In recent years, internal governance issues have received increasing attention from various international bodies. Their main effort has been to correct institutions' weak or superficial internal governance practices, as these faulty practices, while not a trigger for the financial crisis, were closely associated with it and were questionable.

According to the CRD IV, the EBA is mandated to further harmonise institutions’ internal governance arrangements, processes and mechanisms within the EU. In this regard, in September 2011, the EBA published its Guidelines on internal governance (GL 44) with the objective of enhancing and consolidating supervisory expectations and improving the internal governance framework.


Final Guidelines on Internal Governance

In 2017, the EBA updated GL 44 in order to further harmonise institutions’ internal governance arrangements, processes and mechanisms across the EU. These GL put more emphasis on the duties and responsibilities of the management body in its supervisory function in risk oversight.

In this context, the EBA published Final Guidelines on internal governance under CRD, which update the previous ones and take into account gender diversity, money laundering and terrorist financing risk, and the management of conflicts of interest, including in the context of loans and other transactions with members of the management body and their related parties. The Guidelines include a risk management framework that takes ESG risk factors into account.

The technical note prepared by the Management Solutions’ R&D department analyses the requirements arising from the Final GL on internal governance and sets out the implications for institutions and competent authorities (CAs).

Executive Summary

These GL provide guidance on: i) role of the management body and committees; ii) governance framework; iii) risk culture and business conduct; iv) internal control; v) business continuity management; and vi) principles applied to the internal governance framework.

Area of application

These GL are addressed to credit institutions and investment firms, as defined in the CRR.

Main content

  • Management body and committees. These GL set out the duties and responsibilities of the management body, its supervisory and management functions, the management body’s chair, the organisational framework and structure, and the management body’s committees. They also address compliance with anti-money laundering regulation and a risk management framework that considers ESG risk factors.
  • Governance framework. It comprises a suitable and transparent organisational and operational structure (which should comply, among others, with international standards on tax transparency, anti-money laundering and terrorism financing), the organisational framework in a group context, and an outsourcing policy that considers the impact of outsourcing on an institution's business and the risks it faces.
  • Risk culture and business conduct. It includes an institution-wide risk culture based on, among others, the risks institutions face, conflicts of interest, internal alert procedures and the reporting of breaches to CAs. It also states that institutional policies should be gender neutral and avoid any form of discrimination.
  • Internal control framework and mechanisms. It covers an internal control framework and risk management framework, new products, internal control functions (heads and resources), as well as risk management functions, compliance and internal audit. These mechanisms should comply with the obligation of combating money laundering and terrorist financing.
  • Business continuity management. It focuses on the implementation of business continuity management to reduce the consequences of a disaster or extended interruption.
  • Principles applied to the internal governance framework. These GL include the principles of proportionality (according to institutions' size, internal organisation and the nature, scale and complexity of their activities) and transparency, to be applied by institutions when defining their internal governance framework.