Response to consultation on draft Guidelines on internal governance arrangements for issuers of ARTs under MiCAR

Question 1: Is the background section providing the needed context with regard to the mandate to issue GL on internal Governance under MiCAR?

The background section provides the necessary context under MiCA.

Question 2: Is the subject matter, scope, and definitions section appropriate and sufficiently clear?

These sections are well-defined, offering a clear framework. However, more clarity might prove to be beneficial for the better implementation of the Guidelines, for example, regarding operational resilience, which is currently defined vaguely as the ability of an issuer of ARTs to deliver critical or important functions through disruption.

Question 3: Is the Title on proportionality appropriate and sufficiently clear?

It would be beneficial if the guidelines could offer more concrete examples or criteria for applying proportionality in diverse scenarios.

Question 4: Are the provisions in Title II regarding the management body appropriate and sufficiently clear?

These provisions seem generally clear and appropriate. Our members, however, expressed concern regarding the definition of the “management body in its supervisory function” as it is unclear whether this encompasses both the supervisory function of the management body and the potentially existing functions of a separate supervisory body. Some companies may adhere to a two-tier system where the management body and supervisory board are separated.

Bearing this in mind, we kindly ask the regulator to clarify whether such a “management body” also encompasses a “supervisory board” or if the regulator wishes to make a distinction.

Question 5: Are the provisions in Title III regarding the governance framework appropriate and sufficiently clear?

These provisions seem clear. However, additional and more concrete guidance on implementing these frameworks would be needed to improve the understanding of the practical implementation. We suggest further clarification of the requirement described in point 40: Issuers of ART should document their decisions and be able to justify their choices to competent authorities. In particular, it should be clarified what type of decisions is meant; we consider that the requirement needs to be more precise and narrowed so as not to unjustly affect the management body's fundamental right to manage the company.

Concerning the organisational framework in a group context, we suggest applying the principle of proportionality. A unified organisational framework makes sense where the business of the group is of such a nature; however, where the business of the subsidiaries is of a different nature or industry, its application might not make sense, and this should be evaluated within the risk assessment. In any case, the application of the requirements at group level should be based on the nature of the business of the other group members rather than being automatic, and in all cases should again follow the principle of proportionality.

Question 6: Are the provisions in Title IV – Risk culture and business conduct appropriate and sufficiently clear?

We also suggest adopting international good industry standards, such as ISO 9001 Quality Management System, ISO 37301 Compliance Management Systems, etc. Such standards include risk and process-based approaches and are helpful tools for a company to embed the best standards, similar to DORA. Furthermore, the standards have internal audit requirements that significantly contribute to implementing internal control functions.

Question 7: Are the provisions in Title V – Internal control framework and mechanisms appropriate and sufficiently clear?

The provisions are clear and mostly appropriate. However, the guidelines could offer more nuanced approaches for different scales of operations, particularly regarding SMEs acting as ART issuers.

Adding the following wording might prove beneficial: "For SMEs, internal control frameworks should be scalable and adaptable, reflecting smaller issuers' unique challenges and resource limitations. This may include simplified risk assessment procedures, tailored internal control mechanisms, and more flexible reporting requirements. Additionally, guidelines could recommend specific tools or methodologies suitable for SMEs to efficiently implement these frameworks without compromising the effectiveness of risk management."

Further, we suggest clarifying whether the control function is required to be a stand-alone function, acting as or in parallel with internal audit (if existent), or whether it can be managed within managerial functions, as part of their responsibility to supervise compliance, and through processes that provide for a different set of checks. We suggest providing a descriptive definition of the control function and its relationship with internal audit.

Question 8: Are the provisions in Title VI – Business continuity management appropriate and sufficiently clear?

These provisions are clear and appropriate.

Question 9: Are the provisions in Title VII – Transparency appropriate and sufficiently clear?

These provisions are clear and appropriate.

Name of the organization

European Crypto Initiative (EUCI)