto adopted to manage any identified conflicts. Furthermore, this decision must be adequately documented, specifying that the individual appointed to coordinate the second-line control functions has sufficient and adequate time (time commitment) and resources to effectively fulfill their duties. 
    4. With reference to § 210, in our view, while respecting the independence of each Internal Control Function, it is essential to define and formalize the methods of interaction and coordination between them. This collaboration is implemented through the definition of various elements:

      • Formalized information flows: these must concern the outcomes of the activities performed, the action plans identified following the recommendations, and the critical issues or irregularities found.
      • Specific coordination moments: providing for committees or other specific occasions to facilitate both information exchange and the integrated planning of respective activities, thereby ensuring synergies in work and coverage of all relevant risks.
      • Widespread knowledge dissemination: clearly identifying and publicizing the duties and responsibilities of the FACs throughout the company structure.
      • Integrated reporting: preparing a unified summary report for the benefit of corporate bodies.
      • Rotation programs: implementing rotation programs.

      The exchange of information and moments of sharing allow for the activation of synergies in thought and action on common and cross-cutting themes, the assumption of shared and structured decisions, and the identification of control objectives and relevant areas to be overseen in an integrated plan. To achieve an integrated risk assessment and a unified summary report for the Board of Directors, a constructive dialogue is necessary to define unambiguous, or at least reconcilable, taxonomies (concerning both processes and risks). Likewise, alignments must be established for representation rules, value scales, risk mapping, and common databases. Ultimately, fostering integration in the governance of the Internal Control System naturally enhances the risk culture; consequently, the degree of coordination among the Internal Control Functions could itself serve as an indicator of the risk culture.

      § 210. (…). The compliance function should report to the management body and communicate as appropriate with the RMF on the institution’s legal risk stemming from noncompliance risk events and its management. The compliance function and the RMF should cooperate and exchange information as appropriate to perform their respective tasks. 

      In the event the subdivision between the compliance and the risk management function is foreseen within the prudential supervision perimeter, it could be useful to clarify whether it is possible to expect that the compliance-risk management framework weighing on said perimeter is uniform with respect to the more general framework created by the compliance function. Similarly, it is requested to clarify whether RAF indicators regarding non-compliance risk must be uniform among all perimeters related to different control functions and whether an indicator summarizing the two perimeters should exist.


  3. With respect to the other proposed changes in Title V, further clarity would be required:

    1. RMF Role in Strategy Implementation: § 187. The RMF should be actively involved at an early stage in elaborating the institution’s risk strategy and in ensuring that the institution has effective risk management processes in place, and should monitor the effective implementation of the risk strategy.

      It would be useful to further clarify the ways in which the RMF “should monitor the effective implementation of the risk strategy”, specifying whether this requirement can be considered fulfilled through the monitoring of RAF indicators, as a tool for strategic and managerial guidance. Otherwise, it is requested to provide more detailed indications on the areas of control.

      It should be made explicit that the RMF does not re‑perform first‑line underwriting (e.g., CLO role) but challenges and opines on portfolio/RAF impacts, with the power to escalate and, where adopted by policy, to veto at levels below the Management Board, recording both the negative opinion and the MB’s rationale if overriding.

    2. ICT Risk Communication: § 195. The RMF should regularly monitor the actual risk profile of the institution and scrutinise it against the institution’s strategic goals and risk appetite and ensure that ICT-related information is conveyed on a timely manner to enable decision-making by the management body in its management function and challenge by the management body in its supervisory function.

      It is requested to clarify the terms under which the RMF “should (…) ensure that ICT-related information is conveyed on a timely manner”, explaining whether such information should be understood as relating to ICT risk or, alternatively, whether the function should also be considered responsible for the frequency of information underlying the measurement of risks in scope.

    3. Internal Audit Function (IAF) Independence: § 215. The IAF should be independent of the audited activities. Therefore, the IAF should not be combined with other functions.

      Considering the new possibility of combining the IAF with a second-level control function, it is requested to specify under which limitations such an arrangement would be permitted, as well as the expected safeguards.

    4. IAF Review of Risk Strategy: § 218. The IAF should perform an independent review of the effective implementation of the institution’s risk strategy.

      It is requested to specify the methods by which "The IAF should perform an independent review of the effective implementation of the institution’s risk strategy", indicating whether the assessment of proper monitoring and compliance with RAF limits can be considered adequate. Otherwise, it is requested to specify the expected controls.

      We would encourage a three‑year baseline coverage cycle (risk‑based) and annual auditing of (i) RAF design/effectiveness (Title V links to Title IV and Title I), (ii) DORA/third‑party registers, and (iii) AML/CFT key controls.

Name of the organization

AIFIRM Associazione Italiana Financial Industry Risk Management