EBA Moves to Redraw the Rulebook on Bank Governance

Key Takeaways
  • Consultation Timeline: The EBA is accepting comments on the revised Guidelines on internal governance until 5 October 2025, with a virtual public hearing scheduled for 5 September.
  • CRD VI Alignment: Updates incorporate new CRD VI requirements, including documented role statements for all management body members, senior managers, and key function holders, plus a formal mapping of responsibilities.
  • Third-Country Branches: Stronger governance expectations for EU branches of third-country institutions, including independent internal control functions and clear organizational structures.
  • DORA and ICT Risk: Governance requirements now align with the Digital Operational Resilience Act, mandating proportionate ICT risk management using the “three lines of defense” model.
  • Culture and Accountability: Emphasis on fostering a strong risk culture, managing conflicts of interest, and embedding diversity, gender balance, and ESG risk oversight into governance practices.
Deep Dive

The European Banking Authority (EBA) has recently launched a consultation on proposed updates to its Guidelines on internal governance under the Capital Requirements Directive (CRD), aiming to bring them in step with recent legislative changes and supervisory priorities. The consultation, open until 5 October 2025, focuses on targeted amendments and invites feedback from across the financial sector.

The revisions align the Guidelines with CRD VI and the Digital Operational Resilience Act (DORA), while also reflecting findings from the EBA’s benchmarking report on diversity and gender-neutral remuneration policies. Lessons from supervisory practice across the EU have been built in, ensuring the updates are informed by both policy and real-world oversight experience.

Clearer roles and stronger oversight
A major change under CRD VI is the requirement for each member of the management body, senior manager, and key function holder to have a documented statement of their role and duties. Institutions will also need a detailed mapping of responsibilities to ensure accountability is transparent.

Third-country branches operating in the EU face more explicit governance expectations, including robust organizational structures, transparent lines of responsibility, and independent internal control functions.

The Guidelines also strengthen commitments to gender balance, diversity, and inclusion, recognizing these as essential to sound governance. ESG risks are given a more defined place in risk management frameworks, ensuring they are considered alongside other strategic and operational risks.

Integration with digital resilience standards
With ICT risks rising, the revised Guidelines align closely with DORA, requiring proportionate ICT risk management built around the “three lines of defense” model: business and IT units that own and manage the risk as the first line, an independent risk management and compliance function as the second, and internal audit as the third. The aim is that technology-related risks are governed with the same rigour as other core banking risks.

The updates also maintain consistency with existing EBA guidance on third-party risk management, ESG oversight, remuneration policies, and the Supervisory Review and Evaluation Process (SREP).

Building a culture of governance
The framework reinforces the management body’s responsibility to set risk strategy, define risk appetite, and ensure effective oversight. Institutions will be expected to maintain conflict-of-interest policies, robust whistleblowing procedures, and controls for transactions involving management body members or related parties.

Together, these changes are designed to raise governance standards, improve supervisory oversight, and strengthen risk control, ensuring that governance arrangements are both clearly defined and actively embedded across the EU banking sector.
