Posted: 29 Feb. 2024

CRD VI is now final: non-EU banks must start preparing now

Relevant to: Executives (CFOs, COOs, CROs, Chief Control Officers etc); Heads of Risk, Planning, Transformation, Strategy and Compliance; Legal Counsel; Board Members.


At a glance:

  • The EU has now published its near-final Banking Package, which (in part) makes significant amendments to the EU’s Capital Requirements Directive (known as CRD VI). 
  • Cross-border services: from November 2026, non-EU banks will no longer be able to provide cross-border “core banking” services to EU-based clients, subject to exemptions for interbank and intragroup activities, as well as for business resulting from client “reverse solicitation”.
  • Third-country Branches (TCBs): also from November 2026, new and existing TCBs face (re)authorisation against a new EU-wide set of requirements, including on capital, liquidity, risk management and governance, that are more stringent than those currently applied in some Member States (MS).
  • TCB subsidiarisation: some TCBs (whether due to size, systemic importance or having conducted cross-border business) may be required to restructure, hold additional capital or even subsidiarise in order to resolve supervisory concerns.
  • Big Picture: CRD VI will force non-EU banks to rethink their overall European footprint. Non-EU banks operating or considering setting up multiple TCBs should assess the benefits of consolidating their business into one European entity, and any decisions should be made alongside wider rationalisation programmes already in train.
  • Why now? Given the number of considerations in play, non-EU banks must start their impact assessment now, not only to be ready to comply, but to be “right-sized” for when these potentially costly rules take effect.


Background to EU Banking Package and overall context

In December 2023, the European Commission published the near-final text of its new Banking Package (following months of trilogue negotiations we covered previously). It is clear that this package will have a significant effect on many non-EU banks’ European footprints: significantly restricting their ability to provide “core banking” services into the EU, as well as introducing a new harmonised regime for the regulation of TCBs via targeted amendments to CRD VI.

Today, both cross-border services and TCBs are subject to varying national rules across MS. Differences also exist within MS due to national competent authorities (NCAs) waiving certain requirements for individual TCBs. Therefore, establishing more uniform requirements for both is a significant step towards EU-wide harmonisation of the rules governing non-EU banks’ EU activities. However, we do not expect complete uniformity (even within the scope of CRD VI’s provisions) – CRD VI is a Directive, not a Regulation, meaning MS will implement its provisions in their own legal frameworks with inevitable differences in approaches.

We expect CRD VI to enter into force around May 2024. On that basis, we would then expect most of its provisions to begin applying in November 2025, save for the cross-border services restrictions and new TCB regime discussed below that will have effect one year later.


Restriction on cross-border services

From November 2026, non-EU banks will no longer be able to commence or continue conducting cross-border “core banking” services (i.e. accepting deposits and other repayable funds, lending, and providing guarantees and commitments) to EU-based clients. For this purpose, “non-EU banks” means specifically:

  • Third-country credit institutions (i.e. third-country undertakings that would qualify as a credit institution if established in the EU).
  • Third-country investment firms which deal on own account OR underwrite financial instruments AND which have (or belong to a group with) assets exceeding EUR 30 billion OR which carry out investment services in amounts exceeding EUR 30 billion.
  • Any other deposit-takers not covered by either of the above (but only for the purposes of deposit-taking rather than other “core banking” services more generally).

This restriction is then subject to three important exemptions:

  • Reverse solicitation: an EU-based client approaches a non-EU bank at “its own exclusive initiative” for the provision of “core banking” services. This exemption extends further than a similar concept in MiFID II, exempting further business “necessary, or closely related” to the business originally solicited.
  • Interbank: the business is with an EU-based credit institution.
  • Intragroup: the business is with an EU-based entity of the same group.

Separately, CRD VI also allows for grandfathering of contracts entered into before May 2026. Non-EU banks operating on this basis will need to consider which trigger events would cause a contract to be treated as new, such that the grandfathering provision would no longer apply.

Where business cannot comply with any of the above exemptions, non-EU banks will only be able to provide “core banking” services in the EU through an EU TCB or subsidiary.

National implementing rules or subsequent guidance may clarify remaining areas of legal ambiguity around the cross-border restriction, which include:

  • Exclusion of “core banking” services ancillary to core MiFID activities / services: there is an exclusion for “core banking” services ancillary to the provision of core MiFID services. However, the extent to which a service must be ancillary to be excluded is unclear. As is, we expect providing services such as cash accounts for the sole purposes of securities transactions (e.g. buying or selling shares or bonds) would be scoped-out here.
  • EU-clients’ non-EU business: It is unclear whether a non-EU bank providing “core banking” services to an EU client for the purposes of the client’s non-EU business would be captured by the restriction.
  • Location considerations: CRD VI does not define what constitutes providing “core banking” services “in” a MS. As such, existing location-based legal arguments may be preserved. If addressed in national implementation, we may see such rules vary: some MS have historically been more permissive of these arguments than others.


TCB authorisation and new requirements

From November 2026, both new and existing TCBs will have to comply with and be re-authorised under a new set of EU-wide minimum requirements. NCAs will be able to decide that authorisations of TCBs granted before this date can remain valid, although they must still comply with the regime.

CRD VI maintains that authorisation may only take place where the NCA has “endeavoured” to sign a “model administrative agreement” with the home state regulator of the TCB in question. TCBs, especially those headquartered (HQed) in jurisdictions with fewer existing relationships to MS’ NCAs, should consult with local NCAs to confirm re-authorisation will be possible.

CRD VI differentiates between two classes of TCB: Class 1 and Class 2 (we expect the majority of TCBs will qualify for the former). TCBs will be designated as Class 1 under the new regime if they:

  • take retail deposits in excess of EUR 50 million;
  • take retail deposits in excess of 5% of their total liabilities;
  • booked or originated more than EUR 5 billion assets in the past year; or
  • are not a “qualifying” branch (i.e. they are headquartered in a jurisdiction the Commission has not deemed equivalent).

Depending on TCB classification, the new regime will require TCBs to:

  • hold a capital endowment equivalent to 2.5% (or 0.5%, if Class 2) of the branch’s average liabilities over the past three accounting periods, subject to a minimum of EUR 10 million (or EUR 5 million, if Class 2);
  • comply with the liquidity coverage ratio (or hold sufficient unencumbered and liquid assets to cover liquidity outflows for a minimum of 30 days, if Class 2);
  • maintain a “registry book” of all assets and liabilities booked or originated within the TCB for risk management information purposes, and develop and regularly review a policy on booking arrangements;
  • comply with a range of risk management, governance and reporting requirements, including:
    • hiring at least two persons managing the business internally (potentially extending into a requirement to form a local management committee at NCA discretion);
    • operating robust risk management processes whose output is subject to management reviews every two years;
    • effective management of counterparty risks, extending to counterparty credit risk management for those TCBs engaging in back-to-back or intragroup operations;
    • reporting of balance sheet, significant exposures and funding concentrations;
    • further reporting on head undertaking activities, such as its plans for the TCB, recovery plan and a list of services provided by the head undertaking for EU clients on the basis of reverse solicitation.

NCAs must periodically employ an independent third party to assess TCBs’ compliance with the internal governance and risk controls requirements mentioned above.

The EBA will finalise the full details of some of the requirements over the coming years, especially regarding the specific booking arrangements TCBs must apply. At a minimum, this will include keeping a record of assets and liabilities originated by the TCB, those booked or held elsewhere for the TCB’s benefit, as well as off-balance sheet items.

As mentioned above, this new regime constitutes an EU-wide set of minimum requirements. This means only those TCBs currently regulated “below” this new baseline, whether due to less robust existing national-level rules or due to being in receipt of waivers, will face a commensurately larger compliance burden from November 2026.


TCB subsidiarisation

TCBs may be required to subsidiarise if they meet any of the four following conditions:

  1. the TCB has assets in excess of EUR 10 billion;
  2. the TCB belongs to a group which across the EU has aggregate TCB assets in excess of EUR 40 billion;
  3. the NCA judges the TCB to be “systemically important” on the basis of its size, importance to the EU/MS economy, significance of cross-border activities and interconnectedness with the wider financial system; or
  4. the TCB has been conducting business in a MS other than the one it is authorised in.

In most cases, the NCA shall first impose additional prudential requirements on a TCB, or require it to restructure its assets and activities “in such a manner that they cease to qualify as systemic” or “cease to pose an undue risk” to financial stability. If this outcome is judged to be insufficient, TCBs can still be required to subsidiarise. However, if an NCA feels that alternative measures would be insufficient “to address” “material supervisory concerns”, it can utilise the subsidiarisation power without pursuing other options.

The first condition alone scopes in a large number of TCBs: at end-2020, 16 TCBs (out of a total 106) had more than EUR 10 billion in assets, with 19 more having between EUR 3 and 10 billion in assets.


Implications for firms

CRD VI will force non-EU banks to rethink their overall European footprint. First and foremost, simply to comply with the new rules, firms must decide the future of any existing, now non-compliant cross-border services. This may involve setting up or expanding existing TCBs in MS where they have existing cross‑border business, transferring business to an existing (or new) EU subsidiary able to passport across MS or ultimately ceasing business in that MS altogether.

Migrating such business to an EU balance sheet, as well as reforming existing TCBs to comply with the new rules, has operational and financial implications for firms:

  • Operationalising the migration: in order to migrate such business to an EU balance sheet, non-EU banks will have to: identify affected clients; allocate internal resource to facilitate the migration and satisfy client-specific needs; repaper contracts; and complete new onboarding and new KYC due-diligence for the new EU entity. Because the definition of “lending” as an activity extends to the arranging of loans and the booking, non-EU banks may have to migrate staff as well.
  • Single Supervisory Mechanism (SSM): EU subsidiaries of non-EU banks not currently subject to the ECB’s SSM should evaluate their likelihood of crossing the EUR 30 billion threshold in the medium term, incorporating CRD VI-related asset migration, and plan accordingly.
  • Establishing new entities: non-EU banks establishing an EU subsidiary for the first time will have to meet stringent supervisory expectations over subsidiary authorisation. If the non-EU bank sets up two or more EU entities (inclusive of both credit institutions and investment firms) with a combined total EU asset value exceeding EUR 40 billion, then it will also have to establish an intermediate parent undertaking (IPU).
  • Changes to the control framework: while CRD VI is expected to simplify the underlying complexity of cross-border rules, it is likely that regulators will take a hard stance on any breaches. Non-EU banks should review their booking arrangements and controls framework, especially regarding cross-border policies, country manuals, booking decision trees, transaction query tools and post-transaction monitoring. Specific control requirements and documentation will need to be considered for reverse solicitation scenarios – if controls are not already robust following Brexit, these will need to be bolstered.
  • Decreased cost-efficiency of TCBs: the new prudential requirements, as well as potential supervisor-led subsidiarisation/restructuring/additional Pillar 2 requirements, could decrease TCBs’ cost-efficiency (especially for those currently subject to less exacting regulation or in receipt of waivers). According to the EBA, 23% of TCB assets were not subject to any capital requirements at all as of end-2020, with an additional 67% of assets only subject to a minimum initial capital requirement. Similarly, the new EU-wide governance, reporting and booking model requirements will also increase a TCB’s fixed costs.


Conclusion

While less cost-efficient at first glance, non-EU banks operating or considering setting up multiple TCBs should assess the benefits of consolidating their business into one EU subsidiary. Subsidiaries have passporting rights, so firms avoid the repeated costs and operational strain of setting up and maintaining a TCB in each MS they have material cross-border business in (especially if a non-EU bank’s total TCB assets may grow close to the EUR 40 billion subsidiarisation threshold once asset migration has occurred). Ultimately, any decisions should be made with an eye to right-sizing their entire European (not just EU) footprint in parallel with any rationalisation programmes already in train. For example – cost increases to European banking operations may further incentivise non-EU banks to reconsider the attractiveness of a mid-size European presence. Given the number of relevant considerations, firms should begin identifying a best way forward now, to ensure they are not only compliant but “right-sized” for the November 2026 deadline.

Additional contacts

Thomas Peek

Partner, Deloitte

Igor Toder

Director, Deloitte

Jean-Philippe Peters

Partner, Deloitte

Authors

Thomas Bellini

Senior Consultant

Tom is a Senior Consultant in the EMEA Centre for Regulatory Strategy, focusing on capital markets regulation. Before joining Deloitte, he advised the Chancellor at HM Treasury.

David Strachan

Head of EMEA Centre for Regulatory Strategy

David is Head of Deloitte’s EMEA Centre for Regulatory Strategy. He focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the UK’s Financial Services Authority. His last role was as Director of Financial Stability, working with UK and international counterparts to deal with the immediate impact of the Great Financial Crisis and the regulatory reform programme that followed it.

Alex Szmigin

Partner

Alex is a Partner in Deloitte’s Risk Advisory practice. Alex is an ex-banking regulator with over nine years of consulting experience, and is a chartered accountant. Alex has deep experience of banking prudential risk and regulation, as well as financial services market access rules. Since 2016, Alex has supported multiple banks in securing banking and investment firm licenses for new operations post-Brexit, and co-leads our Brexit banking and capital markets business. Alex also leads engagements on legal entity and booking model restructuring, prudential regulatory requirements, solvent wind down and supports on M&A transactions. He has supported a number of UK banks and investment firms in obtaining authorisation from the PRA and FCA over the past 9 years.

Clare Jenkinson

Partner

Clare is a partner within Deloitte Legal, who specialises in financial services regulation and regulatory technology (RegTech) law. She has over 15 years’ experience of providing strategic and commercial advice to financial institutions on regulatory matters, whether arising from ongoing business, business change, or significant regulatory change and advocacy projects such as MiFID II and CRD VI. In her previous role Clare chaired AFME’s Investment Research Working Group. She also specialises in digital assets, products and services. Prior to joining Deloitte, Clare held legal and compliance roles at HSBC, and previously was an associate at Freshfields Bruckhaus Deringer LLP and at Travers Smith LLP, where she undertook secondments to a range of buyside and sellside clients.

Additional contacts

Jaspreet Jhaj

Partner

Jas is a Partner in Deloitte’s Risk Advisory Practice in London. He leads Deloitte’s Booking Model and Front Office Controls Propositions and has more than 13 years’ experience in the financial services sector. He has led numerous advisory projects, including: legal entity design and restructuring programmes; booking model reviews (transparency and optimisation); front office controls investigations; and front-to-back processes and controls reviews.

James Henson

Director

James is an experienced financial services regulatory lawyer, specialising in banking and capital markets work. James has worked as a regulatory specialist as both an in-house lawyer at one of the world’s largest banks, and for a number of years in private practice at a leading law firm. James has particular expertise in advising on large multi-business or multi-product projects, for example: material regulatory change such as Brexit, MiFID II and the Benchmarks Regulation; business/strategic change, including regulatory issues that arise where an existing business offers new products/services or enters into new markets; design and development of new products; and business reviews and adaptation to regulatory change. Whilst in private practice James completed both international and client secondments. As part of his in-house role, James had extensive experience of liaising with industry working groups and regulatory authorities.

Margarita Streltses

Senior Manager

Margarita is a Senior Manager in Deloitte’s EMEA Centre for Regulatory Strategy, specialising in capital markets regulation. Before joining Deloitte in February 2023, Margarita worked for 3.5 years in Wholesale Banks supervision at the Financial Conduct Authority. Prior to that, Margarita spent 10 years at a global investment bank in Equity Research and Regulatory Relations roles. Margarita holds a BSc in Management and an MSc in Energy, Trade and Finance from Bayes (Cass) Business School.