Financial Regulation

The EBA’s draft RTS on qualifying holding procedures – harmonisation and comprehensive screening

The European Banking Authority (“EBA”) has launched a public consultation on draft regulatory technical standards (“RTS”) regarding the documents and information to be provided by proposed acquirers in qualifying holding procedures (“QHPs”). The preparation of the draft RTS is based on EBA’s mandate under Art. 23 para. 6 Credit Requirements Directive 6 (“CRD VI”) to develop common document requirements for QHPs related to CRR credit institutions. Upon finalisation and review by the European Commission (“Commission”), the RTS will be adopted by the Commission as a binding delegated regulation.

Context

The draft RTS fit into the efforts at EU level to further harmonise QHPs in relation to regulated entities. In July 2017, the Commission adopted Delegated Regulation (EU) 2017/1946 to harmonise the list of required documents and information to be provided by proposed acquirers of investment firms (regulated in Germany under the German Securities Institution Act (Wertpapierhandelsgesetz, “WpIG”)). In Germany, Delegated Regulation (EU) 2017/1946 has been accompanied by the Ownership Control Ordinance for Securities Institutions (Wertpapierinstituts-Inhaberkontrollverordnung,WpI-InhKontrollV”).

The draft RTS now aim to harmonise the documents and information required for QHPs where a proposed acquirer intends to acquire a qualifying holding in a (significant or less significant) CRR credit institution. In this respect, the delegated regulation will replace the German Ownership Control Ordinance (Inhaberkontrollverordnung, “InhKontrollV”), including the amendments to the InhKontrollV proposed by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) to enhance the efficiency of QHPs (in particular by the exemption for proposed acquirers acting as intermediaries in the holding chain). Please see in this regard our article on the draft InhKontrollV.

However, the InhKontrollV will remain applicable with regard to QHPs in relation to the acquisition of financial service institutions, payment and e-money institutions as well as insurance companies. In this respect, it is likely that the InhKontrollV will be streamlined to accommodate the harmonisation efforts by the draft RTS.

What is new under EBA’s draft RTS (compared to the draft InhKontrollV)?

Requirements related to anti-money laundering (“AML”)

AML considerations are central to the information requirements under the draft RTS, generally reflecting reinforced commitments of regulatory authorities to preventing the use of the financial system for money laundering or terrorist financing (“ML/TF”) (see in this regard also our article on BaFin’s strategic objectives for 2026 to 2029). In this respect, the draft RTS envisage:

  • Disclosures of AML policies: Where the proposed acquirer is an obliged entity under Article 2 of Directive (EU) 2015/849 (“AML Directive”), it is required to provide details of its AML and counter-terrorist financing (“CFT”) policies and procedures, including on-going investigation related to AML/CFT issues.
  • Origin and legitimacy of funds: The proposed acquirer must submit a detailed explanation of the sources of funding for the acquisition, including supporting documents such as financial statements, bank statements, and tax statements.
  • Details of asset sales and borrowed funds: If assets are to be sold to finance the proposed acquisition, details of the sale (including conditions, price, and acquisition history) must be provided. If borrowed funds are used, the proposed acquirer must disclose the lender’s identity, the financing contract, the structure and location of the debt, repayment plans, and any refinancing intentions. Where the lender is not a regulated credit or financial institution, comprehensive information on the lender’s activity, legal form, and source of funds is required.
  • Tracing of crypto-assets: If crypto-assets are used, the proposed acquirer must provide information to trace the transfer of such assets, in line with Regulation (EU) 2023/1113, irrespective of whether the transfer is executed via credit institutions or payment institutions or any other network used.
  • Group structure and AML impact: Where the proposed acquirer is part of a group, an analysis of the impact of the acquisition on the group’s consolidated supervision perimeter and the ability of the target institution to comply with AML/CFT requirements must be provided.
  • Assessment of AML risks in the business plan: For acquisitions resulting in significant influence or control, the business plan must include an assessment of inherent AML/CTF risks and outline any actions to ensure compliance with the AML/CFT framework, including remedies for any deficiencies.

Information technology (“IT”) and cybersecurity

The draft RTS recognise the growing importance of IT, cybersecurity, and digital innovation in the financial sector. Therefore, expanded information requirements under the draft RTS include:

  • Professional experience/knowledge in IT and digital innovation: CVs of proposed acquirers that are natural persons as well as of management body members of proposed acquirers that are legal persons must highlight experience IT, cybersecurity, digital innovation, and (where relevant) crypto-assets and distributed ledger technology (“DLT”).
  • IT and technology architecture in the business plan: Where the proposed acquisition results in control or significant influence, the business plan must describe the impact on the target institution’s IT and technology architecture, including:
    - changes to administrative and accounting procedures, internal controls, and risk management systems;
    - details of IT systems, software (in-house and external), data flowcharts, and security procedures (including back-up, business continuity, and audit trails);
    - policies on third-party IT service providers (i.e. outsourcings), especially for critical or important functions, including selection criteria, contractual arrangements, and quality of service expectations; and
    - data aggregation capabilities in the new organisational structure.
  • ICT and cybersecurity risks: The business plan must assess operational, ICT, and cybersecurity risks, and describe measures to mitigate these risks, especially in the context of digital operational resilience (as per Regulation (EU) 2022/2554 (“DORA”)).

Trusts and similar legal structures

Where the proposed acquirer is a trust or similar structure, the draft RTS envisage specific and detailed information requirements to ensure transparency and effective supervision. In this respect, the draft RTS go beyond the requirements of the draft InhKontrollV and require information in relation to trusts, including:

  • Identification of key individuals: The trust must provide the identity of all trustees, persons managing assets, settlors, beneficiaries, and protectors (if applicable), including personal details, contact information, official identity documents, and detailed CVs.
  • Trust documentation: A copy of the trust deed or equivalent document establishing and governing the trust must be submitted.
  • Legal and business description: The trust must describe its main legal features, functioning, business activity, and the type and value of trust property.
  • Investment policy: A description of the trust’s investment policy, any restrictions, factors influencing investment decisions, and exit strategies must be provided.
  • AML and financial soundness: The method of financing the trust and the resources ensuring its financial soundness to support the target institution must be disclosed, with a focus on the origin and legitimacy of funds (see above).
  • Conflict of interest and relationships: Information on financial and non-financial interests or relationships with the target institution, its shareholders, or management must be provided, along with proposed methods for managing any conflicts of interest.

Requirements for Alternative Investment Funds (“AIFs”) and Undertakings for Collective Investment in Transferable Securities (“UCITS”)

Special provisions apply to AIFs and UCITS, reflecting their structures and regulatory frameworks. In this respect, AIFs, UCITS, or their management companies must provide:
- details of the investment policy, restrictions, factors influencing investment decisions, and exit strategies;
- the identification and background of individuals or committees responsible for investment decisions, including personal details, CVs, and professional experience (with a focus on financial services, IT, and digital assets);
- copies of contracts in case of delegation of portfolio management; and
- a description of the performance of qualifying holdings previously acquired in EU supervised entities over the last three years.

Business plan and strategic intentions

The level of detail required in the business plan depends on the size of the qualifying holding and the degree of influence to be exercised:

  • Qualifying holdings up to 20%: The proposed acquirer must submit a document outlining the strategy for the acquisition (strategic or portfolio investment), intended holding period, intentions regarding active minority shareholder status, and willingness to provide additional funds if needed.
  • Qualifying holdings of 20% to 50%: In addition to the above, the proposed acquirer must provide details on the intended influence over the target’s financial position (including dividend policy), strategic development, resource allocation, and medium-term financial goals.
  • Qualifying holdings of 50% or more / control: A comprehensive three-year business plan (reflecting a base case and a stress scenario) is required, including:
    - integration plan for the target institution within the proposed acquirer’s group, if applicable;
    - assessment of financial and non-financial risks, including credit, market, liquidity, operational, ICT, cyber, third-party, ML/TF, and ESG risks;
    - impact on corporate governance, organisational structure, internal controls, IT systems, and compliance with AML/CFT and other regulatory requirements;
    - outline of any necessary updates to the recovery plan 
    - due diligence reports on the target institution (where available); and
    - internal approval documents for the acquisition, such as minutes of the decision-making body.
  • The RTS do not reflect the fact that the target’s recovery plan is generally not disclosed as part of the due diligence as it is typically treated as highly confidential. Hence, it remains to be seen how proposed acquirers can get their hands on the recovery plan before the acquisition.

Conclusion

The draft RTS set out a detailed and comprehensive framework for the documents and information to be provided by proposed acquirers in QHPs. They have a particular focus on AML compliance, transparency of funding sources, IT and digital innovation risks, the specificities of trust structures, and the requirement for a forward-looking, risk-sensitive business plan. These measures are intended to ensure the sound and prudent management of a CRR credit institution and to safeguard the integrity of the financial system.

However, the draft RTS also include document requirements which may be subject to discussions in acquisition transaction due to the sensitivity of the documents, such as the requirement to outline any necessary updates to the recovery plan or to provide due diligence reports on the target institution). Such requirements will need to be included in a proposed acquirer’s considerations as to which extent a due diligence is reasonable.

As part of the consultation process, a public hearing will take place via conference call on 15 July 2025. The consultation period ends on 18 September 2025.

Forward
Keep in Touch

Keep in Touch
Gleiss Lutz keeps you informed

We would be pleased to add you to our mailing list so that we can keep you informed about current legal developments and events.

Subscribe now