Response to consultation on revised Guidelines on internal governance under CRD


Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

Executive Summary

We strongly support the objective of good governance standards as a cornerstone of financial stability and effective supervision. At the same time, we are concerned that the Draft Guidelines adopt an approach that is excessively detailed and prescriptive in several areas, adding new obligations with no legal basis and extending the scope of application of certain provisions of CRD. This risks undermining the principle-based framework established under CRD, creating inconsistencies with national company law frameworks, and transforming the Guidelines into de facto binding obligations that go beyond the legislator’s intent. In our view, the final text should remain principle-driven, proportionate, and consistent with EU and national legislation, while leaving sufficient flexibility to reflect the diversity of governance models across Member States. This would also be more in line with the overall simplification agenda of the European Commission. 

 

More concretely, we encourage the EBA to:

  • Respect national frameworks and corporate law and regulatory systems: In particular, by acknowledging the legitimacy of one-tier board systems and avoiding requirements that undermine the principle of collective responsibility embedded in several Member States’ legal frameworks, as well as other governance schemes foreseen and allowed by national company law (e.g., Chair of the management body holding executive functions).
  • Reconsider the provisions on mapping of duties and individual statements (paragraph 68 and following): These introduce an excessive level of detail, create legal uncertainty and unnecessary costs, and go beyond CRD VI, especially as no detailed political agreement was reached on these topics and the EBA received no mandate regarding them; they should be simplified and reframed to avoid turning governance into a purely administrative and costly exercise. The scope of the CRD requirement for the mapping of duties should not be enlarged by the EBA to all members of the management body and to all levels in a group.
  • Strengthen proportionality and flexibility: By ensuring that governance expectations are tailored not only to institutions’ size, complexity, and risk profile, but also to the diversity of board structures recognised under EU and national legislation.
  • Ground recommendations on evidence and impact assessment: Avoiding the presentation of certain arrangements as universal best practices (one size fits all approach) without empirical support and recognising that different governance models can deliver equivalent outcomes.
  • Allow sufficient time for implementation and coordination with other EU initiatives: Ensuring realistic adaptation periods and alignment with the entry into force of related legislative acts (such as CRD VI and DORA) to prevent overlaps, duplication, and unnecessary compliance burdens.

 

Our position reflects the importance we attach to strong internal governance as a cornerstone of financial stability, while at the same time highlighting areas where the Draft Guidelines risk becoming overly prescriptive, diverging from the principle-based approach chosen, and conflicting with national corporate regulations.

 

General Comments

We welcome the overarching objective of high governance standards, particularly in light of new legislative developments such as CRD VI[1], DORA[2] and the AI Act[3]. Nevertheless, we are concerned that the Draft Guidelines adopt an approach that is excessively detailed and prescriptive in several areas, going beyond CRD prescriptions with no legal basis. This risks both undermining the principles-based nature of the CRD governance framework and creating obligations that have not been intended by the legislator.

 

This, in our opinion, has two main implications: first, that the Guidelines are perceived as introducing new binding requirements due to their prescriptive approach, even if they are supposed to be soft law; and second, that they generate unintended conflicts with national company law frameworks, particularly in jurisdictions with one-tier board structures.

 

Moreover, respect for national company law is essential to ensure the effectiveness and legitimacy of supervisory standards. In several Member States, the legal framework is based on one-tier board systems where directors collectively exercise both management and supervisory functions. In such cases in particular, attempts to individualise responsibilities (beyond those delegated to executive members of the management body) or to impose structural requirements inconsistent with national legislation are not feasible and risk undermining the principle of collective responsibility of the management body embedded in national company law. The Guidelines should therefore acknowledge (not only formally as stated in paragraph 26 of the Consultation Paper, but also de facto) this diversity of governance models and avoid introducing obligations that conflict with national legal frameworks and the principles of CRD.

We also note that some of the recommendations contained in the Draft Guidelines are presented as if they were universal best practices, without supporting evidence or impact assessment (e.g. the preference for an independent and non-executive Chair). Experience from recent supervisory cycles and financial crises shows that governance failures are not necessarily linked to the absence of these prescribed arrangements. In some cases, institutions that fully complied with such provisions have nevertheless encountered significant difficulties. Therefore, it is critical that the EBA supports its guidance with empirical analysis and leaves room for alternative governance models that can deliver equivalent outcomes.

 

A further concern relates to the potential supervisory use of these Guidelines. While they are formally classified as soft law under Article 16 of Regulation (EU) No 1093/2010, in practice institutions are often expected to comply with EBA Guidelines in full. This creates a situation where detailed provisions, despite their non-binding legal status, may be enforced as de facto legal requirements, blurring the distinction between supervisory guidance and hard law. We believe this undermines legal certainty and shifts the balance away from the co-legislators, who recently debated and decided not to include some of these measures in CRD VI. We therefore urge the EBA to ensure that the Guidelines respect the boundaries set by EU legislation and national legal frameworks.

 

We consider it essential that any changes to the Guidelines should remain fully aligned with the framework set out in CRD, ensuring consistency with EU legislation and avoiding the introduction of requirements that go beyond what has been established by the EU legislators.

 

Finally, we would also welcome further clarity from the EBA on how they intend to coordinate with the ECB regarding the changes in the Draft Guidelines, to ensure consistency across supervisory practices within the Banking Union. We note that the ECB also recently consulted on its own Guide on Governance and Risk Culture but is yet to produce a final document[4]. We hope that the opportunity is being taken to reduce duplication and overlap between the two.

 

In line with these general considerations, we provide below our detailed feedback on the specific questions raised by the EBA in the Draft Guidelines. Our comments are guided by the same principle-based and flexible approach outlined above, with the aim of ensuring that the final text remains consistent with CRD VI, fully respects national company law frameworks, and avoids unnecessary prescriptiveness.

 

 

Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

 

Respect for National Frameworks

We welcome the EBA’s effort to clarify the subject matter, scope and definitions of the Guidelines. However, in our view, several aspects require further refinement to ensure that the Guidelines are both flexible and consistent with the CRD principles and national legislative frameworks.

 

In this regard, it is essential to keep the reference to national company law in paragraph 8. It is very important that the Guidelines effectively respect national company law frameworks, as envisaged in CRD, and avoid imposing expectations that conflict with established governance models. In several Member States, national company law provides for one‑tier board systems where members of the management body collectively exercise both management and supervisory functions. In such systems in particular, it is not legally feasible to individualise responsibilities in the manner suggested in some of the Draft Guidelines provisions, such as allocating individual responsibilities to non-executive members of the management body, nor to distinguish between the duties of the management (executive) and the supervisory (non-executive) functions, as in one‑tier board systems the management body performs both. The Draft Guidelines should therefore explicitly acknowledge this reality and avoid imposing expectations that could contradict national law or undermine the principle of collective responsibility applicable to one-tier board systems.

 

As an example of the above, the following provisions in paragraph 8 should be reinstated: “When implementing these guidelines, competent authorities should take into account their national company law and specify, where necessary, to which body or members of the management body those functions should apply”.

 

Furthermore, we believe it is important that the Guidelines explicitly recognise that the diversity of governance frameworks within the EU is the result of deliberate choices by national legislators and the EU legislator itself. While this diversity and recognition of national company law is formally recognised in the Guidelines (paragraph 26 of the Consultation Paper), we believe that these principles are not embedded in some of its provisions, which can be understood as an intrinsic contradiction of the Guidelines. In this sense, the CRD framework was designed to accommodate different legal systems, and any attempt to impose a uniform governance model through soft law instruments would risk undermining this balance. By preserving references to national company law, the EBA can ensure that institutions implement robust governance arrangements that are fully consistent with their legal environment, while still meeting the overarching objectives of sound risk management and effective oversight.

 

We also note with concern the removal of flexibility regarding the role of the Chair. The current EBA Guidelines on internal governance (EBA/GL/2021/05) rightly allow the possibility of having a Chair with executive functions, provided that appropriate checks and balances are in place (e.g. senior independent board members, a larger number of non-executive directors, or a clear division of roles). This approach respects the diversity of governance frameworks across the EU (and aligns with CRD, which only prohibits the combination of Chair and CEO), while ensuring that adequate safeguards against concentration of power are maintained. We see no reason for the removal of this section in paragraph 37 and we strongly recommend that the current drafting, which allows for this flexibility, be preserved in the revised Guidelines.

 

Moreover, we understand that this deletion would go beyond CRD VI, which only prohibits the combination of Chair and CEO, and would unjustifiably constrain national company law models that the EU legislator has deliberately allowed to continue. In this sense, we also note that there is no empirical evidence to demonstrate that one governance scheme delivers better outcomes than others. Recent supervisory experience and past financial crises have shown that institutions with different board structures (whether one-tier or two-tier, with executive or non-executive chairs) can be equally exposed to governance and financial failures. This underlines the importance of avoiding a one size fits all approach and instead focusing on ensuring that each institution has robust checks and balances, effective risk management and a strong culture of accountability, rather than imposing a uniform model across the Union.

 

Definitions

We are unsure as to the rationale for the deletion of the definitions of “head of internal control functions” and “key function holder”, as the terms are still used throughout the Draft Guidelines. While we note that the definitions are addressed in CRD itself, the practical scope and interpretation of KFHs remains unclear and may vary depending on national implementation and supervisory interpretation. It would be helpful if the Guidelines could provide further clarity to ensure consistent understanding across jurisdictions, aligning the scope of “key function holders” for internal and external assessment, while continuing to allow flexibility of interpretation by institutions according to their governance framework and applicable national company law.

 

Indeed, for the purposes of individual statements and the mapping of duties, it would be helpful to elaborate further on the CRD VI definitions of senior management and key function holders, while continuing to explicitly allow each institution sufficient flexibility to determine and document these roles in line with its own governance framework and applicable national company law. For instance, the scope of individuals falling under “senior management” could become overly broad, particularly in light of the new requirements for individual statements of responsibilities and mapping of duties.

 

In addition, we request the reintroduction of paragraph 11, which stated that the definitions of CEO, CFO and Key Function Holder are purely functional and not intended to impose the appointment of those officers or the creation of such positions unless prescribed by relevant EU or national law.

For the sake of clarity, we request that the EBA clarify throughout the whole document, and by reinstating the first part of paragraph 9 of the Guidelines, that the “management function of the management body” may be, alternatively, a person (for example, the CEO and/or General Manager) or a collegial body (for example, a Management team or Executive Committee). See also our comments on paragraph 9 under Question 2 below.

 

Date of Application

Finally, we note that the date of application of the revised Guidelines has not been specified. During the EBA’s hearing for this consultation, it was suggested that they will be published in April 26. We suggest that there should be a period of at least 2 months after the publication of the Guidelines before they apply. We stress the importance of allowing sufficient time for institutions to adapt their internal policies and structures, especially where the Guidelines introduce significant new documentation and reporting requirements (e.g. mapping of duties and individual statements). Implementation timelines should be realistic and coordinated with the entry into force of relevant legislative acts to avoid unnecessary overlaps or duplications. Further, and at the very least, only new nominations after the publication of the Guidelines and RTS (cf. paragraph 60b) should be subject to the new requirements, in order to avoid retroactive application and ensure a proportionate transition.


 

[1] The Sixth Capital Requirements Directive - Directive (EU) 2024/1619

[2] The Digital Operational Resilience Act - Regulation (EU) 2022/2554

[3] The Artificial Intelligence Act - Regulation (EU) 2024/1689

[4] https://www.bankingsupervision.europa.eu/framework/legal-framework/public-consultations/html/governance_and_risk_culture.en.html

Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?

Proportionality

While we welcome the EBA’s intention to reinforce the role of proportionality in Titles I and II, we consider that the current drafting does not fully capture the breadth of this principle. In our view, proportionality should encompass not only the size, complexity and risk profile of institutions, but also the diversity of the different board structures permitted across the EU within the flexibility allowed by both EU and national legislation. A clearer acknowledgment of these elements would help ensure that the Guidelines can be applied consistently and effectively across Member States.

 

In connection with the above, a proposal for a new wording of paragraph 16 is suggested:

“16. The proportionality principle encoded in Article 74(2) of Directive 2013/36/EU aims to ensure that internal governance arrangements are consistent with the individual risk profile and business model of the institution, so that the objectives of the regulatory requirements and provisions are effectively achieved. In applying this principle, competent authorities should take into account the diversity of governance frameworks and management body structures permitted across the EU within the flexibility provided by European Union and national company law”.

 

Embedding a broader understanding of flexibility within the proportionality principle, and ensuring consistency with national company law frameworks, is essential to preserve legal certainty and accommodate the diversity of governance models across the EU. Clarifying paragraph 16 along the lines suggested above would provide clearer guidance while avoiding prescriptive requirements that could conflict with national law and undermine the collective responsibility of the management body in one-tier systems.

 

Additional Comments

Paragraph 9: The reference to the delegation of the management function of the management body to an internal executive body should be reinstated, as it provides clarity and certainty in Member States where company law allows such delegation. As for other persons exercising the management function of the management body, their appointment may differ across EU jurisdictions, as governed by national law. For instance, there are Member States where they may only be appointed by the management body in its supervisory function, and other Member States where they may be appointed by shareholders (as is the case as regards the appointment of directors in one-tier systems). The reference to their appointment should therefore be removed. We suggest the following wording: “In Member States where the management body delegates, partially or fully, the executive functions to a person or an internal executive body (e.g. a chief executive officer (CEO), management team or executive committee), those executive functions on the basis of that delegation should be understood as constituting the management function of the management body. Persons that exercise the management function of the management body, including those that effectively direct the business of the institution in accordance with Article 3(1)(8a) of Directive 2013/36/EU, are to be assessed for their suitability in line with Article 91 of this Directive.”

 

Paragraph 22c.i: The rationale for the removal of the term "independent" is not clear, especially considering the emphasis placed on the independence of internal control functions elsewhere in the Guidelines (e.g., paragraph 174a under section 19.2 "Independence of internal control functions" or paragraph 176 under section 19.3 "Combination of internal control functions"). The independence of the compliance function is a fundamental principle of governance, and ensuring clarity and consistency within the Guidelines would be desirable. See also our comment on paragraph 206.

 

Paragraph 23: For the sake of clarity, we request that the EBA defines the terms “traditional categories of financial and non-financial risks” and “potential materialisation of operational and legal risks”.

 

Paragraph 37: We note that, under the new principle in CRD VI (Article 88(1)), while the chair of the management board cannot be the CEO of the institution, s/he may still have executive duties in the institution (and in the group). The executive chair role is also permitted under the national laws of certain Member States and is expressly recognised in paragraph 62 of the Basel Committee on Banking Supervision's Corporate Governance principles for banks[1]: “[t]o promote checks and balances, the chair of the board should be an independent or nonexecutive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank’s checks and balances, e.g. by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board.” The recommendation to implement strong checks and balances where the chair assumes executive duties should not be removed from paragraph 37 of the Guidelines, as such measures have proven successful in avoiding an excessive concentration of power and are aligned with relevant national laws.

 

Paragraph 51: We suggest deleting the reference to “individually” in paragraph 51, which requires remuneration committee members to meet knowledge and expertise criteria on an individual basis, given that we understand this requirement to be inconsistent with the collegiate nature of management body committees. In our view, the effectiveness of these bodies derives from their collective composition, where members contribute complementary skills and experience. Preserving a collective approach is also more proportionate and in line with sound governance principles, while avoiding the risk of imposing individual knowledge, skills and experience requirements that go beyond what is foreseen under CRD. The individual requirement would be contrary to (i) the collective suitability criteria for members of the management body set out in the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders[2] and (ii) the collective knowledge requirement set out for the remuneration committee in section 2.4.1 of the EBA Guidelines on sound remuneration policies[3]. The collective requirement also seems excessive as it involves a non-justified difference between ESG factors and other material factors with a potentially higher impact on remuneration incentives, such as financial performance, capital and liquidity or risk management. Similarly, highlighting ESG risks among all the risks of an institution is not justified and introduces concerning uncertainties as to the importance of other risks when assessing remuneration incentives. Additionally, these knowledge requirements would impose an additional burden on institutions in the course of finding suitable candidates for management body positions.

 

Paragraph 61: As an overall comment, we are concerned that the EBA’s approach to the identification of particular risks is not fully coherent. Highlighting individual risks in the Guidelines because they appear elsewhere in the EBA’s work may lead to the interpretation that other individual risks not mentioned are less important. We suggest that it should be a core focus of good governance to ensure that all types of traditional and emerging risk are understood and mitigated. In addition, the Guidelines move between distinguishing between (1) ‘financial’ and ‘non-financial’ risks, and (2) ‘market’, ‘credit’ and ‘operational’ risks; consistency of terminology throughout the Guidelines would be helpful.

Paragraph 61c: We suggest listing all risks usually included in the risk appetite statement: Market, Credit, Liquidity, Operational, Reputational, Compliance, Legal, ICT. We suggest that 'operational risk' should not be further specified in this guideline. If the specification remains, we disagree that operational risks should include “fundamental rights and discrimination”. If maintained, it would be helpful if the EBA could clarify the intended meaning of “fundamental rights” in this context. We assume that it refers to ESG risks, which should be made evident from the wording itself so that no room for interpretation is left.

 

Paragraph 61c: The intended meaning of “discrimination” is unclear in this context, as is the article of CRD VI from which the requirement derives. We also note that the Supervisory Board itself is better suited to allocating the topic of discrimination (including risks stemming from it) to a committee best equipped for it. This could be an ESG Committee or the Audit Committee, as the latter also handles whistleblowing reports. If discrimination risks arise, combined sessions with the Risk Committee would be better suited, instead of allocating this topic exclusively to the Risk Committee. In light of this, we request that the EBA considers deleting the reference.

 

Paragraph 62: We consider that there is no legal basis in CRD VI for the risk committee to provide input to the remuneration committee regarding ESG risks and related targets or key performance indicators; hence the proposed amendment should be cancelled. Indeed, CRD assigns the risk committee the very specific (and different) task of examining the incentives provided by the remuneration system to verify whether they take into consideration “risks, including those resulting from the impacts of ESG factors, capital, liquidity and the likelihood and timing of earnings”[4]. Furthermore, assigning this additional task risks creating confusion as to the different roles that these two committees have in the definition of remuneration policies and practices. Also, the reference to “related targets or key performance indicators” is ambiguous, as these are terms typically used in the context of remuneration and incentive systems (especially “key performance indicators”, which is never used by CRD VI with reference to ESG risks). This ambiguity increases the risk of potential confusion as to the tasks of each committee and reinforces the need to eliminate the proposed amendment.


 

[1] https://www.bis.org/fsi/fsisummaries/corp_gov_principles.htm

[2] https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/joint-esma-and-eba-guidelines

[3] https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/remuneration/guidelines-sound-remuneration-policies-under-crd

[4] Art. 76, par. 4, as amended by CRD VI, “(…) In order to assist in the establishment of sound remuneration policies and practices, the risk committee shall, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risks, including those resulting from the impacts of ESG factors, capital, liquidity and the likelihood and timing of earnings”.

 

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

Overall Comments

We acknowledge the objective of ensuring good governance frameworks through the provisions in Title III, section 6. However, in our view, the drafting introduces an excessive level of detail that goes beyond what is necessary to achieve sound oversight and risk management and, in some areas, also goes beyond what is required under CRD VI.

 

For instance, the Draft Guidelines include very specific requirements on the mapping of duties, individual statements, reporting lines, and organisational structures. While transparency is important, this degree of prescription risks creating rigid compliance exercises rather than fostering effective governance. In practice, institutions may be forced to focus on producing documentation to satisfy supervisory checklists instead of tailoring governance arrangements to their specific size, complexity and business model.

We believe that the Guidelines should set out principles and expected outcomes, such as clarity of responsibilities, independence of control functions, and effective oversight, while allowing institutions flexibility to design and document their governance structures in line with their applicable legal framework. This would better respect the principle of proportionality and avoid turning the Guidelines into overly prescriptive rules.

 

In addition, it should be recognised that under the principle of collective responsibility, which applies equally to one-tier and two-tier board structures, individual responsibilities cannot be allocated or individualised among the members of the management body, since they exercise them collectively. In these systems, directors act in a collegiate manner and exercise both management and supervisory functions, with the principle of collective responsibility embedded in company law. Any requirement to assign specific responsibilities to individual members would therefore contradict national legislation and undermine the legal framework within which boards operate. This is especially relevant in the case of non-executive directors, who are all assigned the same set of duties and authorities as board members, in contrast with executive directors, to whom an additional set of management duties and authorities is delegated in compliance with CRD and national company law.

 

Moreover, according to the interpretation expressed by EBA during the public hearing, institutions would be expected to prepare individual statements only for each member of the management body in its management function. Indeed, Article 88(3) of CRD VI explicitly limits the requirement to establish an “individual statement of responsibilities” to members of the management body in its management function (as well as KFH and senior management). This requirement therefore should not apply to members of the management body in its supervisory function.

 

In addition, we are particularly concerned with the provisions introduced in paragraphs 68 and following, which require highly detailed mapping of duties and individual statements to be approved by the management body. The level of granularity envisaged in these provisions goes well beyond what is necessary to ensure clarity of responsibilities and risks transforming governance into an administrative burden. In large and multinational groups, such requirements could potentially affect a very high number of individuals, including senior managers and key function holders across different jurisdictions, thereby creating disproportionate complexity and legal uncertainty.

 

Furthermore, we note that no political agreement was reached on detailed provisions regarding mapping of duties or individual statements. CRD Recital 54 allows Member States to adopt or maintain stricter requirements for the individual statements and maps but does not refer to any EBA stricter requirements. Nor has there been a specific EBA mandate on this point. For Member States that do not provide further clarification through secondary legislation, institutions will likely fall back on the EBA Guidelines under the “comply or explain” principle. This effectively turns the Guidelines into quasi-binding requirements. Therefore, we suggest that the Guidelines should focus on setting out good practice, leaving room for national discretion and proportional implementation.

 

Comments on Individual Sections of Paragraph 68

Accordingly, we propose the following:

 

Paragraph 68: We request that the EBA clarify if the referred “substance” is intended as economic substance as in the rest of the Guidelines.

 

Paragraphs 68 a and b: We ask the EBA to rephrase, deleting any reference to the management body in its supervisory function. Including the management body in its supervisory function (e.g. the Supervisory Board in a two-tier system or the non-executive directors in a one-tier system) goes beyond what is required according to Recital 54 and Article 88(3) of Directive 2013/36/EU, as this only requires institutions to prepare the mapping of roles with regard to the management body in its management function. In addition, it would not be practical, as the management body in its supervisory function does not have any reporting lines or any lines of responsibility. Any setting of guidelines in this regard targeting the management body in its supervisory function, e.g. paragraph 68c of the Draft Guidelines, is thus outside the competence of the EBA.

 

Paragraphs 68 a, b and c: Clarification is required as to whether (1) the mapping of duties and the individual statements of duties are to be made public outside the organisation or are to be regarded as internal documents, and (2) the mapping of duties and the individual statements are additional documents to be created alongside those already specified under VII Transparency, 3f (“Composition and functioning of the management body/internal division of tasks”) and 8a (“Organisational structure / [..] allocation of competences and responsibilities”). If so, it would be helpful if the EBA could clarify which features differ and how they would add value for the institution.

 

Paragraph 68.a.b: The EBA provides that this mapping of duties applies not only at the level of institutions subject to the Directive but also to all entities within the prudential consolidation group (it would therefore also apply to certain non-regulated or non-European entities). It is also planned that the parent company additionally establish a mapping of functions on a consolidated basis, which does not respect the legal autonomy of legal entities, even when they are part of the same group. Besides, under French law, group subsidiaries can delegate the responsibility for the internal control functions to the heads of internal control functions of the parent company. As a consequence, could the EBA clarify that it is possible to require a mapping of duties only for the heads of internal control functions at the level of the ultimate parent company receiving such delegation?

 

Paragraph 68.a.c.: We suggest deletion, or alternatively amendment as follows: “The management body should agree and set out clearly where duties lie for the role of each individual member and what those duties entail. The duties should be outlined separately for both the management and the supervisory function of the management body. The management function of the management body should be responsible for the allocation of the duties and responsibilities assigned to senior management and key function holders even if those duties are drafted below management body level.”.

 

We suggest that the provision of 68.a.f. is amended as follows, to avoid duplication of existing procedures: “The mapping of duties - which can be documented within the Institution’s existing organisational rulebook - should complement the institution’s existing governance framework, which explains its governance arrangements, how its governing bodies are structured and interact, and its organisational chart, and in addition include at least the following…”

 

Paragraph 68a.f.ii: We request that the EBA considers deleting this provision for the supervisory function. The competences of the management body in its supervisory function (Supervisory Board) are derived directly from statutory company law and/or the Articles of Association of the legal entity. The duty to additionally draw up an explanation is disproportionate and redundant. This provision also goes beyond the duties in Art. 88 (3) of Directive 2013/36/EU, and this wording lies outside the guidance competence of the EBA. Regarding the management body in its management function, senior management and key function holders, an online system (intranet) of the institution containing organisational charts (with the respective reporting lines, rules of procedure and schedules of responsibilities) should be sufficient to meet this requirement. The mere copying of existing tables, guidelines or procedures into another intranet location or format would be an unnecessary administrative burden and has no additional value on its own.

 

Paragraph 68.a.f.iii: We suggest that the mapping should identify roles rather than individual names. Traceability to specific persons is already ensured through the institution’s internal nomination system and the signing of individual statements of duties. Listing personal names directly in the mapping would add unnecessary complexity and may quickly become outdated. Furthermore, we suggest deletion of references to “roles and duties” contained in the mapping of duties. These references appear (i) incoherent, since the mapping of duties should be updated first and only afterward should the individual statements be modified accordingly, and (ii) inconsistent with point 68.b.d, which states with regard to the individual statements: “Institutions should review it on a regular basis, taking into account the review of the mapping of duties.” 

 

Paragraph 68.a.f.v.: We request that the EBA considers deleting this provision, at least for the supervisory function. This requirement goes beyond the wording of Art. 88 (3) of Directive 2013/36/EU. Non-executive directors of the management board hold their function based on statutory law, complemented by already public, clear and detailed provisions in the Articles of Incorporation as required by company law. Extensive documentation of the backgrounds, skills and experience of the members of a Supervisory Board already exists (e.g. CVs, competence matrices, documentation of experts on certain topics).

 

Paragraph 68.a.g: We consider that the requirement in paragraph 68.a.g, which states that “the management body should approve the mapping of duties and institutions should timely update it as appropriate, taking also into account the review of the individual statements”, introduces an excessive level of detail that risks converting the mapping into a formalistic compliance tool rather than a genuine instrument of good governance. In large and multinational groups, such mapping may cover a very high number of positions, meaning that management body approval of each update would create an unmanageable administrative burden and divert the management body from its primary strategic decision-making and oversight responsibilities.

 

We request that the EBA considers deleting this provision. It goes beyond what is required according to Art. 88 (3) of Directive 2013/36/EU, which only requires institutions to prepare documentation and keep it updated. No voting or approval requirement can be read into the wording. Requiring approval by the Supervisory Board is unlawful under 2-tier company law and ineffective for its desired purpose; simpler, yet more effective alternatives exist:

  1. Roles, functions and duties need to retain flexibility; they will not be drawn up and then left unchanged for a long period of time.
  2. A 2-tier supervisory board is not competent for the allocation and supervision of duties and roles below the management level, as this responsibility is strictly operational.
  3. The decision-making process, especially of a 2-tier board, would strongly delay any flexible reshaping and changing of company roles and responsibilities.

If this paragraph must be retained, a more proportionate approach would be to amend paragraph 68a g) so that the management body is required to approve only the overall policy, methodology and governance framework for the mapping of duties, while responsibility for maintaining and updating the detailed mapping rests with senior management. Material changes and assurance reports could then be presented to the management body periodically, with the mapping made available to supervisors upon request. This would preserve accountability and transparency while respecting proportionality and national company law and would avoid imposing unnecessary burdens that add little supervisory value.[1]

 

Paragraph 68.b.a: The indication of the expected time commitment should remain part of the fit and proper (FAP) assessments and not be extended to members of senior management who are not subject to a FAP assessment.

 

Paragraph 68.b.c: The text states that “In the case of an individual who holds roles in more than one institution, including within a group, an individual statement is required in respect to each institution”. We suggest that this is overly burdensome for group structures and that an exemption should be provided.

 

Paragraph 68.b.d: We have several concerns with this requirement. 

  • First, it is highly unlikely that an individual can give a written statement confirming a certain role or certain responsibilities when the fit and proper process for this position is not yet completed and the person has not yet taken over the respective position;
  • Second, it conflicts with data privacy law (e.g. the principle of data minimisation, Article 5 of GDPR), as sensitive personal data are concerned;
  • Third, the signature requirement goes beyond what is required according to Art. 88 (3) of Directive 2013/36/EU and may conflict with national employment laws, as it amounts to a change of contract;
  • Fourth, assumption of the role should be sufficient proof of an individual’s acceptance of the duties of that role;
  • Fifth, the suitability questionnaire should be produced only for Key Function Holders according to Article 91a of CRD VI and the previous EBA and ESMA GL on assessment of suitability[2], and not for all the rest of senior management as the Draft Guidelines seem to suggest; and
  • Finally, we request clarification as to what is meant by “in due time” per Article 88(3) CRD VI, to ensure consistent supervisory expectations across Member States, and whether “in accordance with the RTS” envisages any further procedural requirements beyond the directive’s “upon request” standard.

In conclusion, we encourage the EBA to simplify the drafting of section 6. A more concise and principle-based text would achieve the intended supervisory objectives without introducing unnecessary prescriptiveness and would allow institutions to apply the Guidelines more effectively within their national governance frameworks. This would also be more in line with the overall simplification agenda of the European Commission.

[1] We note that this is a change that the UK regulators are currently considering to the UK Senior Managers and Certification Regime, on account of their desire to significantly reduce the administrative burden on firms. See, for instance https://www.fca.org.uk/publications/consultation-papers/cp25-21-senior-managers-certification-regime-review 

[2] https://www.eba.europa.eu/sites/default/files/document_library/Publications/Guidelines/2021/EBA-GL-2021-06%20Joint%20GLs%20on%20the%20assessment%20of%20suitability%20%28fit%26propoer%29/1022127/Final%20report%20on%20joint%20EBA%20and%20ESMA%20GL%20on%20the%20assessment%20of%20suitability.pdf

Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?

Section 7.2: In the draft Guidelines, the EBA differentiates between requirements for credit institutions, ‘institutions’, and branches. Where the Guidelines refer to the ‘management body in its management function’ and the ‘management body in its supervisory function’ (7.2), it should be clarified that the Head Undertaking of a third country branch will often have delegated these responsibilities to a regional manager and to headquarters in a different entity. Furthermore, the Draft Guidelines do not allow for proportionality; it would be unrealistic for the Head Undertaking of a large international banking group to engage on all branch management and supervisory matters. We therefore suggest that the EBA amends the Draft Guidelines to allow the Head Undertaking management body, while retaining responsibility, to delegate the day-to-day supervisory functions as appropriate. What is appropriate may differ between banks, but examples might be delegation to the general managers of the bank in the region (with direct links to the management body if needed), or the setting up of a delegated governance forum for specific branch-related issues. We would like to reiterate that, in our view, asking the Head Undertaking management body to have such close involvement in the branch is unrealistic unless there is some acknowledgement of proportionality.

 

The EBA should also clarify that third country branches are expected to apply the Guidelines proportionately and in line with the arrangements specified in section 7.2 of the Draft Guidelines. Although the draft makes clear the differentiation between full credit institutions and TCBs, we feel it could be more clearly stated that third country branches should apply the guidelines in a proportionate manner as set out in Section 7.2 to satisfy the rules laid down in Article 48g of CRD VI.

 

Paragraph 90h: The application of DORA to third country branches is currently under review, by virtue of DORA Q&A 102[1], whereas Paragraph 90h of the EBA Guidelines would imply that DORA requirements should be applied in full to third country branches. It would be premature to include third-country branches into the scope of the revised internal governance guidelines, at least until the review is completed with a decision to apply DORA to such entities. Otherwise, there is a material risk of divergence between the EBA and European Commission position leading to gold-plating of DORA for entities that are not currently within its scope as a matter of EU law. Consistency in approach and rationale will be key to avoiding any unintended extension of DORA’s scope. We would also recommend that the EBA amend the Guidelines to specify that application of DORA is proportionate, in line with provision within Article 48g of CRD VI.

 

Paragraph 90i: This states that "third country branches should ensure at a minimum, transactions with an EU nexus are neither systematically nor substantially back-to-backed, and are risk-managed from the EU". This goes beyond the requirements in CRD VI and may have a negative impact on branches' pricing models. The Guidelines should be clarified to define what falls within the definition of “back-to-back”. In the market this is generally understood to cover the trading book and not the banking book. Furthermore, where the paragraph states that "associated business is expected to be run in the Member State", this is too broad. It should be clarified that this applies only to trading book activities and not to banking activities and outsourcing arrangements. To apply the latter would be disproportionate for third country branches.

 

Paragraph 90j: Please note that Article 48g(2) of CRD VI provides that third country branches shall comply with Articles 92, 94 and 95 of CRD, which do not include Article 93 and do not refer to “the EBA Guidelines on sound remuneration policies under Directive 2013/36/EU, taking into account the risk appetite regarding ESG risks.” We would therefore suggest that paragraph 90j be modified as follows:

“Third-country branches should comply with the remuneration principles set out in Articles 92, 94 and 95 of Directive 2013/36/EU [.../...].”

[1] 2023_6876 DORA Regulation & Applicability to Third-Country Branches | European Banking Authority

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

Paragraph 101a: The guidelines are much broader than CRD VI, in that they concern all employees and not just the management body (for example: ratio of full-time vs part-time positions per gender, days of training by gender, etc.). We strongly oppose this.

 

In addition, it is unclear whether the EBA is linking risk culture expectations (Title IV) with the management of ESG risks. In other words, we would like the EBA to clarify whether it considers that risk culture – including equality, diversity and inclusion, the prevention of discrimination and harassment (94) and the monitoring of gender-balance indicators (104a) – should now be covered as part of ESG risk management. The impact would be significant, as firms would have to integrate risk culture factors also into the role and composition of the management body and committees (22, 51, 62), and potentially in individual statements of responsibility and mappings as well. However, ESG risk management applies a financial-risk lens over external factors that can transmit into credit/market/liquidity/operational risk, while DEI should remain inward-looking and focused on own employees. Linking risk culture with ESG risk management and equality, diversity and inclusion practices risks conflating two distinct actions. Based on the stated objectives for the revision of the guidelines, we believe this outcome would be unintended and disproportionate. We therefore recommend clarifying the intent and distinction in the revised guidelines and, in particular:

 

  • On committees’ ESG skills, we suggest the EBA draw a clearer line between ESG risk-management expertise and DEI risk-culture skills. Where Paragraph 51 requires the remuneration committee to have, “individually and collectively,” the knowledge to assess the impact of ESG factors and align remuneration with ESG-risk appetite, and Paragraph 62 assigns the risk committee a role in providing ESG-risk input and KPIs, the guidance should specify which competencies are expected, clarifying that they should refer only to the collective composition of the Committee, and avoid wording that could be read as bringing DEI obligations into ESG risk oversight. Consider anchoring ESG elements to Article 76/Section 6 (prudential risk) while treating DEI as a distinct culture and conduct topic. Please see also our comments above on paragraph 51.
  • On risk culture and business conduct, Paragraph 94 currently frames DEI (“equality, diversity and inclusion”) as part of “risk culture,” which risks conflating prudential ESG risk management with DEI culture expectations. We recommend revising the drafting so DEI sits under corporate values and conduct (as already reflected in Paragraph 22(k)), with risk culture (Paragraph 22(j)) focused on risk awareness and risk-taking behaviours, thereby preserving a clean boundary between prudential ESG risk and DEI culture.
  • On DEI/DOI reporting, clarification is needed as to whether the list is mandatory or given as (non-exhaustive) examples. Paragraph 101a should state unambiguously whether the listed “additional indicators” are optional monitoring tools or minimum required metrics; this will help prevent their being treated as ESG-risk KPIs. We also recommend defining the reporting populations—what “senior management” and “key function holders” mean for DEI/DOI monitoring—and indicating the level(s) of application (individual, sub-consolidated, consolidated) and frequency, drawing on the Article 109 application framework. Monitoring should also be proportionate, meaning it should depend on whether this has been identified as being material. In addition, we suggest adding that the selection of indicators to measure diversity (all types of diversity) should remain within the discretion of the institution.
  • On statements of responsibility and duty mapping, we suggest the EBA require institutions to document ESG risk-management duties separately from DEI/DOI culture and conduct duties, both in the individual statements and in the mapping of duties mandated under Article 88, and reflect this distinction in the optional Annex II template. This would clarify accountabilities, support proportionality, and avoid the impression that DEI culture oversight forms part of ESG prudential risk management or of the risk committee’s remit.

 

Paragraph 107a and b: We note that, under the new principle in CRD VI (Article 88(1)), while the chair of the management board cannot be the CEO of the institution, s/he may still have executive duties in the institution (and in the group). Accordingly, we suggest the following amendment: “In accordance with article 88 paragraph 1 of Directive 2013/36/EU, the simultaneous exercise within the same institution of the functions of chair of the management body in its supervisory function and CEO is prohibited. Similarly, within a group, the role of Chair of the management body in its supervisory function of a parent entity should not automatically be precluded for a CEO of a subsidiary…”

 

Paragraph 107a: the impact on “the duty to oversee their own previous actions” is not clear since the paragraph refers to functions exercised simultaneously.

 

Paragraph 107b: The provision envisaged by the EBA Guidelines of a cooling-off period of at least three years, as well as the specific mitigation measures for hypothetical and abstract conflicts of interest (beyond those already in the Guidelines), go beyond the requirements of CRD VI. Specifically, the company’s autonomy in appointing the Chair and non-executive directors would be compromised. In this respect, it should be taken into consideration that the role of non-executive board member may coexist with the position of non-independent member of the board.

 

For this purpose, the mentioned provisions under paragraph 107b of the EBA Guidelines should be deleted. It should instead be clarified that an executive director who, at the end of his/her term, takes on the role of Chair or member of the management body in its supervisory function, cannot be qualified as an “independent director” for the period established by national regulations regarding the independence requirements for directors, without any prejudice to the role as non-executive director. This approach is also consistent with the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body.

 

Having said the above, it should be also considered that the overall safeguards for managing specific conflicts of interest according to the ordinary rules of disclosure and abstention would remain in force, as these are already extensively regulated by corporate law.

 

Paragraph 129: Although the Draft Guidelines do not include amendments on this specific matter, we suggest that this may be an opportunity for the EBA to simplify the set of information required on exposures granted to related parties, making it more consistent with the information required in the context of the ECB's Fit & Proper Questionnaire[1], thereby reducing the compliance burden in the presence of non-significant exposures. In any case, it is suggested to raise the current threshold for determining the relevance of exposures for which additional information is required, currently set at €200,000.

[1] https://www.bankingsupervision.europa.eu/activities/authorisation/shared/pdf/ssm.fit_and_proper_questionnaire_update_202112.en.pdf

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

We understood from the public hearing of 5 September 2025 that the EBA regards risk management and compliance as mandatory functions within the second line, but that institutions may set up additional control functions. However, the examples given for additional control functions could be interpreted as formally excluding from the second line other functions which also monitor and oversee risks (e.g. Human Resources, Physical Security, etc.). A clarification in this regard would enhance transparency for institutions. We suggest an additional note stating that risk management and compliance are mandatory second line functions and that, in accordance with the proportionality principle, additional control functions are considered part of the second line if they are mandated by the board with the monitoring and oversight of a risk category.

 

Paragraph 152: The addition of the following text goes beyond CRD Article 74(1) and should be deleted: “and to the channels through which they may drive their prudential risks, in particular through environmental physical and/or transition risks, and be compliant with the requirements set out in the EBA Guidelines on the management of ESG risks (EBA GL/2025/01).”

 

Paragraph 171: Even if a member of the management body in its management function exercises this role, he/she must be able to delegate the exercise of his/her tasks to a subordinate (e.g. Compliance Manager or AML/CFT Manager), although this does not exempt him/her from ultimate responsibility in this area. We suggest that paragraph 171 could specify that the responsibility of the member of the management body relating to AML is “without prejudice to the right of the institution to appoint a person responsible (e.g. Head of Compliance) for the implementation of policies and procedures regarding AML/CFT”.

 

Paragraph 175.d: We request that the EBA considers revising the wording to “remuneration system”. The supervisory function is only responsible for the “remuneration system”, not for individual compensation packages.

 

Paragraph 176: We suggest rewording the last sentence as follows: ‘The internal audit function must not be combined with any other business line or another (internal control) function’. Please see also our comments on internal audit below.

 

Paragraphs 204, 209 and 210: The change in wording from "compliance risk" to "legal risk stemming from non-compliance events" raises significant questions regarding the delineation between compliance risk and legal risk. This is particularly relevant as the Compliance function is specifically limited to certain legal areas that are associated with heightened compliance risks. The proposed amendment appears to blur the responsibilities between the Compliance function and role of the Legal department, which we consider neither practical nor appropriate. Furthermore, this change in wording contradicts Article 76(5) of CRD VI, which explicitly assigns responsibility for compliance risk to the Compliance function. We therefore recommend maintaining the original wording.

 

Paragraph 206: The rationale for the removal of paragraph 206 is not clear, especially considering the emphasis placed on the independence of internal control functions elsewhere in the Guidelines (e.g. paragraph 174a under section 19.2 "Independence of internal control functions" or paragraph 176 under section 19.3 "Combination of internal control functions"). The independence of the compliance function is a fundamental principle of governance, and ensuring clarity and consistency within the Guidelines would be desirable. See also our comment on paragraph 22.c.i.

 

Internal Audit

Paragraph 215: The reason for the removal of the last sentence in paragraph 215 is not clear to us. As the IAF should not be combined with 1st or 2nd line responsibilities, the sentence should be maintained and amended as follows: ‘Therefore, the IAF should not be combined with any other business line or other functions’. This is in line with our feedback above on paragraph 176.

 

We have concerns regarding paragraph 223, which requires the annual internal audit plan to be approved by the management body. In our view, in institutions where an Audit Committee exists and such a committee is composed entirely or in the majority by independent non-executive directors with the necessary expertise and maintaining frequent interaction with the internal auditor, it is both more efficient and more consistent with best governance practices to foresee the possibility that the Audit Committee approves the plan. 

This reinforces the independence of the internal audit function and ensures that the plan is subject to specialised scrutiny. Moreover, we understand it is especially appropriate for one-tier management body institutions in which the management body (as a whole) has both supervisory and management functions, while the Audit Committee is only devoted to supervisory functions.

 

Thus, requiring approval by the whole management body in all cases risks turning the process into a formality, potentially reducing the added value of the Audit Committee’s work. For this reason, we suggest amending paragraph 223 to recognise that approval by the Audit Committee should be sufficient in institutions where such a committee exists:

 

“An internal audit plan should be drawn up at least once a year on the basis of the annual internal audit control objectives. The internal audit plan should be approved by the management body. In institutions where an Audit Committee exists, composed mainly or entirely of independent non-executive directors with the required expertise and direct oversight of the internal audit function, the internal audit plan might be approved by the Audit Committee, without prejudice to applicable national provisions.”

 

Finally, it is worth noting that this change would further contribute to the alignment of the Guidelines with national capital markets supervisors’ expectations. As an example of this, the recently published Technical Guide of the Spanish Securities Market Commission (CNMV) on Audit Committees of Public Interest Entities already foresees the possibility of the internal audit plan being approved by either the Board of Directors or the Audit Committee.

 

Question 7: Are the changes made in Title VI (business continuity management) appropriate and sufficiently clear?

Paragraphs 225, 228, 229 and 230: In these paragraphs the term ‘recovery’ and ‘recovery plans’ are mentioned. It should be clarified in the text of these guidelines that the reference to ‘recovery’ and ‘recovery plans’ is not to the ‘recovery’ and ‘recovery plans’ relating to financial stress in accordance with the Bank Recovery & Resolution Directive (BRRD), but to ‘disaster recovery’ as part of business continuity management.

 

Otherwise, AFME supports the alignment with DORA and has no further comments in response to this question.

Name of the organization

Association for Financial Markets in Europe (AFME)