1. A clear statement on the weaknesses in the governance of banks that have been highlighted since the financial crisis
Several failures in the governance practices of banks were identified during the financial crisis. While these flawed practices were not a direct trigger of the crisis, they were closely associated with it and were subsequently called into question. In some cases, the lack of effective checks and balances within banks meant that management decision-making was not adequately overseen, which led to short-term oriented and excessively risky management strategies.
Weak oversight by the management body in its supervisory function was identified as a contributing factor in the amplification of the crisis. Some management bodies, in both their management and supervisory functions, did not sufficiently understand the complexity of the business and the risks involved. As a result, risks went unidentified and excessive risk-taking was not curbed. Internal governance frameworks, including internal control mechanisms and risk management, were often not sufficiently integrated within banks or banking groups, and internal control functions often lacked appropriate resources, status and/or expertise.
Finally, various conduct-related deficiencies persist, including shortcomings in compliance with the AML/CFT framework in relation to offshore financial centres.
2. The importance of an effective governance framework within banks
Confidence in the reliability of the financial system is crucial for its proper functioning and is a prerequisite for its contribution to the economy as a whole. Sound internal governance arrangements are fundamental to the proper functioning of banks. Directive (EU) 2019/878 (CRD V) strengthens the governance requirements for banks and highlights:
- The management body’s responsibility for good governance.
- The importance of a strong supervisory function within the governing body, capable of challenging the decision-making of senior management.
- The need to establish and implement an effective risk management strategy.
- A strong risk appetite framework.
3. The framework of the EBA’s mission in improving internal banking governance
The EBA’s mission is to further harmonise the internal governance arrangements, processes and mechanisms of banks in the EU.
The guidelines apply to all banks regardless of their governance structure, without advocating or preferring any specific structure, and take into account the principle of proportionality: they should be applied in a manner appropriate to the size, internal organisation and nature of the bank and to the complexity of its activities.
In addition, the guideline aligns the terminology used for risk appetite and risk tolerance with the EBA SREP guidelines and with the terminology of the Basel Committee.
Published on 2 July 2021, this new guideline applies from 31 December 2021.
4. The content of the guideline
4.1. Internal governance requirements
The guideline defines the scope of internal governance, which covers all the standards and principles relating to the bank’s objectives, strategies and risk management framework, including:
- The organization of the activity.
- Responsibilities and authority defined and clearly assigned.
- The hierarchical lines set up and the information conveyed.
- The organization of the internal control framework including accounting procedures and compensation policies.
- Robust IT systems.
- Outsourcing arrangements.
- Business continuity management.
- The framework for combating money laundering and the financing of terrorism (AML/CFT).
- The inclusion of environmental, social and governance (ESG) aspects in their risk management framework.
Thus the guideline aims to:
- Ensure that banks have strong governance including a clear organisational structure with well-defined, transparent elements and consistent lines of accountability.
- Enable the competent authorities to supervise and monitor the adequacy of internal governance arrangements.
4.2. The role of the governing body
The guideline clarifies what is expected of the management body, which has the authority to set the bank’s strategy and objectives.
In its management function, the management body manages the bank and is responsible for its day-to-day management. In its supervisory function, it oversees and monitors the decisions taken in the management function. Where these functions sit in separate bodies, the executive board manages the bank and is accountable to the board of directors for its day-to-day management.
The management body in its supervisory function oversees and challenges senior management and provides appropriate guidance. This oversight role includes reviewing the performance of the management function and the achievement of objectives. The management body should challenge the strategy, and monitor and scrutinise the systems that ensure the integrity of financial reporting and the soundness and effectiveness of risk management and internal controls.
The independent directors in the oversight function of the management body help to ensure that the interests of all internal and external stakeholders are taken into account and that independent judgment is exercised in the event of actual or potential conflicts of interest.
In particular, the guideline aims to:
- Promote a healthy risk culture implemented by the management body.
- Specify the tasks, responsibilities and organization of the governing body in both its leadership and oversight roles.
- Strengthen the management body’s control over the bank’s activities:
- Definition of the responsibilities of the management body with regard to governance arrangements, including the segregation of duties within the organisation and the prevention of conflicts of interest.
- Documentation of loans granted to members of the management body and their related parties; these must be duly documented and made available to the competent authorities on request.
- The introduction of a call for candidates for seats on the board of directors in large banks, unless, under national law, the management body has no role in the selection and appointment of its members.
- Assessment of the suitability of members of the management body and of key function holders.
- Ensure effective oversight by the management body, including its oversight function through its participation in the risk management process, the establishment of a risk committee for banks, and the tasks
4.3. A three-level internal control system in line with the recommendations of the Basel Committee
The guideline is consistent with the “three lines of defence” model for identifying the functions within banks responsible for addressing and managing risk.
4.3.1. The first line of defence
As part of the first line of defence, the business lines take risks and are responsible for their direct and ongoing operational management. To this end, the business lines must have in place appropriate processes and controls to ensure that risks are identified, analysed, measured, monitored, managed, reported and maintained within the bank’s risk appetite and that business activities comply with internal requirements.
Business units, operational units and support functions (e.g. HR, legal or IT) are responsible for managing their risks and implementing appropriate controls.
Support functions are primarily exposed to operational and reputational risks, which the compliance function and the risk management function should take into account in the risk mapping exercise as part of a holistic, enterprise-wide approach. All such functions are subject to risk-based monitoring and oversight by the independent risk management and compliance functions.
4.3.2. The second line of defence
The risk management function and the compliance function form the second line of defence. Banks may establish additional specific control functions (e.g. for IT security or for AML/CFT) alongside the compliance function.
The risk management function facilitates the sound implementation of the risk management framework throughout the bank and is responsible, on an individual and consolidated basis, for:
- Identifying risks.
- Monitoring risks.
- Analysing risks.
- Measuring risks.
- Managing risks.
- Reporting risks.
- Forming a holistic view of all risks.
- Challenging and assisting the business in implementing risk management measures, so that the processes and controls in place in the first line of defence are properly designed and effective.
The compliance function:
- Monitors compliance with legal requirements and internal policies.
- Advises the management body and other relevant staff on compliance matters.
- Establishes policies and processes to manage compliance risks and ensure compliance.
Where necessary, both the risk management function and the compliance function may require changes to the internal control and management arrangements of the first line of defence.
Among other things, the guideline:
- Clarifies the requirements for sound risk management across the three lines of defence.
- Sets out in detail the elements of the second and third lines of defence.
- Sets out how the risk management function is organised, including the requirement that its head be an independent senior manager with distinct responsibility for the function.
- Strengthens the risk management framework of banks, including the treatment of AML/CFT risk factors.
- Promotes a strong risk culture at all levels of the bank.
4.3.3. The third line of defence
The independent internal audit function, as the third line of defence:
- Conducts audits using a risk-based approach.
- Reviews internal governance arrangements, processes and mechanisms to ensure that they are:
- Sound and effective.
- Consistently applied.
- Is responsible for the independent review of the first two lines of defence, covering the business and operational lines as well as the support functions.
- Performs its tasks completely independently of other lines of defence.
4.3.4. The conditions for the proper functioning of the various lines of defence
To function properly, all internal control functions must:
- Be independent of the teams they control.
- Have financial and human resources adequate for their tasks.
- Report directly to the management body.
Within the three lines of defence, appropriate internal control procedures, mechanisms and processes must be designed, developed, maintained and regularly evaluated.
4.4. The governance framework for the new products and activities process
Risks must be analysed within a well-defined framework in line with the bank’s risk strategy and risk appetite. This involves the definition of and compliance with a system of limits and controls.
Risks associated with new products and new business areas, but also risks that may result from changes to existing products, processes and systems, must be properly identified, assessed, managed and monitored.
The risk management function and compliance should be involved in the process of approving these changes to ensure that all material risks are addressed and that the bank is in compliance with all internal and external requirements.
4.5. Prevention of conflicts of interest
Banks should implement a conflicts-of-interest policy and internal whistleblowing procedures. These support objective decision-making and oversight, and compliance with external and internal requirements, including the bank’s strategies and risk limits.
The management body should ensure that a framework for the identification and mitigation of conflicts of interest is in place. The bank, its organisational sub-structures, its staff and its shareholders have interests that need to be taken into account in such a framework in order to ensure that decisions are made objectively. Sources of conflicts of interest are, for example, the divergent economic interests of the various parties involved or the close links between decision-makers.
The management body has the highest decision-making powers, therefore the identification and management of conflicts of interest of members of the management body and parties closely related to members of the management body is the cornerstone of good internal governance practice.
Therefore, banks need to carefully manage conflicts of interest that may arise from lending and other transactions with members of the management body or their relatives.
Abbreviations and glossary
AML/CFT: Anti-money laundering and countering the financing of terrorism
EBA: European Banking Authority
ESG: Environmental, social and governance
SREP: Supervisory Review and Evaluation Process