New Regulatory Guidelines on Corporate Governance for Banks, Securities Dealers and Financial Groups/Conglomerates (FINMA Circular 2017/1)

On 1 November 2016, FINMA published its new circular 2017/1 on “Corporate governance – banks” streamlining the regulatory framework on corporate governance for banks, securities dealers, financial groups and conglomerates by defining partially revised minimum requirements and underlying principles. The new circular consolidates and replaces three former FINMA circulars and addresses the lessons learned from the financial crisis as well as the revised international standards. The most significant changes pertain to i) FINMA’s commitment to a more principle-based approach and consistent application of the principle of proportionality, ii) the introduction of provisions for the audit and risk committee of the governing body as well as iii) the possibility to delegate the internal audit function to another unregulated group company, provided such group company fulfills certain minimum requirements regarding capabilities and resources. The new circular will enter into force on 1 July 2017.

By Peter Ch. Hsu / Sandro Fehlmann (Reference: CapLaw-2017-17)

1) Introduction

On 1 November 2016, FINMA published its new Circular 2017/1 “Corporate governance – banks” (Circular 17/1) streamlining the regulatory framework on corporate governance for banks, securities dealers, financial groups and (bank or securities dealer dominated) conglomerates (collectively referred to as Banks) by i) consolidating the currently applicable guidelines outlined in various circulars and FAQs and ii) partially revising the minimum requirements as well as the underlying principles. Circular 17/1 will enter into force on 1 July 2017. Concurrently, FINMA also revised its circulars 2008/21 on “Operational risks – banks” and 2010/1 on “Remuneration schemes”, which will both enter into force on 1 July 2017 as well (summary discussion on these to follow in a separate CapLaw publication).

Circular 17/1 remains to a large extent in line with the currently applicable FINMA guidance (and the draft circular published on 1 March 2016), except for a number of important changes in specific areas, which will be the focus of this article.

2) Circular 17/1 on Corporate Governance for Banks

a) Overview

Circular 17/1 consolidates the supervisory law requirements relating to corporate governance, internal control systems and risk management for Banks that were previously scattered between two FINMA circulars: i) circular 2008/24 “Supervision and internal control – banks” and ii) circular 2008/21 “Operational risks – banks” as well as the FAQ on the Governing Body (Oberleitungsorgan).

Circular 17/1 will supersede circular 2008/24 and the FAQ which currently regulates corporate governance aspects for banks and securities dealers. Circular 2008/24 has not been materially amended since its implementation in 2006. Therefore, the circular does not yet reflect lessons learned from the financial crisis. Furthermore, international standard setters such as the Basel Committee on Banking Supervision (BCBS) adjusted their guidelines in the meantime to implement a standard for modern corporate governance and efficient risk management (e.g. the BCBS Guidelines on Corporate governance principles for banks dated July 2015). In addition, the International Monetary Fund (IMF) issued in its Financial Sector Assessment Program of 2014 recommendations on capitalization and corporate governance. In Circular 17/1, FINMA addresses these developments, complementing them with additional risk management aspects demonstrating FINMA’s increased focus on modern corporate governance as well as an adequate and efficient internal control system. Apart from international developments, this strengthened focus on risk management results from FINMA’s recent supervisory practice showing that operational risks in banking have become more diverse.

At its core, Circular 17/1 includes provisions relating to various corporate governance aspects such as governing and management bodies, risk management, the internal control system and internal audit. The circular consistently reflects the concept of principle-based regulation. However, FINMA explicitly acknowledged that corporate governance and risk management are regulatory topics that may not be adequately addressed by a “one size fits all”-approach (explanatory report dated 1 March 2016, p. 9). Consequently, the new circular aims to leave room for institutions to implement the requirements on a case-by-case basis, i.e. considering their different business models and the risks associated therewith (consultation report dated 22 September 2016, key point no. 2). Furthermore, FINMA expressly reserves the possibility to grant reliefs or be more restrictive in the individual case (note 8 of Circular 17/1).

b) Scope of Application of Circular 17/1

A significant change in Circular 17/1 vs. the current regulation is the shift from a “comply or explain” approach as currently applied in several areas to a consistently applied principle of proportionality. This allows FINMA to consider on a case-by-case basis the characteristics of each Bank in terms of size, complexity, structure and risk profile (note 8 of Circular 17/1). The principle of proportionality has mainly been implemented by differentiating between the different supervisory categories of Banks. Accordingly, more stringent requirements apply in certain areas for Banks in the supervisory categories 1-3 or for systemically relevant banks, whereas Banks in the supervisory categories 4 and 5 “only” have to fulfill the baseline requirements (see e.g. notes 31, 59 and 70 of Circular 17/1).

The reason for this shift is that the “comply or explain” approach, which is an established concept in self-regulatory regimes (i.e. institutions explaining non-compliance with certain requirements in their annual reports), is rare in the regulated space and has in practice rendered a timely supervision by FINMA difficult. FINMA also highlighted that it will consider granting exceptions in the future should it not be possible to meet the requirements of Circular 17/1 in a specific individual case for convincing reasons (explanatory report dated 1 March 2016, p. 10).

The provisions of Circular 17/1 on group structure have been aligned with international guidelines. Accordingly, the principles and provisions of Circular 17/1 for individual institutions will apply to financial groups and conglomerates by analogy, which largely aligns with current FINMA practice (note 98 of Circular 17/1). In particular, financial groups and conglomerates must implement rules on the tasks and responsibilities of the various bodies being responsible for the group management.

c) Modifications relating to the Responsibilities and Requirements for the Governing Body

Circular 17/1 uses the more general term “governing body” (Oberleitungsorgan) that, in principle, applies to all types of legal entities including e.g. companies limited by shares (AG) and cooperatives (Genossenschaften) as opposed to the term “board of directors” as referred to in circular 2008/24 that mainly refers to companies limited by shares in the meaning of article 620 et seq. CO.

The governing body must play an active role in strategic matters of a Bank (see as well the corporate law provisions on the non-transferable and unalienable competences of the board of directors in article 716a CO). Accordingly, Circular 17/1 contains a list of minimum required tasks and responsibilities for a Bank’s governing body, including the approval of the business strategy and risk policies. In this context, the governing body is responsible for the approval of the risk framework as well as the regulation, implementation and monitoring of an appropriate risk management and overall risk steering (note 10 of Circular 17/1). Besides such controlling aspects, Circular 17/1 will implement principles and structures for the governing body relating to the management of the Bank (so-called “checks and balances”), particularly in the areas of organization, accounting and the selection of candidates in key positions (notes 11-14 of Circular 17/1). The rather generic description of such activities corresponds with international standards (see e.g. principle no. 1 of the BCBS Corporate Governance Principles) and remains to a large extent in line with the current FINMA FAQ on the Governing Body. Finally, the governing body has to decide on important changes of the entity (and group) structure and investments of a strategic importance (note 15 of Circular 17/1). Interestingly, under the provisions of the draft circular 2016/xx “Corporate Governance – banks” published on 1 March 2016 (Draft Circular 17/1) the governing body had a general responsibility to decide on changes to the entity (and group) structure (note 17 of Draft Circular 17/1). In contrast, under Circular 17/1, the governing body only has to decide on important changes of the entity (and group) structure. This sensible adjustment allows for more flexibility in delegating tasks.

The provisions of Circular 17/1 on the composition of the governing body are largely similar to the current rules of the FAQ on the Governing Body and the provisions of the circular 2008/24. E.g. the requirement that at least one third of the board members must be independent will continue to apply. However, FINMA may in justified exceptional cases grant exceptions (note 17 of Circular 17/1). This might in particular be relevant in financial groups. Similarly to the current regime, a member of the governing body is deemed to be independent if he/she cumulatively fulfills at least the following criteria (notes 18-22 of Circular 17/1):

  • is not engaging in any other function in the institution or has not been engaged in such function in the last 2 years;
  • has not been employed as the responsible lead auditor of the financial institution’s audit company within the last 2 years;
  • does not maintain a business relationship with the financial institution of a type or scope which may lead to a conflict of interests; and
  • is not a qualified shareholder in the meaning of article 3 (2) (cbis) Banking Act and article 10 (2) (d) Stock Exchange Act and also does not represent such a person. The Draft Circular 17/1 envisaged that a significant part of the members of the governing body could not be (or represent) a qualified shareholder of the financial institution. In Circular 17/1, however, this requirement has been eased to the extent that it only has to be fulfilled by at least one third of the board members.

Under Circular 17/1, Banks in the supervisory categories 1-3 are required to establish an audit and a risk committee, irrespective of the total number of members of the governing body (note 31 of Circular 17/1). Under former FINMA practice, a Bank was only allowed to create a committee if the governing body consisted in total of at least five members (see Susan Emmenegger/Hansueli Geiger, Bank-Aktiengesellschaft – Statuten und Reglemente mit Mustern, Zurich/Basel/Geneva 2004, N 145).

The tasks and responsibilities of the committees correspond to a large extent to international standards, in particular principle no. 3 of the BCBS Corporate Governance Principles. Consequently, the responsibilities of the audit committee mainly relate to monitoring and evaluation tasks, e.g. regarding the financial reporting, the internal control and compliance functions, the risk control as well as the independence and effectiveness of the external auditor (notes 34-39 of Circular 17/1). The tasks of the risk committee, in contrast, refer to the framework concept for the entity (or group) wide risk management, the evaluation of the capital and liquidity planning as well as the general control over an appropriate risk management and risk strategy (notes 40-46 of Circular 17/1). Under Draft Circular 17/1, it was envisaged that Banks in the supervisory categories 1-3 had to create a separate audit committee and a separate risk committee (note 36 of Draft Circular 17/1). In contrast, the finalized Circular 17/1 requires this only for Banks in the supervisory categories 1 and 2 (note 31 of Circular 17/1). Accordingly, Banks in the supervisory category 3 may have a combined audit and risk committee. The majority of the members of the audit and the risk committee have to be independent in the meaning set forth above, but not mandatorily independent from the nomination committee as previously proposed in Draft Circular 17/1 (note 33 of Circular 17/1 and note 38 of Draft Circular 17/1).

d) Modifications relating to the Responsibilities and Requirements on the Management Body

Circular 17/1 defines minimum tasks and responsibilities of the management body and minimum requirements for its members which are largely in line with international standards, in particular the BCBS Corporate Governance Principles. Besides the operation of the daily business, the management body is responsible for the implementation of adequate internal systems such as the management information system (MIS), the internal control system and a suitable technology infrastructure (notes 47-50 of Circular 17/1). These management responsibilities have been adopted from circular 2008/24 (notes 80 et seq.) and circular 2008/21 (notes 122-123).

Although not expressly mentioned in Circular 17/1 (other than in the Draft Circular 17/1), the management body is, in our understanding, responsible for the monitoring of the compatibility of the business activities with the law and internal rules.

e) Modifications relating to the Risk Concept

Circular 17/1 provides for a duty to implement and manage a framework concept for the entity (and group) wide risk management which has been adopted from the circular 2008/21. Newly, FINMA explicitly requires such framework concept to be prepared by the management body and approved by the governing body (whereas before circular 2008/21 only referred to the requirement of approval by the governing body). Such framework concept has to include certain minimum standards addressing risk policy, risk appetite and risk limits of the respective institution (notes 53 et seq. of Circular 17/1).

Banks in the supervisory categories 1-3 have to include in their framework concept provisions referring to the risk data aggregation and reporting (Risikodatenaggregation und -berichterstattung), not only systemically relevant banks as it was initially envisaged in the Draft Circular 17/1. Systemically relevant banks are, however, required to include certain additional specifications in their risk data aggregation rules (note 59 of Circular 17/1). FINMA included transitional provisions for the implementation of the respective rules: Banks in the supervisory categories 1-3 have to implement such provisions on risk data within a one year transitional period (note 103 of Circular 17/1). Systemically relevant banks, however, have to implement the additional requirements already at the time of the entry into force of the circular or within a three year transitional period upon classification as systemically relevant bank (note 105 of Circular 17/1).

As widely criticised by the participants in the consultation procedure for the Draft Circular 17/1 (e.g. by Postfinance AG or the University of St. Gallen), the existing regulation lacked a proper definition of the term “risk management” and its distinction from “risk control”. Unfortunately, Circular 17/1 neither defines the term nor otherwise brings more clarity in this regard.

f) Modifications relating to the Internal Control System and the Internal Audit

Circular 17/1 envisages a holistic concept of an internal control system (ICS) in line with international guidelines, such as the ISO 31000 rules on Risk management, comprising at least the performance-oriented business units and independent supervisory bodies (note 60 of Circular 17/1). Furthermore, Circular 17/1 requires Banks in the supervisory categories 1-3 to implement the role of an independent chief risk officer (CRO), who has to be a member of the management body if the Bank is systemically relevant. Such CRO may also be responsible for other independent control functions (e.g. for the compliance function), even in the case of systemically relevant banks (notes 67 and 68 of Circular 17/1). In Draft Circular 17/1, a more restrictive approach was suggested as it required the CRO to be exclusively responsible for the risk control function.

Besides a semiannual report to the management body and an annual report to the governing body, the risk control function has to timely inform the management on special developments and, more extensively than under the current regime in circular 2008/24, in important cases, also the governing body (notes 75 and 76 of Circular 17/1).

Circular 17/1 adopts the detailed provisions referring to the implementation of an internal audit function from the circular 2008/24 almost verbatim. However, under the current regime, FINMA may in exceptional cases exempt a Bank from the requirement to implement an internal audit function (note 55 of circular 2008/24). Under Circular 17/1, no such explicit exemption option is envisaged. Similar to the current regime, in circumstances where the establishment of an institution-specific internal audit function appears to be inadequate (e.g. because of the small size of the Bank), the Bank may delegate the internal audit duties to i) the internal audit function of its parent company or of another group company, if this company is also a bank, a securities dealer or another supervised financial institution (e.g. an insurance company), ii) a second audit firm which is independent from the institution’s audit firm or iii) another group company or an independent third party, if the auditors confirm the professional capabilities and availability of appropriate technical and human resources (notes 83-86 of Circular 17/1). Extending the previous regime, Circular 17/1 under iii) above now also allows a delegation of the internal audit function to another (unregulated) group company, subject to the above confirmations by the auditors. This is particularly relevant if a Bank intends to outsource its internal audit function to e.g. an unregulated group internal service company. Considering the recent trend of financial institutions to implement a service company structure, this amendment is a sensible response to this trend.

Circular 17/1 provides for several minimum requirements on the remit of the internal audit. The requirement to prepare a multi-year plan for all risk relevant business activities which was contemplated in the Draft Circular 17/1 has not been adopted in Circular 17/1.

g) No Adoption of Provisions relating to Disclosure Duties

Draft Circular 17/1 envisaged to impose extended public disclosure obligations on Banks in the supervisory categories 1-3 similar to the corporate governance guidelines of the SIX. Such disclosure duties would have referred to information e.g. on the internal organization and functioning of the governing and the management body as well as vested interests of the members of the governing and the management body.

During the consultation period, the participants (such as UBS AG or the Verband Schweizerischer Kantonalbanken) questioned the legal basis for such disclosure duties and whether Circular 17/1 is the appropriate place for such disclosure rules. In response to this criticism, the entire chapter on disclosure requirements has not been included in Circular 17/1 but has been moved (in a reduced fashion) to the revised circular 2016/1 “disclosure – banks” which was published on 19 December 2016 and entered into force on 1 January 2017.

Peter Ch. Hsu
Sandro Fehlmann