The EBA summarised its observations on the convergence of supervisory practices across the EU in 2019 in a report which it issued on 29 May 2020 (the “Report”). While the main focus of the Report is the extent of convergence of supervisory practices on the key topics and the progress that has been achieved by competent authorities (“CAs”) in the implementation of the SREP Guidelines, the Report sheds light on common governance weaknesses identified by the CAs.
The CAs performed the assessment primarily through a combination of on-site and off-site supervisory activities. CAs reported holding regular periodic meetings with members of the management and supervisory bodies, committees and key function holders, including staff members of the second and third lines of defence, and conducting regular evaluations of the reports submitted by the external auditor, Board committees or the internal control functions on the effectiveness of the requirements imposed by law and of any measures taken to tackle shortcomings. CAs also analysed the ICAAP and ILAAP reports with an emphasis on the internal governance sections and the organisational aspects. Another supervisory tool was the evaluation of self-assessments and completed questionnaires submitted by the banks. These latter measures were combined with on-site inspections and thematic reviews.
Internal governance was considered primarily in terms of credit institutions’ compliance with the revised EBA Guidelines on internal governance and the EBA-European Securities and Markets Authority (ESMA) joint Guidelines on the assessment of the suitability of members of the management bodies and key function holders, both of which entered into force on 30 June 2018.
In its Report, the EBA touched upon the following aspects in relation to compliance with the EBA Guidelines on internal governance.
1. The periodic assessment of the effectiveness of the internal governance framework by the management body in its supervisory function (“the Board of Directors”)
In this area, CAs were mainly tasked with considering how the Board of Directors assesses the activities of the management board (executive management), as well as identifying whether mechanisms exist for the Board to perform a self-assessment. Additionally, CAs were to report on whether management assessed how well the institution’s core values and risk appetite framework are understood and cascaded down the organisation, and how core values and risk appetite are embedded in decision-making and operations. It was generally observed that the internal control framework of the majority of the targeted institutions had improved and that there was, overall, a heightened awareness of the significance of the internal control framework. CAs did, however, identify some common weaknesses in connection with the oversight function of the Board of Directors. The Report primarily highlighted the infrequency of the Board of Directors’ assessment of the internal control framework, the lack of adequate segregation of duties and responsibilities, and the structure and efficiency of the Committees.
2. The level of detail of the minutes of the Board of Directors
As part of their review, the CAs checked the minutes of Board and Committee meetings for their level of detail, the quality of discussions and the members’ involvement in the decision-making process. Credit institutions were asked to submit minutes of Board and Committee meetings on an ongoing basis or as part of the SREP review. The Report also refers to occasional supervisory presence at Board meetings in order to supplement the desk-based review of the meeting minutes and gain further insight into the Board’s dynamics. For some institutions, the CAs noted an improvement in the quality of Board discussions and the related minutes. However, other reviews revealed a lack of detail and content in the minutes, or even an absence of minutes. On very few occasions, the minutes also exposed inadequate and ineffective oversight by the Board. Where the level of detail was insufficient to reflect the content of the discussions and debates, the CAs requested banks to elaborate further in the minutes.
3. Organisational arrangements of the three lines of defence and resources allocated to internal control functions
The assessment focused on how institutions’ organisational structure, including the three lines of defence, is designed, on the independence of those lines and on the main reporting lines. It was reported that a large majority of institutions ensure the independence of the second and third lines of defence and the direct access of the internal control functions to the Board of Directors. The Report, however, notes certain shortcomings in the resources dedicated to the internal control functions, a comment made particularly with respect to smaller institutions. It is interesting to note that in this area the EBA resorted to benchmarking the resources allocated to the control functions across institutions so as to pinpoint discrepancies more easily. The Report speaks of a “strain on resources allocated to the internal control functions” as well as the “lack of adequately qualified staff in the internal control areas”. As a result, some controls either fell short of the desired standard or the resourcing impacted the extent of the independence of the internal control functions. ICT risk was singled out as “an example of where better coverage by auditors is vital”.
4. The implementation of a risk culture across the organisation
The EBA Guidelines on internal governance require institutions to develop a sound and consistent risk culture which should enable them to make sound and informed decisions. Underpinning an institution’s risk culture is a full understanding and holistic view of the risks it faces and how they are managed. A risk culture can be developed, amongst other means, through policies, communication and staff training regarding the institution’s activities, strategy and risk profile. Closely linked to the notion of a risk culture is the acknowledgement that risk is not the sole domain of risk specialists or internal control functions. Business units, under management oversight, should be primarily responsible for managing risks on a day-to-day basis in line with the institution’s policies, procedures and controls and within the parameters of the institution’s risk appetite.
The Report found that the level of risk awareness of staff across the organisation overall seems to be adequate in the EU, but “at the individual institution’s level the poor management of conflict of interest by the management board or the lack of an institution-wide risk culture framework were noted.” This observation was not developed further in the Report and it would have been interesting to have more visibility on what led to this conclusion.
The EBA has identified five ambitious topics for supervisory attention for 2020, namely: ICT risk and operational resilience; loan origination standards; profitability; capital and liability management; and money laundering and terrorism financing (ML/TF) risk and other conduct risks for prudential supervisors. Considering the broad and critical nature of these topics, one expects that internal governance will feature again throughout, if not as a topic in its own right, then as a fundamental aspect which should permeate decisions taken by credit institutions.
The other topics assessed by the EBA were ICT risk and operational resilience, non-performing exposures and benchmarking of internal models.
Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP), EBA/GL/2014/13.
When weaknesses were detected, different approaches were taken by CAs depending on the severity of the shortcoming, ranging from requesting mitigation or remedial actions, to a Pillar 2 quantitative requirement being imposed in the SREP, to the imposition of a sanction in the most serious cases.
Internal Capital Adequacy Assessment Process.
Internal Liquidity Adequacy Assessment Process.
The independent risk management and compliance functions.
The internal audit function.