
Consultation on EBA guidelines on internal governance (EBA/CP/2025/20)

On August 7, 2025, the European Banking Authority (EBA) launched a consultation (EBA/CP/2025/20) on its revised guidelines on internal governance (current version EBA/GL/2021/05) in accordance with the Capital Requirements Directive (CRD). The proposed changes reflect the changes in the CRD framework and other relevant legislation, such as the Digital Operational Resilience Act (DORA).


The EBA guidelines on internal governance (EBA/CP/2025/20)

On August 7, 2025, the European Banking Authority (EBA) launched a consultation (EBA/CP/2025/20)[1] on its revised guidelines on internal governance (current version EBA/GL/2021/05) in accordance with the Capital Requirements Directive (CRD).

The proposed amendments reflect changes to the CRD framework and other relevant legislation, such as the Digital Operational Resilience Act (DORA). The consultation will run until November 7, 2025, and is limited to the proposed amendments.

The draft revised guidelines have been adapted to the changes introduced by CRD VI. They clarify the requirements under Article 88(3) CRD VI to ensure that each member of the management body, senior officer, and key function holder has a documented role and task description and that a mapping of the tasks of the members of the management body, senior officers, and key function holders has been established.

They also contain specific guidance to ensure that branches in third countries have a sound governance framework. The draft revised guidelines have also been adapted to ensure alignment with the DORA Regulation and to take into account the findings of the EBA benchmarking report on diversity practices and gender-neutral remuneration policies. Finally, they also take into account insights from supervisory practice across the EU.

The guidelines on internal governance themselves were developed in accordance with Article 74(3) of Directive 2013/36/EU, which mandates the EBA to develop guidelines in this area, and in accordance with Article 48g(9) of Directive 2013/36/EU, which mandates the EBA to develop guidelines on arrangements, processes, and mechanisms for internal governance for branches in third countries.

The current revision of the EBA guidelines on internal governance is part of the EBA’s roadmap for implementing the banking package (CRR III/CRD VI), which will enter into force on January 1, 2025. Together with the other regulatory products, it will further strengthen a robust regulatory framework, efficient supervision, and improved risk control of credit institutions.

The “compliance focus” of this article also covers (almost outside the primary focus defined by the EBA) the further development of the regulatory/MaRisk compliance function and the future of regulatory monitoring.

Background and possible objective of the consultation

On August 7, 2025, the European Banking Authority (EBA)[2] published a consultation on the revised guidelines on internal governance, EBA/CP/2025/20[3]. The aim is to specify the requirements of the CRR III/CRD VI banking package and establish uniform standards across Europe. The revised version is primarily intended to bring more clarity and precision to the distribution of roles and responsibilities within institutions.

However, it also sets the course for the further development of the compliance function in accordance with MaRisk AT 4.4.2. In particular, regulatory monitoring will face new challenges in some institutions as a result:

In future, institutions will have to record and evaluate regulatory changes even more systematically and proactively in order to meet the increased requirements for transparency and control.[4] The guidelines illustrate how crucial a closely integrated compliance and governance structure is for identifying risks at an early stage and ensuring long-term compliance with complex regulatory requirements.

As a result, legal monitoring will not only become more important in the future, but will also require efficient processes to reliably map the dynamic regulatory landscape, integrate it into the business organization, and establish a sustainable risk and compliance culture.

Key changes

The new guidelines contain several significant adjustments:

  • Clear job descriptions for all members of the management body, senior managers, and key function holders.[5]
  • Responsibility mapping that systematically outlines all responsibilities.
  • Extension to branches in third countries to ensure robust governance there as well.
  • Integration of DORA (Digital Operational Resilience Act)[6] requirements with a focus on digital and operational resilience.
  • Consideration of EBA studies on diversity and gender-neutral remuneration.[7]

but also:

  • The introduction of the term “legal risk stemming from non-compliance events” and the revision of Section 21 on the “compliance function.”[8]

The consultation period ends on November 7, 2025. This leaves institutions with a limited window of opportunity to get involved and, at the same time, prepare directly for possible implementation requirements.

Significance for regulatory/MaRisk compliance[9] and regulatory monitoring

The Minimum Requirements for Risk Management (MaRisk)[10] already require regulatory changes to be identified at an early stage, evaluated, and integrated into internal processes.[11]

Section 25a of the German Banking Act (KWG)[12] in conjunction with AT 4.4.2 of the Minimum Requirements for Risk Management (MaRisk) requires every institution to establish a proper business organization. According to the wording of the law, this also includes compliance with the legal requirements relevant to the institution and, according to the Bundesbank’s leaflet on compliance with financial sanctions, also the monitoring[13] of corresponding controls. In order for these requirements to be met, the institution must first be aware of them. This includes both changes to existing regulations and the introduction of new regulations.

Legal monitoring is therefore essential for systematically recording and managing the necessary information, and it is an integral part of the compliance lifecycle.

Figure 1: Compliance lifecycle/regulatory compliance lifecycle in the workflow process[14]

The aim is to keep the institution continuously informed about all essential legal requirements and specifications and to ensure their implementation in accordance with supervisory requirements.

However, the EBA guidelines raise the bar:

  • Interdisciplinary assessment becomes a prerequisite, as topics such as DORA go beyond purely banking supervisory aspects.[15]
  • Verifiability is becoming more important – from the initial analysis to full implementation.

Adequacy and effectiveness as an expression of aspiration and reality

In many institutions, there is still a significant gap between regulatory requirements and practical implementation:

  • Monitoring processes are often decentralized, heavily dependent on individual persons, and, despite increasing regulation, rarely quantitative.[16] The interaction between the specialist departments and the MaRisk compliance function often shows deficits, particularly with regard to responsibility for the timely transfer of information (obligation to fetch vs. obligation to deliver; a good example of this is compliance integration according to AT 8.1 and AT 8.2[17] MaRisk).
  • Automated solutions for information gathering are often not implemented or only implemented selectively, which means that gaps cannot be ruled out.
  • The interfaces between compliance, the legal department, risk management, IT, and HR are often not optimally integrated, which makes concrete and, if necessary, rapid coordination difficult.
  • Regulatory consultations are usually included too late or only superficially, meaning that opportunities for active participation are missed and implementation processes are started late.
  • Decisions by the highest courts are often not taken into account, or not sufficiently, in the monitoring process.
  • New requirements and changes can hardly be evaluated centrally, and the traceability of implementation measures is limited.

Elements of sustainable regulatory monitoring

In view of these challenges, structured, digitally supported monitoring is virtually indispensable. Institutions that already have structured and successful monitoring systems in place rely on the following core components:

  • Systematic and often technically supported regulatory/legal screening (identification of legal norms in new and significantly changed legal regulations and requirements)
  • Clear responsibilities and defined escalation paths within the organization.
  • Early and comprehensive recording of all regulatory developments – including ongoing consultation procedures.
  • Systematic assessment of the impact on the organization, processes, IT systems, personnel, and governance structures.
  • Interdisciplinary collaboration to integrate different perspectives and comprehensively assess risks.
  • Binding action plans with clear responsibilities and deadlines.
  • Audit-proof documentation in a digital compliance register for seamless tracking.

Figure 2: Integrative networked integration in the “Run, Change, and Run the New Bank Process”

Manual approach in small institutions

Since many of the smaller institutions belong to an association, their regulatory monitoring is based primarily on input provided by the association and its circulars.

The circulars are supplemented by subscriptions to newsletters, in particular those from BaFin. Further research is often not carried out.

The process requires the specialist departments to identify new developments from circulars and newsletters and forward them to MaRisk Compliance, i.e., decentralized processing takes place first.

However, there is often no “two-way communication” that fulfills the first-line tasks according to AT 4.4.2 (1) MaRisk:

“Notwithstanding the tasks of the compliance function, the managers and business areas remain fully responsible for compliance with legal regulations and requirements”[20], which would complete the second-line component of the MaRisk compliance function.

Figure 3: Cooperation between the MaRisk compliance function and the specialist departments

Efficient IT-supported regulatory monitoring

Regulatory dynamics require permanent and, above all, structured, seamless monitoring, especially in the banking and financial sector, where mistakes can have consequences ranging from reputational damage to high fines. Manual procedures of the kind used in small institutions are prone to errors even in medium-sized institutions and are often no longer cost-effective in practice.

IT tools such as VÖB-Radar, COR3, or msg Legal Change Management[21] can provide crucial support in this regard.

They automate the collection and filtering of relevant legislative changes, regulatory requirements, and supreme court rulings so that the compliance teams of the MaRisk compliance function – already in anticipation of future, more specific requirements of the EBA Guidelines on internal governance – can react quickly and specifically to the most important changes.

This saves time and increases clarity without replacing the final review of relevance or risk classification by experienced compliance experts. The combination of powerful technology and human compliance expertise is the key to efficient and reliable monitoring.

Figure 4: Excerpt from msg Legal Change Management

Artificial intelligence for increased efficiency

The use of artificial intelligence (AI) also offers promising opportunities to further optimize IT-supported legal monitoring and enable functionalities such as “chat with the law”:

  • AI can automatically recognize, evaluate, and prioritize regulatory information, thereby reducing the workload of specialist departments and compliance departments.
  • AI also allows for deeper risk analysis, including qualitative and quantitative risk assessment.
  • Furthermore, the innovations can be automatically incorporated into the adaptation of the written rules (sfO).[22]

The range of what existing tools in the field of AI already offer extends from exclusive information services to automated risk classification.[23] However, the EU AI Act[24] and the BSI’s designation of criteria for trustworthy AI systems in the financial sector[25] raise the barriers to introduction and use.[26]

In any case, it is important to note that AI does not replace human expertise. Interpreting complex regulatory requirements and assessing their specific impact on the institution, as well as the resulting institution-specific risk, still requires experience and human judgment. AI and quantitative models should therefore be viewed more as supporting tools that enable compliance officers to make informed decisions more quickly and in a more focused manner – but the ultimate responsibility always remains with humans and companies/institutions and not with any kind of “AI agent.”

Target vision for institutions

Today, modern regulatory monitoring is more than just an information channel. It is an integrated control and early warning system in the sense of a holistic ICS, which should meet the following minimum requirements:

  • Central control with clearly defined responsibilities,
  • Automated tools for continuous information gathering and evaluation, as far as possible,
  • Standardized, interdisciplinary evaluation processes for holistic risk assessment,
  • Direct and well-prepared decision templates for senior management and management,
  • Complete, digital documentation of all process steps for traceability (audit-proof),
  • Evaluability for verification purposes vis-à-vis auditors and supervisory authorities, but also for identifying trends and optimization potential.

Such a (regulatory) monitoring system helps to identify, assign, reduce, or mitigate regulatory risks and to allocate resources more effectively, thereby improving compliance risk management within the company in the long term.

Conclusion

The EBA guidelines set a clear new standard for regulatory monitoring: In the future, it must be faster, better structured, and, above all, transparent.

For regulatory/MaRisk compliance, this means (in many cases) more responsibility and a stronger role.

Figure 5: Regulatory oversight

Compliance teams should not only be informed of changes internally, but should also actively evaluate them (“check & challenge”), assess their impact on the institution, and develop appropriate measures in collaboration with the specialist departments (regulatory change). This further intensifies the previous “working towards”[28] requirement in MaRisk AT 4.4.2 and the internal standing of the MaRisk compliance officer.

This makes the compliance function an important generalist interface that maintains an overview and ensures that all parties involved are involved in a timely manner. A digital monitoring system is almost indispensable in this context – it ensures transparent documentation, relieves the burden of routine tasks, and creates space for advising management.

Overall, the compliance function is transforming from (often still) a purely controlling body to an active partner that actively shapes the compliance and risk culture within the institution.

Regardless of these requirements, which are new for many institutions, those with stable MaRisk compliance functions are already seeing that structured regulatory monitoring can help them identify opportunities and act strategically. Those who are aware of new requirements and their consequences at an early stage have more time to adapt procedures, processes, or products, plan partnerships, improve marketing messages, or set new priorities.

The success of this adaptation will determine how resilient and future-proof banks and financial institutions are and remain in the complex regulatory environment.

Sources and further references

Markus Müller (Citigroup Global Markets Europe AG)

holds a degree in economics and is a Certified Compliance Professional (CCP) and Certified Compliance Officer (CCO). As Deputy Head of MaRisk Compliance Management for a global US investment bank in Frankfurt am Main, he is responsible for regulatory and MaRisk compliance in the core area of Independent Compliance Risk Management (ICRM).

Sandra Leicht

is Head of Regulatory Compliance at msg for banking and has extensive compliance experience and expertise in the financial services sector. She herself has been working as an officer for many years and also advises and trains on all aspects of compliance functions. She also has extensive expertise in the successful management of companies and in advising financial institutions on topics such as WpHG compliance, MaRisk compliance, money laundering prevention and data protection.
