Cross-Sectoral Issues on Internal Governance Ana Moitinho Byrne (Instituto de Seguros de Portugal) Malta, 09/04/2010 Page 1

CEIOPS Index  3L3 Task Force on Internal Governance  Cross-sectoral stock-take on internal governance issues  Main findings  Next steps 9 April 2010 Page 2

CEIOPS  3L3 Task Force on Internal Governance The “3L3 Task Force on Internal Governance” (TFIG) –Created according to the 3L3 Committees “Medium Term Work Programme” for Internal governance was one of the 6 priority areas identified for joint cross-sector work –Composed of experts from the banking, insurance and securities markets supervisors, members of the three Level 3 committees (CEIOPS, CEBS and CESR) 9 April 2010 Page 3

CEIOPS  3L3 Task Force on Internal Governance Mandate –Identify consequences of differences in internal governance requirements in sectoral legislation (both Level 1 and Level 2) which have significant practical consequences for institutions, and making recommendations for Level 3 measures to enhance convergence –Developing cross-sector guidance for institutions and conglomerates operating in different financial sectors in the area of internal governance, within the current legal framework 9 April 2010 Page 4 Work developed between September 2008 and December 2009 Scope (and timing) yet to be defined

CEIOPS  3L3 Task Force on Internal Governance Deliverables –Preliminary report in December 2008 –Final report “Cross-sectoral stock-take and analysis of internal governance requirements” ( governance/3L3-cross-sectoral-stock-take-and-analysis-internal-governance-v2.pdf) governance/3L3-cross-sectoral-stock-take-and-analysis-internal-governance-v2.pdf Under “Call for Evidence” until... today! ( governance/3L3-Call-for-evidence-internal-governance.pdf) governance/3L3-Call-for-evidence-internal-governance.pdf 9 April 2010 Page 5 This report will be the basis for this presentation. However, some adaptations were made to align the analyses made with the final advice from CEIOPS to the European Commission. This report will be the basis for this presentation. However, some adaptations were made to align the analyses made with the final advice from CEIOPS to the European Commission.

CEIOPS  3L3 Task Force on Internal Governance  Cross-sectoral stock-take on internal governance issues  Main findings  Next steps 9 April 2010 Page 6

CEIOPS  Cross-sectoral stock-take on internal governance issues Scope of the stock-take –Internal governance provisions applicable to entities in the areas of banking, insurance and securities Includes binding (Level 1 and Level 2) and non-binding (Level 3) provisions 9 April 2010 Page 7 Issues out of scopeReason Undertakings for Collective Investment in Transferable Securities directive (UCITS) Under revision Financial Conglomerates Directive (FCD)Under revision “Fit and proper” requirements Subject of a separate review by another 3L3 group Remuneration issues Subject of review by the EU Commission, a number of national supervisors, and by CEBS and CEIOPS

CEIOPS  Cross-sectoral stock-take on internal governance issues Material considered 9 April 2010 Page 8 Banking activities Capital Requirements Directive (CRD) (Directive 2006/48/EC) Capital Adequacy Directive (CAD) (Directive 2006/48/EC) CEBS’ Guidelines Insurance activities Draft Solvency II Level 1 text (as of 22 April 2009) CEIOPS’ Consultation Paper on Level 2 implementing measures for the System of Governance (CP 33) Securities activities Markets in Financial Instruments Directive (MiFID) (Directive 2004/39/EC) Implementing measures of MiFID (Directive 2006/73/EC) Level 1 directive Level 2 directive/regulation Level 3 guidance

CEIOPS  Cross-sectoral stock-take on internal governance issues Material considered –Assumptions Although the CRD and the CAD do not follow the Lamfalussy legislative architecture, they were compared to Level 1 requirements The annexes of the CRD were considered to be comparable to Level 2 requirements 9 April 2010 Page 9

CEIOPS  Cross-sectoral stock-take on internal governance issues Material considered –Interconnections between directives Article 34 of the CAD applies Article 22 of the CRD and respective Level 3 measures to every investment firm that is not an exempt CAD firm Article 1(2) of MiFID applies the organisational requirements in its Article 13 (and in the Level 2 implementing directive) to credit institutions that carry on one or more investment services or activities 9 April 2010 Page 10 Conclusion: every investment firm that is not an exempt CAD firm is subject to both MiFID and CAD/CRD governance requirements. Consequently, many banks are subject to both MiFID and CRD organisational requirements (at least in relation to the conduct of their securities business). But the purpose of the stock-take was to compare the requirements for each activity on a standalone basis.

CEIOPS  Cross-sectoral stock-take on internal governance issues Options to proceed –Challenge Maintain an appropriate balance between delivering harmonised standards, while maintaining justifiable sectoral differences Consider carefully the means of delivering effective harmonisation if that is “desirable” –Available possibilities Legislation – amendment of Level 1 directives and/or Level 2 directives or regulations where relevant, including the Level 2 implementing measures for Solvency II Guidance – production or amendment of Level 3 guidance either by individual committees (CEBS, CEIOPS and CESR) or by the 3L3 committees together 9 April 2010 Page 11

CEIOPS Options to proceed –“Desirable degree of harmonisation” The rating was attributed according to the following scale 9 April 2010 Page 12 Attributed where the requirements – or their consequences – are largely similar or justifiable by sectoral specificities, or where no harmonisation seems to be necessary for the time being Low Attributed where some work could be done in order to enhance harmonisation both in the interpretation and in the implementation of requirements Medium Would correspond to cases where existing requirements do not suffice or do not produce a similar effect (it was not attributed) High  Cross-sectoral stock-take on internal governance issues

CEIOPS  Cross-sectoral stock-take on internal governance issues Approach adopted – “building block approach” Page 13 Corporate structure and organisation (including management body) Risk management system Internal control system Supervisory review, internal reporting and public disclosure Group structures and group specific issues System of internal governance

CEIOPS  3L3 Task Force on Internal Governance  Cross-sectoral stock-take on internal governance issues  Main findings  Next steps 9 April 2010 Page 14

CEIOPS AreaMain findingsDDH *Rationale Lines of responsibility and accountability Banking: obligation to ensure that areas of responsibility and authority are sufficiently clear and transparent for any reporting lines that deviate from the entity's legal structure Banking and insurance: requirement to have an organisational structure with appropriate segregation of responsibilities or duties Securities: prevention of conflicts of interest Low Issues are essentially covered in the three sectors Lines of responsibility and accountability depend more on the characteristics of the entity than on the sectoral specificities Conflicts of interest Banking and insurance: adequate or appropriate “segregation of duties” or “segregation of responsibilities” Securities: MiFID explicitly states that an entity should put in place “effective organisational and administrative arrangements with a view to taking all reasonable steps designed to prevent conflicts of interest” MiFID requires entities to set out in a written policy the main conflicts they face and the measures adopted to manage them Medium An effective management of conflicts is a key element of any internal governance system, both to protect the interests of an entity’s clients and to maintain market confidence 9 April 2010 Page 15  Main findings Corporate structure and organisation * DDH = Desirable degree of harmonisation

CEIOPS AreaMain findingsDDHRationale Tasks and responsibilities of the management body For simplification, in the report this term encompasses both the management and the supervisory functions Banking: stress of the “ensuring a strategy” and “know-your-structure” requirements Banking and securities: requirements are similar in content, but vary from being addressed to the entities themselves or to the management body Insurance: Article 40 of Solvency II makes it clear that the management body of an undertaking is ultimately responsible for compliance with internal governance requirements Medium A similar provision as that of Article 40 of Solvency II could be introduced to the L1 text for the other two sectors The “know–your- structure” principle and the risk-alignment objective of Basel II should also be taken into account Record keeping and data quality aspects Banking: a visible emphasis is put on large exposures records Insurance: implementation of suitable processes and procedures to ensure the reliability, sufficiency and adequacy of both the statistical and accounting data Securities: keeping records of all services and transactions undertaken and set a business continuity policy concerning data Medium L3 guidance for the banking sector could be adopted regarding the maintenance of orderly records of the business and the internal organisation  Main findings Corporate structure and organisation 9 April 2010 Page 16

CEIOPS AreaMain findingsDDHRationale Accounting systems and procedures Banking: CRD stresses the concept of own funds to cover banking risk and that these should be properly registered in the internal accounting records Insurance: Solvency II includes this provision in the context of the implementation of an internal control system Securities: MiFID (L2) provides further detail on the accounting policies and procedures that should be established that enable investment firms to deliver financial reports in a timely manner Low The general provision stated in each sectoral directive is similar and is set in the context of high-level requirements regarding governance arrangements “Four eyes” composition Banking: the banking business must be effectively directed by at least two persons of sufficient good repute and experience – no exceptions are allowed Insurance: no explicit “four eyes” requirement Securities: same requirement as banking applies, although a securities entity may be a sole trader provided it has alternative arrangements in place which ensure sound and prudent management of the entity Low As a consequence of the TFIG’s work, the CEIOPS’ advice to the Commission on L2 implementing measures included a “four eyes” requirement 9 April 2010 Page 17  Main findings Corporate structure and organisation

CEIOPS AreaMain findingsDDHRationale Committees and subcommittees and their terms of reference Banking: L3 guidance for banks let these consider what committee structure is appropriate, if this facilitates the development and maintenance of good governance practices Insurance: The management body should consider whether a committee structure is appropriate in the context of the system of governance (“white text” of CP 33) Committee for the revision of the internal model, for undertakings that have one Low “Public-interest entities” are obliged to have an audit committee cf. Article 41 of Directive 2006/43/EC Some types of committees are sector- specific Other situations could be covered by L3 guidance Outsourcing Banking: notification requirement in L3 guidance Insurance: Solvency II requires that entities give prior notice when outsourcing material activities Securities: –Notification is only required under certain conditions laid down in MiFID (L2) related to service providers located in third countries –MiFID (L2) includes a list of exclusions for the concept of outsourcing Medium Harmonisation could be achieved by: extending the notification requirements to all sectors include in all cases a requirement for the availability on request to the supervisory authority of all relevant information on outsourced activities  Main findings Corporate structure and organisation

CEIOPS 9 April 2010 Page 19  Main findings Corporate structure and organisation

CEIOPS AreaMain findingsDDHRationale Implementation of a risk management system Banking and securities: the risk management system is explicitly embedded in the internal control activities Insurance: Solvency II describes this as a system per se Solvency II has more detail at L1 than either of the other two directives Low The provisions for implementing a risk management system are broadly similar for the three sectors – at least the outcome is almost the same Risk management function Banking: no mandatory general requirement to set a risk management function (only under sector-specific circumstances) Insurance and securities: establishment of a risk management function where this is proportionate “Risk management function” vs. “risk control function” Medium There are gaps and/or inconsistencies in the directives such as whether and how the risk management function should be independent from and/or interact with the other functions and their respective tasks 9 April 2010 Page 20  Main findings Risk management system

CEIOPS AreaMain findingsDDHRationale Risks covered by the risk management s ystem Banking: no explanation of which risks or risk types have to be covered Insurance: states explicitly that the risk management system should cover the risks that are included in the calculation of the SCR Securities: MiFID has no risk specific material, except for the general requirement to have “effective procedures for risk assessment” Medium Where the same risk is covered explicitly by different directives (e.g. operational risk), there may be grounds for harmonisation at L3 as to what the relevant policies, processes and procedures might be for those risks Risk assessment and stress testing Banking: specific L3 guidance exists dealing with the issue of stress tests, subject to the principle of proportionality Insurance: no specific reference at L1, but several Consultation Papers containing advice on L2 implementing measures that deal with the issue of risk assessment and stress testing Securities: no requirements exist Low The identified differences seem to be justifiable by the specificities of each sector – hence there does not seem to exist a case for harmonisation 9 April 2010 Page 21  Main findings Risk management system

CEIOPS AreaMain findingsDDHRationale Business continuity Banking: the only additional requirement (at L3) is related to the management of IT-related risks Insurance: CEIOPS CP 33 refers to the need of regularly testing and updating the existent business continuity plans Securities: the MiFID (L2) requires the definition of a business continuity policy Medium High-level requirements to implement contingency and/or business continuity plans are generically equivalent But the requirements to test and update the plan, as well as the definition of a business continuity policy seem to be sensible requisites that all sectors should have 9 April 2010 Page 22  Main findings Risk management system

CEIOPS 9 April 2010 Page 23  Main findings Risk management system

CEIOPS AreaMain findingsDDHRationale Implementation of an internal control system The provisions for implementing an internal control system are broadly similar Insurance: there is an explicitly stated obligation to have a written policy in relation to internal control Low Although not being a critical issue, given that the recent financial crisis has revealed the importance of effective internal controls, harmonisation could be pursued in a near future Compliance function The requirement to have a compliance function is defined across all three sectors Banking: L3 guidance includes specificities regarding the “head of the function”, including a requirement for the function to be “organisationally separate from the activities it is assigned to monitor and control” (subject to the principle of proportionality) Insurance: no requirement for independence regarding the compliance function exists (“appropriate standing” at L2) Securities: a dedicated officer must be appointed to the compliance function, not subject to proportionality considerations Medium One of the most relevant differences that exist between the requirements for each sector is the concept of “independence” The requirement to appoint a dedicated compliance officer could be important to the achievement of good governance  Main findings Internal control system

CEIOPS AreaMain findingsDDHRationale Internal audit function The important cornerstones of an effective internal audit function, such as independence and reporting requirements, are common to all three sectors Banking and securities: the requirement of independence is subject to the principle of proportionality Insurance: proportionality is not applicable in relation to the independence of the internal audit function Medium Important constituting elements of how an internal audit function should be established and operate in supervised entities, such as independence and scope of operation, are not always regulated in binding directives Recommendations related to the operational independence of the internal audit function in the cases where the principle of proportionality applies could be useful 9 April 2010 Page 25  Main findings Internal control system

CEIOPS 9 April 2010 Page 26  Main findings Internal control system

CEIOPS AreaMain findingsDDHRationale Supervisory review process There are requirements relating generally to the obligations of regulators to monitor compliance by entities with the relevant directive requirements, as well as to provide information to regulators to enable them to carry out that monitoring Insurance: Solvency II imposes a specific obligation on regulators to be satisfied that the entity’s system of governance is adequate and requires entities to provide information that would enable the regulator to make that assessment Securities: not so detailed requirements as banking (SREP) and insurance (SRP) Medium A whole analysis and review of the supervisory review process, as well as its consequences, is performed Provide supervisors with powers to assess: –The quality of the decision-making processes –The “fit and proper” requirements of the members of the management body and senior management –The effectiveness of the internal control procedures –The effectiveness of the risk management systems (including ORSA and ICAAP)  Main findings Supervisory review, internal reporting and public disclosure

CEIOPS 9 April 2010 Page 28  Main findings Supervisory review, internal reporting and public disclosure AreaMain findingsDDHRationale Internal reporting requirements Banking: the most relevant requirements relating to the reporting lines are defined at L3 Insurance: L1 (Art. 41) foresees “an effective system for ensuring the transmission of information”, but articles on the risk management system, internal control and internal audit provide further requirements on the reporting of these specific subjects Securities: effective internal reporting and communication of information focus more on the trading activity of the investment firms than on their financial standing and risk management Low All sectoral principles and rules recognise that effective governance and effective board decision- making depends on the quality and timeliness of the information received Disclosure, transparency and accountability issues Banking and insurance: disclosure focuses on the risks the entity is exposed to Securities: no requirements on the financial standing and risk management on the entities – focus is more on trading activities Low Differences identified in the different reporting requirements reflect the different purposes and objectives pursued by the directives and the relevant supervisors

CEIOPS 9 April 2010 Page 29  Main findings Supervisory review, internal reporting and public disclosure

CEIOPS 9 April 2010 Page 30  Main findings Group structures and group specific issues AreaMain findingsDDHRationale Corporate structure and organisation Banking and insurance entities are required to have a transparent corporate or organisational structure both at solo and group level Securities: the only specific requirement in this context refers to the conflicts of interest policy, which should take into account the situations where an entity is part of a group Low The reasons for the existing differences can be motivated by the different approaches of CRD, Solvency II and MiFID L3 future guidance could be useful on: –Know-Your-Structure –Matrix management –Plurality of functions Risk management system Banking and insurance: the provisions regarding risk management for solo level entities are also applicable to the group level (including ICAAP and ORSA) Insurance: a specific provision regarding the centralisation of risk management exists Securities: no specific provisions related to risk management at the level of a group exist Medium The objectives in the regulation for the sectors are different, but changes are needed at solo level

CEIOPS 9 April 2010 Page 31  Main findings Group structures and group specific issues AreaMain findingsDDHRationale Internal control system Banking and insurance: the provisions applicable to solo level entities also extend to the group level Securities: no specific provisions for the group level exist FCD*: establishes that the internal control mechanisms should consider the “capital adequacy to identify and measure all material risks incurred and to appropriately relate own funds to risks” and “sound reporting and accounting procedures to identify, measure, monitor and control the intra-group transactions and the risk concentration” Medium The objectives in the regulation for the sectors are different, but changes are needed at solo level Supervisory review, internal reporting and public disclosure Banking and insurance: provisions are similar (mainly extending the solo requirements to the level of the group), although for banking many are just implicit –Disclosure requirements are based on the consolidated financial situation –Reporting of intra-group transactions Securities: no specific requirements in this respect Low Some level of harmonisation for the high-level principles could be achieved (including the supplementary supervision of FiCos) – but this is not prioritary * FCD = Financial Conglomerates Directive

CEIOPS 9 April 2010 Page 32  Main findings Group structures and group specific issues

CEIOPS  Main findings Main differences and commonalities Existing internal governance requirements for the activities undertaken in the banking, insurance and securities sectors are generally similar and have the same intended outcomes or comparable outcomes For the majority of the internal governance aspects that were analysed, many requirements are set at different levels in different sectors –It was often observed that high-level principles for internal governance that e.g. are defined in the Level 1 directive for the insurance sector are only detailed in Level 3 for the banking sector 9 April 2010 Page 33

CEIOPS  Main findings Main differences and commonalities Some differences in the terminology used – or in its interpretation – were also identified, which the TFIG considers would benefit from some further standardisation to promote further convergence between sectors –Principle of proportionality – it is applicable to most of the requirements on internal governance entities are subject to Proportionality applies to internal governance policies Supervisory authorities will adapt their supervisory approach to ensure it is proportionate to the nature, scale and complexity of the activities of an entity Proportionality applies to internal governance policies Supervisory authorities will adapt their supervisory approach to ensure it is proportionate to the nature, scale and complexity of the activities of an entity The principle of proportionality does not justify the non- application of any sort of requirements The proportionality principle is dealt with slightly differently (wording is often “shall where appropriate and proportionate) Banking Insurance Securities

CEIOPS  Main findings Main differences and commonalities Some differences in the terminology used – or in its interpretation – were also identified, which the TFIG considers would benefit from some further standardisation to promote further convergence between sectors (cont.) –Concept of “independence” Does it always imply an organisationally separate unit? –Concept of “function” E.g. In Solvency II, it is “an administrative capacity to undertake particular governance tasks”

CEIOPS With regard to the differences between MiFID and CRD, further harmonisation of Level 1 and 2 provisions could be considered in order to reduce the number of different requirements for banks that also undertake investment activities 9 April 2010 Page 36  Main findings Main differences and commonalities

CEIOPS  3L3 Task Force on Internal Governance  Cross-sectoral stock-take on internal governance issues  Main findings  Next steps 9 April 2010 Page 37

CEIOPS  Next steps The TFIG considers that guidance would be beneficial on: –Management of conflicts of interest –Policies, processes and procedures related to the risks covered by the risk management systems –How the risk management, compliance and internal audit functions might be “independent” in the light of their different sectoral requirements –The supervisory review process 9 April 2010 Page 38

CEIOPS  Next steps The development of guidance in these areas would: –Contribute to a more harmonised interpretation of the requirements applicable to each type of activities –Complement the existing gaps between sectors in the cases where no specific requirements exist 9 April 2010 Page 39 Further work to be developed will depend on the results of the “Call for Evidence” process and the conclusions to be taken thereof.

CEIOPS QUESTIONS? 9 April 2010 Page 40

Thank you! Page 41