Response to consultation on Guidelines on internal governance (revised)


Question 1: Are the guidelines regarding the subject matter, scope, definitions and implementation appropriate and sufficiently clear?

For the avoidance of any divergent interpretation it is necessary to add a definition for “Chief Risk Officer” to the list of definitions.

Question 2: Are there any conflicts between the responsibilities assigned by national company law to a specific function of the management body and the responsibilities assigned by the Guidelines, in particular within paragraph 23, to either the management or supervisory function?

Section 2: Supervisory function of the management body
According to the last sentence of para. 23 the management body in its supervisory function should “ensure” the integrity of financial information and reporting. While it is questionable what exactly is intended by the term “ensure”, it could be interpreted as the supervisory function exercising a more active role than would be allowed by law. For example, the Austrian Banking Act (§ 63a para. 4) requires the Audit Committee of the Supervisory Board to “evaluate” the independence of the external auditor as well as the annual financial statements and to “supervise” the accounting process, the effectiveness of the internal control system, internal audit and risk management as well as the audit of the financial statements. In our view, “evaluate” and “supervise” are not necessarily the same as “ensure”, and we suggest aligning the wording so that it is in line with the applicable legal provisions.

Section 3: Role of the chair of the management body
The entire Section 3 is ambiguous as to its application. In particular, all paragraphs of Section 3 other than para. 27 simply mention the chair, without any indication as to whether this applies to the management body in its management or supervisory function (or both). This should be clarified.

In addition, para. 29 only applies to one-tier board structures (in two-tier boards, the allocation of responsibilities between executive and non-executive members results from the board structure with Management Board and Supervisory Board). This should be made clear in the text.

Question 3: Are the guidelines in Title I regarding the role of the management body appropriate and sufficiently clear?

Section 5.2. Composition of committees

According to para 42 of the Guidelines on internal governance the specialised committees should be composed of a sufficient number of independent members to be able to ensure that they can perform their duties in an effective manner. In particular, the risk committee should include a majority of members who are independent.

On the basis of the too far-reaching definition of independence (in most subsidiaries, supervisory boards are by now composed in such a way that literally no member would be independent if the criteria of para 124 were applied), members are inappropriately forced to leave certain committees of the institution. Furthermore, the controlling shareholder would have no possibility to exercise its influence properly in this important committee.

In addition, the members of the risk committee in particular should rather be “insiders”, fully acquainted with the business activities, risks and the specific situation of the institution/the group, in order to ensure full compliance with the strict regulatory requirements. It would cause significant practical problems to find “external” persons who have the appropriate insight, knowledge and experience to fulfil the duties of committee members. Therefore, the requirement of a majority of independent members in the risk committee has to be cancelled.

Furthermore, in this context institutions should also be given the possibility to prove the independence of a member and/or to take mitigating measures to resolve conflicts of interest.

This should be clarified by inserting the following last three sentences in para 42 of the Guidelines on internal governance:

“42. The risk and nomination committees should be composed of members of the management body in its supervisory function who do not perform executive functions in the institution concerned. Further, the specialised committees should be composed of a sufficient number of independent members to be able to ensure that they can perform their duties in an effective manner. In particular, the risk committee should include a majority of members who are independent. Where there are not a sufficient number of qualified independent members, institutions should implement other measures to limit conflicts of interest in decisions related to risk management and nomination. Where the member is not considered independent, the institutions can prove the independence of a member and/or decide on measures to mitigate possible conflicts of interests so that the member is independent afterwards. For example, the member should abstain from voting on any matter where a conflict of interest exists. This process and decisions should be documented.”

According to para 44 of the Guidelines on internal governance each committee should have a chair who is an independent member of the management body in its supervisory function. However, this independence requirement of the EBA/ESMA with regards to the chair of a committee goes far beyond the corporate governance principles for banks of the Basel Committee.

Apart from that when taking into account international governance principles (see para 23) the EBA/ESMA has to bear in mind that the regulatory framework of the BCBS and the FSB is provided for global systemically important banks (G-SIBs) and not for small and medium-sized banks. It is not appropriate to copy the regulatory concept that is designed for G-SIBs one to one also for small banks.

Pursuant to para 68 and 71 of the BCBS principles, only the audit committee and the risk committee should have a chair who is independent and who is not the chair of the board or of any other specialised committee. This requirement does not apply to the chair of the compensation committee or of other specialised committees such as the nomination or human resources committee (see para 76 and 77).

Besides the BCBS principles, requiring an independent chair for every committee (see para 67) goes too far: there is actually no reason at all why, for example, a representative of the controlling shareholder should not be the chair of the compensation committee. The interests of the shareholders are completely in line with the interests of the institution when questions of remuneration are discussed. As provided for in Directive 2006/43/EC, only independence from the institution (and from the members of the executive board) is needed for that chair, not independence from a controlling shareholder.

Section 5.4. Role of the risk committee

Referring to para. 47 g we would like to point out that the requirement to “examine the alignment of all financial products and services offered to clients and the business model as well as the risk strategy” is impractical, as the risk committee will not review each product individually. Rather, the risk committee should review the policies and procedures in place to ensure that products and services are aligned to business and risk strategies as well as the risk appetite (e.g. the new product approval policies) and satisfy itself that these policies consider all relevant aspects, are implemented throughout the organisation and function as intended (e.g. through a review of internal audit reports and supervisory examination reports related to the implementation of the policies). The risks associated with the offered products as well as the alignment of prices and profits can again not be examined at the granular level of each individual product. Rather, the risk committee should receive aggregate analytic information providing it with the necessary detail to decide whether the required alignment is in fact in place.

Section 6.2. Know-your-structure
Para. 60 requires in its last sentence the management body to “ensure … that the institutions within the group comply with all supervisory reporting requirements”. Firstly, we have the same reservations as to the use of the wording “ensure” as already outlined in our comment on para. 23 above. Thus, the wording needs to be reviewed and amended as appropriate. More important, however, is the fact that in our view it is rather the responsibility of the local management bodies of the subsidiaries within the group to ensure that supervisory reporting requirements are met. The management body of the consolidating institution is in our opinion responsible for supervising whether adequate internal controls and sign-off procedures are implemented in its subsidiaries.

Role of the management body (Sections 2, 3 and 5.5)
We would appreciate further clarifications regarding issues and/or terms that are discussed in the following paragraphs:
• 28, 31 and 32: Definition of the term “strategy” (e.g. “strategic issues”). It needs to be clarified whether it can be understood as defined in para 33 as business activities, risk management/risks taken, etc., or whether other issues should be incorporated in the meeting agenda.
• 24 i: Clarification of the term “audit plan”, which has been made the subject of implementation monitoring. A further specification of whether the internal audit or the statutory auditor is meant is needed.
• 24, 50a: The scope of “monitoring of effectiveness of internal control, risk management and internal audit”. It needs to be clarified whether it is limited to financial reporting.
• 24, 50h: The scope of the audit reports review. It needs to be specified which reports (statutory auditor or also internal audit) are meant.

Question 4: Are the guidelines in Title II regarding the internal governance policy, risk culture and business conduct appropriate and sufficiently clear?

Section 7: Internal governance policy
Para. 70 requires the implementation of a governance policy establishing “a clear organisational and operational structure with well-defined, transparent and consistent lines of responsibility”. Annex I further establishes the aspects to be taken into account when developing the internal governance policy. Most of these aspects are already implemented and laid down in the internal regulations and policies of the institutions. For example, the composition and functioning of the management body and of the specialised committees of the management body in its supervisory function are already laid down in the Articles of Association and the Internal Rules of the committees. Aspects regarding key function holders are laid down in the Suitability Policy. The internal control framework is set out in the internal regulations and policies of the internal control divisions (Audit, Compliance, Risk Management). We therefore do not consider it necessary to establish an internal governance policy covering all the aspects mentioned in Annex I. We believe it would make more sense to require the institutions to adapt their existing policies and regulations to the new aspects of the Internal Governance Draft Guidelines.

Section 8: governance policy in a group context
According to para 75 to 79, all subsidiaries within the scope of prudential consolidation, including those not subject to CRD IV, should implement such governance arrangements, processes and mechanisms. Article 74 (1) CRD IV requires robust governance arrangements, including remuneration policies and practices that promote sound and effective risk management; but the application at subsidiary and group level is only explicitly required with respect to remuneration policies (see Article 92 (1) CRD IV).
The requirement of a group-wide governance policy, including the application of the governance rules in all subsidiaries of the group (i.e. including non-credit institutions), would result in an inappropriate administrative, documentation and cost burden, in particular in complex groups with many subsidiaries. This would result in unnecessary documentation, reporting and monitoring efforts and could further result in competitive disadvantages for EU banking groups. Based on the proportionality principle, the application of the governance rules should at least be limited to “material subsidiaries” from a group risk perspective.

Section 9.3: Conflicts of interest
Paragraph 89 stipulates the requirement of a regular review of the implementation of and compliance with the ethical and professional standards, without clarifying by which department the review has to be performed. We therefore believe that the allocation of this responsibility has to be made by the institution itself.
Para. 95 requires institutions to issue a statement in the case of any identified conflict of interest. The Austrian legal framework (the Stock Corporation Act and the Corporate Governance Code, but also the Banking Act) contains clear and sufficient provisions for dealing with conflicts of interest at the level of the management body (e.g. voting abstention of the member concerned, disclosure requirements). We do not see the necessity of any additional legal requirements in this regard.
Section 11: Outsourcing policy
We would appreciate further clarification of the criteria used for the application of the principle of proportionality described in para. 112a.
According to the Guidelines, both “the balance sheet total” and “the quantity of assets” are considered as one criterion of size in the evaluation of proportionality. A further description is therefore required, especially with regard to the balance sheet total and off-balance-sheet business.

Question 5: Are the guidelines in Title III regarding the principle of proportionality appropriate and sufficiently clear?

It should be clarified that the principle of proportionality should be considered in terms of quality and quantity. We believe that for the avoidance of doubt it could be helpful to add a non-exhaustive list of internal governance related issues which could be subject to the principle of proportionality.

Question 6: Are the guidelines in Title IV regarding the internal control framework appropriate and sufficiently clear?

Section 12.2: Head of internal control functions

In para. 122 the term “accountable to” is used several times when describing the hierarchical level of the heads of internal control functions. We would appreciate a further specification of the scope of its use, especially the difference between internal audit and the other control functions.
Section 14: New product and significant changes
Para. 144 makes reference to the compliance function ensuring internal compliance with policies. We do not believe that this is the responsibility of compliance but rather of internal audit. The compliance function is responsible for ensuring compliance with all applicable laws and regulations (as set out in para. 181) and as such has a role in the product approval process, alongside risk management, which has to ensure that all risks related to the products are appropriately addressed. Compliance with internal policies, however, is a core responsibility of the internal audit function, which has to ensure that all required parties performed their duties during the product approval process, i.e. it also has to ensure that compliance undertook the relevant checks with respect to applicable laws and regulations.

Moreover, the following amendment in paragraph 144 second sentence should be made:

“They should, on an annual basis, check that the policies remain appropriate…...”

Further, we would like to mention that para. 145 seems to mix different concepts. The specific procedures for assessing compliance with policies should be part of the duties of internal audit. The assessment and approval by compliance needs to be part of the product approval process as set out under the previous comment. Para. 145 should be amended to clearly differentiate between these two aspects.

Additionally, the wording in paragraph 145, second sentence should be changed as follows:
“This should include a systematic prior assessment by the compliance function and a written approval from the head of compliance…..”.

This proposed amendment aims at reducing any unnecessary burden which could result from the currently chosen wording. While “opinion” could be interpreted as a detailed statement, the word “approval” would underline that a simple written statement is sufficient in terms of this requirement.

Section 15.1.1: RMF's role in risk strategy and decisions
With regard to para. 156 it is unclear how the RMF would “test” the robustness and sustainability of the risk strategy and risk appetite. Additional guidance should be provided to clarify this requirement.

Cost-benefit analysis (accompanying documents)
A group-wide implementation at the level of each subsidiary (see our remarks on para 75 to 79) would result in a high administrative burden with a potentially significant cost impact (additional staff costs).

Name of organisation

Austrian Economic Chamber, Division Bank and Insurance