Question ID
2021_5731
Legal act
Directive 2013/36/EU (CRD)
Topic
Internal governance
Article
74
Paragraph
1
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
EBA/GL/2021/05 - Guidelines on internal governance under CRD - repealing EBA/GL/2017/11
Article/Paragraph
Background and rationale / paragraph 29 and 30
Type of submitter
Competent authority
Subject matter
Composition of the first and second lines of defence
Question
What are the units composing respectively the first line of defence and the second line of defence?
Background on the question
(i) Paragraph 29 of the “Background and rationale” part of the EBA Guidelines on internal governance (EBA/GL/2017/11) refers to the first line of defence as being the “business lines”. However, other paragraphs in the guidelines also refer to “business lines and internal units”. Although the words “internal units” are not defined, we understand that they designate all units other than the business lines that perform operations and are therefore exposed to operational risks, including legal risk. This is particularly the case for the support functions of a credit institution (e.g. IT function, human resources, purchasing, etc.). This seems to be confirmed by the EBA GL on ICT and security risk management (EBA/GL/2019/04), which state in paragraph 5 of their “Background and rationale” part that “The guidelines are compatible with the three lines of defence model, with the ICT operational units being the first line of defence”. Could you confirm that all units conducting business, but also performing operations in general, such as the support functions, are included in the first line of defence?

(ii) Considering the second line of defence, paragraph 30 of the Rationale of the EBA Guidelines on internal governance only mentions the risk management function and the compliance function. However, we do not understand it to prohibit credit institutions from designating, at their own choice, additional independent units as control functions of the second line of defence (e.g. functions such as Legal, Tax or Finance), provided that they contribute to risk management and compliance checks. The question therefore is whether the composition of the LoD2 is limited to the risk and compliance functions only, or whether an institution could choose to add other functions exercising risk management and/or controls. Besides, we would like to have confirmation that this is possible for any kind of credit institution, be they small or complex ones.
Submission date
09/02/2021
Rejected publishing date
31/05/2022
Rationale for rejection

This question has been rejected because the issue it deals with is already explained or addressed in paragraphs 97, 172, 183 and 206 of the Guidelines on internal governance under Directive 2013/36/EU (EBA/GL/2021/05).

For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.

Status
Rejected question