The CSSF Circular 20/759 amending the CSSF Circular 12/552 on central administration, internal governance and risk management, and the CSSF Circular 20/758 (together the “Circulars”), were published on 7 December 2020. Both Circulars transpose the EBA Guidelines on Internal Governance (EBA/GL/2017/11) and the Joint EBA-ESMA Guidelines on the assessment of the suitability of members of the Management Body and key function holders (EBA/GL/2017/12).
Both Circulars will enter into force on 1 January 2021. Banks and Investment Firms are therefore expected to be compliant with these obligations as of that date and be ready for any CSSF queries.
These Circulars explain the specific measures to be taken regarding central administration, internal governance and risk management. They reiterate the principles of European and international guidelines and recommendations applied in this area. They also reinforce the existing governance requirements at all levels of the organisation.
The newly issued Circulars apply as follows:
Credit institutions and non-EU Branches are subject to the CSSF Circular 20/759 amending the CSSF Circular 12/552. Professionals performing lending operations under Article 28-4 of the Law of 5 April 1993 on the financial sector (“LFS”) will still be partly subject to the Circular.
The CSSF Circular 20/758 has been specifically issued to the attention of Investment Firms.
The scope of both Circulars has also been extended to (mixed) financial holding companies.
In both Circulars, the definition of Significant Credit Institutions/Investment Firms has been reviewed, now referring to Systemically important Credit Institutions/Investment Firms as defined under Article 59-3 of the LFS and, where applicable, to other Credit Institutions/Investment Firms as determined by the CSSF. In this regard, Significant Institutions are subject to additional requirements, including the following (non-exhaustive list):
The Chief Financial Officer is now considered a “key function holder”, appointed and revoked by the Board of Directors according to a written policy;
It is worth mentioning that other key function holders may be identified by the institutions (e.g. heads of significant business lines, branches, third country subsidiaries or other internal functions);
Significant Institutions must set up an audit committee, a risk committee, a nomination committee and a remuneration committee, subject to enhanced composition rules.
The Circulars also specify the proportionality principle:
The CSSF confirms the possibility to combine the Compliance and Risk control functions, subject to the CSSF approval and without prejudice to the segregation of duties obligation;
The CSSF also restates the possibility to outsource internal audit “operational tasks”, partially or entirely. By doing so, the CSSF expects the Management Body to remain fully involved in the definition of the internal audit plan as well as in the oversight of the internal audit plan execution.
Highlights of key changes:
ESG (Environmental, Social and Governance) aspects are now considered as a central component of the internal governance:
Sustainability factors, including environment, social and governance aspects, and the related risks must be considered in the institution’s strategy definition.
Enhanced Management Body duties:
The suitability of members of the Management Body must be assessed in order to demonstrate their skills level, knowledge and experience to perform their duties, both individually and collectively;
Induction and training should ensure the initial and ongoing suitability of members of the Management Body;
Institutions are expected to further assess the potential risks arising from the different mandates held by the Board members.
Independence and diversity criteria:
Significant Institutions will ensure that their Board of Directors has a sufficient number of independent members, taking into account their organisation and the nature, scale and complexity of their activities;
Less Significant Institutions are required to appoint at least one independent Board member;
The Circulars also introduce the notion of “independence of mind”, further specifying the circumstances for being considered as non “independent”;
New diversity objectives must be set within the Board of Directors to achieve a variety of views and experiences and to facilitate independent opinions and sound decision-making.
Risk management, a key component of a sound and prudent governance:
A “risk culture”, solid and omnipresent, must be promoted by the Board, according to the “tone from the top” principle;
The Risk control function is granted new responsibilities and powers:
The Chief Risk Officer (“CRO”) must be able to challenge the decisions taken by the authorised management and, when necessary, escalate issues to the Board;
For Significant Institutions, the CRO will become part of the authorised management;
Institutions may decide to grant the CRO a veto right on management’s decisions.
Increased responsibilities for the Compliance function:
The Compliance function must perform regular assessments and controls of the compliance risk as part of a structured control programme (i.e. establishment of a compliance risk assessment and a compliance monitoring plan).
Enhanced new product approval process:
The scope of the New Product Approval Process is extended to the development of new activities in terms of products, services, markets, systems and processes or clientele, as well as material changes and exceptional transactions;
New products must be in line with the institution’s risk appetite.
Managing outsourcing arrangements:
The CSSF decided not to include the recent EBA Guidelines on Outsourcing arrangements (EBA GL 2019/02) in the scope of the amendments of CSSF Circular 12/552. We expect a dedicated Outsourcing Circular to be published in the course of 2021. Nevertheless, the requirements related to the management of Outsourcing arrangements have been updated, the most significant changes being the following:
Outsourcing policies are subject to regular reviews and approvals by the Board of Directors. The policy should make references to different risk types including concentration risks and cover the requirements along the whole lifecycle of the Outsourcing arrangement;
Risk assessments related to Outsourcing arrangements should include a detailed due diligence on the service provider;
Contractual arrangements with service providers should allow for an adequate notice period in case of termination in order to allow the institution to take the necessary measures to ensure the continuity of its operations;
Any intervention by a service provider on the production environment requires an explicit approval by the institution unless the provider is acting in its role as IT systems operator. In addition, the institution needs to ensure compliance with professional secrecy obligations in case of third-party access to its IT systems.
Higher formalisation of governance mechanisms is expected by the CSSF:
The CSSF insists on the formalisation aspects: the minutes are an important instrument of a sound governance and shall be comprehensively documented and reflect the different positions, opinions and contradictory discussions within the Board;
The follow-up of the decisions taken by the Management Body shall be documented in the minutes.
Internal Governance is a major topic on the CSSF agenda and swift actions are recommended, including:
Impact assessment on current internal governance framework and mechanisms;
Update your existing internal governance documentation (e.g. Governance policy, Terms of reference, Outsourcing policy), and review and assess the quality of the decision-making process (minutes of the Management Body);
Perform an assessment of both the individual and collective suitability of the Management Body.
The PwC Regulatory Banking team is ready to support you in the following tasks:
Assessing the robustness and efficiency of your internal governance mechanisms (including the decision-making process) and reviewing your internal documentation;
Assessing the initial and ongoing, individual and collective, suitability of the Board members and authorised managers; assessing the initial suitability of key function holders;
Embedding ESG risk factors into the business model.
1. PwC Luxembourg (www.pwc.lu) is the largest professional services firm in Luxembourg with 2,800 people employed from 77 different countries. PwC Luxembourg provides audit, tax and advisory services including management consulting, transaction, financing and regulatory advice. The firm provides advice to a wide variety of clients from local and middle market entrepreneurs to large multinational companies operating from Luxembourg and the Greater Region. The firm helps its clients create the value they are looking for by contributing to the smooth operation of the capital markets and providing advice through an industry-focused approach.
2. The PwC global network is the largest provider of professional services in the audit, tax and management consultancy sectors. We are a network of independent firms based in 155 countries and employing over 284,000 people. Talk to us about your concerns and find out more by visiting us at www.pwc.com and www.pwc.lu.