2025-10-15
ESMA issued this Final Report to establish consistent supervisory expectations for the governance arrangements of its supervised entities, including credit rating agencies and trade repositories. The document transforms previous prescriptive guidance into 12 high-level principles to ensure proportionate application based on entity size and complexity while maintaining a level playing field. These expectations define the management body's roles, responsibilities, and operational standards to enhance oversight effectiveness and transparency.
Final Report
Supervisory expectations for the management body
15 October 2025
ESMA84-2131909211-9912
ESMA - 201-203 rue de Bercy - CS 80910 - 75589 Paris Cedex 12 - France - Tel. +33 (0) 1 58 36 43 21 - www.esma.europa.eu
Table of Contents
1 Executive Summary
2 Overview of the Final Report
2.1 Background
2.2 Feedback statement
3 Annexes
3.1 Annex I – Summary of questions
3.2 Annex II – Cost-benefit analysis
3.3 Annex III – Final supervisory expectations
1 Executive Summary
Reasons for publication
With these supervisory expectations, ESMA aims at offering a consistent reference point for all our supervised entities regarding governance arrangements, specifically focusing on the management body. By publishing these expectations, ESMA ensures that all supervised entities are equally informed about its standards for this area. Additionally, this publication enhances transparency for potential applicants and future supervised entities.
On 8 July 2024, ESMA published a Consultation Paper (CP) on its proposed supervisory expectations for the governance arrangements of supervised entities. This Final Report includes a feedback statement, a cost-benefit analysis and the revised supervisory expectations developed taking into account the feedback received. Further information on the rationale for ESMA’s proposals can be found in the CP.
Contents
The main body of this Final Report (section 2.2) summarises the contributions received to the consultation conducted by ESMA and explains how this feedback has been considered in developing the revised supervisory expectations. Annex I sets out the list of questions contained in the CP. Annex II presents the cost-benefit analysis. Annex III lays out the full text of the final supervisory expectations.
Next Steps
ESMA will consider the supervisory expectations in Annex III for the purpose of its supervision three months following the publication of the Final Report.
2 Overview of the Final Report
2.1 Background
gather input from supervised entities and relevant stakeholders. The 15-week public consultation closed on 18 October 2024.
2. ESMA received a total of 21 responses (11 of which confidential) from credit rating agencies (8), benchmark administrators (3), securitisation repositories (2), one trade repository (1), one data reporting services provider (1), one securities exchange (1), one ESG rating provider (1) and their respective associations, as well as entities operating in a group structure offering two or more of these services including Tier 2 CCPs, benchmark administrators, trade repositories and securities exchanges (4). The 10 non-confidential contributions are available on ESMA’s website.
3. The feedback statement summarises the main aspects raised in responses to the CP and demonstrates how these contributions have been taken into account in developing the final supervisory expectations.
2.2 Feedback statement
4. Respondents to the CP were largely supportive of ESMA’s proposals to specify its supervisory expectations on entities’ governance arrangements.
5. Proposals for amendments to the guidance were mainly focused on objections to the prescriptiveness of certain supervisory expectations based on proportionality grounds and on ESMA’s lack of a legal basis to enact regulation in the field of corporate governance, particularly when the different mandates that the supervisory expectations encompass have distinct Level 1 requirements.
6. Based on this feedback, ESMA has made a number of revisions to the structure and content of the supervisory expectations, explained in the subsequent subsections of this Final Report. Notably, it has transformed the guidance into a set of 12 high-level principles, which it expects entities to build on in order to enhance their governance and oversight arrangements.
7. The more detailed supervisory expectations contained in the CP were reflected as guidance under one of the 12 principles.
Whilst ESMA expects entities to focus on the 12 core principles, we believe that the supporting guidance provides useful insights for entities into how ESMA assesses governance and oversight arrangements. However, we accept that adherence to the corresponding core principle may be achieved using a variety of approaches proportionate to an entity’s nature, scale and complexity.
Footnote 3: Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority).
2.2.1 Introduction – Questions 1 and 2
8. Respondents broadly agreed with ESMA’s proposed scope of the application. A number of respondents raised concerns about the uncertainty stemming from the principle of proportionality.
9. Several respondents raised concerns about what they perceive to be a “one-size-fits-all” approach. These contributions noted that most of the mandates in scope of the guidance have different Level 1 requirements that the supervisory expectations did not take into account.
10. Similarly, other responses expressed uncertainty on the application of the supervisory expectations to entities of different sizes and complexities. Often, it was requested of ESMA to clarify whether there is a minimum threshold of size and complexity at which the supervisory applications should start to apply.
11. One respondent highlighted that it does not see a legal basis granting ESMA the power to regulate governance arrangements at such level of granularity.
12. Another respondent noted the importance of the supervisory expectations being viewed as principles-based guidelines, as opposed to strict and enforceable regulatory requirements.
13. Respondents also stressed that third-country entities operating under the recognition or equivalence regimes should not be covered by the supervisory expectations. These contributions state that imposing governance requirements on top of these entities’ third-country legislative and regulatory requirements would amount to regulatory overreach.
14. ESMA response: ESMA would like to clarify that the aim of the document consulted on is to set out expectations and outline what ESMA considers to be best practices in relation to governance arrangements. They should be seen as guidance for both ESMA and supervised entities regarding the role and responsibilities of a management body.
The supervisory expectations are to be used as an instrument in ESMA’s supervisory dialogue with entities in the context of the effectiveness of their governance and oversight arrangements.
15. Given this purpose, ESMA recognises that the proposed text contained detailed expectations which were drafted using prescriptive language. We also take note that, despite our efforts to incorporate the principle of proportionality, uncertainty remained as to how this may be applied in practice.
16. To address these concerns, ESMA has redrafted the supervisory expectations into a set of 12 high-level principles. These principles are designed to condense the previous draft into a set of core expectations and are drafted in the form of outcomes. The more granular expectations contained in the Consultation Paper have been reflected under one of the 12 core principles as supporting guidance. ESMA remains of the view that this guidance provides useful insights for entities into how ESMA assesses governance
and oversight arrangements. However, we accept that adherence to the corresponding core principle may be achieved using a variety of approaches.
17. ESMA believes that these changes address the concerns raised by a number of respondents. By setting out the core outcomes ESMA is looking for in the set-up and operation of the management body, we create greater clarity for entities under our supervision. At the same time, focusing on high-level principles allows entities to design approaches to achieve compliance tailored to their circumstances driven by their nature, scale and complexity. This allows proportionate application and avoids a “one-size-fits-all” approach.
18. ESMA believes it is of paramount importance to maintain a level playing field. As such, we will be very mindful of the corporate governance requirements applicable in non-EU jurisdictions, and of the need for the management body of an entity located outside the EU to focus its attention on both the entity’s EU and non-EU activities. For the avoidance of doubt, we reiterate our previously stated position that in the event of any conflict with national or Union law, the requirements set out in primary or secondary legislation take precedence over the supervisory expectations.
2.2.2 The roles and responsibilities of the management body – Questions 3 and 4
19. Respondents broadly agreed with ESMA’s views on the role and responsibilities of the management body. However, there were several comments and concerns raised.
20. A number of respondents expressed confusion as to the proposed combination of the management and supervisory functions within the concept of the management body. Equally, the use of the term “executive senior management” in the supervisory expectations was viewed as unclear, as it seemed to overlap with the management function of the management body.
21.
Other respondents interpreted ESMA’s expectations to require the involvement of the management body in all day-to-day decision-making which they considered impractical. Additionally, one contribution disapproved of the description of the management body as the entity’s “ultimate decision-making body”.
22. One respondent questioned whether the management body of a subsidiary that is fully owned by a parent undertaking should be empowered to set the strategy and objectives of the entity, instead of the management body of the overarching group.
23. One respondent argued that the reference to “a sufficient level of independence from the group” contained in ESMA’s supervisory expectations could be interpreted as requiring the involvement of a minimum number of individuals who have no role in the management body or any other governance bodies of the wider group structure, which could be disproportionately burdensome.
24. A minority of respondents stressed that tone from the top should not be a responsibility of the management body, as its independent members are often too distant from employees to effectively implement it.
25. ESMA response: ESMA notes that the concepts of management body, management function and supervisory function are well established. It is not ESMA’s intention to reinvent or redefine these. Nor is it ESMA’s intention that the management body as a whole or its supervisory function are unduly involved in the day-to-day operation of the entity. It is vital for the management body to play an active role in overseeing the entity and this will, at times, involve exercising decision-making power. Principle 1 sets out ESMA’s general expectation that the management body of the entity is empowered to set and oversee the entity’s strategy and risk management framework. ESMA accepts that this outcome may be achieved through different set-ups, for example where the entity is part of a wider group. As a result, the expectations addressing these scenarios have been reflected in the supporting guidance relating to Principle 1.
26. Principle 2 describes ESMA’s expectation that the management body of the entity is and remains accountable as its key oversight body. This wording has been revised to address the concerns with the description of the management body as the entity’s ultimate decision-making body.
27. In Principle 3, ESMA sets out its expectations regarding the effective challenge provided by the supervisory function of the management body.
28. ESMA accepts that where the management body at group level determines a global business strategy, the management body of subsidiaries will be limited in its ability to set the entity’s entire business strategy. However, in ESMA’s view and in line with Principles 1, 2 and 3, this should not result in an entirely passive role by the management body of the subsidiary. Instead, it remains fully accountable for the subsidiary’s strategy and compliance with all applicable EU regulatory requirements.
To this end, it should be kept well informed of the group-determined business strategy and ensure a good understanding of how this strategy will be implemented by the entity it oversees. Where the management body considers that the planned implementation poses risks to the entity’s ability to meet its regulatory obligations, it should adopt measures to ensure that this does not happen.
29. ESMA would like to take this opportunity to clarify that, under para. 61 of the CP, entities may choose to appoint the same individual as a member of multiple management bodies within a wider group structure. However, in line with Principle 1, when acting in their capacity as a member of the management body of the entity, such individuals should take decisions in the best interests of the entity. As a result, ESMA considers that the management body of the entity and its members should act sufficiently independently from any group structure they may be part of.
30. ESMA considers tone from the top to be an important part of how a management body steers the direction of and conduct within the organisation it oversees. ESMA further acknowledges that senior and middle managers have a vital role to play in operationalising the tone from the top and underlines that the supervisory expectations are not looking to shift this responsibility to the members of the management body. Instead, ESMA considers that the management body should actively agree the tone from the top it wishes to establish within the organisation. As set out in the CP, this
includes a consideration of the key formal and informal incentives that determine corporate culture. This expectation has been reflected in Principle 4.
31. ESMA acknowledges that we used the term “executive senior management” within the CP without providing a clear definition which has led to some confusion. We have now included a definition in the document which makes clear that we focus on the most senior persons directing the supervised entity on a day-to-day basis which is typically the CEO or equivalent and his/her direct reports.
2.2.3 Operation of the management body and role of the chair – Questions 5, 6 and 7
32. Respondents generally agreed with ESMA’s expectations regarding the operation of the management body. Most comments related to the keeping of records and the role of the chair.
33. Concerns were raised by one respondent about the recording of pre-meetings of the management body or committees, on the basis that doing so could undermine the valuable distinction between meetings (which are minuted) and pre-meetings (which are not), each serving a different purpose.
34. A minority of contributions questioned the necessity and benefits of requiring individuals to be explicitly named in meeting minutes, alluding to privacy concerns.
35. Another respondent disagreed with the need for records to capture “key points of discussion including key contributors and dissenting voices”, as this may inadvertently deter participants from engaging in open and honest exchanges of diverse perspectives. Moreover, such records may oversimplify or misrepresent the complexity and nuance inherent in decision-making processes.
36. Several respondents claimed that the chair should not be required to be a non-executive member of the management body. The consultation feedback also suggested that instead of a reference to “standard term”, the supervisory expectations should clarify that entities should not appoint chairs on a rolling basis.
37.
One respondent asserted that the chair should not be tasked with overseeing the appropriateness of the management body's composition.
38. One respondent argued that establishing a defined role for the chair would imply the necessity of appointing multiple individuals to the management body, which contradicts existing legal requirements.
39. ESMA response: ESMA has condensed the relevant sections of the CP into Principles 5 (operation of the management body), 6 (effective reporting), 7 (control function access to the management body), 8 (record keeping) and 9 (effective leadership).
40. ESMA understands the concerns raised regarding the recording of pre-board meetings and we agree with the views expressed by respondents that decisions should be taken
solely by the full and formally convened management body as opposed to within pre-board meetings. Therefore we have removed the expectations discussing pre-board meetings and are retaining our expectation in Principle 8 that appropriate records of meetings of the management body should be kept. In the supporting guidance we have also removed reference to individuals being named in minutes as we believe that this expectation is too granular. Nevertheless, ESMA reiterates that it is vital for a management body’s effective functioning that its members challenge decisions and stimulate debate.
41. Principle 9 now sets out ESMA’s high-level expectation that the management body is led effectively. In our view and experience, this role is typically performed by the chair of the management body. However, ESMA accepts that firms may find alternative approaches to achieving this outcome.
42. ESMA would like to reiterate our stance expressed in paragraph 35 of the CP that we did not intend to require entities to appoint independent non-executive directors as chairs. Rather, we believe that the role of the chair is non-executive in nature. As we noted in the CP, this “highlights that the role of the chair is to allow the management body to carry out its crucial role of providing challenge to executive senior management. This may be harder where the chair of the management body is also the CEO or equivalent of the entity and requires the application of the principle of independence of mind as mentioned above.” We have clarified this in the principles.
43. ESMA accepts that the reference to a standard term in the context of the role of the chair is unclear. As pointed out by some respondents, ESMA’s intention is to highlight that the appointment of a chair on a rolling basis carries risks for the effectiveness of the role.
Therefore, the text has been refined to reflect this concern and express our expectation that the chair is appointed for an appropriate period of time to prevent discontinuity in leadership.
44. ESMA recognises that the role of the chair is typically to lead efforts to ensure that the management body’s collective skillset and composition remain appropriate, whilst the responsibility for this may reside elsewhere, e.g. the management body as a whole or the shareholders. Nevertheless, ESMA believes that the chair should play an important role in this process and guide the interactions with the relevant stakeholders. ESMA has therefore amended the relevant supporting guidance.
2.2.4 Effectiveness and composition of the management body – Questions 8 and 9
45. Respondents generally agreed with ESMA’s expectations regarding the effectiveness and composition of the management body.
46. Some respondents conveyed disappointment over the categorisation of the appointment of the same individual to multiple management bodies as a risk to dedication and focus to the regulated entity. Rather, these contributions viewed this as a potential risk that might be more relevant to groups with disparate operations and regulatory environments.
47. Some contributions mentioned that, as long as the principles on recruitment and diversity are enshrined in existing policies or corporate documents, they should not necessarily have to be transposed into a dedicated recruitment and diversity policy.
48. A minority of contributions voiced concerns on what were seen as burdensome review requirements. Some questioned the need for the performance of third-party effectiveness reviews other than in exceptional circumstances. Others proposed that succession and recruitment planning should not be part of regular reviews.
49. Several responses indicated the need for tailored individual training at executive director level, noting that it would be inappropriate for these individuals to undertake the normal staff-level inductions. On the other hand, a minority of respondents suggested that establishing a formalised training plan for individual members of the management body would be disproportionate for smaller entities. One response claimed that training should not be among the responsibilities of the management body.
50. ESMA response: The supervisory expectations contained in this section of the CP have been condensed into Principles 10 (composition of the management body), 11 (reviewing effectiveness) and 12 (training and recruitment).
51. The supervisory expectations already acknowledged that there are potential benefits to individuals serving on multiple management bodies. Whilst ESMA accepts that the risk of lack of focus on individual entities within a group is more prevalent in groups with disparate operations or regulatory environments, it does not believe that it is entirely absent in groups with global operations and largely equivalent regulatory environments. In ESMA’s view, asking individuals to serve on multiple management bodies will inevitably divide their attention. Therefore, this has been described as a risk which entities should be aware of and manage effectively.
52.
ESMA believes succession and recruitment planning is a vital component of ensuring the continued effectiveness of a management body. This, however, is not to say that the management body should have sole responsibility for the succession and recruitment of new directors. ESMA accepts that in most entities, such decisions must involve a number of stakeholders, including shareholders. However, ESMA believes that regular reviews of the effectiveness of succession and recruitment plans should be used to inform such decisions.
53. ESMA acknowledges that depending on the type of review chosen, this can be time and resource consuming for entities. Therefore, the supervisory expectations explicitly refer to the use of the proportionality principle when choosing the type of review. ESMA understands that the most intensive tools may only be used for specific circumstances that may include, but are not limited to, changes in governance arrangements, but also failures or near-misses in the oversight provided by the management body. As part of the redrafting of the supervisory expectations, ESMA has included the expectation to carry out a regular effectiveness review in Principle 11. The more detailed expectations regarding the scope and type of review have been reflected in the supporting guidance. This reflects ESMA’s belief that these parameters should be determined by the management body depending on the entity’s individual circumstances.
54. ESMA believes that diversity of its membership is an important driver of the effectiveness of a management body. Therefore, we continue to expect that supervised entities make meaningful efforts to increase or maintain the diversity of their management bodies. However, in an effort to reduce the granularity of our expectations, we have removed the expectation to establish a diversity policy and to set concrete diversity objectives.
55. ESMA acknowledges that the establishment of a formalised training plan for individual members of the management body might be burdensome for some entities. As a result, we have amended the relevant supporting guidance to explain that our expectation is for training plans to be appropriate in line with the entity’s nature, scale and complexity.
56. ESMA accepts that training should be tailored to the individual director and their executive or non-executive role. We have therefore amended the supporting guidance accordingly.
2.2.5 Additional comments – Question 10
57. Respondents also provided comments on the fact that certain entities carrying out a similar activity are not subject to the same governance requirements, such as DRSPs supervised by NCAs.
58. Other participants remarked upon the absence of a reference in the supervisory expectations to conflicts of interest management within the management body.
59. ESMA response: ESMA acknowledges that NCA-supervised DRSPs are not covered by our supervisory expectations. ESMA is in regular dialogue with NCAs to share information on supervisory practices. Where we believe that there is a significant difference in approach between ESMA and the NCAs, we may carry out work to achieve greater convergence.
60. ESMA agrees that effective management of conflicts of interest within all entities under our supervision is an essential part of their internal control frameworks. This applies to all employees of an entity, in particular the members of its management body.
As we have laid out in the supporting guidance relating to Principle 4, ESMA considers that the members of the management body should lead their organisation with strict adherence to behavioural standards, including conflicts of interest.
3 Annexes
3.1 Annex I – Summary of questions
Q1: Do you agree with the proposed scope of application of these supervisory expectations? If not, please explain.
Q2: Do you agree with the proposed approach to proportional application?
Q3: Do you agree with the expectations regarding the role and responsibility of the management body? If not, please explain.
Q4: Do you expect that adherence to the expectations set out in this section would be overly burdensome or otherwise difficult for your entity? If so, please explain.
Q5: Do you agree with the expectations regarding operation of the management body? If not, please explain.
Q6: Do you agree with the expectations regarding the role of the chair? If not, please explain.
Q7: Do you expect that adherence to the expectations set out in this section would be overly burdensome or otherwise difficult for your entity? If so, please explain.
Q8: Do you agree with the expectations regarding the effectiveness and composition of the management body? If not, please explain.
Q9: Do you expect that adherence to the expectations set out in this section would be overly burdensome or otherwise difficult for your entity? If so, please explain.
Q10: Are there any topics or areas that you would have expected to be covered or covered in more detail? If so, please explain.
3.2 Annex II – Cost-benefit analysis
61. ESMA has consulted market participants on its preliminary cost-benefit analysis (CBA). As outlined throughout the feedback statement, we have made changes to the supervisory principles so as to be clearer that entities are able to rely on the principle of proportionality in order to achieve the outcomes described. We have reflected these changes in the section on proportionality.
Options / Qualitative description
Objective
The objective of these supervisory expectations is to communicate a harmonised approach to ESMA’s supervision of an entity’s governance structures and practices to supervised entities within ESMA’s supervisory remit. By delivering a common approach, where feasible and practical, ESMA will streamline its own supervisory processes and promote a common level of conduct within the relevant entities.
Benefits
ESMA considers that by setting out our supervisory expectations in relation to governance and oversight arrangements it will provide additional clarity on ESMA’s expectations in this area and ensure a level-playing field for new applicants considering applying for registration. In addition, the publication of our expectations together with the efforts by the entities under our supervision to adhere to them, should result in the further strengthening of industry practice in this space.
Costs to entities
ESMA assesses that adherence to the expectations will result in limited additional costs for the entities affected. Firstly, adherence with most expectations will require updates to existing policies and procedures or terms of reference. Some expectations may require entities to consider previously untouched areas, such as a full formulation of a management body’s tone from the top. Very few expectations may result in substantial additional work, most notably in relation to the review of the effectiveness and composition of a management body.
ESMA considers that none of the expectations would require entities to recruit additional employees or procure IT systems. Secondly, for entities which are smaller, have limited scope and a low complexity of operation, the expectations provide for them to seek adherence in a manner proportional to their position. Lastly, ESMA’s expectations draw extensively on concepts used in existing international and EU standards. This should ensure that ESMA’s expectations do not go over and above what might
be required at national level or within other jurisdictions which the entities under our supervision are active in.
Costs to regulator
The proposed supervisory expectations are not considered to propose any significant or additional costs to ESMA. The purpose of the expectations is to allow for a consistent and harmonised approach to supervision across ESMA supervisory mandates. As such they are intended to reduce conflicting or overlapping approaches to supervision across ESMA supervisory mandates.
ESG-related aspects
The supervisory expectations on the management body are intended to ensure a harmonised and consistent approach to ESMA’s supervision of an entity’s governance arrangements. As a result, all issues discussed in this CBA are of relevance to the ESG-related aspects.
Innovation-related aspects
Innovation-related aspects are not of direct relevance to the specific nature of the proposed supervisory expectations.
Proportionality-related aspects
ESMA has redrafted our supervisory expectations into 12 Core Principles with additional supporting guidance. These 12 Principles set out the outcomes we would like entities to achieve in relation to their governance and oversight arrangements. However, ESMA accepts that there may be different approaches to achieve these outcomes which will be linked to the entity’s nature, scale and complexity. ESMA foresees that larger, more complex entities with more significant scale may have more arrangements that are performed more frequently, with a higher intensity and/or which are more sophisticated than smaller, less complex entities with more focused business models.
3.3 Annex III – Final supervisory expectations
A. Definitions
Management Body
The body or bodies which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity. For the purpose of this document, this refers to the most senior governing bodies within an organisation. The term is defined in BMR, Article 3(1), point (20) and in MIFIR, Article 2(1), point (22). It covers the concepts of:
• ‘administrative or supervisory board’, of a CRA, [being part of the ‘senior management’, as defined in CRAR, Article 3(1), point n)]
• ‘administrative or supervisory board, or both, in accordance with national company law’, as defined in EMIR, Article 2(27)
Supervised entities
For the purpose of these supervisory expectations, this refers to the entities directly supervised by ESMA, namely:
• Benchmark Administrators (BMAs) of EU critical benchmarks and third-country recognised benchmarks
• Third-country CCP that are systemically important or likely to become systemically important for the financial stability of the Union or of one or more of its Member States (Tier 2 CCPs) pursuant to Article 25(2a) of EMIR.
• CRAs
• DRSPs
• SRs
17 • TRs Executive Senior Management The most senior persons directing the supervised entity on a day-to-day basis. This is typically the Chief Executive Officer (CEO) or equivalent and his/her direct reports. B. Introduction Scope of application
6. Where this document refers to the management body, the principles set out apply to all its members. Otherwise, the document refers to the management body in its supervisory or management function in order to set out principles which apply only to these respective parts. It is noted that this document does not set out principles regarding the fitness and propriety of individuals carrying out specific functions (e.g. CEO, Independent Non-executive Directors etc.).

Structure of the document

7. This document sets out twelve principles which describe outcomes which ESMA believes each supervised entity should seek to achieve to ensure the robustness and effectiveness of its governance and oversight arrangements. These core principles are supported by guidance. This additional guidance sets out ESMA’s views of good practice.

Outcome-based supervisory approach

8. ESMA accepts that a supervised entity’s individual circumstances may mean that the detail set out in supporting guidance is not applicable or does not represent the most effective way of achieving the outcome set out in the corresponding core principle. Supervised entities’ individual approaches may be tailored to the specific circumstances of each supervised entity which are in turn closely linked to the nature, scale and complexity of the organisation.

9. ESMA intends to use these principles as the basis for our supervisory engagements with entities. When assessing the robustness and effectiveness of a supervised entity’s governance and oversight arrangements, we will refer to the principles set out in this document. Supervised entities should therefore consider how they adhere to these principles.

10. When assessing the nature of an entity, ESMA will consider the business and type of operations of the entity, including its market role/mission, type, diversity and criticality of products and services offered.
11. When assessing the scale of the business, ESMA will have regard to relevant factors including headcount, revenue, number of clients and products, market share, interconnections with other industries/infrastructures, ancillary services and their relationship with core services and other factors specific to the size and market impact of the entity.

12. When assessing the complexity of an entity, ESMA will consider amongst other factors, its organisational structure and arrangements (group structure / relationships, shared services, outsourcing, etc.) as well as its operational characteristics with regard to people, processes, technology, product offerings and interconnections.
13. When assessing the overall risk profile of an entity, ESMA will consider amongst other factors, its risk exposure, the strength and maturity of its internal control environment, its business culture, attitude and prevailing behavioural patterns.

14. As an example, entities of smaller sizes and with a lower level of complexity can adhere to the principles by designing processes which are applied less frequently and/or with less intensity when compared to entities which are larger and have more complex business activities.

C. The role and responsibilities of the management body

Principle 1 – Responsibilities of the management body

15. The management body of an entity is empowered to set the entity’s strategy, objectives and overall direction. The management body is responsible for setting and overseeing the entity’s risk management framework, including its risk appetite.

Supporting guidance – general role

16. The duties of the management body are clearly defined, distinguishing between the duties of the management (executive) function and of the supervisory (non-executive) function.

17. The management body has the appropriate legal authority to fulfil its mandate, in accordance with applicable law.

18. The management body’s role, responsibilities and operation are set out in formal documentation. Such documentation may take the form of terms of reference.

19. The management body formally establishes and documents roles and responsibilities of the internal control functions and approves any material changes thereto.

Supporting guidance – strategy setting and implementation

20. Where the entity’s business strategy is determined by the management body in its management function, the supervisory function is appropriately involved, in particular where the entity’s ability to continue to meet its regulatory obligations could be affected.

21. Where the entity is a subsidiary of a group, the group’s business strategy may to a large part determine the strategy of its subsidiary.
Nevertheless, the management body maintains full accountability for the entity’s strategy. It maintains a good awareness of the group’s overall business strategy and the role played by the entity as the subsidiary in its implementation. To that extent, the management body of the entity is provided with sufficient notice of any group-level discussions which may affect the entity. Where the management body of the entity considers that key strategic initiatives may lead to the entity failing to meet its regulatory obligations, it intervenes.

Supporting guidance – risk management oversight

22. The management body has a comprehensive understanding of the risk universe [5] applicable to the entity and the risks’ relative likelihood and impact.

23. The management body approves and regularly reviews the entity’s risk appetite and risk tolerance levels in relation to the key risks. The management body receives information on the status and development of key risks against risk appetite directly from the Heads of the internal control functions.

24. Where the information reported to the management body indicates that operations are not in line with the risk appetite, the management body ensures that appropriate mitigation action is taken.

Principle 2 – Accountability and delegation

25. The management body is the key oversight body in relation to all matters relating to the supervised entity. Where certain responsibilities are delegated, for example to committees, the management body remains accountable for them.

Supporting guidance

26. The management body receives all necessary information to carry out its oversight role in a timely manner.

27. The delegation of certain responsibilities by the management body and the corresponding process are set out in formal documentation.

Principle 3 – Effective challenge

28. The supervisory function oversees and challenges the management function of the management body. The management function is responsible for the day-to-day management of the entity and the implementation of the strategy set by the management body as a whole.

29. Members of the management body in its supervisory function are collectively able to effectively provide such oversight and challenge.
[5] A risk universe is a list of the risks an entity faces, which can be combined with an assessment of each risk’s severity of impact and likelihood of occurrence.

Supporting guidance
30. Where the management body in its supervisory function considers that key strategic initiatives or risk exposures may lead to the entity failing to meet its regulatory obligations, it intervenes in a timely manner, requiring remedial actions and overseeing their implementation.

Principle 4 – Tone from the top

31. The management body of the entity is responsible for setting the tone from the top. [6]

Supporting guidance

32. The management body of the entity agrees on the corporate culture it intends to establish within its organisation and how it will effectively communicate it.

33. The management body is mindful that the tone from the top is expressed through different means of communication, for example the entity’s business strategy or a code of conduct. It is also reflected in the entity’s incentive structures, including its approach to remuneration.

34. It is also demonstrated through the actions and behaviours of members of the management body and executive senior management and their alignment with the stated ethical values.

35. Executive senior management and middle managers recognise their importance in implementing the tone from the top.

36. The management body seeks to monitor and assess the prevalent corporate culture at the entity.

D. Operation and leadership of the management body

Principle 5 – The operation of the management body

37. The management body holds regular and effective meetings, allowing it to oversee the entity’s business. Meetings are conducted in a way to ensure open and comprehensive discussions and clear decision-making.

Supporting guidance

38. The management body meets at an appropriate frequency in proportion to the nature, scale and complexity of the entity it oversees. Meetings are of sufficient length so as to allow the meaningful discussion of key items and the active participation of all members of the management body.
[6] The term describes the efforts to ensure a positive corporate culture that promotes and rewards honesty and integrity as well as compliance with rules and regulations.
39. The management body in its supervisory function and in its management function interact effectively. Both functions provide each other with sufficient information to allow them to perform their respective roles.

40. Members of the management body act with independence of mind. For instance, all members engage actively and are able to make their own sound, objective and independent decisions and judgments when performing their functions and responsibilities.

Principle 6 – Effective reporting

41. Reporting to the management body is designed to provide it with a comprehensive, risk-focused view of the operations of the entity. It allows the management body to discharge its responsibilities, including making decisions when required.

Supporting guidance

42. Reports to the management body ensure a balance between providing a comprehensive overview of a proposal or issue and the need to be concise. Reports indicate clearly whether a decision is being sought or whether the item is brought for input or simple notification.

43. In addition to the control functions, reporting should also include first-line and support functions, such as IT, business development and other core operational areas.

44. Where the management body’s management and supervisory functions are carried out by two separate bodies (e.g. in dual board structures), reporting to each body is meaningful and allows its members to carry out their respective functions. Whilst reporting to the supervisory function may be focused on exceptions, key risks and initiatives, it is still sufficiently comprehensive to allow for the effective oversight of the entity.

45. The management body provides regular feedback on the quality of the reporting it receives and what improvements might be made, or additional topics might be covered.
Principle 7 – Control function access to the management body

46. Given their independent role, internal control functions have unfettered access to the entity’s management body in its supervisory function. Members of the management body’s management function and executive senior management do not prevent or interfere with the direct communication between the management body in its supervisory function and the internal control functions.

Supporting guidance

47. Where an entity outsources some of its internal control functions to other entities within a group, these internal control functions regularly report and seek discussion with the entity’s management body.

Principle 8 – Record keeping

48. The entity ensures that a comprehensive, accurate and impartial internal record is maintained of each meeting of the management body.

Supporting guidance

49. Records of the meetings of the management body capture the key points of discussion, any decisions made and their corresponding rationale and agreed actions.

50. Records of the meetings of the management body are maintained in electronic format and enable the tracking of agreed actions by assigned action owners, timelines and deliverables.

Principle 9 – Effective leadership

51. The management body’s work to oversee the entity’s strategy and risk management is led effectively by one of its members.

Supporting guidance

52. The member leading the work of the Management Body is typically the chair of the management body. In structures where the supervisory function and the management function of the management body are formally separated into two bodies, this role may be performed by the chair of the management body in its supervisory function.

53. The chair is appointed for an appropriate period of time to ensure continuity and effectiveness of leadership. The chair’s role is non-executive in nature in order to facilitate the management body to carry out its crucial role of providing challenge to the executive senior management.
54. In cooperation with the relevant stakeholders, the chair leads the effort to ensure the composition and collective skillset of the management body remains appropriate, given the nature, scale and complexity of the business (see section E).

55. The chair of the management body takes responsibility for its effective overall functioning and contributes to an efficient flow of information within the management body and between the management body and the committees thereof, where established.

56. In consultation with executive senior management and other members of the management body, the chair determines the agenda for each meeting, ensuring appropriate prioritisation of key topics.

57. The chair encourages and promotes open and critical discussion and ensures that dissenting views can be expressed and discussed within the decision-making process.

58. The chair leads efforts to review the effectiveness of the management body and design appropriate mitigation where gaps are identified (see section E). The chair also takes responsibility for ensuring the management body and its individual members adhere to high standards of integrity and conduct.

E. Composition and effectiveness of the management body

Principle 10 – Composition of the management body

59. In line with its nature, scale and complexity, the entity ensures that the management body has an appropriate number of members. At both collective and individual levels, the management body has the skills, experience and knowledge required to perform its role and duties.

Supporting guidance

60. The entity is mindful that whilst the skillset requirements of members of the management and supervisory functions of the management body overlap, they may also differ. These differences are reflected in the entity’s approach to recruitment and training (see principle 12).
61. The entity considers the time commitment needed by members of the management body and makes this transparent to existing and prospective members. Prospective members in turn agree to such time commitment before joining the management body.

62. Members of the management body have a sufficient understanding of the entity’s activities and the risks such activities entail. The skillset of the management body evolves with the business and the environment it operates in to prevent the development of oversight gaps.

63. In accordance with the nature, scale and complexity of its business, the entity ensures that a broad set of qualities and competences are considered when recruiting members to the management body.

64. Some entities may choose to appoint the same individual as a member of multiple management bodies within a wider group. Whilst this may have certain benefits, it can also hamper the individual’s ability to dedicate sufficient time to and focus on the supervised entity. Where entities choose this approach, they consider how they will mitigate this risk and regularly review the effectiveness of their arrangements (see principle 11).

Principle 11 – Reviewing effectiveness

65. The management body regularly reviews its own effectiveness.

Supporting guidance

66. Reviews of the management body’s effectiveness cover an appropriate spectrum of its operation and interaction with key stakeholders. This may include:
• The operation of the management body: meeting frequency, length, agenda, management information; the quality of discussions and the effective participation of all members; follow-up of raised concerns and agreed actions
• The management body’s communication with key stakeholders within and outside the entity, including the tone from the top
• The continued adequacy of the management body’s collective skillset
• The time commitment required of members of the management body
• The management body’s training and education needs
• Succession and recruitment planning

67. The frequency of such reviews and their form is proportional to the nature, scale and complexity of the entity.

68. Reviews can take the form of, inter alia, self-assessments by the members of the management body, interviews with members carried out by the chair, a review by Internal Audit or the appointment of a third party with experience of carrying out board effectiveness reviews.

Principle 12 – Training and recruitment

69. The management body has a detailed view of the individual and combined skillsets it requires in order to ensure effective oversight of the entity. It seeks to close existing or anticipated skills gaps through a mix of individual and collective training as well as recruitment.

Supporting guidance

70. In line with its nature, scale and complexity, the entity establishes appropriate training plans for the members of its management body, including external and/or specialist training where particular skills gaps exist.

71. All new non-executive members of the management body, or newly-hired executive members, should receive a sufficiently comprehensive induction training, tailored to the individual’s existing knowledge and experience. Typically, this may include the entity’s business model and strategy, governance and departmental structure, approach to risk management, internal control and regulatory compliance and key policies and procedures.