4.4.3.1. General aspects

4.4.3.1.1. Three lines of defence

4:149 The relations between, on the one hand, the commercial and business units, and, on the other, the independent control functions, are sometimes referred to as the three lines of defence model:

  • the commercial and operational units (including the front office) are the firm’s first line of defence, which is responsible for identifying the risks associated with each operation and observing the applicable procedures and limits;
  • the second line of defence includes the risk management function and the compliance function, which are responsible for ensuring that risks are identified and managed by the operational units, in accordance with the applicable rules and procedures;
  • the third line of defence is the internal audit, which, inter alia, monitors compliance with the applicable procedures by the first and second lines of defence.

4:150 The risk management, compliance and internal audit functions are necessary to ensure optimal performance of the supervisory role entrusted to the statutory governing body. They form a coherent group of cross-cutting control functions between which coordination is necessary. As these control functions are contiguous, they harmonise their activities and ensure an adequate exchange of relevant information. The risk management and compliance functions are supervised by the internal audit function.

4:151 None of the firm’s areas of activity may, for personal, commercial or financial reasons, fall outside the scope of the control functions (e.g. offshore activities).

4:152 As regards the prevention of money laundering and terrorist financing (AML/CFT), the Anti-Money Laundering Act stipulates that firms should appoint one or more persons tasked with implementing and steering the AML/CFT policy (the “AMLCO”). For more information on this subject, please see the EBA Guidelines on the role and responsibilities of the AMLCO (EBA/GL/2022/05) and the NBB’s website.[1]

4.4.3.1.2. Heads of independent control functions and the combining of control functions

4:153 The heads of the independent control functions should be at a hierarchical level that ensures they have the appropriate authority and stature needed to fulfil their responsibilities.

4:154 In general, the head of a control function should perform only this function, meaning it should not be combined with another control function (certainly not with an operational role or function). However, for small stockbroking firms and stockbroking firms that can justify a derogation from this rule based on the principle of proportionality, the NBB allows the same person to perform the risk management function and the compliance function provided (i) the performance of these two functions by the same person does not give rise to a conflict of interest (specifically, there is no “maker/checker” or “developer/inspector” situation), (ii) the person in question has the necessary knowledge and experience in both areas, and (iii) the person in question can devote the necessary time to the correct performance of both functions.

4.4.3.1.3. Independence of the control functions

4:155 The three control functions should be independent, which should at least be reflected in their status, their prerogatives, the arrangements for the remuneration of the heads of these functions and of the staff made available for the performance thereof, and their direct access to the statutory governing body (meaning they do not have to go through senior management). Notwithstanding the overall responsibility of the statutory governing body, the heads of the independent control functions should be independent from the business lines or units they oversee. Although the heads of the risk management, compliance and internal audit functions report to a member of senior management or, where applicable, the management committee,[2] they are directly accountable and answerable to the statutory governing body. Their performance is also reviewed by the latter.

4:156 For more information, please see paragraph 156 of EBA/GL/2021/14, which specifies the conditions control functions must meet in order to be considered independent.

4.4.3.1.4. Resources of the control functions

4:157 The independent control functions should dispose of sufficient (human and IT) resources to be able to carry out their tasks in an appropriate and independent manner. The heads of these functions should ensure that their staff possess the necessary qualifications and skills. For more information, please see paragraphs 157 and 158 of EBA/GL/2021/14.

4.4.3.1.5. Methods and access

4:158 The methods and procedures used by the independent control functions should be commensurate with the nature, scale and complexity of the firm’s activities and should be set down in writing.

4:159 The control functions should have access to all business lines and internal units with the potential to generate risk, as well as to relevant subsidiaries and affiliates. They should interact with the business units to help achieve the objective of firm-wide awareness of the importance of risk management.

4.4.3.1.6. Reporting

4:160 The heads of the risk management, compliance and internal audit functions should report at least once a year directly to the statutory governing body on the performance of their tasks and also inform senior management (or, where applicable, the management committee). Such direct access, which implies they do not have to go through senior management, is necessary in order to enable the statutory governing body to exercise its supervisory function more closely with regard to implementation of the firm’s strategy and its functioning.

4:161 Reporting to the statutory governing body can be done through the risk committee. When, in addition to the risk committee, an audit committee has also been set up, it is recommended that the risk management and compliance functions report to the risk committee and the internal audit function to the audit committee.[3]

4:162 The (at least) annual activity report of the independent control functions should:

  1. document all tasks performed by the independent control function during the preceding period;
  2. clearly indicate all shortcomings identified;
  3. provide recommendations to remedy these shortcomings.

Own-initiative reports

4:163 Article 34 of the Brokerage Supervision Act provides that, when so justified by the circumstances, the heads of the risk management function and the compliance function can of their own initiative, without first referring the matter to senior management (or, where applicable, the management committee), inform the statutory governing body of their concerns and, where applicable, alert it to the fact that specific risk-related developments have or could have a negative impact on the firm or, in particular, could damage its reputation.

4.4.3.1.7. Periodic assessment

4:164 In the performance of its supervisory function, the statutory governing body should periodically, and at least once a year, verify the proper functioning of the independent control functions. To that end, it should regularly receive a report from senior management, without prejudice to the direct examination of any relevant information provided by the functions concerned, where applicable through the specialised committees set up for this purpose by the statutory governing body. For the compliance function, the statutory governing body should assess its functioning based on a predetermined model described in Circular NBB_2019_15 and should observe the collection date indicated in the NBB’s communications on qualitative reporting.

4.4.3.1.8. Removal

4:165 In accordance with Article 62 §2 of the Brokerage Supervision Act, the heads of the independent control functions may not be removed without the prior approval of the statutory governing body acting in its supervisory capacity. If the removal of the head of an independent control function is being considered, the firm should first inform the NBB so that the latter can examine whether the reasons for removal are justified and, where appropriate, whether special measures should be taken based on the firm’s governance.

[1] Please see the section of the NBB’s website on the prevention of money-laundering and terrorist financing.

[2] Functional reporting to a senior manager consists of reporting on the activities of the independent control function concerned, without that member being able to intervene in the decision-making process (no hierarchical role). The senior manager to whom the heads of the independent control functions report should also determine, in consultation with the statutory governing body and/or its specialised committees, the human and material resources (IT, etc.) required by the independent control function concerned to carry out its tasks properly and should monitor resource-related issues.

[3] Circular NBB_2019_15 stipulates that the compliance function reports to the statutory governing body through the audit committee. This reporting to the statutory governing body should now be understood as taking place, in most cases, through the risk committee, although reporting through the audit committee may also be considered compliant.