EBA Amends Guidelines on Internal Governance
SÉRVULO PUBLICATIONS 28 Dec 2016
The European Banking Authority (hereinafter “EBA”) issued a Consultation Paper on the Amendment of the Guidelines on Internal Governance, dated 28 October 2016, setting out measures aiming to bolster a sounder risk culture within credit institutions and investment firms.
The Guidelines focus on the role of the management body and envisage a more effective oversight and robust risk management framework. The Consultation Paper delves into institutions’ offshore activities and introduces measures instrumental to transparency.
The Guidelines are supplemental to the Capital Requirements Directive IV and underline the importance of understanding the risks inherent to complex organizational structures, of having independent internal control functions, of imposing strong product approval policies and procedures and of safeguarding against risks within change processes.
They entail rules providing for the composition and role of committees, determining that their members must be independent and individually and collectively qualified with regard to risk management control practices as well as audit processes and practices, in the case of the audit committee.
With regard to the supervision of complex structures, the management body of consolidated institutions ought to possess a greater understanding of the group’s specific operational risks and intra-group exposures as well as how the group’s funding, capital, liquidity and risk profiles may be influenced in different scenarios.
Credit institutions and investment firms are advised to avoid complex and potentially non-transparent structures. Where they do decide to set up one, they ought to conduct a risk assessment prior to the creation of a new legal entity in another jurisdiction. Said risk assessment should take into consideration whether the second jurisdiction observes international standards on tax transparency, money laundering and terrorism, whether the new structure will entail an obvious economic and lawful purpose, whether it could be used to hide the identity of the ultimate beneficial owner and whether it prevents effective management oversight on the part of the institution’s management body as well as competent authorities.
The Guidelines also place the risks inherent to the new entity, notably, reputational risks, as well as the suitability of internal control functions on the shoulders of the management body. Notably, the management body is held accountable for assessing the potential impact of M&A and other complex transactions on the group’s overall risk profile.
Concerning the risk culture, the EBA Guidelines allocate the responsibility for establishing and monitoring said culture to the management body. Additional notes have been introduced detailing acceptable and unacceptable behaviours, and listing corporate values, ethical standards and expectations which should underlie the firm’s activity and code of conduct.
Moreover, risk undertaking should fall within the firm’s strategy and risk framework, remain within the limits established and be subject to control in its decision-making. The management body ought to develop a scheme suitable for identifying, assessing and managing potential risks stemming from new business areas and changes in existing products, procedures and systems.
The Guidelines further elaborate on the degree of group oversight and control over subsidiaries. They require that, where business activities are organized in a group, there ought to be schemes able to guarantee that the group’s internal governance policies are applied uniformly across the group and that the subsidiaries are compliant with the rules of the jurisdiction in which they are located. Additionally, the management body should ensure the existence of adequate governance mechanisms in each of the subsidiaries.
The Guidelines also account for the documentation of processes, notably, regarding certain policies, risk strategic decisions and whistle blowing. This may mean that firms will have to review their current internal procedures in order to comply with documentation obligations. For example, with regard to the creation of subsidiaries, institutions should document their decision and be able to justify it before the competent authorities.
Furthermore, the principle of proportionality is the cornerstone of the Guidelines and is ancillary to the list of criteria regarding size of the balance sheet, geographical presence, legal form, underlying business model, risk appetite, ownership and funding apparatus, client base, resort to outsourcing, IT systems etc.
Good governance practices concerning outsourcing are also tackled. The outsourcing policy should take into consideration the impact on the firm’s business and the risks it entails as well as provide for monitoring schemes. The Guidelines point out the fact that the outsourcing policy does not relieve the firm from its regulatory obligations.
The Guidelines also devote a chapter to conflicts of interest, focusing on the management body’s ability to identify, handle and document such situations. A duly approved written policy should identify the relationships, services, activities or transactions of an institution in which conflicts of interest may arise. It should also state the procedure for managing said conflicts. In addition, said policy should encompass the relationship between the firm and its qualifying shareholders, members of the management body, staff, business partners, other related parties and persons closely linked to any of the above.
Moreover, firms should account for internal alert procedures for the sake of reporting breaches in regulatory requirements to competent authorities. They may also have whistle blowing arrangements which allow for managing the information anonymously and should have an active role in preventing retaliation or other types of unfair treatment.
The consultation on the Amendment of the Guidelines will close on 28.01.2017 and it is expected that the final document will be implemented by mid-2017.