Updated 25/12/2024
In force

Initial Legal Act
Amendments
Search within this legal act

Article 9 - General

Article 9

General

1.   In order to assess whether an institution is compliant with the requirements on internal governance, including requirements on senior management and management body, internal reporting, credit risk control and internal audit, oversight and validation, competent authorities shall verify all of the following:

(a)

the robustness of the arrangements, mechanisms and processes of validation of rating systems of an institution and the appropriateness of the personnel responsible for the performance of the validation (‘validation function’) as referred to in points (c) and (f) of Article 144(1), point (d) of Article 174, Article 185 and Article 188 of Regulation (EU) No 575/2013, in respect of:

(i)

the independence of the validation function, in accordance with Article 10;

(ii)

the completeness and frequency of the application of the validation process, in accordance with Article 11;

(iii)

the adequacy of the methods and procedures of the validation function, in accordance with Article 12;

(iv)

the soundness of the reporting process and the process for addressing the validation conclusions, findings and recommendations in accordance with Article 13;

(b)

the internal governance and oversight of the institution, including the credit risk control unit and the internal audit of the institution, as referred to in Articles 189, 190 and 191 of Regulation (EU) No 575/2013 in respect of:

(i)

the role of senior management and the management body, in accordance with Article 14;

(ii)

the management reporting, in accordance with Article 15;

(iii)

the credit risk control unit, in accordance with Article 16;

(iv)

the internal audit, in accordance with Article 17.

2.   For the purposes of the verification under paragraph 1, competent authorities shall apply all of the following methods:

(a)

review the relevant internal policies and procedures of the institution;

(b)

review the relevant minutes of the institution’s internal bodies, including the management body, or committees;

(c)

review the relevant reports relating to the rating systems, as well as any conclusions and decisions taken on the basis of those reports;

(d)

review the relevant reports on the activities of the credit risk control, internal audit, oversight and validation functions prepared by the staff responsible for each of those functions or by any other control function of the institution, as well as the conclusions, findings and recommendations of those functions;

(e)

obtain written statements from or interview the relevant staff and senior management of the institution.

3.   For the assessment of the validation function, in addition to the methods referred to in paragraph 2, competent authorities shall apply all of the following methods:

(a)

review the roles and responsibilities of all staff involved in the validation function;

(b)

review the adequacy and appropriateness of the annual validation work plan;

(c)

review the validation manuals used by the validation function;

(d)

review the process of categorisation of the findings and the relevant recommendations in accordance with their materiality;

(e)

review the consistency of the conclusions, findings and recommendations of the validation function;

(f)

review the role of the validation function in the internal approval procedure of rating systems and all related changes;

(g)

review the action plan of each relevant recommendation, also in terms of its follow-up, as approved by the appropriate management level.

4.   For the assessment of the credit risk control unit, referred to in point (c) of Article 144(1) and Article 190 of Regulation (EU) No 575/2013, in addition to the requirements referred to in paragraph 2, competent authorities shall apply all of the following methods:

(a)

review the roles and responsibilities of all relevant staff and senior management of the credit risk control unit;

(b)

review the relevant reports submitted by the credit risk control unit and the senior management, to the management body or to the designated committee thereof.

5.   For the assessment of the internal audit or another comparable independent auditing unit as referred to in Article 191 of Regulation (EU) No 575/2013 in addition to the requirements referred to in paragraph 2, competent authorities shall apply all of the following methods:

(a)

review the relevant roles and responsibilities of all relevant staff involved in the internal audit;

(b)

review the adequacy and appropriateness of the annual internal audit work plan;

(c)

review the relevant auditing manuals and work programs and the findings and recommendations included in the relevant audit reports;

(d)

review the action plan of each relevant recommendation, also in terms of its follow-up, as approved at the appropriate management level.

6.   In addition to the methods listed in paragraph 2, competent authorities may review other relevant documents of the institution for the purposes of the verification under paragraph 1.