Actualidad European Union

Final guidelines on internal governance

European Banking Authority

In September, the European Banking Authority (EBA) published its Final Report on its Guidelines (GL) on internal governance, updating those issued in September 2011 (GL 44), to further harmonize internal governance mechanisms and arrangements, promote transparent structures and reinforce the risk management framework of European Union institutions.

The Guidelines supplement several provisions made for governance contained in the Directive 2013/36/EU, article 74 of which mandated the EBA with making recommendations designed to help institutions build solid internal governance systems; clear organizational structures and well-defined lines of reporting; processes that make it possible to identify, manage, monitor and report risks to which they are, or may be, exposed; appropriate internal monitoring mechanisms; together with remuneration procedures, policies and practices adapted to each institution’s risk profile.

The main recommendations in these Guidelines are:

The board and its committees

The governing body will be in charge of supervision and accountable for the implementation of good governance practices that promote effective and prudent management of the entity. Its functions must be clearly defined, and for this reason a distinction will be made between its more interventionist job, as when it takes business decisions, and the supervisory role, when it monitors and reviews the institution’s strategy.

  • Chair of the board

The Guidelines pay particular attention to the role of the administrative body’s Chair, although there are no major changes. (S)he holds primary responsibility for the effectiveness of its operations (setting the agenda for meetings, defining priority strategic matters, ensuring that information is received with sufficient notice, etc.) and of encouraging the efficient flow of information between its members so that well-informed decisions can be taken.

The guidelines recommend that the Chair be a non-executive director. Nevertheless, if executive functions are also held, the entity should have measures in place to mitigate any adverse impact, for example by appointing an independent member of the governing body, or by having more non-executive members than executive ones. Specifically, article 88.1 of the EU Directive states that the Chair of this body should not carry out the functions of Chief Executive Officer (CEO) at the same time, unless there is good reason and the relevant body has authorized it.

  • Committees

The Guidelines establish that entities considered significant because of their size, internal organization and nature, scope and complexity of their activities*, should have a risk committee, an appointments committee and a remunerations committee, to support the governing body in its supervisory function; non-systemic institutions are not required to comply with this provision.

With respect to the composition of the different committees:

  • They should be chaired by a non-executive member of the governing body and have at least three members, and the occasional rotation of chairs and members should be considered, taking into account their specific experience, knowledge and skills
  • The risk and appointments committees should be made up of non-executive directors
  • Applicable to all institutions, systemic or not, the risk committee may not be chaired by the Chair of the governing body or of any other committee

There is a new recommendation: that committees should not share members, which means that institutions will have to have enough governing-body members to enable them to make up the numbers of the committees with delegates from that body on an exclusive basis.

Organizational framework and structure

The management body’s accountability is broadened to guarantee an organizational and structural framework that is adapted to the organization; this framework should be publicly known and transparent, with well-defined, consistent and properly documented lines of reporting and assignation of roles.

Furthermore, it should know and understand the legal, organizational and operational structure –know your structure-, and ensure that it is aligned with strategy and risk appetite as defined. Institutions must avoid setting up complex, opaque structures; it is the management body that must ensure that appropriate measures have been adopted to, if applicable, avoid or mitigate the risks arising from activities carried out in such structures.

Risk culture and business conduct

  • Risk culture

A great deal of attention is paid to risk culture, to ensure that decision taking is based on full understanding of the risks being faced and how these are managed. The Guidelines understand a solid risk culture as one in which, at least:

  • The management body is directly responsible for setting and communicating the institution’s core values at all levels of the organization;
  • Relevant staff are aware of and understand the entity’s values and its risk appetite and capacity, being accountable for their actions
  • There is an environment of open communication, that encourages a broad range of views in the decision-making process
  • Incentives align the risk-taking behavior with the institution’s risk profile


  • Corporate values

The Guidelines state that the management body should develop, adopt and promote high ethical and professional standards in the institution, bearing in mind its specific needs and characteristics, to reduce the risks to which it may be exposed and that could impact on its profitability or sustainability. To do this, it will have put in place policies to promote these standards, which in any event must:

  • Remind staff that all activities must be conducted in compliance with legislation and the company’s values
  • Promote risk awareness through a strong risk culture
  • Define acceptable and unacceptable behaviors
  • Clarify that staff must conduct themselves with honesty and integrity
  • Ensure that staff are aware of internal and external disciplinary measures


  • Conflict of interest policy

The Guidelines cover the policy for managing conflicts of interest, indicating that institutions must have a policy to identify, manage and mitigate potential and actual conflicts of interest; the management body is responsible for establishing, approving and supervising its implementation and maintenance.

At institutional level, measures to manage or mitigate potential conflicts may consist of, among others: i) an appropriate segregation of duties; ii) information barriers, and iii) procedures for transactions between related parties.

Turning to the institution’s staff, these measures should bear in mind situations that might generate a conflict of interest, such as: i) economic interests, ii) personal or professional relationships, iii) political influence, iv) previous employment, etc.

The document expects institutions to have effective mechanisms in place for staff to report potential or actual breaches of regulatory or internal requirements, guaranteeing at all times the confidentiality both of the whistle-blower and of the natural person who is allegedly responsible for the breach. These mechanisms should i) be documented, ii) guarantee that the conflicts reported are assessed and escalated appropriately; iii) ensure appropriate record keeping.

Internal control

The Guidelines give ample space to the internal control policies, mechanisms and procedures that apply throughout the organization, which should be supervised and regularly updated by the governing body.

This body will also be in charge of ensuring that the internal control functions (risk management, internal audit and compliance) are separate from the business lines they monitor, that they have sufficient human and financial resources to operate effectively, and that they report directly to the governing body.

Proportionality and openness

The Guidelines specify that they should be applied with the principle of proportionality, that is, taking into account, the size, internal organization and nature and complexity of the institution’s activities, such that systemic institutions and larger groups should have more sophisticated governance systems.

Those companies so required by the competent authorities, pursuant to article 106.2 of the EU Directive, should publish an annual description of their legal, governance and organizational structure. This information should contain, at least:

  • The institution’s internal organization and the group structure, including lines of reporting and responsibilities
  • Any material change to this information since it was last published
  • New legal, governance and organizational structures
  • Responsibilities of the management body
  • The structure, organization and members of the management body: number of members, classification, gender and duration of their term of service
  • Support committee
  • The policy on conflicts of interest
  • The internal control system and the management of business continuity


The Final Guidelines are designed for financial institutions and investment services firms and will come into effect on 30 June 2018, date on which the earlier ones (GL 44) will be repealed. These institutions will have to report to the European authority whether they comply with, or intend to comply with the Guidelines; if they are not compliant, they must explain the reasons for this.


*Articles 88.2, 95.1 and 109.1 of the EU Directive