Informative Note

Bank of Portugal sets out new governance and internal control rules for supervised institutions

03/04/2025

Published on 20 March, the recent Notice from the Banco de Portugal brings changes related to the governance systems, internal control and organisational culture of the supervised institutions.

On 20 March 2025, Banco de Portugal Notice 2/2025 (the “Notice”) was published, amending Banco de Portugal Notice 3/2020 on the governance, internal control systems, and organisational culture of supervised institutions.

This Notice entered into force on 21 March 2025, but institutions have a period of 6 (six) months from the date of entry into force to adapt to the new obligations. However, credit institutions and financial companies with their registered office in Portugal, as well as financial companies, mixed financial companies, and holding companies subject to supervision by the Banco de Portugal and when classified as parent companies under the General Framework for Credit Institutions and Financial Companies, have 12 (twelve) months from the date of entry into force to adopt a supervisory body.

The following changes aim to ensure more efficient supervision and to adapt regulatory practices to the requirements of the European financial landscape, promoting a more robust and proportionate organisational culture.

Compulsory training plans: Article 5

There is an obligation to establish training plans for the members of the management and supervisory bodies. The aim of this is to ensure that they are kept abreast of the risks to which the institution is or may be exposed, with particular attention to emerging risks. The management and supervisory bodies will be responsible for approving multi-annual training plans. These plans must be reviewed annually to ensure that their members have up-to-date knowledge of the evolving risk framework and regulatory requirements. This approach aims to strengthen oversight and decision-making capabilities and promote an organisational culture consistent with best practices in risk management and control.

Clarification of the concept of deficiencies: Article 13

The concept of deficiencies has been revised to include defaults, with the aim of simplifying and standardising the treatment of this issue by supervised institutions.

For the purposes of the Notice, deficiencies are defined as any situation that may have a current or potential impact on the institution's financial condition, level and requirements of capital, internal governance, liquidity, leverage, business model, and risk management and control. Such situations include (i) non-compliance with legal provisions, regulations, the institution's internal rules or guidelines issued by the competent authorities applicable to its activities; and (ii) identified opportunities for improvement, in particular on the basis of nationally or internationally recognised best practices.

Flexibility in the organisational model for internal control functions: Article 14

Institutions now have the option of segmenting the risk management function into different organisational units. However, it is mandatory that at least one of these units maintains a comprehensive and integrated view of all the risks to which the institution is or may be exposed. The person in charge of this unit will be formally recognised as the head of the risk management function.

The management body is responsible for ensuring that risk management is carried out in an integrated manner, promoting the effective exchange of information between the different units and ensuring that the unit with overall responsibility has the necessary means to monitor the quality and sufficiency of the information received from the other units.

If the risk management function is split into more than one unit, the institution must notify the Banco de Portugal of this decision at least 60 days before the planned implementation date. The notification must include a detailed description of the structure to be adopted, as well as a justification by the management and supervisory bodies as to its appropriateness given the nature, scale and complexity of the institution's activities, guaranteeing the robustness of the internal control and risk management system.

If it is considered that the fragmentation of the risk management function compromises the effectiveness of the institution's risk management, in particular because it does not guarantee the objectives defined in the Notice, the Bank of Portugal, in the exercise of its supervisory powers, may at any time require that risk management be centralised in a single organisational unit.

Risk management and compliance functions can be combined: Article 16

Institutions authorised to receive deposits, whose total assets over an uninterrupted period of two years and on an individual basis are less than €3 billion and which do not provide common services in accordance with the provisions of Article 50(3) of the Notice, may now combine the risk management and compliance functions in a single structural unit. However, they must comply with the applicable requirements, in particular as regards the availability of the material, technical and human resources necessary for the effective performance of those functions.

To this end, the management body may decide, by means of a reasoned decision to be recorded in the minutes, to combine the two functions. This decision must be preceded by the opinion of the supervisory body.

In this case, the management body must ensure that the combined function fully complies with the applicable requirements and that it has sufficient resources to adequately perform its duties. In addition, effective mechanisms must be put in place to prevent or mitigate potential conflicts of interest arising from the combination of the responsibilities of the two functions in a single organisational unit.

Institutions wishing to adopt this solution must notify the Banco de Portugal of their intention at least 60 days before the planned implementation date. The notification must include a detailed description of the proposed structure, accompanied by an analysis of the adequacy of material, technical and human resources, as well as a justification by the management and supervisory bodies of the appropriateness of the solution given the nature, size and complexity of the institution's activities, guaranteeing the maintenance of an effective and prudent internal control and risk management system.

Transactions with related parties: Article 33

The use of aggregated pre-approvals for related party transactions is now permitted, subject to certain conditions. The approval must set out the specific conditions for the execution of such transactions and ensure that both the approval and the conditions set are reviewed at least quarterly.

The management body must approve a specific internal policy governing this matter, after obtaining the prior opinion of the supervisory body. This policy must specify, inter alia:

(i) the responsibilities of the risk management and compliance functions in identifying and analysing related party transactions; 

(ii) the mechanisms for ensuring compliance with the obligations laid down in the General Regime for Credit Institutions and Financial Companies regarding the granting of credit to members of corporate bodies and holders of qualifying holdings, including reporting to the competent authorit

(iii) the responsibilities of the senior managers of the relevant units in overseeing these operations, including the obligation to report quarterly to the risk management and compliance functions; and

(iv) the procedures for these functions to report periodically to the management and supervisory bodies, providing information that enables the monitoring of transactions and the prompt reporting of any non-compliance with internal rules or applicable laws, together with recommendations for corrective action.

In addition, the internal policies must include the necessary procedures to ensure mandatory reporting to the supervisory authority. In this context, Banco de Portugal Instruction 17/2011 is repealed, except for the section on mandatory reporting, as all other provisions are already included in the Notice.

Collaborative solutions and subcontracting: Article 36

Institutions will now be able to use collaborative solutions to carry out operational tasks as part of their internal control functions. In addition, subcontracting of these tasks, which was previously allowed only on an ad hoc basis, can now be done on a permanent basis. The aim of this change is to provide greater flexibility for institutions, especially smaller ones, while ensuring a framework that is in line with the principle of proportionality.

This notification must contain essential information, including a detailed description of the collaborative solution to be adopted and the reasoning of the management and supervisory bodies as to its suitability given the nature, scale and complexity of the institution’s activities.

Selection and appointment policies for statutory auditors: Article 39

Procedures must be established to ensure that the appointment of the statutory auditor or audit firm is reported to the supervisory authority and should be included in the selection and appointment policies of statutory auditors or audit firms in institutions authorised to receive deposits. However, there is an exception for the Caixas de Crédito Agrícola Mútuo, which are part of the Sistema Integrado de Crédito Agrícola Mútuo (Integrated Mutual Agricultural Credit System).

Changes to the reporting dates for the self-assessment report: Articles 54 and 58

The reference and reporting dates for the self-assessment report on the appropriateness and effectiveness of the organisational culture, and the governance and internal control systems of the supervised institutions have been changed. The annual report will now be drawn up on 30 September of each year, instead of 30 November. In the cases provided for in the Notice and in Banco de Portugal Instruction 18/2020, which establishes the obligations, frequency and form of reporting on the matters defined in the Notice, the report must be sent to the competent supervisory authority by 15 November of each year, instead of 31 December, as was the previous procedure. With regard to financial groups, the reporting obligation has been simplified and only the group self-assessment report has to be submitted to the competent authority. Individual self-assessment reports will only be submitted if required by the competent authority.
