Independent control functions

  1. Banking Law: Articles 35 to 40
  2. NBB Regulations:
    • Regulation of 19 May 2015 on the internal control and the internal audit function (approved by Royal Decree of 5 July 2015)
    • Regulation of the NBB of 9 November 2021 on the exercise of external functions by managers and persons responsible for independent control functions of regulated companies (approved by Royal Decree of 8 February 2022)
  3. Relevant thematic NBB circulars:
  4. International reference documents:


Institutions should set up 3 independent control functions:

  • a risk management function;
  • a compliance function; and
  • an internal audit function.

These functions are necessary to enable the statutory governing body in its supervisory function to monitor the management committee.

General aspects

Three lines of defence

The relationships between, on the one hand, the commercial and business units, and, on the other, the independent control functions, are sometimes referred to as the three lines of defence model:

  • the commercial and operational units (including the front office) are the institution’s first line of defence. This line of defence is responsible for identifying the risks associated with each operation and should observe the procedures and limits laid down;
  • the second line of defence includes the risk management function and the compliance function, which should ensure that the risks are identified and managed by the operational units, according to the rules and procedures laid down;
  • the third line of defence is the internal audit, which, inter alia, monitors compliance with the procedures by the first and second lines of defence.

For the statutory governing body in its supervisory function, the risk management, compliance and internal audit functions are the necessary instruments for the optimal fulfilment of its supervisory tasks. They form a coherent set of transversal control functions between which coordination is required. Given that these control functions are connected, they should harmonise their activities and ensure sufficient sharing of relevant information. The risk management and compliance functions are themselves monitored by the internal audit function.

None of the institution's areas of activity (e.g. offshore activities) may, for personal, commercial or financial reasons, fall out of the scope of the control functions.

As regards the prevention of money laundering and terrorist financing (AML/CFT), the Anti-Money Laundering Law stipulates that institutions should appoint one or more persons tasked with implementing and steering the AML/CFT policy (the "AMLCO"). For further information on this subject, please refer to the EBA Guidelines on the role and responsibilities of the AMLCO (EBA/GL/2022/05) and the NBB’s AML website[1].


Persons responsible for control functions

Persons responsible for independent control functions should be appointed at an adequate hierarchical level that provides them with the appropriate authority and stature needed to fulfil their responsibilities. Without prejudice to the specific characteristics of the position of Chief Risk Officer (see the section on the composition of the management committee above and the section “Risk management function” below), the persons responsible for independent control functions are at "N-1" level in relation to the management committee.


Independence of control functions

The three control functions should be independent, which should at least be reflected in their status, their prerogatives, the arrangements for the remuneration of the persons responsible for these functions and of the staff made available for the performance of these functions, and their direct access to the statutory governing body (which entails that they do not first have to go through the management committee).

Notwithstanding the overall responsibility of the statutory governing body, the persons responsible for the independent control functions should be independent of the operational lines or units they control. Although the persons responsible for the risk management, compliance and internal audit functions report functionally to a member of the management committee[2], they report directly to and are directly accountable for their activities to the statutory governing body. Their performance is also reviewed by the statutory governing body.

For further information, please refer to paragraph 175 of Guidelines EBA/GL/2021/05, which specifies the conditions to be met for control functions to be considered independent.


Resources of the control functions

Independent control functions should have sufficient (human and IT) resources to be able to carry out their tasks in an appropriate and independent manner. The persons responsible for these functions should ensure that their staff possess the necessary qualifications and skills. For further information, please refer to paragraphs 177 and 178 of Guidelines EBA/GL/2021/05.


Methodology and access

The method and procedures used by the three control functions should be commensurate with the nature, scale and complexity of the institution’s activities, and should be explained in writing.

The control functions should have access to all business lines and all internal units that have the potential to generate risk, as well as to relevant subsidiaries and affiliated undertakings. They interact with the operational units, and this interaction should help ensure that all of the institution’s staff are made aware of the importance of risk management.


Reporting

Regular reporting to the statutory governing body

The persons responsible for the risk management, compliance and internal audit functions should report at least once a year directly to the statutory governing body on the performance of their tasks, and should inform the management committee. This direct access, which entails that they do not first have to go through the management committee, is necessary to enable the statutory governing body to exercise its supervisory function more rigorously as regards the execution of the strategy mapped out and the institution's operations.

This reporting of activities to the statutory governing body can be done through the risk committee for the risk management function and the compliance function[3] and through the audit committee for the internal audit function.

The (at least) annual activity report of the independent control functions should:

1° document all tasks performed by the independent control function during the preceding period;

2° clearly indicate all shortcomings identified;

3° provide recommendations to remedy these shortcomings.

Own-initiative reports

Article 38 of the Banking Law provides that, when justified by specific circumstances, the persons responsible for the risk management function and the compliance function can, of their own accord and without needing to refer the matter to the management committee, inform the statutory governing body of their concerns, and where applicable alert it where specific developments related to risk have or could have a negative influence on the institution, or in particular, could be damaging to its reputation.


Periodic assessment

In its supervisory function, the statutory governing body should periodically, and at least once a year, verify whether the independent control functions operate properly. To that effect, it should regularly receive a report from the senior management, without prejudice to any direct examination of any relevant information provided by the functions concerned, where applicable through the specialised advisory committees set up for this purpose by the statutory governing body. For its assessment of the operation of the compliance function, the statutory governing body relies on a predetermined model that is described in Circular NBB_2019_15 and observes the deadline specified in the NBB’s communications on qualitative reporting.


Removal

In accordance with Article 61, § 2 of the Banking Law, the persons responsible for the independent control functions may not be removed from their functions without the prior approval of the statutory governing body in its supervisory function. If it is envisaged to remove a person responsible for an independent control function from office, the institution should first inform the supervisory authority, so that it can examine whether the reasons for dismissal are justified and, where appropriate, whether special measures should be taken with regard to the institution's governance.

Compliance function


Pursuant to Article 36 of the Banking Law, the compliance function is responsible for monitoring compliance with the legal and regulatory provisions on integrity and conduct applicable to banking activities. The compliance function should thus prevent the institution from suffering the consequences - in particular a loss of reputation or credibility, or legal risks, which can cause serious financial harm - of non-compliance with the legal and regulatory provisions or with the ethical rules applicable to bankers (compliance risk). For further information on the compliance function, please refer to Circular NBB_2012_14 and to paragraphs 204 to 213 of Guidelines EBA/GL/2021/05.

The specific requirements regarding the expertise of persons responsible for the compliance function are set out in the NBB's Regulation of 6 February 2018. According to that regulation, persons responsible for the compliance function should also, as of their appointment, participate in a training programme with a minimum duration of 40 hours every three years. Institutions should also ensure that the other persons in charge of the compliance function participate in such a training programme with a minimum duration of 20 hours every three years. The continuing training requirements are further explained in the explanatory note to the aforementioned Regulation and Communication FSMA_2018_05 of 8 May 2018 on continuing training for compliance officers.

The statutory governing body should issue an annual report assessing the proper functioning of the compliance function (see point 4.4.4.1.7. above).

Risk management function


The risk management function should ensure that all significant risks are detected, measured and duly reported. It should have access to all operational units and other internal units that have the potential to generate risk, as well as to subsidiaries and affiliated undertakings. It should have an appropriate status and corresponding central position in the institution’s organisation. The risk management function should be actively involved in elaborating the institution's risk strategy as well as in all management decisions that have a significant influence on the risks, and should be able to deliver a complete view of the whole range of risks the institution is exposed to.

The tasks of the risk management function are described in detail in Guidelines EBA/GL/2021/05. For further information on its role in (i) risk strategy and decisions, (ii) material changes, (iii) identifying, measuring, assessing, managing, mitigating, monitoring and reporting risks, and (iv) unapproved exposures, please refer to paragraphs 179 to 199 of Guidelines EBA/GL/2021/05. Please also refer to paragraphs 63 to 71 of Guidelines EBA/GL/2020/06 on loan origination and monitoring, which describe the role of the risk management function in the lending decision process.

In accordance with Article 37, § 3 of the Banking Law, the person responsible for the risk management function should in principle be a member of the management committee, and the risk management function should be the only specific function for which that person is individually responsible. However, if the credit institution is not a significant credit institution as defined in Article 3, 30° of the Banking Law, the supervisory authority may, based on the principle of proportionality, allow the risk management function to be exercised by a senior member of staff ("N-1"), provided there is no conflict of interest on the part of this person. Furthermore, Article 37, § 3, second paragraph allows for a derogation from the principle that a CRO who is a member of the management committee should be individually responsible only for the risk management function: the supervisory authority may authorise such a CRO to also be responsible for the compliance function, provided that these two functions are performed separately.

For further information, please refer to paragraphs 200 to 203 of Guidelines EBA/GL/2021/05.

Internal audit function

  1. Banking Law: Articles 35 and 39
  2. NBB Regulation:
    • Regulation of 19 May 2015 on the internal control and the internal audit function
  3. Relevant thematic NBB circulars:
  4. International reference documents:


An effective internal audit function should independently provide reasonable assurance to the statutory governing body and the management committee as regards the quality and effectiveness of the institution’s internal control, risk management and governance systems and processes.

The internal audit function should report directly to the statutory governing body, where applicable through the audit committee, and should keep the management committee or the senior management informed about its findings. For more details on the NBB's prudential expectations regarding the internal audit function, please refer to the NBB’s Regulation of 19 May 2015 and to Circular NBB_2015_21 as well as to paragraphs 214 to 224 of Guidelines EBA/GL/2021/05.


[1] Please refer to the section of the NBB’s website dedicated to the prevention of money laundering and terrorist financing (Combating money laundering and the financing of terrorism | nbb.be).

[2] Functional reporting to a member of the management committee consists of reporting on the activities of the independent control function concerned, without that member being able to intervene in the decision-making process (no hierarchical role). The member of the management committee to whom the persons responsible for the independent control functions report should also determine, in consultation with the statutory governing body and/or its specialised committees, the human and material resources (IT, etc.) required by the independent control function concerned to carry out its tasks properly, and should monitor resource-related issues.

[3] Circular NBB_2019_15 stipulates that the compliance function reports to the statutory governing body through the audit committee, but in practice this is currently usually done through the risk committee.