Banking regulation: reporting, governance and risk management | Loyens & Loeff
02 April 2020 / news

Banking regulation Q&A: reporting, organisational requirements, governance and risk management

The banking regulation Q&A series provides a comprehensive overview of the rules governing the banking sector in Luxembourg. Today's chapter focuses on reporting, organisational requirements, governance and risk management.


What key reporting and disclosure requirements apply to banks in your jurisdiction?

Banks are subject to extensive reporting requirements, and in particular prudential reporting requirements under Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms, as amended (CRR). This includes reporting on own funds, financial information, large exposures, leverage, liquidity, losses stemming from lending collateralised by immovable property and asset encumbrance. The content and format of the reporting are harmonised by Commission Implementing Regulation (EU) No 680/2014 of 16 April 2014 laying down implementing technical standards with regard to supervisory reporting of institutions according to the CRR.

There are additional reporting requirements covered by Luxembourg provisions. Banks must, for instance, provide:

  • information on participating interests and subordinated loans;
  • information on staff expenses and taxes;
  • a list of their head offices, agencies, branches and representative offices;
  • an analysis of shareholdings; and
  • a list of persons responsible for certain functions and activities.

Ad hoc reports may also be requested by the Commission de Surveillance du Secteur Financier (CSSF).

In order to assist banks with their reporting obligations, the CSSF published Circular 14/593, as amended, on supervisory requirements applicable to credit institutions, as well as Circular 19/731, which lists the documents to be submitted to the CSSF and the European Central Bank on an annual basis, as well as the appropriate timing for submission. The CSSF also published a guide on reporting requirements for credit institutions.

Depending on their activities, banks may also be subject to specific reporting requirements under specific regulations. For instance, Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories requires settlement internalisers (ie, credit institutions which execute transfer orders on behalf of clients or on their own account other than through a securities settlement system) to report to the CSSF on a quarterly basis the aggregated volume and value of all securities transactions that they settle outside securities settlement systems. Likewise, Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories and Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse require banks that are counterparties to derivative contracts and securities financing transactions, respectively, to report the details of such contracts and transactions to trade repositories.

Banks have an obligation to publish their duly approved annual accounts together with the management reports and the reports from the persons responsible for auditing the accounts in accordance with the Accounts Law. Banks are further subject to periodic statistical reporting to the Banque Centrale du Luxembourg.

What key organisational and governance requirements apply to banks in your jurisdiction?

Generally, credit institutions must have in place effective policies and procedures to ensure compliance with their legal obligations and avoid conflicts of interest. From a systems perspective, credit institutions must invest appropriately to ensure continuity and regularity of services, and have appropriate risk management and security systems in place. Outsourcing is permitted; however, it must be contractualised and banks remain fully liable for any outsourced functions. Banks must ensure accurate recordkeeping for all services and transactions and ensure that, in respect of client assets, those assets' ownership rights are protected. Client financial instruments may not be used on own account, except where a client has provided express permission.

The Law of 5 April 1993 on the financial sector, as amended, and the CRR require the management body of institutions to define, oversee and be accountable for the implementation of governance arrangements. The key accountabilities include the strategic objectives, risk strategy, and internal governance. In addition, the management body must ensure the integrity of the financial reporting system and exercise effective oversight of the daily management of the bank. There is a prohibition against combining the role of chair of the management body and chief executive officer. In respect of the composition of the management body, particular attention must be paid to the experience, skills, and knowledge of individual members, but also of the management body as a whole. There are detailed requirements in respect of time commitment and the number of directorships which may be held simultaneously. Credit institutions must also ensure that adequate human and financial resources are dedicated to the induction and training of members of the management body.

In addition, CSSF Circular 12/552 sets out detailed requirements relating to internal governance arrangements and specific requirements for the finance and IT functions. Banks must have appropriate internal communication and whistleblower arrangements and must also have put in place crisis management protocols, which have been tested. All governance arrangements must be documented in writing. Following the implementation of CSSF Circular 12/552 in late 2012, this was a major area of focus for banks in Luxembourg.

What key risk management requirements apply to banks in your jurisdiction?

Banks in Luxembourg must have adequate internal control systems in place to promote sound and effective risk management. The CSSF recommends that larger or more complex institutions have a risk committee to assist the management body in order to facilitate effective risk control at management body level. CSSF Circular 12/552 requires the management body to approve a risk policy which implements the risk strategy of the institution. This policy must include:

  • the institution's risk tolerance determination;
  • an internal limits system which limits risk-taking in accordance with the risk tolerance;
  • measures aimed to promote a sound risk culture;
  • the existence of a risk control function and management arrangements for limits breaches and corrective measures for such breaches;
  • the definition of a risk management information system; and
  • crisis management and business continuity arrangements.

Further, the management body must set a capital and liquidity policy which:

  • defines internal standards in relation to the management, scope and quality of the regulatory and internal own funds and liquidity reserves;
  • defines processes to ensure reliable management information;
  • ensures the permanent adequacy of the regulatory and internal own funds and liquidity reserves;
  • effectively manages stress situations; and
  • designates the functions in charge of the management, functioning and improvement of the processes, limit systems, procedures and internal controls.

CSSF Circular 12/552 requires the establishment of three distinct internal control functions (risk, internal audit and compliance). The risk and compliance functions form part of the second line of defence, while the internal audit function constitutes the third line of defence. Each of the three control functions shall be under the responsibility of a separate head of function (who, for the risk control function, is referred to as the 'chief risk officer'). The principle of proportionality applies and it is therefore possible to merge the risk management and compliance functions on a case-by-case basis. The risk management function (as well as the compliance and audit functions) must be permanent and independent, and hold sufficient authority. The chief risk officer must have direct access to the members of the management body or its chair (or chair of the risk committee), the external auditor and the CSSF. The bank shall ensure that individuals working within the risk management function have a high level of professional experience and that the function is appropriately resourced. It is not permissible to outsource the risk management function. Under the principle of proportionality, a full-time chief risk officer may not be required for smaller institutions and this is evaluated on a case-by-case basis.

There are a number of important tasks which fall within the remit of the risk management function:

  • monitoring risk limits and their compatibility with the strategies, activities and organisational and operational structure of the bank;
  • systematic production of accurate risk management information for authorised management to understand the risks to which the institution is or may be exposed;
  • the development of effective terminology, methods and technical resources to anticipate risk, as well as to identify, measure, report, manage, and monitor risks;
  • the development of conservative assumptions in particular regarding dependencies between risks; and
  • the anticipation and recognition of risks arising in a changing environment.

An annual risk management report relating to the tasks of the risk management function is prepared and submitted to the management body, in addition to regular and ad hoc reporting. Any serious problems, shortcomings or irregularities must be reported immediately by the risk management function to authorised management and the management body. It is also noteworthy that Luxembourg credit institutions must take risks into account when assessing new or expanded product offerings.

What are the requirements for internal and external audit in your jurisdiction?

External audit: Credit institutions must have their annual accounts audited by one or more approved statutory auditors. One of the 'Big Four' is typically appointed in order to perform this task. Any change in the approved statutory auditor must be authorised in advance by the CSSF.

The Accounts Law specifies the content that must be included in the report of the approved statutory auditors. The approved statutory auditors must also express an opinion concerning the consistency of the management report with the annual accounts and provide an audit opinion stating clearly whether the annual accounts give a true and fair view in accordance with the relevant financial reporting framework and whether the annual accounts comply with the applicable statutory requirements.

Internal audit: As mentioned under question 6.3, CSSF Circular 12/552 requires the establishment of three distinct internal control functions, which includes an internal audit function.

The internal audit function shall be under the responsibility of a specific head of function (the 'chief internal auditor'). The appointment and removal of the person in charge of the internal audit function must be approved by the board of directors of the bank and reported in writing to the CSSF. The 'chief internal auditor' must have direct access to the members of the management body or its chair, the external auditor and the CSSF.

The internal audit function must be permanent, independent and objective, and have sufficient authority. It must be able to express itself freely and access all relevant external and internal data in order to fulfil its mission. The members of the internal audit function must individually and collectively possess high professional skills in the field of banking and financial activities, and be able to cover all activities of the institution; ongoing training must be organised. The internal audit function must be appropriately resourced.

The main task of the internal audit function is to review and assess the central administration and the internal governance arrangements of the credit institution and to ensure that they are adequate and operate effectively. The internal audit function shall in particular assess:

  • the monitoring of compliance with applicable laws and regulations and the prudential requirements imposed by the CSSF;
  • the efficiency and effectiveness of internal controls;
  • the adequacy of the administrative, accounting and IT organisation;
  • the safeguarding of securities and assets;
  • the adequacy of the segregation of duties and of the execution of transactions;
  • the accurate and complete registration of transactions;
  • the provision of accurate, complete, relevant and understandable information to the board of directors, relevant committees, authorised management and the CSSF, as applicable;
  • the implementation of decisions taken by the authorised management and by the persons acting by delegation and under its responsibility;
  • compliance with the procedures governing the adequacy of the regulatory and internal own funds and liquidity (reserves);
  • the adequacy of the risk management; and
  • the operation and effectiveness of the compliance and risk management functions.

Each internal audit mission must be documented and subject to a written report. An annual internal audit report relating to the tasks of the internal audit function must also be prepared.

The internal audit function may be outsourced by smaller credit institutions whose risk profile is low and non-complex. Such outsourcing is subject to an assessment by the CSSF. The internal audit function may not be outsourced to the approved statutory auditor which is appointed as external auditor.

CSSF Circular 12/552 contains additional details on the organisation and responsibilities of the internal control functions, including the internal audit function, and the way in which they must execute their work.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

This article was first published in Mondaq.