Internal governance improvements for banks and PFS

The current pandemic’s unprecedented impact on the global economy reminds us that trust in the financial system’s reliability is crucial for its proper functioning—and a prerequisite for it to contribute to the economy as a whole.



Bertrand Parfait - Partner - Risk Advisory - Deloitte

Julien Wolff - Director - Risk Advisory - Deloitte

Published on 18 February 2021



The Commission de Surveillance du Secteur Financier (CSSF) recently updated its circular 12/552 on internal governance and risk management by means of circulars 20/758 and 20/759, which apply respectively to investment firms and to professionals performing lending operations (including credit institutions). This update incorporates the European Banking Authority (EBA) guidelines on internal governance, as well as the regulatory requirements of the Capital Requirements Regulation (CRR).

In an economic landscape shaken by the current COVID-19 crisis, sound governance, internal control and risk management arrangements are more than ever key for institutions to understand, anticipate and address the financial and operational (including non-financial) risks resulting from this unexpected situation. This requires institutions to implement robust central administration, internal governance and risk management arrangements that ensure the sound execution of their business models, while remaining within a risk appetite tailored to the institution's strategy and environment.

This pandemic allows market players to test the soundness of their governance and internal control systems and, if needed, to review and enhance some arrangements in the context of the new circular. Circular CSSF 20/759 now applies to financial holding companies and mixed financial holding companies, as well as to groups with a head office located in Luxembourg. The principle of proportionality is clarified according to the institution's level of complexity. The management body must ensure that the analysis of how this principle is applied is effective and documented, and must validate it in light of the institution's activities, volume and complexity so as to ensure sound and prudent monitoring of its risks. The circular now explicitly refers to European regulations (including the Single Supervisory Mechanism framework) and is aligned with EBA publications and the common terminology of the European Central Bank. In this context, the management body is split into a supervisory function (board of directors or supervisory board) and a management function (authorized management or management board).

Management body

On the one hand, the management body's supervisory function must define the strategy and guiding principles that support the internal governance arrangements and the monitoring and management of the inherent risks arising from the business model. The supervisory function should consist of people with the required diversity, skills and independence, who demonstrate commitment, availability, objectivity and critical thinking, and who have a clear view of their duties and responsibilities. The supervisory function must regularly assess the operating effectiveness of the internal governance arrangements. In this context, the topics discussed, the debates held and the decisions taken should be adequately documented in the minutes.

The principles of independence of mind and availability must also be continuously assessed in order to identify and monitor any potential conflicts of interest. Members of the supervisory body must remain fully qualified throughout their mandate to fulfill their duties and manage the inherent risks linked to the organization's activities. The supervisory board may, where not already required by law, and generally will, be supported in its tasks by specialized committees. On the other hand, the management body's management function must implement and deploy the business strategy and guidance established by the supervisory function. The management function should pay particular attention to conduct risk and the related reputational risks.

This should be, of course, in line with the risk and compliance culture that the supervisory function infuses throughout the organization to ensure sound and appropriate business conduct, including a special focus on conflict of interest, non-performing loans, and forborne exposures. In this context, institutions must develop and implement guiding principles (including aspects relating to ethics, corporate values and management of conflicts of interest), strategies, risk appetite framework, policies and procedures that support "the development and maintenance of a sustainable business model"1, which also includes environmental, social and governance (ESG) factors and complies with the diversity principle.

Three lines of defense model

The three lines of defense model remains the "must-have" internal control framework. Its robustness depends on several factors, including:

1) A well-structured management information system;
2) A sound and well-applied permanent control framework;
3) Risk and compliance functions that effectively play their role as second line of defense; and
4) An internal audit function with the necessary skills to assess the quality and robustness of the entire model.

This model integrates a solid risk management framework that covers all of the institution's activities and risks, such as credit risk (including non-performing and restructured exposures), concentration risk, information and communications technology (ICT) risk, money laundering/terrorism financing (ML/FT) risk, financial assets under custody, etc.

Specific requirements

  • Avoiding opacity in the monitoring of complex, non-transparent or unusual activities remains an important topic.
  • Conflicts of interest are a sensitive subject and shall be addressed through a dedicated policy covering all types of conflicts for "economic, personal, professional or political purposes"2, applicable to the entire staff, including the management bodies.
  • The approval process for new products and activities should be effective and involve all relevant departments in order to manage the related risks and operational constraints. Institutions must have the technical and human infrastructure to manage innovation appropriately.

  • Outsourcing remains a point of attention, in line with EBA guidelines. This must be duly documented in a policy for both material and non-material activities. Institutions must also deploy a specific framework dealing with information technology (IT) outsourcing.


1 Circular CSSF 20/759 – Point 11
2 Circular CSSF 20/759 – Point 165


Internal governance arrangements remain a key regulatory topic. Specific domains of importance that institutions must regularly review and challenge are a sustainable business model, a well-structured risk appetite framework, a robust three lines of defense model, and strong management body oversight. This new circular is an opportunity for market players to re-assess their internal governance model’s compliance and soundness in the light of new concepts such as diversity, complete risk appetite frameworks, and ESG factors.
