Internal control framework
Legal and regulatory framework:
- Banking Law: Article 21, § 1, 2°
- NBB Regulation:
  - Regulation of 19 May 2015 on the internal control and the internal audit function
- Relevant thematic NBB circulars:
  - Circular NBB_2021_28 of 16 November 2021 transposing Guidelines EBA/GL/2021/05 of 2 July 2021 on internal governance
  - Uniform letter of 16 November 2015 on the report of the senior management on the assessment of the internal control
  - Circular NBB_2015_21 of 13 July 2015 concerning the internal control system and the internal audit function
  - Circular NBB_2011_09 of 20 December 2011 on the report of the senior management on the assessment of the internal control
- International reference documents:
  - Guidelines EBA/GL/2021/05 of 2 July 2021 on internal governance => paragraphs 141 to 151
Institutions should develop and maintain a culture that encourages a positive attitude towards risk control and compliance within the institution, as well as a robust and comprehensive internal control framework. Under this framework, institutions' business lines should be responsible for managing the risks they incur in conducting their activities and should have controls in place that aim to ensure compliance with internal and external requirements. As part of this framework, institutions should have independent control functions with appropriate and sufficient authority, stature and access to the statutory governing body to fulfil their mission, and a risk management framework.
The internal control framework of institutions should be adapted on an individual basis to the specificity of the institution’s activities, its complexity and the associated risks, taking into account the group context. Institutions should organise the exchange of the necessary information in a manner that ensures that each management body, business line and internal unit, including each independent control function, is able to carry out its duties. This means, for example, that appropriate information should be exchanged between the business lines and the compliance function (including the AMLCO), as well as between the persons responsible for the independent control functions at group level and the institution's statutory governing body.
Institutions should put in place, maintain and regularly update adequate internal control policies, processes/mechanisms and procedures. Particular attention should, inter alia, be paid to arrangements for combating money laundering and countering terrorist financing.
The written policies should be approved by the statutory governing body and communicated to all staff. This should be repeated each time significant changes are made.
The NBB recommends that at least the following governance policies be developed:

| # | Policy |
|---|---|
| 1 | Fit & proper policy[1] |
| 2 | Diversity policy[2] |
| 3 | Internal rules regarding external functions |
| 4 | Remuneration policy |
| 5 | Outsourcing policy |
| 6 | Conflict of interest policy at institutional level |
| 7 | Conflict of interest policy for staff |
| 8 | Internal reporting policy (whistleblowing) |
| 9 | Code of good business conduct |
| 10 | Tax prevention policy |
| 11 | Policy on preventing money laundering and terrorist financing |
| 12 | Risk management policy |
| 13 | New product approval policy |
| 14 | ICT security and continuity policy |
| 15 | Charters regulating the independent control functions |
The independent control functions should verify that the policies, mechanisms and procedures set out in the internal control framework are properly implemented in their respective areas of responsibility.
For further information on the internal control framework, please refer to paragraphs 141 to 151 of Guidelines EBA/GL/2021/05.
[1] Policy covering the selection, appointment, reappointment and succession of members of the statutory governing body as well as their induction and training.
[2] This policy may be part of the fit & proper policy, or it may be separate provided that the fit & proper policy makes explicit reference to it.