Supervision of corporate governance and internal control system
Corporate governance involves the staff, structures, systems, rules and procedures used to ensure the management and control of an institution.
Institutions must ensure, at an individual and consolidated level, that their corporate governance has governance structures, incentive structures and staff that promote sound and prudent management.
Institutions may choose from the three governance models set out in the Code of Commercial Companies: classical, Germanic and Anglo-Saxon.
Institutions must be able, at all times, to account for their governance model, from a prudential point of view, as well as for any possible decision to replace it.
Any change in the governance model is subject to prior authorisation by Banco de Portugal. For this purpose, in addition to stating that the new model is one of those typified in the Code of Commercial Companies, the institution must also justify, from a prudential point of view, the reason why it considers that the new model will better promote sound and prudent management, taking into account the actual situation of the institution.
Any governance model to be adopted shall include:
- A deliberative function;
- An administrative function;
- An internal supervision function.
The institution shall be responsible for ensuring that the bodies responsible for each governance function and the governance model as a whole work properly, promoting sound and prudent management.
The institution shall ensure, in particular, that there is an appropriate flow of information between the different bodies. These, in turn, must ensure that the decision-making process follows clear procedures, duly documented and formalised.
Management and internal supervision functions have overall responsibility for the institution. They shall:
- Approve and oversee, according to their competences, the implementation of the institution’s strategic objectives, risk strategy and internal governance;
- Ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and regulations applicable to the institution;
- Oversee the process of disclosure and compliance with reporting requirements to Banco de Portugal;
- Monitor and control senior management.
Banco de Portugal continues to supervise the operation of the governance model as a whole and the operation of each function in particular, taking into account the principle of proportionality.
Banco de Portugal checks whether the governance structures proposed are, both formally and substantively, in line with the regulations and evaluates the actual operation of the governance model adopted. This has an impact on the annual supervisory review and evaluation process (SREP).
Banco de Portugal’s supervision does not in any way exempt the institutions from their responsibility to ensure sound and prudent management through their governance model and respective operation.
Institutions must regularly assess their governance model in order to identify opportunities for improvement and shall adopt the measures necessary to correct any deficiencies detected.
In the exercise of supervision, taking into account the principle of proportionality, Banco de Portugal maintains regular contact with the board members of the institutions under its supervision. If deemed necessary, it may attend the meetings of these boards.
The deliberative function decides on fundamental issues of the institution, such as the election of corporate bodies, changes to the share capital or amendments to the articles of association.
The deliberative function, in all governance models, is the responsibility of the general meeting, where all shareholders are represented.
All the institutions’ shareholders, especially qualified shareholders (i.e. holding 10% or more of the share capital or voting rights of the institution or with possible significant influence on its management), are responsible for the strict exercise of their rights and full compliance with their duties.
Banco de Portugal or the European Central Bank assesses the suitability of qualified shareholders, either direct or indirect, as regards the setting up of new institutions and the acquisition of qualified shareholdings. In the cases provided for in the law, the voting rights of a qualified shareholder may be waived, in order to prevent any influence that may compromise the sound and prudent management of the institution.
The qualified shareholder and the institution must inform Banco de Portugal or the European Central Bank of the effective beneficiary/beneficiaries of the qualified shareholding concerned, as well as of any subsequent changes to that shareholding. The complete exercise of the prudential supervision function by Banco de Portugal or the European Central Bank cannot be prevented through opaque shareholding links.
Considering the principle of proportionality, Banco de Portugal meets, when necessary, with the institutions’ qualified shareholders, and requests the information deemed pertinent for supervision purposes.
The suitability of the members of the board of the general meeting is not assessed in any way. However, they are subject to special registration with Banco de Portugal.
The management function, or the day-to-day running of the institution, is the responsibility of the executive members of the management body, i.e.:
- Executive members of the board (in the classical and Anglo-Saxon models);
- Members of the executive board (in the Germanic model).
The members responsible for the management function must fully comply with their fiduciary duties, the duty of loyalty and the duty of care, promoting the sound and prudent management of the institution and a solid risk culture, reflected in a sound, responsible and prudent attitude towards risk, in strict compliance with ethics rules and (substantively and not only formally) all legal provisions and applicable regulations.
Their analysis and decisions must take into account the institution’s long-term interests, considering, neutrally, the interests of their internal and external stakeholders, according to clear procedures, duly documented and formalised.
The management function must maintain close cooperation with the other corporate governance functions, ensuring their access to all means and information required for the full exercise of their functions.
As regards the treatment of risks, the management function must:
- Approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks that the institution is or might be exposed to, including those posed by the macroeconomic environment in which it operates, in relation to the status of the business cycle;
- Allocate adequate resources to the management of risks inherent in the institution’s business;
- Devote sufficient time to consideration of risk issues;
- Be actively involved in the valuation of assets and the use of external credit ratings and internal models related to those risks.
Institutions must have in place a set of internal processes allowing the management function regular access to the information required for full compliance with their functions.
The management body shall be composed of at least three members, two of whom shall be responsible for the day-to-day management of the institution. In any case, the institution shall be responsible for defining the number of members in the management body. The institution must be able to fully justify to Banco de Portugal, from a prudential point of view, the need and appropriateness of that number.
The institution must ensure, at all times, that the members of the institution’s management body are suitable for the exercise of their functions, and meet the legal requirements for that purpose.
The internal supervision function shall be the responsibility of the non-executive members of the management body and/or the members of the supervisory body, i.e.:
- Non-executive members of the management body (in the classical and Anglo-Saxon models), including the members of the Audit Committee (in the Anglo-Saxon model);
- Members of the board of auditors (in the classical model);
- Members of the general and supervisory body (in the Germanic model).
Public-interest entities must have a collective supervisory body.
The exercise of the internal supervision function implies full compliance with the fiduciary duties of members of the supervisory and management bodies (the duty of loyalty and the duty of care), as well as the exercise of the post in an ethical manner, promoting the sound and prudent management of the institution, and maintaining close cooperation with the other governance functions.
The supervisory body’s function is not limited to merely accounting and financial monitoring of the management body’s activity. It is responsible for monitoring, in a diligent and informed manner, the operation of the management body, making sure that its analysis and decision are based on the principles underlying sound and prudent management, in strict compliance with its ethical and fiduciary duties.
Non-executive members of the management bodies are full members of the management bodies to which no executive functions have been assigned.
Non-executive members of the management bodies must monitor the activity of the executive members in a critical, diligent and informed manner, fully exercising the duty of general supervision of their activity. They must also play a critical role in the decisions made by the management body as a whole.
Non-executive members of the management bodies shall effectively carry out all the powers entrusted to them, with a view to promoting the sound and prudent management of the institution.
They must cooperate closely with the supervisory body or, where they are members of an audit committee, effectively carry out the specific powers arising from that membership.
The internal supervision function must maintain a close relationship with the institution’s internal control system.
Direct reporting lines must be established between the internal control functions and the supervisory body, so that the latter may have regular access to the information required for the full exercise of its functions, with no need for the management body’s intervention.
The audit committee, in the Anglo-Saxon model, must ensure its own impartiality with regard to the management function.
The supervisory body must be composed of at least three members. Nevertheless, the institution is responsible for defining the number of members of the supervisory body, as well as whether or not there will be non-executive members of the management body. The institution must be able to fully justify to Banco de Portugal, from a prudential point of view, the need and appropriateness of those choices.
The institution must ensure, at all times, that those responsible for the institution’s internal supervision function are fit and proper for the exercise of their functions, meeting the legal requirements for the purpose, including a majority of formally independent members.
Chairman of the management body and chief executive officer
Separating the functions of the chairman of the management body and the chief executive officer is deemed good practice in terms of corporate governance.
In particular, this separation facilitates the replacement of the chief executive officer, where necessary for promoting the sound and prudent management of the institution.
Therefore, the institutions must be able to justify, from a prudential point of view, the existence of a chairman of the management body with executive functions, as well as any other measures adopted to mitigate possible risks inherent in this option.
The setting up of specialised committees to assist the management and supervisory bodies in the exercise of their functions is deemed good practice.
Institutions may set up, inter alia, the following committees:
- Risk committee;
- Remuneration committee;
- Nomination committee (always voluntary).
The setting-up of a risk committee is mandatory for institutions identified as other systemically important institutions (O-SIIs).
The setting-up of a remuneration committee is mandatory for the following institutions:
- credit institutions identified as other systemically important institutions (O-SIIs);
- institutions which, although not identified as other systemically important institutions (O-SIIs), have staff members, including members of the management and supervisory bodies, whose remuneration is particularly high, amounting to an annual income of 1 million euros or more per financial year.
Institutions are responsible for establishing the committees to be set up, taking into account criteria of rationality and organisational efficiency. Institutions must be able to justify the usefulness and the functions of these committees to the Banco de Portugal.
The committees’ distribution of competences and reporting lines must be clear and their operation must be duly regulated and documented.
When institutions decide to create a committee envisaged in the law, even if not due to legal obligation, the committee in question must have the competences set out in the law.
The internal control system enables the institution to appropriately manage the risks inherent in the exercise of its business, taking into account the institution’s risk profile, risk appetite and risk tolerance.
It must promote a strong risk culture, i.e. a sound, responsible and prudent attitude towards risk.
Institutions must have an internal control system:
- that is adequately resourced to fulfil its functions completely;
- in which the control functions are operationally independent of the operational units under their control;
- with the necessary internal standing to significantly influence the institution’s analysis and decision-making process.
The independence of the control functions must be reflected in the organisation and reporting lines within the institution.
The remuneration of staff allocated to the control functions must depend on the performance of those functions and cannot be related to the performance of the units under their supervision.
Institutions must organise their internal control system in three lines of defence, in accordance with best practice, as follows:
- 1st line: business line;
- 2nd line: risk management and compliance;
- 3rd line: internal audit.
Transaction risks are taken by the institution through the business line. For that reason, the business line must prevent the institution from taking risks that are not duly mitigated or are not in line with the institutional rules adopted for risk-taking.
Risk management and compliance functions, in the second line of defence, must develop the methodologies used for the management of risks inherent in the institution’s business. They must play a key role in the analysis and decision regarding risk-taking in certain transactions and the definition of the institution’s risk profile, risk appetite and risk tolerance.
Internal audit, as the third line of defence, should ensure that the other functions within the institution operate as expected. Its functions must be totally independent of any other functions within the institution. Institutions must ensure that internal audit contributions are duly reviewed and that an action plan is devised in order to effectively close any gaps identified.
Those responsible for risk management, compliance and internal audit functions are legally categorised as key function holders and, as such, are subject to suitability criteria.
Institutions must ensure that those responsible for risk management, compliance and internal audit functions meet, at all times, the applicable adequacy requirements.
In credit institutions classified as other systemically important institutions (O-SIIs), the suitability of the heads of the risk management, compliance and internal audit functions is subject to authorisation for the performance of functions by the competent supervisory authority, prior to taking up the post.
In addition to these three traditional lines of defence, other entities within or outside the institution must also act as lines of defence.
Management and supervisory functions must intervene with a view to ensuring that there is a strong risk culture, and also that, in specific transactions, the risk arising from the transaction in question is being appropriately managed, within the parameters institutionally set for the purpose.
The external auditor intervenes as an additional line of defence, due to its chief function of auditing the accounts, including its role in the drafting of the internal control report.
The Banco de Portugal intervenes as a final line of defence, monitoring and promoting compliance with the prudential rules, at financial level and also at staff level, incentive structures, governance structures, systems and procedures.
The Bank’s intervention does not release the institution from the responsibility of ensuring sound and prudent management and compliance with the prudential rules.
The Banco de Portugal maintains regular contact with the institution’s internal control functions and external auditors. Institutions and external auditors must cooperate with the supervisor in the exercise of its functions, and must provide full, clear, and timely information for the purpose.
External auditors providing services to a credit institution or a financial corporation must promptly communicate to Banco de Portugal:
- The facts or decisions relating to that entity of which they become aware in the exercise of their functions;
- The facts or decisions of which they became aware in the course of carrying out an identical function in an undertaking having close links with the institution where those functions are exercised.
The facts in question must be reported to Banco de Portugal where they are liable to:
- Constitute a serious breach of the laws, regulations or provisions which lay down the conditions governing authorisations or which specifically govern pursuit of the activity of institutions;
- Affect the ongoing functioning of the institution;
- Lead to refusal to certify the accounts or to the expression of reservations.
The duty to provide information prevails over any legal or contractual restriction on the disclosure of information. Compliance with this duty does not give rise to any liability on the part of the auditor.
Banco de Portugal monitors the information flows and the quality of the services provided by the auditors, requesting, where necessary, explanations on issues under their competence.
Banco de Portugal is not responsible for authorising the exercise of functions by auditors or audit firms that are not part of the institutions’ supervisory body.
Financial groups are organised in a transparent manner, avoiding complex and opaque structures. The management and supervisory bodies of the parent undertaking and the other entities of the group must be fully aware of and understand the structure of the group, including the significance, purpose and risks associated with each of its constituent entities.
Parent undertakings are responsible for ensuring full compliance with prudential rules, which comprise rules on governance and internal control systems, across all entities within the group, including, to the extent legally possible, outside the European Union.
Institutions must submit to the Banco de Portugal an annual self-assessment report on the adequacy and effectiveness of the organisational culture in force in the institution and its internal control and governance systems. They must also submit an irregularities report and, in the case of credit institutions and investment firms, they must report on the staff population with a material impact on their risk profile.
The group’s parent company must annually submit to the Banco de Portugal a self-assessment report on the group’s internal control system.
The aforementioned documentation must be submitted by 31 December of each year and must contain all information provided for in Notice of the Banco de Portugal No 3/2020 and Instruction of the Banco de Portugal No 18/2020.
The institution is responsible for having in place a robust reporting process, enabling it to provide true, accurate, full, updated, consistent and reliable information.
Institutions must ensure that the self-assessment report and other documents to be submitted under said Notice and Instruction are the result of a substantial and specific analysis of the issues addressed and provide an effective opportunity to reflect and thereby improve their organisation and operation.
Inappropriate treatment of the information to be reported to the Banco de Portugal may indicate that such information is not duly used by the institution to identify and mitigate risks inherent in its activity.
Flaws in the analysis and processing of the information to be reported are a source of risk for the institution and may, ultimately, warrant the intervention of the Banco de Portugal.
Self-assessment reports must include assessments by the management and supervisory bodies, pursuant to Notice of the Banco de Portugal No 3/2020. These assessments must contain a full review of the information requested and take a clear, complete and affirmative position on that information, instead of presenting a mere assertion of compliance or non-compliance.
Institutions must post on their websites information showing compliance with the rules on corporate governance.