23.01.2025
Practice Areas: Finance
Regulatory Updates on Organizational Culture and Internal Governance and Control Systems
Public Consultation by the Bank of Portugal No. 6/2024 – Regulatory Drafts Amending Notice No. 3/2020 and Instruction No. 18/2020
The regulatory drafts (the “Drafts”) were open for public consultation until December 31, 2024:
- Draft Notice to amend Bank of Portugal Notice No. 3/2020 (the “Draft Notice”), which regulates governance and internal control systems and sets minimum standards for the organizational culture of entities supervised by the Bank of Portugal;
- Draft Instruction to amend Instruction No. 18/2020 (the “Draft Instruction”), which regulates reporting duties to the supervisory authority concerning conduct, organizational culture, and governance and internal control systems.
Scope of Application:
- Credit institutions and financial companies based in Portugal;
- Branches of credit institutions, financial institutions, and investment firms headquartered outside the European Union;
- Financial holding companies, mixed financial holding companies, and management companies under the supervision of the Bank of Portugal.
The most relevant changes introduced by the Drafts do not establish new requirements but rather offer new options that supervised institutions may choose to adopt, such as:
- The possibility of splitting the risk management function across different structural units;
- The possibility of combining the risk management and compliance functions;
- The possibility of permanently outsourcing operational tasks of internal control, including the use of collaborative solutions.
On the other hand, new requirements have been introduced in certain areas, impacting the processes, procedures, and internal documentation of institutions.
Content of the Changes:
- Internal Governance, Organizational Structure, and Strategic Planning
New Obligations for Management and Supervisory Boards:
It is now mandatory for management and supervisory boards to approve internal regulations and implement their own training plans. Covered entities (excluding branches of institutions outside the EU) must establish a supervisory board or appoint a single auditor within 12 months after the Drafts come into effect.
Supervisory Board
The supervisory board must include in its internal regulations clear procedures to:
- Receive the necessary information required to fulfill its functions;
- Establish a formal reporting line with a defined minimum frequency of interaction with internal control functions.
Responsibilities of the Management Board
The management board is responsible for ensuring that the supervisory board has:
- Adequate information;
- Material, technical, and human resources;
- Access to external services, if necessary, to effectively carry out its duties.
Meeting Minutes
The minutes of collegiate body meetings must now identify the participants and specify which members were present for each agenda item.
- Internal Control and Risk Management
The concept of “deficiencies” has been updated to include “non-compliances,” replacing the previous term “shortcomings.” Institutions are now required to consolidate all deficiencies and non-compliances into a single, continuously updated database.
Updates to the Annexes of the Draft Instruction:
- Annex I: Updates the risk categories and subcategories, with an indicative nature, to reflect the standard risk taxonomy.
- Annex II: Aligns with the new concept of deficiencies, developing the methodology for their classification.
Organization and Flexibility of Control Functions
The organizational model for internal control functions has been made more flexible, allowing adaptation to the specific characteristics of each institution:
- Risk management functions may be split, provided one unit maintains a global view of all risks.
- The split must be communicated to the supervisory authority for prior evaluation.
- In the case of a split, the annual report must include a critical assessment of the interaction between the various structural units.
- The heads of the units hold essential functions, and all units report to a single executive director.
Internal control functions must maintain a direct reporting line to the management board, supervisory board, and related committees.
Cumulation of Risk Management and Compliance Functions
For institutions authorized to accept deposits with assets under €3,000,000,000 and that do not provide common services, the risk management and compliance functions can be combined, subject to prior approval from the competent supervisory authority.
- If the assets, on an individual basis, exceed the mentioned threshold for two consecutive years, this combination will no longer be permitted;
- In the case of cumulation, the independence assessment must include the measures adopted to prevent conflicts of interest and an evaluation of whether those measures are sufficient to ensure the independence of the combined function;
- The management board must include, in the Annual Self-Assessment Report (RAA), an evaluation of the continued combination of functions, considering the nature, scope, and complexity of the institution’s activities.
Exemption from the Internal Audit Function
Foreign exchange agencies with fewer than 30 employees (excluding members of the management and supervisory boards), and with operational revenues below €20,000,000 in the last fiscal year, may be exempt from maintaining the internal audit function.
Requirements for Annual Internal Control Reports
The reports must now include:
- Assessment of the organization’s adequacy in relation to existing and potential risks;
- Evaluation of the sufficiency of material, technical, and human resources, including the qualifications and training of its employees;
- Degree of execution of activity plans and identification of areas for improvement.
Management of Deficiencies and Correction Deadline
Deficiencies identified by Statutory Auditors (ROCs), Statutory Audit Firms (SROCs), or supervisory authorities must be recorded in the updated database, with defined deadlines for correction.
- Related Parties and Conflicts of Interest
The aggregated approval of related-party transactions is now allowed, provided the applicable regulatory requirements are met.
Related-Party Transactions Policy
Policies must now include:
- Procedures:
  - Identification of individual exposures to related parties and their total amounts;
  - Compliance with obligations related to granting credit to qualified shareholders and members of governing bodies;
  - Immediate reporting of regulatory breaches related to related-party transactions by the risk management and compliance functions, along with recommendations for correction;
  - Communication to the competent supervisory authority.
- Responsibilities:
  - Senior management of the relevant organizational units must monitor these transactions and report quarterly to the risk management and compliance functions and to the management and supervisory boards.
Declaration in the Annual Self-Assessment Report (RAA)
The RAA must include an explicit declaration from the risk management and compliance functions, confirming that all related-party transactions:
- Align with the institution’s risk profile;
- Comply with applicable laws, regulations, and the internal policy on related-party transactions.
- Deadlines for Whistleblower Analysis
The whistleblowing policy must now include a reasonable deadline, no longer than three months, for the completion of the analysis procedure of reported irregularities, whether anonymous or identified. Extensions are allowed, but only if properly justified.
- Outsourcing
Elimination of the Occasionality Requirement
Institutions are now allowed to permanently outsource operational tasks related to internal control functions, either:
- Within the same financial group; or
- Through external service providers outside the institution or its group.
Full Outsourcing of Internal Control Functions
- Allowed only for internal audit functions in entities not authorized to receive deposits;
- Outsourcing involving external service providers requires prior identification of potential conflicts of interest, along with appropriate measures for their management and mitigation.
Communication to the Supervisory Authority
- The intention to adopt collaborative solutions must be communicated in advance to the competent supervisory authority, which may express its opinion before implementation.
- Selection and Appointment of the Statutory Auditor (“ROC”) or Statutory Audit Firms (“SROC”)
Inclusion of Reporting Requirements
Institutions authorized to receive deposits are now required to report any changes in their Statutory Auditor (ROC) or Statutory Audit Firms (SROC).
Selection and Appointment Policy
Institutions must adjust their policy for the selection and appointment of the Statutory Auditor (ROC) or Statutory Audit Firms (SROC) to include specific procedures that ensure compliance with the new reporting obligation.
- Remuneration Policies, Practices, and Performance Evaluation
Identification of Significant Risk Employees
The procedures have been clarified for identifying employees who have a significant impact on the risk profile of institutions and for reporting this to the competent supervisory authority.
The deadline for submitting this report has been changed from December 31 to January 31, giving institutions more time to prepare data for the previous year.
New Reporting Format
- An annex has been introduced to the Draft Instruction that defines the reporting format.
- The submission must be made via BPnet, in an editable format.
- Self-Assessment
Changes in Reference Periods and Reporting Deadlines
- Reference period: Changed from November 30 to September 30.
- Reporting deadline: Changed from December 31 to November 15.
Integration of External Assessments
The evaluations of the administrative and supervisory bodies must now include the results of independent external assessments.
Use of External Services
The supervisory body must use external services (ROC/SROC or auditors/consultants) at least once per term, covering all matters necessary for its evaluation.
Identified Deficiencies
The report should include information about deficiencies that were identified and corrected, allowing the supervisory authority to assess them in the context of internal governance risk evaluation.
ICT Risk Management
The report on the management of risks related to Information and Communication Technologies (ICT) must be submitted annually as an annex to the Annual Self-Assessment Report (RAA).
Reports in Financial Groups
- Only the group report, prepared by the parent company, will be submitted to the competent supervisory authority, although individual Annual Self-Assessment Reports (RAAs) will still be prepared for the subsidiaries;
- Some of the documents included in the RAA are simplified, particularly in cases where the common services regime is used for internal control functions within group entities;
- It is emphasized that the perspective to be considered in the RAA and related documents is that of the financial group.
Requirements for Entities Not Authorized to Accept Deposits
These entities must report information on deficiencies, even without prior request from the supervisory authority.
- Financial Conglomerates
Risk Management and Internal Control
It is now mandatory to integrate risk management processes and internal control mechanisms at the level of the financial conglomerate, ensuring a comprehensive and holistic approach.
Adaptation Period
Institutions have 6 months from the entry into force of the Drafts to implement the required changes.
We reiterate that the Drafts were open for public consultation until December 31, 2024. The APDFin team from Abreu Advogados provides support to entities covered by the aforementioned regulation and is available to assist any interested party in participating in the public consultation.