Last update: 4 May 2020

Internal governance

Summary

Sound and effective corporate governance arrangements are fundamental to the proper functioning of any financial institution and for the financial system they form as a whole.

A financial institution’s management body must have ultimate and overall responsibility for their financial institution and define, oversee and be accountable for the implementation of any governance arrangements within their institution that ensure effective and prudent management of the institution.

Considering the fundamental role and responsibilities of the management body in any financial institution and in view of ensuring sound and prudent management of any financial institution, members of the management body shall be of good repute, possess sufficient knowledge, skills and experience and commit sufficient time to the performance of their functions.

EU and national legislation require that financial institutions have robust governance arrangements, which include a clear organisational structure, well defined lines of responsibility, effective risk management processes, control mechanisms as well as all standards and principles concerned with setting an institution’s objectives, strategies and risk management framework; how its business is organised; how responsibilities and authority are defined and clearly allocated; how reporting lines are set up and what information they convey; and how the internal control framework is organised and implemented, including accounting procedures and remuneration policies. Internal governance also encompasses sound information technology systems, outsourcing arrangements and business continuity management.

These governance arrangements should in that respect be appropriate to the nature, scale and complexity of the financial institution.

While implementing robust internal governance arrangements, support PFS shall comply with the legal provisions of the Law of 5 April 1993 on the financial sector and in particular Article 17(2).

Legal and regulatory framework applicable to support PFS’s internal governance arrangements

Those legal requirements are completed by the following main CSSF circulars applicable to support PFS:

Circular IML 95/120 on central administration
Circular IML 96/126 related to the administrative and accounting organisation
Circular IML 98/143 on internal control
Circular CSSF 20/750 on the requirements regarding information and communication technology (ICT) and security risk management;
Circular CSSF 22/806 on outsourcing arrangements;
Circular CSSF 24/847 on ICT-related incident reporting framework;
Circular CSSF 24/850 on the practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS and the engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.

Suitability assessment of members of management body and of control functions

In line with the legal requirements, members of a support PFS management body shall be authorised by the CSSF and produce evidence of adequate professional experience as well as of their professional standing.

Such professional standing shall be assessed on the basis of police records and of any evidence tending to show that the persons concerned are of good standing and are offering a guarantee of irreproachable conduct. Any proposed member of support PFS management body needs in that respect to provide the CSSF with the following information:

an up-to-date and detailed curriculum vitae;
a copy of an identification document;
evidence of reputation, honesty and integrity which among others include criminal records and/or relevant equivalent information, issued less than 3 months ago, as well as the duly completed and signed declaration of honour.

The persons to be appointed by a support PFS to be responsible for managing the internal audit function (i.e. internal auditor) shall be notified to the CSSF. This notification to the CSSF must include an up-to-date and detailed curriculum vitae of the person appointed to be responsible for the management of the internal audit function.

Documentation

Laws, regulations and directives

5 April 1993 - Updated on 23 March 2023

Law of 5 April 1993 (coordinated version)

on the financial sector

PDF (2.55Mb)

PDF (2.12Mb)

Circulars

19 January 2024

Circular CSSF 24/850

Practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS. Engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and…

PDF (287.59Kb)

PDF (290.59Kb)
5 January 2024

Circular CSSF 24/847

on ICT-related incident reporting framework

PDF (202.28Kb)

PDF (213.33Kb)
25 August 2020 - Updated on 29 December 2022

Circular CSSF 20/750 (as amended by Circular CSSF 22/828)

Requirements regarding information and communication technology (ICT) and security risk management

PDF (410.75Kb)

PDF (1.62Mb)
28 July 1995 - Updated on 30 June 2022

Circular IML 95/120 (as amended by Circular CSSF 22/806)

Central administration

PDF (119.1Kb)

PDF (118.49Kb)
11 April 1996 - Updated on 30 June 2022

Circular IML 96/126 (as amended by Circular CSSF 22/806)

Administrative and accounting organisation

PDF (138.52Kb)

PDF (135.39Kb)
1 April 1998 - Updated on 30 June 2022

Circular IML 98/143 (as amended by Circulars CSSF 04/155 and 22/806)

Internal control

PDF (192.05Kb)

PDF (350.73Kb)
22 April 2022

Circular CSSF 22/806

on outsourcing arrangements

PDF (661.79Kb)
22 March 2006 - Updated on 17 May 2017

Circular CSSF 06/240 (as amended by Circulars CSSF 13/568 and 17/657)

Administrative and accounting organisation; IT outsourcing and details regarding services provided under the status of support PFS, Articles 29-1, 29-2, 29-3, 29-4, 29-5 and 29-6 of the Law of 5 April 1993 on the financial sector as amended

PDF (53.23Kb)

PDF (46.38Kb)

Other reference texts

30 November 2010 - Updated on 15 June 2021

FAQ (Part II) on the statuses of PFS (being updated)

PDF (593.47Kb)

PDF (518.62Kb)
5 May 2010 - Updated on 24 October 2018

FAQ (Part I) on how to obtain authorisation as PFS (being updated)

PDF (268.06Kb)

PDF (252.21Kb)
3 June 2016

FAQ in relation to the acceptability of external experts to exercise the function of internal audit of a supervised entity of the financial sector (only in French)

PDF (78Kb)

Forms

11 April 2016 - Updated on 7 February 2022

Declaration of honour for natural persons

PDF (89.19Kb)

PDF (91.36Kb)
11 April 2016 - Updated on 12 January 2022

Declaration of honour for legal persons

PDF (76.02Kb)

PDF (88.57Kb)

Contact

psfsupport@cssf.lu

Name	Description	Duration
cssf_cookies	Saves information regarding the user's consent to the use of cookies for each optional category.	1 year
ROUTEID	Technical cookie allowing load distribution.	Deleted when the browsing session ends
TBMCookie*	Security: This cookies protects the website against automated attacks.	Deleted when the browsing session ends
__utmvc	These first party cookies are set by a third party service to filter out malicious requests.	Deleted when the browsing session ends
__utmvm*	These first party cookies are set by a third party service to filter out malicious requests.	15 minutes

Name	Description	Duration
cssf_profile	This cookie adapts the website pages to the profile chosen by the visitor (professionals, markets, consumers).	1 year
pll_language	This cookie saves the user’s language choice.	1 year

Name	Description	Duration
_pk_id.#	Collects anonymous statistical data on the website consultations, such as the number of visits or the average time spent on the website. The data is processed in-house and is not shared with a third party.	1 year
_pk_ses.#	Collects anonymous statistical data for the tracking of the pages consulted during the browsing session. The data is processed in-house and is not shared with a third party.	30 minutes