Internal governance

The implementation of robust and efficient internal governance arrangements is fundamental to the proper functioning of any financial institution and the financial system as a whole.

The management body of a financial institution must have ultimate and overall responsibility to the financial institution. It shall define, oversee and be accountable for the implementation of the governance arrangements which ensure a sound and prudent management of the institution.

As for the role and fundamental responsibilities of the management body of a financial institution and in order to ensure a sound and prudent management of the institution, the members of the management body must comply with the conditions of good repute, have adequate knowledge, skills and experience, and devote sufficient time to the performance of their responsibilities.

According to the national and European laws, the financial institutions shall have robust governance arrangements which include, in particular, a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which they are or might be exposed, policies and principles aiming at establishing objectives, strategies and risk management arrangements, also clarifying how the activities are organised, how the responsibilities and reporting lines are defined and allocated, as well as adequate internal control mechanisms, including administration and accounting procedures, and remuneration policies. This internal governance also covers the IT systems, outsourcing arrangements and continuity management.

The relevant internal governance arrangements, processes, procedures and mechanisms must be proportionate to the nature, scale and complexity of the financial institution.

When implementing robust internal governance arrangements, the investment firms are required to comply with the legal provisions set out in the Law of 5 April 1993 on the financial sector, as amended, (“LFS”) and, in particular, with Articles 17, 19, 38-1 and 38-2 for all the investment firms and with Articles 38-5, 38-6 and 38-7 for CRR investment firms¹.

The aforementioned legal provisions are supplemented by the following main CSSF circulars applicable to investment firms:

• Circular CSSF 06/240 (as amended by Circulars CSSF 13/568 and CSSF 17/657) on the administrative and accounting organisation; IT outsourcing and details regarding services provided under the status of support PFS, Articles 29-1, 29-2, 29-3, 29-4, 29-5 and 29-6 of the Law of 5 April 1993 on the financial sector, as amended;
• Circular CSSF 13/577 on the introduction of table EI “Responsible persons for certain functions and activities” (as amended by Circular CSSF 18/699);
• Circular CSSF 17/654 (as amended by Circular CSSF 19/714) on IT outsourcing relying on a cloud computing infrastructure;
• Circular CSSF 17/658 on the adoption of the EBA Guidelines on sound remuneration policies (only applicable to CRR investment firms);
• Circular CSSF 20/750 on the requirements regarding information and communication technology (ICT) and security risk management;
• Circular CSSF 20/758 on central administration, internal governance and risk management;
• Prudential procedure for the appointment of directors, authorised managers and key function holders in investment firms.

The Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders specify the eligibility criteria and requirements. These guidelines provide guidance on the scope of the suitability assessment, the assessment process for investment firms and competent authorities as well as the related policies.

As regards the appointment of members of the management body and key function holders, the investment firms must follow the prudential procedure for the appointment of directors, authorised managers and key function holders in investment firms as set out below.