
Special permanent position of a head of risk management

Risk management in financial undertakings is governed by Article 77(b) of Act No. 161/2002 (in Icelandic) on Financial Undertakings. The first paragraph of Article 77(b) of the Act states, among other things, that a financial undertaking shall operate risk management in a unit that is independent of its other operational units, if applicable, taking into account the size, nature and scope of the undertaking’s operations and the multifaceted nature of its operations. The functions of risk management are discussed in greater detail in the EBA’s Guidelines on the Internal Governance of Financial Undertakings.

The third paragraph of Article 77(b) of the Act deals with the head of risk management. It states, among other things, that the managing director of the financial undertaking appoints the director of risk management.

According to the fifth paragraph of Article 77(b) of the Act, if the activities of a financial undertaking do not justify the special permanent position of a head of risk management, the Financial Supervisory Authority may authorise another high-ranking employee to supervise the risk management of the financial undertaking, provided that there are no conflicts of interest. In making such an assessment, the Financial Supervisory Authority shall take into account the nature and scope of the undertaking’s activities and how multifaceted it is.

Information regarding the application for an exemption from the special permanent position of a head of risk management can be found on the Icelandic site's form search.

Risk Committee

The risk committees of financial undertakings are governed by Article 78 of the Act on Financial Undertakings. According to the first paragraph of Article 78 of the Act, a financial undertaking must operate a risk committee. The committee shall consist of a minimum of three members. Committee members must be board members of the relevant company and possess sufficient knowledge and skills to fully understand and monitor the undertaking’s risk policy and risk appetite. The work of the risk committee, as well as the audit committee, is discussed in greater detail in the EBA’s Guidelines on the Internal Governance of Financial Undertakings.

The Financial Supervisory Authority can grant two types of exemptions in connection with the operation of the risk committee.

On the one hand, the Financial Supervisory Authority, taking into account the nature and scope of the undertaking’s activities and how multifaceted it is, may grant an exemption from the operation of a risk committee or from individual aspects of a risk committee’s operations. The Financial Supervisory Authority may set conditions for exemptions for financial undertakings. In the event of such an exemption, the duties of the risk committee shall then mutatis mutandis rest on the board of the financial undertaking, cf. the fifth paragraph of Article 78 of the Act.

Information regarding the application for an exemption from the operation of a risk committee can be found on the Icelandic site's form search.

However, the Financial Supervisory Authority, taking into account the size, nature and scope of a financial undertaking's operations, and the multifaceted nature of the undertaking's operations, may authorise a financial undertaking to combine the functions of the risk committee and the audit committee as provided for in Section A of Chapter IX of Act no. 3/2006 (in Icelandic) on Annual Accounts. The members of the combined committee must have sufficient knowledge and ability to carry out tasks that would otherwise have been assigned to each committee individually, cf. fourth paragraph of Article 78 of the Act on Financial Undertakings.

Auditing Section

The auditing section of a financial undertaking is governed by Article 16 of the Act on Financial Undertakings. The work of the auditing section is discussed in greater detail in the EBA’s guidelines on the internal governance of financial undertakings and General Guidelines no. 3/2008 (in Icelandic). These guidelines also apply if an exemption from the operation of an internal auditing section is granted.

According to the first paragraph of Article 16 of the Act, a financial undertaking must have an auditing section to handle internal auditing and it shall operate independently of other departments in the financial undertaking’s organisation; it is part of its organisational structure and an aspect of its internal system of controls. The board of directors of a financial undertaking shall engage the director of the undertaking’s auditing section, who shall be responsible for internal auditing on its behalf, cf. the second paragraph of Article 16 of the Act.

According to the fifth paragraph of Article 16 of the Act, the Financial Supervisory Authority may, having regard to the nature and scope of the management of specific financial undertakings, grant an exemption from the operation of such an auditing section or particular aspects of its activities and set special conditions for undertakings that are granted such exemptions.

The Financial Supervisory Authority has issued General Guidelines no. 2/2011 (in Icelandic), which describe the criteria taken into account when deciding on the granting of the exemption. The following discussion covers the main elements that must be included in an application for such an exemption and the accompanying documents.

Application for Exemptions

An exemption from the operation of an internal auditing section is requested from the Financial Supervisory Authority with a written application. The application must state the reasons for applying for an exemption.

When deciding on the granting of an exemption, the Financial Supervisory Authority looks in particular at operational risks, i.e. it ensures that the scope of a financial undertaking's operations is below ISK 100 bn. It is possible to grant an exemption even though a financial undertaking exceeds the above-mentioned criterion. The conditions are that the independence of the internal auditing section is better secured by this measure, the number of full-time employees is below 100 and that the relevant financial undertakings have few and simple operating licences. It is also taken into account whether internal auditing is assigned to the parent company.

A financial undertaking must satisfy the conditions for the exemption granted at any given time. This means that a financial undertaking must notify the Financial Supervisory Authority if the conditions for an exemption have changed. The Financial Supervisory Authority also reserves the right to withdraw the exemption or set special conditions for it later if circumstances change.

In addition to a written application specifying the grounds for an exemption, the following documents must be submitted:

  1. Evidence of eligibility and competence.
  2. A written agreement.
  3. Analysis of the impact of the exemption on the overall risk policy and internal controls as well as the contingency plan.

Detailed requirements are made regarding the qualification, competence and independence of the internal auditor, cf. Article 16 of the Act on Financial Undertakings. The same requirements are made of the director of the parent company's internal auditing section as of the external expert. For this reason, the Financial Supervisory Authority requests:

Assessment of the eligibility of the head of the parent company's internal auditing section and the external expert is ongoing. This means that if a new person takes over the job after a financial undertaking has received approval for an exemption from the operation of an internal auditing section, they must send the Financial Supervisory Authority a notification to that effect as well as confirmation of their eligibility and competence. Also, if the qualifications of a director or an external expert change in such a way that they may no longer meet the eligibility requirements of the law, this must be reported to the Financial Supervisory Authority.

The auditor or auditing firm of a credit institution cannot undertake both internal and external audits for the same credit institution, cf. Article 5 of Regulation (EU) No 537/2014 adopted into law with Act no. 94/2019 on Auditors and Auditing.

The following are some of the items that must be stated in the contract with the head of the parent company’s internal auditing section and the external expert regarding internal auditing:

  • The board of directors of a financial undertaking shall appoint the director of the undertaking's auditing section, who shall be responsible for internal auditing on its behalf. In view of the above, it is right that the board of directors also appoints the director of the parent company's internal auditing section or an external expert. The managing director can also appoint him/her according to a special mandate from the board where the party is named. The director or expert must also be named in the contract and must sign it.
  • Definitions of the tasks of internal auditing and the authority of the director or expert shall be stipulated, cf. Guidelines no. 3/2008.
  • It is necessary to state that the Financial Supervisory Authority has access to all data related to internal auditing tasks in the relevant financial undertaking. The same applies to the access of the board of directors, the audit committee and the auditors of the financial undertaking.
  • The board and managing director of a financial undertaking are responsible for ensuring that satisfactory internal control and internal auditing are in place. Therefore the responsibility for internal auditing of the financial undertaking's board of directors and the managing director must be stipulated.
  • Provisions regarding the duration and termination of the contract must be stated. It is important not to set unrealistic demands regarding the duration or costs due to the scope of the internal auditing.
  • An obligation of confidentiality shall be stipulated, cf. Article 58 of the Act on Financial Undertakings.
  • The head of the parent company's internal auditing section or an external expert and their employees involved in the internal auditing of a financial undertaking may not be shareholders in the relevant financial undertaking. Employees must jointly possess sufficient experience and expertise to handle the section’s tasks, cf. the first paragraph of Article 16 of the Act on Financial Undertakings. It is therefore right to stipulate these conditions in the contract in a general manner.

Financial undertakings need to explain the impact of being granted an exemption or continued exemption from the operation of an internal auditing section and have a contingency plan in place if the contract with an external expert ends.