Response to consultation on revised Guidelines on internal governance under CRD
Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?
Addressees (para 5a)
As financial holding companies and mixed financial holding companies would be explicitly introduced into the text, it is suggested to specifically mention CRR Art.10 central bodies, to achieve greater legal certainty:
5a. These guidelines are addressed to competent authorities as defined in point (i) of Article (2) of Regulation (EU), and to financial institutions as defined in Article 4(1) of Regulation (EU) 1093/2010 that are either institutions for the purposes of the application of Directive 2013/36/EU as defined in point 3 of Article 3(1) of Directive 2013/36/EU also having regard to Article 3(3) of that Directive or investment firms subject to Title VII of Directive 2013/36/EU in application of Article 1(2) and (5) of Regulation 2019/2033/EU. These Guidelines are also addressed to third-country branches as defined in point 1 of Article 47(3) of Directive 2013/36/EU, and to financial holding companies and mixed financial holding companies that have been granted approval in accordance with Article 21a(1) of Directive 2013/36/EU also having regard to Article 3(3) of that Directive as well as to central bodies as referred to in Article 10 of Regulation (EU) No 575/2013.
Scope of application (paras 6-12)
We observe that the scope of application of certain provisions of CRD VI has been extended, which we are highly concerned about (see, notably, our introduction in the attached file).
Footnote 14: The purpose of footnote 14, and in particular of the new proposed addition, is unclear, considering that Paragraph 6 refers to “all risks”. This should be clarified.
Paragraph 2: We do not agree with the statement in paragraph 2 “Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom guidelines apply should comply by incorporating them into their practices as appropriate (e.g. by amending their legal framework or their supervisory processes), including where guidelines are directed primarily at institutions”. The directly applicable legal framework is the national law, and the proposed wording casts doubt over this principle.
Paragraph 7: Article 3(1)(8a) and (8) CRD do not define the “management (executive) and supervisory (non-executive) functions”, but the “management body in its management function” and the “management body in its supervisory function”. Therefore, paragraph 7 should be redrafted as follows:
[…] The management body, as defined in points (7) and (8) of Article 3(1) of Directive 2013/36/EU, should be understood as having management (executive) functions when acting as a “management body in its management function” and as having supervisory (non-executive) functions when acting as a “management body in its supervisory function” as those terms are defined, respectively, in points (8a) and (8) of that article.
Paragraph 8: We strongly object to the deletion of the reference to national company law. Reference to national company law should remain; it is unclear why the section of paragraph 8 (“When implementing these guidelines, competent authorities should take into account their national company law and specify, where necessary, to which body or members of the management body those functions should apply.”) should be deleted. In fact, banks must also comply with national company law (within applicable EU law). Since the EBA guidelines are sometimes overly detailed and go beyond what is required under CRD6, conflicts with national law may arise. If national law contradicts EBA guidelines, NCAs must declare themselves non-compliant – while the ECB also applies national law directly in its supervisory function for SIs according to Art. 4(3) SSMR and, therefore, must respect national law. It is of paramount importance for supervised entities that competent authorities are reminded of the norm hierarchy and of the supremacy of national law – Level 1 EU Directives transposed nationally – over EBA guidelines.
The deleted sentence should be reinstated.
Paragraph 9: The rationale behind the rewording of the structure pursuant to which certain persons effectively direct the business of institutions is unclear. It would be helpful for the EBA to clarify its reasoning in this regard.
Paragraph 11: The term “CEO” is not defined in the CRD and its definition was maintained in the Guidelines. Therefore, paragraph 11, which refers to this definition, should not be deleted and rather redrafted as follows:
11. The definition of CEO used in these guidelines is purely functional and is not intended to impose the appointment of a CEO unless prescribed by relevant EU or national law.
Definitions (para. 13)
Similarly in paragraph 13, the rationale behind the new definition of operational resilience is unclear. DORA uses the definition “Digital Operational Resilience”, which differs both in terminology and substance from this definition. Furthermore, the definition “operational resilience” refers to “financial entities” which is not defined in the present Guidelines. Instead, “financial entities” is defined under DORA, the scope of which is broader than the scope of “financial institutions”. The definition of operational resilience under paragraph 13 should be aligned with DORA.
Implementation (paras 14-15)
The date of application of the revised guidelines is not specified. During the EBA hearing of 5 September, it was stated that the guidelines would be published in April 26. The EACB takes the view that the date of application should be delayed, by at least two months following the publication of the guidelines and RTS in all official EU languages.
At the very least, only new nominations after the publication of the guidelines and RTS (see para. 60b of the guidelines) should be affected by these provisions.
It would be helpful for the EBA to clarify how it intends to coordinate with the ECB regarding its draft revised guide on internal governance.
Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?
Proportionality (paras 16-18)
Proportionality is meant to underpin the guidelines (as specified throughout p. 5 and 21), “taking into account the institution’s size, internal organisation and nature, and the complexity of its activities”; however, it is also indicated that the guidelines shall “apply to all institutions regardless of their governance structures” (p. 4 and 5). The text of the guidelines should be made more consistent in this regard, and should not extend the scope of the CRD obligations (see introduction).
As regards subparagraph 18.k. (“the outsourced use of third-party service providers (including the outsourcing of functions) and distribution channels;”) and paragraph 163, it would be helpful for the EBA to clarify the difference between “the outsourced use of third-party service providers (including the outsourcing of functions)” and “distribution channels”.
Role and responsibilities of the management body (paras 19-27)
Paragraph 20: Please refer to our comments in Question 3, paragraphs 68a – 68c and Annex II.
To better align with Article 88(3) CRD6, we suggest the following addition to paragraph 20:
[...] Without prejudice to the overall collective responsibility of the management body, institutions should also draw up, maintain and update individual statements setting out the roles and duties of the members of the management body in its management function and a mapping of duties as specified under paragraphs 68a and 68b.
Under paragraph 22, point c.i(a) (“includes effective processes to ...”), it is unclear why concentration risk from exposures to central counterparties is explicitly mentioned here, especially since there are procedures for other concentration risks. We recommend deleting the specific reference to central counterparties; if anything, central clearing counterparties should also be included.
The references to “short, medium and long term” are also unclear and undefined.
Paragraph 22, point c.i (b) is also unclear in its wording (“network and information systems”) and seems misaligned with DORA. Article 5 DORA stipulates that having an internal governance and control framework in place “ensures effective and prudent management of ICT risk (…) in order to achieve a high level of digital operational resilience.” To remedy this misalignment, paragraph 22.c.i (b) should be replaced as follows:
ensures an effective and prudent management of ICT risk, in accordance with Article 6(4) Regulation (EU) 2022/2554, in order to achieve a high level of digital operational resilience.
We fail to find the legal basis of paragraph 22, point o (“specific plans and quantifiable targets...”) establishing requirements for specific plans and quantifiable targets regarding concentration risks through central counterparties. There is no mention of these requirements under Article 76(2) CRD. They should therefore be completely deleted as they would lead to unnecessary administrative (documentation) efforts.
Management function of the management body (paras 28-34)
The MBMF does not have to be a collective decision-making body. Given the different detailed responsibilities assigned to the management body under CRR Art. 189, the Guidelines should clearly indicate that the MBMF may carry out its responsibilities in different compositions of one or more persons.
It should be noted that in some Member States, senior management are, by definition, subordinates of the CEO; as they do not belong to the MBMF, they cannot constitute a collective decision-making body, unless specifically provided for in national (company) law.
As such, we suggest the insertion of a new paragraph as follows:
27a. The management body in its management function shall consist at least of a CEO and, if there are persons who effectively direct the business of an institution together with the CEO, of those persons. Given the various responsibilities assigned to the management body in its management function in the individual articles of the CRR[1], the management body in its management function may carry out its duties in different compositions consisting of one or more persons according to the individual responsibilities assigned to the management body in its management function.
Role of the chair of the management body (paras 35-39)
It should be clarified that this requirement only applies to the management body in its supervisory function.
The EBA should only expect the Chair to fulfil the requirements in paragraphs 35 to 39 where they are relevant and applicable, depending on the institution’s governance system.
The current text conveys the false impression that the management body in its management function is always a collective decision-making body with several members. In some Member States, it is more common that the CEO has the sole legal responsibility for directing the business of the institution and, pursuant to company law, cannot delegate his or her responsibility to his or her subordinates. It should not be required from the MBMF that the chair should be a non-executive member.
In addition, Article 88.1 CRD6 provides for a new principle under which the chair of the management body in its supervisory function cannot be the CEO of the institution. Paragraph 37 should be amended in this regard. Furthermore, the reference to a “non-executive member” should be more specific.
Regarding the EBA’s proposal to delete the second sentence of paragraph 37 (“Where the chair...”), we understand this to mean that there should no longer be exceptions to the principle established in the first sentence, that the chair of the management body should not perform executive functions. However, in dualistic systems with separate management and supervisory functions (also taking into account national corporate law requirements), this would generally not be feasible, especially since there are no uniform requirements for the chair of the management body. Institutions usually have appropriate policies/measures to manage potential conflicts of interest here. Therefore, the deletion of the second sentence of para. 37 (“Where the chair is permitted to assume executive duties, the institution should have measures in place to mitigate any adverse impact on the institution’s checks and balances...”) should be avoided.
Committees of the management body in its supervisory function – composition of committees (paras 46-55)
The recommendations included in paragraph 51 appear to lack legal basis. The CRD6 nowhere specifies that members of the remuneration committee should individually and collectively have the knowledge referred to.
In addition, the EBA/GL/2021/04 specify (paragraph 56): “Members of the remuneration committee should have collectively appropriate knowledge expertise and professional experience concerning remuneration policies and practices, risk management and control activities, namely with regard to the mechanism for aligning the remuneration structure to institutions’ risk and capital profiles”.
We propose that the requirement for appropriate knowledge, skills and experience to assess the impact of ESG factors should be set only collectively, which would be in line with the overall expectations set for the remuneration committee.
As such, we suggest that paragraph 51 should be redrafted as follows:
The risk and nomination committees should be composed of non-executive members of the management body in its supervisory function of the institution concerned. The audit committee should be composed in accordance with Article 51 of Directive 2006/43/EC. Members of the remuneration committee should have, individually and collectively, appropriate knowledge, skills and experience to assess the impact of ESG factors on, and the consistency of the institution’s risk appetite regarding ESG risks with, remuneration incentives taking into account the assessment of the risk committee as specified under paragraph 62.
Finally, the draft guidelines emphasize the individual knowledge and skills in relation to ESG factors, which clearly broadens the general requirement for collective knowledge. Meanwhile, they do not set similar levels of specific expectations for the risk committee (highlighting ESG factors).
Committees of the management body in its supervisory function – role of the risk committees (paras 61-63)
Parts of paragraph 61 seem excessive and/or unclear.
The illustrative list in brackets after the term “operational” included in paragraph 61, point c, seems very random and should be deleted. We suggest aligning it with the current regulation (the CRR definition of operational risk and the recently published RTS on Operational Risk Taxonomy) and referring only to ‘operational risks’. We disagree that “fundamental rights and discrimination” should be included in operational risks, as these fall under compliance.
Accordingly, paragraph 61 should be redrafted as follows:
61. Where established, the risk committee should at least:
a. advise and support the management body in its supervisory function regarding the monitoring of the institution’s overall actual and future risk strategy and risk appetite, taking into account all types of risk, to ensure that they are in line with the business strategy, objectives, corporate culture and values of the institution;
b. assist the management body in its supervisory function in overseeing the implementation of the institution’s risk strategy and the corresponding limits set;
c. Oversee the implementation of the strategies for capital and liquidity management as well as for all other relevant risks of an institution, such as market, credit, operational (including legal and IT, fundamental rights, discrimination and ICT risks) and reputational risks.
In paragraph 62, the EBA proposes to add a requirement for the risk committee to provide input to the remuneration committee regarding ESG “risks and related targets or KPI”. We fail to identify the legal basis from which this requirement stems. Furthermore, in practice, some KPIs related to carbon commitments are monitored by the Audit committee. In both cases, for the sake of practicality, the guidelines could provide that ESG risk-related targets and KPIs are provided by the Risk Committee and/or Audit Committee and/or Risk function and/or Finance function. The risk committee is not supposed to provide input to the remuneration committee regarding ESG risks and related targets or indicators; there is no such legal basis in CRD.
[1] Such as CRR Art. 189 regarding the approval of internal models
Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?
Organisational framework (paras 68-70)
Generally speaking, this section is overly detailed and prescriptive, at times appearing unnecessary (e.g. 68b point b requires that members of the management body possess appropriate understanding etc., which is already covered by existing suitability requirements). Moreover, there is overlap and interaction with other requirements, e.g. in relation to the requirements of the internal governance policy/Annex I (e.g. 68a point f). A less detailed and more streamlined approach to the Guidelines should be considered, which may also help address some of the issues below.
We also wish to underline that CRD6 is applicable to institutions (Art. 2). In this context, the EBA should refrain from differing expressions such as “institutions and investment firms”. The EBA Guidelines are mandated by CRD Art. 74(3) and therefore the EBA should closely adhere to the terminology and scope of the CRD.
Paragraph 68
In addition to our reactions set out in the introduction, it should be clarified, regarding the EBA’s proposed addition to this paragraph (“It should ensure that institutions…”), whether the substance referred to is intended as economic substance, as in the rest of the guidelines.
Paragraph 68a: mapping of duties
Further clarification is needed whether the mapping of duties and individual statements are documents to be created in addition to the ones specified under Title VII - Transparency, point 3f: Composition and functioning of the management body/internal division of tasks and Annex I point 8a Organisational structure [..] allocation of competences and responsibilities. If so, it should be specified exactly which features differ and add value for the institution.
In line with Art. 88(3) CRD6, the Guidelines should specify “without prejudice to the overall collective responsibility” as follows:
68a.a. Without prejudice to the overall collective responsibility of the management body, institutions should draw up and maintain, in accordance with Article 88(3) of Directive 2013/36/EU, in a single set of documents or a repository, an accurate and comprehensive mapping of duties including details of the reporting lines, of the lines of responsibility, and of the persons who are part of the governance arrangements as referred to in Article 74(1) of Directive 2013/36/EU and of their duties.
Paragraph 68a.b: Regarding the proposed provisions concerning application in a group context, it is sufficient to simply refer to the existing provisions under Chapter 7 “Application in a group context” in order to avoid unnecessary and confusing new provisions. Moreover, according to CRD6 Art. 88(3), of the management bodies, it is only the MBMF that is subject to the obligation referred to in paragraph 68a.c.
Generally, Art. 109 CRD provides for an application either on an individual basis, at the sub-consolidated level, or at the consolidated level, but not cumulatively at all levels.
The reference to 'group' should be deleted, as the guidelines must be applied in accordance with Art. 109 CRD.
The mapping of duties should enable the institution to identify any gaps between the roles and the activities covered by the institution and ensure an effective internal governance framework. Institutions should be responsible for developing and maintaining a mapping of duties that is appropriate for, and accurately reflects the size and nature, organisational structure and complexity of the institution including, where applicable, of the group.
The EBA should also consider rephrasing and deleting any reference to the management in the supervisory function throughout 68a-b to align with the CRD6.
Paragraph 68a.c:
Institutions already maintain extensive documentation on task and role allocation (organizational charts, rules of procedure, role descriptions, fit & proper dossiers). An additional requirement for individual written duty descriptions creates duplicate work and redundant documentation without actually improving governance quality.
Art. 88(3) CRD only applies to members of the management body in its management function, senior management and KFH. It is to be noted though that Art. 88 (3) refers to a “Person that is part of governance arrangement” in accordance with Art. 74, which is unclear.
The requirement under paragraph 68a.c to outline the duties for each individual member of the management body in its supervisory function is disproportionate for a 2-tier-system. In certain Member States, only the members of the Supervisory Board have this role. Extensive documentation of the backgrounds, skills and experiences of the members of a Supervisory Board already exists (e.g. CVs, competence matrix and documentation of experts of certain topics). This requirement goes beyond the stipulation in Art. 88(3) CRD6. A further obligation would duplicate rules and could lead to legal uncertainty; individual descriptions could be used ex post to tighten personal liability, even though overall responsibility still applies as a matter of law.
This would further reduce the attractiveness of management positions in the banking sector. Supervisory authorities already have access to rules of procedure, organizational policies, and fit & proper documentation. An additional document would provide no real informational value - only a formal “tick-the-box” exercise.
Beyond that, individual duty descriptions suggest a formal delineation of responsibilities that, in practice, is incompatible with collective overall responsibility (especially within the management body). This would create a discrepancy between documentation and reality, and might enhance the risk of individual responsibility of the members of the management body. Duty mapping for members of the management in its supervisory function is not required pursuant to Art. 88(3) CRD6 and should therefore not be included.
The wording “even if those duties are drafted below management body level” is unnecessary and creates confusion, as this provision relates to functions at MB-1 level, and should be deleted.
The EBA should at least consider rephrasing and deleting any reference to the management in the supervisory function, to the following effect:
68a.c. The management body in its management function should agree and set out clearly where duties lie for the role of each individual member and what those duties entail. The duties should be outlined separately for both the management and the supervisory function of the management body. The management body should be responsible for the allocation of the duties and responsibilities assigned to senior management and key function holders even if those duties are drafted below management body level.
Paragraph 68a.e: Similarly, the EBA should consider rephrasing this provision as follows:
The mapping of duties should be coherent with the individual statements of role and duties as referred to in paragraph 68b. It should provide a clear overview how roles and duties allocated in a particular statement fit into the overall management system and internal governance; and include sufficient information to enable a clear understanding of how the management and internal governance arrangements of the institution are structured and operate.
Paragraph 68a.f.ii: The competences of the management body in its supervisory function (Supervisory Board) are derived directly from statutory company law and/or the Articles of Association of the legal entity. The duty to additionally draw up an explanation is disproportionate and redundant. The management body itself is the corporate body authorised to adopt decisions pursuant to local law (for instance in Dutch law). As such, there is no rationale for this guideline.
This provision goes beyond the duties prescribed in Art. 88(3) CRD6 and its wording lies outside the guiding competence of the EBA. The reference to the management body in its supervisory function and its sub-committee should be deleted.
In addition, it should be noted with regard to the Management Board in its Management Function, Senior Management and Key Function Holders: an online system (intranet) of the institution containing org-charts (with the respective reporting lines, rules of procedure and schedules of responsibilities) should be sufficient in order to meet this requirement. The mere copying or compilation of existing tableaus, guidelines or procedures in another intranet location is an unnecessary administrative burden and has no additional value on its own.
Paragraph 68a.f.(v): This requirement goes beyond the wording of Art. 88(3) CRD. Non-executive directors of the management board hold their function based on statutory law, supplemented by already public, clear and detailed provisions in the Articles of Incorporation as required by Company Law. Extensive documentation of the backgrounds, skills and experiences of the members of a Supervisory Board already exists (e.g. CVs, competence matrix, documentation of experts on certain topics). Against this background, at least the members of the supervisory board should be exempted from this requirement.
Paragraph 68a.g: As the mapping of duties may take the form of a repository instead of a document, it is unclear how the approval rights of the management body in its management function and in its supervisory function must be applied. Moreover, this reflects existing governance structures rather than establishing new ones, so it is unclear why (additional) approval would be required. This paragraph should be deleted.
Moreover, the provision goes beyond what is required according to Art.88(3) CRD, which only requires institutions to prepare documentation and keep it updated. No voting and approving necessity can be interpreted from the wording. In certain Member States, an approving necessity by the Supervisory Board is unlawful under 2-tier company law, ineffective for its desired effect and simpler, yet more effective alternatives exist: (1) Roles, functions and duties need to retain flexibility, they will not be drawn up and then left unchanged for a long period of time; (2) A 2-tier supervisory board is not competent for allocation and supervision of duties and roles below the management level as this responsibility is strictly operational, and (3) The decision-making process, especially of a 2-tier-board would strongly delay any flexible reshaping and changing of company roles and responsibility. Against this background, at least the members of the supervisory board should be exempted from this requirement.
Paragraph 68b: Individual statements of roles and duties
Our previous comments relating to paragraph 35a apply herein as well: the current text conveys the impression that the MBMF is always a collective decision-making body with several members. In practice, in certain Member States the CEO bears the sole legal responsibility for directing the business of the institution and, pursuant to company law, cannot delegate his or her responsibility to his or her subordinates. It should not be required from the MBMF that the chair should be a non-executive member. As such, the EBA should at the very least consider rephrasing and deleting any reference to the management in the supervisory function throughout paragraphs 68a and 68b.
The “Optional template for individual statements of role and duties” provided in Annex II should be deleted. There is a significant risk that this template could be misinterpreted as binding. If a supervisory authority considers it necessary to prescribe a specific format to the institutions it supervises, it should coordinate this with the relevant group of addressees.
It should be clear throughout the Guidelines that assigning specific roles and duties to individual members of the management body in its management function does not relieve the management body of its broader collective responsibilities. All members of the management body should maintain an adequate understanding of, and contribute to, all key areas of the business, even where certain tasks are allocated to specific individuals. In addition, the Guidelines should specify that the provisions on individual statements apply only to appointments taking place after the publication of the revised guidelines and the RTS to specify the minimum content of the ex-ante notification.
In any event, the Guidelines should adhere to the terminology and scope of CRD6. The MBSF is not within the scope of individual statements. Furthermore, the national transpositions of the CRD6 need to be respected, and therefore references to national law need to be added throughout the Guidelines.
Paragraph 68b.a: It is unclear why the provision mentions “key duties” instead of “duties”. This should be clarified.
The indication of the expected time commitment should remain part of the FAP assessments and not be extended to members of the senior management which are not subject to FAP assessment.
Paragraph 68b.b: The second sentence 'All members of the management body … attributed to the respective member' is unnecessary, as this is already covered by suitability requirements, and should be deleted. The following wording is suggested:
68b.b. The allocation in the individual statements of role(s) and duties to a member of the management body in its management function does not exempt the respective individuals from their roles and duties as members is without prejudice to the collective responsibility of the management body. All members of the management body in its management function are expected to have an appropriate understanding of, and contribute to, areas of the business, including for any other roles and duties not directly attributed to the respective member. Moreover, even when roles and duties are allocated to a specific individual, the other members of the management body should not be exempted from their collective duty regarding the institution.
Annex II should be deleted, as it goes into too much detail.
Paragraph 68b.d: This provision is difficult to assess pending the publication of the consultation on the RTS / Guidelines on Suitability. This sequencing makes it difficult to provide adequate and balanced feedback as requested.
In relation to fit and proper, due to the unclear content of Article 91(10) and 1d CRD, the actual scope of this paragraph is also unclear. It would be helpful to specify to which entities these requirements apply.
This provision seems disproportionate as any person could only assume the respective role after the passing of the suitability assessment. It conflicts with data privacy law (e.g. principle of data minimization; Art. 5 GDPR) as sensitive personal data are concerned.
Moreover, the requirement to sign statements is unclear in its purpose; it goes beyond what is required under Art. 88 (3) CRD and may conflict with national company law as division of duties is up to the management body in its management function collectively.
Paragraph 68c
Article 88(3) of Directive (EU) 2024/1619 only introduces an obligation to establish individual statements and map responsibilities; it does not set out a burden of proof framework in terms of establishing “individuals” not fulfilling these duties. Paragraph 68c appears to introduce such a regime at level 3, where it is not the competent authority, but the individual, that needs to evidence proper fulfilment of duties. This seems to exceed the mandate of the level 1 text and raises concerns.
From a legal certainty perspective, the proposed wording is problematic due to vague and subjective expressions such as ‘all actions that could reasonably be expected’. Without clear benchmarks, individuals may be exposed to retrospective assessments based on evolving expectations, undermining predictability and fairness (the ‘moving goalpost’ dilemma).
There is also no explicit materiality threshold as to which issues are to be considered in scope. The draft Guidelines read so that an individual is deemed not to have fulfilled their duties if “an issue” arises in their area of responsibility. In order to prove innocence, it is the individual who needs to establish that they have taken actions that “could reasonably be expected” to prevent or stop “the issue”.
In the varied organisational structures of EU banks, the ambiguity of the grounds for liability may deter qualified professionals from assuming key roles, where “issues” may arise at regular intervals despite diligent efforts. Therefore, the current wording of paragraph 68c creates a risk of a chilling effect, and it can be seen as a matter of EU banking sector competitiveness as well.
The obligation established by the CRD is limited to requiring the formalisation of lines of responsibility. The proposed paragraph 68c is likely to create interpretative difficulties as regards what may be deemed an “issue” and the “actions that could reasonably be expected” in response. As such, paragraph 68c, which introduces legal uncertainty, should be deleted. Furthermore, it is unclear what the supervisor’s objective is in this regard and whether it is meant to characterise a breach that could justify a withdrawal of authorisation. This would go beyond the CRD, as the latter does not provide for sanctions.
In particular, the last half-sentence of para. 68c (“the individuals should be able...”) according to which members of the management and supervisory boards must be able to prove to the supervisory authorities upon request that they have fulfilled their intended tasks, does not appear to be objectively justified and should be deleted. Credit institutions must in any case be able to prove at any time that the regulatory requirements have been met (in Germany, among other things, through the regulatory audit according to § 29 KWG and in the context of special audits according to § 44 KWG). This already entails appropriate information obligations for the institutions and their bodies. An additional personal accountability of individual board members to the supervisory authority would constitute overregulation, especially when applied to LSIs. If applied to supervisory board members, this requirement could also further reduce the willingness of suitable representatives of the regional economy to accept such mandates.
The assessment and consequences of not fulfilling duties should be subject to national company law and employment law. In addition, the legal regimes for statutory board members and senior managers who are ‘ordinary’ employees differ.
While the objective of enhancing and clarifying accountability is commendable, the current formulation raises several legal and practical concerns. Therefore, we respectfully suggest that the EBA consider removing paragraph 68c. entirely.
Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?
Third-country branches’ internal governance arrangements (paras 90a-90j)
EU cooperative banks can only welcome the fact that European branches of third-country banks would be brought under the same rules as they are.
Third-party risk management policy (paras 91-93)
Paragraph 91: Regarding the replacement of the term “outsourcing” with “third party”, the distinction between the terms, and the effect of this differentiation, are not clear.
Paragraph 92: To avoid a very broad responsibility of the management body, the wording “provided by third party service providers” should be limited to outsourced services only (in line with the current guidelines).
Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?
Corporate values and code of conduct (paras 99-104)
Paragraph 94: “Institutions should also aim, as part of the risk culture, at establishing a culture of equality, diversity and inclusion and prevent discrimination and harassment.”
Clarification regarding the interaction of this guideline with the EBA Guidelines on the management of ESG risks would be useful.
Paragraph 101: this provision greatly exceeds the requirements provided under the CRD in that it concerns all employees and not just the management body (for example: ratio of full-time vs part-time positions per gender, days of training by gender, etc.). Indeed, the new Article 91(8) CRD6 specifies that entities have “to proportionally promote diversity and gender balance in the management body”. Also, Art. 91(9) specifies that “competent authorities shall collect the information in accordance with Art. 435(2), point c of Regulation (EU) No 575/2013”, and Art. 435 of Regulation 575/2013 specifies that “Institutions shall disclose the following information, including regular, at least annual updates, regarding governance arrangements: c) the policy on diversity for the selection of members of the management body”.
Furthermore, we consider that it is not relevant to detail so deeply examples of KPIs relative to gender diversity and inclusion, where today the CSRD has already given clear requests on these topics. The Gender Equality Directive (equal opportunities and equal treatment of men and women in matters of employment and occupation) also covers this topic at length. The EBA Guidelines should avoid duplicating or overlapping with these requirements.
Moreover, staff segmentation should be adapted to the specificities of entities and sectors.
Paragraph 101a: This provision should be rejected, as implementing this monitoring obligation based on the example or similar indicators would create new bureaucratic effort of little benefit. This would be inappropriate, especially for small and medium-sized institutions with a rather tiny workforce. Alternatively, the requirement should be explicitly made subject to the principle of proportionality. At the very least, the mention of example indicators should be deleted, as such a list could create supervisory expectations. Even if they are only non-binding examples, institutions could feel compelled to include at least some of them in their monitoring. It also remains unclear at what intervals this should be reviewed, i.e., how many times per year the relevant indicators should be assessed.
Conflict of interest policy at institutional level (paras 105-107)
Paragraph 107a: This provision should be deleted as lacking legal basis in CRD. Contrary to the first sentence of the paragraph regarding the simultaneous exercise of the function of chair of the supervisory body and CEO within the same institution, there is no provision in the CRD regarding positions within a group.
Article 88(1) CRD6, as mentioned in this paragraph ("In accordance with...") only prohibits in para. 1(2)(e) the simultaneous exercise of the functions of chair of the supervisory body and CEO—which is not possible in a dualistic governance system anyway. Further requirements, especially regarding the simultaneous exercise of a management function in a parent and a supervisory function in a subsidiary are not included in CRD6.
Paragraph 107b: CRD6 removes the exemption under which the Chair of the MBSF could serve simultaneously as the CEO within the same institution. The EBA is proposing to extend regulation in this area to include situations in which the CEO joins the MBSF after completing their term as executive director. It also provides a cooling-off period of at least three years, during which the CEO can be appointed as Chair or member of the Board of Directors, provided specific mitigation measures for hypothetical and abstract conflicts of interest are introduced.
By extending the scope of the cooling-off regime to (i) all members of the management body in its supervisory function (including the Chair) and (ii) all former members of the management body (last sentence of this paragraph), the EBA goes far beyond the requirements of CRD and the existing national legal frameworks based on CRD. This would amount to a de facto pre-emption of legislation that properly falls within the remit of national parliaments and/or the EU legislator.
Apart from that, company and supervisory law already provide mechanisms to address conflicts of interest (e.g., mandatory recusal in cases of bias, the option to exclude individuals from discussions, fit & proper assessments).
Para. 33 of the EBA Governance Guidelines already prescribes that, without prejudice to national law, the MBSF should include independent members as provided for in section 9.3 of the joint ESMA and EBA guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU.
It is also recalled that having independent members, as referred to in para. 80 of the joint ESMA and EBA guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU, and non-independent members in the management body in its supervisory function is considered good practice for all relevant institutions.
An executive director who, at the end of their term, takes on the role of Chair or member of the MBSF would in any case be assessed against the criteria for independent members as provided for in Section 9.3 of the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU.
By introducing a three-year cooling-off period, the EBA would exceed its mandate under Article 74(3) CRD in conjunction with Article 16(1) EBA Regulation, which allows it to close gaps within the CRD requirements, but not to establish regulations going beyond the CRD. The reference made by the EBA at the public hearing on September 5, 2025, to the existing EBA/ESMA guidelines on the assessment of the suitability of members of the management body and key function holders (Fit & Proper Guidelines) is misplaced, as a previous membership in the management body only leads to non-independence in the supervisory body (para. 89 lit. a), and only as a rule (para. 90). Furthermore, the Fit & Proper Guidelines cannot be used as justification for an excessive implementation of CRD6.
For these reasons, this paragraph should be deleted.
Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?
Risk management framework (paras 152-162)
Paragraph 152: The risk management framework should account for all risks, and therefore also pay attention to ESG risks. The term “particular” should be removed as it breeds uncertainty. In this respect, we suggest the following wording:
152 [...] The risk management framework should also pay particular attention to ESG risks in the short and medium term and over a long-term horizon of at least 10 years, and to the channels through which they may drive their prudential risks, in particular through environmental physical and/or transition risks, and be compliant with the requirements.
Heads of the internal control functions (paras 172 - 174a)
Paragraph 172 – Heads of the internal control functions
This paragraph gives the impression that the potential conflicts of interest arising from combining the role of head of control functions with that of the management body, and from combining the role of head of control functions with other functions, are identical. However, there are in fact differences in the potential conflicts of interest, which should be addressed accordingly in different ways. This aspect should be taken into account in the requirements.
Independence of internal control functions (paras 174a-175)
Paragraph 174a: It should be noted that the heads of internal control functions are often members of the senior management and may be a member of the MBMF; thus, internal control functions cannot be independent from all senior management and MBMF.
Furthermore, the reference to ‘mission’ should be replaced by ‘duties’.
Paragraph 175.d: In accordance with CRD6 (Art. 92(2)(f)), “the remuneration of the heads of control functions is directly overseen by the remuneration committee referred to in Article 95 or, if such a committee has not been established, by the management body in its supervisory function”.
By removing the option of direct oversight by a remuneration committee, the EBA goes beyond the original level 1 legislative framework endorsed by the European Parliament and the Council of the EU. The EBA’s guidelines therefore alter core aspects of the CRD by proposing to remove the option of direct oversight by the remuneration committee. The EBA’s action can therefore be seen as overstepping its powers, as the proposed change is consistent neither with the broader legislative intent nor with the established legal hierarchy, effectively creating stricter mandatory rules through non-binding level 3 guidelines.
The suggested addition to the provision is not compatible with national legislation (as in France: according to French law it is not within the reach of the management body in its supervisory function, i.e. the Board of Directors, nor of any of its committees, to directly perform the appraisals or to directly decide the annual remuneration of any staff other than the members of the management body in its management function, i.e. the corporate officers: CEOs and deputy CEOs). As such, it should be deleted.
Alternatively, the wording of this paragraph should be significantly amended to avoid a material tightening of the content intended in CRD. The following wording is suggested:
175. In order for the internal control functions to be regarded as independent as per paragraph 174a, the following conditions should be met: [...]
d. the remuneration of the internal control functions staff should not be linked to the performance of the activities the internal control function monitors and controls, and not otherwise likely to compromise their objectivity. Without prejudice to national law, the remuneration of the heads of internal control functions should be directly overseen by the remuneration committee referred to in Article 95 of Directive (EU) 2013/36 or, if such a committee has not been established, by the management body in its supervisory function, as also prescribed in section 2.4 of the EBA guidelines on sound remuneration policies.[1]
Combination of internal control functions
Paragraph 176: “[…] institutions should be able to demonstrate that the nature, scale and complexity of the activities of the institution do not justify appointing a specific person for the risk management function or the compliance function”.
This will be very difficult for institutions to demonstrate. Therefore, we suggest keeping Paragraph 176 as it is drafted in the 2021 GL.
Compliance function (paras 204-213)
Paragraph 204: In the current draft, all references to “compliance risk” have been deleted and replaced with a reference to “legal risk stemming from non-compliance events”. This phrase is used repeatedly in Chapter V, 21. Compliance Function (p. 70, paragraphs 209 and 210) as well as in paragraph 36 under the Chapter “Rationale and objective of the guidelines”. This could be interpreted to mean that the compliance function is responsible for legal risks in general (e.g., contract, litigation, or enforceability risks, as legal risk is defined under Article 4(1)(52a) CRR for operational risk requirements). These risks typically fall outside the core mandate of the compliance function and are usually allocated to other functions (Legal, Operational Risk, Litigation Management).
Should this be interpreted as meaning that improper management of compliance risks would lead to legal risks as defined in CRR3, this would not constitute a material change compared to the existing guidelines. This new provision should be clarified, as it has the potential to create confusion, namely as to the role of the compliance function as opposed to the role of the legal function. Furthermore, it is not consistent with the provisions set in Level 1 legislation (see Art. 76(5) CRD6, which provides that “Member States shall ensure that: ... the compliance function assesses and mitigates compliance risk and ensures that the institution’s risk strategy takes into account compliance risk and that compliance risk is adequately taken into account in all material risk management decisions”). In addition, the deletion of “compliance risk” adds uncertainty to the distinction between the various compliance functions (AML/CFT, securities compliance). Also, some Member States (e.g. Austria, Art. 39(6) in conjunction with Art. 69(1) of the Banking Code) have introduced laws addressing the risk arising from the disregard of certain rules, as this constitutes compliance risk.
Therefore, to ensure a clear allocation of responsibilities and avoid misinterpretation, the text should consistently refer to “compliance risk” and the previous references to compliance risk should be reinstated.
In addition, the term ‘non-compliance event’ is very unclear. Article 76(5)(e) of CRD6 uses the term ‘compliance risk” rather than “non-compliance event”. The ECB’s draft Guide on Governance and risk culture does not mention this term either. The EBA should clarify the meaning of this term, in particular to determine whether it refers to an actual or a potential risk.
In accordance with (new) paragraph 29a and paragraph 172, a member of the management body in its management function may be responsible for an internal control function.
The following redrafting is suggested:
204. Institutions should establish a permanent and effective compliance function to manage legal risk stemming from non-compliance risk and events. The compliance function should be headed by an independent senior manager responsible for this function across the entire institution (the head of compliance). The head of compliance may also be a member of the management body in its management function provided it complies with paragraphs 29a and 172.”
Similar clarifications are needed with regard to paragraphs 209 and 210.
Paragraphs 204 / 205 / 206: In the current draft, paragraphs 205 and 206 have been deleted. We understand they have been replaced by the following sentence in paragraph 204: “The compliance function should be headed by an independent senior manager responsible for this function across the entire institution (the compliance officer or head of compliance)”. This leads to a far too broad definition of “independence”. The proportionality introduced by paragraphs 205 and 206 should be maintained.
The following redrafting is suggested:
205 - Where it is not proportionate to appoint a person who is dedicated only to the role of head of compliance, taking into account the principle of proportionality as set out in Title I, this function can be combined with the head of the RMF or can be performed by another senior person (e.g. head of legal), provided there is no conflict of interest between the functions combined.
206 - The compliance function, including the head of compliance, should be independent of the business lines and internal units it controls and have sufficient authority, stature and resources, as set out in para. 174a. Taking into account the proportionality criteria set out in Title I, this function may be assisted by the RMF or combined with the RMF or other appropriate functions, e.g. the legal division or human resources.
[1] EBA remuneration GL: 37: ‘the supervisory function should determine and oversee the remuneration of the members of the management function and, if the remuneration committee referred to in section 2.4 has not been established, directly oversee the remuneration of the senior officers in the independent control functions, including the risk management and compliance functions”.
Question 7: Are the changes made in Title VI (business continuity management) appropriate and sufficiently clear?
Business continuity management (paras 224-230)
Paragraph 230: The addition of the wording “and subject to internal audit review” is unnecessary and should be deleted.