CSSF updates corporate governance requirements for credit institutions

In this note, we look at implications of the Luxembourg regulator’s update to its Circular 12/552 on corporate governance for credit institutions.

23 July 2021

Publication

On 7 December 2020, the Luxembourg regulator, the CSSF, published a major update to its Circular 12/552 (the Circular) on central administration, internal governance, and risk management. The requirements are founded on the principle of proportionality and relate notably to independence and diversity, ESG factors and introducing a "risk culture" with more responsibility for the CRO.

Compliance with these requirements has been required since January 2021 and must be documented in the annual report submitted to the CSSF.

What does it mean for Luxembourg banks?

An internal review of the policies, procedures and risk management practice will need to have taken place, or in some cases, must still be done. The diversity and ESG factor requirements were in many cases already implemented by the players, evidencing their understanding of how the market is developing. However, for those who had left this to one side whilst dealing with other priorities, this needs to be brought back to the top of the to-do list. It is clear that there is a focus on finding key people able to fulfil the criteria of knowledge, skills and experience, and with the obligation to appoint independent directors, Luxembourg will undoubtedly become an even more competitive market.

In this article, we focus on the key changes introduced to the Circular by CSSF Circular 20/759, which entered into force on 1 January 2021. The amendments reflect the most recent thinking on corporate governance best practices and ensure the comprehensive transposition of six different sets of EBA guidelines, most notably the EBA's guidelines on internal governance and the joint ESMA/EBA guidelines on the assessment of suitability of members of the management body and key function holders.

The amendments also reinforce existing governance requirements applicable at all levels of the covered entities. It will be important for supervised entities in scope to review the requirements in detail.

Scope of application

The Circular as most recently amended by Circular CSSF 20/759 applies in its entirety to

  • credit institutions incorporated under Luxembourg law (including their branches),

  • Luxembourg branches of credit institutions authorised in another Member State and

  • Luxembourg branches of third-country credit institutions

on an individual, sub-consolidated and consolidated basis, as well as in part to professionals performing lending operations, as defined in Article 28-4 of the Law of 5 April 1993 on the financial sector (LFS).

In addition, significant institutions (as defined under Article 59-3 of the LFS) are subject to the Circular, since European Central Bank (ECB) governance is a topic addressed in the Capital Requirements Directive (CRD).

With respect to banks qualifying as less significant institutions (as defined in the Single Supervisory Mechanism Framework Regulation) which fall under the remit of the CSSF's supervision, it was specified in a 9 February 2021 Q&A of the ABBL Webinar dedicated to the Circular (the Q&A) that the CSSF will accept a tolerance period of a maximum of one year with respect to the amendments made to the Circular.

The Circular does not apply to investment firms. The CSSF decided to distinguish regulatory requirements applicable to investment firms on one hand through Circular 20/758, and credit institutions and professionals performing lending operations on the other through Circular 20/759. This split is justified by the increasing divergence between the regulatory frameworks applicable to credit institutions versus investment firms, as evidenced by the forthcoming application of the Investment Firm Directive and Regulation (IFR/IFD) which will introduce a dedicated prudential regime for investment firms, departing from the CRD and the Capital Requirements Regulation (CRR) framework. In addition, the scope of the Circular was extended to cover financial holding companies and mixed financial holding companies.

Principle of proportionality

The new rules implemented in the Circular reinforce the principle of proportionality by linking it to the notion of 'systemic institutions' within the meaning of the LFS. This means that the size, nature and complexity of an institution's activities (including the type of clients, the complexity of the products/contracts, its organisational and operational structure as well as its information technology and continuity systems) are to be taken into consideration in defining the robustness of the rules it needs to put in place regarding central administration, internal governance and risk management arrangements. Specific factors to be taken into account include the legal form of the institution, its ownership and funding structure and its business model and risk strategy. In addition, institutions must document their proportionality analysis in writing and have their conclusions approved by the Supervisory Body (as defined below).

The Supervisory Body - setting the tone from the top

In the Circular, the notion of a board of directors is replaced by that of the management body in its supervisory function (the Supervisory Body) and the management body in its management function (the Authorised Management).

The Supervisory Body must set the "tone from the top" and it is for the Authorised Management to ensure implementation of the strategies and compliance with the internal written policies and procedures. The Supervisory Body must approve guiding principles relating to, among other things, remuneration policy, professional conduct, corporate values and management of conflicts of interest.

To this end, measures such as specific initiation to understand the institution's structure, business model, risk profile and governance arrangements as well as vocational training must be put in place to ensure that its members remain qualified throughout their mandate. While the CVs of the management of credit institutions have always been scrutinised by the CSSF, there is a strict requirement to assess the suitability of members to demonstrate their skills level, knowledge and experience to perform their duties, both individually and collectively.

In addition, the Supervisory Body's organisation and functioning as well as the objectives and responsibilities of each of its members must now be documented in writing and decisions documented by way of minutes. This is something which will have frequently been done in practice but the requirement to document compliance with the requirements is important, especially in case of CSSF inspections. In accordance with the principle of proportionality, significant institutions must put in place an audit, risk, nomination and remuneration committee, whereas less significant institutions may put in place dedicated committees combining different areas of responsibility.

Criteria of independence and diversity

The Circular imposes significant changes when it comes to the composition of the Supervisory Body and requirements of diversity and independence. It emphasises that, in line with good practice, each institution should appoint at least one independent member to its Supervisory Body.

Significant institutions whose shares are admitted to trading on a regulated market (within the meaning of MiFID) must have a sufficient number of independent members in their Supervisory Body, including the chairperson. It is down to each institution to assess and determine what the appropriate number will be in light of its size. Moreover, the Supervisory Body must now have written procedures for appointments and succession based on the principles of non-discrimination and equal opportunity and must take into consideration aspects such as age, gender, geographical origin and educational/professional background. Significant institutions must set quantitative objectives and must document their compliance with the set goals on an annual basis.

Risk management framework

Another important new aspect which the Circular reinforces is the concept of 'general culture of risk and compliance' in the context of internal governance arrangements, while it introduces the notion of risk appetite when business orientations and capacities are being defined. In particular, the Circular provides that the CRO may be entitled to a veto right against management decisions.

Moreover, regarding the approval of an institution's business model, the Circular speaks for the first time of a 'sustainable' business model, requiring that account be taken of all material risks, including environmental, social and governance risks to ensure its viability. The CSSF Q&A explains that ESG risks must be accounted for in an institution's risk management frameworks when they impact financial stability. Furthermore, the CSSF stressed that the enhanced sustainability test under MiFID and transparency rules under the SFDR must be complied with.

The Circular states that

"the institutions shall put in place an institution-wide risk management framework, which covers all their activities and operational units and allows for control over all the risks to which the institution is or may be exposed, including concentration risks and credit risk, risks associated with the custody of financial assets by third parties, as well as private wealth management which is especially exposed to money laundering and terrorist financing risks".

In addition, the Circular provides for enhanced say by Luxembourg parent undertakings over control functions in the subsidiaries and branches of Luxembourg banks. Luxembourg parent undertakings must now ensure that effective arrangements are in place throughout their subgroup, extending beyond the perimeter of consolidation as per CRR where necessary.

Internal control functions and new product approval

The Circular also clarifies certain rules regarding internal control functions, which are divided into the risk control function, the compliance function, and the internal audit function. In particular, in relation to the partial or full outsourcing of internal audit 'operational tasks', the CSSF has clarified that the management body is expected to remain actively involved in the definition of the internal audit plan and in the oversight of internal audit plan execution.

Finally, the Circular enhances the 'new product approval process' in that its scope is extended to cover "the development of new activities in terms of products, services, markets, systems and processes or clientele, as well as material changes and exceptional transactions". Furthermore, it is specified that new products must remain consistent with the risk appetite of the institution.
