
CSSF Circular 12/552 - "Central administration, internal governance and risk management" | Brochure


Converging towards sound governance practices

Updated rules for widespread challenges

On 11 December 2012, the CSSF issued circular 12/552 entitled “Central Administration, Internal Governance and Risk Management” that replaces and repeals six existing circulars (IML 95/120, IML 96/126, IML 98/143, CSSF 04/155, CSSF 05/178 and CSSF 10/466). Applicable to banks and investment firms, the objective of the new circular is to centralise in one single document all the main requirements related to governance matters, thereby efficiently transposing rules promulgated by European authorities, notably by the European Banking Authority.

While taking into account the principle of proportionality, the Luxembourg regulator has adopted very precise rules regarding the respective role and responsibilities of the governing and management bodies (i.e. Board of Directors and Authorized Management) and has recognised in its regulatory framework the “three-line-of-defence” concept that clearly positions the Compliance, Risk Control and Internal Audit functions in the organisation.

Even if several requirements of circular 12/552 were already demanded by prevailing regulation, the text also includes new elements, such as the “fit and proper” conditions for the members of the management body, the strengthened role of the Risk Control function or the existence of designated information security and IT officers.

The release of this circular represents a unique momentum for banks and investment firms to review the adequacy of their existing governance framework and to seize this opportunity to enhance its efficiency and value-adding capabilities.

Have you ever asked yourself?

  •  Do we already comply with supervisory expectations and requirements?
  •  What are the options available to optimize efficiency of compliance, risk and internal audit in our organisation and avoid redundancy?
  •  What are the reporting requirements for our Institutions and what should be the nature of their content?
  •  And how do the others organize themselves to meet governance requirements?

How can Deloitte help you?

The multidisciplinary range of our Governance, Risk and Regulatory Services provides comprehensive and adapted solutions to the challenges posed by CSSF Circular 12/552.
Examples of services include:

  •  Training sessions to educate members of the governing bodies on their roles and responsibilities
  •  Benchmark your governance framework against regulatory requirements and peers
  •  Enhance efficiency of your internal corporate governance through optimizing interactions among control functions
  •  Provide outsourced solutions such as internal audit services or regulatory hotline

The “three-line-of-defence” model as a new standard

Intensive scrutiny over governance arrangements is a clearly observed trend in the supervisory approach adopted by regulators all over Europe. In terms of organizational structure, the provisions set out in Circular 12/552 pave the way for setting the ‘three lines of defence’ risk governance model as a market standard.

This model is already in place in some institutions but, despite embracing it, some companies still struggle to articulate how oversight is apportioned between the risk management and other specialist functions, such as compliance or finance departments.

Transparent apportionment of oversight responsibilities and the existence of independent checks and challenges are critical to achieving an adequate organizational structure with a clear allocation and appropriate segregation of responsibilities.

We can help you tackle the broad issues of enterprise risk management and effective corporate governance, while offering specialized assistance in high risk areas such as regulatory risk reporting, compliance and internal audit services or information systems. For more details, visit
