On 17 August 2022 the European Central Bank (ECB) acting in its role at the head of the Banking Union's Single Supervisory Mechanism (SSM) published an article in its August edition of the Supervision Newsletter entitled "Licensing of crypto-asset activities."1 The article caused a wave of positive responses even if the ECB-SSM does not and has not intimated that it will authorise those persons that qualify as crypto-asset service providers (CASPs) under the EU's Markets in Crypto Assets Regulation (MiCA) which at the time of publication of that article is still going through various steps in its legislative journey and will likely only be finalised at the end of 2022 or start of 2023 with various other parts of that new framework coming into full force by 2025.

What the Supervision Newsletter article however does do quite well is raise the importance of the ECB-SSM's role, in the Banking Union, as the ultimate decision-maker for authorisations of Banking Union supervised institutions (BUSIs) i.e., credit institutions (banks) (as well as certain MiFID investment firms) along with financial holding companies (FHCs) and mixed financial holding companies (MFHCs) as well at those credit institutions that the ECB-SSM terms "fin-tech credit institutions" (FCI) – the latter are authorised credit institutions2 which undertake services relating to cryptoassets albeit they will not be regulated nor supervised as a CASP by the ECB-SSM.3

On 23 March 2018, the ECB-SSM published the following two supervisory guides on license applications (which remain in force, without much alteration – save for additions to the GLAG resulting in a second revised edition being published January 2019)4 :

  1. The General License Application Guide – second revised edition (GLAG II) 5 ; and
  2. The FCI License Application Guide (FLAG) 6 .

Both the GLAG II and FLAG despite being supervisory guidance read very much like rules.7 Moreover, they should also be read in conjunction with various Regulatory Technical Standards (RTS) that apply under EU law, notably on the information requirements and the common assessment methodology for the authorisation of credit institutions, as published by the European Banking Authority (EBA).8 These supersede and take precedence of requirements that may be included in forms published by national competent authorities (NCAs) as well as forms that have been harmonised, at the EU-level, for authorisation processes relating to MiFID II investment firms (including those, that as a result of the EU's Investment Firms Regulation and Directive (IFR/IFD) regime may be or become subject to ECB-SSM supervision).9 The GLAG II and FLAG should also be read in conjunction with the ECB-SSM FHC/MFHC Authorisation Guide (the (M)FHC License Application Guide – the (M)FHC Application Guide).10

While NCAs serve as the entry point for the authorisation and licensing process, the ECB-SSM is the ultimate decision maker for all licensing decisions (granting as well as withdrawals) in the Banking Union. The ECB-SSM has specific supervisory powers granted under EU law as well as those not explicitly mentioned therein but which are included under national law.11 Ultimately the ECB-SSM is the gatekeeper of what it terms "common procedures" applicable to ECB and NCA responsibilities in the context of Banking Union and both GLAG II and FLAG form part of such common procedures.

This Client Alert summarises the contents of the various ECB-SSM guides as well as the ECB-SSM's supervisory expectations, including in the Supervision Newsletter article and how these requirements and expectations apply to applicants.

Harmonisation of the authorisation process using an adaptive and jurisdiction agnostic approach as well as providing clarity on CRR/CRD IV concepts

A core overarching priority of the ECB-SSM's Banking Union mandate is to drive harmonisation of rule interpretation as well as uniform application of supervisory principles and practices. This also specifically applies to licencing applications by introducing "common procedures". These common procedures are "jurisdiction agnostic" i.e., they operate across the Banking Union identically, while concurrently allowing for interoperability with existing national standards and processes and thus a certain degree of flexibility. All of this aims to ensure the SSM's application of the EU's Single Rulebook for financial services across the Banking Union is truly more single.

The GLAG II and FLAG, in addition to harmonising supervisory processes and conveying specific supervisory compliance objectives, broaden the scope of the EU's Single Rulebook, as applied inside the Banking Union. This is accomplished by introducing the notion of an FCI as a new sub-category of a credit institution without requiring a legislative revision to the definition of "credit institution" as stated in the CRR/CRD IV framework. Similarly, the GLAG II and FLAG provide explanations on specific terms used in the EU-wide prudential capital regulation when applied in the Banking Union.

The requirements set in the GLAG II and FLAG are complementary to one another. As a result, an aspiring FCI applicant will need to take note of and comply with the requirements set out in each of these Guides. Equally, these Guides are intended to allow for flexibility of how the common concepts and approaches applied by the ECB-SSM to a traditional credit institution or a FCI are applied and that these requirements remain practical as well as relevant. Both Guides specifically allow the ECB-SSM to develop further standards on assessment of regulatory capital as well as the regulated business plans a.k.a. the "programme of operations" document that is a cornerstone of every application for authorisation setting out how the applicant will conduct its regulated activity and non-regulated business and with whom and where.

Equally, the Guides also tie-in with other SSM workstreams related to the authorisation process as well as on-going supervision. Notably, GLAG II and the FLAG (as well as the (M)FHC Application Guide) should also be read in conjunction with the revised ECB-SSM Guides concerning:

  • the fitness and propriety assessments of natural persons in relation to certain functions requiring supervisory approval (the F&P Guide), which has also been updated since its original publication, most notably in January 2022; and
  • on-site inspections and internal model investigations (the OSIIMI Guide), which has had some minor amendments since its original publication.

Dedicated coverage on both the F&P Guide and the OSIIMI Guide, as in force at the time of this Client Alert, are available from PwC Legal's EU RegCORE in respective Client Alerts.

Equally, with respect to FCIs, the above-mentioned Guides should also be read in conjunction with the EBA's policy on FinTech – which is also covered in dedicated coverage from PwC Legal's EU RegCORE. The ECB-SSM's move to establish supervisory expectations in terms of FCI's license applications, is a welcome move to drive greater harmonisation and certainty in an area of rapid transformation and traditional credit institution authorised BUSIs operating as FCIs.

That being said, all of these ECB-SSM level supervisory Guides are limited in their application "only" across the Banking Union. These Guides therefore do not aim to replace or displace rules and supervisory approaches outside the scope of the SSM's mandate that continue to enjoy application across the EU-27 more broadly. An applicant that will conduct its business both in Banking Union Member States and in EU non-Banking Union Member States as well as non-EU jurisdictions will need to take account of which compliance requirements and supervisory expectations apply where, when and with respect to what activity – including any extraterritorial implications.

Useful guidance from the ECB-SSM on CRR/CRD IV's terminology

The GLAG II provides useful and important guidance, without prejudice to national law, on terms not otherwise defined in the CRR/CRD IV framework, as and when these are applied in the Banking Union. This is particularly relevant where national transposition of the CRR/CRD IV framework, as an EU-27 regime, into the respective Member States (in the Banking Union or outside of it) has led to inconsistencies of interpretation amongst those national regimes.

Some of these inconsistencies are due to (i) national options and discretions that are permitted in the CRR/CRD IV framework (as amended) which the ECB-SSM in the Banking Union is seeking to streamline (including most recently in 2022),12 as well as (ii) inconsistences that may arise because of NCAs' (incorrect) interpretation and application of such terms or NCAs differing supervisory approaches. It remains to be seen whether such clarifications contained in the GLAG II or FLAG will be applied to how the CRR/CRD IV framework is applied in non-Banking Union EU Member States.

Para. 4.1 of the GLAG II recaps the CRR definition of a credit institution i.e., "an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account." That paragraph goes on to state (emphasis added in bold) that:

"The ECB understands that this definition includes entities with a more traditional business model, and also those that reflect the evolving role of banks in society, especially if they explore the use of modern financial technologies (fintech), provided that both components of the definition are present: (i) taking deposits or other repayable funds and (ii) granting credits. In particular, if the fulfilment of these two essential banking activities is not clear-cut, the ECB will examine the underlying reasons and perform a focused analysis. Specific consideration will be given to entities that do not perform both activities but are nonetheless subject to a mandatory licensing requirement in their Member State, such as depositaries of undertakings for collective investment in transferable funds (UCITS) and alternative investment funds."

The ECB-SSM is also clear that it will assess whether the two components (taking deposits or other repayable funds and granting credits) are both "sufficiently developed". Moreover, it will examine more in-depth cases for any additional motives behind an application where these two components are not sufficiently developed, including with reference to a phasing-in period i.e., 12 months following commencement of business (see discussion re an authorisation otherwise lapsing below) and the overall impact on the viability of the business model.

In any event, the GLAG II's clarification on the inconsistencies discussed above aims to harmonise understanding in respect of some key terms in the CRR/CRD IV framework. This includes clarifications in GLAG I and GLAG II that:

  • "deposits and other repayable funds" include, for supervisory purposes, long-term savings accounts, current accounts, immediately repayable savings accounts, funds in investment accounts, or in other forms that are to be repaid. Reference is also made to a 1999 Court of Justice of the European Union judgment13 where it was determined that "[...] "other repayable funds" refers not only to financial instruments with the intrinsic characteristic of repayability, but also to those which, although not having that characteristic, are the subject of a contractual agreement to repay the funds paid." This ultimately brought a much larger scope of activity into the ECB-SSM's supervisory mandate. "Deposits" are clarified as those that are covered in the Deposit Guarantee Scheme Directive14 and confirms that funds received in the course of payment services activity or e-money activity is not subject to the CRR/CRD IV Framework but the relevant PSD2 and E-Money legislative frameworks;
  • references to the "public," for prudential regulatory and supervisory purposes, implies "[...] an element of protection for natural or legal persons entrusting funds to unsupervised entities whose financial soundness is not established." Both GLAG I and GLAG II thus, perhaps rather imprecisely, aim to delineate between what is the "public" and those that have a (personal) relationship with the company to whom they entrust their money and are capable of assessing the financial soundness. Other "professional market parties" are not deemed to be the "public." Whilst this is an undefined term, there is reference to such persons needing to evidence sufficient expertise and funds to conduct their own counterparty research. One might assume this refers to those parties that are not categorised as MiFID retail clients. It is unclear how this will impact engagement with high-net worth individuals or other financial services activity for mass affluent customers; and
  • reference to "grant credit for own account" means that "[...] the granting of credits or loans, must be carried out by the credit institution 'for its own account.'" The credit institution is therefore the creditor, while the credit/loans that it grants become its assets." A cross-reference to Annex 1 of the CRD IV is made as to which financial activity/products are covered. Both GLAG I and GLAG II also specify that overdrafts can qualify as credits under the CRR/CRD IV Framework.

General requirements of applicants and an overview of the process set out in the GLAG II

The GLAG II details the stages and processes in the authorisation process and which SSM component is responsible for what in this Banking Union process. The GLAG II welcomingly uses hypothetical examples to help guide the reader through the process. These processes are supplemented to FCI-specific considerations discussed below in the context of the FLAG.

For applicants seeking authorisation as a credit institution as well as a FCI, this ECB-SSM process begins by the applicant submitting a complete application file to the NCA who in turn will consult and cooperate with the ECB-SSM. The legal maximum for consideration of a complete application is 12 months from submission. As is the case with other application processes for other licenses, supervisors have the discretion to determine whether a file is complete.

If the application is not complete, the 12-month time period will only start once the application file is notified as being complete. Supervisors may use this period to request additional information and/or clarifications prior to the formal time period beginning to count. It may equally pause the clock during the 12 months if additional information is deemed necessary. Consequently, this means that in practice an authorisation process may take much longer than the statutory 12-month period. That time period also will not take into account the time needed by the applicant and its professional advisors in readying the extensive amount of information to be submitted with the application.

In summary, the formal stages of the authorisation process can be broken down into:

  1. The pre-application stage, which may allow for preparatory discussions with the NCA;
  2. The submission to and verification stage conducted by the NCA;
  3. The subsequent assessment stage conducted in respect of the NCA's dossier and then by the ECB-SSM;
  4. The supervisory Decision stage conducted by the ECB-SSM. Notably, like any SSM Decision, these may impose "ancillary provisions" on the applicant. These include the option of the SSM to set:
    1. an "obligation" i.e., a requirement or restriction that applies for a set period; or
    2. a "condition," i.e., a pre-requisite that needs to be fulfilled prior to granting of the license; or
    3. a "recommendation," i.e., a non-binding suggestion or an "ex ante commitment" which are binding conditions subsequent; and
  5. Following the application of the Decision, the handover to "ongoing supervision" stage follows. This means the authorised BUSI is then subject to ongoing supervision and by either the ECB-SSM directly and the NCA indirectly or by the NCA directly and the ECB-SSM indirectly. In both instances the authorised BUSI will become subject to the ECB-SSM administered "Supervisory Review and Evaluation Process" (SREP). This is a core supervisory tool, which is applied across the EU-27 by respective authorities in the European System of Financial Supervision but is tailored, for use in the Banking Union, to SSM-specifics. Details of SREP as well as ECB-SSM administered SREP are set out in detailed coverage from PwC Legal's EU RegCORE.

The following graphics are, as set out as in GLAG II and detail the timeline for the license application process and present this visually. 15


Throughout this SSM process, the NCAs and the ECB-SSM apply the following four general licencing principles to how the "common procedures" and thus GLAG II, FLAG as well as the (M)FHC Application Guide are applied. These can be distinguished between:

  1. The "gatekeeper role": whereby the ECB-SSM acts as a gatekeeper in assessing whether an applicant should receive a license. The SSM focuses on a BUSI applicant's:
    1. regulatory capital levels (initial capital as well as own funds requirement) including liquidity and solvency profile as well as the quality of regulatory capital, its availability as well as its location of where it is booked and timing of its contribution;
    2. "programme of operations" i.e., the regulated business plan setting out the proposed regulated and non-regulated business activities and strategy in light of the economic environment in which the applicant intends to operate and what this means for its business model viability including relevant financial projections;
    3. structural organisation (including IT and outsourcing arrangements) of management and operational layers, allocation of tasks, reporting lines and the organisation of the applicant's quantitative and qualitative risk management as well as its control functions (in a three lines of defence model);
    4. governance arrangements and internal control and risk management framework (including as documented in policies and procedures as well as non-documented based systems and controls) to have:
      1. sufficient and adequate staffing and levels of competence as well as technological resources;
      2. effective decision-making with a clear allocation of power and responsibilities at all levels (including the geographical location of such functions compared to where the regulated and thus risk-bearing activity is located); and
      3. robust means to reduce undue influences and identify, mitigate and manage conflicts of interest affecting the applicant's business and interests of its clients;
    5. resilience of outsourcing arrangements and a robust outsourcing risk monitoring framework. In particular the ECB-SSM will assess (and this may become subject to more scrutiny as a result of the EU's proposed Regulation called the Digital Operational Resilience Act (DORA) which is expected to be finalised October 2022) the:
      1. nature of and rationale for outsourced activities;
      2. experience, track-record and location of the service providers;
      3. soundness of the outsourcing policy and its impact on risk management, in particular for cross-border arrangements; and
      4. contractual arrangements in the form of service level agreements, including KPIs and rights on in-sourcing in solvent and non-solvent situations.
    6. suitability of managers and key function holders (conducted by the ECB-SSM for direct and indirect BUSIs) in line with inter alia the F&P Guide; and
    7. suitability of relevant direct and indirect shareholders, their qualifying holdings116 and any significant influence;
  2. open and complete communication: The ECB-SSM and relevant NCAs all expect that an applicant shall: "[...] accurately and completely prepare their application and openly and swiftly share information to help the supervisors reach an informed decision. The information requirements are based on the EBA's RTS and ITS on the [details] required for the authorisation of credit institutions." Quite importantly, in the context of publication of GLAG I and GLAG II, following some very public statements by the ECB-SSM on a perceived lack of completeness of applications it had received, a new paragraph clarifying that delays in processing an application were mostly due to incomplete information or insufficient details provided by the applicant in connection with the authorisation application that was introduced. This assessment (perhaps to be viewed as a criticism) can be applied to all BUSIs;
  3. consistency: which applies both to new or extended authorisations and is not aimed to lead to a re-assessment of existing authorisations that pre-date both GLAG I's and GLAG II's publication in its final form; and
  4. case-by-case assessment and proportionality: as with certain other SSM Guides, this principle clarifies that whilst "all relevant circumstances will be taken into account" the NCAs and the ECB-SSM will include considerations applying risk-based proportionality. These principles, specify that the license application review process will assess whether the BUSI applicant has sufficient substance in terms of presence and resources. An assessment of substance will also look at whether the applicant is actually "sufficiently engaging in activities that it must undertake in order to be defined as a credit institution within the meaning of EU law." This latter principle can be applied to other BUSIs conducting their respective regulated activity that they are seeking a license for.

These assessments will direct how the ECB-SSM rates the business model viability of the BUSI at inception. That analysis will in turn flow into the SREP. The ECB-SSM-led SREP tool has itself been rolled-out to a much wider body of BUSIs.

Principles applicable to license exemptions and lapses

Both GLAG II and FLAG provide clear and definitive conditions17 when an initial license application, a change in activity, a change in legal form or an extension of a license application will be required. Moreover, both Guides specify when an exemption to the license requirement applies or when a license lapses.

One key exemption to the need for a license may arise in the context of a merger. This exemption for a need for a license may apply where a merger exists for a "legal second" whether due to commercial or regulatory (i.e., BRRD and/or SRM) relevant measures. The ECB-SSM defines a "legal second" as the length of time "[...] needed to complete the transactions involved [...]" and the SSM will take into account the specific circumstances prior to assessing whether a license application exemption can be applied for or whether a special "Bridge Bank" license is required.

It is important to note that an exemption request does not replace the need to obtain all other regulatory, supervisory and SSM-specific consents. This also extends to the continued need to obtain relevant merger or change in control consents irrespective of being able to rely on such an exemption.

Moreover, a license that has been issued by the SSM to a BUSI will lapse where the BUSI does not make use of the authorisation for 12 months i.e., the license will go stale and then lapse. Equally, a license will also lapse if the BUSI has ceased to engage in business for more than six months.18 A BUSI may also withdraw its application or expressly renounce its authorisation and thus cease its regulated business with immediate effect.

A focus in the FLAG's key provisions

The FLAG applies specifically to those BUSIs that qualify as FCIs. The FLAG defines a FCI as a credit institution whose "[...] business models in which the production and delivery of banking products and services are based on technology-enabled innovation."

The ECB-SSM's current use of the term of what is and what is not FinTech, is different to that of the EBA and instead the ECB-SSM uses the definition set by the Financial Stability Board. Putting aside those differences in definitions, the ECB-SSM's definition sets the parameters of who might qualify as a FCI and thus be subject to the FLAG's additional requirements that are applicable to applicants on top of those in the GLAG II.

The ECB-SSM's overarching principle is to apply supervisory scrutiny to FCIs and to ensure they are properly authorised, have suitably qualified members of the management body, suitable ownership structures and have in place risk control frameworks that anticipate and respond to the FinTech-specific and other non-FinTech-specific risks (such risks not being defined) that arise in their field of operations.

The FLAG's requirements, when read in conjunction with those in GLAG II, serve to balance the creation of a FinTech friendly supervisory environment while concurrently ensuring that proactive (systemic) risk management and resilience measures are not compromised. Additional obligations and measures that are relevant to and which may be imposed upon FCIs primarily focus on these having to hold additional regulatory capital.

Such additional obligations are however driven by firm specific as opposed to business sector specific attributes. Moreover, the FLAG is not only jurisdiction agnostic but also describes itself as "technology-neutral". Consequently, it does not aim to favour traditional banking sector activity and actors over those using FinTech. Whether this will be the case in relation to the supervisory experience of FCIs remains to be seen.

In any event, FCIs will need to evidence a large amount of self-assessment on risks specific to its operations as well as those risks that contribute to the risks of its peers and the financial sector as a whole as well as providing details in how these are managed. As a result, FCI applicants and potentially some existing BUSIs that heavily use FinTech in connection with their regulated activity are encouraged by the FLAG to:

  • sufficiently provide detailed evidence of the technological knowledge of members of the management body;
  • appoint a Chief Information Technology Officer as a member of the executive board of the FCI;
  • implement measures to ensure that any business incubators and/or providers of seed capital or other growth capital are aware of the fact that their holdings, financial soundness, reputation and shareholder and own corporate governance and other specific attributes to involvement with the FCI. These will be reviewed as part of the authorisation process of a FCI;19
  • conduct sufficiently clear dialogue with the (NCA and/or) ECB-SSM in relation to change of ownership models as the FCI grows. Dilution of founding capital investors will need to be managed as qualifying holdings and/or direct and indirect significant influence relationships change;
  • recognise that FCIs will be subject to heightened post-authorisation supervisory reviews (whether as part of SREP or otherwise), in particular in relation to evaluating credit-granting and scoring methodologies (especially where provided by a third-party vendor), collateral and security arrangements, and internal governance arrangements including compliance with the ECB-SSM's non-performing loans and exposures supervisory Guide as well as the forthcoming obligations introduced by the EU's Regulation on digital operational resilience (also known as DORA);
  • assess the adequacy of their resourcing needs. This applies to regulatory and economic capital as well as to sufficient human capital. FCIs are specifically expected to be able to evidence they can cover start-up losses for the first three years of activity. Foreseeable losses and the break-even point are expected to be communicated by the FCI as part of their application;
  • implement and maintain robust and resilient IT arrangements, data governance and cyber-resilience processes and policies. This applies in relation to traditional regulated and non-regulated outsourcing and delegation arrangements as well as cloud outsourcing and have been supplemented by EBA expectations as well as those from its sister European Supervisory Authorities and will also be overhauled by the requirements set out in DORA; and
  • design and maintain an "exit plan", as tailored to the specifics of the operation. The exit plan is presented at the request of supervisors and aims to cover how an FCI would plan to cease its own business operations on its own initiative during a solvent wind-down of operations. Cessation of business should be carried out without harm to consumers nor disruption to the financial system nor a need for regulatory/supervisory intervention. Costs of the exit plan, including how to close without imposing losses on depositors is to be covered by the FCI's "own funds" component of its regulatory capital.

Importantly, the final version of the FLAG, unlike the draft version, no longer required that the ECB-SSM nor NCAs perform (although they may still choose to) a follow-up inspection one year after an FCI is licensed to assess whether the FCI is operating as envisioned in its application or whether an exit plan needs to be triggered.

ECB-SSM approval processes for FHCs and MFHCs – the (M)FHC Application Guide's requirements

As set out above FHCs and MFHCs require authorisation pursuant to the CRD V20 making targeted changes and introducing a new Article 21a into CRD IV. As a result, FHCs and MFHCs will require a license unless an exemption applies. In the context of the Banking Union, the ECB-SSM is the competent authority responsible for approval of a FHC or a MFHC where it is the consolidating supervisor, which in most cases it will be – notably in the context of when a FHC/MFHC is used to meet the EU's Intermediate Parent Undertaking requirements, which apply when a third-country headquartered financial services owns one or more credit institutions or an investment firm with operations in the Banking Union and when certain quantitative thresholds are met (as discussed in further detail in a standalone Client Alert from PwC Legal's EU RegCORE).

(M)FHCs that require an authorisation are required to provide all of the information set out in Art. 21a(2) CRD IV and as outlined in national law to the consolidating supervisor (i.e. in most cases the ECB-SSM). In instances where the (M)FHC has a competent authority in a Member State that is different to the consolidating supervisor such information must also be provided to that competent authority in addition to the consolidating supervisor. In most instances, notably where the (M)FHC is not in a Banking Union participating Member State, then a joint decision will be applied.

The (M)FHC Application Guide is clear that the decision to grant an approval for a FHC or a MFHC will typically be taken within six months of receipt of an application that has been acknowledged as being complete. With all application processes this assumes and thus requires that all information and requirements have been fulfilled with the applicant as otherwise the application will be deemed incomplete and the six months' time period will not start. For (M)FHCs these requirements are simpler when compared to other BUSIs and thus the application as a FHC or MFHC focuses on:

  • the internal distribution of tasks within the group (including prevention/management of intragroup conflicts as well as the enforcement of group-wide policies);
  • the structural organisation of the group (which includes the roles of the (M)FHC as well as the shareholding structure); as well as
  • the suitability of the shareholders and board members of the (M)FHC.

The (M)FHC Application Guide also sets out details when, in accordance with Article 21a(4) CRD IV, the five exemption conditions, all of which must be fulfilled, that allow for the (M)FHC to be exempted from the approval requirement. Once exempted, such (M)FHCs must then fulfil these exemption requirements on an on-going basis. The ECB-SSM will, unless national law states otherwise, consider the exemption application and may also take an individual or a joint decision depending on circumstances.

Failure to comply with the approval requirement can lead to the imposition of supervisory measures i.e., either administrative pecuniary and/or non-pecuniary measures in line with the ECB-SSM's rules (see standalone coverage on the SAPP Guide from PwC Legal's EU RegCORE).21

As with the GLAG II and the FLAG, similar measures apply when a (M)FHC no longer meets its approval conditions or when the exemption conditions are either not fulfilled at the outset or no longer fulfilled following approval.

Outlook and further considerations

For market participants looking to apply to become authorised as a BUSI, in particular those as a FCI, the ECB-SSM's Guides discussed above provide for:

  • a much clearer roadmap of what areas applicants and their advisors ought to highlight in their license applications as well as the stages and supervisory touchpoints that are relevant in respect of the license applications;
  • clarity on the extent and focus of supervisory scrutiny that will be applied by the ECB-SSM, specifically in relation to entities that may evidence similar traits as FCIs. This applies in respect of both SREP but also any on-going supervisory inspections;
  • details of when a FCI will require an exit plan. It should be noted that the exit plan concept is being replicated in order to provide clarity and certainty for other solvent wind-downs of other types of BUSIs and non-BUSI regulated financial service providers; and
  • guidance on forthcoming reforms and further areas of harmonisation that the ECB-SSM may choose to pursue.


1 The article is available here.

2 And crucially not to be confused with the term "neobanks" which has been used by commentators but also by relevant firms themselves to describe a host of FinTech activity, including firms running IT applications offering "banking as a service" mostly without such firms being regulated in accordance with EU financial services legislation in a full sense. In many instances, neobanks are tied agents of regulated firms that will hold the relevant regulated permissions. Put simply, a neobank will more often than not, not be a bank...

3 A full overview of the ECB-SSM's roles and responsibilities in the authorisations process both for granting and withdrawing licenses is available from the following landing page of the ECB-SSM, which at the time of writing of this Client Alert was last updated 21 July 2022. A further Q&A is available for those relocating to the euro area which was last updated on 7 April 2022.

4 For context it should be noted that the final versions of the GLAG and FLAG were subject to a consultation period on the draft versions that ran from September to November 2017. The final versions only made minor amendments to the draft versions and the context for such changes are summarised in a Feedback Statement (available here) providing explanations and rationales for such changes. Details on the extension of the GLAG to GLAG II are available here.

5 Available here. GLAG 1 is available here.

6 Available here.

7 This is despite the heading of each of the Guides stating: "The policies, practices and processes set out here may have to be adapted over time. This Guide does not have a legally binding nature and consists of a practical tool to support applicants and all entities involved in the process of authorisation to ensure a smooth and effective procedure and assessment. The Guide will be updated regularly to reflect new developments and experience gained in practice." However, the Guides refer to legislative texts and supervisory expectations that are binding or otherwise very persuasive in their application. Moreover, the start of para. 2.4 in both Guides state: "The supervisors need to apply the regulatory requirements when assessing license applications. To ensure that they do so consistently, the interpretation of those requirements needs to be clarified and common supervisory practices and processes need to be developed." These are set out in the public and non-public versions of the SSM Supervisory Manual and the ECB-SSM can itself or on behalf of NCAs sanction applicants and authorised BUSIs.

8 Available here.

9 Crucially, MiFID investment firms have historically been chosen as the regulated entity to house non-deposit taking investment banking business that operates in parallel to an ECB-SSM supervised deposit taking credit institution that is authorised by the ECB-SSM for that regulatory permission (set out under the CRR/CRD IV, as amended) through reference to GLAG II or the FLAG (as the case may be). The entry into force of the IFR/IFD has meant that certain MiFID investment firms will be categorised as "Class 1 Investment Firms" and thus treated and thus, in the Banking Union, be supervised by the ECB-SSM as credit institutions for SSM supervision purposes. That being said, the common methodology for MiFID investment firm authorisation applications remains set out in Commission Delegated Regulation 2017/1943: which is available here.

10 The ECB-SSM sets this out in a standalone document that is available here, details of which are discussed below..

11 These powers were communicated to various NCAs (SSM/2017/0140), dated 31 March 2017, available here.

12 See various articles of M. Huertas in the Journal of International Banking Law and Regulation on this topic.

13 See judgment of the Court of Justice of the European Union, Case C-366/97, 11 February 1999.

14 See Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014, as amended, on deposit guarantee schemes, as implemented into national law of the EU Member States.

15 Available here.

16 or, in the absence of qualifying holdings, the ECB-SSM will apply EBA standards to assess the 20 largest or possibly all shareholders. To briefly recap, for Banking Union purposes, a participation in a credit institution will be a "qualifying holding" when it represents 10% or more of any shares and/or voting rights in the credit institution. A supervisory notification of that first 10% threshold and any relevant threshold above is required. This is in addition to any other supervisory reporting required in a respective jurisdiction.

17 Including where an entity wishes to become a credit institution or where two or more institutions merge to form a new entity.

18 The GLAG II's wording is not entirely precise in this area. However, this time period is taken to mean consecutive months and also cross-refers to the "sufficient substance and engagement" tests that were originally assessed as part of the initial application and business model viability assessment. It remains unclear whether a lapse in one area could cascade through to other areas. Moreover, it remains also unclear, whether a lapse or withdrawal of a SSM license might have knock-on effects to any licenses that the BUSI holds from other regulators.

19 Despite the ECB-SSM's supervisory reservations, it is interesting to note that fundraising via initial coin offerings and/or token generating events are not explicitly included in the FLAG.

20 Directive EU 2019/878 available here. Which should be read in conjunction with Regulation (EU) 2019/876 (CRR II) available here, which amended the CRR.

21 Available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.