2014-12-15

Regulations amending governance, risk management and control at credit institutions

Finansinspektionen issued regulations amending its guidelines on governance, risk management, and control for credit institutions to align with EU directives. The rules mandate the establishment of risk committees for significant institutions, require comprehensive recovery plans, and impose strict due diligence and monitoring obligations for material outsourcing arrangements. Additionally, the amendments introduce new requirements for board member training, diversity policies, and enhanced internal audit and control function reporting.


Sweden

Finansinspektionen


Finansinspektionen’s Regulatory Code
Publisher: Finansinspektionen, Sweden, www.fi.se
ISSN 1102-7460
This translation is furnished for information purposes only and is not itself a legal document.

Regulations amending Finansinspektionen’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions;

decided on 26 June 2014.

Finansinspektionen prescribes¹ pursuant to Chapter 5, section 2, points 5 and 6 of the Banking and Financing Business Ordinance (2004:329) in respect of Finansinspektionen’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions in part that current Chapter 10, section 2 shall be designated Chapter 10, section 2 a, in part that Chapter 1, sections 1 and 3, Chapter 2, sections 6 and 10, Chapter 4, section 5, Chapter 5, section 5, Chapter 6, section 7, Chapter 9, section 5 and Chapter 10, sections 5, 7 and 9 shall have the following wording, in part that nine new sections, Chapter 2, sections 12–14, Chapter 5, sections 12–16 and Chapter 10, section 2 shall be inserted and shall have the following wording, and new headings immediately preceding Chapter 5, sections 12 and 13 shall have the following wording:

Chapter 1

Section 1 These regulations apply to the following undertakings:

  1. banking companies,
  2. savings banks,
  3. members’ banks,
  4. credit market companies, and
  5. credit market associations.

The regulations shall also apply to the securities operations of such undertakings.

The regulations shall, in accordance with what is set forth in Chapter 3, section 4 of the Special Supervision of Credit Institutions and Investment Firms Act (2014:968), be applied at group or subgroup level.

Section 3 In these regulations and general guidelines, terms and expressions shall have the following meaning:

¹ Cf. Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338, Celex 32013L0036).

FFFS 2014:30
Published on 9 July 2014


  1. EEA: European Economic Area
  2. Remuneration committee: The same as in Finansinspektionen’s regulations (FFFS 2011:1) regarding remuneration systems in credit institutions, investment firms and fund management companies licensed to conduct discretionary portfolio management.
  3. Function: a unit or a department comprising one person or several people upon whom it is incumbent to perform one or several tasks within the operations.
  4. Capital Requirements Regulation: Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012.
  5. Internal rules: policy and governance documents, guidelines, instructions or other written documents through which an undertaking governs its operations.
  6. Control function: a function for risk management, compliance or internal audit.
  7. Limit: an established limit for risk exposure pertaining to e.g. a specific customer, customer group, market or product.
  8. Risk management framework: the undertaking’s strategies, processes, procedures, internal rules, limits, controls and reporting procedures that constitute a framework for the undertaking’s risk management.
  9. Risk appetite: level and orientation of the undertaking’s risks that are acceptable for achieving the strategic goals of the undertaking.
  10. Risk exposure: a measure of the risk to which an undertaking is exposed at a certain point in time.
  11. Risk culture: professional values, attitudes and behaviour that are of crucial significance to how an undertaking manages its risks.
  12. Risk strategy: a strategy for assuming, steering and exercising control of the risks to which the undertaking is or could become exposed.
  13. Outsourcing agreement: an agreement between an undertaking and a service provider according to which the service provider performs a process, a service or an activity which would otherwise have been performed by the undertaking itself.
  14. Senior management: the same as in Finansinspektionen’s regulations (FFFS 2011:1) regarding remuneration systems in credit institutions, investment firms and fund management companies licensed to conduct discretionary portfolio management.

Chapter 2

Section 6 An undertaking shall have IT systems and reporting procedures that ensure that information regarding its operations and risk exposure are current and relevant, and that external reporting is reliable, current, complete and timely.

Section 10 An undertaking shall ensure that it has procedures for separation of duties and preventing conflicts of interest. The undertaking shall also ensure that no person single-handedly processes a transaction throughout the entire processing chain.

The undertaking need not meet the provisions of the first paragraph, second sentence if the transaction is negligible.

Section 12 An undertaking shall devote sufficient resources to train the board members.

Section 13 An undertaking shall, when appointing board members, take into account a broad spectrum of qualities and expertise and, to this end, have a policy for promoting diversity in the board of directors.

Section 14 An undertaking shall, on its website, explain how it organises and manages the operations. The undertaking shall on the website also explain how the board of directors, board members and the managing director meet the requirements of sufficient knowledge, insight, experience and suitability.

If the undertaking does not have a website, it shall be able to provide the information to the public in a different manner.

Chapter 4

Section 5 If an undertaking is part of a consolidated situation in accordance with Article 18 of the Capital Requirements Regulation, it shall, in the internal rules regarding conflicts of interest set forth in section 4, also take account of the circumstances which, due to the structure or operations of other undertakings in the group, could give rise to a conflict of interest.

Chapter 5

Section 5 An undertaking shall have a procedure for regularly reporting the risks that exist or which could perceivably arise in the operations to the board of directors and the risk committee, if such has been appointed, the managing director and other functions that require such information, so that they receive reliable, current and complete reports in a timely manner.

The board of directors and the risk committee, if such has been appointed, shall determine the nature, volume, format and frequency of the risk information they are to receive.

Recovery plan

Section 12 An undertaking shall have a recovery plan for restoring its financial position following a sharp deterioration. The undertaking shall have procedures for regularly updating the recovery plan. The plan shall be decided by the board of directors.

The recovery plan shall be devised with due consideration for the nature, scope and complexity of the operations and the nature and scope of the undertaking’s services and operations.

Risk committee

Section 13 An undertaking that is significant with respect to size, internal organisation and the nature, scope and complexity of its activities shall ensure that the board of directors has a risk committee. The risk committee shall consist of board members who are not members of senior management of the undertaking.

The members of the risk committee shall have appropriate knowledge and skills for understanding and monitoring the risk strategy and risk appetite of the undertaking.

Section 14 The risk committee shall serve as an advisor to the board of directors with respect to the overall present and future risk appetite and risk strategy of the undertaking, and assist the board of directors in its monitoring of the senior management’s implementation of the strategy. The board of directors shall maintain overall responsibility for risk.

Section 15 The risk committee shall ensure that the price of liabilities and assets offered to customers takes into consideration the business model and risk strategy of the undertaking. If prices do not accurately reflect risks in accordance with the business model and risk strategy, the risk committee shall prepare an action plan for the board of directors.

Section 16 In order to assist in the preparation of a sound remuneration policy and sound remuneration practice, the risk committee shall, without affecting the duties and responsibility held by the remuneration committee of the undertaking, explore whether incentives in the remuneration system take account of risk, capital, liquidity and the probability and timing of the undertaking’s earnings.

Chapter 6

Section 7 A control function as in section 1 shall regularly, at least once a year, report on material deficiencies and risks to the board of directors, the risk committee if such has been appointed, and the managing director.

The reports shall follow up on previously reported deficiencies and risks, and describe each new identified material deficiency and risk. The report shall also include a consequence analysis and a recommendation for measures.

The board of directors, risk committee and managing director shall, as soon as possible, take appropriate measures ensuing from the control function’s report.

Chapter 9

Section 5 The internal audit function shall

  1. work according to a current and risk-based audit plan adopted by the board of directors,
  2. review and regularly evaluate whether the undertaking’s organisation, governance processes, IT systems, models and procedures are appropriate and efficient,
  3. review and regularly evaluate whether the undertaking’s internal controls are appropriate and efficient,

  4. review and regularly evaluate whether the operations are conducted in accordance with the undertaking’s internal rules,
  5. review and regularly evaluate the undertaking’s risk management based on the decided risk strategy and risk appetite,
  6. review and evaluate whether the undertaking’s internal rules are suitable and consistent with laws, statutes and other regulations,
  7. review and evaluate the reliability of the undertaking’s financial reporting, including commitments not included in the balance sheet,
  8. review and regularly evaluate the reliability and quality of the work performed in the other control functions of the undertaking,
  9. provide recommendations to the people concerned, based on the observations made by the function, and
  10. perform follow-up to ensure that the measures as in point 9 are executed.

Chapter 10

Section 2 Provisions stipulating that an institution shall notify Finansinspektionen if it wishes to engage another party to perform any of the services described in Chapter 7, section 1 of the Banking and Financing Business Act (2004:297) and submit the outsourcing agreement are provided in Chapter 6, section 7 of the same act.

General guidelines

If the undertaking engages another party in work and functions of material significance to the operations, beyond the provisions of Chapter 7, section 1 of the Banking and Financing Business Act (2004:297), the undertaking should provide to Finansinspektionen advance notification thereof and submit the outsourcing agreement.

Section 5 An undertaking shall exercise due skill, care and diligence when entering into, managing and terminating outsourcing agreements relating to work or functions of material significance to the operations. The undertaking shall ensure that

  1. the service provider has the skills, capacity and authorisations required by law to reliably and professionally perform the outsourced operations,
  2. the service provider performs the outsourced operations efficiently and the undertaking shall to this end establish methods for assessing the performance of the service provider,
  3. the service provider appropriately monitors its performance of the outsourced functions and management of associated risks,
  4. the undertaking takes suitable measures if the service provider fails to perform the outsourced operations in an efficient manner and in accordance with applicable laws and other provisions,

  5. the undertaking shall have the requisite knowledge for efficiently monitoring the outsourced operations and managing the risks that could arise in connection with the outsourcing, and monitor the outsourced operations and manage such risks,
  6. the service provider has an obligation to inform the undertaking of events that could materially affect the ability of the service provider to efficiently perform the outsourced operations according to applicable laws, statutes or other regulations,
  7. the undertaking informs Finansinspektionen of material changes in the outsourced operations,
  8. the continuity and quality of the services offered by the undertaking to its customers are not affected by the termination of the outsourcing agreement,
  9. the undertaking, its auditors and Finansinspektionen have access to information regarding the outsourced operations and access to the premises of the service provider,
  10. the service provider protects all confidential information relating to the undertaking or its customers, and
  11. the service provider maintains appropriate plans for re-establishing operations after unforeseen events, and for periodic testing of back-up procedures, if necessary with account taken of the parts of the operations that were outsourced.

Section 7 If an undertaking and a service provider are part of the same consolidated situation as in Article 18 of the Capital Requirements Regulation, for the purposes of sections 5, 6, 8 and 9, the undertaking must take account of the extent to which it controls, or has the ability to influence, the service provider.

Section 9² An undertaking that does not meet the provisions of section 8 may only engage a service provider in a non-EEA country in investment services if

  1. the undertaking gives prior notification of the outsourcing agreement to Finansinspektionen, and
  2. Finansinspektionen has no objections to the agreement after receiving the notification.

These regulations shall enter into force on 2 August 2014.

ANNIKA ZERVENS

Markus Ribbing

² The change entails that the general guidelines are repealed.