Response to consultation on draft Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders
Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?
With regard to subject matter, scope and definitions, we recommend clarifying that:
- Key function holders may be outsourced or provided through professional GRC firms, provided that the individual designated as KFH meets the suitability criteria and the firm maintains adequate governance, resources, and oversight mechanisms.
- The definition of “key function holder” should explicitly include individuals operating within external professional service firms.
This clarification would align the Guidelines with market practice and the outsourcing frameworks under CRD, MiFID II, and EBA Guidelines on Outsourcing Arrangements.
Question 2: Are the changes made in Title II appropriate and sufficiently clear?
We support the enhanced clarity on suitability assessments. However, we propose adding that when a KFH operates within a GRC firm, the assessment should consider both the individual’s suitability and the firm’s organisational capacity, including its internal governance, quality assurance, and resource allocation.
This ensures proportionality and recognises the team‑based delivery model. Suitability assessments should consider both the individual’s competence and the organisational capacity of the GRC firm supporting the role.
This reflects established market practice and aligns with the proportionality principle.
Question 3: Do you have any views on the provisions regarding these independence criteria? Please explain any aspects that may influence the effectiveness, clarity, or implementation of these independence criteria across different business models/types of institutions.
We welcome the emphasis on independence of mind and the safeguards intended to ensure objective oversight. However, we believe the Guidelines should more fully reflect the diverse ways in which independence is achieved in practice, both through:
- Professional GRC firms, and
- Individuals acting in their personal capacity as independent non‑executive directors (INEDs).
Independent Individuals Acting in Their Own Capacity
While GRC firms provide structural independence, individual INEDs remain a cornerstone of effective governance. Many such individuals bring decades of sectoral experience, cross‑industry knowledge, professional judgement developed through varied roles, and independence rooted in personal reputation and ethical standards.
It is therefore important that the Guidelines do not inadvertently discourage or economically disincentivise individuals from taking up INED roles.
Economic and Professional Development Considerations
Excessively restrictive expectations, such as rigid limits on the number of roles, prescriptive minimum hours, or overly granular expectations of involvement, may have unintended consequences.
Individuals may be discouraged from investing in their own development, including in emerging areas such as ICT, AI, cyber risk, ESG, or digital operational resilience.
The pool of qualified INEDs may shrink, particularly in smaller Member States or specialised sectors.
The cost of governance may rise disproportionately, affecting smaller or start‑up entities most acutely.
A balanced approach is therefore essential.
The Fine Line Between Effective Supervision and Micro‑Management
The Guidelines should explicitly recognise that independence of mind does not equate to continuous operational involvement.
If expectations on time commitment or documentation become too onerous, there is a real risk that INEDs drift into micro‑management, undermining the distinction between supervisory and executive functions, and that boards become operationally entangled, contrary to good governance principles.
This risk is particularly acute in areas such as ICT and AI, where the Guidelines rightly expect board‑level understanding, but where supervisory oversight must remain strategic rather than operational.
Risk of Boards Becoming Compliance‑Driven at the Expense of Strategy
If regulatory expectations, explicit or perceived, require excessively detailed minutes, exhaustive documentation of every challenge raised, or continuous demonstration of “visible” independence, boards may become compliance‑oriented rather than strategy‑oriented, overly focused on documenting challenge rather than exercising judgement, and potentially less effective in guiding long‑term business development.
This is not aligned with the purpose of the management body under CRD/MiFID II, which includes setting strategy, ensuring sustainability, and overseeing risk, not merely satisfying procedural expectations.
Risk of Performative Behaviour by INEDs
If the regulatory environment implicitly rewards “visible challenge”, INEDs may feel compelled to be unnecessarily vocal, raise points for the sake of documentation, or adopt adversarial positions to demonstrate independence.
This can distort board dynamics and undermine constructive, trust‑based governance.
Recommendation
We recommend that the Guidelines explicitly acknowledge that:
- Independence of mind is demonstrated through judgement, objectivity, and freedom from undue influence, not through volume of interventions or hours spent.
- Both GRC‑firm‑based KFHs and individual INEDs contribute meaningfully to independence, albeit through different mechanisms.
- Proportionality must apply not only to entities but also to individuals, to avoid discouraging participation in governance roles.
As an industry organisation, IFSP has had the opportunity to discuss its members’ experiences related to the effectiveness, clarity, or implementation of these independence criteria across different business models/types of institutions in Malta. The points outlined above highlight these experiences from a high level, but ensuring proportionality remains a key consideration. It is important that the right balance is achieved between strategic direction and supervision, both at an entity level and at the level of the competent authorities, so as to ensure that creativity and business growth are not stifled due to disproportionate or ineffective control mechanisms.
Question 4: Are the changes made in Title III appropriate and sufficiently clear?
See above
Question 5: Are the changes made in Title IV appropriate and sufficiently clear?
GRC firms typically maintain structured training programmes for their staff, including KFHs. Such firm‑level training programmes should be recognised as satisfying the requirement for ongoing training and induction.
Question 6: Are the changes made in Title V appropriate and sufficiently clear?
GRC firms contribute positively to diversity by developing broad talent pipelines and mentoring junior professionals who may later transition into in‑house roles. This strengthens the overall governance ecosystem and should be recognised as a positive contribution.
Question 7: Are the changes made in Title VI appropriate and sufficiently clear?
Where key functions are outsourced, the entity’s suitability policy should explicitly reference the governance and quality‑assurance frameworks of the GRC firm and the firm’s internal controls, escalation processes, and resource allocation mechanisms.
Competent authorities should accept documentation provided by GRC firms as part of suitability assessments.
Question 8: Are the changes made in Title VII appropriate and sufficiently clear?
Entities should be permitted to rely on internal suitability assessments conducted by GRC firms, and firm‑level documentation supporting the competence and capacity of the KFH.
This approach supports proportionality and reduces duplication.
Question 9: Are the changes made in Title VIII appropriate and sufficiently clear?
Competent authorities should consider:
- the track record and organisational capacity of the GRC firm
- the firm’s governance, quality assurance, and resource model
- the structural independence provided by the GRC‑firm model
This ensures a consistent and proportionate supervisory approach.