Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Capital Requirements Directive (CRD6) came into force on 9 July 2024. Under CRD6, banks from countries outside the EU that carry on "core banking activities" in the EU - in particular, deposit taking and lending - will have to establish a branch in the EU and apply for authorisation from the local regulator. These rules come into effect in 2026 and 2027. Third country banks that had previously relied on exemptions under local laws to do business in specific EU member states will no longer be able to do so. Branches of third country banks will also become subject to minimum requirements in the EU, including with regard to capital, liquidity and internal governance. Third country banks that already have branches in the EU may find themselves subject to higher requirements than they are currently subject to. In the light of the changes, third country banks may need to reconsider fundamentally how they do business in the EU and what kind of presence they need to have there.
The new version of the Capital Requirement Directive (CRD6) was published on 19 June 2024 and came into effect on 9 July 2024.
CRD6 has made a number of changes that will affect banks established in countries outside the EU (known as "third countries") that carry on certain activities in the EU.
The new rule says that EU member states must require undertakings established in a third country to establish a branch in their territory and apply for authorisation from the national competent authorities (NCAs) - i.e. the local financial regulators - to commence or continue carrying on certain "core banking activities" in the relevant member state.
The core banking activities in question are:
taking deposits and other repayable funds;
lending - both consumer credit and wholesale lending (including factoring); and
guarantees and commitments.
In the case of deposit taking, the new authorisation requirement will apply to any type of third country undertaking.
For the other types of core banking activity, however, the requirement to be authorised will only apply to undertakings that are credit institutions within the meaning of the EU's Capital Requirements Regulation (or would be credit institutions if they were established in the EU).1
As a result, non-EU undertakings which are not credit institutions and which carry on those other core banking activities will not be required to establish branches in the EU or to apply to have them authorised. The position of such undertakings will continue to be governed by the national law requirements in individual EU member states.
The list of activities covered by the Capital Requirements Directive is not limited to the "core banking activities"; for example, the CRD also applies to payment services and activities relating to investment business (such as dealing in transferable securities). Those other activities will not be subject to the new rule – only the "core banking activities" will be. However, if a third country undertaking brings itself within the definition of "credit institution" as a result of carrying on MiFID activities (see footnote 1), it will be within the scope of the new rules in relation to its core banking activities.
The requirement to become authorised will only apply to a third country undertaking that wishes to carry out a core banking activity "in a member state". However, it is not always clear where a core banking activity is regarded as being carried on. For example, if a US bank lends money to a French borrower, does the lending activity take place in the USA, France or in both locations?
There is currently no single answer to this question at an EU level, and different member states have historically taken different views about whether a core banking activity takes place "in" their jurisdiction. However, many member states take a restrictive approach and would regard a core banking activity as taking place "in" their territory if the customer is located in their territory.
It is likely that a restrictive approach will apply to the CRD6 rule, and third country undertakings may want to assume that any core banking activities that they engage in with EU-based customers and counterparties will be subject to the new rule. A more nuanced risk assessment will need to consider the position on a jurisdiction by jurisdiction basis.
There are some limited exceptions to the new rule:
A third country undertaking will be allowed to undertake a core banking activity with a client in the EU if the client approaches the third country undertaking at the client's "own exclusive initiative" for the provision of that activity.
Taking into account how the EU has applied the concept of reverse solicitation in other contexts - for example, in relation to investment business under the Markets in Financial Instruments Directive (MiFID) - it is likely that this exception will be interpreted very narrowly. Reliance on this exemption will be monitored closely by EU regulators, who will be keen to understand the position from a group wide perspective.
It is unlikely that a third country undertaking would be able to establish a viable business model for dealing with EU customers using the reverse solicitation exemption. However, the exemption may assist in certain ad hoc situations.
A third country undertaking will be allowed to provide core banking activities to credit institutions. This should mean, for example, that bank-to-bank lending is not covered by the new rule.
A third country undertaking will be allowed to provide core banking activities to EU-based members of its own group.
Where the third country undertaking is providing core investment services activities under MiFID, the new rule will not apply to any accommodating ancillary services, such as related deposit taking, granting credit or loans the purpose of which is to provide services under MiFID.
In practice, however, this exemption may be of limited benefit, as third country undertakings are restricted in their ability to provide MiFID services into the EU without local authorisation, and so it is unlikely that they will be able to provide any of the MiFID services that the core banking activities could be seen as ancillary to.
The new rule regarding authorisation is stated to be "without prejudice" to contracts which were entered into prior to 11 July 2026. What this appears to mean, in effect, is that there will be an exemption for contracts entered into by third party banks prior to that date.
From 11 January 2027 onwards, third country undertakings will be able to continue servicing contracts entered into before 11 July 2026 – but they will only be able to service contracts for core banking activities entered into after 11 July 2026 if they have obtained authorisation as a branch in the relevant member states(s).
Some questions remain about exactly how this cut-off date will operate. It is not clear, for example, whether third country banks will be able to continue being party to contracts entered into prior to 11 July 2026, but which are extended, rolled over or renewed after that date. However, it is expected that the exemption will be closely monitored and interpreted narrowly.
Member states are currently able to apply their own approaches to the question of whether and how a core banking activity may be provided in their territory, and can apply their own exemptions. For example:
In Germany, the local regulator (BaFin) has the power to grant exemptions to third country banks, which allows them to provide cross-border services into Germany without obtaining authorisation from BaFin (subject to certain criteria being met, such as BaFin determining that the third country bank is subject to equivalent supervision in its respective home country).
In Ireland, lending does not require authorisation from the local regulator (the Central Bank of Ireland - CBI) unless the loan is to a natural person. A third country bank that wishes to engage in wholesale lending into Ireland on a cross-border basis, or even to establish a branch office in Ireland for that purpose, does not currently need a licence from the CBI.
Under the new CRD6 rules, member states will have to follow the minimum harmonised EU rules and will not be able to apply their own approaches, except where they are imposing requirements that go beyond the minimum EU requirements. A third country undertaking that is carrying on a "core banking activity" in that member state will have to be authorised. Any exemptions that NCAs currently apply as a matter of their national law will have to be disapplied.
Non-EU banks that currently provide core banking activities into the EU in reliance on approaches taken by the NCAs in each member state will need to consider whether that is still possible under the new rule. They will also need to consider changes in national law that are made to implement the new CRD6 requirements.
CRD6 requires that NCAs must have the power to require third country branches to apply for authorisation as a subsidiary – i.e. to establish a corporate entity in that member state as a subsidiary of the third country undertaking and to apply for that new entity, rather than the branch, to be authorised by the local regulator.
CRD6 says that this power must be available at least where the third country branch meets any of the following conditions:
the branch has been or is carrying out non-exempt core banking activities with customers or counterparties in other member states (i.e. other than the member state in which the branch is authorised);
the branch meets the systemic importance indicators under the existing CRD tests for "other systemically important institutions" (O-SIIs) or is assessed as being of systemic importance under the new CRD6 provisions and poses significant financial stability risks in the EU or the member state where it is established; or
the branch meets the new criteria specified in CRD6 – namely that (i) the aggregate amount of the assets of all third country branches in the EU from the same third country group is €40 billion or more or (ii) the amount of third country branch assets in the member state where it is established is €10 billion or more.
CRD6 provides that NCAs and the European Banking Authority (EBA) will have to take steps to assess whether a branch is systemically important. Before it can exercise the power to require subsidiarisation, the NCA in the member state of the third country branch will have to consult with the EBA and the NCAs in the other member states where the third country undertaking has branches or subsidiaries. CRD6 contain a non-exhaustive list of indicators regarding the systemic importance of third country branches.
CRD6 does not mandate that branches meeting these criteria will have to establish subsidiaries rather than continue to operate as branches but, by setting minimum criteria and requiring that NCAs have the power to require subsidiarisation, CRD6 is likely to encourage NCAs to consider requiring subsidiarisation for third country undertakings which pose systemic risk and are effectively considered too risky to supervise as a branch.
Under the current rules, EU member states are able to determine their own approach towards the authorisation of third country bank branches – subject to the principle that they cannot be more favourable towards branches of third party banks than they would be towards the branches of banks from within the EU.
While there is some variability in how NCAs in individual member states approach this question, it is not uncommon for the NCA to allow certain aspects of the third country bank's business to be determined and supervised primarily by its regulator in its home state – so that, for example, a branch might be able to rely on meeting the capital requirements in its home country than having to bring capital into the EU.
If a third country undertaking had to subsidiarise, this would mean that having to set up a stand-alone entity within a member state, which would have to (amongst other things) be fully capitalised within the relevant member state and have its own senior management and governance arrangements. This would usually be more economically inefficient and operationally challenging for third country undertakings than simply operating a branch. However, unlike a third country branch, a subsidiary would be able to passport core banking services across the EU.
In addition to the subsidiarisation point, CRD6 says that, where appropriate to address the systemic risks identified, the NCA may subject the third country branch to targeted requirements, which may include that the branch:
If an NCA considers that a third country branch has systemic importance but decides not to exercise any of the powers in (a) above, the NCA will be required to provide a reasoned notification to the EBA and to the NCAs in any other member states where the third country undertaking has branches or subsidiaries.
In practice, these rules are likely to increase the pressure on NCAs to require third country branches to make changes to the way they are structured or do business.
CRD6 introduces minimum conditions which must be satisfied in order for an NCA in a member state to be able to authorise a third country branch. These are minimum requirements only – member states will be free to supplement these requirements if they wish, and CDR 6 expressly says that member states will be allowed to impose the same requirements that would apply to credit institutions authorised in the EU.
The minimum conditions for authorisation of a third country branch under CRD6 will be as follows:
CRD6 specifies certain regulatory requirements, which in summary will be:
The branch will have to satisfy minimum capital requirements, based on a percentage of the branch's average liabilities, and subject to a minimum amount. The capital will have to be held in the form of cash, EU government securities or other instruments that allow for unrestricted and immediate use, and the capital will have to be held in an escrow account in the relevant member state.
The branch will have to maintain liquid assets sufficient to cover liquidity outflows over a minimum period of 30 days. The liquid assets will have to be held in a separate account.
The branch will be subject to specific requirements regarding how it is governed, including in respect of its senior management and internal control functions. Senior management will be subject to the same remuneration requirements that apply to EU credit institutions. The EBA will issue guidelines in relation to the internal governance matters.
The branch will have to maintain a comprehensive and precise record of all the assets and liabilities that it has booked or originated.
The exact nature of these requirements will vary depending on whether the branch is classified as a Class 1 or Class 2 branch (see further below) and whether the host NCA has specified any additional local requirements.
The activities that a third country undertaking seeks authorisation for in an EU member state will have to be covered by the authorisation that the undertaking holds in the country where it is established, and those activities will have to be subject to supervision in the home country.
This potentially creates a significant problem for undertakings from third countries which have a narrower regulatory perimeter than the EU.
For example, in the UK it is not a regulated activity to carry on wholesale lending and the UK regulators would not supervise that activity directly (although they would consider the impact of that activity on the things that they do supervise – such as the bank's capital position, credit risk etc). If a UK bank wanted to set up a branch in an EU member state and carry out wholesale lending from that branch, it may find that the NCA in that member state will not grant authorisation to the UK bank on the basis that the activity is not covered by the bank's authorisation in its home country and is not supervised in the bank's home country, as required by the CRD6 rules. It remains to be seen how this type of situation will play out - as an overly strict interpretation here could have adverse implications for the real economy, which may not have been intended.
The supervisory authority of the third country undertaking in the relevant third country will have to have been notified of the application to establish the branch.
The third country branch will only be to carry out the authorised activities within the member state where it is established, and will not be able to carry out those activities in other member states on a cross-border basis (subject to some limited exceptions).
(This is not a new requirement; third country branches that are authorised in EU member states do not currently have passporting rights which would allow them to provide services into other member states. However, the current rules would allow the provision of cross-border services into another EU member state if the activity is not regulated in that other EU member state. It appears that the new CRD6 rule will prevent such arrangements in the future.)
Where a third country undertaking carries out activities in multiple EU member states, the EBA will be tasked with monitoring operations between those third country branches authorised in different member states and reporting to the European Commission in respect of them.
The NCA in the member state that authorises the branch will have to be able to:
It will be a requirement that there are no reasonable grounds to suspect that the third country branch will be used to commit or facilitate the commission of money laundering or terrorist financing.
The EBA will issue guidelines regarding the information that applicant firms will have to provide and the procedure and conditions for authorisation. It remains to be seen whether those guidelines will be provided in sufficient time, given the time required to obtain authorisation.
Member states will be prevented from applying to third country branches provisions which result in a more favourable treatment that that accorded to branches of institutions which have their head office in another member state. This is not a new concept, however; it already exists under the current version of the CRD.
CRD6 will also require the NCA in the EU member state to endeavour to conclude co-operation agreements with the third country undertaking's home supervisory authority.
We understand that some NCAs may require existing third country branches to re-apply in order to ensure that the authorisation of that branch continues. The third country branch will, in any event, need to be able to demonstrate that it can meet the new requirements under CRD6 and any additional requirements imposed by the NCA. CRD6 specifies that applications for authorisation will have to be accompanied by a programme of operations setting out the envisaged business, the activities to be carried out and the organisational structure and risk management of the branch in the relevant member state.
Member states will be required to classify third country branches into one of two categories in order to enable a more proportionate, risk based approach to supervision. The two categories are:
Class 1: where
Class 2: where the third country branch does not meet the conditions to be in Class 1.
Class 1 and Class 2 third country branches will be subject to different standards.
Class 1 branches will have to hold higher minimum amounts of capital and greater levels of liquid assets, and will be subject to more onerous requirements in terms of their internal controls – including having to comply with the same CRD6 requirements that EU banks have to comply with in relation to their organisational structures, processes and remuneration policies.
A Class 1 branch can also expect to be subject to a higher level of supervision by (i) the NCA in the member state where it is authorised and (ii) the NCAs in other member states where it has branches or affiliates.
There will also be an additional category of "qualifying third country branch" (QCB). A branch will be a QCB if:
Any third country branch that is not a QCB will automatically be put into Class 1 and will become subject to the higher requirements.
The benefit of being a QCB is that the branch can be categorised into Class 2. In addition, in respect of QCBs member states will be permitted to waive certain CRD6 requirements that would otherwise have applied to those branches – such as (i) the liquidity requirements and (ii) reporting requirements (in whole or in part, provided that the NCA is able to obtain the information directly from the supervisory authorities of the third country).
It is the European Commission who will determine whether a third country is equivalent or not for the purposes of the QCB determination (with input from the EBA and agreement from member states). That means that it could be a political decision. As we saw after Brexit in other areas of financial services, the EU has refused to make equivalence determinations in favour of the UK, even where the law in the UK is virtually identical to that in the EU. The concern would be that it does the same here – for the UK, and for other third countries where it might be to the EU’s benefit to restrict access.
Third country banks from countries who don’t have an equivalence determination will still be able to establish a branch in the EU – but they will automatically be put into Class 1 and made subject to the most onerous requirements.
The way in which third country branches are supervised is expected to change under CRD6. Third country branches will:
Third country undertakings with branches in the EU can expect to become subject to closer and more intrusive supervision (and potentially enforcement action) within the EU than they may have been subject to previously. This will particularly be the case where the third country undertaking has branches in more than one member state; the EBA will have a specific remit to monitor the operations between third country branches of the same head undertaking.
The new rules could affect the business of third country banks in a number of ways:
It is unlikely that third country banks that have no branch or subsidiary in the EU will be able to continue carrying on core banking activities with EU-based customers and counterparties. They may need to either:
If they need to take steps to get authorised in the EU, they should consider this sooner rather than later, as it can take a long time to obtain the relevant authorisation as a bank, and the process may become even more challenging as a result of the CRD6 changes.
Third country banks which already have authorised branches in the EU will want to consider the following issues:
Are the branches (taken together) of such systemic importance that they may be required to subsidiarise?
How will the new minimum requirements and supervisory standards affect them?
Do they have authorisation in the home state for the activities they wish to provide in the EU?
Will they be in Class 1 or Class 2 or be a qualifying third country branch?
Are there are any steps they could be taking ahead of CRD6 being implemented to reduce the likelihood of them being regarded as systemically important or a Class 1 firm – e.g. by re-routing certain types of business to bring them below thresholds?
Given the new focus on the risks of third party branches at a cross-EU level, should third party banks with multiple EU branches consider restructuring themselves at an EU level?
The introduction of CRD6 presents an opportunity for third country undertakings to undertake a strategic review of their offering in EU jurisdictions and determine whether to move to a branch or subsidiary model.
The timings and next steps are likely to be as follows:
Date |
Event |
9 July 2024 |
CRD6 came into force |
10 January 2026 |
Deadline for EU member states to have transposed the measures in CRD6 into their national law. Deadline for the EBA to submit draft regulatory technical standards (RTSs) to the Commission in respect of certain requirements for branches, such as the reporting and booking requirements, and co-operation between NCAs and colleges of supervisors. |
11 January 2026 |
Deadline for member states to apply the CRD measures. |
10 July 2026 |
Deadline for the EBA to issue guidelines to specify (amongst other things):
|
11 July 2026 |
Cut-off date: the exception for pre-existing contracts will cease to apply to contracts entered from 11 July 2026 onwards. Certain obligations on third country branches to report regulatory and financial information to NCAs come into effect. |
10 January 2027 |
Deadline for the EBA to issue guidelines on the application to third country branches of CRD rules relating to internal governance/recovery and resolution, remuneration and independent risk management functions. |
11 January 2027 |
The remaining new third country branch provisions (i.e. other than the reporting obligations that come into effect on 11 July 2026) will come into effect. These provisions include the requirement for a third country branch to be authorised in a member state where core banking activity is undertaken. |
The timetable gives rise to some concerns. In particular, if the EBA does not prepare RTSs regarding the branch authorisation process until six months before the deadline for third country branches to have obtained their authorisation, that leaves very little time for NCAs to implement the requirements and for third country branches to be able to submit their applications and the NCAs to process them. Any RTS will therefore need to allow for live NCA authorisation processes to remain valid.
Although it is over two years before most of the new requirements come into effect, third country undertakings need to start a mapping exercise and risk assessment in order to guide business decisions and prepare to restructure across business lines and (where necessary) establish new entities.
Our global team has significant experience of liaising with regulators and assisting firms to assess the impact of CRD6, implement strategic business model reviews and to obtain any necessary regulatory authorisations. If you would like to discuss how to kick start your CRD6 impact assessment, please speak to one of our contacts listed.
Authored by Dominic Hill and Sinéad Meany.