ABBL, January 2013
Central administration, governance & risk management
What is new in CSSF Circular 12/552?
In the light of the financial crisis, the Committee of European Banking Supervisors (CEBS), the predecessor of the European Banking Authority (EBA), conducted a survey on the implementation of internal governance by credit institutions and competent authorities. Internal governance issues were not identified as a direct trigger for the financial crisis, but rather as a crucial underlying factor. Weaknesses were often the result of an insufficient implementation of existing guidelines. In September 2011, EBA issued its “Guidelines on Internal Governance” updating former CEBS guidelines. In June 2012, the Basel Committee on Banking Supervision (BCBS) further defined the role of “the internal audit functions in banks”.
In Luxembourg, the Law of 5 April 1993 on the financial sector, as amended, already required that credit institutions and investment firms shall have “robust internal governance arrangements, which include a clear organizational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, and adequate internal control mechanisms, including sound administrative and accounting procedures and remuneration policies and practices allowing and promoting a sound and effective risk management, as well as control and security arrangements for information processing systems.” Additional guidelines were laid down in various CSSF Circulars.
In the past, the CSSF has sometimes adopted CEBS guidelines by making direct reference to the original CEBS source document in its own circulars. This time, with prudential supervision in the EU increasingly harmonized and CEBS having been transformed into the EBA, the CSSF has transposed the EBA guidelines by drafting its own text.
The new CSSF Circular 12/552 issued in December 2012 is a first step toward a comprehensive regulatory “Bible” of internal governance requirements, updating existing Circulars with the aforementioned EBA and BCBS guidelines. It replaces a number of existing Circulars.
The new Circular is applicable from 1 July 2013, except for certain specific provisions which must be applied from 1 January 2014.
The following entities (collectively referred to as “institutions”) are in scope:
- Credit institutions and investment firms incorporated under Luxembourg Law:
- On an individual basis
- On a consolidated basis (i.e., parent company)
- Where the institution holds significant participations (between 20% and 50%), but is not the parent company
- Non-EU branches of credit institutions and investment firms in Luxembourg
- Luxembourg branches of credit institutions and investment firms established in the EU / European Economic Area (for matters where the CSSF has supervisory responsibility)
- Professionals carrying on lending operations
Overview of key requirements and changes
Although Circular 12/552 has been introduced by the CSSF without much ado, its rich content is worthy of close attention and is likely to generate more changes to governance practices than initially suggested. Among the key points addressed are:
- The composition, roles and responsibilities of the Board of Directors (BoD), supported by specialized committees
- The affirmation of Luxembourg as a center of decision in the context of consolidated supervision or participations
- The qualification, independence and prerogatives of internal control functions − risk management, compliance and internal audit
- The roles and responsibilities of the finance, accounting and IT departments as key contributors to appropriate internal governance
- The importance of transparent decision-making, risk culture and alert mechanisms, including whistleblowing
- Additional CSSF guidelines and expectations around the management of key matters such as:
- Unusual or non-transparent (“opaque”) activities
- Conflict of interests
- New products / change of activities
- IT outsourcing
- Credit risk, with a focus on real estate lending
- Risk transfer pricing
- Private banking
While it is beyond the scope of this article to provide an exhaustive review of all requirements and changes, we highlight what we believe are the main features that will impact institutions in scope.
Composition, role and responsibilities of the Board of Directors
Under Circular 12/552, the Board of Directors (BoD) sees its role and responsibilities reinforced. Consequently, greater attention is paid to the individual and collective skills of the BoD members, their effective involvement in the oversight of the institution and the documentation of all required policies and decisions adopted. A policy must be implemented on the nomination and succession of BoD members, as well as of all individuals with key functions, inter alia taking into consideration eligibility criteria and conflicts of interest with other mandates.
The BoD cannot be composed of a majority of persons who have an executive role within the institution (Executive Director or employee, except representatives of the personnel). It will no longer be permitted to combine the function of authorized Executive Director with Chairman of the BoD. The CSSF explicitly recommends that large institutions nominate one or several independent, non-executive Directors.
Members of the BoD are also expected to consult with authorized management, control functions or external experts on a regular basis on all key aspects of the activities. To this end, the Circular sets clear expectations and objectives for the specialized committees supporting the BoD, such as (subject to proportionality) the Audit Committee and the Risk Committee, with rules applying to their composition and the qualification of their members.
This undeniably raises the bar for BoD members in terms of professional competences required, time and efforts devoted to their oversight duties.
Luxembourg as decision center
When the institution in scope is the parent of legal entities falling under its consolidated supervision or holds significant participations (between 20% and 50%), it is expected to exert adequate oversight and ensure that there is adequate internal governance in accordance with the rules of Circular 12/552, subject to proportionality, compatibility with applicable local regulations, and, in the case of minority interests, as far as possible.
While the principle that the role and responsibilities of the Luxembourg parent in a group should not be limited to those of an administrative center is not new, Circular 12/552 sets clearer targets for the level of oversight over subsidiaries and branches, emphasizing the capacity to continuously monitor activities from Luxembourg through adequate and complete management information systems. Beyond access to data, it underlines the principle of subordination of all key functions (control functions in particular) to their Luxembourg counterpart, with explicit reference to on-site visits (e.g., for internal audit) and, in general, the responsibility to define (and possibly restrict) delegated authorities within all entities included in the group controlled from Luxembourg.
Where any broader group committee has decision power in relation to the Luxembourg institution or group, authorized Executive Management must sit on these committees and benefit from a veto right. This may have very significant implications for Luxembourg subsidiaries of foreign groups, where Executive Management is used to taking instructions from international committees (such as ALCO or credit committees).
Qualification, independence and prerogatives of internal control functions
The importance of having properly staffed and qualified internal control functions (“ICFs”) − risk management, compliance and internal audit − is emphasized in Circular 12/552. In particular, the possibility to outsource these functions or to combine them with other duties is now clearly limited. The CSSF’s expectation is that each ICF role is occupied full-time by a designated responsible person − a Chief Risk Officer, Chief Compliance Officer and a Chief Internal Auditor − not to be confused with the members of authorized Executive Management. Subject to proportionality, part-time roles may still be permitted, but justification must be provided to the CSSF. Internal audit is the only ICF where outsourcing is allowed, and still only under strict independence conditions. Nominations and changes to ICFs must be subject to a written procedure with BoD approval, and must be promptly notified and explained to the CSSF. The importance of adequate segregation of duties and of remuneration schemes that preserve objectivity is reaffirmed by explicitly laying down incompatible situations.
The individuals appointed to these functions for the first time following the entry into force of the Circular must also possess the necessary theoretical skills; however, there is no explicit reference to certification or degree. Most of all, they must possess objective and critical judgment and not be afraid to express their views. Circular 12/552 requires that ICFs have direct access to the BoD, in particular to the Audit Committee, but also to the external auditor and, if necessary, to the CSSF. An interesting feature is the importance placed by the CSSF on the risk management function issuing its own yearly report, distinct from the ICAAP, allowing for a truly independent opinion on the status of the institution’s risks, at the cost of likely redundancy.
Roles and responsibilities of finance, accounting and IT
The Circular also emphasizes the shared responsibility of all staff and functions across the organization for appropriate internal governance, highlighting the importance of the first line of defense, human resources and a clear organizational chart. Finance, Accounting and IT see their specific roles detailed.
Finance and accounting should play a leading role in ensuring the timely availability of exhaustive, fair and reliable management information. Since this function is also responsible for financial and prudential reporting, it is expected to operate under adequate segregation of duties from commercial and other administrative units.
IT is assigned an important role with regard to the support provided to internal controls and the necessary integrity of systems and data, along with the core responsibility for system availability and continuity. The role of a designated IT Officer is complemented by that of an Information Security Officer, more specifically in charge of IT security and data protection. The Information Security Officer should be independent from operational units, including from the teams that implement security measures (so that the person defining and checking controls is not the one operating them), and should have access to authorized Executive Management and the BoD.
Alert mechanisms, including whistleblowing
The Circular underlines the importance of transparent decision-making and of developing risk awareness and critical judgment all across the organization. Applicable limits, alert thresholds and escalation must be communicated and understood consistently throughout the organization; exposures to related parties (e.g., intra-group transactions) should be treated in the same way as any other exposure.
As risk and controls concern all staff, the Circular introduces the requirement to implement a “whistleblowing” procedure − i.e., the possibility for any member of staff to raise legitimate concerns on risks and governance issues outside the hierarchical lines, up to the BoD level if necessary. Confidentiality must be preserved, and a whistleblower acting in good faith must not be exposed to any sanction, backlash or detrimental consequence. While whistleblowing may be a common feature of corporate culture in other countries, it is a relatively new concept in Luxembourg.
Specific guidelines and recommendations
Circular 12/552 has been drafted in order to adapt the high-level recommendations of EBA and BCBS to local realities and experiences gained over the recent crisis. It thus contains specific guidelines on a number of issues which are perceived as particularly relevant for Luxembourg, such as:
- The “know your structure” principle requiring additional governance, oversight and appropriate management of inherent risks in relation to “unusual” or “non-transparent” activities − i.e., those involving special purpose vehicles or entities subject to lower regulatory standards, including in relation to transactions performed on behalf of clients
- Conflict of interests with related parties (e.g., intra-group) at all levels, which is subject to special attention
- A formal New Product Approval Process – the requirement to consult with all internal stakeholders involved before venturing into new activities, and to document that consultation, is highlighted. While it is a common feature of the procedure handbook of most large organizations, in the past, some small to medium-sized institutions present in Luxembourg may have fallen short in this respect
- Requirements on IT outsourcing which are clarified with regards to the preservation of data confidentiality, particularly when cross-border infrastructure is involved, and avoiding dependency on the provider
- Credit risk approval processes: the requirement for a documented credit risk approval process with adequate follow-up and default management is underlined. The principles should be well known to experienced lending professionals, but may be deficient in institutions where these activities are recent or occasional. The Circular focuses in particular on real estate lending, recognizing the risk of concentration on the Luxembourg domestic market, and amends the risk weights applicable to residential mortgages in CSSF Circular 06/273 on the definition of capital ratios in order to explicitly take into account the 80% loan-to-value (LTV) cap on eligible exposure which other countries had already implemented under Basel II. It further specifies the level of stressed probabilities of default (PDs) and loss given default (LGD) applicable to internal ratings based (IRB) models for these exposures
- Risk transfer pricing: the Circular requires the setup of risk transfer pricing mechanisms for all risks (i.e., not just limited to liquidity) but does not further detail the technical requirements. Risk transfer pricing is already applied by large institutions, but to a much lesser extent by Luxembourg institutions
- Private Banking: guidance is provided related to rules of conduct in Private Banking. The CSSF favors segregation between discretionary portfolio management activities, investment advice and execution only. The production of client reporting, record-keeping of MiFID information (e.g., client profiles) and collection or remittance of cash and securities need to be performed independently from commercial staff, obviously with the objective of fraud prevention. Margining mechanisms operating without delay and financial guarantee management with independent “early warning system” are now required for credits granted in the context of private banking services (e.g., Lombard credits and overdrafts) in order to avoid the insidious rise of uncovered exposure.
Whereas Circular 12/552 says little on the topic of risk measurement, it is not intended to supersede the guidelines on these matters included in previous Circulars, such as Circular 06/273 on capital requirements, 07/301 on ICAAP or 11/506 on stress testing. In addition to laying down rules for risk transfer pricing, it also calls for regular reconciliation between ex-ante estimates of potential risks and ex-post, realized risks (i.e., backtesting).
Compliance deadline and future directions
The new Circular is applicable from 1 July 2013, except for the new requirements on BoD composition and qualification, the specialized committees and certain policies to be written by the BoD, which are applicable from 1 January 2014.
In addition to reporting to the BoD at least once a year on the status of all aspects of internal governance, the authorized Executive Management must issue a simple and concise signed statement to the CSSF confirming the institution’s compliance with the Circular in its entirety, or expressing its reservations on the points of non-compliance it has identified and the reasons for them.
Circulars IML 93/94 and CSSF 10/466 will be repealed. Circulars IML 95/120, IML 96/126, IML 98/143, CSSF 04/155 and 05/178 will no longer be applicable to credit institutions and investment firms from the implementation date.
Interestingly, Circular 12/552 is presented as a first, intermediary step before additional guidance is provided in a more comprehensive version of the Circular. Hence, the Luxembourg financial community may see this supervisory initiative as quite possibly paving the way for further increases in scrutiny of internal governance.
By Christian Brüne, Partner, Simone Thiel and Vincent Galand, Senior Managers, EY, Luxembourg