The EBA has consulted on revisions to its internal governance guidelines, incorporating new requirements introduced by the Capital Requirements Directive (CRD6).
Most notably, the consultation paper sets out further detail on upcoming SMCR-style requirements for banks in scope of CRD6 to draw up individual statements of responsibilities for the management body in its management function, senior management and key function holders, and to produce a comprehensive mapping of duties across the organisation.
According to the recitals of CRD6, the rationale is to equip supervisors with new tools to assess the suitability of in-scope individuals, to address instances where responsibilities are overlooked because they do not fall neatly under the remit of a single person, and to strengthen accountability within the most senior levels of banks’ management.
This blog provides an overview of the new requirements, and the steps that banks need to take to implement them effectively. Given the similarity with SMCR, the blog also highlights lessons that EU banks can learn from UK banks’ experience.
Individual statements of responsibility (SoRs)
All members of the management body in its management function, senior managers and key function holders (see below for more details) will need to have a ‘documented statement of roles and duties which clearly sets out their role’. This should be consistent with the mapping of duties.
Mapping of duties
Banks will be required to produce and maintain a comprehensive and accurate mapping of duties across the organisation, aligned with the SoRs described above.
Both the individual statements and the mapping of duties need to be kept up to date on a continuous basis, and available to supervisors on request.
1. Define who is in scope
The first task for banks is to define which individuals are captured by the requirements. The absence of a pre-defined list of individuals makes this more challenging than it is under SMCR or comparable EU member state regimes such as SEAR in Ireland.
The regime captures several layers of management within banks: the management body (in its management and supervisory functions), senior management, and key function holders. The mapping of duties needs to capture all of these layers; however, individual statements are only required for the management body in its management function, senior management and key function holders.
The employees who are formally part of the management body of a bank will generally be well-defined. However, the definitions of ‘senior management’ and ‘key function holders’ are more open to interpretation (which may lead to differences of opinion between banks and their supervisors).
Senior management are employees who exercise executive functions and are responsible for the day-to-day running of the bank, but are accountable to the management body (rather than being part of it).
Key function holders are individuals with significant influence over the direction of the institution, but are not members of the management body (and do not have the broad operational responsibilities of senior management). Examples of key function holders include, but are not limited to, the heads of internal control functions (ICFs), and the CFO (where they are not part of the management body), or heads of important business lines or branches.
Banks should already have in place a risk-based approach to the selection of key function holders, in line with the joint ESMA and EBA guidelines on the assessment of the suitability of members of the management body and key function holders.
In practice, there may be some overlap between the different categories, and certain individuals may be classified differently across banks, depending on the scope of their role.
Despite these ambiguities, banks should be able to produce a long-list of individuals potentially captured by the regime. Given the interplay between the requirements and suitability assessments, firms may be able to use the list of job titles in the ECB’s fit and proper questionnaire as a starting point.
2. Define an inventory of responsibilities that need to be allocated
Banks will need to understand the full universe of responsibilities that need to be discharged in order for the mapping of duties to be ‘comprehensive’, and in order to identify any gaps in their governance arrangements.
Unlike SMCR, there is no prescribed list of responsibilities for banks to allocate.
However, banks can begin to develop an inventory of responsibilities from the broader content of the EBA guidelines, which provide a comprehensive overview of the collective responsibilities of the management body, in both its management and supervisory functions, the roles of the audit, risk and nomination committees, the Chair of the management body, and of ICFs.
For completeness, banks would also need to capture obligations arising from other regulatory and supervisory sources (such as DORA, the EU AI Act or ECB guidelines). Lists of prescribed responsibilities from comparable regimes such as SEAR and SMCR will also be a useful reference, especially in areas where the EBA guidelines do not provide much detail (for example, on the responsibilities of senior management or non-internal control function key function holders).
3. Draw up individual statements
A defined inventory of responsibilities will provide a robust starting point for allocating them to specific individuals in SoRs. Banks will also need to refer to existing internal documents, such as job descriptions or role profiles.
The EBA has provided an optional template for the SoRs. Each statement needs to capture: personal information about the individual in question; what category the individual is in (i.e. management body in its management function, senior manager or key function holder); a description of the individual’s role; expected time commitment; and a list of all of the relevant and applicable duties that the individual is expected to perform as part of their role.
The EBA states that banks need to ensure that the individual statements are ‘concise, logical, but sufficiently detailed to [be] understandable’.
There are lessons that EU banks can learn from the implementation of SMCR, which also includes requirements for banks to draw up SoRs for individual Senior Managers. The FCA’s Feedback Statement on Statements of Responsibilities and Responsibilities Maps included a useful question for banks to ask themselves as they fill out individual statements: ‘Could someone who understands the type of business that you do, but doesn’t know how your firm is organised, understand what the [individual] is accountable for by reading their SoR?’.
While the template itself is relatively straightforward, agreeing what goes in each individual statement is likely to be more challenging. Where this leads to an individual taking on new responsibilities, this will often lead to discussions about remuneration.
Additional clarity on individual responsibilities will make it easier for supervisors to pinpoint exactly who is responsible in the event that things go wrong – not least given the ECB’s recommendation, in its draft guide on governance and risk culture, that banks allocate responsibility for the remediation and follow-up of audit and supervisory findings and measures in individual statements.
According to the EBA’s draft guidelines, individuals are deemed to have failed to fulfil their duties if an issue arises within their area of responsibility, and they have not taken all reasonably expected actions to prevent its occurrence or to mitigate its continuation once brought to their attention.
Exactly what constitutes ‘reasonably expected actions’ is not clarified in the guidelines, but the potential consequences for failure are severe. In addition to fitness and propriety consequences, CRD6 Article 65(2) gives supervisors new powers to apply Periodic Penalty Payments and other administrative penalties directly to individuals in scope of the regime. The maximum individual penalty available is significant: EUR 50k per day for up to six months.
Banks will need to think carefully about the practical activities that in-scope individuals need to undertake to demonstrate that they are discharging their responsibilities. This could include the MI flows, the committees they attend and delegation to team members.
4. Build the responsibility map
There is no template for the mapping of duties in the draft guidance. The EBA has instead taken a more principles-based approach, with banks having the flexibility to present the mapping of duties ‘in the way they see fit, as long as the general principles are followed’.
What is clear is that the level of detail required is high, and more complex than a simple aggregation of banks’ individual statements of responsibilities.
Banks will also need to capture details of the reporting lines and ‘lines of responsibility’, implying that the mapping will also need to include details of relevant committees, escalation paths, delegations, supporting functions and control layers.
The scope of the guidelines will compound the scale of the exercise for banks with a complex legal entity structure. The requirements apply at the individual, sub-consolidated and consolidated basis, and each banking entity within a group is required to produce a mapping of duties. This includes entities established in third countries, where they are included in the prudential scope of consolidation (as long as applying the guidelines would not be ‘unlawful’ under the laws of the third country). The consolidating entity is also responsible for drawing up a mapping of duties at the consolidated level.
We expect that the mapping of duties will be a complex and time-consuming exercise for many banks, in particular where certain duties traverse different business lines. Existing internal documents (such as organisation charts) will be a helpful reference, but in practice they will often lack the specificity required. Moreover, the shift from an internal-facing document to one that must satisfy external regulatory scrutiny will require precision and robust governance.
Some firms operating in the UK will already have experience of implementing a similar requirement: ‘enhanced’ firms under the SMCR are required to produce a Responsibilities Map. As is the case with SoRs, UK regulators’ feedback (while not directly applicable) can provide banks with a useful steer on how to meet the EBA’s requirements. For example, the FCA’s 2019 feedback statement includes detailed examples of what a Responsibilities Map should look like for an enhanced firm within a global banking group.
5. Approve, maintain and embed
According to the guidelines, while the drafting and detailed work on the mapping of duties may occur at a lower level, the mapping must be signed off by the management body. Banks will need to ensure they include sufficient time for rigorous management body review and challenge in their implementation plans.
The work banks will need to do extends well beyond the initial set-up. Banks will need to have appropriate processes and mechanisms to ensure they meet the requirements continuously across the group, and are able to provide the relevant information to supervisors upon request. Banks will need to establish processes for both periodic and ad-hoc updates to both SoRs and the mapping of duties.
Human Resources teams will play a key role in embedding the requirements within banks – including through alignment of contracts and job descriptions with the new requirements, and embedding individually allocated responsibilities into performance reviews and remuneration frameworks. Internal audit and compliance functions will also have an important role to play in the regular testing, ongoing monitoring, gap analysis and remediation that banks will need to do to embed the guidelines effectively.
The guidelines do not set out a clear implementation deadline. CRD6 is due to be transposed by 10 January 2026 – meaning that the requirements will apply from 11 January, assuming Member States meet the deadline.
However, NCAs may not insist on full compliance before the EBA’s guidelines are finalised. Other supervisory publications that are underpinned by the EBA guidelines (such as the ECB’s guide on governance and risk culture) also look set to be delayed until the EBA’s guidelines are finalised.
According to the EBA’s latest work programme, it plans to finalise the guidelines in Q3 2026. This suggests that banks should be working towards fully aligning with the guidelines by mid-to-late 2026. This is a tight timetable, given the scope of the requirements.
Banks should engage with their supervisors at an early stage to ensure that they have a clear view on when they will be expected to produce fully finalised and approved individual statements and the mapping of duties.
Given the continued supervisory focus on the effectiveness of banks’ governance arrangements (the internal governance and risk management module of the SREP has long been a key driver of low SREP scores in the SSM), we expect supervisors to set a high bar for compliance.
Moreover, as the requirements are enshrined in CRD6, our baseline assumption is that the substance of the EBA’s guidelines will not change significantly in the consultation phase.
Banks already have enough information to get started on the individual SoRs, and assess the gap between current practices and the new mapping requirements.
SMCR implementation in the UK often turned into a long-running implementation programme, more analogous to a full-scale transformation than a box-ticking exercise. Banks that take a proactive approach, with senior-level buy-in from an early stage, will be best placed to meet the high bar that supervisors will set.