Aspects of Corporate Governance Regulations for CNBS-Supervised Institutions

On October 22, 2022, in the Official Gazette No. 36,057, the Corporate Governance Regulation for Supervised Institutions (hereinafter referred to as the Corporate Governance Regulation) was published, establishing an adaptation period of 8 months.

During the adaptation period, we had the opportunity to advise banks, insurance companies, and other institutions supervised by the CNBS in updating their articles of incorporation and bylaws, as well as various policies, manuals, guidelines, and/or corporate governance codes. Additionally, in the second half of 2023 and 2024, we guided clients regarding CNBS reports resulting from audits aimed at verifying compliance and implementation of various aspects of the Corporate Governance Regulation.

Among the highlights of the Corporate Governance Regulation, we find the expansion of the concept of “suitability” contained in the special laws of each of the supervised institutions. In this regard, the CNBS establishes 3 types of suitability:

    • Financial Suitability.
    • Moral Suitability.
    • Technical Suitability.

These suitability concepts reaffirm the high criteria and standards that apply to members of the administrative bodies and to officials of the supervised institutions, as outlined in CNBS Circular No. 17/2017 and in the Regulation of Minimum Requirements for New Supervised Institutions, on which we wrote an article in 2023.

Another of the most important changes established by this regulation is the implementation of “risk governance.” On this topic, it is established that the administrative body and its support committees are responsible for overseeing, strengthening, and promoting risk governance, with an emphasis on identifying and managing risks through the following lines of defense:

    1. The first line of defense: Is responsible for the day-to-day management of risks and focuses on identifying, assessing, and reporting each exposure, considering the approved risk appetite and its policies, procedures, and controls. It is generally associated with business lines or significant activities of the supervised institution. Business lines or operational management own the risk, so they must recognize and manage the risk they assume in carrying out their activities.
    2. The second line of defense: Complements the first by monitoring and reporting to the respective authorities. It generally includes the risk management function, the regulatory compliance function, including anti-money laundering and counter-terrorism financing prevention, or other surveillance functions as established by the commission.
    3. The third line of defense: Consists of an independent and effective internal audit function that provides the Board of Directors or its equivalent with information on the quality of the risk management process. Additionally, it is responsible for conducting general and risk-based reviews to assure the Board of Directors, or its equivalent, that the corporate governance framework, including the risk governance framework, is effective and that policies and processes are consistently applied.

The entry into force of the Corporate Governance Regulation, together with the CNBS audits, demonstrates that current policy aims to strengthen the “Corporate Governance Framework” of supervised institutions. As defined in the regulation, the Corporate Governance Framework consists of a set of laws, regulations, policies, manuals, and responsible and transparent ethical practices, which must be aligned with principles of good international practices.

Likewise, the subsequent CNBS audits, and the findings and required actions set out in the resulting reports, demonstrate that CNBS policy also aims to ensure that supervised institutions implement in practice (through their various sessions, whether of the administrative body or its support committees) what is established in the Corporate Governance Framework, that is, to give life and compliance to what is established in laws, regulations, policies, manuals, and corporate governance codes. In this sense, each of the supervised institutions needs to strengthen its legal and regulatory compliance departments to avoid possible administrative sanctions from the regulator.