Response to consultation on revised Guidelines on internal governance under CRD


Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

  • Paragraph 8 Scope of application:

We strongly object to any deletion of the reference to national company law. Both supervised entities and supervisory authorities are required to comply with national company law. If national law contradicts EBA Guidelines, NCAs must declare themselves non-compliant – while ECB also applies national law directly in its supervising function for SIs according to Art 4 (3) SSMR and has therefore to respect national law. It is of paramount importance for supervised entities that competent authorities (JSTs) are reminded of the norm hierarchy and of the supremacy of national law - Level 1 transposition of EU Directives - over EBA Guidelines.

We urge EBA to refrain from deleting the sentence: 

“When implementing these guidelines, competent authorities should take into account their national company law and specify, where necessary, to which body or members of the management body those functions should apply.”

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

  • General remarks

While we understand the importance of transparent and clear allocation of responsibilities, as intended by CRD VI, we would also like to emphasize that based on the proportionality principle institutions should be allowed to design their governance structure in a proportional manner adapted to their size, complexity and business model. Although proportionality is mentioned under Title I of the Guidelines, these detailed additions appear particularly challenging for smaller institutions, which have reduced personnel and organisational resources. Therefore, we strongly urge a thorough revision and shortening of this section to ensure clarity and proportionality by considering a simplified approach or even an exemption from the application of paragraphs 68a and 68b for small and non-complex institutions, in order to prevent undue burdens or obligations that fall outside the intended scope.

Furthermore, the proposed obligations regarding the mapping of duties and individual statements in paragraphs 68a and 68b introduce an excessive level of granularity, which is incompatible with the need for agile and adaptive management required by credit institutions in a competitive environment. Such detailed requirements may hinder the ability of institutions to respond efficiently to changing business needs and organizational structures. 

  • Paragraph 68a (Mapping of Duties) point c) – Duties for the role of each individual member of the management body

Institutions already maintain extensive documentation on task and role allocation (organizational charts, rules of procedure, role descriptions, fit & proper dossiers). An additional requirement for individual written duty descriptions creates duplicate work and redundant documentation without actually improving governance quality.

Individual duty descriptions suggest a formal delineation of responsibilities that, in practice, does not exist under collective overall responsibility (especially within the management body). This creates a discrepancy between documentation and reality.

Moreover, there are already detailed requirements for task allocations, fit & proper assessments, and segregation of management functions. A further obligation would duplicate rules and could lead to legal uncertainty; individual descriptions could be used ex post to tighten personal liability, even though overall responsibility still applies as a matter of law.

This would further reduce the attractiveness of management positions in the banking sector. Supervisory authorities already have access to rules of procedure, organizational policies, and fit & proper documentation. An additional document would provide no real informational value - only a formal “tick-the-box” exercise.

Furthermore, the requirement under to outline the duties for each role of the management in its supervisory function is disproportionate for a dualistic system as the members of the Supervisory Board (“management body in its supervisory function”) only have this role. As we mentioned above, extensive documentation of the backgrounds, skills and experiences of the members of a Supervisory Board already exists. Due to the Fit&Proper Framework we consider this as already fulfilled. Hence, requiring duty mapping for members of the management in its supervisory function is redundant: the supervisory function is inherently about oversight and monitoring the management body. 

Therefore, we advocate for deleting this requirement or at least revising the reference to the “supervisory function”:

“c. The management body in its management function should agree and set out clearly where duties lie for the role of each individual member and what those duties entail. The duties should be outlined separately for both the management and the supervisory function of the management body.

The management body should be responsible for the allocation of the duties and responsibilities assigned to senior management and key function holders even if those duties are drafted below management body level.”

  • Paragraph 68c, 2nd sentence – Appropriate measures to ensure that all individuals fulfil their duties

“The institution should take appropriate measures to ensure that all individuals appropriately fulfil their duties, and the individuals should be able to demonstrate to the supervisor upon request that they have taken all actions in their position that could reasonably be expected from them.”

We suggest that it should include illustrative examples of what is meant by appropriate measures (e.g., training programs, workstations equipped in line with the job description, realistic timelines, etc.).

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

  • Paragraph 94 – Institutions should also aim, as part of the risk culture, at establishing a culture of equality, diversity and inclusion and prevent discrimination and harassment.

Illustrative examples regarding the interaction of this obligation with the EBA Guidelines on the management of ESG risks would be useful.

  • Paragraph 107a – Simultaneous exercise of roles as management body member in different group institutions

Furthermore, the simultaneous exercise of the role of member of the management body in its management function and of member of the management body in its supervisory function in different institutions within the same group is not considered problematic under the current conflicts of interest framework. On the contrary, Art. 91 (4) CRD, the EBA Guidelines on Suitability, and the ECB Guide to fit and proper assessments do not require additional reporting obligations in these cases but rather recognize a privileged calculation that facilitates the compatibility of such intra-group roles. Considering the simultaneous exercise of the role as member of the management body in its management function and member of the management body in its supervisory function in different institutions within the group is not entirely in line with Art. 109 CRD which requires parent institutions to ensure that arrangements, processes and mechanisms are implemented in the subsidiaries group-wide. The appointment of members of the management bodies in the management function in the supervisory boards of subsidiaries is one of the most effective ways to ensure that arrangements, processes and mechanisms are consistent and well-integrated group-wide and any limitation of this empowerment of parent institutions would be detrimental to the governance framework of the group. The introduction of stricter requirements in this area is not only unnecessary but may also contradict the existing regulatory framework and the current supervisory practices.

  • Paragraph 107b – Conflict of interest policy at institutional level

According to Article 28a (1) Austrian Banking Act (BWG), CEOs must not take up activities as the chairperson of the supervisory board within the same undertaking, in which they previously served as CEO, until a period of two years has passed since the termination of their function as CEO.

By extending the scope of the cooling-off regime to (i) all members of the management body in its supervisory function (including Chair) and (ii) all former members of the management body (last sentence of this paragraph), the EBA goes far beyond the requirements of CRD and the existing national legal framework based on CRD.

This would amount to a de facto pre-emption of legislation that properly falls within the remit of national parliaments and/or the EU legislator.

Apart from that, company and supervisory law already provide mechanisms to address conflicts of interest (e.g., mandatory recusal in cases of bias, the option to exclude individuals from discussions, fit & proper assessments).

In order to avoid conflicting situations with the already existing rules, the Guidelines should specify that the new paragraph 107b applies only in member states where currently such rules are not in place at all.

 

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

  • Paragraph 172 – Heads of the internal control functions

This paragraph gives the impression that the potential conflicts of interest arising from combining the role of head of control functions with that of the management body, and from combining the role of head of control functions with other functions, are identical. However, there are in fact differences in the potential conflicts of interest, which should be addressed accordingly in different ways. This aspect should be taken into account in the requirements.

  • Paragraphs 204, 209, 210 - Compliance Function

In the current draft, the phrase “legal risk stemming from non-compliance events” is used repeatedly in Chapter V, 21. Compliance Function (p. 70, paragraphs 209 and 210) as well as in paragraph 36 under the Chapter "Rationale and objective of the guidelines".

Without further clarification, “legal risk” could be interpreted to mean that the compliance function is responsible for legal risks in general (e.g., contract, litigation, or enforceability risks, as legal risk is defined under Article 4(1)(52a) CRR for operational risk requirements). These risks typically fall outside the core mandate of the compliance function and are usually assigned to other functions (Legal, Operational Risk, Litigation Management). To ensure a clear allocation of responsibilities and avoid misinterpretation, the text should consistently refer to “compliance risk”.


Name of the organization

Austrian Federal Economic Chamber/Division Bank and Insurance