Response to consultation on revised Guidelines on internal governance under CRD


Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

Yes

Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?

Yes

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

Yes

Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?

Yes

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

Yes

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

Regarding the implied definition of compliance risk.

In paragraph 206 it is described that the compliance function manages legal risk stemming from non-compliance events. This is a clarification of compliance risk as I understand it, and is also more aligned with the definition of legal risk (a subset of operational risk) in CRR III, meaning the risk of loss which an institution might incur as a consequence of events that result in legal proceedings, including i.e. supervisory actions, non-compliance with any requirement derived from national or international statutory or legislative provisions.

As I understand it, compliance risk is defined as a subset of legal risk, but more importantly, the non-compliance event is the trigger of compliance risk (it triggers legal risk = risk of loss). Therefore, a regulatory breach, for example (a non-compliance event), can be the trigger of compliance risk, with the impact being the eventual loss that can result from it (meaning that the materialization of a compliance risk is not a breach but the resulting loss from it, for example due to damage to customers or enforcement actions). Is this a correct interpretation? If not, how shall the delineation between a breach and a compliance/legal risk occur? Observe the difference between a breach and an incident, as not all breaches may be considered to be incidents (for example, known compliance deficiencies to be remedied over time).

In any case, it would be helpful to have clarity on what a non-compliance event means in this context.


Name of the organization

TF Bank