www.pwc.lu Circular CSSF 12/552 on Central Administration, Internal Governance and Risk Management December 2012




Overview of the new CSSF Circular

The presentation may be found here: http://www.cssf.lu/fileadmin/files/lois_reglements/circulaires/hors_blanchiment_terrorisme/cssf12_552_elements_saillants.pdf

Key features of the new CSSF Circular and how to approach them?

Circular CSSF 12/552: Scope and timing

Entity types listed: Banks, Investment firms, Specialized PFS, Support PFS, Management companies, e-money institutions, Payment institutions

Circular CSSF 12/552 on Governance:
- Merger of some existing circulars: Circular IML 95/120, Circular IML 96/126, Circular IML 98/143, Circular CSSF 04/155*, Circular CSSF 05/178
- Transposition of EBA guidelines (GL44)
* When applicable

Timeline:
- 09/2011: EBA guidelines GL 44
- 06/2012: BCBS guidelines on internal audit function in banks
- 07/2012: Draft CSSF Circular on Governance
- 12/2012: Circular CSSF 12/552 on Governance
- ???: New version already planned to include risk management

Requirements applicable as of:
- 1st July 2013 [All, except...]
- 1st January 2014 [BoD composition]

Circular CSSF 12/552: Board of Directors, main changes

1st Jan 2014

Composition of the Board of Directors:
- Sufficient in number
- Sufficient time, no conflict of interest with other mandates => other mandates to be disclosed to others
- Fit and proper test => knowledge, experience and professional standing
- Be and remain qualified => training
- Member of Authorised Management = chairman of the Board
- Cannot include a majority of executives (= Authorised Management and other employees of the bank)
- Strong recommendation to include independent Board members in larger institutions [1st July 2013]
- Can be assisted by specialized committees:
  - Audit Committee
  - Risk Committee
  - Other Committees: e.g. Remuneration Committee, HR Committee...

Circular CSSF 12/552: Board of Directors, responsibilities

1st July 2013 / 1st Jan. 2014

The BoD's objective is to protect the institution and its reputation.

(Long) list of Board's responsibilities, to be put in writing:
- Definition of commercial strategy
- Definition of risk strategy
- Definition of own funds and liquidity strategy
- Principles relating to a clear and consistent group structure and to the management information systems
- Principles relating to the internal control mechanisms, including the remuneration policy and the whistleblowing process
- Principles relating to the central administration, the accounting and IT organisation, the new product approval policy and the non-usual or non-transparent activities
- Principles relating to the business continuity planning and management of crisis
- Principles relating to appointment, succession of Board members and functioning of the Board

Circular CSSF 12/552: Mandatory functions

1st July 2013

| Function | Appointed by | Can be outsourced? | Can be done part-time? | Can be performed by one member of the authorised management? |
|---|---|---|---|---|
| Internal audit (CIA) | BoD | Yes (1) | Yes | No |
| Compliance function (CCO) | BoD | No (2) | Yes (1,3) | Yes (1,2) |
| Risk control function (CRO) | BoD | No (2) | Yes (3,4) | Yes (2,4) |
| IT officer | AM | No (2) | Yes | Yes (2) |
| Information Security Officer | AM | No (2) | Yes | Yes (2) |

The IT officer and the Information Security Officer can be the same person.

(1) Based on the proportionality principle and with prior authorisation of the CSSF
(2) They may rely upon external expertise for certain aspects
(3) Cannot be accumulated with operational functions
(4) To be notified and justified to the CSSF

As regards the three internal control functions (CIA, CCO, CRO):
- Appointment / replacement to be approved by the BoD and swiftly reported to the CSSF
- Must have theoretical knowledge and deep professional experience
- Report to both Authorised Management and BoD (dual reporting line)

Circular CSSF 12/552: Other main / new requirements

1st July 2013

Proportionality principle applies

Transparency and documentation
- Strategies, policies and procedures, decisions made to be clearly and fully communicated to all (relevant) staff
- Management information ("information de gestion") to be clearly and fully communicated to BoD, authorised management and staff
- Whistleblowing process to be put in place

Know-your-structure
- Organisational structure (in terms of legal entities) must be appropriate in order to ensure an efficient, sound and prudent management of activities
- Non-standard or non-transparent activities (e.g. SPVs): acceptable if risks are efficiently managed, are authorised by BoD / Management, are regularly controlled

Risk management
- Specific focus on concentration risk and credit risk in real estate financing
- Private banking activities

Annual confirmation to the CSSF in one single sentence by Authorised Management that the bank complies with all requirements of the circular

How to approach the new requirements?

Circular impacts on Luxembourg Banks and IF

The new requirements generate three kinds of impacts:
1. Necessity to analyse all the gaps (and derive an action plan for implementation),
2. Obligation to document in writing all strategic, tactical and operational processes,
3. Enlarge the scope and carefully review the training plan (from Board to employee level).

1. GAP ANALYSIS

1.1 Gap analysis: A must

The Authorised Management must confirm in one sentence to the CSSF, on an annual basis, that the institution complies with all aspects of the circular. The only way to be in a position to confirm is to perform a detailed gap analysis.

1.2. Gap analysis: Phasing the analysis

Good news: The gap analysis can be phased since:
- The new circular will apply to all Luxembourg banks and investment firms (including Luxembourg branches of non-EEA firms) as from 1st July 2013,
- Some of the requirements will, however, only be applicable as from 1st January 2014: (i) the general requirements relating to the Board of Directors composition and qualifications, (ii) the rules relating to the implementation of specialised committees (except the ones relating to the audit committee) and (iii) the need to establish certain written guidelines approved by the Board of Directors.

Bad news: The gap analysis has to be performed during 2013.

2. FORMALISATION

Formalisation: Board of Directors

| New | Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|---|
| New | 27 | Guidelines for the appointment and succession of Board members | BoD | - | CSSF / Ext. Auditor | 01/01/2014 |
| New | 29 | Meeting agendas, minutes of meetings and the decisions and actions taken by the Board of Directors | BoD | - | CSSF / Ext. Auditor | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: Authorised Management

| New | Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|---|
| New | 18, 104, 163 | Strategies and guidelines for internal governance incl. (i) the establishment of three separate internal control functions - risk control, compliance and internal audit function - and their related intervention areas and (ii) the guidelines relating to non-standard and non-transparent activities | AM | BoD | Int. Ctrl. Fcts | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: Internal control functions

| New | Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|---|
| New | 57 (116) | Procedure relating to prompt and effective corrective actions to address weaknesses (problems, deficiencies and irregularities) identified by the internal control functions and the external auditor | Internal control functions | BoD | AM | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: The institution

| New | Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|---|
| New | 88, 94, 95 | Internal communication (easy & permanent access): Strategies, policies and procedures as well as the decisions and actions taken by the BoD & AM are communicated in a clear and comprehensive manner to all staff, taking into account their information needs and their responsibilities within the institution | The institution | - | All staff | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: Authorised person in charge of the Administration, Accounting and IT

| Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|
| 63, 68 to 70 | Organization chart and job descriptions | Authorised person in charge of the Administration, Accounting and IT | AM | All staff | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: Accounting and Finance Function

| Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|
| 78, 84 (12) | Procedures relating to the Accounting and Finance Function | Accounting and Finance Function | - | Accounting and Finance Function members | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: IT function

| Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|
| 85 | Duly documented own internal IT system (if outsourced, 87 applies) | IT function | - | IT function members | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: Internal Audit function

| Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|
| 21, 42, 151 | Internal Audit plan | Internal Audit function | AM, BoD, Audit committee | - | 01/07/2013 |

Those are examples. This list is not comprehensive!

Formalisation: Compliance function

| Ref. Circ. | What | Who | Validation / Confirmation | Distribution / Access | By When |
|---|---|---|---|---|---|
| 132, 134 | Compliance Charter | Compliance function | AM, BoD, Audit / Compliance committee(s) | All staff (incl. branches and subsidiaries in and out Lux) | 01/07/2013 |

Those are examples. This list is not comprehensive!

3. TRAININGS

Trainings

| New | Ref. Circ. | What | Who | By When |
|---|---|---|---|---|
| New | 27 | Board members have to be and remain qualified throughout their term. Obligation of vocational trainings which allow Board members to update and improve their skills | BoD | 01/01/2014 |
| New | 73 | The institution has a program of continuous professional training that ensures both staff and BoD & AM are competent and understand the internal governance framework and their own roles and responsibilities in this regard | The institution | 01/07/2013 |
| New | 111 | The internal control functions provide continuous professional training to all their employees | Internal control functions | 01/07/2013 |
| | 139 | The compliance function ensures staff awareness of the importance of compliance and related issues. The Compliance function develops a continuous training program and oversees its implementation | Compliance function | 01/07/2013 |

Contacts

Emmanuelle Henniaux, Partner
emmanuelle.henniaux@lu.pwc.com
+352 49 48 48 2549

Thierry López, Partner
thierry.lopez@lu.pwc.com
+352 49 48 48 5756

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, Société coopérative, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2012 PricewaterhouseCoopers, Société coopérative. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers, Société coopérative Luxembourg, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.