Response to consultation on revised Guidelines on internal governance under CRD

Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

While we appreciate the EBA’s efforts to clarify the subject matter, scope of application, definitions and date of application in the draft Guidelines, we have some concerns regarding their appropriateness and clarity.

  • Subject matter and scope of application: As mentioned above, the Guidelines appear to extend beyond the remit of interpreting existing EU law, introducing new obligations not foreseen in CRD VI. We recall that Guidelines should serve to interpret and ensure consistent application of existing legislation, not to create new regulatory requirements. If the Guidelines are issued before the full transposition and notification of CRD VI by all Member States, there is a significant risk of overlap or contradiction with national regimes, which could undermine legal certainty and the harmonisation objective.
  • In Paragraph 6 of the Guidelines, there is a reference that states that the EBA’s Guidelines on internal governance should apply to network and information systems in accordance with Regulation (EU) 2022/2554 (DORA). This creates a lack of clarity, given that DORA is already highly detailed, particularly in relation to risk management. On this note, it should be highlighted that it is not the systems and networks themselves that should be covered by the Guidelines, but rather the ICT management of all risks.
  • Regarding Paragraph 8, on the terms ‘management body in its management function’ and ‘management body in its supervisory function’, we consider it essential that the last sentence of paragraph 8 is retained. If deleted, as suggested in the draft Guidelines, it would create significant uncertainty regarding how the management and supervisory functions should be understood and allocated in practice. This point is particularly relevant for smaller institutions, where it is crucial that competent authorities can rely on national company law to specify which bodies or members are responsible for the respective functions. For smaller institutions, where governance structures are often simpler and characterised by overlapping roles, proportionality is a practical necessity. Without the explicit reference to national company law, the Guidelines risk becoming de facto binding requirements that fail to account for national differences as well as the institution’s size, complexity and business model. This would impose unnecessary documentation burdens and create the risk of ambiguity in the allocation of responsibilities. Overall, retaining the last sentence of paragraph 8 would therefore support the principle of proportionality, provide clarity for both authorities and institutions, and ensure that the Guidelines can be implemented in a manner consistent with national governance frameworks.
  • With regard to Paragraph 9, we propose rewording it as follows: “In Member States where the management body appoints person(s) that effectively direct the business of the institution, that/those person(s) belong, in accordance with Article 3(1)(8a) of Directive 2013/36/EU, to the management function of the management body.”
  • Definitions: While most definitions are generally understood, we recommend further alignment with the terminology used in CRD VI and national texts that will transpose the Directive to avoid ambiguity. Any new or expanded definitions should be duly justified and remain consistent with both the Directive and national implementing measures, to prevent divergent interpretations across Member States. Furthermore, the decision to define operational resilience specifically may also warrant examination.
  • Date of application: We believe that the proposed date of application is premature. The Guidelines should only become applicable after all Member States have transposed and notified the Directive to the European Commission. Otherwise, financial institutions may face conflicting requirements and uncertainty during the transition period. We recommend that the date of application be set no earlier than 2027, to allow for proper implementation and alignment with national frameworks.
  • Supervisory Convergence: The Guidelines should support supervisory convergence across the Union. Premature application risks fragmenting the regulatory landscape rather than fostering harmonization.

Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?

We acknowledge the EBA’s intention to clarify and strengthen the principles of proportionality and the role of the management body and its committees. However, we have several concerns regarding the appropriateness and clarity of the proposed changes:

  • Title I: Proportionality. While the Guidelines reaffirm the principle of proportionality, we believe that the current drafting does not provide sufficient clarity or flexibility for institutions to apply this principle in practice. The level of prescriptiveness in certain sections may limit the ability of institutions—especially those with complex or group structures—to tailor their governance arrangements to their size, nature, and risk profile. It is essential that the Guidelines explicitly recognize the diversity of governance models across Member States, including those established under national law transposing CRD VI. Financial institutions should retain the ability to organize their internal governance in the manner they consider most appropriate, in line with their own internal policies and procedures, if they remain compliant with the overarching requirements of the Directive and national laws. We also note that, in some instances, the draft Guidelines appear contradictory: while they state that national company law provisions will be respected, certain requirements introduced by the Guidelines contradict existing national frameworks. This inconsistency may create confusion and legal uncertainty, particularly where national regimes differ from the approach taken in the Guidelines. The Guidelines should fully respect national legal systems and allow institutions to comply with their own governance arrangements as recognized under national law.
  • Title II – Role of the Management Body and Committees: The changes introduced in Title II, particularly regarding the separation of functions, conflicts of interest, and the composition and responsibilities of committees, partially go beyond the requirements of CRD VI and may restrict organizational flexibility. For example, the proposed restrictions on the compatibility of roles within group structures and the additional requirements for committee composition are not always aligned with the Directive or with national implementing measures. This could result in overlaps or contradictions with national regimes, especially if the Guidelines are applied before full transposition. In particular, the Guidelines are overly restrictive regarding the compatibility of roles, even though institutions already have their own internal policies and procedures in place to mitigate potential conflicts of interest. We believe that institutions should retain the flexibility to organize their management bodies and committees in accordance with their own risk management frameworks, if these are effective and compliant with the overarching requirements. Also, we see no legal basis for the requirement in point (o) of Paragraph 22 to establish plans and objectives regarding concentration risks toward "systemic" central counterparties, and ask that this provision be removed. Moreover, regarding Paragraph 33, we continue to have concerns regarding the legal foundation in CRD VI for requiring independent members on the supervisory body and would welcome further consideration of this provision. Lastly, we also note that some of the new obligations may create unnecessary administrative burdens and do not sufficiently take into account the need for efficient and agile governance, as highlighted in the EBA’s own work on regulatory simplification.
  • Clarification of scope (paragraph 20): We recommend introducing clarifying language in paragraph 20 to properly delimit the scope of the obligations, in line with Article 88 (3) of CRD VI, which applies from the level of the management body in its management function. It should be made explicit that the requirement to maintain and report a mapping of duties and individual statements of responsibilities applies exclusively from the level of the management body in its management function. This clarification should also be reflected in paragraph 68.a(c) of the EBA Guidelines (see below response to question 3).
  • Remuneration Committee - ESG Knowledge (paragraph 51): We consider it excessive to require specific, both individual and collective, ESG expertise for members of the Remuneration Committee. The current wording is already sufficiently robust and ensures an appropriate balance of competencies within the Committee. It would be more appropriate to maintain a global experience criterion covering ESG, remuneration, HR, and governance for the Remuneration Committee, without prejudice to the coordination and complementarity provided by the Risk Committee and/or other relevant committees (in particular, the Sustainability Committee), and in line with Article 76.4.2 of CRD VI: “The management body in its supervisory function and, where one has been established, the risk committee shall determine the nature, the amount, the format, and the frequency of the information on risk which it is to receive. In order to assist in the establishment of sound remuneration policies and practices, the risk committee shall, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risks, including those resulting from the impacts of ESG factors, capital, liquidity and the likelihood and timing of earnings.” Furthermore, the proposed drafting does not adequately reflect the full range of responsibilities of the Remuneration Committee, focusing only on ESG factors and overlooking other key duties.
  • Role of the Risk Committee (paragraph 61. C): We note that paragraph 61 expands the responsibilities of the risk committee to include oversight of “fundamental rights”. In our view, the reference to “fundamental rights” exceeds the remit of these Guidelines and the competence of the risk committee. Matters related to fundamental rights are already addressed by broader legal frameworks at both the EU and national levels and should not be included as a specific responsibility of the risk committee within the context of internal governance. We therefore recommend that this reference be deleted from the Guidelines.
  • Diversity and Inclusion: We welcome that the Guidelines do not introduce specific percentages or quotas for diversity and inclusion. In the current geopolitical context, such requirements could create challenges for institutions with extraterritorial activities. We encourage the EBA to maintain this approach, allowing institutions the necessary flexibility to address diversity and inclusion in a manner that is appropriate to their specific context and operational realities.

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

We acknowledge the need for clear frameworks on governance structures and allocation of responsibilities. However, we find it important to highlight that the draft Guidelines go significantly beyond the requirements of CRD VI regarding mapping of duties and individual statements by introducing very specific and detailed obligations. Although proportionality is mentioned, these detailed additions appear particularly challenging for smaller institutions, which have fewer staff members and where individuals often perform multiple roles as a practical expression of proportionality and as a reflection of the natural organisational structure.

We fully recognise the importance of transparency and clear allocation of responsibilities, as intended by CRD VI. However, it should be underlined that while the wording of Article 88(3) CRD VI allows institutions to design their governance structure in a proportional manner adapted to their size, complexity and business model, the detailed requirements set out in the draft Guidelines risk imposing a significant administrative burden.

We note that the requirements come in addition to a number of existing documents already prepared and regularly updated by institutions, such as job descriptions, organisational charts and terms of reference for board committees etc. In our view, it should therefore be recognised that institutions should, to the greatest possible extent, be allowed to rely on existing documentation to fulfil the new requirements, where appropriate.

In our view, it would be in line with the principle of proportionality and the stated political objective of simplification at EU level, that institutions should not be required to prepare new and parallel documents, to the extent that comprehensive and up-to-date material already exists. The preparation of new documents that overlap with existing documentation would, in our assessment, not contribute to better governance but would merely create additional administrative burdens. At the same time, this would be contrary to the signals of simplification and proportionality emphasized by both legislators and supervisory authorities.

In light of this, ESBG has significant concerns regarding the changes put forward in Title III (governance framework), section 6, which are detailed here:

  • Excessive Granularity and Operational Burden: The proposed obligations regarding the mapping of duties and individual statements introduce an excessive level of granularity, which is incompatible with the need for agile and adaptive management required by credit institutions in a competitive environment. Such detailed requirements may hinder the ability of institutions to respond efficiently to changing business needs and organizational structures.
  • Legal Certainty and Timing: Without the transposition of CRD VI by Member States, there is no legal certainty for financial institutions to apply these new requirements, especially since Article 88(3) of CRD VI gives a mandate for Member States to develop it. Therefore, the obligations set out in paragraphs 68a and 68b should be deleted to avoid potential conflicts with national transposition processes.
  • Consolidated Reporting (paragraph 68.a(b)): We request the deletion of the obligation to report mappings of duties and individual statements at a consolidated level for each subsidiary. This requirement goes beyond what is established in Article 88(3) of the Directive and represents a disproportionate operational burden, particularly for banking groups with complex structures. For example, a parent entity would be required to maintain an up-to-date repository of individual statements for employees whose responsibilities may frequently change, compromising efficiency.
  • Documentation requirement - Justification of split roles (paragraph 68a, letter f, point v): We wish to underline that the documentation requirement in the provision cited here, concerning the justification for split roles, may pose particular challenges for smaller institutions. The fact that employees often perform several roles is, as mentioned, an expression of proportionality and of the institution’s natural organisational structure. This should not in itself be regarded as evidence of a lack of governance arrangements or insufficient allocation of responsibilities.
  • Documentation requirement - Responsibilities in the use of third parties (paragraph 68a, letter f, point vi): Similarly, the requirement in point vi, concerning documentation of responsibilities in the use of third parties, including outsourcing, may be inappropriate in a broader prudential context. According to ‘Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders’, an outsourcing officer would typically not be classified as a key function holder or as part of the effective management. The requirement in point vi would therefore mean that persons without formal management responsibilities would have to be documented as responsible, which could create uncertainty regarding the actual allocation of responsibilities and risk obscuring the governance structure.
  • Time Commitment (paragraph 68.b(a)): We recommend deleting references to ‘time commitment’, as suitability matters do not fall within the scope of these Guidelines. In any case, it is not appropriate to include time commitment statements for executive positions.
  • Individual Statements in Suitability Procedures (paragraph 68.b(d)): The requirement to incorporate individual statements into suitability procedures is not foreseen in Article 88(3) of CRD VI. If such a requirement is to be considered, it should be addressed exclusively through the future RTS (Regulatory Technical Standards) still under development, not through these Guidelines. The Guidelines should facilitate the implementation of Article 88(3), not expand its scope with additional obligations. Consequently, section 9 of the Guidelines should also remove any reference to suitability procedures.
  • Collective Responsibility (paragraph 68.c): The paragraph establishes a regime of collective responsibility below the management body in its management function, which should not be imposed through a non-binding instrument such as Guidelines. Introducing such an obligation via an inappropriate normative vehicle exceeds the proper remit of Guidelines and creates legal uncertainty in the exercise of internal governance functions. We propose eliminating this section.
  • Annex: We note that Annex II on “individual statements of roles and duties” goes beyond the CRD by operationalising the requirement through a voluntary but detailed template. The requirement to specify expected time commitments for each role will in practice be difficult to comply with when individuals hold multiple roles simultaneously, which is widespread in smaller institutions. Documentation of time commitment may therefore be problematic, as it does not necessarily reflect insufficient resources or inadequate governance, but rather the practical and organisational frameworks of the institution. In practice, this could lead to institutions having to allocate additional resources or, in some cases, consider outsourcing tasks or functions. Therefore, we consider that the Annex should not be included in the Guidelines, due to its excessive level of detail and interventionism, as explained above.

For the sake of clarity, we recommend that section 7 retains its previous title “organisational framework is a group context”. If not, it may be confused with section 6.1, which currently shares the same heading. Maintaining distinct and consistent titles is essential to ensure the readability and technical accuracy of the Guidelines.

In summary, while we support the overall objective of enhancing governance frameworks, we believe that the requirements in section 6 are overly detailed, create unnecessary administrative burdens, and may conflict with both the CRD VI and national implementing rules. 

Our primary recommendation is to delete the identified paragraphs. If deletion is not considered feasible, however, we strongly urge a thorough revision and shortening of this section to ensure clarity, proportionality (considering a simplified approach or even an exemption from the application of paragraphs 68a and 68b for small and non-complex institutions), and legal certainty, and to prevent undue burdens or obligations that fall outside the intended scope.

The EBA should provide credit institutions with greater flexibility to determine, within the proportionality framework outlined in Title I, how they fulfil documentation obligations. This approach would help streamline requirements while avoiding unnecessary duplications. 

To reiterate, credit institutions typically maintain comprehensive internal documentation covering tasks and duties through various mechanisms including strategies, organizational structures, role descriptions, and responsibility frameworks. Where separate documentation is required for Article 88(3) CRD VI purposes, we recommend allowing institutions to focus on summarizing essential elements rather than potentially duplicating existing governance documentation in new formats. Moreover, particularly related to the abovementioned Annex II, where supervisory authorities deem specific formats necessary for their supervised institutions, we suggest that these be developed through appropriate consultation with the affected parties.

We note that Article 91(14) CRD VI contains an important reservation regarding Member State laws on appointment processes for management body members in supervisory functions, particularly where regional or local elected bodies are involved, or where the management body lacks selection authority. 

We suggest the EBA guidelines explicitly acknowledge this reservation to ensure alignment with the legal framework. In such circumstances, "mapping of duties" requirements may not be practically applicable. We also wish to highlight that some institutions have limited influence over supervisory body composition, including aspects such as gender balance, which should be considered when implementing individual assessment requirements referenced in paragraphs 68b and 68c. These considerations also apply to paragraph 101a.

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

We have significant concerns regarding the changes made to Title IV, particularly with respect to the new restrictions on the compatibility of roles and conflicts of interest within intra-group structures, as set out in section 107a of the Guideline. 

Firstly, we propose the deletion of paragraph 107a. The Guidelines introduce additional restrictions on the compatibility of roles and conflicts of interest within banking groups that are not foreseen in CRD VI. These limitations reduce the organizational flexibility of banking groups and create unnecessary burdens, without clear justification. In particular, the proposed prohibition on combining the role of CEO of a subsidiary and Chair of the parent company should be rejected. This scenario is not comparable to the situation addressed in Article 88(3) of CRD VI, which concerns the simultaneous holding of CEO and Chair positions within the same entity.

Furthermore, the simultaneous exercise of the role of member of the management body in its management function and of member of the management body in its supervisory function in different institutions within the same group is not considered problematic under the current conflicts of interest framework. On the contrary, CRD (Art. 91.4), the EBA Guidelines on Suitability, and the Guidelines on Fit & Proper issued by the ECB do not require additional reporting obligations in these cases but rather recognize a privileged calculation that facilitates the compatibility of such intra-group roles. Considering the simultaneous exercise of the role as member of the management body in its management function and member of the management body in its supervisory function in different institutions within the group is not entirely in line with Art. 109 CRD which requires parent institutions to ensure that arrangements, processes and mechanisms are implemented in the subsidiaries group-wide. The appointment of members of the management bodies in the management function in the supervisory boards of subsidiaries is one of the most effective ways to ensure that arrangements, processes and mechanisms are consistent and well-integrated group-wide and any limitation of this empowerment of parent institutions would be detrimental to the governance framework of the group. The introduction of stricter requirements in this area is not only unnecessary but may also contradict the existing regulatory framework and the current supervisory practices.

Additionally, these new restrictions may undermine the ability of banking groups to leverage internal expertise and ensure effective oversight across group entities, especially in complex or cross-border structures. The flexibility to allocate roles within the group, subject to robust internal policies and conflict of interest mitigation measures, is essential for efficient and effective governance. Imposing blanket prohibitions or additional reporting requirements could have the unintended consequence of reducing the pool of qualified candidates for key positions and increasing administrative burdens, without a corresponding benefit in terms of risk culture or governance quality.

It is also important to highlight that the current regulatory framework already provides for adequate safeguards to address potential conflicts of interest, including requirements for transparency, disclosure, and the implementation of internal policies and procedures. The Guidelines should recognize and build upon these existing mechanisms, rather than introducing duplicative or conflicting obligations. For example, rules regarding the prevention of conflicts of interests in cases where a member of the management body in its management function becomes a member of the management body in its supervisory function within the meaning of the new paragraph 107b are already available in the current legal framework of some member states. In order to avoid conflicting situations with the already existing rules, the Guidelines should specify that the new paragraph 107b applies only in member states where currently such rules are not in place at all.

Further to the abovementioned paragraph 107b, it should also be noted that a cooling-off period of three years is indirectly postulated for changing from a CEO position to the supervisory board. This requirement, which is not objectively justified, should be waived.

Moreover, we also propose considering the deletion of paragraph 107c, as this matter is already fully covered by the general rules on the duty of loyalty, avoidance of conflict of interest, and the abstention that apply to both the CEO and other Board Members, and therefore, the introduction of an additional regime is not justified and would only create overlaps and legal uncertainty.

In summary, while we support the objective of fostering a strong risk culture, we believe that the changes in Title IV—particularly those relating to intra-group governance and the cooling off period—are not appropriate. We recommend that the Guidelines be revised to ensure consistency with the Directive, respect for national and group-level governance arrangements, and the preservation of organizational flexibility, while continuing to promote high standards of risk culture and conflict of interest management.

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

As for ESG risk in the risk management framework (pursuant to paragraph 152), CRD VI introduces new requirements to incorporate ESG risks at different time horizons into institutions’ risk framework; however, the guidelines seem to further highlight the importance of ESG risks by specifying that “The risk management framework should pay particular attention to ESG risks…”.

ESG risks are of equal importance as other risk drivers and should therefore be handled at a level that is equal to other risk drivers. Consequently, we propose that the phrase “pay particular attention to” is substituted with “address”.

Name of the organization

European Savings and Retail Banking Group (ESBG)