Response to consultation on revised Guidelines on internal governance under CRD
Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?
Preliminary Comments
We agree with the EBA that governance is an important topic. Preventing and managing potential risks is banks’ main responsibility and supervisors already have effective legal tools to control the proceedings we have put in place such as robust checks and balances, effective risk management and a strong culture of accountability.
CRD VI added new obligations, and technical mandates were given to the EBA to clarify the meaning of the Level 1 provisions regarding pre-notifications, fit and proper and reinforced dialogue.
We would like to highlight first that no EBA GL should lead to new obligations or an extended scope of application without legal basis or proportionality. Guidelines should respect the scopes defined in Level 1, and national and organisational specificities. Although soft law such as EBA GL is legally non-binding, it nonetheless has de facto binding effects because of the often-expressed supervisory expectation that it will be implemented by financial institutions and complied with by competent authorities.
For more details, cf. the Less is more Report: https://lnkd.in/eHkSrQKX.
They should not be overly prescriptive and detailed, which could lead to unnecessary burdensome processes, which does not seem to fit with the existing trend towards simplification in the EU and will come at significant cost of implementation and maintenance.
They should not impose a uniform model across the Union. They should take into consideration not only the size, complexity and risk profile of institutions, but also the diversity of governance frameworks and corporate board structures across the European Union, notably some national or cooperative ones.
We observe that the scope of application of certain provisions of CRD VI has been extended. We are highly concerned notably about:
- the detailed expectations provided in relation to the mapping of duties and individual statements set in guidelines 68a, 68b and 68c, which (i) impose excessive formalism, (ii) generate legal risk, especially regarding individual responsibility, in contradiction with the principle of collective suitability and, in some Member States, the principle of collective decision of the management body, and (iii) create organizational rigidity and disproportionate administrative burden, especially as the CRD scope of requirement for mapping of duties is enlarged by the EBA to all members of the management body and to all levels in a group.
- the risks of some guidelines to limit the access of CEOs to the Board of directors within Groups. Those paragraphs are not in line with national corporate laws which do not provide for any such limitation and are not adapted to the specific French model of company governance. It highly limits the organizational flexibility and governance arrangements of banking institutions. It also creates legal uncertainty and increases the risk of litigation. Hence, we ask for the removal of guidelines 107a and 107b.
- We request to delete any wording requiring independence of internal control functions from General Management, including the supervision of the Chief Risk Officer’s compensation. These guidelines disproportionately stiffen the conditions for the supervision of control functions by executive officers. Moreover, the provisions contained in Guideline 174a were already present in Guidelines 141 and 172 without any notion of independence from the General Management. The original wording should therefore be repeated. The heads of internal control functions are members of the senior management; thus, internal control functions cannot be independent from all senior management.
Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?
Paragraph 2: We do not agree with the statement in paragraph 2 “Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom guidelines apply should comply by incorporating them into their practices as appropriate (e.g. by amending their legal framework or their supervisory processes), including where guidelines are directed primarily at institutions”. The directly applicable legal framework is the national law, and the proposed wording casts doubt over this principle.
Paragraph 8: The reference to the national company law was deleted, which is surprising. It is very important to keep this paragraph, as competent authorities shall apply national laws in their supervisory practices. EU law is framed with Regulations which apply directly in member states, but also with directives which need to be transposed by national law: institutions are bound by such national laws which may differ from one country to another. Institutions are also bound by laws which do not derive from EU law and have no other choice but to respect those laws.
Paragraph 11: Definitions (CO, KFH, Heads of internal control functions) have been suppressed, which might lead to an extension of the scope of some parts of the GL.
It is important to maintain the idea that the definitions are purely functional and not intended to impose the appointment of those officers or the creation of such positions unless prescribed by relevant EU or national law.
Since the term “CEO” is not defined in the CRD and its definition was maintained in point 13, point 11 should not be completely removed but drafted as follows: “The definition of CEO used in these guidelines is purely functional and is not intended to impose the appointment of a CEO unless prescribed by relevant EU or national law”.
Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?
Paragraph 18: Could the EBA clarify the difference between the outsourced and use of third-party service providers (including the outsourcing of functions) and distribution channels (paragraphs 18 and 163)?
Paragraph 22 k and 94: Request to review the requirement for the Board of Directors of banks to encourage (“to foster”) inclusion and diversity under the heading of “corporate culture” and at the same level as responsibility and ethical behavior. While inclusion and diversity are among the concerns of European banks, they do not seem to be part of the culture or the remit of the prudential supervisor. These important issues are addressed in the context of other cross-sector regulations such as the CSRD, which are more suited to support banks’ strategy in this area.
Paragraph 22 n: We feel it is preferable to retain the CRD6 art. 76(2) formulation rather than referring to EBA guidelines on ESG risk monitoring and transition plans: “specific plans and quantifiable targets, and processes to monitor and address the financial risks arising in the short, medium and long-term from ESG factors, including those arising from the process of adjustment and transition trends, consistent with…”
Paragraph 23: For the sake of clarity please define the terms “traditional categories of financial and non-financial risks” and “potential materialisation of operational and legal risks”.
Paragraph 37 and §107 a and b: The new principle in CRD VI (88.1) is that the chair of the management board cannot be the CEO of the institution, but it doesn’t mean that he cannot have executive duties in the institution (and in the Group).
It goes beyond the provisions of the directive CRD6. If not, as a fallback position, the exemption that has been deleted should be reintegrated.
Paragraph 51: The word “individually” should be deleted since it should not be imposed on each member of the remuneration committee to have knowledge regarding ESG matters. We cannot require all Committee members to have ESG expertise. Expertise must be collective.
Paragraph 61: Please define the terms “fundamental rights” and “discrimination”.
Paragraph 62: It is proposed to add that the risk committee should provide input to the remuneration committee regarding ESG “risks and related targets or KPI”. We fail to identify the legal basis upon which this recommendation would derive. Although, in practice some KPIs related to carbon commitments are monitored by the Audit committee. In both cases, for the sake of practicality, the guidelines could provide that ESG risks and related targets and KPI are provided by Risk Committee and/or Audit Committee and/or Risk function and/or Finance function. The risk committee is not supposed to provide input to the remuneration committee regarding ESG risks and related targets or indicators; there is no legal basis in CRD.
Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?
This section is overly detailed and prescriptive.
Paragraph 68 a
CRD (Recital 54) allows Member States to adopt or maintain stricter requirements for the individual statements and maps. It does not refer to any EBA stricter requirements. Also, no mandates were given to the EBA regarding mapping of duties and individual statements or responsibility for example.
*Point a: the reference to “the persons who are part of the governance arrangements” should be clarified as referring to the management body in its supervisory function collectively and not individually, which would otherwise put at risk the fundamental principle of the collegiality of the Board of Directors under French law.
*Point b: The EBA provides that this mapping of duties applies not only at the level of institutions subject to the directive but also to all entities within the prudential consolidation group (this would therefore be applicable within certain non-regulated or non-European entities). It is also planned that the parent company additionally establish a mapping of functions on a consolidated basis, which does not respect the legal autonomy of legal entities, even when part of the same group.
Article 109 of Directive 2013/36/EU clearly states “at the sub-consolidated level, or at the consolidation level”, so it provides for application either on an individual basis, at the sub-consolidated level, or at the consolidation level, but not cumulatively at all levels.
Besides, under French law, group subsidiaries can delegate the responsibility of the internal control functions to the heads of internal control functions of the mother company. As a consequence, it should be possible to require a mapping of duties only for the heads of internal control functions at the top-mother company level receiving such delegation.
*Point c: the CRD6 Directive does not include the management body in its supervisory function in the scope of the obligation for institutions to draw individual statements and mapping of duties. Therefore, the reference to the supervisory function should be deleted. This requirement contravenes the principle of collegiality of Board decisions under French law, which guarantees the quality and fluidity of its decisions.
It is to be noted though that Art. 88 (3) refers to "Person that is part of governance arrangement" in accordance with Art. 74 which is unclear.
CRD (Art. 88.3) specifies that the overall collective responsibility of the management body should be respected; however, paragraph 68c organizes an individual responsibility, as they will be used to enforce individual accountability in case of misconduct. We believe that mapping of duties and individual statements should not lead to a division of tasks and responsibilities, because of the importance of the collective suitability, as in some Member States, such as France, there is a principle of collective decision taken by the management body in its supervisory function and company law provides for a responsibility of the management body as a collegial body.
*Point f (ii): The EBA targets the same population as for individual statements and adds the board and its committees. These provisions go further than what is provided by the CRD6 Directive.
*Point g: the EBA also provides that this mapping of duties is nominative and that it must be approved by the board of directors. This provision constitutes an interference of the board in the management of the company and should be deleted, as it (i) generates a transfer of responsibility to the Management Body in its supervisory function of a mission that clearly goes beyond the traditional guidance and oversight role and (ii) generates a significant additional workload.
Paragraph 68 b
The reference to the time commitment has to be deleted (full time functions). This level of detail is too restrictive and removes all flexibility in case of need.
*Point c: “In the case of an individual who holds roles in more than one institution, including within a group, an individual statement is required in respect to each institution”. Why is there no exemption for groups, as this obligation is burdensome? This should be done at the parent company level, not at the individual level.
*Point d: The CRD6 Directive only mentions that the individual statements should be sent to the competent authority “in due time, upon request”. The EBA goes beyond the directive by requesting the communication of the individual statements with the F&P files.
Annex II should be deleted as it goes too far into the details.
Paragraph 68 c
Article 88(3) of Directive (EU) 2024/1619 only introduces an obligation to establish individual statements and map responsibilities; it does not set out a burden of proof framework in terms of establishing “individuals” not fulfilling these duties. Paragraph 68c appears to introduce such a regime at level 3, where it is not the competent authority, but the individual, that needs to evidence proper fulfilment of duties. This seems to exceed the mandate of the level 1 text and raises concerns.
The proposed paragraph is likely to create interpretative difficulties as regards what may be deemed an “issue” and the "measures that could reasonably be expected" in response.
What is the supervisor’s objective in this regard? Is it to characterize a breach that could justify a withdrawal of authorization, which would go beyond the CRD, as the latter does not provide for sanctions? We therefore request the deletion of these provisions, as they do not stem from the CRD.
Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?
NA
Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?
Paragraph 101 a: The guidelines are much broader than the CRD VI regulation in that they concern all employees and not just the management body (for example: ratio of full-time vs part-time positions per gender, days of training by gender, etc.). Indeed, the new article 91 of CRD VI specifies in para. 8 that entities have “to proportionally promote diversity and gender balance in the management body”. Also, paragraph 9 of this article specifies that “competent authorities shall collect the information in accordance with article 435 (2), point c of Regulation (EU) No 575/2013”, and article 435 of Regulation 575/2013 specifies that “Institutions shall disclose the following information, including regular, at least annual updates, regarding governance arrangements: c) the policy on diversity for the selection of members of the management body”.
Furthermore, we consider that it is not relevant to detail so deeply examples of KPIs relative to gender diversity and inclusion, where today the CSRD has already given clear requests on these topics, and moreover the staff segmentation should be adapted to the specificities of entities and sectors.
We request a deletion of gender equality indicators: the EBA requires the production and monitoring of additional indicators, not currently produced. We call for consistency with existing frameworks such as CSRD, in line with the European simplification objective.
A single framework of obligations should be applied, namely that of the CSRD.
Paragraph 107 a: We request the outright withdrawal of Article 107(a) concerning:
“the simultaneous exercise of the role of member of the management body in its management function and of member of the management body in its supervisory function in different institutions that are part of the same group should be assessed regarding potential conflicts of interests stemming in particular from the individual’s duty to oversee their own previous actions and if detected, they should be properly mitigated”.
We notice the establishment of procedures for managing conflicts of interest when a CEO is a member of the Board in Group entities. This guideline does not entirely prevent a CEO of any entity of the Group from having access to the Board of any other entity of the Group. Nevertheless, it raises questions of principle with regard to company law rules which do not provide for such limitation and may lead to legal uncertainty.
We notice the prohibition for the CEO of a subsidiary to be Chairman of the Board of Directors of their parent company. Although the text does not prohibit senior management in the strict sense from being a member of the board of the company which employs it, it seems obvious that the conditions imposed would inevitably lead to this prohibition.
These provisions could limit options, particularly in the context of succession plans within the boards of directors of subsidiaries and their parent companies.
It goes far beyond the CRD6 Directive, which does not prohibit a member from having several directorships within the same group whilst ensuring effective governance. Indeed, the privileged counting of directorships, which provides notably that executive or non-executive directorships held within the same group shall count as a single directorship, has been confirmed in the CRD6 Directive. Each entity has a suitability policy in place which covers conflict-of-interest situations.
In addition, the impact on “the duty to oversee their own previous actions” is not clear since the paragraph refers to functions exercised simultaneously.
Paragraph 107b: We request to remove the limits of access for a former CEO to the Board (including as Chair), in the absence of a 3-year cooling-off period.
For example, it provides for abstentions from voting on or for the Board to supervise on certain matters related to the person’s previous duties. This is contrary to French law. Under French law, this situation is managed by specific regulation on related-party agreements called “conventions réglementées”.
Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?
Paragraph 152: “The risk management framework should pay particular attention to [.../...] and to the channels through which they may drive their prudential risks, in particular through environmental physical and/or transition risks and be compliant with the requirements set out in the EBA Guidelines on the management of ESG risks (EBA GL/2025/01)”. The end of this paragraph is not part of article 74(1) of CRD; we would suggest its deletion.
Even if a member of the management body in its management function exercises this role, he/she must be able to delegate to a subordinate (e.g. Compliance Manager or AML/CFT Manager) the exercise of his missions, although this does not exempt him from his ultimate responsibility in this area.
Paragraph 174a and 175d: We request to review any wording requiring independence of internal control functions from the General Management, including the supervision of the Chief Risk Officer’s compensation. These guidelines disproportionately stiffen the conditions for the supervision of control functions by executive officers. Moreover, the provisions contained in Guideline 174a were already present in Guidelines 141 and 172 without any notion of independence from the General Management. The original wording should therefore be repeated.
Please note that the heads of internal control functions are members of the senior management; thus, internal control functions cannot be independent from all senior management.
Paragraph 175 d: the proposal to add “The remuneration of heads of internal control functions should be directly overseen by the management body in its supervisory function” is not compatible with national legislation, such as in France.
According to French law it is not within the reach of the management body in its supervisory function (i.e. the Board of Directors) nor any of its committees to directly perform the appraisals nor to directly decide the annual remuneration of any staff other than the members of the management body in its management function (i.e. the corporate officers: CEOs and deputy CEOs). Please remove the proposed change.
Paragraph 204: We request to reformulate guidelines that could require the compliance function to supervise legal functions and paradoxically restrict the scope of responsibility for compliance only to legal risks (while this function is responsible for non-compliance risk). Today, however, legal risk falls within the legal function, which has the relevant expertise. These approximate formulations, not provided for by the CRD, would imply a fundamental and unjustified challenge to the current organization of banks. There is a risk of confusion; it is advisable to use the terminology of the CRD.
What does the term ‘non-compliance event’ mean? Is it an actual or potential risk? Article 76(5)(e) of CRD VI uses the term ‘compliance risk’ rather than ‘non-compliance event’. The EBA should clarify the meaning of this term, in particular to determine whether it refers to an actual or a potential risk.
Question 7: Are the changes made in Title VI (business continuity management) appropriate and sufficiently clear?
NA
Final subjects
The date of application of the revised guidelines is not specified. It has been specified during the EBA audition that the guidelines will be published in April 26.
We take the view that the date of application should be delayed by at least two months following the publication of the guidelines and RTS in all official EU languages. At the very least, only new nominations after the publication of the GL and RTS (cf. paragraph 60 b GL) should be concerned by these dispositions.
We would like to know how the EBA intends to coordinate with the ECB regarding their draft revised guide on internal governance.