Suitability tests for key bank staff need to go further
Regulators stop short of bringing in the people who actually run the firms
Keith Mullin   8 May 2026

European regulators are tightening their scrutiny over some of the people banks and investment firms nominate to boards and key control positions, but they should have gone further.

In their current consultation on suitability (out for public comment until May 25th), the European Banking Authority (EBA) and European Securities and Markets Authority (ESMA) have signalled a shift towards a more challenging, interventionist posture so they can escalate concerns earlier or block nominations based on harmonized guidance and updated interpretation.

It sounds hard-hitting, but in truth, the bold language is wrapped around a carefully limited scope.

Suitability assessments for key staff emerged after the global financial crisis (GFC) when it became clear that poor oversight by weak boards and under-qualified or conflicted individuals led to serious problems. Regulators began shifting the burden of proof onto firms to demonstrate that the people they nominate are competent.

Now they want to raise the bar for granting supervisory approval, but only for some senior appointments.

Regulators rightly want to force banks and investment firms to credibly demonstrate that key staff are competent, honest, independent, act with integrity, have enough time to do their jobs, are properly trained, and can exercise effective oversight.

But the scope of scrutiny isn’t broad enough. It covers management bodies, so-called Internal Control Functions and Key Function Holders. All three trigger mandatory suitability assessments. On paper, that looks comprehensive. In practice, it leaves most of the operational power structure untouched.

That’s because in most countries where companies have single-tier control structures, “management body” means the board (including chief executives as CEOs also sit on the board), not the executive leadership team.

Only in two‑tier jurisdictions like Germany and Austria, where all members of supervisory boards (board directors) and management boards (senior executives) are statutory directors, are all senior operational executives included in the suitability regime.

Net not wide enough

Yes, weak, ineffective, complacent and detached boards that pre-GFC were oblivious to the unbridled risk-taking they waved through, fanned by the perverse incentive structures they presided over, were one of the problems that came to light after the crisis had detonated. So, ensuring they are not asleep at the wheel is a positive step.

But it was the senior executives in the operating divisions who actually wreaked the havoc that took the world to the brink in 2008. Yet the people who actually run the businesses day‑to‑day, who set risk appetite, drive commercial strategy, run the trading divisions, and make decisions that can blow the firm up and endanger financial stability, glide past suitability assessments.

People running Internal Control Functions (ICF) are subject to suitability assessment. This covers risk management, compliance and internal audit. But the other covered category – Key Function Holders (KFHs) – is still too discretionary. The people running ICF are automatically KFHs. The 2026 consultation added Chief Financial Officers to the list (importing that from CRD VI, the latest iteration of the Capital Requirements Directive). Otherwise, it’s optional.

And it’s the firms that decide who, to use regulatory parlance, is “critical to sound and prudent management”. Many decide that the chief operating officer, chief technology officer, chief data officer and heads of business divisions are not critical enough to warrant supervisory scrutiny. Even Chief Risk Officers can slip through if the firm designates someone else as the official ICF holder for risk – as is the case for some banks.

Regulators have missed an opportunity to widen the net to bring in all executive leadership.

The two-tier model in Germany and Austria demonstrates that the broader framework functions perfectly well when the legal structure supports it. Regulators should have made the case for equivalence across all jurisdictions.

In fairness, the gap isn't purely a failure of ambition. Bank lobby groups have pushed proportionality hard, company law in EU member states is deeply resistant to EU override, and guidelines are only as good as the national competent authorities implementing them. These are real constraints.

Elevating gender diversity or rhetoric?

If the problem with suitability is that regulators set a high bar and exempted most of the people who should be required to clear it, the treatment of gender diversity follows a similar template. Regulators are pushing the cause of gender diversity within the suitability framework, folding it into the concept of collective suitability.

In the drive to ensure that boards collectively understand their firm’s business model, strategy, risks, ESG impacts, and the wider stakeholder footprint, gender balance will form part of supervisory assessments as to whether boards have the right mix of skills, experience and perspectives.

The baseline stance is that diversity contributes directly to the capacity to provide proper oversight because gender‑balanced boards reduce groupthink. That’s reasonable. But the only binding changes in the current suitability consultation about gender that are different from last year’s draft guidance also come from CRD VI, which mandates banks to:

While targets are one step removed from required outcomes, I’ve noted in the past that I’m sceptical about the utility of hard gender quotas as I’m not convinced that positive discrimination, tokenism or a box-ticking approach necessarily guarantees operational effectiveness or does much to effect sustained improvements in diversity up and down institutions.

Crafting language and setting formal supervisory expectations, as the EBA and ESMA have done to encourage firms to build more gender‑balanced candidate pools and support equal‑opportunities principles, seem a reasonable starting point. But over time, the needle does need to move on gender diversity in the real world. If not, current endeavours risk becoming another exercise in regulatory theatre.

While treating gender diversity as a core tenet of collective suitability is a positive step, relying on the hope that transparency alone will shame firms into gender action, while diversity frameworks avoid enforceable consequences and regulators persist with the fiction of gender‑neutral criteria, is not a credible position. Because it won’t drive change and they should know it.