2024-11-20

Final Report on Joint Guidelines for the ESAs System for Exchange of Information on Fitness and Propriety

The European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority have issued joint guidelines to establish a system for exchanging information relevant to fitness and propriety assessments. These guidelines mandate competent authorities to use the ESAs Information System to share limited data on holders of qualifying holdings, directors, and key function holders to enhance supervisory efficiency. The framework ensures timely information exchange while maintaining strict data protection standards and preserving each authority's independent assessment responsibilities.

European Union

European Securities and Markets Authority

JC/GL 2024 88

4 November 2024

Final report on Joint Guidelines on the system established by the European Supervisory Authorities for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities

GL ON THE ESAs SYSTEM FOR THE EXCHANGE OF INFORMATION RELEVANT TO THE ASSESSMENT OF FITNESS AND PROPRIETY

Contents

  1. Executive Summary
  2. Background and rationale
  3. Joint Guidelines on the system established by the European Supervisory Authorities for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities
       Status of these joint Guidelines
       Reporting requirements
       Title I – Subject matter, scope and definitions
       Title II – Use of the ESAs Information System
       Title III – Information exchange and cooperation between the competent authorities using the ESAs Information System
       Title IV – Final provisions and implementation
  4. Accompanying documents
       4.1 Cost-benefit analysis / impact assessment
       4.2 Feedback on the public consultation
       Summary of responses to the consultation and the ESAs’ analysis

1. Executive Summary

Adequate governance of financial institutions can only be achieved if the persons who control or manage such institutions are fit and proper and if persons who are not fit and proper are effectively prevented from assuming such roles. To achieve such outcomes, fit and proper assessments by competent authorities are critical and, indisputably, access of these authorities to any relevant information is a basic condition for the success of such assessments.

Against this background, new provisions (Articles 31a) were added to Regulation (EU) No 1093/2010, Regulation (EU) No 1094/2010 and Regulation (EU) No 1095/2010 (collectively referred to as the ‘Founding Regulations’), thereby tasking the EBA, EIOPA and ESMA (collectively referred to as the ‘ESAs’) with establishing a system for the exchange of information relevant to such fit and proper assessments. The ESAs are therefore not only strongly committed but also under the legal obligation to establish such a system.

As mandated, therefore, in Articles 31a of the Founding Regulations the ESAs have developed a system which consists of a cross-sectoral database (ESAs Information System) and these joint Guidelines on how to use the ESAs Information System as well as on the exchange of relevant data with the aim of fostering a timely exchange of information between competent authorities.

The ESAs Information System will hold limited information on persons who are subject to a fitness and propriety assessment under Union sectoral provisions. Fitness and propriety, as referred to in Articles 31a of the Founding Regulations, should be construed as referring to the overall assessment of the suitability of the holders of qualifying holdings, directors and key function holders, be they natural or legal persons. The competent authorities performing such assessments will include the relevant information consistent with these Guidelines in the ESAs Information System.

The aim of the ESAs Information System is to support competent authorities in identifying other competent authorities that have conducted such an assessment process for a person of interest, thereby enhancing the efficiency of the fit and proper assessments. At the same time, in line with the applicable data protection requirements, only limited and necessary information will be stored in the system, accessible on a strict need-to-know basis. The actual exchange of information that is relevant to the assessment of the fitness and propriety of a person of interest will be made between the relevant competent authorities in line with the applicable regulatory framework outside of the ESAs Information System. The ESAs have made a data protection risk assessment and contacted the European Data Protection Supervisor to ensure that the ESAs Information System and the joint Guidelines comply with the applicable data protection requirements.

While these Guidelines support the request and exchange of information between competent authorities, the provision of information does not relieve the competent authority from making its own assessments of fitness and propriety. Each assessment follows the applicable sectoral requirements and considers the context in which an assessment is made. The result of a new assessment may, therefore, differ from the result of a previous assessment.

2. Background and rationale

  1. Articles 31a of Regulation (EU) No 1093/2010, Regulation (EU) No 1094/2010 and Regulation (EU) No 1095/2010 (collectively referred to as the ‘Founding Regulations’), task the EBA, EIOPA, and ESMA (collectively referred to as the ‘ESAs’) with establishing a system for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities in accordance with the legal acts referred to in Article 1(2) of the Founding Regulations. For the purpose of these Guidelines, fitness and propriety, as referred to in Articles 31a of the Founding Regulations, should be construed as referring to the overall assessment of the suitability of the holders of qualifying holdings, directors and key function holders, be they natural or legal persons.
  2. Articles 8(1) point (a) of the Founding Regulations provide that the ESAs shall use the full powers available to them when carrying out their tasks in accordance with the Founding Regulations. To achieve their tasks, Articles 8(2) point (c) set out as a power of the ESAs the issuance of guidelines pursuant to Articles 16 of the Founding Regulations. In accordance with Articles 16 of the Founding Regulations, the ESAs shall, with a view to establishing consistent, efficient and effective supervisory practices within the European System of Financial Supervision (ESFS), and to ensuring the common, uniform and consistent application of Union law, issue guidelines addressed to all competent authorities or all financial institutions and financial market participants.
  3. In line with the mandate set out in Articles 31a of the Founding Regulations, the ESAs have developed a system to facilitate the timely exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants between competent authorities in accordance with the legal acts referred to in Articles 1(2) of the Founding Regulations; this system includes the ESAs Information System and these Guidelines. The Guidelines clarify how the ESAs Information System should be used and how data should be exchanged.
  4. It is expected that competent authorities will apply these Guidelines when requesting and receiving information relevant in the context of their assessments of fitness and propriety in accordance with the Union sectoral provisions. In that respect, competent authorities should make use of the ESAs Information System to identify any competent authority that holds relevant information on the individuals who are going to be assessed for fitness and propriety. Competent authorities should request the relevant information and take it into account within their assessments of fitness and propriety in accordance with the Union sectoral provisions.
  5. In accordance with Articles 31a and in conjunction with Articles 2(4) and Articles 35 of the Founding Regulations, the Guidelines should ensure that competent authorities include the information on holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants in the ESAs Information System in the context of the assessment of fitness and propriety of a person of interest.
  6. To ensure that all relevant information on such assessments is available, it is necessary to include information at the initiation of assessments (when a notification or application is filed with the competent authority), so that not only concluded but also ongoing assessments and assessments that were ended before a final decision had been taken (e.g. if an application has been withdrawn or is put on hold) are included in the ESAs Information System. Additional assessments made for the same persons should be included in the ESAs Information System, to ensure a full overview of assessments initiated.
  7. An entry in the ESAs Information System will provide information about the competent authority that holds relevant information about a person of interest. It will not contain any qualitative information on the assessment or its outcome.
  8. Competent authorities should make the initial request for information relevant to the assessment of fitness and propriety through the ESAs Information System, which will help the tracking of such requests and will allow the generation of statistics on the use of the system. Any requests for information should set out the Union sectoral provisions based on which the request is being made.
  9. In accordance with the principle of sincere cooperation set out in Article 4(3) of the Treaty on European Union (TEU) and reflected in Articles 2(4) of the Founding Regulations, the request for information should be appropriately responded to, to the extent that it is legally feasible. Confidentiality, data privacy or other professional secrecy restrictions set out in the sectoral or in any other applicable legal provisions must be duly considered in relation to the information requested.
  10. The actual exchange of underlying information that is relevant to the assessment of the fitness and propriety of a person of interest will be made bilaterally between the relevant competent authorities outside the ESAs Information System. The information exchange may be supported by additional cooperation agreements. Where an application for the assessment of fitness and propriety has been withdrawn, put on hold or rejected the information should, to the extent permissible and possible, also include the reasons for this.
  11. While these Guidelines support the request and exchange of information between competent authorities, the provision of information does not relieve the competent authority from making its own assessments of fitness and propriety. Each assessment follows the applicable sectoral requirements and takes into account the context in which an assessment is made. The result of a new assessment may therefore differ from the result of a previous assessment.
  12. Compliance with these Guidelines should be without prejudice to the provisions of the Union legal acts referred to in Articles 1(2) of the Founding Regulations and, in particular, to the provisions of the legal framework or other existing legal acts dealing with the fitness and propriety assessment by competent authorities and any exchanges of information for this purpose. Where such provisions prevent the information exchange or where they set out specific requirements for such an exchange, these Guidelines will apply to the extent permissible under these provisions.
  13. The ESAs have developed operating rules for the ESAs Information System which do not form part of these Guidelines. The operating rules will be communicated to competent authorities.

3. Joint Guidelines on the system established by the European Supervisory Authorities for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities

Status of these joint Guidelines

This document contains joint Guidelines to be issued pursuant to Articles 16 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority); of Regulation (EU) No 1094/2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority); and of Regulation (EU) No 1095/2010 establishing a European Supervisory Authority (European Securities and Markets Authority) (collectively referred to as the ‘Founding Regulations’). The adoption of the Guidelines is to be done in accordance with Articles 56, second subparagraph, of the Founding Regulations. In accordance with Articles 16(3) of the Founding Regulations, competent authorities must make every effort to comply with the Guidelines.

The joint Guidelines aim at establishing consistent, efficient and effective supervisory practices within the European System of Financial Supervision (ESFS), and at ensuring the common, uniform and consistent application of Union law with regard to the use of the system established by the ESAs for the exchange by competent authorities of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants in accordance with the legal acts referred to in Articles 1(2) of the Founding Regulations.

Competent authorities to which the joint Guidelines apply should comply by incorporating them into their supervisory practices or regulatory framework as appropriate (e.g. by amending their legal framework or their supervisory processes).

Reporting requirements

The expected date of application of these joint Guidelines is the day of the publication of translations in all official EU languages on dd.mm.yyyy [publication of translations of the final joint Guidelines in all official EU languages]. In addition, competent authorities are expected to comply with parts of the joint Guidelines at a later stage (a different time when provisions concern legal or natural persons), taking into account the time necessary to feed historical data into the ESAs Information system before using the ESAs Information system.

In accordance with Articles 16(3) of the Founding Regulations, competent authorities must notify the respective ESA whether they comply or intend to comply with the joint Guidelines, or otherwise with reasons for non-compliance, by dd.mm.yyyy (two months after the publication of translations of the final joint Guidelines in all official EU languages). In the absence of any notification by this deadline, competent authorities will be considered by the respective ESA to be non-compliant. Notifications should be sent to [compliance@eba.europa.eu, compliance@eiopa.europa.eu and compliance.fpsguidelines@esma.europa.eu] with the reference ‘JC/GL/2024/xx’. A template for notifications is available on the ESAs’ websites. Notifications should be submitted by persons with appropriate authority to report compliance on behalf of their competent authorities. Notifications will be published on the ESAs’ websites in line with Articles 16(3) of the Founding Regulations.

The joint Guidelines will be applicable during the comply and explain procedure, having already been extensively consulted upon with competent authorities. Additionally, two public consultations took place, ending on 2 May 2023 and 15 January 2024, respectively. The ESAs have also liaised with the European Data Protection Supervisor, whose informal opinion was taken into account. These joint Guidelines are necessary for the implementation of Articles 31a of the ESAs Regulations and are addressed only to competent authorities.

Title I – Subject matter, scope and definitions

Subject matter

  1. These Guidelines clarify the use of the ESAs Information System by competent authorities and the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders in accordance with the legal acts referred to in Article 1(2) of Regulation (EU) 1093/2010, Article 1(2) of Regulation (EU) 1094/2010 and Article 1(2) of Regulation (EU) 1095/2010 on the basis of Articles 31a thereof.

Addressees

  2. These Guidelines are addressed to competent authorities referred to in Articles 4(2) of Regulation (EU) No 1093/2010 and Regulation (EU) No 1094/2010 and in Article 4(3) of Regulation (EU) No 1095/2010.

Definitions

  3. Terms used and defined in legal acts referred to in Article 1(2) of Regulation (EU) 1093/2010, Article 1(2) of Regulation (EU) 1094/2010 and Article 1(2) of Regulation (EU) 1095/2010 on the basis of Articles 31a of the Founding Regulations have the same meaning in these Guidelines.

Assessment means a final decision of a competent authority on the suitability of a person of interest in accordance with Union sectoral provisions, which would be either an approval, including a tacit approval, or rejection, including a tacit rejection, including at the point of authorisation.

ESAs Information System means a digital platform established jointly by the EBA, EIOPA and ESMA in accordance with Articles 31a of Regulation (EU) No 1093/2010, Regulation (EU) No 1094/2010 and Regulation (EU) No 1095/2010.

ESAs Information System operating rules means the set of rules, specifications, arrangements, processes and procedures for the use of the ESAs Information System by competent authorities, including but not limited to technical specifications, language arrangements, access rights and their management.

Competent authorities means authorities as defined in Articles 4(2) of Regulation (EU) No 1093/2010 and Regulation (EU) No 1094/2010 and in Article 4(3) of Regulation (EU) No 1095/2010.

Financial institution and financial market participant means a financial institution referred to in Articles 4(1) of Regulation (EU) No 1093/2010 and Regulation (EU) No 1094/2010 and a financial market participant referred to in Article 4(1) of Regulation (EU) No 1095/2010.

Union sectoral provisions mean provisions of the legal acts referred to in Articles 1(2) of Regulation (EU) No 1093/2010, Regulation (EU) No 1094/2010 and Regulation (EU) No 1095/2010 on the exchange of information relevant to the assessment of the fitness and propriety of persons of interest.

Request for information means a request for information relevant to the assessment of the fitness and propriety of a holder of (a) qualifying holding(s), director or key function holder of a financial institution and a financial market participant in accordance with the Union sectoral provisions submitted through the ESAs Information System by an assessing authority consistent with these Guidelines.

Requesting authority means a competent authority submitting a request for information.

Requested authority means a competent authority receiving a request for information.

Person of interest means a natural or legal person assessed or to be assessed for the fitness and propriety of a holder of (a) qualifying holding(s), a director or a key function holder of financial institutions and financial market participants in accordance with Union sectoral provisions.

Withdrawal of application means the retraction by the applicant of any explicit or tacit application or notification for an assessment process before a decision has been taken by the competent authority.

Title II – Use of the ESAs Information System

Using the ESAs Information System

  4. For the purpose of the assessments of the fitness and propriety of persons of interest in accordance with Union sectoral provisions, competent authorities should use the ESAs Information System, thereby submitting, searching and requesting information relevant to the assessment of fitness and propriety in line with these Guidelines.

Data input into the ESAs Information System

  5. Competent authorities that make an assessment of the fitness and propriety of a person of interest should include the data referred to in paragraph 7 of these Guidelines in the ESAs Information System within two weeks after the receipt of a notification or application for an assessment of fitness and propriety (date of entry).
  6. Where there is an additional or a new assessment of an already assessed person of interest, a new entry in the ESAs Information System should be created.
  7. The data to be supplied to the ESAs Information System should include with regard to the person of interest:
     7.1. natural person:
          a. first name(s);
          b. surname/family name;
          c. date of birth;
          d. place of birth;
          e. where available, other names (including, where available, birth name) used by the person (AKA names);
     7.2. legal person:
          a. the legal name of the legal person or entity (including abbreviation of legal form);
          b. AKA names of the legal person;
          c. the legal entity identifier (LEI);
          d. where the LEI is not available, the registration number, such as from a central register, commercial register, companies register or similar public register; and
          e. country of incorporation (headquarters);
     and with regard to the assessing competent authority:
     7.3. for a natural person and legal person:
          a. data as set out below:
             i. for data added after the establishment of the ESAs Information System: the date of entry as per paragraph 5;
             ii. for historical data added to the ESAs Information System: relevant date available to the competent authority (e.g. date of application or notification, decision, entry into function, etc.);
          b. legal act referred to in Articles 1(2) of the Founding Regulations under which the assessment was performed; and
          c. where available, reference number of the record held by the competent authority.
  8. The information entered in the ESAs Information System under paragraph 7 will be kept in the ESAs Information System for a maximum period of 15 years from the date of entry by a competent authority and then automatically deleted from the ESAs Information System. Competent authorities may apply shorter retention periods. Where shorter retention periods have been applied in line with applicable Union or national law, the competent authority should remove the data from the ESAs Information System accordingly after such periods end. In addition to the expiration of the retention period, information could also be deleted by competent authorities upon receiving notification that the person of interest is deceased. The above is without prejudice to the right of access, rectification or erasure by the concerned data subjects as provided for in Articles 17, 18 and 19 of Regulation (EU) 2028/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies.
  9. Competent authorities should designate contact points for receiving and responding to requests and make this information available in the ESAs Information System. The contact point details should include the functional e-mail address used in the process of fitness and propriety assessments, a phone number of the unit/department dealing with the fit and proper assessments (optionally) and, for relevant staff members, the given name(s) / family name, position, professional e-mail address and phone number.
  10. Competent authorities should keep the lists of contact points, including functional e-mail addresses, up to date and review them at least annually.

Data searches within the ESAs Information System

  11. Before a competent authority makes an assessment of the fitness and propriety of a person of interest in accordance with Union sectoral provisions, the competent authority should look up in the ESAs Information System if there is any other competent authority that holds information on this person of interest.

Title III – Information exchange and cooperation between the competent authorities using the ESAs Information System

Sending requests for information

  12. Where the ESAs Information System search indicates that relevant information for the purpose of an assessment is available, the competent authority should, before making the assessment, submit a request for information through the ESAs Information System to the competent authorities identified in line with paragraph 11 that hold relevant information on the person of interest.
  13. The requesting authority should set out the reason for the request, the information requested and the Union sectoral provisions on the basis of which the assessment is being made.
  14. The requesting authority should provide the requested authority with any document or supporting material deemed necessary to support the request using bilateral means of communication outside of the ESAs Information System. Competent authorities may facilitate the exchange of information by way of cooperation arrangements¹.

Processing and responding to requests for information

  15. The actual exchange of underlying information that is relevant for the assessment of the fitness and propriety of a person of interest will be made bilaterally, between the requesting and requested authorities outside the ESAs Information System.
  16. The requested authority should, in accordance with the principle of sincere cooperation set out in Article 4(3) of the Treaty on European Union (TEU) and reflected in Articles 2(4) of the Founding Regulations, and taking into account Union sectoral provisions and any other applicable legal acts related to sectoral provisions, respond to the request within two weeks from receipt of the request and provide the information or explain why the information can only be provided at a later date and specify that date. In the case of a negative assessment or a withdrawal of the application for an assessment, available information about the reasons for the negative assessment or the withdrawal should also be provided.
  17. The requested authority should not provide the information requested where confidentiality or personal data protection requirements set out in Union sectoral provisions or in any other applicable legal provisions prevent it from doing so or where the requested authority cannot, for objective reasons, provide the information requested.
  18. Where the exchange of information is impossible in accordance with paragraph 17, the requested authority should, as soon as possible but at the latest within two weeks from receipt of the request, inform the requesting authority and explain the reasons for this. If it is partially impossible to provide all the requested information, the requested authority should provide the requesting authority with the part of the information whose provision is permitted and explain the reasons for withholding other parts of the information.
  19. The requested authority may ask for clarifications from the requesting authority regarding the request received. The requesting authority should respond to any such clarification requests without undue delay. If clarifications are sought, the time period under paragraphs 16 and 18 should start after the clarifications are provided by the requesting authority.

Confidentiality

  20. Competent authorities should treat all information received in accordance with these Guidelines as confidential and treat it in line with professional secrecy and personal data protection requirements set out in Union legislation and applicable national law.

¹ E.g. ESMA Multilateral Memorandum of Understanding on Cooperation Arrangements and Exchange of Information

Title IV – Final provisions and implementation

  21. These Guidelines apply from dd.mm.yyyy [publication of translations of the final joint Guidelines in all official EU languages], with the exception of:
      a. paragraphs 4, 11, 12, 13, 14, 15, 16, 17, 18, 19, which will apply from [15 May 2025] for assessments of natural persons, and from [30 April 2026] for assessments of legal persons;
      b. paragraph 7.2 (a-e), which will apply from [30 January 2026].
  22. Competent authorities should include available historical data on natural persons for the last five years, calculated from the date of application of these Guidelines, in the ESAs Information System by 15 May 2025.
  23. When single data points for the natural person, e.g. date or place of birth, specified under paragraph 7.1 are not available, the requesting and requested authorities should ensure by other means that the information that should be provided is relevant to the assessment of the person of interest.
  24. Competent authorities should include available historical data on legal persons for the last two years calculated from [30 January 2026] in the ESAs Information System by 30 April 2026. In the absence of an LEI for legal persons, other registration numbers (e.g. from a central register, commercial register, companies register or similar public register) and in addition the country of incorporation should be inputted into the ESAs Information System.

GL ON THE ESAs SYSTEM FOR THE EXCHANGE OF INFORMATION RELEVANT TO THE ASSESSMENT OF FITNESS AND PROPRIETY 18 4. Accompanying documents 4.1 Cost-benefit analysis / impact assessment Articles 16(2) of Regulation (EU) 1093/2010, Regulation (EU) 1094/2010 and Regulation (EU) 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (Founding Regulations) specify that the ESAs should carry out an analysis of ‘the potential related costs and benefits’ of any guidelines they develop. Such analyses shall be proportionate in relation to the scope, nature and impact of the guidelines. This analysis should provide an overview of the findings regarding the problem to be dealt with, the solutions proposed and the potential impact of these options. Articles 31a of the Founding Regulations require the ESAs to establish a system for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities in accordance with the legislative acts referred to in Articles 1(2). Therefore, the impact of this requirement will not be assessed, as it stems directly from the Level 1 text, rather than from these Guidelines. Other aspects of procedural specifications within these Guidelines will be assessed from the perspective of costs and benefits that they entail for competent authorities and ESAs, as well as in terms of financial stability. More generally, the Guidelines are not expected to create a significant burden on financial institutions and financial market participants as the requirement to assess the suitability of persons of interest stems from other legal acts. The information exchange is limited to competent authorities. 
The cost impact for market participants is limited to the cost of supervision that is invoiced to financial institutions and financial market participants. Compared to the overall costs of supervision, the difference in costs of different options for a mandated information system is seen as immaterial.

In this section ESAs look at specific issues where various options were weighed and choices made. The section explains the costs and benefits of each of these options and the preferred option.

Necessity of Guidelines

Articles 31a of the Founding Regulations require the establishment of a system for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities in accordance with the legislative acts referred to in Articles 1(2) of the Founding Regulations.

These Guidelines are based on Articles 16(1) of the Founding Regulations. The objectives of these Guidelines are to establish consistent, efficient and effective supervisory practices within the ESFS and to ensure the common, uniform and consistent application of Articles 31a of the Founding Regulations. In particular, they aim to provide clarifications to competent authorities on how to use the ESAs Information System and how to exchange information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants by competent authorities in accordance with the legislative acts referred to in Articles 1(2) of the Founding Regulations.

The harmonisation of the underlying processes leads to their increased efficiency. A higher level of transparency is seen as appropriate as personal data will be processed. While administrative costs for issuing guidelines may be slightly higher than for issuing internal operating instructions, the issuance of guidelines has been chosen as they lead to a higher level of harmonisation and transparency.

Options

Two options have been discussed.

Option A: Developing a basic address book with the contact details of the persons in charge of the fit and proper assessment process in the competent authorities.
Option B: Developing a more sophisticated solution in the form of (i) a basic address book with the contact details of the persons in charge of the fit and proper assessment process in the competent authorities and (ii) a cross-sectoral shared database where the competent authorities will post the basic details of the person of interest, and that other competent authorities may consult in their assessments in order to identify which competent authority to contact for specific information regarding the assessment(s) of the person of interest.

Option A would be a system documented in guidelines without a database, which would harmonise the information exchange processes and establish a contact list that enables competent authorities to contact other competent authorities and make requests. Such an option would not be efficient as competent authorities would potentially issue requests to competent authorities that do not hold information on a person. Relying fully on the information provided by a person of interest on previous assessments made has been considered but was seen as too risky as in the case of negative assessments such information might be withheld or as there may be other intentional or unintentional omissions by persons of interest.

Additionally, as a standalone solution, Option A might eventually lead to a higher number of requests as the competent authorities performing the assessment (requesting competent authorities) would have to approach other competent authorities (requested competent authorities) on a more speculative basis to know whether the person of interest had been already assessed by another competent authority. Overall, such a system has not been seen as sufficiently effective, and Option A would have limited added value as a standalone solution and therefore would be suboptimal.

Option B would be a system in which competent authorities enter specified information relevant to the assessments and guidelines that harmonise the use of the system and the information exchange. Such a system would ensure that all assessments are recorded and requesting competent authorities can directly contact the competent authorities that hold relevant information. Option B should provide a significant gain in time for the requesting competent authority – following matches being made by the system on basic person of interest data – to identify a requested competent authority that performed an assessment of a similar given person of interest, and this would increase the efficiency of the supervisory processes and rational use of resources.

Option B should also help reduce the risk of fraud as requesting competent authorities could, just with the information visible in the ESAs Information System, cross-check information from a person of interest against past assessments made by other competent authorities and, in a second step, leverage the result of the assessment itself with the bilateral exchange with the requested competent authorities. Such a system has fewer risks than Option A and ensures the effective processing of information exchanges.

Option B has been retained and sub-options regarding the retention periods and points of data entry and the technical exchange of data have been considered.

Historical data

The added value of the ESAs Information System is to allow competent authorities to perform the assessment on a person of interest, and to find out whether other competent authorities have previously assessed this person. Therefore, historical data are needed to make the database a practical tool from the beginning.
Questions were raised by competent authorities around costs related to the reporting burden of populating the database with historical data. Further concerns were raised around the feasibility of inputting the data on historical assessments, which may involve large volumes of data.

As a consequence of the above, a pragmatic approach has been chosen, whereby historical data would be uploaded when they are readily available for the assessments performed in the five years preceding the date of application of these Guidelines. Some data incompleteness in terms of data fields can be accepted for historical data as without data the ESAs Information System would not be useful, not be used and not fulfil its purpose. This solution would bring the benefit of being able to use the ESAs Information System starting the first day of implementation of the Guidelines but without excessive costs.

A retention period of 15 years has been seen as sufficient to ensure that all relevant assessments can be identified within the database. Longer time periods would create a risk that the database would hold information on persons who are no longer active in the financial system and will also not return to it. To reduce the amount of such data and to protect personal data, the maximum retention period for data has been set at 15 years after the date of data entry into the system, whereby the date would not be changed after entry. Competent authorities may apply shorter retention periods, on a case-by-case basis, when required for compliance with EU and national legislation.

Data entry

The entry of multiple dates – the date of entry and the date of the decision – has been considered so as to have all data in the database in a timely manner, and a retention date linked to the date of entry. However, this option was seen as too burdensome as multiple entries would need to be made. As there are thousands of such assessments per year, the additional burden would be material.

The disadvantage of the date of entry is that assessment processes have a different length, and therefore, the time period in which relevant information would be found would not be 100% harmonised. Depending on whether the assessment is conducted independently or as part of other processes (e.g. licensing a new entity), the assessment process would vary in general from four months to up to a year; the timing differences are not seen as problematic. Moreover, an existing notification/application is already considered relevant information, and therefore, the database should also include the names of persons who are currently being assessed and not only the names of persons for whom the assessment has been finalised.

Data could have been exchanged within the IT system to be developed or outside of it. While a central solution would allow the tracking of requests and ensure a common set of data security measures, the costs for such a system need to be considered. Currently, competent authorities exchange information bilaterally. No need has been identified for a centralised technical platform for the actual exchange of information, which would also create the need for additional data protection risk assessments.
Therefore, the system is only used for the identification of the relevant competent authorities that hold information on the person of interest and for the requests for information, but not for the actual exchange of information, which takes place outside the system on a bilateral basis between competent authorities. If a secure information exchange platform is desired later, such an option could be added separately.

Natural persons and legal persons of interest

The inclusion of persons of interest is appropriate to fulfil the ESAs’ mandate under Articles 31a of the Founding Regulations and should not be limited to natural persons only. It was considered that omission of input on legal persons in the ESAs Information System would be material, as such information is crucial (i) to enable competent authorities to fulfil their obligation to assess the reputation of the legal person itself, and (ii) to increase the effectiveness of the ESAs Information System.

Costs

The costs for the development of the intended ESAs Information System have been estimated at approx. EUR 260 000, the annual costs for its use and maintenance at EUR 40 000 to 45 000 p.a. and operational costs at approx. EUR 300 / month. For competent authorities limited one-off costs exist for adapting current databases.

Stability of the financial market

The requirement that the suitability of people responsible for financial institutions and financial market participants (e.g. management body and directors) be assessed safeguards the sound management of financial institutions and financial market participants and contributes to financial stability. Hence, a more efficient system for assessments of such persons is seen as beneficial for financial stability. No negative effects have been identified.

Overall conclusion

The development of these joint Guidelines is necessary to comply with Articles 31a of the Founding Regulations. Overall, the costs created by the joint Guidelines and the ESAs Information System are low for the ESAs and competent authorities, and the cost impact on market participants is minimal. Overall, the ESAs Information System should support financial stability, by ensuring a more effective process and more complete information to assess the suitability of persons of interest.

4.2 Feedback on the public consultation

The ESAs publicly consulted on the draft proposal contained in this paper twice. The first consultation period lasted for three months and ended on 2 May 2023. Two responses were received, both of which were published on the EBA’s website.

This paper summarises the key points and other comments arising from the consultation, the analysis and discussion triggered by these comments and the actions taken to address them if deemed necessary. Where respondents made similar comments or the same body repeated its comments in response to different questions, the comments and the ESAs’ analysis are included in the section of this paper where the ESAs consider them most appropriate.

Given the limited additional information included, the second public consultation was targeted at the inclusion of legal persons and was open from 6 December 2023 until 15 January 2024. No responses were received.

The Banking Stakeholder Group, Insurance and Reinsurance Stakeholder Group, Occupational Pensions Stakeholder Group and Securities and Markets Stakeholder Group did not provide an opinion.

Summary of responses to the consultation and the ESAs’ analysis

Comments: General comments

Summary of responses received: The envisaged obligation to consult the database violates the sole responsibility of the national authorities for the respective suitability assessment procedure.
ESAs’ analysis: The ESAs Information System will facilitate and thus enhance the exchange of information among the CAs. When assessing the suitability of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants, it is crucial for CAs to have access to and to assess specific information about the person. The ESAs Information System will 1) make available a cross-sectoral list of CAs’ contact points in charge of fit and proper assessments and 2) set up an EU searchable database which will hold limited information on holders of qualifying holdings, directors and key function holders assessed and CAs holding information on these persons of interest. Competent authorities remain responsible for the assessment process regarding the person assessed.
Amendments to the proposals: No change

Summary of responses received: In cases of a negative result or a withdrawal of an application in an early assessment procedure, there will be a de facto binding effect of the earlier procedure, even if the draft Guidelines explicitly reject such a binding effect in recital 11.
ESAs’ analysis: Information on the assessments and related outcomes will not be stored in the ESAs Information System nor shared between CAs through the ESAs Information System, but rather upon request on a bilateral basis only. Competent authorities remain responsible for the assessments.
Amendments to the proposals: No change

Summary of responses received: The stated legal basis (Article 31a in conjunction with Article 16(1) of the Founding Regulation; for the EBA: Regulation (EU) No 1093/2010) does not cover the establishment of such an elaborate, centrally organised database from a substantive law point of view either.
ESAs’ analysis: Article 31a of the ESAs Regulation requires the ESAs to ‘develop a system for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions by competent authorities in accordance with the legislative acts referred to in Article 1(2)’. The ESAs Information System has been designed to meet the need of supervisors.
Amendments to the proposals: No change

Summary of responses received: It is up to the competent authority to decide whether data should be matched in a suitability assessment procedure. There will only rarely be a reason to do this, since in the vast majority of cases there is no question of another authority having jurisdiction that was established in the past. The vast majority of data are collected even though they will most likely never or only very rarely be needed by other competent authorities.
ESAs’ analysis: The ESAs Information System, with the information available on the existence of applications received (including if withdrawn) or assessments made, will allow CAs to easily identify which other CA(s) should be consulted in the context of their assessment of an application received from a person of interest. No outcomes of the assessments performed by the CAs are available in the ESAs Information System.
Amendments to the proposals: No change

Summary of responses received: The use of the data that can be obtained through the management of the database by the ESAs is only rudimentarily hinted at. Recital 8 (p. 6 of the draft Guidelines) refers to statistics that are to be derivable from the use of the database. The draft Guidelines text itself, however, does not contain any further explanations on this. There is therefore a danger here that the ESAs will want to derive certain findings from the database, which in turn could be used as the basis for further measures. Therefore, it must be regulated in the text of the Guidelines themselves (and not in the announced operating regulations) – including for reasons of data protection law – with what purpose, to what extent and on what legal basis the ESAs themselves are to access and evaluate data.
ESAs’ analysis: The ESAs Information System has been designed to improve the exchange of information regarding fit and proper assessments among the authorities operating in different Member States and in different sectors with a view to achieving convergence of supervisory practices and to help eliminate possible fraud cases. The statistics will be used to improve further cooperation and information exchange among the cross-sectoral authorities. The EBA and ESMA will also use the ESAs Information System acting in their capacity as direct supervisors. The competence for the information exchange is provided in the legal acts.
Amendments to the proposals: No change

Summary of responses received: It should be mandatory for the data subject to be informed when a request is made for personal data. Furthermore, it would be necessary to include an obligation in the Guidelines that queries of the database may only be made for a legitimate reason and must be recorded. Finally, it should be ensured that sufficient standards for data security are set.
ESAs’ analysis: The applicable legal acts provide the grounds for the inclusion of specific information relating to applicants in the ESAs Information System. The information included in the ESAs Information System will not be openly available to CAs but made available only upon specific request; it will be limited to information necessary for the requesting CA to identify whether this applicant previously submitted an application at another CA. Data subjects are informed through the privacy statements. Queries in respect of the database will be logged, made and addressed in line with the competence provided for this under the legal acts and in compliance with data protection regulations. The ESAs strive for high security standards. Data security, including for exchange between the requesting and requested authorities, will be in accordance with appropriate practices.
Amendments to the proposals: No change

Summary of responses received: It is proposed to include: a general obligation in the Guidelines that queries of the database may only be made for a legitimate reason and must be logged.
ESAs’ analysis: Only CAs’ staff that are involved in the fitness and propriety assessment process will have access to the ESAs Information System and introduce queries that include legal basis under applicable sectoral legislation.
Amendments to the proposals: No change

Summary of responses received: In addition, attention to the statutory deadlines as well as to the nature of each of the procedures alone must not be disregarded. Specially, we would like to call attention to the deadlines set out for adopting a decision by the authority (set out in national law and in the joint ESMA and EBA Guidelines on suitability), which should not be altered, suspended or extended under any circumstances, as a consequence of the exchange of information between authorities under the proposed Guidelines and the ESAs Information System.
ESAs’ analysis: The joint Guidelines do not have an effect on the deadlines provided by other sectoral legislation.
Amendments to the proposals: No change

Summary of responses received: 16. The requested authority should, in accordance with the principle of sincere cooperation set out in Article 4(3) of the Treaty on European Union (TEU) and reflected in Articles 2(4) of the Founding Regulations, and taking into account Union sectoral provisions and any other applicable legal acts related to sectoral provisions, respond to the request within two weeks from receipt of the request and provide the information or explain why the information can only be provided at a later date and specify that date. In any case, the deadlines applicable to the assessment at stake should not be extended or suspended by delay or absence of an answer from the requested authority. In the case of a negative assessment or a withdrawal of the application for an assessment, available information about the reasons for the negative assessment or the withdrawal should also be provided.
ESAs’ analysis: The joint Guidelines do not add any new requirements regarding the deadlines of the assessment process. They only help to improve the information exchange among the CAs operating in different Member States and in different sectors.
Amendments to the proposals: No change

Summary of responses received: 18. Where the exchange of information is impossible in accordance with paragraph 17, the requested authority should, as soon as possible but at the latest within two weeks from receipt of the request, inform the requesting authority and explain the reasons for this. If it is partially impossible to provide all the requested information, the requested authority should provide the requesting authority with the part of the information whose provision is permitted and explain the reasons for withholding other parts of the information. In any case, the absence of the required information should not alter, extend or suspend the deadlines applicable to the assessment at stake.
ESAs’ analysis: The joint Guidelines do not add any new requirements regarding the deadlines of the assessment process. The joint Guidelines only help to improve the information exchange among the CAs operating in different Member States and in different sectors.
Amendments to the proposals: No change