Fit & Proper: What has Changed With CRD VI and How to Handle It

Most banking institutions have a fit and proper process. Nomination committees meet, candidates are reviewed, questionnaires are completed, appointments are made. The system works — until the European Central Bank asks to see it.

Directive 2024/1619 (also commonly referred to as Capital Requirements Directive VI) changed the rules. What was once a back-office governance exercise has become a front-line supervisory priority. For legal directors, Secretaries General, and governance managers at significant banking institutions, the question is no longer whether fit and proper management is happening — it is whether it can be proven.

What CRD VI Actually Changed

The Capital Requirements Directive VI introduced three changes that matter in practice for the banking industry:

The 30 working days’ advance notification rule

Institutions must notify national competent authorities at least 30 working days before appointing a board member or key function holder. This is not a filing requirement but rather a live review window during which supervisors actively assess the candidacy. Incomplete documentation at that stage means appointments can be completely blocked.

The supervisory veto power

National authorities can now reject an appointment before it takes effect. This means that the entire internal selection process (the search, the shortlist, the committee review, the board vote) can be undone if the ECB or a national competent authority finds the evidence insufficient.

The expanded scope

CRD VI formally brings key function holders into the assessment framework for the first time: heads of internal audit, compliance, risk management, and significant business lines. If your institution has not yet mapped which roles now fall under this requirement, that mapping is already overdue.

These changes turn fit and proper management into something it was not before: a structured, pre-appointment governance process with direct regulatory consequences and no margin for error.

Five criteria for institutions to keep in mind

The ECB evaluates every candidate for fiduciary and governance positions, and every board collectively, across five criteria.

  • Reputation: Individuals must have a clean regulatory record and conduct history, and their ethical judgement must be appropriate for a position of fiduciary duty.
  • Experience: The qualifications and prior governance experience must have prepared them for the specific duties of the new role.
  • Independence of mind: Individuals must be capable of challenging management decisions objectively, free from undue influence and conflicts of interest.
  • Time commitment: Candidates must have sufficient availability to prepare for meetings, engage with materials, and exercise real oversight.
  • Collective suitability: The board as a whole must cover every competency required to govern the institution. This includes risk, audit, ESG, technology, and legal compliance.

All the criteria are demanding in their own way, but collective suitability can be more challenging.

Why collective suitability is a different challenge

Because the first four criteria apply to individuals only, they can, at least in principle, be addressed through background checks or even self-declarations.

By contrast, collective suitability applies to a whole group. This is where it can get complicated.

This requirement asks institutions to demonstrate that the board, as a whole, holds every competency needed to govern the institution. By every competency the CRD VI refers to:

This is not a one-time assessment. It is an ongoing governance capability that cannot be demonstrated without updated, consistent and consolidated data that is retrievable on demand.

Why old processes no longer hold

Most institutions currently manage fit and proper obligations through a familiar combination of methods:

  • An HR system
  • Shared document folder or folders
  • Online questionnaires sent and replied to via email
  • Institutional memory of whoever has been running the process the longest

Even if the most senior collaborator has archived all this knowledge somewhere on a drive or their computer, this process no longer holds. It used to work before CRD VI came into play. Under the new directive, instant access to information and formal documentation are key.

Examples of the old process’s limitations

The 30-day notification window

This required notice period before certain in-scope changes or transactions demands that all candidate profiles, conflict of interest declarations and questionnaire results are complete and structured prior to any change submission. There is no time to consolidate fragmented data and records once a supervisory request comes in.

The duty mapping and suitability assessments

CRD VI requires formal documentation of each board member’s specific responsibilities, paired with a suitability assessment tied to those duties. Across multi-entity banking groups — where a single director may hold mandates across several subsidiaries — this cannot be maintained manually. The information must be accessible (with strict access control of course) at all times. Otherwise there is room for significant operational and regulatory risk.

As we can see, the main issue is structural. Institutions cannot always produce a complete, traceable record of how each director was assessed. CRD VI requires a high level of granularity, such as knowing who assessed each individual, against which criteria, and with what outcome. Without the proper system, meeting it is not only inefficient but also risky.

Building the infrastructure that closes the gap

Addressing this gap requires more than new tools applied to existing workflows. To really close the gap, data needs to be structured.

An audit-ready fit and proper infrastructure needs four things working in concert:

  • Centralized director profiles that hold qualifications, mandate history, and assessment records in one place
  • Documented nomination workflows that trace the process from candidate sourcing through committee review to final vote
  • Structured conflict of interest management, with declarations captured and accessible at every governance stage
  • Group-level mandate oversight that provides real-time visibility of directorships across every entity in the structure.
  • Connected board and contract governance, so that appointment decisions, signatory authorities, and delegations are reflected across entity records and contractual obligations in real time

The challenge is that these aspects only work when they operate as one. If each is kept separately, with director profiles in a shared drive and mandates in a point solution for instance, the result will still be fragmented data, which is exactly what CRD VI exposes.

Building compliance that holds in the long run

The key term here is centralization, although it is not the goal in itself. It is just the enabler.

For banking groups operating across multiple entities, this becomes particularly critical. Directors can sit on the boards of different subsidiaries, each with different assessment obligations and different duty maps. The proper entity management solution will help institutions stay ahead of the game. Any time the European Central Bank asks for documentation, it must be one click away, not hours or days away, let alone months.

Just like other legal requirements, CRD VI should be seen as more than admin work. It is the ultimate opportunity for institutions to structure their data, always, not because an audit is coming up but because governance has always been a top priority.
