New European Guidelines for Internal Governance
Sarah Jane Leake | Bloomberg Law
The Capital Requirements Directive1 requires all credit institutions to have robust governance arrangements in place, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administrative and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management.2
In the midst of the financial crisis, however, a number of weaknesses in banks’ internal governance systems emerged.
A survey3 conducted in 2009 by the Committee of European Banking Supervisors (CEBS)4 on the implementation by supervisory authorities and institutions of its Internal Governance Guidelines5 (CEBS’ Guidelines) revealed that, while the regulatory and supervisory national frameworks for governance were broadly complete, they had been implemented in a fragmented fashion.
As to corporate structure and organisation, CEBS found that institutions’ structural and organisational complexity is rarely counterbalanced sufficiently by appropriate internal governance arrangements. Further, the corporate structure is usually neither transparent nor organised in a manner that promotes effective and prudent management.
The survey also revealed that the management body,6 acting in its supervisory capacity, provides unsatisfactory oversight. In CEBS’ view, the management body, in both its management and supervisory function, usually does not understand the full complexity of the business and the risks that the company faces. As a result, it fails to correctly identify and constrain excessive risk-taking. CEBS attributes this particular failing to the time constraints indirectly imposed on members of the management body.
CEBS also found that risk management and internal control frameworks are usually insufficiently integrated. In many cases, methodology and terminology are inconsistently applied, making it impossible to take a holistic view on all risks facing the company. Further, control functions were found to be lacking in terms of appropriate standing and sufficient resource, status, expertise, etc.
All of these problems, opines CEBS, have been caused by institutions insufficiently implementing existing guidelines.
Consolidation & Revision
CEBS has already addressed the more serious problems arising out of the financial crisis through its High Level Principles for Remuneration Policies published in 2009, and in its High Level Principles on Risk Management published in 2010 (together, the HLPs). However, in view of the long-standing problems identified by the 2009 survey, and to acknowledge recent work undertaken by other European and international bodies on corporate governance (in particular, the Basel Committee on Banking Supervision (BCBS)), CEBS last year decided to consolidate and update its guidelines on internal governance.
Last winter, CEBS published a proposed draft7 of the revised guidelines for public consultation. Generally, respondents were in favour of CEBS’ proposals, in particular the use of proportionality. In their view, a key issue during the crisis was not a lack of governance rules, but rather a lack of effective implementation of these rules, driven primarily by the inability to apply them on a proportionate basis.
On 27 September 2011, the EBA published the final version of the Internal Governance Guidelines (EBA Guidelines), organised into six sections (see below). CEBS’ Guidelines have been reviewed, updated, and merged with the HLPs into a new Guidebook. As a consequence, they, together with the HLPs, have been repealed.
Besides a number of minor enhancements, new chapters have been added regarding the transparency of the corporate structure, IT and business continuity management, and the role, tasks, and responsibilities of the supervisory function.
As the guidance is focused solely on internal governance, it excludes other aspects of corporate governance, such as the roles of external auditors and other stakeholders.
Three Lines of Defence
The EBA Guidelines are consistent with the “three lines of defence” model.
Under the first line of defence, an institution should establish and maintain effective processes to identify, review, mitigate and report on risks (i.e. risk management).
As a second line of defence, an institution should have an appropriate internal control framework in place to develop and maintain systems that ensure: efficient and effective operations; adequate risk control; prudent conduct of business; reliable reporting of financial and non-financial information; and compliance with all relevant legal and regulatory requirements.
The third, and final, line of defence relies on internal audit, which provides an independent audit on the first two lines of defence.
Areas of Internal Governance
— Corporate Structure & Organisation
This section discusses the concept of checks and balances in group structures in more detail. It also introduces a “know-your-structure” principle in order to remedy some of the weaknesses identified involving complex structures that are typically not properly understood or counterbalanced.
— Management Body
The EBA has enhanced this section by introducing a number of guidelines on the composition, appointment and succession, and qualifications of the management body. Particular emphasis is placed on the use of committees and conflicts management.
Lack of oversight was identified as a key failing during the crisis. To address this problem, the EBA Guidelines seek to ensure that members of the management body devote sufficient time to their role, which has also been enhanced. For the sake of completeness, the EBA Guidelines explicitly discuss the responsibilities of the management body regarding risk outsourcing and remuneration policies.
— Risk Management
The third chapter contains large parts of CEBS’ High Level Principles on Risk Management (i.e., on governance and risk culture, risk models and integration of risk management areas, and new product approval policy and process).
— Internal Control
Seeking to ensure that the control function is appropriately resourced, this part includes a section on the role of the chief risk officer and the risk management function. The text is in large part derived from CEBS’ High Level Principles on Risk Management.
— Systems & Continuity
The fifth part sets out new guidelines on communication systems and business continuity management. Rather than prescribing extensive requirements concerning IT systems, the guidance instead refers to generally accepted standards in this area. The EBA’s guidance on business continuity has been drafted to complement the BCBS’ High Level Principles for Business Continuity, published in 2006.
The final chapter contains the text from the CEBS’ Guidelines on public disclosure and transparency. The EBA has made only minor amendments to the text, in view of the fact that CEBS’ survey identified no major problems in this area.
Member States’ competent authorities are required to incorporate the EBA Guidelines into their supervisory procedures by 31 March 2012.
While implementation will initially trigger “moderate” one-off costs for institutions and authorities alike, the ongoing costs for an improved governance framework will be relatively low. In the EBA’s view, the implementation of the Guidelines is “expected to result in a more resilient banking system.” As institutions across the EU will benefit from better governance, they will engage in less risk-taking, which, in turn, will lead to a reduction of losses. The benefits of the new regime are therefore likely to far outweigh the costs.
©2011 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.