The draft guidelines define responsibilities and tasks for dedicated functions. Beside the management body as a whole, in its supervisory or executive function, this is true especially for the three control functions and their heads (Compliance, Internal Audit and Risk Management [including the Chief Risk Officer]). In addition, the CEO and the CFO are named. We have concerns related to the inclusion of the latter two and in particular with the CFO function in the draft guidelines. As paragraph 11 of the draft guidelines states, the usage of the two roles is not intended to introduce them but for functional aspects only.
CRD IV and its national implementation foresee a clear responsibility for the management body in its entirety, i.e. the board as a whole (partially being broken down to the executive or supervisory function respectively). Irrespective of this, we assume that the role of a Chairman of the Board is implemented in all EU jurisdictions. However, the function of a “chief executive officer” or “CEO” is not mandatory or at least not recognised (in full) for regulatory purposes in order to secure an “equal rights” approach for the management body in its executive function. Despite the fact, that Article 88 paragraph 1 lit. e CRD IV clearly mentions the “function of the chief executive officer”, the role as such is not defined or described for regulatory purposes.
We appreciate the EBA approach to define the CEO and CFO function as a good step. However, we disagree to the definition of the CEO and we fail to understand the definition of the CFO and the need to introduce a CFO function in the context of the proposed guideline.
A CEO role in a 2-tier structure is usually the role as chairman of the management board and as such responsible to coordinate the work of the management board and the dialogue with the supervisory board. According to the common responsibility of the board as a whole, he is however not “providing steer to the manage the overall business activities”. This in our view is too strong for the role of a CEO in a 2-tier structure. On the other hand, this may be true in a 1-tier structure. Overall, the details of the role are irrelevant for the purpose of the guideline and we propose to frame the role as follows “means the person who is chairing the management body in its executive function or who is acting as the responsible person to coordinate the work of the persons who effectively direct the business of an institution.”
The tasks described for a CFO in case not being under the responsibility of one or more dedicated members of the management body in its executive function may be under the responsibility of one or more senior managers. There is no clear definition of a “CFO” in the regulatory legislative framework to our best knowledge. Furthermore, it is unclear to us why the artificial function of one “CFO” is addressed while there is no clear role of the function defined and it is specifically stated in paragraph 11 of the draft guidelines that no need to appoint a CFO is intended to be introduced. Like for a CFO, also the function of the Chief Treasurer, the Head of the “Human Resources Function”, or other functional positons holders with a high likelihood to be a risk taker or key function holder could be named. We cannot see any reason for a dedicated treatment of a vague defined function. On top of that we also as-sume that the CFO function to a large degree will reside within the management body in its executive function anyway. As such, we clearly propose not to define rules on a theoretical function (as the CFO) without also clearly defining the roles and responsibilities assumed for such a function. As we currently do not see the need to define dedicated tasks, roles and responsibilities of a CFO-function, we clearly favour to take out any reference to the CFO in the proposed guidelines.
Having said this and in case our proposal is not followed, we fail to understand why “record-keeping” is listed as a dedicated task of the CFO and what exactly is meant by this in the given context.
Beside our general concern, mentioned within the “General comments”, according to the aspect that the treatment of the 2-tier structure is not fully taken into account, we have some further comments. Our comments below are to a certain extent also valid within a 1-tier structure.
In a 2-tier structure the supervisory board (the management body in its supervisory function) is not responsible for day-to-day management and therefore in general not responsible to “ensure” certain things but rather to oversee or moni-tor the company and the activities of the executive board (the management body in its executive function) for validation of compliance with the identified needs. The management body in its supervisory function is therefore more in the role of a “sounding board” and consequently commonly known as the “supervisory board”.
This is in particular true for ensuring the integrity of the financial information and reporting. Therefore, we see a need to avoid to some degree the term “ensure” in the context of the duties of the management body in its supervisory function. Consequently, the last sentence within paragraph 23 of the draft guideline should be rephrased like follows:
“The management body in its supervisory function should also monitor and oversee the integrity of the financial information and reporting, and internal control framework, including effective and sound risk management.”
Similarly, this applies to paragraph 24 (g) and (h) of the draft guidelines where “ensure” should be replaced by the wording “monitor and oversee”. In the same vain also EBA should adjust the wording of paragraph 46 (d) of the draft guidelines.
The requirements of paragraph 34 of the draft guidelines target on “significant” institutions regardless of the size of the management body in its supervisory function and requirements of corporate law. E.g., the German Stock Corporation Act requires a supervisory board consisting of at least three members. There is no direct relationship between the size of the supervisory board and the “significance” which would lead to a mandatory higher size of the supervisory board. Moreover, under the German Stock Corporation Act committees of the supervisory board may only have members which are members of the supervisory board itself (this does not prevent external experts being guests or advisors) and the committees must be made up of at least three persons.
Consequently, in case a “significant” institution has a supervisory board of exactly three members and is forced to set up a committee, this would consist of all members of the supervisory board. This does not seem appropriate. As such, the guidelines should take up the possibility for significant institutions – potentially subject to approval of the competent authority – not to set up the required committees in case
(1) the size of the total board is limited and
a. there would be an identity with the full management body in its supervisory function or
b. a substantial portion of the members of the management body in its supervisory function would be required by law to be members of the majority or even all of the committees.
In such cases, in addition to the general requirement for the management body in its supervisory function as a whole of being responsible to deal with the matters otherwise being delegated to the committees, it should potentially be requested to include the topics to the ordinary agenda of the regular board meetings and devote a substantial amount of time to the matters concerned.
The implementation of a committee consisting by national law of all members of the management body in its supervisory function should not be mandatory irrespective of the significance of the institution.
The wording of paragraph 47 of the draft guidelines creates some doubts whether or not the tasks listed are really in scope of the management body in its supervisory function or are not only in the responsibility of the management body in its executive function. In order to avoid possible misinterpretations, we propose to rephrase the introductory part of paragraph 47 as follows:
“Where established, the risk committee should, within the scope of the management body in its supervisory function:”
We agree in principle to the proposal on the internal governance policy as laid out in chapter 7 of the draft guidelines. However, in our view paragraph 73 of the draft guidelines is too prescriptive in requiring a periodical review by the management body in its supervisory function of the design, implementation and effectiveness of the governance policy taking into account the recommendation from the relevant internal committees or the internal audit function. Therefore, DBG asks to delete this requirement.
Moreover, policies are only general guidelines, which set up the framework for any implementation measure. Hence, the outsourcing policy can only set risk considerations and overall risk appetite and other general risk guidelines. The policy cannot consider the impact of any given (specific) outsourcing on the risk of the company. As such, in our view, the first sentence of paragraph 107 is going beyond the content of a policy. Therefore, we propose to rephrase the sentence as follows:
“The outsourcing policy should set the appropriate guidelines for the consideration of the impact of outsourcing on an institutions’ business and the risks it faces (such as operational, reputational and concentration risk).”
No specific comment.
The head of the internal audit function in general is accountable to the man-agement body. However, according to national law this may be either the man-agement body in its executive or in its non-executive function. The mandatory accountability to the management body in its supervisory function as proposed in paragraph 122 of the draft guidelines therefore cannot be accepted. At least it should be put under a condition like “as far as allowed under national law”. Similarly, we have doubts that the direct access of the RMF to the management body in its supervisory functions and to the committees as outlined in paragraph 150 of the draft guidelines is compatible with national law in all cases and espe-cially in a 2-tier structure. Again, at least a reference to the limitations of national law should be made. The same holds true related to the communication of the management body in its supervisory function and the head of the risk manage-ment function as requested by paragraph 174 of the draft guidelines and related to the Compliance Officer or Head of Compliance in paragraph 175 of the draft guidelines.
We strongly disagree to the magnitude of the proposed rights of the head of risk management in regards to challenging decisions taken by the management body as proposed in paragraph 173 of the draft guidelines. The management body in its executive function is ultimately responsible for the management of the company and it is liable towards shareholders and competent authorities. As such, a veto right of a senior manager not being part of the management body or a single member of the management body in its executive function does not seem to be appropriate. Especially with regard to situations where the Chief Risk Officer is not part of the management body this is most likely in conflict with national law. We even doubt that a dedicated veto in this regard for a CRO being part of the management body is a suitable approach. The EBA may consider other approaches to strengthen the role of the CRO in this regard, e.g. the possibility to require an adequate involvement of the management board in its supervisory function in such case. However, EBA should keep in mind that es-pecially with regards to risk decisions there may be not much time to extend the decision process on the timeline and as such, any additional step considered should be carefully weighted out against the additional risk it creates as such and should also be made under the caveat that this is allowed under national law. As this is a very strong change, we furthermore express our concerns that such strong change can be introduced by an EBA guideline but rather recommend to make this a level 1 consideration and take it out of the guidelines.
Finally, the requirement in paragraph 178 of the draft guidelines seems to be too prescriptive. In our view, it is in general and especially in most 2-tier structures not the management body in its supervisory function who should oversee the implementation of a well-documented compliance policy, which should be communicated to all staff. This is more a day-to-day business and as such rather under the responsibility of the management board in its executive function.
We consider the listed topics of the publication of the annually description of the legal structure and governance and organisational structure of the group of institutions within paragraph 202 of the draft guidelines as overshooting. Especially the required overview on outsourcing seems to be excessive. In general, we see the risk with the exhaustive list of items to be published to disclose key ele-ments of business success with the risk of disclosing items which would in gen-eral be deemed as business secrecy and therefore disagree to the disclosures on outsourcing (point d), and also in essence on close links (point e). Furthermore, the requirement under point (a) to disclose an overview of the organisation also seems to be burdensome and not really adding value. Finally, there are already disclosure requirements under the accounting framework and the disclosure requirements should only be requested in case it goes beyond what is needed to be published with the annual accounts anyway.