Key issues of the guidelines on corporate governance principles for banks:
Within the Capital Requirements Directive IV (CRD IV) (Directive 2013/36/EU) the European Legislator stipulates its ideas on guidelines for corporate governance principles for institutions covered by article 3 CRD IV. In recital 54 CRD IV the legislator states: "In order to address the potentially detrimental effect of poorly designed corporate governance arrangements on the sound management of risk, Member States should introduce principles and standards to ensure effective oversight by the management body, promote a sound risk culture at all levels of credit institutions and investment firms and enable competent authorities to monitor the adequacy of internal governance arrangements. Those principles and standards should apply taking into account the nature, scale and complexity of institutions' activities. Member States should be able to impose corporate governance principles and standards additional to those required by this Directive."
In response to recital 54 CRD IV the Financial Stability Board ("FSB") published its "Guidance on Supervisory Interaction with Financial Institutions on Risk Culture" in April 2014. In July 2015, the Basel Committee on Banking Supervision ("BCBS") published its "Guidelines on Corporate Governance Principles for Banks".
In conjunction with the FSB guidelines, the BCBS' corporate governance principles define the term risk culture: "A bank's norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume."
1. Three lines of defence:
According to this definition, the BCBS has developed the idea that every obliged entity should increase its focus on developing three "lines of defence" to implement a functioning internal risk culture:
The first "line of defence" is the business line, which shall have "ownership" of the risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities.
The second "line of defence" consists of the risk management and compliance functions, which are responsible for identifying, measuring, monitoring and reporting risk on an enterprise-wide basis.
The third "line of defence" is the internal audit, which has to conduct risk-based and general audits and reviews to provide assurance to the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied.
2. 13 principles:
In order to implement and realise these three lines of defence, BCBS has identified 13 principles that can support a satisfactory risk culture:
- Board's overall responsibilities
- Board qualifications and composition
- Board's own structure and practices
- Senior management
- Governance of group structures
- Risk management function
- Risk identification, monitoring and control
- Risk communication
- Internal audit
- Disclosure and transparency
- The role of supervisors
According to BCBS, these 13 principles can be incorporated into four main indications of a healthy risk culture: tone at the top, accountability, effective communication and challenge, incentives.
a) Tone at the top:
The term "tone at the top" describes the behaviour of the management, e.g. the board and management members.
The board should set the "tone at the top" and oversee management's role in fostering and maintaining a sound corporate risk culture. Management should develop a written code of ethics or a code of conduct. Either code is intended to foster a culture of honesty and accountability to protect the interests of its customers and shareholders.
Additionally, senior management should contribute substantially to a bank's sound corporate governance through personal conduct. They should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board.
b) Accountability
The senior management and every employee of the institution should be responsible for complying with the rules set out by the board and senior management. Everybody is charged with observing those rules. Every person in a bank has to act consistently with the business strategy, the risk appetite, and the remuneration and other policies set out by the board or senior management.
Every single employee has to be aware of the consequences that will arise if they do not observe the rules: they may have to accept shortening of margins, warnings, or even termination of their contracts.
c) Effective communication and challenge
To maintain the envisaged risk culture within the institution, the board and the senior management have to ensure that there is the necessary transparency and communication across all hierarchical levels at all times. Employees should have the chance to communicate their observations of possible breaches of the risk culture without consequences.
d) Incentives
Remuneration systems form a key component of the governance and incentive structure through which the board and senior management may promote good performance, convey acceptable risk-taking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity.
3. Jurisdictional implementation
The effective implementation of these corporate governance principles requires relevant legal, regulatory and institutional frameworks. Nevertheless, the guidelines intend to guide the actions of board members, senior managers, control function heads and supervisors of a diverse range of banks in a number of countries with varying legal and regulatory systems. There are significant differences in the legislative and regulatory frameworks across countries which may restrict the application of certain principles or provisions therein. Therefore, the BCBS recommends that each jurisdiction apply the provisions as the national authorities see fit. In some cases, this may involve legal changes. In other cases, a principle may require slight modification in order to be implemented.
In Germany, some of these corporate governance principles have already been implemented into German law.
Primarily, section 25a German Banking Act (Kreditwesengesetz (KWG)) addresses special organisational duties in relation to the institutions to which the KWG applies (e.g. credit institutions and financial services institutions). Section 25a (1) KWG stipulates that an institution must have a proper business organisation which ensures compliance with the legal provisions to be adhered to by the institution. The managing directors are responsible for the proper business organisation of the institution and must take the necessary measures for developing the respective institution-specific requirements. According to section 25a (1) KWG, a proper business organisation must comprise, in particular, an appropriate and effective risk management on the basis of which an institution must continuously ensure its risk tolerance.
Secondly, sections 25c and 25d KWG extend such duties to the managing directors and the supervisory body of an institution: the managing directors of an institution must be professionally qualified and reliable and devote sufficient time to the performance of their duties. The members of the management have to have adequate theoretical and practical knowledge of the business concerned as well as managerial experience. Section 25c KWG also states that with a view to their overall responsibility for the proper business organisation of the institution according to section 25a KWG, the managing directors of an institution have to ensure that the institution has the statutory strategies, processes, procedures, functions and concepts in place. According to section 25d KWG the members of the administrative or supervisory body must be reliable, have the expertise required for exercising the control function and for assessing and supervising the business conducted by the institution and devote sufficient time to the performance of their duties.
Additionally, BaFin is planning to import some ideas of the BCBS into German regulatory law by extending the requirements set out in the "Minimum requirements for Risk Management".