27.03.2025

Practice Areas: Finance

Update of the Supervision Rules of the Bank of Portugal (Notice No. 2/2025)

The Bank of Portugal has published Notice 2/2025, which introduces significant changes to Notice 3/2020, which regulates governance and internal control systems and defines the minimum standards on which the organizational culture of entities subject to supervision by the Bank of Portugal must be based. This Notice also repeals Instructions 17/2011 and 28/2007. Its publication aims to ensure the continuous adaptation of the rules to the evolution of the European legal framework, as well as to the needs of the financial sector, and is also a response to the lessons learned from supervision and the experience gained since the implementation of the previous version.

Notice 3/2020, approved on July 15, 2020, has been a milestone in defining the organizational and internal control parameters of credit institutions and financial companies. In order to ensure that the regulatory requirements are adequately aligned with European legislation, Banco de Portugal considers it essential to periodically review these regulations, thus allowing it to adapt to new market demands and ever-changing regulatory complexities.

One of the most substantial changes introduced by Notice 2/2025 refers to the possibility of supervised entities adopting collaborative solutions for operational tasks within their internal control functions. This change removes the previous restriction, allowing the subcontracting of these functions not to be merely occasional, but to be a permanent practice. This flexibility aims to give institutions, especially smaller ones, more leeway to efficiently manage risks and adapt to the demands of European regulation, in line with the principle of proportionality.

In addition, the organizational model for internal control functions has been adjusted to give institutions greater flexibility. The new wording allows entities to organize themselves in such a way as to split the risk management function into several units, with the aim of better executing overall responsibilities. However, one of these units must maintain an integrated view of all the risks to which the institution may be exposed, with the head of that unit being considered the main authority in terms of risk management.

With regard to the combination of risk management and compliance functions, the new Notice reflects the guidelines of the European Banking Authority (EBA) and considers the principle of proportionality, allowing deposit-taking institutions to combine these two functions under certain conditions. However, in order to do so, it is imperative that entities ensure that adequate material, human and technical resources are made available to carry out these combined functions.

 

The obligation to draw up training plans for members of the management and supervisory bodies of supervised institutions also stands out. These plans aim to ensure that managers are constantly updated on the emerging risks that institutions may face, ensuring that their knowledge is constantly evolving in order to mitigate risks and promote a culture of good governance.

In addition, the concept of “deficiencies” has been clarified, now encompassing situations of non-compliance. This revision aims to simplify and standardize the way institutions deal with deficiencies in their management and compliance, while establishing the obligation for institutions’ internal policies to include the necessary procedures for reporting transactions with related parties to the competent supervisory authority.

Regarding the selection and appointment of statutory auditors, Notice 2/2025 also introduces an adjustment, requiring institutions to ensure that the appointment is reported to the competent supervisory authority, a point previously detailed in the repealed Instructions.

Another important point is the change in the deadlines for drawing up and reporting the self-assessment report on organizational culture and internal control systems. From now on, the annual report must be drawn up with reference to September 30, and reported to the supervisory authority by November 15 of each year, instead of December 31, as was previously required.

In the case of financial groups, the new Notice simplifies the reporting obligation, requiring only the submission of the group’s self-assessment report, with individual reports being reported only when requested by the supervisory authority.

Finally, Notice no. 2/2025 takes the opportunity to incorporate the provisions of articles 10 and 11 of Instruction no. 28/2007, whose rules are now incorporated into European legislation and regulation, leading to the repeal of said Instruction. The republication of Notice 3/2020, with the changes now introduced, concludes this process of updating the rules.

As you can see, the changes now implemented aim to optimize the supervision of the financial sector and ensure better adaptation to new regulatory requirements, allowing greater flexibility and adaptation of entities to the needs of risk management and the growing complexity of the European regulatory environment.

Knowledge