The Basel Committee of the Bank for International Settlements (BIS), whose standards for the prudential supervision of banks are applied worldwide, recently published its revised Corporate Governance Principles. Although not legally binding, the Principles are important reference points for legislators and regulators. The revision emphasises the critical importance of effective corporate governance for the safe and sound functioning of banks and stresses the importance of risk governance as part of a bank's overall corporate governance framework. In particular, the revision was intended to increase the collective oversight and risk governance responsibilities of the board of directors (in a one-tier governance structure) or the supervisory board (in a two-tier governance structure) by means of, among other things, the "three lines of defence" model.


The Corporate Governance Principles were drawn up in 1998 by representatives of the central banks affiliated with BIS and were previously revised in 2006 and 2010. After a public consultation procedure (October 2014 - January 2015), the third revision was published on 8 July 2015.

The revised Corporate Governance Principles are part of a broader trend towards an increased focus on the governance of financial institutions. This is one of the pillars of CRR/CRD IV, the European project which as at 1 January 2014 raised the Basel III agreements to the level of legislation. In the Netherlands this subject is also prominent on the political and public agenda, even apart from the implementation of the European rules just mentioned. This is evidenced by the amendments in the Dutch Banking Code, effective 1 January 2015 (this is a code of conduct adopted by the Dutch Banking Association and applicable to banks in the Netherlands). It should be noted that the Minister of Finance has proposed that the obligation to include a statement in the bank's annual reports regarding compliance with the Code be abolished because of, among other things, the high degree of compliance with the Code.

Below we will analyse a number of important themes in the revised Principles to the extent they are relevant in the Dutch context.

Corporate governance

The revised Corporate Governance Principles reiterate the importance of effective corporate governance to the proper functioning of the banking sector and the economy as a whole. New in comparison to the previous version (and the consultation version) is the description of the primary objective of corporate governance:

"The primary objective of corporate governance should be safeguarding stakeholders’ interest in conformity with public interest on a sustainable basis. Among stakeholders, particularly with respect to retail banks, shareholders’ interest would be secondary to depositors' interest."

The Principles were inspired by the OECD's corporate governance principles, which are not directed specifically at banks. A revised version of the OECD principles, endorsed by the G20, was published on 5 September 2015.

Risk governance and the "three lines of defence" model

One of the main goals of the revised Corporate Governance Principles is to strengthen the risk governance of banks. Borrowing the definition formulated by the Financial Stability Board (FSB), the Principles define "risk governance framework" as:

"the framework through which the board and management establish and make decisions about the bank’s strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the bank’s strategy; and identify, measure, manage and control risks."

The revised Principles assign a central role to the "three lines of defence" model. This is not surprising because it has been the leading model used by supervisors around the world for some time, as the Basel Committee concluded in its 2011 publication "Principles of the Sound Management of Operational Risk". In connection with the revision of these Principles an extensive compliance investigation was carried out in 2014 into the degree of compliance with the "three lines of defence" model. It would appear that not all of the findings and recommendations of that investigation have been incorporated in the revised Principles; at least for the time being there are thus multiple sources that should be consulted.

The first line of defence is the business line, which bears the primary responsibility for risks and their control. This line of defence is more or less ignored in the Principles; it is also on the outer limits of what can be called corporate governance.

The situation is different for the second line of defence, the risk management and compliance function. New in the Principles is the obligation to appoint a chief risk officer (CRO), or group CRO (Principle 6), although in the guidelines elaborating on the Principles this obligation seems to be made dependent on, among other things, the relevant bank's risk profile. The description of the risk management and compliance function has been significantly expanded and attention has been given to safeguarding its independence, a point that is often wrestled with in practice.

In response to reactions received in the consultation phase, the Basel Committee has given more concrete guidance in two situations. The first is where employees are rotated between business line and risk management roles. Although it is acknowledged that this practice can have several benefits, the revised Principles provide that risk managers should not be charged with overseeing activities for which they previously held management responsibility or participated in strategic business decision-making. The second situation involves the risk that a CRO who sits on the bank's credit committee and voted to approve a credit can be placed in a conflicted position if that credit subsequently becomes problematic; the Basel Committee points out that it could be better to provide the CRO with veto authority only (as opposed to approval authority) in such situations.

With respect to the third line of defence, the internal audit function (IAD), the board's responsibility is increased, among other things with regard to respecting and furthering the independence of that function and increasing its effectiveness. The importance of this final line of defence within the model is underlined by the requirement — introduced only after the consultation phase — that if the chief audit executive is removed from his or her position, this should be disclosed publicly and the bank should discuss the reasons for such removal with its supervisor.

The Dutch Central Bank (DNB) also keeps a close eye on risk governance. The new Principles will presumably cause risk governance to once again be placed on the agenda for the dialogue with the market.

Structure and practices of the board

Naturally, the revised Corporate Governance Principles devote a lot of attention to the structure and practices of the board, both classic corporate governance themes. As far as the terminology is concerned, the revised Principles are strongly oriented towards a one-tier board system but also apply in other governance structures. The necessary translation exercise can give rise to interpretation problems.

The revised Principles provide that the board should consist of a sufficient number of independent members; the 2010 version merely stated that independence could be achieved by including a sufficient number of non-executive members. In addition, the chair should be an independent or non-executive member and should not chair a committee (compare the Dutch Corporate Governance Code at III.5.6. and III.5.11).

With regard to board committees, the revised Principles again make a distinction based on size, although using different categories compared to the 2010 text. Banks that are "systemically important" (presumably within the meaning of CRD IV and the further EBA guidance) should establish an audit committee, risk committee and remuneration committee. For other banks these committees are strongly recommended, depending on the size, risk profile and complexity. The status of the nomination committee remains somewhat ambivalent; it ("or its equivalent") is both prescribed and recommended at the same time. With respect to all committees, their duties have been expanded and there are additional rules on composition and membership.

Finally, the board is clearly expected to make a greater effort to evaluate the structure, size and composition of the board and the various committees, the suitability of individual board members (also in view of their functioning on the board) and the governance effectiveness as a whole, and to make any necessary adjustments.


Not surprisingly, the relationship between remuneration and risks is an important subject in the revised Corporate Governance Principles, as it was in the earlier versions. "Systemically important banks" should have a board compensation committee, "relevant banks" are subject to increased disclosure obligations regarding remuneration and the obligation to review the remuneration policy has been expanded to include the remuneration plans, processes and outcomes. The relatively strict rules on the granting of variable remuneration have been scrapped but in the meantime have been replaced by legislative rules: at EU level the CRD IV and in the Netherlands the Financial Undertakings (Remuneration Policy) Act (Wet beloningsbeleid financiële ondernemingen) and the Restrained Remuneration Policy Regulations (Financial Supervision Act) 2014 (Regeling beheerst beloningsbeleid Wft 2014).


An interesting aspect of the revised Corporate Governance Principles is the role assigned to supervisors and in particular their role in assessing governance effectiveness, an assessment based in large part on behaviour and culture. Evidently, the Basel Committee sees no further role in this for shareholders; it was previously up to them, together with the supervisor(s), to hold the board responsible for good governance practices. Under other noteworthy provisions, supervisors are expected to be particularly mindful of consistency of treatment across the banks they supervise and to ensure that their own employees have the skills necessary to make the judgements involved in assessing governance effectiveness.

An entirely new section is devoted to the interaction of supervisors with a bank's board, individual board members, senior management and those responsible for its risk management, compliance and internal audit functions. The frequency of this interaction may vary according to, among other things, the relevant bank's size, complexity, structure, economic significance and/or risk profile, its decision-making hierarchy and of course the circumstances of the case. The aim of these rules is to promote a timely and open dialogue on issues such as the bank's strategy, business model and risks, governance effectiveness, culture, management, succession, remuneration and incentives.

Finally, the revised Principles provide that supervisors should provide insights to a bank on its operations relative to its peers, market developments and emerging systemic risks; in the consultation version this was raised as a mere possibility.

