Converging towards sound governance practices

Circular CSSF 12/552 on central administration, internal governance and risk management in banks and investment firms

On 12 December 2012, the CSSF published Circular 12/552 on central administration, internal governance and risk management (hereinafter, the “Circular"). This Circular applies to all Luxembourg credit institutions and investment firms, as well as to Luxembourg branches of credit institutions and investment firms whose country of origin is outside the European Economic Area (hereinafter, the "establishments") on an individual and consolidated basis. Professionals carrying out loan transactions shall only remain subject to specific rules relating to credit risk.

This Circular has entered into force on 1 July 2013. Certain transitional provisions are, however, provided regarding the composition of the Board of Directors, the collective fitness and the certificate of the compliance officer, whose rules will be applicable on 1 January 2014.

The purpose of this Circular is mainly to bring together all the key requirements in terms of internal governance within one single circular. Circular 12/552 therefore gathers, for banks and investment firms, the updated requirements of the following Circulars which shall now be repealed:


  • IML 95/120 – Central administration
  • IML 96/126 - Administrative organisation and accounting procedures
  • IML 98/143 - Internal control
  • CSSF 04/155 (repealed) - Compliance function
  • CSSF 05/178 - Administrative and accounting organisation, outsourcing of IT services
  • CSSF 10/466 - Disclosures in times of stress


The purpose of Circular 12/552 is also to complement the existing rules of governance by implementing recent guidelines issued by the European Banking Authority (EBA) and the Basel Committee.

The ‘three-line-of-defence’ model as a new standard

Intensive scrutiny over governance arrangements is a clearly observed trend in the supervisory approach adopted by regulators all over Europe. In terms of organisational structure, the provisions set out in the Circular 12/552 pave the way for setting the ‘three lines of defence’ risk governance model as a market standard.

‘Fit and proper’ management body and key function holders

Assessment of the suitability of members of the management body and key function holders are now required for all banks and investment firms. Three major criteria are proposed: reputation, experience and governance. In particular, regarding experience, both theoretical and practical experiences should be considered with a specific focus on 6 specific domains of experience: financial markets, regulatory framework, strategic planning, risk management, internal control and financial information.

These strengthened criteria highlights the necessity to share a thorough understanding of key financial, risk and strategic information within the management body in order to effectively conduct the activities of the institution. A particular attention is notably made on technical knowledge of the banking business and understanding of risks credit institutions face. This knowledge should contribute to the capacity of members of the management body of constructively challenging the decisions so as to provide effective oversight.

Increased requirements regarding risk management

Some of the key new requirements introduced by Circular 12/552 relate to risk management, both from an organisational and methodological (including ICAAP) point of view:

  • Institutions should create a Chief Risk Officer (CRO) position, member of the authorised management. In case such a function is not occupied on a full time basis by virtue of the principle of proportionality, institutions must notify CSSF
  • An additional report should be prepared by the risk control function that differs from the existing ICAAP report. To avoid redundancies, CSSF clarifies key differences in terms of content and objectives
  • Part III of the Circular is dedicated to specific requirements related to risk management, with particular provision related to concentration risk, credit risk (notably through the introduction of maximum loan-to-value ratio of 80% for retail mortgage loans to keep on benefiting from the risk weight of 35% under the standardised approach), risk transfer pricing and private banking.

Our solutions to help you enhance your framework

The multidisciplinary range of our Governance, Regulatory and Risk Strategies (GRRS) provide comprehensive and adapted solutions to the challenges posed by CSSF Circular 12/552. Our Deloitte governance framework offers an end-to-end view of corporate governance and forms the basis for the tools that help boards and executives quickly identify potential opportunities to improve both effectiveness and efficiency of their governance practices.

Examples of services include:

  • Training sessions to educate members of the governing bodies on their roles and responsibilities
  • Benchmark your governance framework against regulatory requirements and peers
  • Enhance efficiency of your internal corporate governance through revision of the segregation of duties among control functions
  • Support in ensuring your risk management system is adequate and commensurate to your needs and enhance your ICAAP process to match regulators’ expectations
  • Support in reviewing completeness of your documentation hierarchy (strategies, policies, procedures and regulatory reporting)
  • Provide outsourced solutions such as internal audit services or regulatory hotline

Podcast: CSSF Circular 12/552 - Converging towards sound governance practices

Did you find this useful?