Governance

Sound and effective corporate governance arrangements are fundamental to the proper functioning of any financial institution and for the financial system they form as a whole.

A financial institution’s management body must have ultimate and overall responsibility for their financial institution and define, oversee and be accountable for the implementation of any governance arrangements within their institution that ensure effective and prudent management of the institution.

Considering the fundamental role and responsibilities of the management body in any financial institution and in view of ensuring sound and prudent management of any financial institution, members of the management body shall be of good repute, possess sufficient knowledge, skills and experience and commit sufficient time to the performance of their functions.

EU and national legislation require that financial institutions have robust governance arrangements, which include a clear organisational structure, well defined lines of responsibility, effective risk management processes, control mechanisms as well as all standards and principles concerned with setting an institution’s objectives, strategies and risk management framework; how its business is organised; how responsibilities and authority are defined and clearly allocated; how reporting lines are set up and what information they convey; and how the internal control framework is organised and implemented, including accounting procedures and remuneration policies. Internal governance also encompasses sound information technology systems, outsourcing arrangements and business continuity management.

These governance arrangements should in that respect be appropriate to the nature, scale and complexity of the financial institution.

While implementing robust internal governance arrangements, payment and e-money institutions shall comply with the legal provisions of the Law of 10 November 2009 on payment services (“PSL”) and in particular Articles 11, 13 for payment institutions (PI) respectively Articles 24-7 and 24-9 for e-money institutions (EMI).

Those legal requirements are completed by the following main CSSF circulars applicable to PI and EMI:

• Circular IML 95/120 on central administration
• Circular IML 96/126 related to the administrative and accounting organisation
• Circular IML 98/143 on internal control
• Circular CSSF 04/155 on the Compliance function
• Circulars CSSF 06/240, CSSF 22/806 on outsourcing
• Circular CSSF 18/692 related to product oversight and governance arrangements for retail banking products
• Circular CSSF 19/713 on security measures for operational and security risks of payment services under PSD2

With a view to optimising processes, the CSSF developed a dedicated notification form for updating payment institutions/electronic money institutions information. Any of the updates/changes subject to prior authorisation or notification and listed below must henceforth be communicated to the CSSF using the duly completed dedicated Excel-based notification form.

The following updates / changes shall be submitted using the Excel-based notification form:

• Update of the general entity information (e.g. company name, date of the general meeting, address, method for safeguarding of customer funds, etc.);
• Request to change / appoint any member of the institution’s management or supervisory bodies;
• Request to change / appoint persons responsible for internal control functions.

The Excel-based notification form contains dedicated tabs for the various types of notification. Payment institutions/electronic money institutions shall duly complete the information requested in the tab corresponding to their request to change or update the information. Any supporting documents, where appropriate, shall be inserted in PDF format in the notification form. Supervised entities shall submit the completed notification form to the CSSF via MFT.

The CSSF reserves the right to not process notifications which are not submitted using the correct form/channel or which are incomplete.