Thank you for the opportunity to comment on the ESA consultation on its draft joint Guidelines on the system for the exchange of information relevant to fit and proper assessments.
The European Savings and Retail Banking Group (ESBG) would like to provide you with the comments below, which we hope will be considered by the ESA.
ESBG has strong concerns about the guidelines as proposed.
Through two aspects, the draft guidelines would interfere with the division of responsibilities between the ESAs and the national competent authorities in some Member States:
• The envisaged obligation to query the database violates the sole competence of the national competent authority responsible for the respective suitability assessment procedure.
• Especially in cases of a negative result or a withdrawal of an application in a previous assessment procedure, there will be a de facto binding effect of the previous procedure, even if the draft guideline explicitly rejects such a binding effect in Recital 11.
The stated legal basis (Art. 31a, Art. 16 (1) ESA Constitutive Act; for EBA: EU Regulation 1093/2010) does not cover the establishment of such an elaborate, centrally organized database also from a substantive law point of view.
The database is not necessary to ensure efficient supervision within the meaning of Article 16 (1) of the ESA Constitutive Act. Equally efficient options are available that are less costly and more data-efficient. Automated, standardized inquiries at the deposited contact points ("telephone directory", option A on page 17, accompanying document) as part of a decentralized solution, for example, would not be costly and would be at least as efficient.
It is up to the competent authority to decide whether data should be matched in a suitability assessment procedure. There will only rarely be a reason to do this, since in the vast majority of cases there will be no question of another authority being responsible for the data. The vast majority of data is collected even though it will most likely never or only very rarely be needed by other competent authorities.
The use of the data that may be obtained through the management of the database by the ESAs is only rudimentarily hinted at. Recital No. 8 (page 8 draft guidance) talks about statistics that should be derivable from the use of the database. However, the draft guideline text itself does not contain any further explanations in this regard. There is therefore a risk here that the ESAs want to derive certain findings from the database, which in turn could be used as the basis for further measures. For this reason - and also for reasons of data protection law - the text of the guidelines (and not the announced operating regulations) itself must specify the purpose for which the ESAs themselves wish to access and evaluate data, and to what extent and on the basis of which legal basis.
1. Compliance and reporting obligations
2. Subject matter, addressees and definitions
3. Use of the ESAs Information System
4. Information exchange and cooperation between the competent authorities using the ESAs Information System
ESBG believes that there is some room for improvement in the proposed draft guidelines.
We would like to stress that it is important that a thorough risk evaluation is done between on the one hand the gains with the new system for the exchange of in-formation relevant to fit and proper assessments and on the other hand the pur-pose of the use of the information/data from an integrity legal perspective.
The aim of the use of the information obtained must be precise and strict limited to the purpose for which the ESAs themselves wish to access and evaluate data, and to what extent and of which legal ground.
ESBG proposes to include:
• a general obligation in the guidelines that queries of the database may only be made for a legitimate reason and must be logged;
• the data subject must be informed when a query is made about him or her; and
• minimum standards for data security must be established.
In ESBG’s opinion, special care should be taken when competent authorities exchange information among them on the members of the management body regarding data protection issues. For example, in the Bank of Spain’s suitability questionnaire there is a declaration to be signed by the candidate regarding data protection allowing the Bank Spain to treat the data and send it to the ECB and other supervisors.
In addition, attention to the statuary deadlines as well as to the nature of each of the procedures alone, must not be disregarded. Specially, we would like to call attention to the deadlines set out for adopting a decision by the authority (set out in national law and in the joint ESMA and EBA Guidelines on suitability), which should not be altered, suspended or elongated under any circumstances, as a consequence of the exchange of information between authorities under the proposed Guidelines and ESASs Information System.
Moreover, we suggest introducing specific clarification in the following provisions:
16. The requested authority should, in accordance with the principle of sincere cooperation set out in Article 4(3) of the Treaty on European Union (TEU) and reflected in Article 2(4) of the Founding Regulations, and taking into account Union sectoral provisions, respond to the request at the latest within 2 weeks from receipt of the request and provide the information or explain why the information can only be provided at a later date. In any case, the deadlines applicable to the assessment at stake should not be elongated or suspended by delay or absence of answer of the requested authority. In case of a negative assessment or a withdrawal of application for an assessment, available information about the reasons for the negative assessment or the withdrawal should also be provided.
18. Where the exchange of information is impossible in accordance with paragraph 17, the requested authority should as soon as possible but at the latest within 2 weeks from receipt of the request, inform the requesting authority and explain the reasons thereof. In case of a partial impossibility to provide all requested information, the requested authority should provide to the requesting authority the part of the information whose provision is permitted and explain the reasons for withholding other parts of the information. In any case, the absence of the required information should not alter, elongate or suspend the deadlines applicable to the assessment at stake.