Response to consultation on revised Guidelines on internal governance under CRD


Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

Point 7 & 8. Management Body / Management Body in its management function and Management Body in its supervisory function 

First, we acknowledge that the Draft Guidelines intend to embrace all existing board structures and do not advocate any particular structure, due to the diversity of national laws, that provide diverse models for board systems, with one-tier and two-tier board systems. 

Proposal:

From this perspective, we have the view that the following provision in paragraph 8 of the Draft Guidelines should be maintained: “When implementing these guidelines, competent authorities should take into account their national law and specify, where necessary, to which body or members of the management body those functions should apply”. 

Nevertheless, to foster an objective of consistency and harmonisation across member states, we have the view that the necessity to embrace the diversity of board structures, should not take place at the expense of clarity in the allocation of the requirements, as described in these Draft Guidelines.  

Proposal

Wherever it is possible (ref: sections II.1 / II.4), we recommend that the Draft Guidelines refer to the “management body in its management function” and the “management body in its supervisory function”, as defined in the CRD.

 

Point 13. Head of Internal Control Functions & Key Function Holders

We note the removal of the definition of the “Head of Internal Control Functions” & “Key Function Holders” which are core in these guidelines and very often subject to misinterpretations.

Proposal: we suggest reintroducing the definition of these concepts. 

 

Point 13. Operational resilience

We note that the definition of “operational resilience” is consistent with the definition proposed in the draft Guidelines on the sound management of third-party risk (non-ICT related services), but it does not coincide with that of "digital operational resilience" introduced by the DORA Regulation. 

According to DORA Regulation, “digital operational resilience” means “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”. 

By contrast, the concept of “operational resilience” as described in the draft Guidelines under analysis refers to a financial institution's ability to perform critical or important functions in the event of a disruption. This capability enables a financial institution, directly or indirectly, including through the use of functions provided by third-party service providers, to identify and protect itself from threats and potential failures, to react and adapt, and to recover and learn from disruptive events, in order to minimize their impact on the performance of critical or important functions in the event of a disruption. In the context of the draft Guidelines under analysis, the concept of “operational resilience” is used mainly in relation to ICT and security risk management. 

Proposal

We propose that the definition adopted in the Guidelines is aligned with DORA Regulation.

 

Point 14. Application date:

We would expect the Guidelines to clarify their intended application date, especially since CRD VI has not yet been transposed in most Member States. Without such clarification, the EBA risks getting ahead of the legislative process, which may create uncertainty for institutions regarding compliance

Proposal: 

We propose to clarify the intended application date of the Guidelines. 

 

Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?

Point 22c.i Independence of the internal control function

Paragraph 22c subpoint i - the removal of the term "independent" in paragraph 22.c subpoint i is not comprehensible, especially considering the emphasis placed on the independence of internal control functions elsewhere in the Guidelines (e.g., paragraph 174a under section 19.2 "Independence of internal control functions" or paragraph 176 under section 19.3 "Combination of internal control functions"). 

The independence of the internal control functions is a fundamental principle of governance, and ensuring clarity and consistency within the Guidelines is necessary. 

Proposal: 

We suggest reintroducing the term “independent” in paragraph 22c subpoint i. 

 

Point 29a. Segregation of duties

We suggest clarifying the following wording: “A member of the management body may be responsible for an internal control function as referred to in Title V, Sections 19.1 and 19.3, provided that the member does not have other mandates that would compromise the member’s internal control activities and the independence of the internal control functions.”

If the intention in this paragraph is to refer to segregation of duties, and mitigation of conflict of interest, we suggest expressing it differently:

“Mandate” is not the adequate terminology if we want to address the case of a member of the management body in charge of private banking, credit, trading room or any other risk-taking function that would be incompatible with an ICF role. 

Additionally, new paragraph 29a does not only refer to Section 19.1 (“Heads of the internal control functions”), as the (deleted) paragraph 26 did, but also to Section 19.3 (“Combination of internal control functions”). We understand that it should refer to Section 19.1 (particularly paragraph 172) only and not to Section 19.3 (paragraph 176). 

Paragraph 172 describes the “heads of internal control functions” as such, with the possibility that the internal control function is headed by a member of the management body in its management function. On the other hand, Section 19.3 (paragraph 176) deals with the combination of internal control functions, which now does not only include the combination among internal control functions but also with other tasks performed by a senior person as provided under new paragraph 6 of article 76 of CRD introduced by the CRD VI when conditions established thereto are met such as but not limited to the absence of conflicts of interest.  

New paragraph 6 of article 76 of CRD does not refer to a member of the management body in its management function but to a “senior person”, which should be understood in accordance with the new definition of “senior management” of article 3(1)(9) of the CRD as amended by the CRD VI, which specifically excludes members of the management body. 

Proposal: 

We suggest reformulating paragraph 29a. “A member of the management body in its management function may be the head of an internal control function as referred to in Title V, Sections 19.1, provided that the member does not have other responsibilities that would compromise the member’s internal control activities and the independence of the internal control functions”

 

Point 37. Unjustified requirement of non cumulation of the role of Chairman of the Management Body in its supervisory function and other executive roles

We note that according to the Article 88(1)(e) of Directive 2013/36/EU, the chairman of an institution's management body, in their supervisory function, cannot also hold the chief executive officer (CEO) position simultaneously within the same institution.

We still note that the CRD does not prevent the chair from exercising other executive functions within the institution and thus qualifying as an executive member of the management body. 

The executive chair role is also permitted under national laws of certain Member States and is expressly recognized in paragraph 62 of the Basel Committee on Banking Supervision's Corporate Governance principles for banks: “[t]o promote checks and balances, the chair of the board should be an independent or nonexecutive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank’s checks and balances, e.g. by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board.”  

Proposal:

We therefore suggest that the recommendation to implement strong checks and balances where the chair assumes executive duties should be maintained in paragraph 37 of the Guidelines. 

 

Point 51.  Composition of the specialised committees of the Management Body in its supervisory function

In this part, we see a missed opportunity to clarify the requirements for the composition of the specialised committees of the Management Body in its supervisory function. We unfortunately observe that the various requirements addressing the composition of the specialised committees of the Management Body in its supervisory function are dispersed across several EBA Guidelines: not only the Guidelines on Internal Governance, but also the EBA Guidelines on the assessment of the suitability of members of the management body and key function holders, and the EBA Guidelines on sound remuneration practices.

This is counterproductive when it comes to simplifying and pushing for consistency and harmonisation. 

We recommend taking the opportunity to centralize these requirements into the EBA Guidelines on Internal Governance. 

We refer to this following section: “The risk and nomination committees should be composed of non-executive members of the management body in its supervisory function of the institution concerned.”

Proposal:

We suggest clarifying this wording to specify which specialised committees of the management body in its supervisory function are targeted by this “non-executive composition” requirement. Indeed, we observe very diverse set-ups in terms of combining nomination and remuneration committees.  

We suggest reformulating “The risk committee and the nomination and remuneration committees (separate or combined) should be composed of non-executive members of the management body in its supervisory function of the institution concerned”.

 

Point 51.  Requirement on ESG Skills

We note that the Draft Guidelines introduce a requirement for ESG-related skills at the individual level for the members of the remuneration committee. 

This individual requirement seems excessive, not required under CRD VI and contrary to (i) the collective suitability criteria for members of the management body set out in the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders and (ii) the collective knowledge requirement set out for the remuneration committee in section 2.4.1 of the EBA Guidelines on sound remuneration policies.

In addition, imposing specific ESG requirements at the collective level also seems excessive, as it involves a non-justified difference between ESG factors and other material factors with — potentially higher — impact on remuneration incentives, such as profitability, capital and liquidity risks.

Similarly, we recommend considering ESG risks in no different manner than all the other risks of an institution. While focusing on ESG risks was certainly necessary at the early stage, we believe that this category of risks is now mature enough to be fully embedded into the general risk management framework of the institutions. 

Proposal: 

We suggest amending as follows: “Members of the remuneration committee should have, individually and collectively, appropriate knowledge, skills and experience to assess the impact of different factors (including ESG factors), and the consistency of the institution’s risk appetite with remuneration incentives, taking into account the assessment of the risk committee specified under paragraph 62.” 

 

Point 61. Description of the scope of the Risk Committee

We refer to the section “The risk committee should at least (…) c. oversee the implementation of the strategies for capital and liquidity management as well as for all other relevant risks of an institution, such as market, credit, operational (including legal, fundamental rights, discrimination and ICT risks).”

We have the view that the illustrative list in brackets after “operational” seems very random, and we disagree that “fundamental rights and discrimination” should be included in operational risks.

Proposal: 

We suggest referring to the current regulation (art 4.1 (52) CRR definition of operational risk and the recently published draft RTS on Operational Risk Taxonomy) and to only refer to ‘operational risks’. 

We suggest reformulating:

“The risk committee…c. oversee the implementation of the strategies for capital and liquidity management as well as for all other relevant risks of an institution, such as market, credit, operational and reputational risks, in order to assess their adequacy against the approved risk strategy and risk appetite;”.

 

Point 62.  Duty of the Risk Committee towards the Remuneration Committee

We refer to the paragraph, “the risk committee should provide input to the remuneration committee regarding ESG risk and related targets or key performance indicators that should be taken into account in the remuneration policy and for performance measurement.” We see no legal basis from which this recommendation would derive. 

Proposal: 

We propose removing the proposed amendment.

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

68a. New requirement for a “mapping of duties”

We note that this new requirement would come in addition to several already existing corporate governance documents, which are highly time-consuming in their preparation and ongoing updates: job descriptions, organisation charts including reporting lines, governance charts, and organisational charters of all committees. 

We believe this new requirement will involve a very significant administrative burden for Human Resources Department and for the Management Body. 

We also note that including the management body in its supervisory function goes beyond what is required according to Art. 88(3) of Directive 2013/36/EU. Art. 88(3) of Directive 2013/36/EU in its wording clearly only requires institutions to prepare the mapping of roles regarding the management body in its management function.

Proposal: 

We suggest 1) clarifying that the mapping of duties is not required for the management body in its supervisory function, and 2) clarifying that the mapping of the institution’s activities and the responsibilities of the management can be included in documents approved by the corporate bodies without the need for a specific format (as listed above) and without the need to be approved by the management body, since the approval could be delegated to the management body in its management function.

 

68a.b Introduction of the notion of a “group”

We welcome that the notion of “group” is introduced in the Draft Guidelines. This section is highly relevant for international financial places, welcoming branches and subsidiaries, such as Luxembourg.

The notion of a group is usually not defined from a strict legal perspective, and its meaning can change depending on the applicable regulations (financial reporting and consolidation, shareholder and stakeholder regulations, …). 

In addition, the requirement “each institution within a group should draw up a mapping” broadens the scope of supervision and of the mapping requirement, potentially to non-regulated and non-EU entities within the “group”. 

 

Proposal:

We suggest that a definition of “group” should be provided including only entities in the scope of supervision under the consolidating entity (see art 86 et seq.).

We have the view that this opportunity should be taken to clarify here what is required in terms of describing the reporting lines, at the entity level and at a consolidated level.

The requirements of the local regulators vary as to what is accepted and rejected, for example in terms of a solid line to the local hierarchy and a dotted line to the group reporting line.   

 

68.a.c Responsibility of the allocation of duties 

We refer to the section “The management body should be responsible for the allocation of the duties and responsibilities assigned to senior management and key function holders even if those duties are drafted below management body level”, and we note that it is unclear which body is in charge of allocating the duties and responsibilities.

Proposal: 

We suggest redrafting as follows: 

“The management body in its management function should be responsible for the allocation of the duties and responsibilities assigned to senior management and key function holders”.

 

 

68.a.f.(v). Content of the mapping of duties

We refer to our recommendation in 68a.

 

68.a.g  Requirement to update the allocations of duties

We note that the proposed requirements add significant and unnecessary administrative burden to the duties of the Human Resources function and the management functions. We furthermore note that this provision goes beyond what is required according to Art. 88(3) CRD VI, which only requires institutions to prepare documentation and keep it updated. No voting or approval requirement can be inferred from the wording.

Proposal:

We suggest removing the following statement: “The management body should approve the mapping of duties and institutions should timely update it as appropriate, taking also into account the review of the individual statements.”

 

68.b.a. Indication of the expected time commitment 

We believe that the indication of the expected time commitment should remain part of the Fit & Proper assessments and not be extended to members of the senior management who are not subject to FAP assessment. 

Proposal: 

We propose to limit the requirement of the declaration of the expected time commitment to the members of the Management Body and to the Heads of Internal Control Functions.

 

68.b.b. Confirmation of the principle of collective responsibility of the Management Body

We note that the current wording weakens the overarching principle of collective responsibility of the management body.

Proposal: 

We suggest rewording of the first sentence: “The allocation in the individual statements of role(s) and duties to a member of the management body in its management function does not exempt the respective individuals from their roles and duties as members is without prejudice to the collective responsibility of the management body.”

 

Paragraph 68.c. Obligation to establish individual statements and map responsibilities

We note that Article 88(3) of Directive (EU) 2024/1619 introduces an obligation to establish individual statements and map responsibilities. This article does not introduce any requirement for the concerned individuals to demonstrate that they fulfil their duties. 

The proposed wording uses subjective expressions such as ‘all actions that could reasonably be expected’, without clear performance indicators.  

We ask the regulator to clarify the objective of going that far. If the intention is to have grounds for a withdrawal of authorisation, we believe this would exceed the intention of the CRD.  

 

Proposal:  

We propose to remove the paragraph 68c in full. 

 

Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?

We have no specific comment on this part, but we trust it would be valuable to specify whether, apart from this section, other requirements of the guidelines are also applicable to TCBs.

Paragraph 90c. The prescription referring to persons effectively directing the business seems to go beyond what is required by CRD VI by introducing new requirements. In particular, we would suggest deleting the following sentence: “The position held in the third-country branch should be counted, where the conditions of Article 91 paragraphs (3) and (4) of Directive 2013/36/EU are met, as an executive directorship.”

 

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

Point 101a. New requirements on KPIs to monitor Gender Diversity

We welcome that some concrete KPIs are listed to monitor gender diversity, but we regret that the focus is only put on gender diversity. We also fear that the selection of indicators as proposed will become a prescriptive list, while we trust the selection of indicators should remain the prerogative of the Management Body in its supervisory function.

Proposal

We propose that this section is expanded so as to promote diversity in terms of gender, geographical origin, education and background. 

We also propose specifying that the list of indicators should remain at the discretion of the institution. 

 

Point 107a. New requirements on the non-cumulation of the Chair of the Management Body of a parent entity with the role of CEO of a subsidiary

We refer to the section “Similarly, within a group, the role of Chair of the management body in its supervisory function of a parent entity should not be held by the CEO of a subsidiary.”

First, we note that this important new requirement appears for the first time in this section of the draft guidelines. More importantly, we note that the prohibition under CRD VI is strictly limited to the roles of chair and CEO within the same institution. Extending the prohibition to all the entities within a group would go beyond the level 1 EU legislator’s choice.

Proposal: 

We propose the removal of sections 107a and 107b of the draft guidelines. 

We also suggest that the principle according to which several directorships are permitted within the same group is reconfirmed, subject to the identification and mitigation of the potential conflicts of interest. In this regard, we note that the executive or non-executive directorships held within the same group shall count as a single directorship according to the CRD. 

 

Point 107b. Cooling off period after an executive role

We agree that a former member of the management body in its management function, who takes the role of Chair or member of the Management Body in its supervisory function, should be considered as non-independent, for a period of time established by the local regulators.  

Nevertheless, the provision contemplated in the draft guidelines, aiming to establish a cooling-off period of at least three years as well as specific mitigation measures for conflicts of interest, goes beyond the requirements of the CRD.  

Proposal: 

We propose that the provision under paragraph 107b is removed. 

 

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

Point 171. Compliance Officer

We would welcome clarification on whether the “separate AML/CFT compliance function” mentioned in the second sentence of paragraph 171 (i.e. “Institutions may establish a separate AML/CFT compliance function as an independent control function”) is the “compliance officer” mentioned in paragraph 204 (please see comments to paragraph 204, below) or the “compliance officer” prescribed under paragraph 2 of Article 11 of the Regulation (EU) 2024/1624.  

Should the latter be the case, please note that, whereas the second sentence of paragraph 171 allows but does not require such a function, paragraph 2 of Article 11 of Regulation (EU) 2024/1624 requires it (at least for “obliged entities”) by establishing that “[o]bliged entities shall have a compliance officer, to be appointed by the management body in its management function and with sufficiently high hierarchical standing, who shall be responsible for the policies, procedures and controls in the day-to-day operation of the obliged entity’s AML/CFT requirements, including in relation to the implementation of targeted financial sanctions, and shall be a contact point for competent authorities […].” 

Therefore, the wording of this second sentence of paragraph 171 is not fully aligned with Regulation (EU) 2024/1624.  

Proposal: we recommend aligning the requirements allocated to the Compliance Officer across all Regulations.

 

187.  Role of the Risk Management Function in ESG risk-related strategies, policies and plans

We refer to the section: “The Risk Management Function (“RMF”) should provide the management body with all relevant information to establish ESG risk-related strategies, policies and plans with quantifiable targets, in line with the EBA guidelines on the management of ESG risks, particularly section 6.”

We note that the EBA Guidelines include more than quantifiable targets. 

Proposal:

We suggest reformulating as below: 

“The RMF should provide the management body with all relevant information to establish ESG risk-related strategies, policies and plans in line with the EBA guidelines on the management of ESG risks (EBA GL/2025/01), particularly section 6.”

 

201. Cumulation of role as member of the management body in its management role and head of internal control function

We note that paragraph 201 is not fully aligned with paragraph 29a and paragraph 172, according to which a member of the management body in its management function may be responsible for an internal control function. 

Proposal: we suggest rewording as follows: 

“As a general principle, the head of the RMF should be a senior manager with sufficient expertise, independence and seniority to challenge decisions that affect an institution’s exposure to risks. The head of the RMF may also be a member of the management body in its management function provided it complies with paragraphs 29a and 172.”

 

204.  Scope of the Compliance Function and role of the Compliance officer

In our view, this section is highly problematic. It creates a perception that compliance is a sub-risk of legal risk and creates confusion regarding the important notion of the lines of defence. 

We are totally opposed to the proposed amendment concerning the compliance function, which extends its responsibility beyond compliance matters to the management of ‘legal risk stemming from non-compliance events’.

Proposal:

We propose referring to the provision of the Level 1 legislation (see par. 76.5 of Directive (EU) 2024/1619 (CRD VI)), which provides that “Member States shall ensure that: […] the compliance function assesses and mitigates compliance risk and ensures that the institution’s risk strategy takes into account compliance risk and that compliance risk is adequately taken into account in all material risk management decisions”.

We also propose clarifying the role of the Compliance Manager versus the role of the Compliance Officer, as currently the role of the Compliance Officer, as per Article 11 of Regulation (EU) 2024/1624, seems more restricted than the role of the Compliance Officer under paragraph 204 commented on above. 

 

215. Independence of the Internal Audit Function

We note the removal of the sentence “Therefore, the IAF should not be combined with other functions.”

We suggest clarifying the requirements for a combination with other functions, if this is now allowed. 

 

Question 7: Are the changes made in Title VI (business continuity management) appropriate and sufficiently clear?

We have no specific comment to make on section VI. 


Name of the organization

ABBL - Luxembourg