Financial Regulation

The EBA publishes draft guidelines on internal governance for consultation

The European Banking Authority (“EBA”) has published revised draft guidelines on internal governance under Directive 2013/36/EU (“CRD”) (“Draft Guidelines”), reflecting regulatory and supervisory developments since the previous version of July 2021 (EBA/GL/2021/05). The revisions are designed to further harmonize internal governance arrangements, processes, and mechanisms across EU financial institutions and third-country branches (“TCBs”), in line with amendments introduced by Directive (EU) 2024/1619 (“CRD VI”) and other recent legislative acts (in particular the Digital Operational Resilience Act, “DORA”). The Draft Guidelines also address lessons learned from supervisory practices, the increasing importance of environmental, social, and governance (“ESG”) risks, digitalization, and the need for robust risk management and internal controls. They also incorporate findings from the EBA’s benchmarking of diversity practices and gender-neutral remuneration policies.

Overall, the revisions envisaged by the EBA are extensive, addressing in particular (i) the role and composition of management bodies, (ii) TCB governance, (iii) third-party risk management, (iv) corporate values, (v) internal control functions, and (vi) business continuity management.

I. Scope of application / addressees

The Draft Guidelines clarify and expand their scope of application. They are addressed to competent authorities, financial institutions (including credit institutions and investment firms subject to the CRD), and now also financial holding companies and mixed financial holding companies approved under Article 21a(1) CRD.

Another key addition is the explicit application of the Draft Guidelines to TCBs, with provisions tailored to their specific governance challenges and the risks they pose to EU financial stability and market integrity.

However, as the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) has not implemented the EBA’s Guidelines on internal governance (due to its Circular on Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, “MaRisk”)), the Draft Guidelines are relevant in particular for significant CRR credit institutions directly supervised by the European Central Bank (“ECB”). In this respect, the amendments proposed in the EBA’s Draft Guidelines generally correspond with the expectations of the ECB as set out in its Draft Guide on governance and risk culture published in July 2024 (the ECB has not released a final version yet).

II. Strengthened role and composition of the management body


1. Role and responsibilities of the management body

The Draft Guidelines reinforce the ultimate and overall responsibility of the management body for governance arrangements, as set out in Article 88(1) CRD. The management body must define, oversee, and be accountable for the implementation of effective and prudent management, including risk management, internal controls, and compliance with regulatory requirements.

The revisions require a clear distinction between the management (executive) and supervisory (non-executive) functions, with written documentation of responsibilities and duties. Institutions must draw up, maintain, and update individual statements of roles and duties for all members of the management body in its management function, senior management, and key function holders, as well as a comprehensive mapping of duties. This mapping must detail reporting lines, lines of responsibility, and the allocation of duties, and be kept up to date and available to competent authorities upon request.

Such a mapping requirement is not explicitly envisaged by MaRisk; however, it has become regular practice for BaFin to request a clear description of the roles and responsibilities at management board level.

The management body’s responsibilities are expanded to include setting and overseeing the implementation of:

  • an adequate and effective internal governance and internal control framework which includes (i) effective processes to identify, manage, monitor and report ESG risks in the short, medium and long term and concentration risk arising from exposures towards central counterparties, as well as (ii) network and information systems that are set up and managed in accordance with DORA;
  • a corporate culture and values that foster diversity and inclusion (as such not yet explicitly reflected by MaRisk); and
  • specific plans and quantifiable targets to monitor and address the concentration risk arising from exposures towards systemic central counterparties.

The Draft Guidelines now explicitly require institutions to take into account not only the impact of ESG risks on the traditional categories of financial and non-financial risks, but also the materialization of legal risks in the context of third-party arrangements, e.g. due to shortcomings in the area of fundamental rights violations.

2. Committees of the management body in its supervisory function

Significant institutions are required to establish a risk, nomination, remuneration and audit committee under the EBA’s current Guidelines on internal governance. The Draft Guidelines specify the requirements for the members of the remuneration committee, who need to have, individually and collectively, appropriate knowledge, skills and experience to assess the impact of ESG factors on, and the consistency of, the institution’s risk appetite regarding ESG risks, taking into account the assessment of the risk committee.

Further, the Draft Guidelines require the risk committee to oversee the implementation of the strategies for relevant risks, now also referring to fundamental rights, discrimination and information and communication technologies (“ICT”) risks.

III. Internal governance arrangements of TCBs

The Draft Guidelines introduce a dedicated section on TCBs, reflecting new requirements under Article 48g CRD. TCBs must implement robust and sound governance frameworks, generally in the same way as institutions, but taking into account proportionality and specificities.

Key requirements include:

  • At least two persons located in the relevant Member State must effectively direct the business, with the same duties and responsibilities as members of the management body in its management function.
  • The persons effectively directing the business of a TCB must be sufficiently present in the Member State, able to commit sufficient time, and avoid conflicts of interest arising from equivalent roles in the head office or other group entities; further, they are required to possess good repute and sufficient knowledge, skills and experience to perform their duties (the same applies to key function holders, including the heads of the internal control functions).
  • Heads of internal control functions (risk management, compliance, audit) in class 1 TCBs (and class 2 if required) must not be removed without prior approval of the head office’s supervisory function.
  • TCBs must maintain sufficient substance and not become “empty shells” or “letter-box entities”, even when using third-party arrangements or back-to-back booking arrangements with the head office.
  • ICT risks must be managed in accordance with DORA, with documentation and registers for third-party arrangements.
  • Back-to-back booking arrangements must not result in systematic or substantial risk being managed outside the EU; associated business is expected to be run in the respective EU Member State.
  • Remuneration policies must comply with gender-neutral principles and be consistent with the TCB’s risk appetite regarding ESG risks.

Once the TCB regime under CRD VI has been transposed into German law, one may also expect revisions to BaFin’s MaRisk in this regard.

IV. Third-party risk management policy

The Draft Guidelines now require the management body to approve, regularly review, and update a third-party risk management policy (formerly “outsourcing policy”), in line with Article 28(12) DORA. Generally, ICT third-party services under DORA are broader than the term “outsourcing” and include all contractual arrangements for the use of ICT services to run the business operations of a financial entity (see Article 29(1)(a) DORA).

The third-party risk management policy must address the impact of third-party arrangements (including outsourcing and subcontracting) on the institution’s business and risk profile, now also covering any ICT risks. It needs to make clear that third-party arrangements do not relieve the institution of its legal and regulatory obligations, and it must be consistent with all other legislative and regulatory requirements to which the institution is subject.

V. Risk culture and corporate values

Institutions are required to develop an integrated and institution-wide risk culture. In this respect, the Draft Guidelines emphasize the need for a culture of equality, diversity and inclusion and the prevention of discrimination and harassment (as such not yet explicitly reflected by MaRisk). Further, they specify the indicators to be used to monitor the development of the representation and equal treatment of staff of different genders, and require institutions to take the results of this monitoring into account in their approach to managing staff. Such indicators include the representation of genders at different management levels, age distribution by gender (in particular for managerial positions) and the ratio of full-time to part-time positions per gender.

For the prevention and management of conflicts of interest, the Draft Guidelines rule out the simultaneous exercise of the roles of chair of the management body in its supervisory function and CEO within the same institution, and restrict cross-group directorships that may create oversight conflicts. If a CEO becomes a non-executive member (including chair) without a three-year cooling-off period, institutions must implement safeguards, such as abstention from discussions or votes on matters where significant professional conflicts of interest may arise.

VI. Internal control / risk management / compliance

The Draft Guidelines expand the requirements for internal control functions. First, they emphasize that internal control functions must be independent of operational functions, senior management, and members of the management board, by having sufficient authority, stature, and direct access to the management body in its supervisory function. Second, while the EBA’s current Guidelines on internal governance already allow the risk management function and the compliance function to be combined, the Draft Guidelines specify that this may only be the case under another senior person, provided there is no conflict of interest and the nature, scale, and complexity of the institution’s activities justify it.

As another key revision by the Draft Guidelines, the risk management function (“RMF”) needs to be headed by a senior manager with sufficient expertise, independence and seniority.

Further, the compliance function is to be reinforced with the explicit task of ensuring that the institution’s risk strategy and all material management decisions take into account legal risk stemming from non-compliance events. The Draft Guidelines also require an independent senior manager as head of the compliance function. The option to combine the role of head of compliance with that of head of the RMF will be deleted.

In terms of the internal audit function (“IAF”), the Draft Guidelines now only require the IAF to be independent of the audited activities, and no longer exclude its combination with other functions.

VII. Business continuity management

The Draft Guidelines require institutions to establish sound business continuity management, now explicitly including a continuity policy as well as response and recovery plans to ensure ongoing operations and limit losses in the event of severe disruption. Business continuity management must be consistent with DORA in relation to ICT risks, and may include a specific independent function (i.e. the ICT crisis management function) or be part of the RMF.

The business continuity, contingency, response and recovery plans must be documented, implemented, tested, and regularly updated, with results reported to the management body. They are also subject to internal audit review. Training and awareness are required to ensure operational resilience.

VIII. Conclusions

The Draft Guidelines on internal governance represent a comprehensive update to the EBA’s expectations for governance arrangements in EU financial institutions and TCBs. The revisions reflect evolving regulatory requirements, with a strong emphasis on risk management, internal controls, diversity, ESG risks, and operational resilience.

Significant institutions directly supervised by the ECB are advised to review and update their governance arrangements in line with these strengthened requirements, while it remains to be seen whether, and to what extent, BaFin will reflect the Draft Guidelines in its next MaRisk revision.

Comments on the Draft Guidelines can be submitted by 7 November 2025.
