Response to consultation on revised Guidelines on internal governance under CRD
Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?
N/A
Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?
Para 22 c(i): could the EBA explain why the term ‘independent’ has been removed from the second and third line of defence? We understand that to enable good governance the second and third line of defence must be independent from the risk-taking activities (first line of defence). The removal of this term might give the impression that the second and third lines of defence need not be independent from the risk-taking functions, reducing the effectiveness of adequate oversight and challenge.
Par. 23: A distinction is being made between third-party arrangements and outsourcing arrangements. We understand that with the introduction of the EBA Guidelines on the management of third-party arrangements, all types of third-party arrangements (bar a limited few) need to comply with the said guidelines without any distinction as to whether the activity is deemed outsourcing or not. We would welcome greater harmonisation of terminology across the various Guidelines (e.g., outsourcing, third-party risk, cloud arrangements). This would help mitigate confusion and reduce duplication in compliance efforts.
Par. 29a: could the EBA clarify what is meant by ‘…provided that the member does not have other mandates that would compromise the member’s internal control activities and the independence of the internal control functions’?
Par. 31: Although we note that this paragraph has not been amended, we would like to highlight that it is unclear as to why the requirement of identifying a director for AML/CFT is included in these Guidelines given that this requirement is catered for in other legislation. We therefore propose that governance requirements related to AML/CFT be addressed within sector-specific legislation (e.g., the AMLD), rather than within internal governance guidelines. This approach would help prevent regulatory overlap and enhance clarity in implementation.
Par. 51: We would like to enquire what knowledge, skills and experience are expected of members of the Remuneration Committee. Having said this, it is opined that the additional requirements on the suitability of the Remuneration Committee members are not required since the current suitability assessment should suffice. Accordingly, we request that proportionality be applied to suitability expectations and recommend that the EBA clarify that any additional requirements should be implemented in a proportionate manner, particularly in the context of smaller institutions.
Par. 61 c: the introduction of new risks such as ‘fundamental rights’ does not flow with the rest of the text. We understand that the ‘fundamental rights’ the EBA is referring to are fundamental human rights. We therefore propose a clearer categorisation framework under ESG: in particular, we recommend that “fundamental rights” be explicitly linked to relevant ESG risk categories, and that illustrative examples be provided to support consistent and effective implementation.
Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?
Para. 68a (b): we suggest that the mapping of duties should pertain to the identified members of the management body in its management function, senior management and KFH as identified at consolidated level and applied to the entities within the scope of prudential consolidation. In the event that, from the assessment of personnel, certain senior management located at subsidiary level are not deemed to have a significant influence over the direction of the institution, then we suggest that the statement of roles and the mapping of duties of these roles do not need to be carried out. Accordingly, we request clarification on the scope and thresholds for such requirements and recommend that the EBA define criteria for when mapping of duties is necessary at subsidiary level, including whether this applies to all senior managers or only those with significant influence.
Para. 68a (c): we understand that the obligation to outline duties pertains to the management body in management function and does not extend to the management body in supervisory function.
Para. 68a (g): For transparency purposes, the senior management should also be privy to the mapping of duties.
Para. 68b (d): In a move towards digital, we recommend that the EBA explicitly endorse the use of electronic signatures and digital recordkeeping for governance-related documentation, in alignment with the wider digitalisation initiatives across the EU.
Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?
N/A.
Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?
Prior to referring to Title IV – Risk Culture and Business Conduct, we refer to Title III Section 8 – Third-Party Risk Management Policy.
Par. 91: we suggest that the paragraph is amended so that it is clarified that the third-party risk management policy referred to therein is the one referred to in the currently proposed EBA Guidelines on sound management of third-party risk. Thus, a cross reference to such Guidelines should be included in such paragraph.
Title IV – Risk Culture and Business Conduct
Para. 107a (a): to better implement this obligation, we kindly request the EBA to provide examples of ‘significant professional conflict of interest’ or criteria for assessment, to ensure consistent interpretation.
Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?
Par. 171: Could the EBA explain the interaction between the requirement laid down in this paragraph and the requirement laid down in par. 31? Are these two different requirements?
Par. 174a: in light of this new requirement, in the unitary board, could the EBA clarify whether it is possible for the Head/Chief of an internal control function to also be a member of the management body in its management function? The current text suggests that this may not be the case. Having a Head of an internal control function, particularly the second line, as an Executive Director within the Board of Directors promotes the debate and challenge of proposed matters, thereby allowing risk-mitigating or compliance views to be expressed at Board level. We therefore recommend that the EBA allow Heads of Internal Control Functions to serve as executive directors within unitary board structures, provided that appropriate safeguards are implemented to ensure their independence and capacity to challenge effectively. This stance complements the EBA’s view that the Heads of Internal Control Functions should have direct access to the Board of Directors to provide their views. We also view that in unitary boards, there should not be a distinction between the management body in its management function and the management body in its supervisory function for Heads of Internal Control Functions to express their views. This would create a sub-set within the Board of Directors. Rather, should sensitive matters need to be raised at the Board which should not be disclosed to the Executive Directors (EDs), the NEDs should ask the EDs to sit out the meeting.
Para. 175 (d): we agree that the remuneration of the heads of internal control functions should be overseen by NEDs. However, in unitary board structures, having all NEDs oversee such remuneration is operationally cumbersome in view of the number of committees already set up in large institutions and will create a new sub-set of the Board. We recommend that the oversight of remuneration for heads of internal control functions be delegated to the Remuneration Committee, composed of a number of NEDs, rather than requiring the involvement of all NEDs.
Par. 204: Could the EBA clarify, possibly also by means of examples, what is meant by ‘legal risk stemming from non-compliance events’? We would also appreciate that the EBA provides examples to distinguish this ‘legal risk’ from ‘compliance risk’.
Question 7: Are the changes made in Title VI (business continuity management) appropriate and sufficiently clear?
N/A.