Financial Services

ESAs run second public consultation on joint guidelines on the exchange of information relevant to fit and proper assessments

Written by

Dr. Michael Huertas

RegCORE Client Alert | Banking Union | Capital Markets Union | Insurance Union


On 7 December 2023 the three European Supervisory Authorities (ESAs) comprised of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) launched a second public consultation on the joint guidelines on the system for the exchange of information relevant to fit and proper assessments (the Guidelines, in the format published by the ESAs on 5 December 2023).

This short consultation is open until 15 January 2024 and covers amendments extending the scope of the Guidelines to legal persons, thereby ensuring the complete coverage of data subjects. The ESAs invite comments only on the inclusion of legal persons in the scope of the Guidelines and the information exchanged in relation to them. Other comments will not be considered as these were in-scope of the first consultation which is now closed.  

Overall, the Guidelines aim to increase the efficiency of information exchange between sectoral supervisors (i.e., the relevant national competent authorities – NCAs) by harmonising practices covering both natural and legal persons in relation to the “joint system” – the ESA Information System (ESA-IS). The Guidelines are part of the ESAs delivering on their institutional mandate (in accordance with Article 31(a) of their founding legislation) to jointly establish a system for the exchange of information relevant to the assessment of the fitness and propriety of holders of qualifying holdings, directors and key function holders of financial institutions by relevant NCAs.

This Client Alert, which should be read in conjunction with other analysis from our EU RegCORE, summarises the impacts of the Guidelines on the fit and proper assessments of firms operating or applying to do so across the EU-27 and how relevant data will be used and shared in the ESA-IS. The ESAs aim to finalise the Guidelines by July 2024 as each NCA will have to confirm in a “comply or explain” process whether they will apply the Guidelines and thus ESA-IS and equally by when, including taking into account the time necessary to feed historical data into the ESA-IS before the scheduled go-live. The ESAs anticipate that ESA-IS will go live for the exchange of information relevant to the assessment of fitness and propriety in 2024 or 2025 at the latest.

Key takeaways from the Guidelines

In the EU, the European System of Financial Supervision (ESFS) (comprised of the ESAs, the NCAs and in the context of the Banking Union – equally the respective competent authorities participating therein) as well as the Single Rulebook for financial services place great emphasis on fit & proper assessments and on-going compliance with respective standards throughout the supervisory lifecycle. This builds on the supervisory aim that adequate governance of supervised firms can be attained only if those who control or manage such firms are fit and proper, and if those who are not fit and proper are effectively barred from entering such roles. In order to attain such results, suitable and proper assessments by NCAs and other competent authorities are crucial, and unquestionably, access to any relevant information by these authorities is a basic requirement for the accomplishment of such assessments.

Importantly, fit & proper assessments are not just conducted during a regulatory licensing phase but also upon the (re-)appointment of directors and key function holders as well as in the context of a change in their circumstances or in the change of ownership or change or extension of holders with a qualified participating interest in a supervised firm or group. Equally, the scope of fit & proper assessments is not just limited to those natural persons that are subject to individual accountability standards in respective EU-27 jurisdictions but extends equally to legal persons or other persons that are qualifying holders of a supervised firm and/or its group (i.e., those that can exercise control over, or have a direct or indirect shareholding (capital or voting rights) of 10% or more in, the supervised firm).

The competent authorities in the ESFS responsible for conducting fit & proper assessments will be, following go-live of the Guidelines, expected to incorporate the pertinent information in the ESA-IS in accordance with the Guidelines and the ESA-IS operating rules. The overall aim of the ESA-IS is to assist competent authorities in locating other competent authorities that have undertaken an assessment procedure for a person of interest. The Guidelines are clear in stating that before a competent authority conducts a fit and proper assessment of a (natural or legal) person of interest in accordance with relevant EU legislative requirements, that competent authority should use the ESA-IS to check whether there is any other competent authority that holds information on that relevant person of interest. All of this aims to improve the efficiency of the fit and proper assessments. Simultaneously, in accordance with the relevant data protection regulations, only essential and relevant information will be retained in the system, available only to those with a legitimate need to access it.

The transfer of pertinent information about the evaluation of the suitability and appropriateness of an individual will occur directly between the respective competent authorities, in accordance with the relevant regulatory framework, outside of the ESA-IS. Although these Guidelines facilitate the sharing of information between competent authorities, it is important to note that providing information does not absolve the competent authority from conducting their own fit & proper assessment. Every evaluation adheres to the relevant sector-specific criteria and takes into account the specific circumstances under which the assessment is conducted. The outcome from each new assessment may consequently vary from the outcome of a prior evaluation.

The ESAs have, independently of the public consultation, conducted a data protection risk assessment and reached out to the European Data Protection Supervisor to ensure that the ESA-IS and Guidelines adhere to the EU’s relevant data protection regulations. Accordingly, information entered into the ESA-IS for both natural and legal persons will be kept in the system for a maximum period of 15 years from the date of entry by the competent authority and then automatically deleted from the ESA-IS except where the relevant person is still subject to fitness and propriety requirements. In derogation from this approach, competent authorities may, having notified the ESAs thereof, apply shorter retention periods. Where such periods have been applied in line with national legislation, data should be removed from the ESA-IS by the competent authority following expiry of such shorter period. Equally, personal data may be lawfully requested to be removed by relevant persons of interest.


As the Guidelines are finalised and ESA-IS becomes operational, further updates from our EU RegCORE will be made available. In the interim, relevant supervised firms may wish to:

  • establish or improve their internal controls, policies and procedures for identifying, assessing and reporting any change in the circumstances or qualifications of their directors, key function holders and/or with respect to qualifying holders so as to reinforce on-going compliance with fit and proper requirements; and
  • assess and evaluate the scope and breadth of existing fit and proper assessments that may have been submitted and approved (or not as the case may be) across the respective ESFS and to ensure that this information is, to the extent not already the case, recorded centrally.

In the short to medium term, improving standards of what is collected by competent authorities with respect to whom and by when as well as centralisation of information held by respective supervised firms may allow for better strategic steering of their supervisory engagement with the respective competent authorities. It may also serve as a good means of correcting information where it is incorrectly or incompletely recorded in ESA-IS or otherwise held by a competent authority in the ESFS. This approach may be useful both for historic assessments as well as on a going-forward basis both as ESA-IS begins operation and equally as respective fit & proper guidelines (see separate coverage on both the ESAs and the Banking Union authorities’ rules in this area) may change over the next supervisory cycles.

Over the longer term, such centralisation may also benefit from equally capturing such information that has been shared in similar fit & proper assessments conducted by respective authorities in non-EU jurisdictions, in particular if the EU looks (or ahead of any pan-EU rulemaking response, individual Member States take action) to further build upon fit & proper requirements and introduce more comprehensive individual accountability regimes as is already the case in certain Member States and supervisory priorities of individual NCAs.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as to proactively engage with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.  

Moreover, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.   

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via or our website.