New internal governance and risk management framework
The regulatory framework that applies to Credit Institutions is increasingly diverging from the one that applies to Investment Firms. Circular CSSF 20/758 on Central Administration, Internal Governance and Risk Management, published in December 2020, is addressed specifically to Investment Firms and replaces, for them, CSSF Circular 12/552.

The purpose of this Circular is to transpose several EBA (European Banking Authority) guidelines into the Luxembourg regulatory framework, in particular the EBA guidelines on internal governance (EBA/GL/2017/11) and the joint EBA-ESMA guidelines on the assessment of the suitability of members of the management body and key function holders (EBA/GL/2017/12).

As regards scope, the requirements for Credit Institutions and Investment Firms are no longer the same. Since separate frameworks have applied since January 2021, it is essential that Investment Firms act quickly to comply with the changes introduced by Circular 20/758, particularly because the updates concern internal governance and risk management, which are key areas of inspection by the CSSF.

Among other points, we want to draw your attention to four main aspects of the Circular:

1. Environmental, Social and Governance (ESG) factors become a key component of internal governance. Consequently, the identification of sustainability aspects and the related risks must be considered by the Board of Directors and be properly documented in the institution's business strategy.

2. Investment Firms must document their proportionality analysis in writing and have its conclusions approved by the Board of Directors. The Circular clarifies how this principle is to be applied, taking into account the following elements:

  • Legal form and financing structure of the institution,
  • Its business and risk model,
  • Its size and the nature and complexity of activities including geographic footprint, distribution channels and outsourced activities, and
  • The nature and condition of information systems and continuity plans.

3. Board of Directors: at least one member of the Board of Directors of a Capital Requirements Regulation (CRR) Investment Firm must be "independent", and institutions of significant importance must have a sufficient number of independent Board members. The Circular also requires greater diversity within the Board. The roles of authorised Director (authorised manager) and Chairman of the Board of Directors cannot be held by the same person, and the Chairman of the Board of Directors cannot be a member of the institution's staff.

4. The Circular recalls all outsourcing requirements (the outsourcing policy must, in particular, take into account the risk of concentration on a single supplier) and stresses the importance of complying with the Circulars on cloud computing (CSSF 17/654) and on ICT and security risk management (CSSF 20/750). It also stresses the need to comply with the GDPR.

How we can help

Grant Thornton provides regulatory watch services and on-site operational compliance support. Our team of experts in financial regulation, governance, GDPR, ESG and IT security supports Investment PFS with tailor-made, structured professional services to ensure their compliance.

For further guidance regarding Circular CSSF 20/758, please contact Gilles Millard.