In general, DBG welcomes the revision of the guidelines on internal governance and agrees with the proposals made by EBA to reflect the changes resulting from the publication of Directive (EU) 2019/878 (CRD V). Notwithstanding this, we see the need for selected adjustments and clarification.
In terms of scope of application (paragraph 7), we agree that the identification and reporting of all risks should be included in the institution’s governance arrangements. However, we do not agree that the governance arrangements, including their organizational structure and corresponding lines of responsibility are responsible for managing and monitoring all risks they are or might be exposed to. Credit institutions regularly conduct risk analyses to identify all risks they might be exposed to (in line with Paragraph 93). However, an essential principle of risk management is the clustering of risks according to their relevance or materiality, e.g. into material and non-material risks. Monitoring and managing of all risks, including non-material risks is contrary to the principle of proportionality. Instead, the monitoring and management of risks should correspond to the materiality of respective risk types. Therefore, we suggest amending the scope of application as following:
“These guidelines apply in relation to credit institutions’ governance arrangements, including their organisational structure and the corresponding lines of responsibility, processes to identify all risks they are or might be exposed to and manage and monitor material risks on a regular basis, and internal control framework.”
Paragraph 15 sets the application date for the revised guidelines on internal governance in line with the date of application of Regulation (EU) 2019/2033 (Investment Firm Regulation; IFR) and Directive (EU) 2019/2034 (Investment Firm Directive; IFD) to 26 June 2021. We would like to point out that paragraph 129 of the draft guidelines requires credit institutions to implement appropriate processes and procedures to comply with the requirements of Directive (EU) 2019/1937 (Whistleblower-Directive). However, the implementation in national law of the Whistleblower-Directive provides a deadline as of 17 December 2021. While we fully understand the reasoning for setting the date of application of the revised guidelines in line with the date of application of the IFD, amending CRD, compliance with paragraph 129 should not be required earlier that its national transposition into binding law. Furthermore, as credit institutions are still dealing with the consequences of the COVID-19 crisis, we recommend a uniform date of application as of 17 December 2021. In case our proposal is not followed, we recommend excluding paragraph 129 from the revised guidelines’ general date of application. Compliance with paragraph 129 shall only be required from December 2021 onwards.
Although the section on “Background and rational” (p.7-14) formally does not constitute a part of the guidelines, we would like to point to paragraph 33 ibid, which we consider too broad and prescriptive when outlining the Compliance function’s scope of responsibility. Paragraph 33 states that “the compliance function monitors compliance with legal and regulatory requirements and internal policies […]”. While we generally agree that Compliance is a crucial function for ensuring compliance with laws and regulations, it should not be responsible for compliance with all applicable laws and regulation but rather with those related to the Compliance function as such. Compliance should be responsible for ensuring adherence to internal policies that do relate to core-compliance themes as anti-bribery or corruption. Making Compliance responsible to ensure adherence to all policies is disproportionate. The responsibility for monitoring compliance with policies lies rather with the policy maker / owner. As the background section of the guidelines introduces the guidelines and sets the scope on a high level, we ask EBA to consider revising the background section respectively.
Furthermore, on the section "Background and rationale" we welcome the indication that the guidelines should be read in conjunction with further EBA publications. However, we believe that the wording "publications" is too broad. If all EBA publications, such as presentations, keynotes and discussion papers, were to be included, the scope would be excessive. A limitation by type of publication (e.g., guidelines, Q&A’s, opinions) would provide credit institutions with increased security during the implementation and reduce unnecessary implementation effort.
We welcome the fact that the EBA is addressing the prevention of money laundering and terrorist financing in this revised version and understand the particular importance of this topic. However, we understand that the requirements mentioned here are already covered by the 5th Anti-Money Laundering Directive (Directive (EU) 2015/849 as amended by Directive (EU) 2018/843; AMLD V). We would therefore welcome adding a reference to AMLD V or the respective applicable requirements to provide additional clarity.
Furthermore, we would like to comment on the amendments of the composition of committees. We can not agree on the proposed amendment (paragraph 61a) to provide the risk and nomination committees specific access to AML/CTF compliance information and data. We understand that the decision-making process of risk and nomination committees relies on a solid information and data basis. Nevertheless, AML/CTF information can be strictly confidential. This is especially true for suspicious activities reports (SARs). The extension of the paragraph to include AML/CTF information increases the risk of the prohibited dissemination of SARs (Tipping-off risk). The disclosure of SAR reports to third parties is for instance explicitly prohibited by German law (Paragraph 47 (1) of the German Money Laundering Act). To avoid any conflicting regulatory requirements, we recommend deleting the wording "including AML/CTF compliance".
If our proposal is not followed, we kindly ask the EBA to exclude SARs explicitly from the information access of the committees.
Finally, to increase consistency between point c and d of paragraph 23, we suggest adding the reference to Title V of the guidelines on internal governance and internal control framework to point c as well.
While we support consideration of ESG factors in the banking sector, we seek further clarification on the targeted implementation of paragraph 24 of the draft guidelines. Particularly, we see the need for further explanation of the definition of a sustainable business model. Together with the increasing focus on ESG risks and sustainability, also in the financial industry, the need for a clear definition is increasing as diverging interpretations might jeopardize a successful integration of sustainability aspects within a credit institution’s internal governance framework. It should be noted that the management body might not be able to set, approve and oversee the items under paragraph 23 considering a sustainable business model, without a proper definition or clear supervisory expectations related to a sustainable business model.
We generally appreciate the reference to risks, including environmental, social and governance, when considering the sustainability of the business model. Notwithstanding this, we seek further clarification on related supervisory expectations. It is not clear whether it is being expected that ESG risk shall be considered as a separate risk category or rather serve as a driver for common risk categories. With reference to publications from the national competent authority in Germany, BaFin* , and EBA** , we share the view that ESG risks are a driver of common risks categories, e.g., credit risk or operational risk. A mandatory separate assessment of ESG risk would moreover lead to difficulties in quantifying risks, as it might require artificially separating the realization of risks into different categories, i.e. in case of an evolving client default due to environmental circumstances. Such case would typically be managed as part of credit risk with environmental risk as a risk driver.
Particularly, we fail to understand what the consequences for the assessment of a sustainable business model are if the risk analysis reveals that ESG risks are not material for a credit institution- is it still possible to ensure a sustainable business model? How is the management body expected to comply with paragraph 24, if no ESG risks could be identified? To follow the aforementioned suggestions and provide clarity, we propose to amend the paragraph as follows:
“When setting, approving and overseeing the implementation of the aspects listed in paragraph 23 the management body should aim at ensuring a sustainable business model that takes into account material risks (drivers), including environmental, social and governance risk (drivers).”
Furthermore, we suggest limiting the management body’s responsibility to consider a sustainable business model to such points, where it is appropriate, i.e. to points a, b, c, k and l of paragraph 23. Considering a sustainable business model when setting, approving and overseeing e.g. a conflict of interest policy (point m) might lead to confusion and diverging interpretations without corresponding positive effects on sustainability.
Finally, we would like to point to the changed references (due to the new structure of the draft guidelines) in points k (section 8 instead of 9), l (section 9 instead of 10) and m (section 10 instead of 11) of paragraph 23.
* BaFin (2019) p.18, Merkblatt zum Umgang mit Nachhaltigkeitsrisken, retrieved under https://www.bafin.de/SharedDocs/Downloads/DE/Merkblatt/dl_mb_Nachhaltigkeitsrisiken.html
** Eley, Slavka (2020) p. 4, EBA discussion paper on ESG in risk management and supervision
Regarding the implementation of an appropriate organizational framework within a group context, paragraph 84 highlights the consideration of subsidiaries established in offshore financial centers. We are of the opinion, that particular emphasis of offshore financial centers is obsolete as it does not amend the scope of affected entities. The wording to date included all subsidiaries within the scope of prudential consolidation, irrespective of the jurisdiction they are established in.
It is unclear why highlighting subsidiaries in offshore financial centers is necessary and whether potential future requirements might focus further on subsidiaries in offshore financial centers. To get a clearer understanding of the purpose of this amendment as well as to potentially re-assess group-wide implementation of the respective arrangements and processes with particular focus on offshore financial centers as part of the revised guidelines, we would welcome a definition or list of offshore financial centers.
We fully support the explicit emphasis on non-discriminating and gender-neutral policies as included in CRD V but would welcome further clarification on related supervisory expectations.
Paragraph 98 requires credit institutions to “have policies that ensure that there is no discrimination of staff […]”. It is our understanding that credit institutions are not required to maintain dedicated policies on non-discrimination. Instead, credit institutions might want to choose that all policies are written such that they are non-discriminating in any possible regard or include a statement on non-discriminating behavior in any form.
Similarly, we understand the requirement in paragraph 99 to “implement measures that ensure equal opportunities for all genders” such that primarily any kind of discrimination based on gender must be prevented, i.e. through the implementation of non-discriminating policies, structures and arrangements. Notwithstanding this, paragraph 99 requires credit institutions to “improve the representation of the underrepresented gender in management positions.”, which rather seems to indicate that credit institutions shall implement measures to actively strive for a more balanced gender composition of management positions.
Within this particular context, we would welcome further clarification on when a gender shall be considered “underrepresented”, what the term “representation” refers to and what positions shall be considered “management positions”.
While we fully support equal opportunities across genders, it is our view, that measures to improve the representation of the underrepresented gender shall always be in line with any other regulatory requirements, particularly requirements related to the suitability of the management. We ask EBA to consider including such specification in paragraph 99 to avoid potentially conflicting requirements.
We would moreover like to highlight, that the requirements as outlined in paragraphs 98 and 99 of the draft guidelines go beyond the respective requirements of CRD V, which focus on gender – neutral remuneration policies but do not touch upon the composition of management positions. The additional requirements, although potentially paving the way to more balanced gender compositions, might lead to misinterpretations not leading to the desired results. We therefore ask EBA to generally reconsider broadening the scope of concrete application of gender neutrality (compared to the respective requirements in CRD V) to management positions’ compositions for the time being. Alternatively, we would expect EBA to provide further clarification on the points mentioned above.
In addition to our comments outlined above, we would like to express our disagreement with a particular change in paragraph 92. Following the amendment to paragraph 92, a risk culture shall be “righteous” in addition to sound and consistent. Although we assume that EBA is aiming to foster an integral risk culture across the credit institution, we object the term “righteous” in this context, as it comprises judgemental elements that might not fit to a culture but rather to preventive and corrective structures and processes. We therefore ask EBA kindly to reassess the changes made to paragraph 92 of the draft guidelines.
Already as of today, the code of conduct shall contain principles and examples on acceptable and unacceptable behavior. This includes particularly potential fraudulent actions. Generally, we consider tax offences through illicit dividend schemes as being one potential form of fraudulent actions, which have gained increasing attention due to recent incidents.
The code of conduct is typically maintained by Compliance as the responsible function to prevent fraudulent behavior, while tax issues, including offences, typically lay with a dedicated function, namely Tax. It is our understanding, that preventing illicit dividend arbitrage schemes would be a joint effort of primarily Compliance and Tax. We would welcome further clarification on to what extent EBA sees the responsibility to prevent tax offences, including illicit dividend arbitrage schemes, with Compliance and whether the prevention of tax offences should be considered as a dedicated category along with existing anti-fraud and anti-money-laundering measures.
We generally consider the inclusion of changes to CRD regarding loans and other transactions with the management board as sufficiently clear and appropriate expect for two points.
Point g of paragraph 112 introduces a documentation obligation for loans above an absolute threshold of EUR 200.000 which does not seem to correspond to the principle of proportionality. Instead of referring to an absolute value, we would recommend considering adjusting the threshold to relative values, e.g. in relation to the ratios requested under lit. i) and ii) of point g of paragraph 112.
Regarding paragraph 115, it is our understanding that the requirement to “make available annually” appropriate aggregated information on loans and other transactions with members of the management board is met by providing the respective information on respective shareholders’ request. Should EBA’s understanding be different, we kindly ask to provide further clarification on this point.