What are the organisational requirements for banks, including with respect to corporate governance?
The BoI issued "Proper Management of Banking" directives ("PMB") which impose corporate governance and organizational requirements on banks.
PMB 301 deals with the board of directors and, among others, addresses the following matters: functions of the Board of Directors and its powers; issues that the board must consider and decide on; supervisory and monitoring role; board committees; frequency of board meetings including presence requirements for board members; certain meetings without the management of the bank; chairman of the board; practices for effective functioning of the board; reports to the BoI etc. As to the composition of the board, the directive sets out, among others: limitations on the minimum and maximum number of members; eligibility to serve as a director and conflicts of interest; at least a third of directors should be independent (external directors); at least a third of directors should have “banking experience”; at least a fifth of directors should have “accounting and financial expertise”; at least half of directors should have general professional qualification; and at least one director will have proven knowledge and experience in information technology.
Other PMBs address different organs and functions in the bank such as the chief accountant, the external auditor, the internal auditor function, the compliance functions, the risk management, the ombudsman etc.
Organizational requirements are to be distinguished according to whether they are required by the rules of Act V of 2013 on the Hungarian Civil Code (the “Hungarian Civil Code”) applicable to the operating form of banks, i.e. companies limited by shares, or by the Hungarian Banking Act.
Based on the Hungarian Civil Code the organization of a company limited by shares consists of
- the founder /general meeting of the shareholders;
- board of directors;
- supervisory board;
- audit committee and
Based on the Hungarian Banking Act credit institutions are obliged to have an effective and creditable corporate governance structure and initiative control function in place appropriate to the nature, order of magnitude and complexity of the provided financial services and applied business model of the respective credit institution.
The Hungarian Banking Act distinguishes between
- controlling management body;
- risk exposure and risk management committee;
- comprehensive and independent business unit responsible for the risk management function covering all material risks of the credit institution; and
- nomination committee
in case of credit institutions having a market share exceeding 5%.
Like any other JSC, a bank is governed by a meeting of shareholders, a council and a board of directors.
The meeting of shareholders has certain exclusive rights, e.g., to make decisions concerning the annual financial statements of the bank, the use of the profit from the previous year of activities, amending the articles of association of the bank and others.
The council is the supervisory institution of the bank, which represents the interests of shareholders during the time periods between the meetings of shareholders and supervises the activities of the board of directors. The council has certain duties, e.g., to monitor that the business of the bank is conducted in accordance with law, the articles of association and the decisions of the meeting of shareholders. The council can consist of not more than 20 members.
The board of directors is the executive institution of the bank, which manages and represents the bank. It shall supervise and manage the affairs of the bank. It shall be responsible for the commercial activities of the bank, as well as for accounting, in compliance with law. The board of directors shall administer the property of the bank and shall act with its means according to the requirements of law, the articles of association and decisions of meetings of shareholders.
Regarding the organisational structure of the banks, the law stipulates certain additional requirements in terms of qualification and suitability of the relevant officers. For instance, only the following persons may act as a chairperson of the board of directors, member of the board of directors, head of the internal audit service, risk manager, person responsible for compliance control, person responsible for compliance with the requirements of the prevention of money laundering (ML) and terrorism financing (TF), company controller, head and procurator of a branch of a foreign bank or of a branch of a bank in a foreign country:
- who are competent in the financial management issues; person responsible for compliance with the requirements of the prevention of ML and TF may be competent in business administration issues;
- who have the necessary education and three years professional work experience in an undertaking, organisation or institution of relevant size;
- who have an impeccable reputation;
- who have not been deprived of the right of engaging in commercial activities.
Moreover, the law obliges the banks to ensure the establishment and operation of a comprehensive and efficient internal control system, which is suitable to the nature, volume and complexity of the activities thereof. The internal control system shall include the following basic elements:
- an organisational structure conforming to the size and operational risks of the bank, in which there is a clearly determined, unambiguous and systematic division of duties, authorisations and responsibilities in relation to the performance and control of transactions between the structural units and responsible employees of the bank;
- a system for the identification, management, supervision and reporting of inherent and potential risks for activities of the bank;
- internal control procedures;
- remuneration system.
The organizational requirements for a bank are typical of the EU approach and follow EU law.
With respect to corporate governance, a bank must have the following bodies: a general meeting of shareholders, a supervisory board, the board and a head of administration. The management bodies of a bank shall be the bank’s board and the head of the administration.
On the basis of the provisions of legal acts regulating the activities of banks and inter-institutional recommendations, the list of management and structural bodies/officers of the bank includes:
- Board (consisting of not less than 3 members);
- Supervisory Board (consisting of not less than 3 members);
- Head of the administration and Deputy Head (Chair of Board has to be the Head of the administration or the Deputy Head);
- Head of the Internal Audit Service;
- Audit Committee;
- Risk Committee;
- Credit Committee;
- Chief Technical Officer (for the exclusion of business execution, organisation and supervision it is recommended to not appoint a member of the Board or Supervisory Board to CTO position);
- Chief Risk Officer (should be a Member of the Board);
- Chief Legal Officer (for the exclusion of business execution, organisation and supervision it is recommended to not appoint a member of the Board or Supervisory Board to the position of CLO);
- Chief Financial Officer (should be a Member of the Board).
The bank’s articles of association and other corporate bank documents must clearly establish and define the powers and functions of the above listed bodies and officers.
The bank has to ensure effective functioning of internal control system, including the following functions/areas: compliance, risk management, internal audit, conflict of interest management, complaint handling, market abuse prevention, management remuneration, AML, operational risk.
Lithuanian laws, including Resolution No. 03-181 of 2014 of the Board of the BoL, follow the EU approach in setting fitness and propriety requirements for management and owners.
The organizational requirements are as follows:
- a bank must be established by no fewer than three founders (either natural persons or legal entities) unless the founder is a bank, a credit institution, an international financial institution, an insurer, etc;
- the share capital must be equal to at least EUR 5,000,000;
- the supervisory board must be composed of at least five members;
- the management board must be composed of at least three members, of which at least two must speak Polish;
- the members of the management board and the supervisory board must have the knowledge, skills and experience sufficient to operate a bank;
- the bank must have adequate premises, with technical equipment allowing for the safekeeping of valuables.
In accordance with article 74 of EU Directive 2013/36/EU, the Romanian legislator has enacted various pieces of legislation, to ensure that banks in Romania have robust governance arrangements (including clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management).
Each of the members of the board of administration and the directors or, where applicable, the members of the supervisory board and the directorate of a credit institution, as well as the persons designated to manage the structures related to the risk management and control activities, internal audit, legal compliance, treasury, credit and any other activities that may expose the credit institution to significant risks must at all times have a good reputation, knowledge, aptitude and experience appropriate to the nature, scale and complexity of the credit institution's activity and the responsibilities entrusted to them, and must operate in accordance with the rules of prudent and sound banking practice.
If the bank opts for a unitary management system, the management of the bank shall be delegated by the board of administration to at least two directors, while, if the bank opts for a dual management system, the board of directors shall be formed of at least three members.
Management and/or administration responsibilities can only be exercised by individuals (as opposed to legal persons).
The RBI supervises the Indian banking system and is making continuous efforts to see that the banks maintain the highest standard of corporate governance. The measures taken by the RBI include:
- establishing standards of conduct for directors and senior management by prescribing qualification requirements and other such requirements under the BR Act;
- regulating the terms of appointment of key managerial personnel;
- conducting regular checks to evaluate the effectiveness of the management and operation of the banks and issuing directions as appropriate;
- engaging with the banks' executives (including service executive) on issues emerging from analysis of off-site surveillance and annual inspection;
- allowing the RBI to supervise and oversee the risk management and capital adequacy requirement by prescribing appropriate procedures and compliance requirement for banks.
The guidelines issued for the purpose of setting up and identifying the nature of activities that can be undertaken by the small finance banks and payments banks also put in place similar corporate governance measures to give certain degree of supervision and control to the RBI to identify potential issues with the management of the banks at an earlier stage.
In addition to the above, the corporate governance structures put in place under the new company law regime are also applicable to a bank, as company law in India treats both financial and non-financial entities at par. Once the bank is listed, the corporate governance standards set out in the SEBI (Listing Obligations and Disclosure Requirements), 2015 become applicable.
With respect to corporate governance, a bank must have:
(i) a board of directors;
(ii) a board of statutory auditors (kansa-yaku); and
(iii) an accounting auditor.
In lieu of a board of statutory auditors, the bank may elect to have alternative corporate governance structures and establish:
(i) an audit and supervisory committee (kansa-tou iinkai); or
(ii) a nominating committee (shimei iinkai), an audit committee (kansa iinkai) and a compensation committee (houshuu iinkai).
The bank must also have risk control, compliance and internal audit oversight structures as required by the FSA’s Supervisory Guidelines.
The MFSA expects that an authorised credit institution conducts its business in a prudent manner. Additionally, credit institutions are required to have robust governance arrangements, including a clear organisational structure, well defined lines of responsibility, effective risk management processes, control mechanisms and remuneration policies. The internal governance arrangements should be appropriate to the nature, scale and complexity of the credit institution. The main responsibility for internal governance lies with the Board of Directors. In this respect, local credit institutions are required to abide by the EBA Guidelines on Internal Governance (GL44) as well as Guidelines on the Assessment of the Suitability of Members of the Management Body and Key Function Holders (EBA/GL/2012/16).
The CBN Code of Corporate Governance for Banks and Discount Houses 2014 (CBN Code), which is mandatory for all banks, provides that all banks must have the following organizational policies in place: risk management framework aimed at monitoring and controlling of the operation risks; code of conduct policies which require the management and other stakeholders to maintain the highest standards of professional behavior and best practices; conflict of interest policies; carry out quarterly stress tests of their capital and liquidity under the CBN’s review; and a whistle-blowing policy containing procedures that encourage stakeholders to report any unethical conduct to the bank or the CBN. The CBN Code also sets out guidelines on the number of directors, independent directors, the qualification of directors, separation of powers of the managing director and chief executive officer (MD/CEO), the maximum tenure for CEO and the board of directors, the establishment of board committees etc.
In addition to the requirements to the organisational ownership structure mentioned under question 2, a bank must have a general meeting, a board of directors, and a CEO. The board of directors must be composed so that it meets a general requirement of versatility, and both the members of the board of directors and the CEO must meet certain requirements on education and professional experience as well as having shown good conduct over a period. A bank must be organised in a way that enables it to monitor and control risks and comply with all regulations. Ultimately, the responsibility lies with the board of directors.
A bank licensed in Norway is required to have articles of association approved by the NFSA.
Pursuant to the Financial Undertakings Act, banks are required to have in place an audit committee, a remuneration committee and a risk committee, consisting of members of the board of directors. The remuneration committee shall in addition have at least one employee representative. The purpose of the audit committee is to support and advise the board of directors with respect to, for example, internal control systems, risk management and auditing of the bank's financial statements. The purpose of the risk committee is to support and advise the board in its role as supervisor and governing body of risk and risk control. The remuneration committee shall prepare all matters that the board of directors is required to resolve pursuant to the remuneration policy. Furthermore a bank must establish independent control functions such as internal audit and risk and compliance functions.
The Norwegian Code of Practice for Corporate Governance applies to banks with securities listed on a regulated market in Norway. The Code is based on the "comply-or-explain" principle, where companies must comply with the Code of Practice or explain why they have chosen not to.
As a general rule, credit institutions shall have, at least, management and supervisory bodies, who, within the scope of their competences, shall oversee and be responsible for the implementation of governance arrangements that ensure effective and prudent management of the credit institution, including the segregation of duties in the organisation and the prevention of conflicts of interest.
Credit institutions that are significant in terms of their size, internal organisation and the nature, scope and complexity of their activities shall establish a nomination committee composed of members of the management body who do not perform any executive function, or members of the supervisory body.
A report on corporate governance shall be prepared annually by the management body and published alongside the credit institutions’ financial statements.
The board of directors of a bank has overall responsibility to the bank, including approving and overseeing the implementation of the bank’s strategic objectives, policies, risk profile, governance framework and corporate culture. The board is also responsible for oversight of senior management.
To increase its supervisory efficiency and allow deeper focus in specific areas and risks exposed, a board may establish certain specialized board committees. The number and nature of such committees depends on many factors, including the size of the bank and its board, the nature and structure of the business areas of the bank, and its risk profile.
Main Committees of the Board:
- Audit Committee;
- Risk Committee;
- Nominations and Governance Committee;
- Compensation and Remuneration Committee.
In addition to the board of directors and the committees, there is the Senior Management which includes senior employees of the bank, including the CEO, whose authority shall include management and operation of bank and implementation of board’s decisions in accordance with the approved strategies and policies, and the bank’s risk profile.
The board of directors may delegate the CEO to act in the name of the bank generally and represent the bank’s interest while concluding transactions with third parties. The board shall also specify the restrictions of powers delegated to the CEO or other senior management, such as ceiling for financial transactions that may exceed the approval set for the board.
Senior managers should possess personal characteristics of honesty and integrity, and acquire sufficient qualifications and experience to fulfil their roles in the bank.
Senior managers along with the board should participate in implementation and development of a sound corporate governance system.
The Senior Management should prepare the bank’s organizational structure to be approved by the board, which should include appropriate distribution of responsibilities, delegation of authority, and limits to responsibility and accountability. The organizational structure should include, but is not limited to, the following:
- departments, units, and divisions arranged in such a way that ensures independent implementation, audit and reconciliation, and prevents conflict of interests;
- designations and professional levels;
- communication channels and mechanism of reporting;
- dual control;
- assessment and accountability.
The Banking Act, Banking Ordinance and FINMA Circulars require a certain governance structure. For example, the members of a bank's governing body for its guidance, supervision and control (e.g., the board of directors) are not allowed to be members of the bank's management and must meet fit and proper requirements, at least 1/3 of the board must meet certain criteria of independence, and banks generally must have an audit committee on the board level, as well as an independent risk control function, compliance function and an internal audit. The bank's risk management needs to be carried out on the appropriate organisational level, using adequate methods, and must reflect the particularities of the specific bank.
Turkish banks are required to establish the following bodies, committees and units as a result of organizational requirements under Turkish law:
- Board of Directors;
- Audit Committee;
- Corporate Governance Committee;
- Remuneration Committee;
- Internal Systems Units consisting of (i) internal control; (ii) internal audit; and (iii) risk management units;
- Compliance Unit in relation to compliance with anti-money laundering legislation;
- Credit Committee (if the Board of Directors delegates its credit-related duties).
Pursuant to the Regulation on Corporate Governance Principles of Banks (the “CG Regulation”), the main corporate governance principles that banks should comply with by taking into consideration the size of their activities and their organizational types, are, amongst others, (i) establishment of corporate values and strategic goals; (ii) explicit determination of the scope of authorities and responsibilities within the bank; (iii) competency of board members and the senior management required for effective performance of their duties; (iv) efficient use of internal and independent auditors’ operations; (v) establishment of remuneration policies compliant with the ethical values and strategic goals and (vi) transparency.
Additionally, the Corporate Governance Communiqué No. II-17.1 issued by the CMB sets forth further requirements applicable to publicly held banks related to, inter alia, (i) composition of the board of directors and appointment of independent board members, (ii) establishment of a corporate governance committee, and (iii) transactions with related parties other than those arising from ordinary activities.
The FMA has published a detailed set of guidelines and circular letters (Rundschreiben) on the application and the scope of the organizational regulations, which depend on the type of business activities envisaged by the entity. An institution has to implement and monitor a comprehensive set of organizational requirements on an ongoing basis e.g., organizational structure, clear decision-making processes, documentation and reporting obligations as well as responsibilities. Furthermore the management shall define and oversee the internal principles of proper business management, guaranteeing the requisite level of care when managing the institution, and in particular, focus on the segregation of duties in the organization and the prevention of conflicts of interest and therefore establish mechanisms to safeguard security and confidentiality of information (in particular pursuant to the Austrian Banking Secrecy [sec 38 BWG]).
The corporate bodies of banks are (i) general meeting of shareholders (GMS) and (ii) board of directors (in case of one-tier system) or supervisory board and management board (in case of two-tier system).
A bank is required to be managed and represented jointly by at least two individuals of whom at least one speaks Bulgarian. They are to manage and represent the bank by personally attending its management address. These representatives may not entrust the full management and representation of the bank to one of them, but may authorize third parties to perform separate actions.
A legal entity may not be a member of the board of directors or of the management board of a bank.
There are specific requirements to the education, qualification and professional experience of the banks’ board members and procurators. Specific requirements apply also to their clear criminal record, non-participation in insolvent companies, their family or other similar relations with another board member, to their reliability, to the lack of conflict of interest, etc.
A bank’s board members and procurators can be elected only following the prior approval of BNB.
8.1. Organizational requirements
COMF states that financial entities, including banks, must be organized as stock corporations with at least two shareholders. The name of the entity shall be previously authorized by the Superintendence of Banks and must include the denominations "bank", "financial corporation", "general deposit entity", "exchange house", "ancillary services of the financial system", "savings and credit cooperatives", "associations of savings and credit for housing", and any other authorized by the Monetary and Financial Policy and Regulation Board.
The requirements to be filed before the Superintendence of Banks for the financial entity’s incorporation are:
(i) Application signed by the promoters (founding shareholders), their agent or representative;
(ii) Documents certifying the identity, suitability, responsibility and solvency of the promoters;
(iii) Document that demonstrates the reservation of the financial entity’s name;
(iv) A technical analysis that contains at least the following: economic-financial feasibility of the private entity to be incorporated and market analysis that demonstrates the viability of its creation and insertion according to the capacity and specialization and its impact on the other entities of the financial system;
(v) The draft of the incorporation deed, which must include the corporate by-laws, specific corporate purpose, in accordance with the regulations issued by the Superintendence of Banks; and,
(vi) Capital integration account, evidencing a payment of at least 50% of the minimum capital required for the incorporation. The minimum subscribed and paid-in capital for the incorporation of a private financial sector entity is: a) for banks USD 11,000,000.00 (eleven million US dollars); and, b) for other entities providing other financial services the minimum capital will be the amount determined by the Monetary and Financial Policy and Regulation Board.
8.2. Corporate governance
The entities of the private financial sector are considered incorporated as legal entities under private law. In the exercise of their operations and the provision of financial services, they will be governed by its own regulations and the regulations applicable to the financial institutions. Private financial entities must have at least two shareholders at all times.
The governance of financial entities will be formed by:
(i) General Shareholders' Meeting;
(ii) Board of Directors; and,
(iii) Legal Representative
Board members and legal representatives will be considered the administrators of the financial entity.
The board of directors will be made up of an odd number of members, with a minimum of 5 and a maximum of 14 directors, elected by the General Shareholders' Meeting for a period of up to 2 years; they may be re-elected indefinitely. The General Shareholders' Meeting will also appoint as many alternate directors as they have, for an equal period of time.
The Superintendence of Banks shall issue the resolution to guarantee the participation of minority shareholders in the Board of Directors. However, this resolution is pending issuance. There are no legal restrictions for shareholders to become members of the Board of Directors; however, this may be regulated in the by-laws.
The General Shareholders' Meeting must take place at least once a year, by March 31st, for approving: 1. The reports of the Board of Directors; 2. The financial statements; 3. The profit sharing to the shareholders; 4. Submit to the public bodies the annual reports; 5. To appoint the internal and external auditors.
Every financial institution must have an internal and an external auditor, who must be qualified by the Superintendence of Banks. The internal auditor can only be an individual; the external auditor may be an individual or a legal person. The external auditors cannot be appointed for more than three (3) consecutive years by the same financial institution.
A report and qualification issued by an authorized Risk Rating Agency is also mandatory. This report must be issued on December 31st of each year, and will be reviewed on a quarterly basis.
(a) organisational requirements
In the case of an incorporated entity (DAC or PLC), its constitution sets out the rules governing the operation of the company. It defines the relationship between the company, its shareholders, directors and other officers of the company. The constitution determines the company’s objects and powers as well as internal regulation.
(b) corporate governance
The CBI’s Corporate Governance Requirements for Credit Institutions 2015 (CGR) sets out stringent corporate governance obligations which apply to credit institutions. Minimum core standards apply to all credit institutions in the interests of promoting effective governance with additional requirements imposed on credit institutions designated as ‘high impact’ by the CBI under its Probability Risk and Impact SysteM (PRISM).
The requirements set out in CGR include:
- boards must have at least five directors or, for credit institutions designated as high impact under PRISM, at least seven directors. Directors shall not participate in decision making where there is a potential conflict of interest;
- separating the chief executive officer (CEO) and chair role;
- the board shall oversee all committees. At a minimum audit and risk committees shall be established. The audit committee must have relevant financial experience and one member must have an ‘appropriate qualification’; and
- a credit institution subject to CGR must disclose this in its annual report and submit an annual compliance statement to the CBI.
The governance structure to be put in place by each credit institution must ensure that there is effective oversight of activities appropriate to the complexity of the activities of that credit institution. Each credit institution shall have a clear organisational structure with consistent lines of responsibility. The board sets the risk appetite for its institution and oversees compliance. The board retains primary responsibility for governance but senior management is responsible for implementing oversight in line with board policy. Credit institutions shall appoint a chief risk officer (CRO) with distinct responsibility for risk management and a risk committee must be established, other than where they are not designated as high impact under PRISM and the CBI agrees to another pre-approved control function.
CGR confirms that significant institutions designated as high impact under PRISM are subject to CRDIV requirements instead of CGR requirements. CRDIV applies additional rules in respect of:
(a) composition of the board;
(b) composition of the risk committee;
(c) establishment and composition of independent remuneration and nomination committees.
At any time, the institutions must ensure that:
- at least two people are in charge of effectively running the business;
- the nature and scope of the functions performed by persons effectively running the undertaking enable that person to have a comprehensive and in-depth view of the whole business and related risks;
- persons effectively running the undertaking comply with applicable regulatory requirements.
The appointment of a member of the supervisory body of a credit institution, finance company or investment firm must be notified to the ACPR, providing the information required for the authority to assess the fitness, propriety, knowledge, experience and availability of the person in question.
At any time, the institutions must ensure that the supervisory body is independent with respect to effective management. For this purpose, the general manager in charge of effectively running the business cannot also hold the function of chairman of the board of directors.
Important institutions must comprise several committees to assist the supervisory body as:
- the risks committee;
- the remuneration committee;
- the appointments committee;
- the audit committee.
In particular, the appointment of the persons called on to take charge of the effective running of the business of the institution must be notified to the ACPR, providing the information required for the authority to assess the fitness, propriety, knowledge, experience and availability of the concerned persons.
Banking institutions must adopt a strong governance package including:
- a clear organisation ensuring a defined, transparent and consistent division of responsibilities,
- effective procedures for the detection, management, monitoring and reporting of risks,
- an adequate internal control system,
- sound administrative and accounting procedures,
- remuneration policies and practices that enable and promote sound and effective risk management.
The Banking Act introduced for the first time a full set of binding corporate governance rules. Regarding a credit institution’s organization, Belgium opted for a dual system in which a clear division exists between the senior management of the institution and the supervision of this management. In practice, the statutory governing body (often the board of directors) holds the general responsibility for the credit institution while all residual management powers of this statutory governing body shall be transferred to the management committee, as far as allowed by law. Within the statutory governing body, four specialised committees have to be established to strengthen the internal audit function: a) an audit committee, b) a risk committee, c) a remuneration committee, and d) a nomination committee. Each of their members shall possess the necessary knowledge, expertise and experience. Non-significant banks are excluded from the obligation to establish a remuneration committee and a nomination committee.
CIA regulates the management and organisational structure of credit institutions and includes requirements for members of directing bodies and members of staff of credit institutions. Only the persons who have the necessary expertise, skills, experience, education, professional qualifications and an impeccable business reputation may be elected or appointed managers of a credit institution, parent financial holding company of a credit institution and mixed financial holding company. A person whose earlier activities have caused the bankruptcy or compulsory liquidation or revocation of the activity licence of a company cannot be elected or appointed manager of a credit institution.
The supervisory board of a credit institution is a directing body of the credit institution which plans the activities of the credit institution, gives instructions to the management board for organisation of the management of the credit institution, and supervises the activities of the credit institution and the activities of the management board in managing the credit institution. Meetings of the board shall be held when necessary but not less frequently than once every three months.
The management board of a credit institution is a directing body of the credit institution, which directs the day-to-day activities thereof pursuant to the strategies and general principles of activities approved by the supervisory board, and monitors the day-to-day activities of the members of staff of the credit institution.
The organisational structure and organisation of management of a credit institution have to ensure sound and prudent management of the credit institution, including separation of functions in the organisation and prevention of the conflict of interests.
A credit institution is required to provide for a risk management function if it is proportional to the nature, extent and level of complexity of the activities of the credit institution. In the absence of the risk management function the credit institution is required to prove that the risk management policy of the credit institution and the procedure of the implementation thereof are in compliance with the requirements provided for in the CIA and they are being implemented continuously and efficiently.
A credit institution or a company belonging to the consolidation group of a credit institution must have a constantly functioning internal control system which is proportionate to the nature, extent and level of complexity of their activity. It has to ensure the performance of the functions of risk management, adherence to the good practices of management of the association and internal audit.
Credit institutions must establish a rigorous corporate governance scheme. The board of directors determines, supervises and is held accountable for the implementation of corporate governance arrangements, ensuring the efficient and prudent management of the institution.
Depending on their significance in terms of size as well as range and complexity of activities undertaken, credit institutions may be under the obligation to establish internal governance committees, to assist the board of directors in discharging its above duties. Such committees include:
- the internal audit committee,
- the risk management committee, entrusted with monitoring risk, liquidity and capital incentives,
- the remunerations committee, which scrutinizes the compensation paid to the board of directors and remuneration policies,
- the nominations committee, which recommends candidates for the board of directors, and
- other ad hoc committees (e.g. IT security).
Credit institutions must also adopt a corporate governance code and designate a special section in their website, in which they publish all information that is relevant to ensuring compliance with corporate governance obligations and remuneration policies.
Pursuant to section 25a KWG, a credit institution needs to implement a business organisation that safeguards compliance with all applicable laws. In more detail, sentence 3 of section 25a KWG says: a proper business organisation shall comprise, in particular, appropriate and effective risk management on the basis of which an institution shall continuously safeguard its internal capital adequacy. Such risk management shall comprise, in particular:
- The definition of strategies, in particular the definition of a business strategy geared to the institution’s sustainable development and a risk strategy that is consistent therewith, as well as the establishment of processes for planning, implementing, assessing and adjusting the strategies.
- Processes for determining and safeguarding internal capital adequacy, which shall be based on a conservative determination of risks and of the available financial resources to cover these.
- The establishment of internal control mechanisms consisting of an internal control system and an internal audit function.
- Risk management that is geared to the nature, scope, complexity and riskiness of the institution's business activities.
- A proper business organisation also comprising (i) appropriate rules by means of which the institution’s financial situation can be gauged with sufficient accuracy at all times, and (ii) complete documentation of business operations permitting seamless monitoring by BaFin for its area of responsibility.
- A procedure which enables employees, whilst ensuring that their identity is kept confidential, to report to competent agencies breaches of Regulation (EU) No 575/2013 or of the KWG or of statutory orders issued on the basis of the KWG as well as any criminal actions committed within the undertaking.
- Processes for identifying, assessing, managing as well as monitoring and reporting risks in accordance with the criteria laid down in Title VII, Chapter 2 Section II Sub-Section 2 of Directive 2013/36/EU.
- A risk control function and a compliance function.
- Adequate staffing and technical and organisational resources.
- The definition of an adequate contingency plan, especially for IT systems.
BaFin has published a detailed catalogue of minimum requirements for the risk management of a credit institution that has to be followed.
Banks are subject to corporate governance requirements similar to other corporations, though the specific requirements applicable to a given bank depend on its charter. Banking organisations are required to establish and maintain internal policies and processes sufficient to identify, measure and assess potential operational, legal, compliance and financial risks, including without limitation, asset quality, earnings, liquidity, cash flow and other elements of capital and liquidity positions. Consolidated oversight and risk management on a company-wide basis is expected, though there are some limitations on the supervision or management of separate legal entities.
As stated in question 7 above, banks must be incorporated under the form of Corporations (Sociedad Anónima), Cooperative Associations (Asociaciones Cooperativas) or as a branch of a foreign financial institution in order to operate in Colombia. The main corporate bodies of the bank must be: a Shareholders General Assembly, a Board of Directors with a minimum of five (5) members and a maximum of ten (10) members, an auditor and a manager who needs to be previously authorized by the Superintendence of Finance to hold such position.
Also, a financial institution under surveillance of the Superintendence of Finance operating in Colombia must have a Compliance Officer designated by the Board of Directors, in accordance with Circular Letters 29 of 2014 and 55 of 2016. This means that regardless of the form under which a bank is incorporated (Corporation, Cooperative Association or branch), the institution must have a Compliance Officer. In addition to the above, when operating as a branch, the bank must appoint an authorized officer as the legal representative.
In accordance with article 220.127.116.11.1 of Decree 2555 of 2010, credit institutions, under which banks are categorized, must have a Financial Consumer Defender. The Financial Consumer Defender is responsible for mediating any controversies between the institution and a financial consumer.
It is relevant to note that, for the purpose of implementing good governance policies, designating an audit committee is viewed as a good practice. Financial institutions are invited to implement internal control mechanisms and good governance codes.
Corporate governance arrangements and guidance systems of Finnish credit institutions must be sufficient in relation to the quality, scale and diversity of the business operations in order to ensure effective and prudent management of the institution, including the segregation of duties in the organisation and the prevention of conflicts of interest. The organisational structure must:
- be well defined, transparent and consistent with lines of responsibility;
- provide effective processes to identify, manage, monitor and report the risks the institution is or might be exposed to;
- maintain adequate internal control mechanisms, including sound administration and accounting procedures; and
- maintain remuneration policies and practices that are consistent with and promote sound and effective risk management.
Members of the management body must at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties.
A credit institution must have a board of directors responsible for establishing an internal governance framework in the company. The board can set up various committees or other bodies to assist in fulfilling its tasks. The senior management, that is, the managing director and members of a management group, run the credit institution’s everyday operations. A management group is not a mandatory corporate body, but is recommended to assist the managing director. The management group can be either an advisory or a preparatory body.
The credit institution must be managed in a professional manner and in accordance with sound business practices. It must have an effective risk management system in order to avoid risks that could jeopardise the bank's capital adequacy or liquidity. In supervising the bank's corporate governance procedures, the FFSA currently pays particular attention to:
- the use of high professional and ethical standards in all business operations;
- the control and definition of the responsibilities and powers within the company, and the identification of conflicts of interest;
- the existence of a strategy and business plan, as approved by the board of directors;
- whether the management is competent, fit and proper, and reliable;
- the independence of the board of directors in evaluating the operations of the company and of the managing director and other management;
- the composition of the management;
- the existence of effectively arranged internal control and risk management;
- internal audit arrangements;
- compliance with external rules and regulations, and internal guidelines;
- the existence of a duly organised remuneration system that does not encourage undesirable behaviour;
- the appropriate amount of personnel;
- the management of customer assets and data storage in a reliable and safe manner; and
- the procedures for handling customer complaints.
Institutions that qualify as systemically important institutions must establish a remuneration committee and a nomination committee composed of members of the management body who do not perform any executive function in the institution concerned.
Corporate governance determines the allocation of authority and responsibilities by which the business and affairs of a bank are carried out by its board and senior management, including how they:
- set the bank’s strategy and objectives;
- select and oversee personnel;
- operate the bank’s business on a day-to-day basis;
- protect the interests of depositors, meet shareholder obligations, and take into account the interests of other recognised stakeholders;
- align corporate culture, corporate activities and behaviour with the expectation that the bank will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations; and
- establish control functions.