On 4 October 2010, the Basel Committee on Banking Supervision (“BCBS”) published a set of principles for enhancing corporate governance in banks (the “Principles”).1 The Principles are intended to provide targeted supervisory guidance. BCBS published initial guidance on corporate governance practices in 1999 and revised principles in 2006. BCBS launched a public consultation in March 2010,2 to address deficiencies which came to light since the financial crisis. The Principles should be considered in the context of the wider regulatory drive to strengthen corporate governance and restructure executive compensation practices for financial institutions.
Sound Corporate Governance Principles
BCBS’s guidance is designed both to reinforce basic governance principles and to identify good practices for implementing them.
Board’s overall responsibilities
Principle 1: The board has overall responsibility for the bank, including corporate governance and oversight of senior management. Responsibilities of the board include:
Ultimate responsibility for the bank’s business, risk strategy, and financial soundness, as well as its corporate governance and compensation system. Board members should exercise their “duty of care” and “duty of loyalty” to the bank under applicable national laws and supervisory standards. The board should review related party transactions to assess risk and attach appropriate restrictions.
Corporate values and code of conduct. The board should take the lead in setting professional standards and corporate values, including the avoidance of excessive risks, and communicate these throughout the bank.
Oversight of senior management.
Principle 2: Board members should be qualified for their positions, understand their role clearly, and exercise sound and objective judgment about the bank’s affairs. Members should be recruited from a sufficiently broad population and vetted for potential conflicts of interest to enable objective independent judgment. They should be provided with tailored ongoing education.
Board’s own practices and structure
Principle 3: The board should define appropriate governance practices for its own work and ensure that such practices are followed and continuously improved. The board should structure itself, in terms of size, meetings, and committees, to promote efficiency, in-depth reviews, and robust discussion of issues. The chairman of the board (“COB”) should provide effective leadership. Where the COB and chief executive officer (“CEO”) roles are vested in the same person, countervailing measures (e.g., appoint a lead board member or senior independent board member) should be implemented. An increasing number of banks require the COB to be a non-executive. Large or internationally active banks should have a risk committee to advise the board on overall risk strategy, including capital and liquidity. The risk committee should communicate with the risk management function and chief risk officer (“CRO”) (see Principle 6) and have access to external expert advice, particularly on strategic transactions. The board also should have a formal written conflicts of interest policy.
Principle 4: In a group structure, the parent company’s board has overall responsibility for corporate governance across the group.
Principle 5: Senior management should ensure that the bank’s activities are consistent with the business strategy, risk profile, and policies approved by the board. Management should promote accountability and transparency and implement proper risk management systems and internal controls (e.g., internal audit, compliance) (see Principles 6-7).
Risk Management and Internal Controls
Principle 6: Banks should have effective internal controls and a risk management function (including a CRO) with authority, independence, and access to the board. Internal controls should place checks on employee discretion and confirm the bank’s compliance with policies and procedures as well as laws and regulations. Large or internationally active banks should have an independent senior executive responsible for the risk management function (e.g., CRO). The risk management function should be independent of the business units, and encompass all risks, on- and off-balance sheet and at firmwide, portfolio, and business-line levels. The CRO should be distinct from other executive functions and not have responsibility for business operations. He should have direct access to the board and its risk committee.
Personnel and resources
Risk management personnel should be properly qualified, in market and product knowledge and risk disciplines. They must be capable of challenging the business lines on all aspects of risks arising from the bank’s activities. Adequate resources (e.g., personnel, information technology (“IT”) system) should be allocated to risk management and internal controls.
Principle 7: Risks should be monitored on a firmwide and individual entity basis and the risk management and internal control systems should be kept current.
Risk methodologies and activities
Banks should conduct forward-looking stress tests under various adverse scenarios, as well as back-test actual performance against risk estimates. A subsidiary bank’s portfolios should be stress-tested also on the potential risks to the parent. Internal risk measurements should include a qualitative assessment of risks relative to return and the external risk landscape. External assessments (e.g., credit rating, purchased risk models) can also be useful. There should be an approval process for new products and the risk management function should be actively involved in the due diligence for mergers and acquisitions. The bank’s treasury and finance functions should promote firmwide risk management through robust internal pricing of risk as well as financial controls. Business units should be accountable for managing risks arising from their own activities.
Principle 8: Effective risk management requires robust communication both across the organisation and through reporting to the board and senior management.
Principle 9: The board and senior management should effectively utilise the work of internal audit functions, external auditors, and internal control functions. The board and senior management are responsible for the financial statements and reporting. They should encourage internal auditors to adhere to national and international professional standards (e.g., Institute of Internal Auditors standards) and promote their independence. Non-executive board members should meet regularly with external auditors and the heads of internal audit and compliance.
Banks should implement the Financial Stability Board (“FSB”) Principles for Sound Compensation Practices and its Implementation Standards (the “FSB Principles”)4 or applicable national provisions that are consistent with the FSB Principles.
Principle 10: The board should actively oversee the compensation system and ensure that it operates as intended. Board members who are involved in the design and operation of the compensation system (e.g., the compensation committee) should be independent, non-executive members knowledgeable about such arrangements and the incentives and risks involved. Compensation of control functions (e.g., CRO, risk management) should be based on the achievement of their objectives without compromising their independence.
Principle 11: An employee’s compensation should be aligned with prudent risk-taking. Banks should align compensation with prudent risk-taking and adjust variable compensation to reflect all the risks an employee takes over a multi-year horizon (e.g., through deferred compensation arrangements with “claw-back” provisions). The mix of cash, equity, and other forms of compensation should be consistent with risk alignment. “Golden parachutes” (i.e., large payouts to terminated executives not based on performance) should be avoided. See our alert discussing incentive compensation practices for financial institutions, Incentive Compensation for Financial Institutions: Balancing Business Drivers and New Regulatory Oversight, which discusses a number of structuring alternatives that are consistent with the principles set forth in the BCBS consultative document on compensation.
Complex or Opaque Corporate Structures
Principle 12: The board and senior management should know the bank’s operational structure and the risks that it poses (i.e., “know-your-structure”). The board should set policies for establishing new entities or structures based on established criteria (e.g., regulatory, tax, financial reporting, governance) and avoid setting up unnecessarily complicated structures. When they establish business or product lines that do not match the legal entity structure (“matrix structures”), banks should ensure that all risks are captured and assessed on an individual entity and group-wide basis.
Principle 13: Where a bank operates non-transparent structures or in jurisdictions not meeting international banking standards, its board and senior management should understand and mitigate their risks (i.e., “understand-your-structure”). Operating in jurisdictions that are not transparent or compliant with international banking standards (e.g., prudential supervision, tax, anti-money laundering) or through complex or opaque structures (e.g., special purpose vehicles or trusts) may pose risks or impede business oversight. Moreover, providing certain services or structures for customers (e.g., company formation agent or trustee services, complex structured finance) may expose banks to indirect risks. The board and senior management should seek to mitigate such risks.
Disclosure and Transparency
Principle 14: The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders, and market participants.