Risk procedures

Regulatory framework

Knowledge of the operational structure

The members of the management body should have a clear understanding of the institution's legal and operational structure and of its activities, including the risks associated with the services and products offered. They must ensure that this structure and these activities are in line with the approved business and risk strategy and risk appetite. The framework functions (secretary general, legal affairs, human resources, communication) and the independent control functions should be given all the specific information they need to properly fulfil their respective tasks.

Credit institutions that offer a broad range of financial services and products (banking, insurance, investment products), propose complex services and products and/or develop cross-border activities, should set up adequate structures to follow up the risks arising from these activities.

Credit institutions that are part of a group should be able to inform their supervisory authority of the structure of the group they belong to, including the group's governance and control mechanisms that apply to them. When an institution creates within its group a large number of legal entities, their number, and in particular any interconnections and transactions between them, should not constitute an obstacle to sound governance or efficient management and supervision of the group's risks. In this context, one should also refer to guidelines 82‑89 of EBA/GL/2017/11.

A credit institution that is itself at the head of a group should be able to give information on all the relevant entities of the group, including their possible risk impact on the group (see guidelines 73‑74 of EBA/GL/2017/11).


Policy as regards offshore centres and complex structures

Credit institutions sometimes make use of complex service schemes and company structures in their activities (setting up complex company structures, special-purpose vehicles, trust structures), be it for own account or to propose these schemes and structures to their customers. In addition, credit institutions often develop cross-border activities. The decision to develop activities in specific jurisdictions is dictated by a set of factors and circumstances relating to strategic, commercial or financial objectives that may be legitimate. However, complex structures or foreign activities, in particular in offshore financial centres or jurisdictions devoid of transparency, may lead to financial, legal and/or reputational risks.

Institutions should therefore avoid setting up complex and potentially non-transparent structures or activities. In taking their decisions, they should carry out a risk assessment to determine on the one hand whether such structures or activities could be used for money laundering or other financial crimes, and on the other hand what supervisory and regulatory provisions apply to such structures or activities. Guideline 75 of EBA/GL/2017/11 sets out the criteria to be taken into account by institutions in their risk assessment.


Where an institution nevertheless sets up complex structures or activities, the management body should understand those structures, their purpose and the specific risks associated with them and involve the internal control functions in an appropriate manner. In any case, institutions should not set up opaque or unnecessarily complex structures which have no clear economic or legal reason or purpose, or where there is concern that such structures might be abused.

According to the distribution of tasks between the management body and the management committee, the members of the management body should determine the policy on the use of foreign jurisdictions and the use for own account or the sale to customers of complex structures. The management body should define the objectives to be pursued and should ensure that the activities concerned are in compliance with the relevant legal provisions. Launching activities in foreign jurisdictions and/or setting up or selling new complex structures should be subject to a process of internal approval involving the compliance function.

The internal control measures relating to these activities should be proportionate to their importance and the associated risks. The independent control functions of the institution and the statutory auditor should have free access to the information and structures, as required by their respective tasks. They should be kept informed of any significant developments in the relevant activities.

In addition, institutions should apply all precautionary measures set out in guidelines 77‑81 of EBA/GL/2017/11.


Conflicts of interest policy

Regulatory framework

  • Article 21, § 1, 3°, of the Banking Law
  • Handbook on assessment of fitness and propriety, points and
  • EBA/GL/2017/11: guidelines 103‑116
  • BCBS Principles: principle 3


The activity of a credit institution is characterized by a combination of various interests - often converging but just as often diverging or conflicting - which require appropriate rules.

Conflicts of interest may arise in - but are not limited to - the following relationships:

  • between shareholders and the institution;
  • between managers and the institution (cf. the rules on personal commercial interests provided for in the Company Code);
  • between staff and the institution and, by extension, also the customers of the institution;
  • between the institution and its customers, as a result of the business model and/or the various services and activities offered by the institution;
  • between customers;
  • between the institution and its parent company, its subsidiary or other affiliated companies, in the context of intra-group transactions.

Staff has a duty to make immediate internal disclosure of any matter that may lead (or has led) to a conflict of interest.

Without prejudice to the application of the provisions of the Company Code or other specific applicable regulations (investment services; market abuse), the credit institution should determine a comprehensive policy, including organizational and administrative arrangements (including records on the enforcement of the said policy) as well as adequate procedures, to identify and prevent conflicts of interest or, where this is reasonably impossible, to manage these conflicts in such a manner as not to prejudice the interests of customers, and to provide customers with appropriate information in this respect. This policy should cover at least the situations and relationships set out in guideline 109 of EBA/GL/2017/11.

The institution's measures to manage or, as the case may be, mitigate conflicts of interest shall be documented. This shall include, inter alia, the following measures and procedures:

  • put in place information barriers or physically separate certain departments;
  • entrust conflicting activities within a chain of transactions or services to different persons;
  • entrust supervisory and reporting responsibilities relating to conflicting activities to different persons;
  • avoid any direct link between the remuneration of the relevant persons and the revenues generated by conflicting activities;
  • avoid any situation where persons from within or outside the institution with a conflict of interest have an inappropriate influence on an activity of the institution;
  • establish an appropriate policy and procedures for transactions with related parties. This could include requiring, for example, that transactions be conducted at arm's length terms, that a binding opinion be given by independent members of the management body, that exposure to such transactions be limited, etc.;
  • provide that the members of the management body have a responsibility to abstain from voting on matters where they have or may have a potential conflict of interest, or where the objectivity or ability of the person to perform the duties properly may be compromised;
  • limit the external activities of relevant persons.

It is good practice to inform interested stakeholders of the general nature and sources of conflicts of interest and of the policy applied by the institution to identify, prevent or manage these conflicts.