Regulation

CRD VI Fit-and-Proper Roadmap 2026–2028: What Banks Need to Prepare Now

April 21, 2026

The sixth amendment to the Capital Requirements Directive (CRD VI, Directive (EU) 2024/1619) was published in the Official Journal of the European Union in June 2024 and must be transposed into national law by the Member States by 11 January 2026. For credit institutions, the directive significantly expands Fit-and-Proper requirements: for the first time, not only members of the management body, but also a clearly defined group of Key Function Holders — including CFOs, CROs, CCOs and Heads of Control — are brought into the prudential suitability and reliability framework.

For banks in the DACH region, this means the familiar § 25c KWG workflow with reliability checks and suitability assessments at executive management level will be structurally expanded over the next 24 months. Anyone who only starts adapting in 2026 will run into a bottleneck of parallel personnel checks, documentation requirements and supervisory inquiries. This article provides a robust roadmap for 2026 to 2028, including quarterly milestones, functional assignments and an interface map to the existing EBA-ESMA Joint Guidelines.

Understanding the scope expansion: what CRD VI adds

CRD VI systematically broadens suitability and reliability assessments. Until now, the regime focused on members of the management body in its management and supervisory functions. The amendment explicitly adds the following groups:

  • Chief Financial Officer (CFO): Responsible for accounting, regulatory reporting and financial control. Unless already a member of management, the CFO is classified as a Key Function Holder.

  • Chief Risk Officer (CRO): Leads the second line of defense and aggregates and manages all material risk types.

  • Chief Compliance Officer (CCO): Responsible for AML, sanctions and securities compliance, as well as compliance with supervisory obligations.

  • Heads of Control Functions: Heads of Internal Audit, Heads of Risk Control and, where applicable, Heads of Anti-Financial-Crime. The exact delineation depends on the institution’s structure and is specified by the EBA-ESMA Joint Guidelines on the Assessment of the Suitability of Members of the Management Body and Key Function Holders (EBA/GL/2021/06, revised 2024).

In substance, the same five assessment criteria apply to the newly included persons as to executive managers: sufficient knowledge and skills, adequate time commitment, independence of judgment, the body’s collective suitability framework and — crucially — personal reliability and integrity. In practice, the latter is operationalized through criminal record certificates, credit checks, sanctions-list screenings and structured reputation reviews.

Integration with the existing BaFin § 25c KWG workflow

German institutions have worked with an established workflow for years: before the appointment of an executive manager, BaFin is notified under § 25c(1) KWG in conjunction with the BaFin guidance note on executive managers under KWG, ZAG and KAGB (as of April 2024), and extensive documents are submitted: CV, criminal record certificate (not older than three months), excerpt from the commercial central register, self-declarations regarding prior activities, insolvency proceedings and criminal proceedings. Processing usually takes six to twelve weeks.

CRD VI does not require Key Function Holders to be subject to the exact same notification regime — but the institution must maintain a structurally comparable internal assessment process that is documented in an audit-proof manner and can be presented during supervisory reviews. In its consultation paper on implementation (expected in Q4 2025), the Federal Financial Supervisory Authority has indicated that it will require an internal documentation obligation with maturity assessment for Key Function Holders, but no prior approval.

Roadmap 2026 → 2027 → 2028

Phase 1: 2026 — setup and scoping

| Quarter | Milestone | Responsible function |
|---|---|---|
| Q1 2026 | Scoping workshop: identification of all Key Function Holders in the institution. Alignment with the EBA list and existing MaRisk function segregation. | Head of HR, Compliance, Internal Audit |
| Q1 2026 | Board governance decision on the expanded scope, documented in the organizational handbook. | Entire Management Board |
| Q2 2026 | Adopt the expanded "Fit-and-Proper" policy: criteria catalog, assessment depth, documentation, review cycles. | CCO, Head of HR |
| Q2 2026 | Selection and contracting of a GDPR-compliant background check provider. Coverage: DE, AT, CH plus other EU countries where the institution is active. | Head of Procurement, Data Protection Officer |
| Q3 2026 | Develop interview templates for new Key Function Holders: structured guides for CFOs, CROs, CCOs and Heads of Control with role-specific competency areas. | HR Development, external legal counsel |
| Q4 2026 | Pilot runs: three to five initial assessments of existing Key Function Holders as test cases. Iterative process improvement. | Compliance, HR |

Phase 2: 2027 — rollout and hardening

| Quarter | Milestone | Responsible function |
|---|---|---|
| Q1 2027 | Full rollout: all active Key Function Holders undergo the expanded Fit-and-Proper assessment. Complete file set for each person. | CCO, Head of HR |
| Q2 2027 | Integration into the onboarding process for new hires at key-function level. No start of service without a completed assessment. | Head of HR |
| Q2 2027 | Parallelization with EBA-ESMA Joint Guidelines 2024: collective suitability matrix at board and key-function level, documented in a suitability matrix. | Supervisory Board, Personnel Committee |
| Q3 2027 | First internal audit of the Fit-and-Proper process: review of completeness, traceability and GDPR compliance. | Internal Audit |
| Q4 2027 | Adjustments based on audit findings. Introduction of a digital, audit-ready file for each Key Function Holder. | CCO, IT |

Phase 3: 2028 — consolidation and supervisory dialogue

| Quarter | Milestone | Responsible function |
|---|---|---|
| Q1 2028 | First full annual reassessment wave of all Key Function Holders. Focus: changes in personal circumstances, continuous training, role adjustments. | CCO, HR |
| Q2 2028 | Supervisory dialogue with BaFin and, where applicable, the ECB (in the SSM): presentation of the established process, exchange on best practices. | Management Board, CCO |
| Q3 2028 | Benchmark analysis against peer institutions and supervisory expectations. Identification of optimization potential. | Compliance, Strategy |
| Q4 2028 | Consolidated final report to the Supervisory Board: maturity assessment, action items, outlook. | CCO, Management Board |

Documentation requirements in detail

A review-proof file must be created for each Key Function Holder. The contents are derived from the EBA-ESMA Joint Guidelines 2024 and should be kept up to date throughout the full lifecycle of the role.

  • Personal details: CV, educational records, certificates, proof of qualifications from relevant training.

  • Reliability evidence: official criminal record certificate, excerpt from the commercial central register (where applicable), credit report, sanctions-list screening, international background check results where foreign links exist.

  • Independence check: disclosure of material private and business relationships, conflict-of-interest register, approval for secondary activities.

  • Competence assessment: role-specific criteria catalog, documented interview results, self-assessment, third-party assessment by the Management Board or Supervisory Board.

  • Time availability: inventory of parallel mandates, calculation of committed hours, thresholds depending on institution size.

  • Ongoing updates: annual self-declaration form, ad hoc reporting obligation in the event of material incidents (insolvency proceedings, criminal proceedings, civil litigation with material reputational relevance).

A 2025 Bitkom study on the digitization of the compliance function shows that only around one third of the surveyed credit institutions already keep their Fit-and-Proper files fully digital and audit-ready. For the CRD VI wave, paper is no longer scalable — by 2027 at the latest, an electronic file system will be standard practice.

Interview templates for the expanded Key Function Holders

The interview guides previously used for executive managers cannot be transferred one-to-one to Key Function Holders. Each function has a specific competency profile that must be covered in structured interviews.

  • CFO interview: IFRS and HGB accounting, regulatory reporting (COREP, FINREP, AnaCredit), treasury, tax law, investor relations. Scenario questions: handling a short-term liquidity crisis, communicating a results correction to the supervisor.

  • CRO interview: ICAAP, ILAAP, stress tests, ESG risks, model risk management, operational resilience. Scenario questions: escalation decision when risk tolerances are exceeded, dealing with supervisory findings in the context of the SREP.

  • CCO interview: German Money Laundering Act (GwG), KYC, sanctions law, MaRisk compliance function, WpHG, transaction monitoring. Scenario questions: handling a suspected insider dealing case, conflict between business interest and regulatory duty.

  • Head of Internal Audit: IIA standards, MaRisk AT 4.4.3, audit planning, sampling methodology, independence standards. Scenario questions: handling an audit finding that directly concerns a member of the Management Board.

The interviews should be conducted by a panel consisting of a Supervisory Board member, an external expert and, where appropriate, a recruitment consultant. The minutes are part of the Fit-and-Proper file.

Legal equivalents in Switzerland, Austria and across the EU

Switzerland

Switzerland does not implement CRD VI directly, but since the FINMA position paper on harmonization with EU supervisory standards (October 2025), it has been pursuing gradual alignment. The basis remains Art. 3(2)(c) BankA (guarantee of proper business conduct), as well as Art. 8 of the Banking Ordinance and the FINMA Circular 2017/1 "Corporate Governance — Banks". FINMA has announced that, as part of the next revision of the circular, it will include Key Function Holders at CFO, CRO and CCO level in the reliability assessment. For institutions in the SSM or with EU subsidiaries, the CRD VI logic must in practice already be implemented today. Relevant in practice: the Swiss criminal records extract and the debt collection register extract cover only part of the reputation check scope — unlike the German criminal record certificate — so additional checks are regularly required.

Austria

Austria will implement CRD VI through an amendment to the Banking Act (BWG). Core provisions are § 5 BWG (authorization requirements and Fit-and-Proper requirements for executive managers) and § 28a BWG (suitability assessment of supervisory board members). In its 2026 supervisory program, the FMA identified the implementation of CRD VI as a priority topic and will likely operationalize the expanded group of persons through an adaptation of the FMA circulars on Fit-and-Proper tests. Austrian institutions should expect implementation to follow Germany with a slight time lag, but in substance in parallel.

Across the EU

At Union level, the EBA-ESMA Joint Guidelines on the Assessment of the Suitability of Members of the Management Body and Key Function Holders (EBA/GL/2021/06, in the 2024 revised version) form the substantive backbone. In addition, the EBA Guidelines on Internal Governance (EBA/GL/2021/05) apply and are strengthened in key respects by CRD VI. The European Central Bank applies its own SSM Fit-and-Proper Guide (current version December 2024) within the Single Supervisory Mechanism (SSM), which is directly applicable to significant institutions (SIs). For institutions that also fall under DORA, a useful linkage emerges: the reputation checks for persons responsible for outsourcing under Art. 28 DORA and the Fit-and-Proper assessment under CRD VI can be bundled into an integrated background check process architecture.

Interface with the BaFin § 25c workflow

In practice, a staggered approach has proven effective: it systematically combines the external BaFin notification requirement for executive managers under § 25c KWG with the internal Fit-and-Proper assessment for Key Function Holders.

  1. Unified document catalog for both groups of persons, with clearly marked modules additionally used for § 25c KWG notifications.

  2. Shared digital platform for document capture, approvals and audit trails. GDPR-compliant, with clear deletion periods after the role ends plus statutory retention periods.

  3. Harmonized reassessment cycles: annual self-declaration, full reassessment every three years, ad hoc checks triggered by material events.

  4. Clear escalation paths for discrepancies between self-declarations and objective assessment findings — especially in relation to credit reports or criminal proceedings.

Typical pitfalls from practice

A 2024 Kienbaum analysis of the implementation maturity of regulatory personnel processes identifies three recurring problem areas. First, defining the relevant population: institutions regularly underestimate how many roles are Key Functions in substance — especially in matrix organizations. Second, data currency: criminal record certificates and credit checks are obtained once during onboarding, but are then no longer updated systematically. Third, interview quality: structured guides are missing, and interviews are conducted ad hoc and documented incompletely.

The 2024 PwC Regulatory Compliance study also highlights a fourth point: the language dimension. For institutions operating across borders, foreign criminal record and reputation evidence must be obtained, translated and assessed consistently against German standards. Without a standardized process, this leads to significant lead times and quality risks.

Conclusion and recommendation

CRD VI is not a minor adjustment, but a structural expansion of supervisory personnel assessments. Institutions that start in 2026 without defining the Key Function scope will not get through the 2027 rollout phase without review risks. The roadmap presented here addresses the three critical success factors: clear scope definition at the outset, digitized documentation during rollout, and audit-proof consolidation in the maturity phase.

At the intersection with DORA, the EBA-ESMA Joint Guidelines and the national FMA and FINMA regimes, it becomes clear that Fit-and-Proper is no longer an isolated HR task, but an integrated compliance process with interfaces to outsourcing, risk management and supervisory reporting. Indicium Technologies provides banks in the DACH and EU regions with a GDPR-compliant, audit-ready platform that bundles background checks, reputation checks and Fit-and-Proper documentation into an integrated process architecture.

Book a demo and speak with our team about the practical implementation of your CRD VI roadmap — from scoping to the finished digital file.

Nabil El Berr




Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
