The definition of CEO is not completely clear and might not be in line with CRDIV. Pursuant to the draft Guidelines the CEO would be the person who is responsible for managing and providing steer to manage the overall business activities of an institution. However, if one is to consider the so-called four eyes principle inscribed in article 13 of the CRDIV (pursuant to which at least two persons are required to effectively direct the business of the credit institution), at least two CEOs would need to exist if the definition is applied as it currently stands. We consider that the definition should focus more on the coordination of the executive day-to-day management, either by presiding over the executive committee or over a separate management committee which does not integrate the management body.
An additional definition of “closely linked legal or natural persons” should be included.
Portuguese law allows institutions to choose between three basic governance models which can include:
a) A board of directors (with or without an executive committee), plus a supervisory board and a statutory auditor (this is the so-called Traditional Model);
b) A board of directors with an executive committee, which must include an audit committee composed of non-executive directors and a statutory auditor (this is the so-called Anglo-Saxon Model);
c) Executive board of directors, plus a general and supervisory board and a statutory auditor (this is the so-called German Model and is similar to the German Vorstand/Aufsichtsrat model).
The most used model in Portugal is the Traditional Model but there are some institutions that have also elected to use the Anglo-Saxon Model.
The application of the Guidelines raises some problems when the Traditional Model has been elected.
In fact, both the Guidelines and the CRDIV make a distinction between the management body in the management function and the management body in the supervisory function.
In implementing the CRDIV, the Portuguese lawmaker took a mixed approach and replaced the references to the “management body in its supervisory function” with either (i) references to the “non-executive directors and supervisory board”, not making a distinction between these two bodies, or (ii) references to the “supervisory board”.
Even though it is not mandatory, most institutions that adopt the Traditional Model have the day-to-day management of the institution delegated to an executive committee (in line with international best practices and with the conclusions of the Banco de Portugal mandated working group on Governance, Control and Audit Practices and Models for Financial Institutions).
This means that in the Traditional Model there are potentially two corporate bodies in Portugal that can be considered as included in the definition of the management body in its supervisory function: the non-executive members of the board of directors and the members of the supervisory board.
This fact makes it extremely difficult to make the correspondence between the Guidelines and the actual corporate bodies that should assume the responsibilities described in the Guidelines in the Traditional Model.
Furthermore, we feel that this overlap creates a risk that the actual responsibilities and tasks end up not being applied.
As a result, it is our opinion that an additional paragraph should be included in the Guidelines that deals with these possible overlap situations and which provides guidance on how to allocate responsibilities within each institution and/or requires institutions to implement mechanisms that allow for the effective application of the Guidelines (such as joint meetings of the relevant corporate bodies, committees that include members from both corporate bodies, etc.) or that requires that institutions choose one of the corporate bodies to expressly assume the relevant responsibilities.
Pursuant to paragraph 18, the management body in its supervisory function and management function should interact effectively. In the circumstances where the supervisory function is a separate corporate body the information flow should be assured by joint meetings of the supervisory function and the management function or at least the members of the management body in its supervisory function should be required to attend (a significant number of) the meetings of the management body in its management function. The flow of information requirements should be more demanding with dual board structures.
In paragraph 19, subparagraph h), the reference to “(including minutes of the discussions and of the decisions taken)” is not clear. Should the arrangements ensure that proper minutes are recorded?
In addition, pursuant to paragraph 24 subparagraph g., the supervisory function should “ensure that the heads of internal control functions are able to act independently and, without prejudice to report to other internal bodies, can raise concerns and warn the management body in its supervisory function directly, where appropriate, when adverse risk developments affect or may affect the institution”. However, instead of this generic reference, we feel that more practical guidelines should be provided to comply with this principle. This could include, for example, a recommendation for meetings between the heads of internal control functions and the supervisory function (without the management function or the persons to whom the relevant head originally reports).
Paragraph 46 contains a reference to the nomination committee which is not immediately clear considering that the list contains information on risk.
Furthermore, in paragraph 53, it is not clear what is meant by enforceable reporting lines and allocation of responsibilities. We would suggest replacing this reference with “enforced” or “effective”.
It is not clear if the second sentence of paragraph 60 applies to the management body of a consolidating institution only or to all institutions. This should apply to consolidating institutions only as the other group institutions might not be legally entitled to demand this information from their consolidating institution. It should be the responsibility of the consolidating institution to ensure that all the institutions within the group (including the consolidating institution) are able to produce such information.
Paragraph 74 generically provides for the communication to the competent authority of the adoption of the governance policy and any significant changes. Article 10 of the CRDIV provides that the applications for the authorisation of credit institutions must contain a description of the structural organisation of the credit institution but does not contain any ongoing or ad-hoc information requirements on governance policy other than as a result of the description that must be included in compliance with the requirements pursuant to article 106 of the CRDIV. The requirement contained in paragraph 74 should be eliminated as it is very difficult to determine what should be considered as a significant change. Otherwise, further guidance should be provided in relation to the scope of the significant changes.
Additionally, paragraph 87 provides that policies should ensure that staff are aware of the potential sanctions to which they might be subject. An important part of the application of any sanctions is the preventive impact they may have on other persons in terms of avoiding the relevant negative conduct in the future and also in helping demystify the (often wrong) perception that such behavior is generalized within the institution. We therefore suggest that the Guidelines consider disclosing internally any sanctions or disciplinary actions even if the names of the persons involved are omitted.
Paragraph 94, subparagraph g. provides that the conflict of interest policy should include procedures and mechanisms that prevent the members of the management body from holding directorships in competing institutions. Institutions within a group might be authorised to carry out similar activities that might be considered competing and therefore this requirement should not include directorships in other group companies.
It is not clear what is meant by the reference “if appropriate” in relation to the disclosure of any information to the management body in paragraph 99. Given the level of responsibilities of the management body we feel that all alert procedures should be disclosed to the management body.
It is not clear what is meant by “victimisation” in paragraph 100.
The rationale for paragraph 105 is not completely clear and appears to result merely from the fact that competent authorities may decide not to act on an alert.
The number of employees of an institution should also be a relevant criterion to be considered in the application of the principle of proportionality. For example, currently pursuant to the applicable Aviso issued by Banco de Portugal (Aviso n.º 5/2008) there are a number of internal governance requirements that are not applicable or are less demanding if the institution does not cross certain thresholds in terms of the number of employees. These provisions are extremely useful for small institutions in smaller countries such as Portugal.
In paragraph 120, the recommendations and corrective measures should also include a timeline for proposed implementation.
Further guidance should be included in relation to what is meant by “significant changes” to existing products and services in paragraphs 143 and 148. Any changes resulting from legal and regulatory changes or any court decisions or determinations from regulatory authorities should also be dealt with within the NPAP.
Part of the information provided in paragraph 202 is not relevant from an information perspective and will most likely result in the institutions copying out any statutory provisions. This is at least the case of subparagraph g. Additional concrete data should be included on the number of meetings, attendance at the meetings, etc.