Response to consultation on draft Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders

Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

Executive summary, former 3rd paragraph

“The terms ‘management body in its management function’ and ‘management body in its supervisory function’ should be interpreted throughout the Guidelines in accordance with the applicable law within each Member State.”

This sentence has been deleted and should be reinstated. It is key to maintain the principle of prevalence of national laws over the EBA Guidelines.

Executive summary, 4th paragraph and para. 64

“Competent authorities may also assess other key function holders on request”

The proposed text in the EBA/ESMA Guidelines in relation to the unilateral designation and assessment of key function holders by competent authorities (for example on page 7 but also in the articles referred to below) has no legal basis in CRD VI. 

The executive summary and subsequent points of the draft revised guidelines (i.e. § 64) suggest that competent authorities may unilaterally designate and assess “other KFH on request”, meaning key function holders other than the heads of the internal control functions and the CFO, without any explicit legal basis in CRD VI.

Furthermore, this is directly contrary to the aims and purpose of CRD VI. The aim of CRD VI is – inter alia – to “(…) lay down a set of rules at Union level to put in place a more consistent and predictable fit-and-proper framework. This will foster supervisory convergence, further enable trust between competent authorities and provide more legal certainty to institutions” (45). Furthermore, it states: “In order to ensure legal certainty and predictability for the entities, it is necessary to establish procedural rules for verifying the suitability of members of the management body and key function holders of large institutions by competent authorities (48)”.

It is of the essence to implement a harmonised, stable and (therefore) predictable system of key function holder assessments by competent authorities, limited to the heads of the internal control functions and the CFO as described in CRD VI. The proposed text may lead to a differentiated approach, which would not only jeopardise the intended harmonisation of the subject but may also lead to practical issues, far too much red tape and legal uncertainty for institutions.

We urgently request EBA/ESMA to delete all wording that suggests that competent authorities may unilaterally designate and assess key function holders other than the heads of the internal control functions and the CFO.

Background and rationale, para. 64

“and other key function holders, where required by the competent authority”

Same as the remark made above relating to the Executive summary, 4th paragraph.

Background and rationale, para. 4 and para 13

Deletion of “The management body, as defined in points (7) and (8) of Article 3(1) of Directive 2013/36/EU, should be understood as having management (executive) and supervisory (non-executive) functions.”

The terms “management body in its management function” and “management body in its supervisory function” as of now are defined in accordance with “Directive 2013/36/EU and its implementation in national law”. 

In our view, this proposed deletion introduces uncertainty to the defined terms rather than benefiting the GL, as the referred definitions of those terms have long been implemented in national law.

Consequently, we suggest reconsidering the removal of the wording “in accordance with national law”, as it also contradicts the existing and unchanged intended interpretation of the terms, which are explicitly intended to be in line with national (company) law (para 4).

 

Background and rationale, para. 13

“cooling-off period”

This paragraph refers to the “cooling-off period” that the draft revised Guidelines on internal governance recommend applying when a former CEO or an executive director becomes chair or a member of the management body in its supervisory function (paragraph 107(b) of the draft revised Guidelines on internal governance) and to the mitigating measures to be taken in the absence thereof.

As we indicated in our response to the consultation on the draft revised Guidelines on internal governance, we consider that by extending the scope of the “cooling-off period” to (i) all members of the management body in its supervisory function (including the chair) and to (ii) all members of the management body (in its executive function), the EBA goes far beyond the requirements of the CRD and the existing national legal frameworks based on it. This would, in practice, amount to a pre-emption of legislation that normally falls within the competence of national parliaments and/or the EU legislator.

Furthermore, company law already provides mechanisms to address conflicts of interest (for example, the obligation to recuse oneself or the possibility of excluding certain individuals from discussions).

By introducing a three-year “cooling-off period”, the EBA would exceed the mandate conferred on it by Article 74(3) of the CRD, read in conjunction with Article 16(1) of the EBA Regulation, which allows it to fill gaps in the requirements set out in the CRD, but not to establish rules that go beyond it.

There are already national regulations in place. Since EBA and the competent authorities applying the Guidelines must comply with national law, and not the other way around, we see neither the need nor the scope for imposing a specific timeframe for a cooling-off period. 

Background and rationale, para. 27

“ESG factors…form part of the knowledge requirements”

The last sentence states that key function holders should have knowledge regarding climate risks.

There is no legal basis in CRD for this requirement. In addition, this requirement should apply not individually to each member of the management body but to the management body as a whole.

Background and rationale, para. 56

Scope of the ex-ante suitability application for large entities (ex post)

Providing a suitability application to the CA without undue delay but at the latest 30 working days before the prospective member takes up their position might in some cases be unjustifiably strict and cannot be met in cases where there are several prospective candidates, in particular regarding the chair of the management body in its supervisory function. It is necessary to await the election at the Annual General Meeting; it would be unreasonably burdensome to be required to give 30 days’ notice in advance for each and every candidate. Although this is in line with CRD VI, EBA must be aware that, given its inflexibility and the absence of provisions for exceptions, it might not be practical in all cases.

This paragraph should be specified as follows: “Where the competent authority carries out suitability assessments after the member of the management body in its management function and Chair of the management body in its supervisory function takes up their position (ex post), in line with Article 91(1d) of this Directive, large entities in line with Articles 91(1d) of the Directive 2013/36/EU should provide a suitability application to the competent authority without undue delay but at the latest 30 working days before the prospective member takes up their position unless such requirement proves impracticable in duly justified circumstances, in particular where multiple candidates are subject to election processes, including for the position of chair of the management body in its supervisory function; in such cases, the application shall be submitted without undue delay following the election or nomination decision.”

 

Background and rationale, para. 65

“For all entities, including those that do not fall under the RTS on the minimum information…”

Under this paragraph, the RTS on the minimum information to be submitted to the supervisor in the context of an ex-ante assessment request would apply to the assessments of the suitability of all entities, which has no legal basis and would be particularly problematic for cooperative regional banks.

The EBA cannot rely on the mandate concerning the file relating to ex-ante suitability applications, which was granted to it by Article 91(10) of CRD VI, to frame the content of all suitability applications or all entities.

Scope of application, para. 10

Proposed [NEW] i. These Guidelines are also addressed to the central body as referred to in Article 10 of Regulation (EU) No 575/2013, or, where waivers referred to in Article 21 of Directive 2013/36/EU apply, to the whole as constituted by the central body together with its affiliated institutions. 

The proposed clarification of the scope of application is necessary to ensure legal certainty, consistency with Union law and effective supervisory application of the Guidelines in Article 10 CRR central body structures, which are specifically recognised under EU banking legislation.

Article 10 of Regulation (EU) No 575/2013 establishes a specific prudential framework for central body arrangements, under which affiliated institutions are permanently linked to a central body that exercises binding powers in key areas of prudential regulation, incl. internal governance, risk management and control. Where no waiver under Article 21 of Directive 2013/36/EU applies, supervisory responsibilities and accountability for internal governance, including suitability-related matters, it is appropriate and legally accurate that these Guidelines are explicitly addressed also directly to the central body, in addition to the affiliated institutions. 

At the same time, where waivers under Article 21 of Directive 2013/36/EU are granted, Union law explicitly recognises that the central body and its affiliated institutions operate, for prudential purposes, as a single economic whole. In those circumstances, internal governance requirements, including fit and proper arrangements, are designed, implemented and overseen at the level of the central body and affiliated institutions as a whole rather than at the level of individual affiliated institutions on a standalone basis. Explicitly addressing the Guidelines, in such cases, to the whole constituted by the central body together with its affiliated institutions reflects the legal effects of the Article 21 CRD waiver and avoids an artificial fragmentation of governance responsibilities. 

This clarification also supports supervisory convergence. In the absence of an explicit reference to Article 10 CRR structures and the interaction with Article 21 CRD waivers, competent authorities may apply the Guidelines inconsistently, either by focusing solely on the central body or by duplicating requirements at the level of affiliated institutions despite the existence of a waiver. Such divergent practices would undermine the objective of the Guidelines to promote a harmonised approach to suitability assessments across the Union. 

Finally, the proposed wording does not extend the material scope of the Guidelines or introduce additional obligations. It merely clarifies the appropriate addressee of existing requirements in light of governance structures expressly recognised by Union law. As such, it enhances legal clarity, proportionality and effective implementation while remaining fully aligned with the CRR/CRD framework and established supervisory practice.

 

Scope of application, para. 10(h)

“and the assessment of key function holders”

Same as the remark made above relating to the Executive summary, 4th paragraph.

Definitions, old para. 14

The definitions of CEO, CFO and key function holder used in these Guidelines are purely functional and are not intended to impose the appointment of those officers or the creation of such positions unless prescribed by relevant EU or national law (deleted)

We wonder why paragraph 14 of the current Guidelines has been deleted, as it seems to us that it remains fully relevant.

Why has this provision been removed?

 

Definitions, para. 19

“Large entities”

The definition of “Large entities” stating “means institutions defined in Article 4(1), point (3) of Regulation (EU) N° 575/2013” needs to be reviewed or clarified. When checking this reference, Article 4(1), point (3) seems to refer to the following definition:

“’institution’ means a credit institution or an investment firm”. There is no link to the notion of large entities. The definition of large entities should be adjusted to refer to Article 4(1), point (146) of Regulation (EU) N° 575/2013.

 

Definitions, para. 19

“significant entities”

‘Significant’ entities should not be used; ‘systemically important’ is preferable. 

Reasoning: The strict and consistent distinction between the terms “significant” and “systemically important” is indispensable in the context of financial regulations. Other Systemically Important Institutions (O-SIIs) and Globally Systemically Important Institutions (G-SIIs) should be distinguished from Significant Institutions (SIs) for the sake of clarity. 

While the SI category covers institutions that are supervised by the ECB, the categories O-SIIs and G-SIIs have been established to differentiate between institutions that are globally or nationally systemically important to the economy. O-SIIs and G-SIIs are necessary in order to see clearly whose failure might trigger a financial crisis; they are categorised by the degree of influence they hold in global and/or domestic financial markets, and thus by very different criteria than SIs. The terms “significant” and “systemically important” therefore describe different concepts and areas of application.

By establishing a new category and definition regarding significance – namely significant entities – EBA is blurring the lines between the terms “significant” and “systemically important” institutions. 

We therefore strongly urge EBA not to change the already established definitions and not to create further implementation difficulties. 

We kindly suggest the following wording: 

Systemically important entities

Means institutions referred to in Article 131 of Directive 2013/36/EU (global systemically important institutions (G-SIIs) and other systemically important institutions (O-SIIs)), and, as appropriate, other CRD institutions determined by the competent authority or national law, based on an assessment of the institutions’ size and internal organisation, and the nature, scope and complexity of their activities, and in accordance with Article 3(3) of this Directive financial holding companies and mixed financial holding companies that have been granted approval in accordance with Article 21a of this Directive and meet one of the aforementioned conditions.

 

Definitions, para. 19

“ability and powers to participate in the operating and financial policy decisions at the level below the management body or the level below the senior management”. 

This definition forms part of the definition of “key function holders” as outlined in point 9a of Article 3(1) of CRD but seems to be rather broad and is unclear. What is meant by “participating in operating and financial policy decisions”? Can EBA/ESMA give concrete examples? Please explain the rationale of this article and what is expected from entities. Furthermore, does this article imply that senior management cannot qualify as key function holders by definition?

 

Implementation, para. 20

“These Guidelines apply 6 months after the publication of all translations of the GL, but not later than 31.12.2026.”

Art 16 para 3 of Regulation 1093/2010 states clearly that within two months of the publication of a guideline, each competent authority shall confirm whether it complies with, or intends to comply with, that guideline. If a competent authority does not comply with, or does not intend to comply with, guidelines, it shall inform EBA of this, stating the reasons. This requirement therefore contradicts EBA’s approach of setting a specific deadline, as this is not in line with the law. We therefore object to this decision to impose this timeline and refer to the existing provisions on national implementation, which have always proven to be fully effective.

Furthermore, there are MS which have not yet transposed the CRD VI – therefore the GL would be applied without a level 1 legal basis.

The reference to a specific date (31.12.2026) should therefore be deleted.

Besides, the suitability framework is structurally dependent on the internal governance framework. If the amended suitability Guidelines were to enter into force before the updated EBA Guidelines on Internal Governance, institutions and competent authorities would be required to apply suitability obligations that explicitly rely on governance concepts, role definitions and documentation requirements that are not yet in force, or that may still be subject to change. This would create legal uncertainty, inconsistent supervisory expectations and an unnecessary implementation burden.

The Internal Governance Guidelines are the primary regulatory instrument that operationalise governance CRD concepts at Union level; and the suitability framework should therefore follow, not precede, that framework.

Aligning the entry into force of the suitability Guidelines with the entry into force of the EBA Guidelines on Internal Governance ensures: 

  • consistency with the CRD legal architecture;
  • a clear and predictable implementation sequence for institutions;
  • coherent supervisory practices across Member States; and
  • compliance with the principles of better regulation and proportionality. 

For these reasons, it is justified and necessary to provide that the amended Joint Guidelines on suitability shall enter into force not before the entry into force of the updated EBA Guidelines on Internal Governance, while maintaining a standard application period after publication of translations.   

We also recall that EBA has stated in its exchange with the industry that it foresees the suitability package applying from summer 2027 at the earliest, so we expect this to be reflected in the text of the Guidelines as well, in order to add to the legal certainty of the date of application of the Guidelines.

 

New competence requirements related to IT, Artificial Intelligence and DORA regulation 

In the Artificial Intelligence Act, competence or training requirements are set more at entity level than for senior management. In DORA, they are set at a rather general level (Article 5(4)): “Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.”

In the EBA/ESMA Guidelines, the requirements related to the abovementioned competence and training are somewhat mixed, set at different levels and scattered throughout the text, as evidenced in the examples listed below. This might simply be due to the text having been written by different authors, as in different places the same matter is referred to using different terminology. Most of the provisions (with the exception of paragraph 16) are formulated at a high level of generality. While this allows for a degree of flexibility in interpretation, it also creates a risk that broadly framed competence requirements may later be interpreted more stringently by supervisors. For reasons of legal certainty and consistent application, it should therefore be made clear what is concretely required.

Background and rationale, paragraph 16: 

“With the Digital Operational Resilience Act and the Regulation on Artificial Intelligence, competent authorities have intensified their efforts to provide guidance on ICT and AI use in financial services. The European Securities and Markets Authority (ESMA) has recently issued a public statement on the use of AI in the provision of retail investment services. An adequate understanding of ICT systems and AI applications and their risks within the entities is essential for the management body to ensure a sound and adequate governance and control over these technologies.” Here we suggest replacing the term “thorough” by “adequate” as this seems to be more appropriate. 

Background and rationale, paragraph 31: 

“Furthermore, entities are required under Article 91(9) and (10) of Directive 2013/36/EU to devote adequate human and financial resources to the induction and training of members of the management body, including on ESG risks and impacts and on ICT risk, to engage a broad set of qualities and competences when recruiting members to and ….”

 Background and rationale, paragraph 49: 

“Entities need to provide sufficient resources for induction and training of members of the management body. Receiving induction should make new members familiar with the specificities of the entity’s structure, how the entity is embedded in its group structure (where relevant), and business and risk strategy. Ongoing training should aim to improve and keep up to date the qualifications of members of the management body so that at all times the management body collectively meets or exceeds the level that is expected. Ongoing training is a necessity to ensure sufficient knowledge of changes in the relevant legal and regulatory requirements, markets and products, and the entity’s structure, business model and risk profile, taking into account also ICT risks, ESG risks and impacts.”

 Guideline paragraph 69(h): 

i. data protection requirements and their implementation in light of other prudential requirements, 

 Paragraph 77: 

This includes the management body collectively having an appropriate understanding of the areas for which the members are collectively accountable, and the skills to effectively manage and oversee the entity, including the following aspects: 

f. information and communication technology and security, including the requirements within Regulation (EU) 2024/1689 on artificial intelligence systems;

n. requirements under Regulation (EU) 2022/2554 regarding digital operational resilience, including the respective delegated technical standards

 In addition, references to ICT and DORA have been introduced in Annex I under the assessment of governance and risk management. In this context, the inclusion of elements such as threat-led penetration testing appears to go beyond what can reasonably be considered at management body level, given its highly technical and operational nature. If the intention is instead to capture the management body’s competence to oversee, assess and challenge the institution’s approach to cybersecurity risk, this should be stated explicitly in order to avoid misinterpretation.

Question 2: Are the changes made in Title II appropriate and sufficiently clear?

The entities’ assessment of the individual suitability of members of MB, para. 29

“Entities should use the individual statements, established under Article 88(3) of Directive 2013/36/EU and the EBA Guidelines on internal governance, setting out the roles and duties of the members of the management body in its management function for assessment and reassessment of the individual suitability of the respective members.”

This paragraph specifies that institutions are required to use individual statements in the assessment of the suitability of members of the management body in its management function, whereas the CRD VI does not provide for the use of this tool for that purpose, as it is primarily intended for competent authorities when assessing governance arrangements (recital 64 of the CRD VI).

Furthermore, this paragraph appears to require that the statement of duties be established prior to taking up office, although such a requirement is not provided for by the CRD VI.

We therefore suggest the deletion of this paragraph.

 

The entities’ assessment of the individual suitability of members of MB, para. 31

“if that member takes on additional duties, an additional directorship or starts to perform new relevant activities, including political ones.”

The draft Guidelines propose that the time commitment of members of the management body should be reassessed not only when they take on additional directorships, but also when they assume “additional duties”. 

This wording is quite broad and could encompass a wide range of activities that may have little or no material impact in practice. A reassessment of the time commitment should therefore only be required where there is a meaningful effect on the member’s availability. If a member merely takes on a minor side activity with negligible impact (e.g., only a few working days per year), this should not trigger a reassessment. Such a broad and open-ended requirement would lead to continuous reassessment exercises.

This new reference should be deleted, as it has no legal basis and as executive roles, by their very nature, are dynamic and evolving. 

 

The entities’ assessment of the collective suitability of the MB, para. 34

“Entities should use the individual statements,…”

The comment made in respect of paragraph 29 also applies to paragraph 34.

The entities’ assessment of the suitability of key function holders, para. 40

“Entities should use the individual statements,…”

The comment made in respect of paragraph 29 also applies to paragraph 40.

Do you have any views on the provisions regarding these independence criteria? Please explain any aspects that may influence the effectiveness, clarity, or implementation of these independence criteria across different business models/types of institutions.

The independence requirement, as it currently stands in the draft Guidelines, goes beyond what is provided for by CRD. CRD requires members of the management body to act with honesty, integrity and independence of mind, but does not define any notion of formal independence for example. Independence of mind under CRD is clearly conceived as a behavioral suitability requirement, not as a status derived from the absence of relationships or links.

The requirement of independence should only refer to the independence of mind.

Likewise, CRD does not require a minimum number of independent members within the management body. 

The guidelines should respect the core purpose of cooperative banks, which is to serve members’ interests and requires the involvement of only elected members in the management body in its supervisory function, which involves a business relationship (“self-governance”).

Furthermore, the notion of independence should be adapted for fully owned subsidiaries; an independent member could be a Parent company employee who does not report to the Business Line of the subsidiary in which he is appointed. 

It would be best for the criteria for independence to be left to the national level and deleted from these Guidelines and from the ECB draft guide.

See also our comments on paragraphs 91-95 and comments further down the questionnaire.

Question 4: Are the changes made in Title III appropriate and sufficiently clear?

Sufficient time commitment of a member of the management Body, para. 50

Entities should monitor and record whether the members of the management body commit sufficient time to performing their functions.

The new requirement for institutions to document that members of governing bodies dedicate sufficient time to their duties introduces unnecessary administrative burden. This is particularly onerous for part-time supervisory board members in cooperative banks or similar regional institutions, as it could be interpreted as requiring detailed tracking of activities such as individual meeting preparation. We therefore recommend deleting the addition “and record.”

Adequate knowledge, skills and experience, para. 62

“This includes an appropriate understanding of those areas for which an individual member is not directly responsible…”

The draft adds the requirement for all board members to have an appropriate understanding of all the areas listed in paragraph 77.

This addition should be removed as it has no legal basis in CRD and the current drafting already ensures that the management body collectively understands these areas. This requirement should not be imposed at an individual level for the same reasons explained in the comments to paragraph 69 below.

Adequate knowledge, skills and experience, para. 69

“h. anti money laundering and counter terrorist obligations;

i. data protection requirements and their implementation in light of other prudential requirements, 

j. the ability to present their views, discuss strategies and business objectives;”

Paragraph 69 introduces additional assessment criteria whose regulatory basis and underlying rationale are not sufficiently clear. The Guidelines do not explain how these new elements derive from CRD provisions, nor how they are proportionate or necessary in light of the existing suitability framework.

As a result, it is difficult for institutions and competent authorities to assess the intended scope, added supervisory value and practical implications of these new assessment points. 

While these areas are relevant at the level of the management body as a whole, it is not appropriate to require in-depth expertise from each individual member. Unlike core competencies such as risk management or accounting, these are specialized fields. A general understanding is already covered under the requirement for knowledge of the legal and regulatory framework (letter b). Accordingly, letters h and i should be deleted and instead reflected under collective suitability requirements.

These additions should be deleted as they have no legal basis and the management body is not a technical-operational body; it is responsible for oversight, strategic direction and ensuring that appropriate governance and control frameworks are in place. It should not be required that each individual member possesses specialised theoretical or practical experience in specific regulatory sub-domains.

Besides, the amendment under point (j) does not appear to be relevant, insofar as the ability to discuss strategy and business objectives does not, in itself, constitute a hard skill.

In addition, points (j) in both paragraphs 69 and 77 appear unnecessary and duplicative. These elements relate in substance to aspects of independence of mind, which is already addressed comprehensively in Section 9.2, together with specific definitions, assessment criteria and expectations. Including similar considerations again under the assessment of knowledge, skills and experience and under collective suitability risks regulatory overlap, legal uncertainty and inconsistent application, without providing additional clarity or supervisory benefit. 

Furthermore, point (j) raises significant practical and legal concerns in terms of feasibility. Assessing a candidate’s prior working relationships, previous board dynamics or past decision-making behaviour often requires access to information that is not publicly available and is, in many cases, protected by confidentiality obligations or business secrecy vis-à-vis former employers or boards. Expecting candidates to disclose such information would be neither realistic nor appropriate and may conflict with contractual obligations, data protection principles and general limits on information that can reasonably be requested in a suitability assessment.

For these reasons, points 69(h) to (j) should be deleted. Matters relating to independence of mind should be assessed exclusively within the dedicated section of the Guidelines addressing that concept.

 This would improve legal clarity, avoid unnecessary duplication, and ensure that suitability assessments remain proportionate, operationally feasible and aligned with the structure of the CRD framework.

 

Adequate knowledge, skills and experience, para. 69; Collective suitability criteria, para 77(f) and 77(n)

69. … i. data protection requirements and their implementation in light of other prudential requirements,   

77. … f. information and communication technology and security, including the requirements within Regulation (EU) 2024/1689 on artificial intelligence systems;

n. Requirements under Regulation (EU) 2022/2554 regarding digital operational resilience, including the respective delegated technical standards

Express references to data protection (effectively GDPR), the AI Act and DORA in this context introduce a level of specificity that goes beyond what is necessary and is not grounded in the suitability assessment framework under CRD VI.

Carving out these three specific regulatory regimes as particularly relevant for assessing the knowledge, skills and experience of individual management body members (paragraph 69) or the management body collectively (paragraph 77) imposes a significant burden on entities and limits the pool of suitable potential members of the management body. This risk is particularly pronounced where such references may be interpreted as implying expectations of detailed or technical regulatory knowledge. 

Singling out these regimes also raises questions as to consistency with the otherwise principles‑based approach of the Guidelines, which do not prioritise specific regulatory frameworks in assessing suitability.

The Joint GL already includes language which suffices to cover the matters regulated by these three regimes, namely language on theoretical and practical experience relating to legal requirements and regulatory frameworks, ICT risk management and ICT matters more generally, the ability to present one’s views and discuss strategies and business objectives, and implementing a culture of probing and challenging management body decisions. 

Accordingly, the explicit references to data protection, the AI Act and DORA should either be deleted or reformulated to focus on governance-level understanding and oversight capability rather than compliance with specific regulatory “requirements”. 

Effective management of regulated entities entails management bodies and their individual members exercising executive judgment, supervision and risk management which should not be assessed on the basis of detailed knowledge of selected regulatory regimes as such. 

In addition, introducing explicit references to individual legislative acts raises broader concerns regarding legislative technique. Once guidelines begin to single out particular regulations, this approach inevitably creates pressure to continuously expand and update such lists as new sectoral legislation enters into force (e.g. successive ICT, ESG, AML or sustainability frameworks). Over time, this risks leading to an endless spiral of incremental additions, fragmenting the framework, undermining legal clarity and implicitly prioritising certain regulatory frameworks, which is not supported by Level 1 legislation.

Such considerations, and any emphasis on specific regulatory frameworks, are more effectively dealt with through supervisory review and dialogue, rather than being embedded as specific suitability requirements.

 

Adequate knowledge, skills and experience, para. 70

“When assessing the knowledge and experience of a member of the management body of entities which also issue asset-referenced tokens (ARTs) or provide crypto-asset services (CASPs) according to Regulation (EU) 2023/1114, paragraph 24 of the Guidelines on suitability assessments under Regulation (EU) 2023/1114 should be additionally adhered to with regard to the issuance of tokens or CASP services.”

This sentence should be moved to the end of the paragraph.

Adequate knowledge, skills and experience, para. 70

When assessing the practical and professional experience gained from previous positions, particular consideration should be given to:

g. additional knowledge gained from academical activities.

The newly introduced letter g refers to “additional knowledge gained from academical activities.” We assume this refers to academic or scientific engagement. Given its limited practical relevance, it should be clarified that such experience is only required where applicable, for example by explicitly adding “if applicable.”

 

Collective suitability criteria, para. 77(j)

“j. experience in implementing a culture of probing and challenging MB decision”

Same remark as for para 69(j) above: point 77(j) should be deleted. The requirement lacks clarity, particularly as to its meaning and how such experience is to be evidenced. While the underlying objective is understood, the provision is too vague and should be removed. 

Matters relating to independence of mind should be assessed exclusively within the dedicated section of the Guidelines addressing that concept. 

This would improve legal clarity, avoid unnecessary duplication, and ensure that suitability assessments remain proportionate, operationally feasible and aligned with the structure of the CRD framework.

At a minimum, it should be clarified that “MB” refers to the management board, as the acronym is not defined.

 

Reputation, honesty and integrity, para. 84(d)

“relevant civil lawsuits”

First, a comma is missing following “relevant civil lawsuits”. More importantly, it is unclear why the presumption of innocence is limited to criminal proceedings. Either the previous wording should be retained, or it should be clarified that the initiation of civil or administrative proceedings does not imply wrongdoing. As a rule, such proceedings only rarely call into question a person’s reputation, integrity, or honesty, and this should be adequately reflected in the text.

Reputation, honesty and integrity, para. 86

86. When assessing the good repute of the members of the management body and key function holders and, in particular, where there are reasonable grounds to consider that, especially when there is information on increased ML/TF risks in connection with the entity, competent authorities should consider the following situations and risk factors: […] 

 (a) the sector of current and previous activity of the person. 
 
This assessment should take into account whether the nature of the sector, in combination with the individual’s role and responsibilities, gives rise to an objectively identifiable increased ML/TF risk. 

(b) existing or past business interests and ownership / participations of the person. 
 
Such factors should be considered only insofar as they give rise to substantiated concerns regarding transparency or control that are relevant for the assessment of good repute. 

(c) existing or past close associates, business partnerships or known proxy schemes. 
 
This consideration should be limited to cases where there are concrete and verifiable indications that such relationships are relevant for the individual’s exposure to ML/TF risks. 

(d) existing or past direct or indirect business relations and close family members where such relationships are demonstrably relevant to the assessment of the individual’s good repute and are based on concrete information, taking due account of proportionality, data protection requirements and the presumption of innocence.

(e) existing or past other factors which provide reasonable grounds for suspecting that the person is exposed to an increased risk of ML, TF or other profit-generating financial crimes. The fact that an individual is or was a politically exposed person should, in itself, not be sufficient to draw adverse conclusions, but should be assessed in its proper context together with other relevant factors.

Paragraph 86 is formulated in a highly open-ended and interpretative manner and appears to grant competent authorities very broad discretion in the assessment of good repute. In its current form, the provision raises concerns in terms of good administration, proportionality, data protection and the protection of legitimate expectations in supervisory decision-making.

In particular, paragraph 86 allows the competent authority to take into account a wide range of situations and risk factors without clearly defined thresholds, conditions or limiting criteria. The provision may be applied both in the context of a standard suitability assessment and in circumstances where there is information suggesting increased ML/TF risks in connection with the entity.

As drafted, this enables far-reaching assessments even in the absence of concrete suspicions relating either to the entity or to the individual concerned. This significantly differs from other parts of the Guidelines, where the exercise of supervisory powers is more clearly conditioned on the existence of material or specific concerns. 

This lack of clear safeguards contrasts in particular with paragraph 26, which addresses the competent authority’s ability to assess governance arrangements or individuals where there are concrete suspicions related to money laundering or terrorist financing offences and sets out considerably stricter criteria. 

Similar limiting concepts can be found elsewhere in the Guidelines, for example where reassessments are triggered only “when there are material concerns about the suitability” of a person. Paragraph 86 does not contain comparable qualifiers, such as reasonable grounds for suspicion or clearly demonstrated increased risk, which would appropriately constrain supervisory discretion. 

Moreover, the breadth of paragraph 86 poses challenges from the perspective of individual legal protection. The provision allows consideration of factors such as family relationships, close personal or business relationships, or previous professional activities, without sufficient clarity as to how these concepts are defined or how relevance and causality are to be assessed. There is a risk that innocent candidates could be adversely affected solely on the basis of familial or associative links, without any substantiated indication of personal involvement or wrongdoing. This raises concerns regarding the presumption of innocence and the proportional treatment of individuals. 

In addition, it is unclear how the examination of family relationships or third-party conduct can be reconciled with applicable data protection and privacy requirements, or how candidates would be expected to disclose or substantiate information that may not be publicly available and may be subject to confidentiality or secrecy obligations. Similar concerns arise in relation to the notion of “business relations and close family members”, which is not defined and may be interpreted inconsistently. 

The provision also refers to certain sectors or professional backgrounds as potentially exposing individuals to increased ML/TF risk without sufficiently explaining the regulatory basis for such assumptions. It is unclear on what grounds prior employment or board experience in sectors such as international trade, energy, mining or defense would, in itself, justify an elevated ML/TF risk assessment at individual level. 

Likewise, references to current or former politically exposed person (PEP) status appear to place such status very close to a presumption of suspicion, rather than treating it as one contextual factor within a structured and balanced assessment. 

For these reasons, paragraph 86 would benefit from a more precise and constrained formulation (see redrafting proposal). Clearer conditions for its application, closer alignment with other parts of the Guidelines addressing ML/TF-related concerns, and explicit safeguards for proportionality, legal certainty and individual rights would significantly improve the clarity and robustness of the suitability framework.

 

Reputation, honesty and integrity, para. 86(a)

“Sectors that may be considered as vulnerable …”

The list of business sectors could be aligned with the risk factors set out in the current EBA Guidelines on ML/TF risk factors (§2.4) or with those listed in Annex III of the AMLR Regulation.

Reputation, honesty and integrity, paras. 86(d) and (e)

The description of these factors lacks sufficient precision. Their consideration in isolation (in the absence of the other factors referred to in points (a) to (c)), where no suspicion of money laundering or terrorist financing exists, may give rise to discriminatory outcomes, as individuals could be adversely affected solely on the basis of their links to a high-risk country or their status as politically exposed persons.

 

Reputation, honesty and integrity, para. 87

“key function holder”

Same as the remark made above (under question 1, relating to the Executive summary, 4th paragraph).

 

Independence of mind, para. 91(a)

“i. independently assess and challenge the proposed decisions of other members of the management body and act in an independent manner;”

Point (a) provides that, in order to have independence of mind, a person must in particular be able to independently assess the decisions proposed by the other members of the management body and act independently.

However, we consider that independence of mind cannot be defined by formal independence.

This is of no practical use and is not compatible with cooperative governance.

Independence of mind should not be defined as acting independently, as this could lead to confusion between independence of mind and formal independence, whereas paragraphs 89 and 90 distinguish between these two concepts. The terms “independently” and “and act in an independent manner” should therefore be removed.

CRD requires members of the management body to act with honesty, integrity and independence of mind, but does not define any notion of formal independence. Independence of mind under CRD is clearly conceived as a behavioral suitability requirement, not as a status derived from the absence of relationships or links. Independence of mind cannot be defined by formal independence. 

 

Independence of mind, para. 93(h)

We challenge the addition to the list of situations that may create actual or potential conflicts of interest that should at least be taken into account, namely the case of a former CEO or member of the management body who becomes chair of the management body in its supervisory function or a member of the management body in its supervisory function within three years following the end of their executive duties.

See our comments relating to paragraph 13 above.

 

Independence of mind, paras 93 (h) and 95

h. without prejudice to national law, the former CEO or, where applicable another executive director or former executive director takes on the role of chairperson or as member of the management body in its supervisory function within the same entity within a time period specified in entities’ internal rules of three years after their position of a member of the management body in its management function ended (…)

95. A conflict of interest arising from the role change mentioned in paragraph 93 (h) with regard to being a member of the management body in its supervisory function should be mitigated in line with Section 11 of the EBA guidelines on internal governance. 

CRD VI removes the exemption under which the Chair of the MBSF could serve simultaneously as the CEO within the same institution. The EBA and ESMA have proposed extending regulation in this area to include situations in which the CEO joins the MBSF after completing their term as executive director. 

Neither Directive 2013/36/EU (CRD) nor its amended version under CRD VI (nor national frameworks, e.g. the upcoming revised Finnish Act on Credit Institutions) prohibits a current or former CEO from serving as a member of the management body, including as a non-executive member. On the contrary, both Union and national law explicitly continue to permit duality or sequential roles, subject to suitability and conflict-of-interest assessments.

Against this binding Level 1 framework, the introduction of a mandatory three-year cooling-off period lacks an identifiable legal basis. In any event, a three-year presumption of conflicts of interest for former management board members appears disproportionate. For example, even the strict rules of German stock corporation law are more limited as they provide for a two-year restriction, applicable only to listed companies.

In practice, such a requirement would effectively prohibit what primary Union law and national legislation expressly allow, namely the possibility for the current or former CEO to become a Board member. While we understand that such a transition could create a structural self-review risk, such an approach effectively turns a contextual conflict-of-interest assessment into a rigid exclusion mechanism, rather than allowing the institution to conduct a case-by-case evaluation based on whether any remaining influence or conflicts can in fact be adequately mitigated.

The ESAs’ mechanistic approach would constitute a clear case of gold-plating, all the more so as it would be introduced through Level 3 guidelines, exceeding the ESAs’ mandate.

 Moreover, the proposed cooling-off period cannot be justified on prudential grounds alone, as CRD already provides a comprehensive and sufficiently flexible toolkit to address potential concerns, including: 

  • individual and collective suitability assessments;
  • conflict-of-interest rules;  
  • independence of mind requirements; and
  • supervisory powers to impose case-specific remedies where warranted. 

Imposing a fixed temporal prohibition replaces this case-by-case, risk-based framework with a rigid rule that disregards institutional diversity, national company law models and proportionality considerations. It also runs counter to the principle that guidelines should specify how to apply existing legal requirements, not create new ones.

Finally, this issue has already been raised during the consultation on the EBA Guidelines on internal governance, where similar concerns were expressed regarding over-prescriptiveness and lack of legal anchoring. Reintroducing such a requirement in the suitability Guidelines would therefore duplicate earlier criticised elements, adding unnecessary regulatory complexity and legal uncertainty. 

This requirement lacks objective justification and should be removed. The CRD provides no legal basis for such a measure. By effectively imposing a three-year cooling-off period, the EBA would exceed its mandate under Article 74(3) CRD in conjunction with Article 16(1) of the EBA Regulation, which allows it to address gaps but not to introduce rules beyond the CRD framework.

The new paragraph also provides a de facto cooling-off period of at least three years, during which the CEO cannot be appointed as Chair or member of the Board of Directors. It also introduces specific mitigation measures for hypothetical and abstract conflicts of interest. All of this goes beyond CRD VI.

Therefore, the proposed provisions under paragraph 93(h) of the EBA Guidelines should be deleted.

Alternatively, the proposed paragraph should be amended so that the entity itself is responsible for setting a clear time period for such a de facto cooling-off period when an executive director, at the end of his/her term, takes on the role of Chair or member of the MBSF.

It should also be recalled that having independent members, as referred to in paragraph 80 of the joint ESMA and EBA guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU, and non-independent members in the management body in its supervisory function is considered good practice for all relevant institutions. Paragraph 100 of the proposed guidelines already defines a cooling-off period with respect to a former CEO being considered an independent member of the MBSF. This language is carried over from the current version of these guidelines and is sufficient for the purpose of managing conflicts of interest.

 Paragraph 33 of the EBA (Governance) Guidelines already prescribes that without prejudice to national law, the management body in its supervisory function should include independent members as provided for in Section 9.3 of the joint ESMA and EBA guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU.

 

General comment on formal independence requirements

As a general note, the provisions on independent non-executive members lack a legal basis in CRD VI and should be removed. 

CRD requires independence of mind but no formal independence. Independence of mind is an essential pattern of behaviour. A member who is formally independent cannot automatically be presumed to act with independence of mind.

EBA and ESMA are not mandated to introduce expectations that effectively extend beyond Union law, national law, or state-level regulations. In addition, the formal independence criteria are overly restrictive and conflict with the principles of cooperative governance and with Member State rules on employee representation (e.g. German labour law) and on appointments to supervisory bodies.

Unlike the GL, the CRD does not require a minimum number of independent members within the management body. We insist that the Guidelines should respect the core purpose of cooperative banks, which is to serve members’ interests, and their specific democratic organization, which requires the involvement of only elected members in the management body in its supervisory function and which involves a business relationship (“self-governance”).

The diversity in governance organizations is a factor of resilience for the European financial sector. Formal independence requirements are problematic for cooperative banks, as they conflict with their core purpose of serving members’ interests. Under German cooperative law for example, the principle of self-governance requires supervisory board members to be members of the institution, which inherently involves a business relationship. It should therefore be clarified that such membership and related business relationships—including those within cooperative banking networks—do not preclude classification as an “independent member.”

 

Independent members of the MBMF, para. 98

The term “relevant institutions” has been replaced by the term “all entities”.

The scope of the recommendation to have independent members has been extended to all institutions, with no legal basis.

Why has the scope of this recommendation been extended? We are opposed to that.

Question 5: Are the changes made in Title IV appropriate and sufficiently clear?

No comments.

Question 6: Are the changes made in Title V appropriate and sufficiently clear?

Diversity policy objectives, paras 116-119, 123

Gender balance: It seems that the draft replaces references to “all genders” with “male and female genders”, which is surprising. It also requires setting a gender balance target with no legal basis. 

The requirement to respect gender balance within the management body in its management function should be "mitigated" as proposed:

"The diversity policy of significant entities contributes to ensuring that the management body in its management function and in its supervisory function benefits from an appropriate gender balance."

The requirements set out in paragraphs 117 and 118 raise concerns with regard to their applicability to executive management teams. These requirements do not appear to sufficiently take into account paragraph 147, which explicitly states that institutions should not appoint additional members solely to meet diversity requirements and that competence and suitability requirements must remain the primary consideration. MBMF members are employed under employment contracts, typically of long duration, and cannot be dismissed or newly appointed solely to achieve a numerical gender target. 

Applying quantitative diversity targets to the MBMF could therefore lead either to deviations from fit and proper requirements or to the setting of very low and purely formal targets, which would not appear to be the intended outcome. 

For this reason, the Guidelines should clearly state that any quantitative gender balance targets apply only to the management body in its supervisory function and not to the management body in its management function. 

Furthermore, paragraph 119 appears to be inconsistent with paragraphs 116 and 117. Paragraph 116 applies to non-significant entities and only requires that management bodies include both women and men. Paragraph 117, by contrast, applies exclusively to significant entities. Nevertheless, paragraph 119 states that non-significant entities may deviate from quantitative targets only where their management body has fewer than five members, which seems inconsistent with the preceding paragraphs.

 

Diversity policy objectives, para. 118

“Where significant entities fall short of complying with the target on gender balance within the management body, they should document the reasons why, the measures to be taken and the timeframe for measures to be taken, in order to ensure that an appropriate gender balance within the management body is met.”

We do not see the added value of this paragraph, under which we should document the reasons why we have not met our objective regarding gender balance within the management body, the measures that will be taken, and the timeframe within which these measures should be implemented in order to ensure that the objective is achieved, compared with paragraph 122 which is much broader.

Furthermore, it should be specified in the Guidelines that this recommendation does not introduce any additional obligations for institutions that are already subject to Directive (EU) 2022/2381 (“Women on Boards”), which provides for similar measures.

 

Diversity policy objectives, para. 123

“Where the entity established a nomination committee their composition should, where possible, be gender balanced.”

The recommendation on gender balance is extended to the nomination committee, yet we do not see the required legal basis for EBA to establish such an obligation. While we do not have an issue with the proposed content of gender-balancing the nomination committee, we cannot support the sudden focus on highlighting a new, legally baseless requirement. 

It should also be highlighted that even Article 91 para. 8 CRD VI does not require a mandatory gender balance, therefore implying a total lack of a legal basis to establish an obligation in this regard.

The Directive provides that Member States or competent authorities shall require entities and their nomination committees, where established, to engage a broad set of qualities and competences when recruiting members of the management body and to promote diversity and gender balance at management body level. To that end, institutions are required to have policies promoting diversity at the level of the management body. The Directive does not, however, require nomination committees themselves to fulfil specific quantitative diversity outcomes. 

Imposing quantitative diversity requirements at nomination committee level would not be feasible and would not reflect the allocation of competences under national governance arrangements. 

Generally, the appropriate place for such a requirement would be the EBA GL on Internal Governance, specifically section 5.2 “Composition of Committees”.

Consequently, this provision should be deleted.

Question 7: Are the changes made in Title VI appropriate and sufficiently clear?

Suitability policy, para. 131

“Entities” (2x) and “might”

It is unclear what is expected from entities. This relates to the definition of key function holders and the (general) question whether and how entities are expected to designate additional key function holders other than the heads of the internal control functions and the CFO. Please explain what is expected from entities. 

Question 8: Are the changes made in Title VII appropriate and sufficiently clear?

Common elements for the assessment, para. 151

The number of this paragraph should be moved up to the level of the words “Without prejudice to Article 91(1a)…”, which appear in paragraph 150.

We appreciate that the EBA takes into account exceptional cases concerning the urgent replacement of executive directors, but it would be legitimate for this also to apply to the chair of the management body in its supervisory function and to key function holders.

It appears more realistic to require that the competent authority be informed, rather than consulted, as a consultation requirement could suggest that the institution must wait for the authority’s opinion for completing the suitability assessment of the member of the management body after he has taken up his position. By definition, this paragraph addresses situations where the vacancy could not be anticipated, and the replacement process should therefore not be unnecessarily delayed.

 

Assessment of suitability by entities, paras 160 and 171

Entities should keep up to date the information on the suitability of members of the management body and review it at least annually.

The reporting obligation should be clearly limited to changes that could affect the individual or collective suitability of the management body or key function holders.

Additionally, we criticise the annual frequency of reviewing the documentation on the suitability of board members. This appears duplicative in light of the periodic evaluation of governing bodies and creates additional administrative burden, particularly for smaller institutions that are only required to carry out such evaluations every two years.

For smaller institutions, an annual suitability assessment conducted through a formalized and resource-intensive process seems particularly disproportionate, especially since ad hoc reassessments are already required where specific triggers arise. In addition, the relationship between this general requirement and para. 175 remains unclear, as the latter requires annual reviews only for significant institutions, while allowing a two-year cycle for others. Against this background, the requirement in para. 160 should be removed or, at a minimum, aligned with the frequency of the regular evaluation of governing bodies.

 

Common elements for the assessment, para. 161

“For all entities,…”

Under this paragraph, the RTS on the minimum information to be submitted to the supervisor in the context of an ex-ante assessment request would apply to the assessments of the suitability of all entities.

The EBA cannot rely on the mandate concerning the file relating to ex-ante suitability applications, which was granted to it by Article 91(10) of CRD VI, to frame the content of all suitability applications or all entities.

 

Assessment of the suitability of individual members of the management body, para. 166

166. Entities should document a description of the position for which an assessment was performed, including the role of that position within the institution, the allocated duties, and should specify the results of the suitability assessment in relation to the following criteria: 

d. reputation, honesty and integrity, as assessed in accordance with the provisions on good repute and integrity set out in Title III, Section 8 in these Guidelines;

Paragraph 166 introduces a requirement to document how diversity has been taken into account in the recruitment process. The regulatory basis for this new requirement is not clear.

We are concerned that the amended text goes against the principle of collective responsibility embedded in several Member States’ legal frameworks. 

Moreover, in practice, institutions already record in board minutes how proposed compositions of the management body meet diversity requirements. Whether such documentation would fulfil the new requirement remains uncertain, which introduces legal and practical ambiguity. In principle, the introduction of new and broadly formulated documentation obligations should be avoided where existing practices already address the underlying objective. 

In addition, point (d) under paragraph 166 appears disconnected from its context by introducing explicit AML-related considerations therein, namely: 

reputation, honesty and integrity; including the existence of reasonable grounds to suspect that ML/TF is being or has been committed or attempted or that the risk thereof could be increased

If such reasonable grounds for suspicion existed, the individual concerned would, by definition, not meet the requirement of good repute, honesty and integrity and would therefore not be appointed. Including this element as a separate documentation requirement within the proposed diversity context does not appear to add clarity or proportionality to the assessment framework.

 

Assessment of the collective suitability of the management body, paras 167 and 173(c)

“Entities should also ensure that all material individual roles and duties of the management body are allocated to a member of the management body.”

The demand that entities must ensure that all important individual roles and duties of the management body are assigned to a member of the management body should be deleted as it has no legal basis and goes against some national laws.

This requirement should be deleted. The management body in its supervisory function is a collegiate body with collective responsibility.

Should it be maintained, we are of the view that overall responsibility for the management body as a whole must be possible: 

According to the Guidelines, "entities should also ensure that all material individual roles and duties of the management body are allocated to a member of the management body." 

We understand this requirement to mean that no material role or duty should be left unaddressed within the management body where, under national law, that role or duty is not allocated to an individual. In any case, certain roles and duties are, by their nature, assigned to the management body collectively rather than to an individual member.

To avoid ambiguity, we suggest clarifying the wording to explicitly allow for such cases, for example by adding: “or to the management body as a whole.”

Therefore, we kindly propose the following change: 

“167. When assessing the collective suitability of the management body, entities should assess the composition of the management body in its management and supervisory functions separately. The assessment of collective suitability should provide a comparison between the actual composition of the management body and the management body’s actual adequate collective knowledge, skills and experience, and the required collective suitability pursuant to Article 91(2b) of Directive 2013/36/EU. Entities should also ensure that all material individual roles and duties of the management body are allocated to a member of the management body or to the management body, in its supervisory function or in its management function, as a whole.”

 

Suitability assessment of key function holders by entities, para. 182

“periodically,”

Re-evaluating KFH has not been necessary until now; the overwhelming burden outweighs the benefits, and re-evaluation should be limited to specific instances.

This requirement in CRD VI must be limited to a reasonable frequency and to ICF roles. We therefore call on the EBA to provide clarification on this matter, specifically to state:

  • Periodic re-evaluations impose a high administrative burden and costs on institutions without evidence of added value for stable KFH roles. Provided that KFH regularly attend relevant professional development courses or seminars, or take part in ongoing training, re-evaluation of KFH may be limited to specific cases (significant changes or events that necessitate a reassessment in any case). Furthermore, the ‘internal suitability guidelines’ element from CRD VI (Art 91a para 2) is missing and should be incorporated.
  • Periodic should be understood as “Risk-based”: “Periodic” should be event-driven (e.g. new risks), not calendar-based, to avoid box-ticking and align with the proportionality principle.

 

Consequently, “key function holders” must be replaced with “Internal Control Functions” and the following sentence should be added to the end of para. 182: Periodic in this regard should be “risk-based” and subject to the principle of proportionality rather than calendar-based; however, entities might decide to choose a frequency based on the specifics of the entity (e.g. every 3 years).

Suitability assessment of key function holders by entities, para. 184

“Entities should keep up to date the information on the suitability of members of key function holders and review it at least annually.”

An annual evaluation also for the KFH does not have a legal basis in the CRD and appears too much of a burden. This requirement should likewise be aligned with the standard evaluation cycle applicable to management roles in order to avoid unnecessary administrative burden.

Question 9: Are the changes made in Title VIII appropriate and sufficiently clear?

Competent authorities’ assessment procedures, paras 192, 193

192. Competent authorities should specify the supervisory procedures applicable to the suitability assessment of members of the management body of entities. 

193. Competent authorities should specify the supervisory procedures applicable to the assessment of suitability of heads of internal control functions and the CFO of entities. Where deemed necessary by competent authorities similar procedures should be specified for other key function holders in large entities.

Paragraphs 192 and 193 appear internally inconsistent and potentially confusing as regards the intended scope of supervisory processes. Both paragraphs first state that competent authorities are required to define the supervisory processes applicable to the assessment of members of the management body and key function holders in large entities. However, immediately thereafter, both paragraphs indicate that similar processes should also be applied to entities other than large entities. 

The draft suggests that supervisory authorities should consider introducing, for smaller institutions, supervisory assessment procedures prior to the appointment of board members similar to those applied to large institutions. This would significantly increase administrative burden for smaller, non-systemically important banks and could hinder the timely appointment of qualified candidates to management and supervisory boards. The requirement should therefore be removed.

 

Competent authorities’ assessment procedures, para. 193

"Where deemed necessary (...)" 

The draft further proposes that supervisory authorities consider implementing comparable supervisory assessment procedures for the appointment of key function holders in smaller institutions. This would likewise create substantial additional bureaucracy and could delay the filling of critical positions, particularly in light of demographic challenges. This requirement should also be deleted.

 

Competent authorities’ assessment procedures, para. 194

"and key function holders"

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph)

Procedural requirements, para 199

Any additional disclosure should be in line with Art 87a CRD and Art 435 para 2 CRR:

Everything requested in paragraph 199 should be allowed to be disclosed in line with the well-established disclosure formats set out in Article 87a of Directive 2013/36/EU (CRD) and Article 435(2) of Regulation (EU) No 575/2013 (CRR). For example, by adding a footnote:

“This may be disclosed in accordance with the disclosures under Article 87a CRD and Article 435(2) CRR: ‘

Therefore, we kindly propose the following addition:

Footnote to para 199: “This may be disclosed in accordance with the disclosures under Article 87a of Directive 2013/36/EU and Article 435(2) of Regulation (EU) No 575/2013.”

 

Competent authorities’ assessment procedures, para. 199 d)

“d. time and steps of assessment by the competent authority”

Paragraph 199(d) should be clarified by specifically referring to the maximum period for concluding the suitability assessment and, where applicable, to the circumstances under which this time limit may be extended, as well as to the conditions governing such an extension.

Competent authorities’ assessment procedures, para. 201(a) and (b)

"and where applicable, key function holder" 

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph)

Ex-ante application, para. 202.

To avoid misinterpretation and unintended de facto prior approval practices, we propose adjusting the section title (‘Supervisory considerations on appointments under ex‑post assessment frameworks’) and clarifying that any interactions before appointment are non‑binding, do not constitute prior approval, must not delay appointments, and leave national ex‑post regimes unaffected.

 

Ex-ante application, para. 202.

“…This application should be made without undue delay and as soon as there is a clear intention to appoint a member…”

The request for ex ante suitability concerns only the members of the management body in its management function and the chairman of the board of large entities. The wording of paragraph 202 may imply that there are other members who would be concerned. 

The point should be worded as follows: 

"Competent authorities should require large entities to submit an ex-ante suitability application in accordance with Article 91(1d) of Directive 2013/36/EU. This application should be made without undue delay and as soon as there is a clear intention to appoint a member of the management body in its management function or the chair of the management body in its supervisory function, or based on the appointment decision and in any case before the person takes up their position. It should be submitted at the latest 30 working days before the prospective members take up their position."

Competent authorities’ assessment procedures, para. 201(b) and para. 203

Paragraph 201(b) should be reworded so as to be adapted to Member States that have adopted an ex-post regime. In the last sentence, reference should be made to the date on which the individual takes up their position as the starting point of the two‑week time limit, rather than the date of appointment. Applying the two‑week time limit from the date of the appointment decision would, in effect, amount to applying an ex-ante regime to such appointments. 

The same comment applies to paragraph 203 with regard to the appointment of the heads of internal control functions and the Chief Financial Officer.

 

Competent authorities’ assessment procedures, para. 205

"or a key function holder"

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph).

Paragraph 205 should be reworded on two points in order to be consistent with the CRD VI Directive:

(i) it should include the exception provided for under CRD VI where the institution is unable to submit certain documents or information: “unless the competent authority is satisfied that it is not possible for such information to be provided.”;

(ii) it should be specified that, in such circumstances, the institution must be informed that the competent authority may object to the individual taking up their position in the absence of submission of the requested documents and information. The current wording of this paragraph could give the impression that the decision of the competent authority is final, without any prior formal request or notice being addressed to the institution.

 

Enhanced dialogue, para. 206

“Competent authorities…should start an enhanced dialogue with the entity where material concerns regarding the suitability exist Section 24”.

Furthermore, it should be specified under which circumstances an enhanced dialogue should be initiated. It would appear appropriate for such dialogue to be initiated where the competent authority does not have sufficient information to assess the suitability of the candidate, in particular where the institution has not submitted all the required documents and information (see paragraph 205).

Also, we understand that the supervisor carries out a proper ex-ante assessment, and that this is not merely a provision of information.

 

Competent authorities’ assessment procedures, para. 212

"and the individual suitability"

This seems to be a typo (the phrase should be deleted).

Ex-ante suitability application, para. 217

It should be specified in this paragraph that the competent authority’s concerns regarding the suitability of the candidate may stem from the absence of the requested documents or information.

 

Para 193 (old)

Why was this clause deleted? 

 

Enhanced dialogue, para. 221

“Potential concerns should be raised as a general principle only with the entity”

This paragraph suggests that the institution is not expected to engage with the candidate in order to address the competent authority’s potential concerns in the context of the enhanced dialogue. However, it appears necessary to allow institutions to share such information with the candidate where this is relevant in order to enable institutions to respond as effectively as possible to those concerns.

 

Enhanced dialogue, para. 225

No maximum duration is provided for the enhanced dialogue, which matters all the more because supervisors can prevent members from taking up their positions. A maximum time limit should be set in order to give entities some visibility.

 

Reasonable ground to suspect ML/TF, para. 233

"and where applicable other key function holders" 

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph)

 

Reasonable ground to suspect ML/TF, para. 234

"key function holder" (2x) 

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph)

 

Reasonable ground to suspect ML/TF, para. 234 (c)

“c. the entity has materially changed its business activity or business model in a manner that suggests that its exposure to ML/TF risk has significantly increased, without updating its AML/CFT systems and controls in a commensurate and proportionate way;”

The conduct described constitutes a serious breach by the obliged entity of its AML/CFT obligations. As such, it should fall within the scope of point (b), rather than being presented as a separate category. Indeed, the competent authority responsible for assessing the suitability of members of the management body and key function holders does not have greater access to information concerning such conduct than it would have in relation to other breaches.

 

Reasonable ground to suspect ML/TF, para. 234 (d)

“d. a member of the management body or key function holder is alleged to have facilitated or committed a ML or TF, as defined by Article 1 of the Directive (EU) 2015/849;”

The situation referred to in paragraph (d) does not appear to differ from that described in paragraph (a). If this paragraph is nevertheless maintained as a separate provision, the consideration of allegations should be made conditional upon the existence of sufficiently reliable sources.

 

Reasonable ground to suspect ML/TF, para. 235 (f)

“f. other reliable and trustworthy information sources (e.g. adverse media, investigative journalism, whistleblowing reports)”

The possibility of relying on such sources should be subject to the existence of ongoing proceedings or decisions relating to the facts reported therein.

 

Reasonable ground to suspect ML/TF, para. 236

“In situations where the competent authority becomes aware of one or several ML/TF risk factors, as listed in paragraph 86, the assessment should focus on such ML/TF risk factors would give rise to reasonable grounds to suspect ML/TF or an increased ML/TF risk, in relation to the entity.”

The wording of the first sentence lacks clarity. It is therefore unclear whether the identification by the competent authority of several of the criteria referred to in Article 86 automatically constitutes reasonable grounds for suspicion of ML/TF, or merely indicates the existence of a higher ML/TF risk.

Reasonable ground to suspect ML/TF, para. 237

"key function holder"

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph)

 

Reasonable ground to suspect ML/TF, para. 237

“Where the person themselves committed or attempted ML/TF”

A finding by the competent authority that a member of the management body or a key function holder has committed or attempted money laundering should be considered immediately disqualifying, provided that such conduct has been established by a final judicial decision.

 

Reasonable ground to suspect ML/TF, para. 237

“or the person is, or has become, a designated person under EU sanctions lists”

The link established between designation on an EU sanctions list and unsuitability introduces political considerations into the assessment of suitability.

 

Cooperation between competent authorities, para. 239

"or key function holders"

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph).

Cooperation between competent authorities, para. 240

"or key function holders" 

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph).

Cooperation between competent authorities, para. 242

"or a key function holder" 

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph).

Cooperation between competent authorities, para. 245

"or a key function holder"

Same as the remark made above (under question 1, above relating to the Executive summary, 4th paragraph).

Question 10: Are the changes made in Title IX appropriate and sufficiently clear?

No comments.

Question 11: Are the changes made to Annex 1 and Annex II appropriate and sufficiently clear?

Repeating what is stated above, references to ICT and DORA have been introduced in Annex I under the assessment of governance and risk management. In this context, the inclusion of elements such as threat-led penetration testing appears to go beyond what can reasonably be considered at management body level, given its highly technical and operational nature. If the intention is instead to capture the management body’s competence to oversee, assess and challenge the institution’s approach to cybersecurity risk, this should be stated explicitly in order to avoid misinterpretation.

Question 12: Is the table on scope of application of the Joint Guidelines appropriate and sufficiently clear?

No comments.

Name of the organization

European Association of Cooperative Banks (EACB)