Substantial governance-reform targets have been set for banks and investment firms by the CSSF. Some quick changes are required, but otherwise the regulator’s circular letter 20/759 seeks to drive long-term culture change on boards of directors regarding risk, diversity, and sustainability.
Combating group-think among decision makers, while building sensitivity to risk management and sustainability across financial institutions, is the ambitious goal of a new regulatory update by the Financial Sector Surveillance Commission (CSSF). The circular seeks to ensure that financial institutions take clear positions on risk and ESG sustainability, while increasing the diversity and independence of their boards of directors.
There are some new rules, most notably the requirement for at least one independent director. However, mostly this is soft regulation designed to nudge organisations to adopt ‘the correct tone from the top principle,’ noted Cecile Liegeois, banking regulatory advisory partner at PwC. ‘There needs to be evidence of boards and management being challenged,’ said Bertrand Parfait, risk advisory partner at Deloitte. ‘The CSSF expects to see minutes of these topics having been discussed, and they want to see policies, codes of governance, and so on, applied with a risk-oriented approach.’
Seeking culture change
‘One of the most important circular letters,’ is how CSSF CEO Claude Marx described this reform of Circular 12/552. It relates to the central administration, internal governance and risk management of banks and investment companies: businesses defined as ‘Mifid firms’ under EU regulation. This includes financial holding companies and depositary banks, but excludes the likes of fund administration, transfer agents and the like. The broad approach is to align Luxembourg regulation with European Banking Authority guidelines and terminology.
Running through the circular are moves to strengthen a ‘general culture of risk and compliance’, which must be ‘strong and omnipresent.’ There is greater definition and strengthening of the role of corporate governance supervisory bodies (normally the board of directors) regarding internal governance and risk management. The principle of proportionality is reinforced, meaning the complexity and the size of the bank or organisation must be taken into account regarding internal governance and risk management obligations.
ESG risks
For the management of risk, clear definitions of risk appetite are required across the business. There is clearer guidance on risk management, concentration risk and credit risk, with specific rules for the likes of sub-custodians. Initial and ongoing due diligence will be required. ‘Risk culture needs to be omnipresent and promoted by the board,’ said Liegeois. ‘Understanding the risks and the time board members must spend monitoring these is key,’ she added.
For the first time, environmental, social and governance sustainability risks must be assessed when setting strategy. ‘It is important that institutions clearly document their risk appetite framework in line with their business model,’ said Parfait. The board also has new responsibilities to set principles on ethics and corporate values, while managing conflicts of interest. Also mentioned is the need to move towards board ‘diversity’ in terms of age, gender, geography, background, education and so on. There is also a new requirement to train board members on the structure, business model and risk profile of the company.
Independent board member
A major step up is that all banks and investment firms are now required to have at least one independent board member, with larger, more complex institutions needing a ‘sufficient’ number. In addition, the board risk committee of ‘significant’ banks must have a majority of independent members, including its chairperson. A two-page annex to the circular describes what is meant by ‘independent’. The objectives and responsibilities of each board member also need to be well documented.
As for executive functions, appointments and revocations of the heads of risk, compliance and internal audit will require prior board approval. The chief risk officer will be given increased support to challenge management decisions. For significant institutions, there are new rules on the procedures for the appointment and dismissal of the CFO, including the board’s role in this.
How to become compliant
So how and when should these changes be made? Legally speaking, boards should have been compliant from 1 January, but the CSSF is likely to be lenient if it can see a direction of travel. ‘In the short term, launch a gap assessment, paying particular attention to internal governance and the supervisory function of the management body, and identify the mitigation actions to be taken,’ recommends Anne-Sophie Minaldo, partner and head of regulatory services, KPMG Luxembourg.
The next phase is about embedding a risk and compliance culture across the organisation. Then, in the first half of next year, boards will be able to ‘assess the performance of the management body in a structured and documented way, measuring the level of compliance against specific indicators,’ Minaldo said.
Regarding the drive for diversity, there is recognition that this is a challenge. ‘We shouldn’t expect a revolution, but a sustained, long-term evolution. Boards will continue to perform their duties and will have to adapt progressively,’ says Parfait.
The first step though is for directors and managers to read the new circular. Many of the ideas are not new, but important details have been added and enhanced.