Changes in the selection and control of external auditing of financial entities
Notification no. 3/2020 of the Bank of Portugal has been one of the most significant interventions in the regulation of the governance of credit institutions and financial entities in Portugal in recent times.
The notification came into force on 16th July 2020 and institutions have six months from that date to adapt to its provisions, a period which ends on 16th January 2021.
Notification 03/2020 regulates the organisational culture, internal governance, system of internal control and remuneration policies and practices of the institutions to which it applies, revoking Bank of Portugal notifications n.º 5/2008 and n.º 10/2011, as well as Bank of Portugal instruction n.º 20/2008. It is supplemented by Bank of Portugal instruction no. 18/2020, which covers the reports to be submitted to the competent supervising authority on the subjects dealt with in the notification.
The notification is aimed at credit institutions and financial entities headquartered in Portugal, at branches of credit institutions, financial institutions and investment businesses which are headquartered in countries that are not member states of the European Union, and at holding companies subject to the supervision of the Bank of Portugal.
With regard to its thematic areas, it distributes responsibility within the system of corporate governance for matters of governance and internal control and deals with, among other themes, (i) organisational culture, (ii) organisational structure, (iii) the system of internal control, including the role of risk management, compliance and auditing, regulation of conflicts of interest, (iv) policies of selection and appointment of external auditors, remuneration policies and practices, (v) outsourcing of particular essential activities and (vi) systematising of information and communication to the public.
Internal governance is one of the pillars of the supervisory process of analysis and evaluation established by article 97 of CRD IV, under which supervising authorities review the provisions, strategies, processes and mechanisms applied by credit institutions in order to comply with the EU Directive and Regulation no. 575/2013. The process of analysis and evaluation is carried out annually by the European Central Bank together with the Bank of Portugal and follows the guidelines of the EBA and the methodologies of the SREP Methodology Booklet of the Single Supervisory Mechanism.
The specific arrangement of the topics targeted in notification 3/2020 will have a very direct repercussion on the capital requirements to which institutions are subject.
The attention given in notification 3/2020 to the theme of organisational culture stands out, with special implications for the regulation of codes of conduct and the importance of the “tone from the top”, and is justified by the decisive influence that these matters have on the way in which supervising authorities manage their activity. Also notable is the emphasis given to the organs and agents of the institution who hold supervising roles, such as the organs of internal control and non-executive administrators.
The principal development in terms of internal control is the enshrinement, for Significant Institutions, of the requirement that the suitability of those responsible for the roles of risk management, compliance and internal auditing is subject to evaluation and authorisation by the competent supervising authority before they start their roles, bringing this arrangement closer to the fit and proper process in place for boards of directors.
Added to this is a clarification of the system of three lines of defence, in the same way that the guidelines of the EBA on internal governance (EBA/GL/2017/11) have as their basis the model of three lines of defence of the Institute of Internal Auditors. In this way the different responsibilities in the area of governance and risk management are distributed among different roles:
- The business development units and related areas, which generate risk for the institution and bear first responsibility for the identification, evaluation, following up and control of the risks that they incur;
- The support and control roles, which include, namely, the roles of risk management and compliance, and which interact with the roles mentioned in the previous point;
- The role of internal auditing, which undertakes independent and guided analysis.
Having these three lines of defence in mind, supervised entities must take account of their own specificities when developing their systems of internal control, and may, for example, separate the lines of defence into different roles within the entity under supervision.
Also, in relation to these roles, the notification establishes requirements to guarantee their organisational independence, as was already the case in notification 5/2008. Accordingly, these roles should be established in business units separate from those that they are responsible for monitoring. At the same time, the roles of internal control must have direct access to the administration and auditing organs and to supporting committees, should they exist.
The notification also establishes rules relating to the obligation of institutions to adopt policies of selection and appointment of certified public accountants or certified public accountancy firms, with a view to tightening the entry conditions for external auditors.
With regard to the production, handling and reporting of information by institutions, the notification took the opportunity to update the existing legal norm, imposing new rules, namely the drawing up of policies for this purpose.
In line with these obligations, the institutions are obliged to undertake a self-assessment of the suitability and effectiveness of their organisational culture and of their systems of governance and internal control. This self-assessment is set out in the annual report. With regard to the content of these assessments, the demands that fall upon the audit body are reviewed and clarified, with its evaluations coming to include organisational culture and the systems of governance and internal control.
With regard to remuneration policies and practices, and also in line with the guidelines of the EBA on sound remuneration policies, publicised via the Circular of the Bank of Portugal n.º CC/2016/00000036, this notification establishes standards additional to those in the General Regime of Credit Institutions and Financial Entities which are relevant for their practical implementation by the supervised entities, namely with regard to the remuneration of non-executive members of the management board and the members of the supervisory body, to the remuneration policy and to the remuneration committee.
The notification also enshrines the obligation of the supervised entities to maintain an adequate documentary archive, ensuring that the documentation can provide unequivocal information on the basis for decisions taken and the respective stakeholders.
Instruction no. 8/2020 in turn regulates the duties of reporting to the competent supervising authority that are incumbent upon the entities covered by the Notification of the Bank of Portugal no. 3/2020 with regard to the conduct of organisational culture and the systems of governance and internal control.
Thus rules are established on the following:
- Self-assessment reporting of suitability and effectiveness of the organisational culture and of the systems of governance and internal control and respective associated entities, to the competent supervising authority;
- Content and reporting to the competent supervising authority of the report covered by no. 7 of article 116 AA of the General Regime of Credit Institutions and Financial Entities;
- Content and reporting of staff who have a material impact on the credit risk profile of the institution;
- Reporting relative to the process of approval of a higher maximum level of the variable component of remuneration, covered in no. 5 of article 115 F of the General Regime of Credit Institutions and Financial Entities.
Finally, it develops the risk categories that must be taken into consideration by the entities covered by the Bank of Portugal notification no. 3/2020 for the purposes of identification, evaluation, monitoring and control of the risks to which they are or could be exposed.