EBA Guidelines on Internal Governance – Overview and Summary of Requirements

The new guidelines are organized into the following sections:

A) Corporate Structure and Organization

The management body of an institution should ensure a suitable and transparent corporate structure
The management body should assess how the various elements of the corporate structure complement and interact with each other.
In a group structure, the management body of an institution's parent company should have the complete responsibility for adequate internal governance across the group.
The management body should ensure that the operational structure of the institution is in line with its approved business strategy and risk profile.
In institutions that operate through special-purpose structures or in jurisdictions that do not meet international banking standards, the management body should understand their purpose and structure and the particular risks associated with them. The management should take sufficient steps to mitigate the risks of such activities.

B) Management Body

The management body should have the overall responsibility for the institution and the responsibilities should be clearly defined in a written document and approved.
Management should conduct an annual review of the effectiveness of the internal governance framework and its implementation.
The management body should have an appropriate composition and policies for selecting, monitoring and planning the succession of its members.
Members of the management body should engage actively in the business of institution and should be able to make their own sound, objective and independent decisions and judgements.
The management body should have a written policy on managing conflicts of interests for its members.
The management body in its supervisory function should consider, taking into account the size and complexity of an institution, setting up specialized committees comprising members of the management body.
These can include an audit committee, a risk committee, a remuneration committee, a nomination or human resources committee and/or a governance/ethics/compliance committee.

C) Risk Management

An institution should develop an integrated and institution-wide risk culture based on a full understanding of the risks it faces and how they are managed, taking into account its risk tolerance.
An institution's overall remuneration policy should be in line with its values, business strategy, and risk tolerance.
Regular and transparent reporting mechanisms should be established so that the management body is provided with reports in a timely, accurate, and meaningful manner.

D) Internal Control

An institution should maintain a strong and comprehensive internal control framework, including specific independent control functions with appropriate standing to fulfil their mission.
There should be a comprehensive Risk Control Function and a Chief Risk Officer to ensure that each key risk the institution faces is identified and properly managed by the relevant units and reports are submitted to the management body.

E) Information systems and business continuity

An institution should have effective and reliable information and communication systems covering all its significant activities.
These systems should be secure, independently monitored and supported by adequate contingency arrangements.
The institution should also establish a sound business continuity management to ensure its ability to operate on an on-going basis and limit losses in the event of severe business disruption.

F) Transparency

Strategies and policies concerning internal governance should be communicated to all staff in the institution.
The internal governance framework of an institution should be transparent and institution should present its current position and future prospects in a balanced, accurate and timely way.

Additional Resources