Updated 17/10/2024
In force

Version from: 09/01/2024
Amendments (4)
There is currently no Level 2 legal act based on or specifying Article 9.

Article 9 - Internal control mechanisms and risk management processes

1. The Member States shall require regulated entities to have, in place at the level of the financial conglomerate, adequate risk management processes and internal control mechanisms, including sound administrative and accounting procedures.

2. The risk management processes shall include:

(a) sound governance and management with the approval and periodical review of the strategies and policies by the appropriate governing bodies at the level of the financial conglomerate with respect to all the risks they assume;

(b) adequate capital adequacy policies in order to anticipate the impact of their business strategy on risk profile and capital requirements as determined in accordance with Article 6 and Annex I;

(c) adequate procedures to ensure that their risk monitoring systems are well integrated into their organisation and that all measures are taken to ensure that the systems implemented in all the undertakings included in the scope of supplementary supervision are consistent so that the risks can be measured, monitored and controlled at the level of the financial conglomerate;

(d) arrangements in place to contribute to and develop, if required, adequate recovery and resolution arrangements and plans. Such arrangements shall be updated regularly.

3. The internal control mechanisms shall include:

(a) adequate mechanisms as regards capital adequacy to identify and measure all material risks incurred and to appropriately relate own funds to risks;

(b) sound reporting and accounting procedures to identify, measure, monitor and control the intra-group transactions and the risk concentration.

4. The Member States shall ensure that, in all undertakings included in the scope of supplementary supervision pursuant to Article 5, there are adequate internal control mechanisms for the production of any data and information which would be relevant for the purposes of the supplementary supervision.

The Member States shall require the regulated entities, at the level of the financial conglomerate, to regularly provide their competent authority with details on their legal structure and governance and organisational structure including all regulated entities, non-regulated subsidiaries and significant branches.

The Member States shall require the regulated entities to disclose publicly, at the level of the financial conglomerate, on an annual basis, either in full or by way of references to equivalent information, a description of their legal structure and governance and organisational structure.

5. The processes and mechanisms referred to in paragraphs 1 to 4 shall be subject to supervisory overview by the coordinator.

6. Competent authorities shall align the application of the supplementary supervision of internal control mechanisms and risk management processes as provided for in this Article with the supervisory review processes as provided for by Article 124 of Directive 2006/48/EC and Article 248 of Directive 2009/138/EC. To this end, the ESA shall, through the Joint Committee, issue common guidelines aimed at the convergence of supervisory practices with regard to the application of supplementary supervision of internal control mechanisms and risk management processes as provided for in this Article, as well as on the consistency with the supervisory review processes as provided for by Article 124 of Directive 2006/48/EC and Article 248 of Directive 2009/138/EC. They shall issue specific common guidelines for the application of this Article to participations of the financial conglomerate, in cases where national company law provisions obstruct the application of Article 14(2) of this Directive.