2022-06-30

Order on the Management and Control of Credit Institutions and Other Financial Undertakings

The Danish Financial Supervisory Authority issued this Order to implement EU directives requiring credit institutions, investment firms, and other financial entities to establish robust governance frameworks. It mandates that boards and management define clear business models, risk policies, and organizational structures to ensure prudent operations and compliance with regulatory standards. The regulation strictly delineates the responsibilities of the board versus management, emphasizing adequate resources, conflict of interest management, and transparent reporting mechanisms.

Denmark

Finanstilsynet Denmark

Order on the Management and Control of Credit Institutions and Other Financial Undertakings 1)

Pursuant to Section 65, Paragraph 2, Section 70, Paragraph 6, Section 71, Paragraph 2, Section 152, Paragraph 2, and Section 373, Paragraph 4, of the Act on Financial Business, cf. Act Consolidation No. 406 of 29 March 2022, Section 67, Paragraph 5, Section 68, Paragraph 2, Section 94, Paragraph 2, and Section 270, Paragraph 1, of Act No. 1155 of 8 June 2021 on Securities Firms and Investment Services and Activities, Section 21, Paragraph 5, and Section 39, Paragraph 3, of the Act on Mortgage Loans and Mortgage Bonds etc., cf. Act Consolidation No. 315 of 11 March 2022, Section 180 g, Paragraph 3, and Section 255 of the Act on Capital Markets, cf. Act Consolidation No. 2014 of 1 November 2021, as amended by Act No. 2382 of 14 December 2021, it is hereby ordered:

Chapter 1 Scope of Application

Section 1. This Order applies to the following undertakings, subject to Paragraphs 4-9:

  1. Credit institutions.
  2. Mortgage credit institutions.
  3. Danmarks Skibskredit A/S.
  4. Securities firms, subject to Paragraph 7.
  5. Investment management companies, excluding the administration of Danish UCITS by investment management companies.
  6. Financial holding companies, with the adaptations necessitated by the group relationship.
  7. Branches in this country of credit institutions, investment firms, and administration companies authorized in a country outside the European Union, with which the Union has not concluded an agreement in the financial sector, with the deviations necessitated by the branch relationship or as set out in or pursuant to international agreements.

Paragraph 2. Undertakings covered by Paragraph 1, which are only authorized to perform certain narrowly defined services, shall follow the provisions of this Order in the areas in which the undertaking is authorized.

Paragraph 3. Section 2, Paragraph 1, Section 3, Paragraph 1, items 5-7, 10, and 12, and Paragraph 2, Section 4, Paragraph 2, items 6 and 8, Section 16, Annex 5, and Annex 7, items 1-9, 11, 12, 14, 16-19, 22, and 24, shall apply to common data centers.

Paragraph 4. Section 4, Paragraph 2, item 7, Section 5, Paragraph 3, item 4, and Annex 8 shall not apply to undertakings covered by Paragraph 1, items 5-7.

Paragraph 5. Annex 5, item 70, shall apply to branches of credit and mortgage institutions designated as operators of essential services pursuant to Section 307 a, Paragraph 1, second sentence, of the Act on Financial Business.

Paragraph 6. Section 16 shall not apply to financial holding companies.

Paragraph 7. Sections 16 and 17 shall not apply to undertakings that are authorized solely as securities firms.

Paragraph 8. Section 25 shall apply only to undertakings covered by Paragraph 1, items 1, 2, 4, 6, and 7, and special purpose securitization entities, cf. Article 2, Paragraph 1, item 2, of Regulation (EU) No 2017/2402 of the European Parliament and of the Council of 12 December 2017.

Paragraph 9. Section 5, Paragraph 3, item 5, shall not apply to undertakings covered by Section 1, Paragraph 1, items 5 and 6.

1) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, OJ 2013, No L 176, p. 338, parts of Directive 2019/878/EU of the European Parliament and of the Council of 20 May 2019 amending Directive 2013/36/EU, in so far as it concerns exempted entities, financial holding companies, mixed financial holding companies, remuneration, supervisory measures and powers, and capital conservation measures, OJ 2019, No L 150, p. 253, parts of Directive 2016/1148/EU of the European Parliament and of the Council of 6 July 2016 on measures for a high common level of security of network and information systems across the Union, OJ 2016, No L 194, p. 1, and parts of Directive 2019/2034/EU of the European Parliament and of the Council of 27 November 2019 on the prudential supervision of investment firms, amending Directives 2002/87/EC, 2009/65/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU and 2014/65/EU, OJ 2019, No L 314, p. 64. Certain provisions from Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, and amending Regulation (EU) No 648/2012, OJ 2013, No L 176, p. 1, Regulation (EU) 2019/630 of the European Parliament and of the Council of 17 April 2019 amending Regulation (EU) No 575/2013, in so far as it concerns requirements for minimum coverage of losses for non-performing exposures, OJ 2019, No L 111, p. 4, and certain provisions from Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013, in so far as it concerns leverage ratio, net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, and reporting and disclosure requirements, and Regulation (EU) No 648/2012, OJ 2019, No L 150, p. 1, have been included in the Order. According to Article 288 of the TFEU, a regulation is directly applicable in each Member State. The reproduction of these provisions in the Order is thus solely justified by practical considerations and does not affect the direct validity of the regulation in Denmark.

Act Gazette A 2022 Published on 1 July 2022 30 June 2022. No. 1103. Ministry of Industry, Business and Financial Affairs, Danish Financial Supervisory Authority, ref. no. 21-011962 CQ002286

Paragraph 10. Section 26, Paragraph 1, second sentence, Section 26, Paragraph 2, and Annex 5 shall apply to IT operators of retail payment systems' IT operations and IT risk management of retail payment systems, in so far as the part of their business is covered by their authorization as IT operators.

Chapter 2 Prudent Measures

Section 2. The board of directors or the management of the undertakings covered by Section 1, Paragraphs 1 and 3, shall take measures sufficient to ensure that the undertaking is managed prudently. The board of directors or the management shall, among other things, determine which measures are sufficient to ensure compliance with this Order. Which measures are sufficient will depend on the undertaking's business model and:

  1. the size of the undertaking,
  2. the structure of the undertaking and the structure of the group in which the undertaking may be included,
  3. the business and geographical areas in which the undertaking operates,
  4. the financial services offered by the undertaking, and
  5. the financial products traded by the undertaking.

Paragraph 2. The board of directors or the management of the undertakings covered by Section 1, Paragraph 1, items 1-6, which have subsidiaries, shall take measures sufficient to ensure that the group is managed prudently.

Paragraph 3. The board of directors or the management of the undertakings covered by Section 1, Paragraph 1, items 1 and 2, which are designated as systemically important financial institutions (SIFI) or globally systemically important financial institutions (G-SIFI) pursuant to Sections 308 or 310 of the Act on Financial Business, shall, in the assessment under Paragraph 1, take into account the need to maintain a stable financial sector when assessing the risk management area and the need to maintain a stable financial infrastructure when assessing the IT security area.

Chapter 3 Tasks and Responsibilities of the Board of Directors

Section 3. The board of directors, as part of exercising overall and strategic management of the undertaking, shall:

  1. make decisions on the undertaking's business model, including objectives for the matters mentioned under Section 2, Paragraph 1, items 1-5,
  2. based on the business model, make decisions on the undertaking's policies, cf. Section 4,
  3. continuously, but at least once a year, assess the undertaking's individual and overall risks, cf. Section 5, including determining whether the risks are acceptable,
  4. assess and make decisions on the undertaking's budgets, capital, liquidity, significant dispositions, specific risks, and overall insurance matters,
  5. assess whether the management performs its tasks in a prudent manner and in accordance with the established risk profile, the established policies, and the guidelines to the management,
  6. assess whether the undertaking has a clear organizational structure with a well-defined division of responsibilities, taking into account the undertaking's business model and risk profile,
  7. make decisions on the frequency and scope of the management's reporting and information to the board of directors, such that the board of directors has a thorough overview of the undertaking and its risks, and that the reporting is otherwise comprehensive for the board's work,
  8. continuously and at least once a year make decisions on the undertaking's individual solvency needs, cf. Section 124, Paragraph 2, and Section 126 a, Paragraph 1, of the Act on Financial Business and Section 120, Paragraph 2, of the Act on Securities Firms and Investment Services and Activities,
  9. organize its work such that the management of the undertaking is prudent, cf. Annex 6,
  10. assess whether the undertaking has a prudent disclosure and communication process,
  11. approve the report that the management is obliged to prepare with an estimate and assessment of the undertaking's liquidity position and liquidity risks, cf. Section 8, Paragraph 9, and
  12. assess and approve the undertaking's IT strategy, cf. Annex 5.

Paragraph 2. The board of directors shall ensure that it has the necessary information basis to make decisions as mentioned in Paragraph 1.

Section 4. The undertaking's policies, cf. Section 3, Paragraph 1, item 2, shall include the undertaking's overall strategic objectives for the relevant risk areas, including identification and delimitation of the risks the undertaking wishes to take on in the relevant areas, and instructions on how the strategic objectives are achieved.

Paragraph 2. The policies shall, where relevant, include the following:

  1. Credit policy, cf. Annex 1.
  2. Market risk policy, cf. Annex 2.
  3. Operational risk policy, cf. Annex 3.
  4. Policy for insurance coverage of risks.
  5. Liquidity policy, including a contingency plan in the event of insufficient or missing liquidity, cf. Annex 4.
  6. IT strategy, IT risk management policy, and IT security policy, cf. Annex 5.
  7. Policy for the risk of excessive leverage, cf. Annex 8.
  8. Other risk areas that the board of directors considers significant for the undertaking.

Paragraph 3. The undertaking's policies, cf. Paragraph 2, items 1-3, and to the relevant extent items 4-8, shall, in addition to the undertaking's overall strategic objectives for the relevant risk areas, contain guidelines for the risks arising from environmental, social, and governance matters that the undertaking wishes to take on.

Paragraph 4. The undertaking's policies shall be sound in relation to the undertaking's earnings and capital base.

Section 5. In fulfilling Section 3, Paragraph 1, item 3, the board of directors shall continuously assess whether the undertaking's policies, cf. Section 4, and the guidelines to the management, cf. Sections 6 and 7, are prudent in relation to the undertaking's business activities, organization, and resources, as well as the market conditions under which the undertaking's activities are conducted.

Paragraph 2. The assessment under Paragraph 1 shall be made in relation to:

  1. which risks the undertaking is exposed to, including the business model's influence on risks and risk levels,
  2. which activities the relevant risks are linked to,
  3. the extent of the individual risks, and
  4. how the risk types affect each other, if this is relevant.

Paragraph 3. The assessment under Paragraph 1 shall, to the necessary extent, additionally include a determination regarding:

  1. whether the undertaking has a prudent number of employees and competencies in risk-bearing activities,
  2. whether the undertaking has prudent IT systems,
  3. whether the undertaking has prudent procedures for fast and effective communication across the undertaking and the group,
  4. whether the undertaking has prudent processes for identifying, managing, and monitoring excessive leverage risk, cf. Annex 8, and
  5. whether the undertaking has a prudent number of employees, competencies, policies, guidelines, and processes for managing non-performing exposures and exposures with credit concessions, cf. Article 47a and Article 47b of Regulation (EU) No 2019/630 of the European Parliament and of the Council of 17 April 2019, in so far as it concerns requirements for minimum coverage of losses for non-performing exposures, including whether the undertaking has an adequate contingency plan to handle a possible significant deterioration in the quality of the credit portfolio.

Paragraph 4. The chief risk officer's report, cf. Annex 7, shall be part of the board of directors' overall assessment basis, cf. Paragraph 1.

Section 6. Based on the risk assessment, cf. Section 5, and in accordance with the policies adopted pursuant to Section 4, the board of directors shall issue written guidelines to the management.

Paragraph 2. The guidelines under Paragraph 1 shall specify which dispositions the management may make as part of its position, and which decisions the management may possibly make with subsequent notification to the board of directors.

Paragraph 3. The board of directors may not delegate powers to the management that belong to the board's overall management tasks, cf. Sections 3-5, or are otherwise of an unusual nature or of great significance to the undertaking, including the following powers:

  1. Decision on the framework and conditions for outsourcing of critical and important processes, services, or activities.
  2. Approval of unusual or significant exposures, subject to Section 117, Paragraph 1, third and fourth sentences, of the Companies Act, and exposures covered by Section 78 of the Act on Financial Business and Section 88 of the Act on Securities Firms and Investment Services and Activities.
  3. The annual review of major assets and liabilities, cf. the principles in Section 115, item 1, of the Companies Act.
  4. Appointment of management and chief audit executive.
  5. Decision on principles for calculating risks, cf. Section 7, Paragraph 1, item 2, including the use of internal models not covered by item 6.
  6. Decision on application for approval of IRB, VaR, AMA, and EPE models and other internal models for calculating the undertaking's solvency, cf. Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and Regulation (EU) 2019/2033 of the European Parliament and of the Council of 27 November 2019 on prudential requirements for investment firms.
  7. Decision on the undertaking's individual solvency needs, cf. Section 124, Paragraph 2, and Section 126 a, Paragraph 1, of the Act on Financial Business and Section 120, Paragraph 2, of the Act on Securities Firms and Investment Services and Activities.

Section 7. The guidelines under Section 6 shall:

  1. contain controllable limits for the size of the risks that the management is authorized to take on behalf of the undertaking, and
  2. establish the principles for how the utilization of limits for each type of risk is calculated, including how risk from financial instruments and funds managed by external portfolio managers on behalf of the undertaking is included in the overall risk calculation.

Paragraph 2. The guidelines' limits on credit risk, market risk, and liquidity risk areas, cf. Annexes 1, 2, and 4, shall unequivocally specify the size of the individual set risk limit, for example as absolute figures, or by relating the risk to the undertaking's capital base.

Paragraph 3. The guidelines may only exceptionally provide for the possibility that the management may dispose of risks in a magnitude that lies outside the established risk profile and the guidelines' limits, and only if the prerequisites for this are stated in the guidelines. If these prerequisites cannot be established, prior authorization to exceed the guidelines' limits cannot be given to the management.

Paragraph 4. The board of directors, when formulating the guidelines to the management, shall be satisfied that the director or the management members collectively possess the necessary knowledge and experience to use the powers contained in the guidelines in a manner prudent for the undertaking.

Paragraph 5. It shall be stated in the guidelines how and how frequently reporting to the board of directors shall take place. This includes how and how frequently the management shall report on the areas where the board of directors has set limits for the management, or where limits are set in legislation.

Chapter 4 Tasks and Responsibilities of the Management

Section 8. The management shall oversee the daily management of the undertaking in accordance with the provisions of legislation, including the Companies Act and the Act on Financial Business or the Act on Securities Firms and Investment Services and Activities, and the policies and guidelines adopted and given by the board of directors, cf. Sections 4, 6, and 7, as well as any other oral or written decisions and instructions from the board of directors.

Paragraph 2. The management shall ensure that the policies and guidelines adopted by the board of directors are implemented in the undertaking's daily operations.

Paragraph 3. The management is obliged to pass on information to the board of directors that the board has requested, as well as information that the management considers may be significant for the board's work.

Paragraph 4. The management is obliged to pass on information to the chief risk officer and the compliance officer that the management considers may be significant for the chief risk officer's and the compliance officer's work.

Paragraph 5. The management has the daily managerial responsibility for ensuring that the undertaking only makes dispositions that the management and employees can, to the necessary extent, assess the risks and consequences of.

Paragraph 6. The management shall ensure that there are business routines for documenting significant decisions in the organization, including information on who made a given decision, when it was made, and under which authority and on what basis it was made.

Paragraph 7. The management shall approve the undertaking's business routines, cf. Section 13, Paragraph 1, or appoint one or more persons or organizational units with the necessary professional knowledge to do so.

Paragraph 8. The management shall ensure that there are instructions on which measures shall be taken in connection with serious operational disruptions, IT outages, other operational disruptions, and the departure of key employees.

Paragraph 9. The management shall approve the undertaking's guidelines for the development and approval of new services and products that may cause significant risks for the undertaking, counterparties, or customers, including changes to existing products where the product's risk profile changes significantly.

Paragraph 10. The management of undertakings covered by Section 1, Paragraph 1, items 1-3, shall at least once a year prepare a report with an estimate and assessment of the undertaking's liquidity position and liquidity risks.

Paragraph 11. The management shall at least once a year assess the quality of data that is significant for the undertaking's management, and take necessary measures if the management finds the quality insufficient.

Paragraph 12. The management shall continuously monitor, challenge, and supervise that the work of leading employees in the organization is performed in accordance with the guidelines given, including that prudent reporting takes place, cf. Sections 20 and 21.

Paragraph 13. The management shall conduct a sufficient investigation of the circumstances if it suspects employees' cooperation with customers, suppliers, or other external parties in participation in crime, or suspects employees' knowledge of customers', suppliers', or other external parties' crime. The management shall in this situation assess the allocation of tasks to the relevant employees.

Chapter 5 Organization and Division of Responsibilities

Tasks and Resources

Section 9. The undertaking shall be organized into organizational units with clearly defined tasks, including all employees having clear authorities, areas of responsibility, and lines of reporting. It shall be clear to the individual units and employees which tasks are to be performed and how the tasks are to be performed.

Paragraph 2. The organizational units shall be staffed in terms of resources and competencies such that the units can, in a prudent manner, solve the tasks that the units are responsible for performing.

Paragraph 3. The undertaking shall have measures that ensure that any failure to comply with policies and business routines is included in management's assessment of the organizational units' and employees' solution of their respective tasks.

Information to the Board of Directors and Other Management Levels etc.

Section 10. The undertaking shall be organized such that the information that must be available to the board of directors, management, and leadership at other organizational levels, as well as the chief risk officer and the compliance officer, can be available to them in a truthful and comprehensive form for their work, including within time limits and in a form that ensures that any measures can be implemented without unnecessary delay.

Conflicts of Interest and Separation of Functions

Section 11. The undertaking shall ensure that:

  1. there are procedures for the prevention, identification, and handling of conflicts of interest,
  2. the undertaking is organized such that there is a prudent separation of functions, including that disposing employees, employees performing settlement, and employees performing profit and risk calculations as well as control and reporting, report to their own leaders, and
  3. the undertaking is organized such that there are clearly defined reporting lines.

Paragraph 2. The undertaking's settlement, preparation of profit and risk calculations, control, and reporting may be performed in the same unit, if this can be considered prudent, cf. Section 2, and taking into account the nature of the unit's other tasks.

Paragraph 3. In undertakings where separation of functions is not maintained in accordance with Paragraph 1, item 2, prudent compensating measures shall be introduced, cf. Section 2, which shall ensure that the undertaking is not exposed to unnecessary risks or losses.

Chapter 6 Administrative and Accounting Practices

Administrative Practices

Section 12. The undertaking shall be organized such that the individual units and employees have the business routines, manuals, contingency plans, systems, and other tools available that are necessary for the performance of their tasks.

Section 13. The undertaking shall have business routines in all significant activity areas. Activities relating to the undertaking in its capacity as a financial undertaking are considered significant as a starting point.

Paragraph 2. The business routines shall as a minimum:

  1. be easily accessible and understandable,
  2. in a comprehensive manner describe the activities that are to be performed, including ensuring that legislation and other relevant regulation as well as the policies and guidelines adopted by the undertaking's management are followed and complied with,
  3. specify which organizational unit, persons, or groups of persons are to perform the individual tasks or sub-tasks, and
  4. be updated continuously in the event of changes in internal conditions or in relevant regulation.

Paragraph 3. The business routines may be electronic. However, the management shall ensure that they are accessible in the event of system outages in the undertaking.

Section 14. The management shall ensure that there is adequate documentation for the undertaking's activities, including that there are business routines for:

  1. to what extent decisions, authorities, performed tasks, and businesses as well as events that have occurred shall be documented, ...