Audit rights of the internal bank audit in cross-border situations (FN 1)
I. Background
The rapid increase in regulatory requirements in European banking supervision law has made internal audit (hereinafter: »IA«), more than ever, a third line of defense. (FN 2) In order to ensure a comprehensive control mechanism - also and in particular in banking groups - the auditors must have extensive access to all relevant business activities and processes.
This is all the more true the more complex the structure and activities of a banking group are, especially among subordinate companies abroad.
In the case of cross-border revisions in particular, the IA's inspection rights could diverge due to differing legal situations between the parent company and the subsidiary and, among other things, create problems for monitoring the consolidation.
The present article concretely addresses the rights and obligations of the internal banking group audit (hereafter referred to as »GA«) and focuses on the inspection rights of this organizational unit in the course of its cross-border audit activities.
II. Internal Audit - European legal framework
Despite its high practical relevance, the role of IA in the prudential supervision requirements at European level is either not mentioned explicitly at all (»CRD« (FN 3)) or only marginally, in the context of institution-specific calculation methods for regulatory standards (»CRR« (FN 4)). (FN 5)
The European legislator thus assumes (at least in specific cases) the existence of an IA, without, however, defining this function in European law. (FN 6)
From a systematic point of view, the IA forms part of the »governance arrangements« (art 74 para 1 CRD (FN 7)): Among other things, such arrangements must include adequate internal control mechanisms that take into account the nature, scale and complexity of the banking transactions carried out (para 2 par cit).
According to CRD, the internal control mechanisms thus represent an umbrella term for the process-dependent internal control system (ICS) and the process-independent IA. (FN 8)
According to art 109 para 2 CRD (»application level«), appropriate internal control mechanisms should also be ensured at (sub-)consolidated level. (FN 9) The obligation to set up a GA thus results directly from art 74 para 1 in conjunction with art 109 para 2 CRD.
III. Internal audit - Austrian legal framework
Pursuant to art 42 para 1 of the Austrian Banking Act, credit institutions and financial institutions have an »internal audit unit which reports directly to the directors and which serves the exclusive purpose of ongoing and comprehensive reviews of the legal compliance, appropriateness and suitability of the entire undertaking«.
In the Austrian Banking Act, the Austrian legislature explicitly distinguishes between ICS (art 39) and IA (art 42). (FN 10) The separation is also clearly evident from art 39 para 2 last sentence of the Austrian Banking Act, according to which the IA has to check the suitability and enforcement of the ICS at least once a year.
Despite this structural separation, the requirement to establish an IA can be considered part of the general due diligence obligations under art 39 of the Austrian Banking Act. (FN 11)
Within groups of credit institutions, the superordinate institution (IN) is responsible for fulfilling the tasks of the GA pursuant to art 30 para 5 of the Austrian Banking Act (art 42 para 7). (FN 12)
In terms of corporate law, art 82 of the Austrian Stock Corporation Act and art 22 of the Austrian GmbH-Law require the establishment of an internal control system.
Explicit requirements on setting up an IA, by contrast, are not found in company law. (FN 13)
However, art 92 para 4 no 4 lit b of the Austrian Stock Corporation Act requires the supervision of the internal audit system by the Audit Committee.
IV. Audit areas
The range of duties (audit areas) of the IA is partly prescribed by law (art 39 para 2 last sentence, art 42 para 1 and para 4 of the Austrian Banking Act, art 32 of the Austrian Securities Supervision Act 2018), but more specifically by market practices (FN 14) and official expectations (FN 15).
The examination of the legal compliance, appropriateness and suitability of the entire company (art 42 para 1 and para 4) and of the ICS (art 39 para 2, art 42 para 4 no 5) includes the review of all operating and business areas and processes of a CI (including anti-money laundering procedures and ICAAP/ILAAP) and of intrabank regulations and work instructions (FN 16), including the auditing of accounting, risk assessment and data-processing systems (see art 32 of the Austrian Securities Supervision Act 2018). (FN 17)
For the GA, art 42 para 7 of the Austrian Banking Act does not standardize any explicit audit areas. (FN 18) However, a purpose-oriented reading based on the obligations under para 1 par cit appears reasonable in view of the law's mandate that the IA of the superordinate institution takes over the tasks of the GA, read in conjunction with the relevant explanatory remarks of the government bill.
Thus, the purpose of the GA is to perform »the ongoing and comprehensive reviews of the legal compliance, appropriateness and suitability« of the entire CI group (art 42 para 1 analogously). (FN 19) In accordance with the explanatory remarks of the government bill of the original version of the Austrian Banking Act 1993 (FN ), the GA has in particular »to examine the formal and material regularity of the consolidated accounting, the compliance with the regulatory norms of this Federal Law and the advisability of the organizational structure of the Group«.
The phrase »in particular« clarifies the demonstrative character of this listing and leaves the GA sufficient room for interpretation as regards the materiality of the audit areas in the light of a risk-based auditing approach.
In our view, the obligation of the GA to examine at (sub-)consolidated level (see art 39 para 2 in conjunction with art 42 para 7 of the Austrian Banking Act, or art 109 para 2 CRD and art 11 para 1 CRR) must be interpreted broadly in the light of effective and comprehensive auditing activities. It must not be limited merely to the abstract scope of consolidation (as a fiction of a whole organism neutralizing intra-group processes), but should also include, where appropriate, in other words taking account of the risk-based approach, audits at solo level in the participations themselves. Otherwise, for example, the audit of the IA at the subsidiaries by the GA would not be guaranteed and the legal obligation for a comprehensive audit would not be fulfilled. However, the permissibility of such audits ends where the subsidiary's autonomy is disproportionately subverted. (FN 21)
V. Audit and inspection rights
Audit and inspection rights are not explicitly anchored in the Austrian Banking Act, either for the IA or for the GA. In return, however, the relevant provisions of European banking supervision law serve as a template for the GA's rights. According to art 109 para 2 first sentence CRD, the institutions must ensure that »arrangements, processes and mechanisms required by Section II [general principles for internal control mechanisms according to art 74 CRD; note from the authors] are consistent and well-integrated and that any data and information relevant to the purpose of supervision can be produced«.
Inversely, art 11 para 1 CRR, with explicit reference to the internal control mechanisms to be set up by the institution, also stipulates an obligation to ensure the proper processing and forwarding of the data necessary for (pillar I) consolidation. (FN 22) Since the GA forms part of the internal control mechanisms, it should also be granted access to all necessary data.
The obligation to exchange information applies to all companies in the scope of consolidation (FN 23), irrespective of whether they are institutions in accordance with art 4 para 1 no 3 CRR in conjunction with art 2 CRD (see art 109 para 2 second sentence CRD).
The submission requirement for all »data and information relevant to the purpose of supervision« is expressly stipulated at the expense of the subsidiaries (art 109 para 2 third sentence CRD), according to the wording irrespective of whether their seat is located in Austria, in the EEA or in a third country (eg Switzerland, Serbia, USA, etc). (FN 24)
This includes the establishment of effective reporting to ensure the required look-through at consolidated level. (FN 25)
The norm is addressed to all regulated companies included in the scope of consolidation. Similarly, art 11 para 1 second and third sentences CRR also applies to the consolidating institution as well as to the consolidated (regulated) companies; they share responsibility for ensuring the exchange of information. (FN 26)
National legislators in the EEA must therefore not provide for any national provisions hindering the obligation to submit data under art 109 para 2 third sentence CRD or art 11 para 1 CRR (data ring fencing; (FN 27) see also art 124 para 1 CRD). Argumentum a maiore ad minus, it follows that seemingly conflicting national obligations of confidentiality to which a subsidiary is subject have to be interpreted in conformity with European law, so that an exchange of information within the banking group is in principle permissible in order to enable effective group management.
Thus, an exchange of information is ensured within the EEA insofar as the exchange concerns »data required for consolidation« (art 11 para 1 CRR) or »data and information relevant to the purpose of supervision« (art 109 para 2 first and third sentences CRD).
The wording of these provisions suggests, in cases of doubt, a very broad interpretation of the data concerned, as the aspect of relevance is addressed both internally (art 11 CRR, »Prudential Consolidation«) and externally (art 109 CRD, »Review Processes«). Personal data (as a reference) as well as information covered by banking secrecy (art 38 of the Austrian Banking Act) are included in principle. (FN 28)
The inapplicability of art 109 para 2 third sentence CRD and art 11 para 1 third sentence CRR at the solo level of subsidiaries in third countries is an obvious problem, since the norm applies directly and unilaterally only to the superordinate institution in the EEA. However, if the superordinate institution cannot guarantee the exchange of information, meaning that the GA does not receive all the necessary data from the company in the third country, the institution violates its obligation under art 39 para 2 in conjunction with art 42 para 7 of the Austrian Banking Act at consolidated level (violation of a pillar II provision). (FN 29)
Remarkably, this does not apply to pillar I consolidation if the institution which is required to consolidate has been granted a license in accordance with art 19 para 2 lit a CRR (FN 30) and the third-country company is thus exempt from its scope of consolidation. In essence, a participation in a consolidated company in a third country which cannot provide all the relevant data is inadmissible. The audit and inspection rights of the GA are therefore to be fully and comprehensively ensured for participations in third countries as well.
VI. Interim summary
To summarize, both European and national legislators assume a consistent congruence between the rights and obligations of GA. Institutions must thus ensure that GA has the necessary audit and inspection rights for each audit area.
Within the CI Group, regulations which prevent the release of the necessary information to GA are inadmissible and would constitute a breach of the general due diligence obligations pursuant to art 39 para 2 and 7 in conjunction with art 42 para 7 of the Austrian Banking Act at the consolidated level. This applies both within the EEA and in participations in third countries.
VII. Group audit and European Data Protection Law
A. General
As shown, the GA should fulfill the following task (FN31) in particular: It is a guarantor of good corporate governance within the group due to its compulsory structure (art 42 para 7 of the Austrian Banking Act), risk manager and preserver of stakeholder interests, in other words of the claims of investors, clients, employees and the public - that is the role that not only the European legislator, supervisory authorities, financial investors, but also the public assigns to GA today.
The expectations of a GA are therefore high. Three out of four stakeholders believe that corporate scandals and economic criminality in recent years have increased the pressure on companies to set up a GA. (FN 32)
New legal requirements, stricter liability claims on directors (see, for example, art 65 ff CRD) and increasingly strict external supervisory bodies have brought the previously outlined task of the GA into sharper focus. Originally a mere monitoring body that randomly audited business transactions for proper accounting treatment, the GA is now seen as a key management tool that identifies weaknesses and risks in the operational and strategic field - especially in European subsidiaries - that analyses problems, that makes suggestions for improvement to eliminate the weak points and that ensures an efficient ICS. Thus, the GA supports the monitoring and control tasks of the management.
B. Research question
GAs in banking groups are now increasingly confronted with the problem that European subsidiaries, but also third-party companies, deny the legally intended cooperation between parent companies and subsidiaries, for example at the level of information exchange (FN 33). The justifications for refusing information exchange or cooperation range from privacy concerns, via the lack of extraterritorial validity of the national banking law or corporate law, to the lack of responsibility of the GA for verifying the conduct of the foreign subsidiaries.
Out of the group of »denials«, the data protection law stands out. Is it even permissible within a banking group for the entity to be inspected (a subsidiary) to refuse any information to the inspector (the GA) on the grounds of data protection concerns, if the initially outlined provisions of the European banking supervision law are left aside? »Prima vista«, the legal situation seems to be ambiguous, especially with regard to the General Data Protection Regulation (GDPR) (FN34), which has been in force since May 25, 2018.
We are confronted with an obvious conflict of interest. On the one hand, there is the management of the parent company of the banking group together with the GA, which is obliged to exercise comprehensive due diligence and has to control the entire group, including subordinate subsidiaries (art 38 and art 42 para 7 of the Austrian Banking Act, art 84 of the Austrian Stock Corporation Act etc); this requires comprehensive insight into the events in the group and an ongoing, uninterrupted flow of information between the group members.
On the other hand, subordinate CIs - also and in particular in other European countries or third countries - are obliged to maintain banking secrecy (FN 35) or, more generally, to maintain discretion in the interest of their clients, creditors, etc, insofar as no obligation to provide information takes precedence over the (obligation of) confidentiality. (FN 36)
It has previously been shown that Austrian company law does not help in analyzing the relationship between the GA and its subsidiaries, on the one hand, and directors, on the other hand, as far as the determination of frameworks and barriers of the two-way exchange of information is concerned. Provisions such as art 247 para 3 of the Austrian Commercial Code (UGB) or art 30 para 8 and art 42 of the Austrian Banking Act are characterized by the understanding that there is a principal obligation of the group-affiliated subsidiaries (including those outside the parent company's state of origin) to provide information to the parent institution and therefore also to the GA. However, the objection of the lack of (local) validity of the mentioned rules outside the parent company's state of origin is obvious.
Therefore, the national company law cannot solve the mentioned cross-border conflict of interest satisfactorily. From the point of view of data protection law, an approach only results from the relevant European Union's primary and secondary law.
C. Excursus: Problem approximation based on supreme court rulings
While relevant, thematic European judicature (as far as can be ascertained) is lacking, the Constitutional Court (VfGH) has outlined a possible solution in a similar context, based inter alia on art 8 para 1 of the Charter of Fundamental Rights of the European Union (hereinafter: »Charter«), and makes clear statements about the relationship between a controller's right of access (here: the Committee of Inquiry of the National Council) and those to be controlled (in this case, the duties of presentation of the bodies of the Federation).
In the Selected Judgements of the Constitutional Court (VfSlg) 19.973/2015, the Constitutional Court summarized: It would not be possible to fulfill the inspection duties constitutionally conferred on the Committee of Inquiry without a comprehensive knowledge of all files and documents within the scope of the subject matter of the investigation. (FN 37)
Within this scope of the object of investigation, limited by the duties of the Committee of Inquiry, the submission of the files and documents requested by the Committee of Inquiry would therefore be precluded by neither art 1 DSG nor art 8 ECHR and art 8 of the Charter. The same must apply all the more to the - constitutionally interpreted - basic legal provisions of art 38 para 1 to 4 of the Austrian Banking Act and art 48a of the Federal Fiscal Code (BAO).
Each institution subject to the information obligation must therefore present the requested files and documents unredacted (uncovered) to the extent of the subject matter of the investigation, irrespective of other existing obligations of confidentiality. (FN 38)
However, the comprehensive obligation of the body subject to the information obligation does not entail a power of the Committee of Inquiry or its members to publish the information obtained from the files or documents submitted, not even in the written report referred to in art 51 of the Rules of Procedure for Parliamentary Investigating Committees (RP-IC). Instead, the Committee of Inquiry regularly has to balance, in its reporting, private secrecy interests (cf in this regard art 1 DSG, but also art 8 ECHR and art 8 of the Charter) against public interests, which include, among others, the announcement of the results of the inspection.
Footnotes
1. This manuscript is published in parallel in German in the Österreichisches Bankarchiv.
2. See among others Schmidbauer/Ziebermayr in Laurer/M. Schütz/Kammel/Ratka (eds), Austrian Banking Act/CRR Comment (2017) art 42 recital 59.
3. Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, OJ 2013 L 176 / 335.
4. Regulation (EU) no 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) no 648/2012, OJ 2013 L 176/1. »References« to the IA can be found in art 191, 221 para 4 lit h, 225 para 3 lit d, 259 para 3 lit g, 228, 292 para 1 lit f, 293 para 1 lit h, 321 lit e, 368 para 1 lit CRR; in most cases, these references are made in the context of internal models.
5. cf Kessler in Dellinger (ed), Austrian Banking Act Comment (January 2016) art 42 recital 13; Schmidbauer/Ziebermayr, art 42 recital 12.
6. As a requirement, only art 368 para 1 lit d (not e) CRR requires a sufficient number and the fitness of the auditing staff in connection with the audit of internal models; see Mikulik in Laurer/M. Schütz/Kammel/Ratka (eds), CRR Comment (2017) art 368 CRR recital 2.
7. Emphasis not in the original.
8. cf also EBA, Guidelines on internal governance (EBA/GL/2017/11) 198.
9. cf also EBA, Guidelines on internal governance (EBA/GL/2017/11) 199.
10. cf also art 25a para 1 no 3 of the German Banking Act: The norm explicitly divides internal control procedures into ICS and, separately, IA.
11. Höllerer/Puhm/ Stern in Dellinger (ed), Austrian Banking Act Comment (2017) art 39 recital 14.
12. The parallel obligation of establishing an ICS and an IA also at consolidated level (art 30 para 7, art 42 para 7 of the Austrian Banking Act) is systematically consistent and - in terms of the level of application of art 74 para 1 in conjunction with art 109 para 2 CRD - also in conformity with the Directive. The functional assignment of the tasks of the GA to the subordinate CI standardized in art 42 para 7 of the Austrian Banking Act should, however, be viewed as quite flexible by the legislature. For instance, art 42 para 6 continues to permit the waiving of a separate organisational unit on a solo basis, »provided that a separate organisational unit for internal audit exists within the group [highlighting by authors] of credit institutions or the sectoral association« (last expanded by Austrian Federal Law Gazette I, no 149/2017); see Keinert, Organization of the Internal Audit, in particular Possibilities of its Outsourcing according to art 42 para 6 of the Austrian Banking Act, ÖBA 2011, 81.
In contrast to art 42 para 7, art 42 para 6 last subparagraph thus seems to assume cases in which the GA may also have a decentralized-functional character (»within the group«). Already the explanatory remarks of the government bill to the Austrian Federal Law Gazette 1993/532, 1130 BlgNo 18th GP 144, justified the functional allocation to the subordinate CI exclusively with its practicability. In order to resolve this supposed contradiction, it can be assumed that the GA (in the superordinate CI) may functionally use the IA in the respective (subordinate) entities (as vicarious agents of the GA), as long as this increases the effectiveness and efficiency of the audit activities and leads neither to self-assessment/internal audit nor to other potential conflicts of interest; cf also Kessler, art 42 recital 122; see also Keinert, ÖBA 2011, 81. Especially in more complex structures, such as multi-level CI groups or sector networks, it should be fundamentally permissible for subordinate or assigned institutes to act functionally as GA in relation to other subordinate entities under the above-mentioned conditions. However, the responsibility always remains with the superordinate CI.
13. cf Schmidbauer/Ziebermayr, art 42 recital 14.
14. See, for example, BCBS, The Internal Auditing Function in Banks (2012).
15. See FMA Austria, FMA Minimum Standards for Internal Auditing of February 18, 2005 (FMA-MS-IR); FMA Austria, FMA Minimum Standards for the Risk Management and Granting of Foreign Currency Loans and Loans with Repayment Vehicles of June 1, 2017 (FMA-FXTT-MS) recital 9; FMA Austria, FMA Minimum Standards for the Preparation of an Emergency Concept within the meaning of art 30 of the Austrian Investment Fund Act (InvFG) 2011 and art 39 of the Austrian Banking Act (September 1, 2011) recital 2.
16. cf FMA Austria, FMA Minimum Standards for Internal Audit (FMA-MS-IR); Siegl, FMA Minimum Standards for Internal Audit (»FMA-MS-IR«), ÖBA 2005, 742; Schmidbauer/Ziebermayr, art 42 recital 54 f.
17. For details on the obligations in performing the audit see Schmidbauer/Ziebermayr, art 42 recital 72 ff; Kessler, art 42 recital 45 ff; and EBA, Guidelines on internal governance (EBA/GL/2017/11) recital 201 ff.
18. cf also Siegl, ÖBA 2005, 742. However, a list of the tasks of the GA can be found, inter alia, in Kessler, art 42 recital 120.
19. It is also irritating that art 42 para 7 of the Austrian Banking Act prominently uses the term »group«, but the obligation to set up a GA addresses the (potentially narrower) credit institutions group pursuant to art 30 of the Austrian Banking Act (see art 30 and 59 of the Austrian Banking Act); see also Schirk/Stern in Laurer/M. Schütz/Kammel/Ratka (eds), Austrian Banking Act/CRR Comment (2017) art 18 CRR recital 20 f.
20. cf explanatory remarks of the government bill 1130 Austrian Federal Law Gazette BlgNo 18. GP 144 (f.n. 12).
21. cf Schmidbauer/Ziebermayr, art 42 recital 113. Since the GA operates in the interests of the group and is obliged to carry out a comprehensive audit, it is to be assumed that the GA has an extensive guideline competence vis-à-vis the subordinate IAs (eg specification or supplementation of certain audit topics and audit methodologies). To ensure the consistency of the group-wide auditing activities, the GA also has a quality assurance function on a regular basis (eg when finalising audit reports).
22. cf Schirk/Stern in Laurer/M. Schütz/Kammel/Ratka (eds), Austrian Banking Act/CRR Comment (2017) art 11 CRR recital 25 ff.
23. cf EBA, Guidelines on internal governance (EBA/GL/2017/11), recital 82.
24. Nor is it undermined by art 109 para 3 CRD, according to which the rules on internal company management and control (Title VII, Chapter 2, Section II, CRD) do not apply to subsidiaries in third countries if the superordinate institution can prove the illegality of the application of these requirements in the third country (see EBA, Guidelines on internal governance [EBA/GL/2017/11], recital 87). The obligation to disclose data is based on section V (art 109 para 2 CRD), however, and is not restricted by art 109 para 3 CRD.
25. cf Schirk/Stern, art 11 recital 8.
26. The competent authority could therefore require both from the consolidating institution and from the institution that holds the participation directly the establishment of the lawful state of affairs under art 70 para 4 no 1 of the Austrian Banking Act. The obligation shall only not apply to companies that have been removed from the scope of consolidation pursuant to art 19 CRR; see Schirk/Stern, art 11 recital 28.
27. National banking secrecy rules should not hinder prudential consolidation.
28. cf Schirk/Stern, art 11 recital 27.
29. In such a case, ensuring the exchange of information would basically have to be examined in advance by the FMA, provided that the company in the third country is a CI (approval according to art 21 para 1 no 2 of the Austrian Banking Act); see Stern in Laurer/M. Schütz/Kammel/Ratka (eds), Austrian Banking Act/CRR Comment (2017) art 19 recital 14.
30. This normative extension of the de minimis rule actually seems surprising for a prudential regime, but has no relevance in practice; cf Stern, art 19 recital 11 ff. The EBA even proposed a deletion of lit a in 2014, but this has so far not been taken up by the European Commission (also taking into account the proposals for CRR II); cf also EBA, Opinion of the European Banking Authority on the application of Articles 108 and 109 of Directive 2013/36/EU and of Part One, Title II and Article 113(6) and (7) of Regulation (EU) No 575/2013 (EBA/Op/2014/11) (29 October 2014).
31. For this purpose, see Meeuwsen, Setting up an Internal Audit using the Example of a GA in Amling/Bantleon (eds), Practice of Internal Audit (2018) 177 ff.
32. Meeuwsen (f.n. 31) 177.
33. There is a special form of data transfer (disclosure) between different group units (cf art 4 no 2 GDPR).
34. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
35. Exceptions confirm the rule: see, for example, Germany, which got rid of banking secrecy by July 23, 2017 (repeal of art 30a of the German Act to Combat Tax Evasion (dt StUmgBG)).
36. cf general provisions of the type of art 6 para 1 DSG (data secrecy) and art 38 para 1 of the Austrian Banking Act (banking secrecy) and similar provisions in other EEA and third countries.
37. cf also Selected Judgements of the Constitutional Court (VfSlg) 4106/1961 in connection with the audit mandate of the Court of Auditors.
38. cf Selected Judgements of the Constitutional Court (VfSlg) 17.065/2003 and 19.834/2013 for procedures under art 126a of the Federal Constitutional Law (B-VG).