Circular 26/906: a comprehensive overhaul of governance and risk management for payment and e‑money institutions

What’s new 

Circular 26/906 unifies different existing texts about risk management, administration and governance applicable to e-money and payment institutions and:  

• Provides more detailed and prescriptive requirements regarding supervisory/management bodies and internal control  
• Set concrete criteria for the proportionality principle 
• Detail the mandatory product approval process 
• Prohibit the use of banking terminology 

Implications for payment and e‑money institutions 

Circular 26/906 elevates expectations for governance, internal control, and risk management of payment institutions and electronic money institutions. The principle of proportionality introduces a dynamic obligation: institutions must continuously assess whether their governance arrangements remain appropriate relative to their size, risk profile, service offering, transaction volumes, outsourcing landscape and IT complexity: 

• Larger or more complex institutions will be expected to scale up their governance, potentially adding specialized committees, reinforcing the management and supervisory bodies, or enhancing risk and compliance staffing; 
• Smaller actors may simplify but cannot dilute key safeguards such as segregation of duties and independent control functions. 

Below we detail some key changes accompanied by some practical insights: 

a) Proportionality principle

Even though the proportionality principle was already part of the previous framework, Circular 26/906 provides for specific criteria for the application of such principle.

Criteria to be taken into account 

• The risks and complexity associated with the type of products offered and services provided an in particular the provision of services other than payment or electronic money services including the provision of foreign exchange services, the granting of credits related to payment services, the combination of multiple authorizations from the financial sector, etc. 
• The volume of payment and electronic money operations (> EUR 10 billion) 
• The size of the institution in terms of turnover and balance sheet total (> EUR 0.5 billion) 
• The type and number of payment service users 
• The number of staff members of the institution (i.e., > 50 persons) 
• The distribution network (supported by more than one branch and/or a network of agents, distributors or representative offices) 
• The size of the group (shareholding structure to which the institution belongs) 
• The number and complexity of outsourcing arrangements including those related to IT systems and technologies (and in particular the level of dependence and concentration of the outsourcing arrangements); and  
• The structure of the IT systems architecture (including systems continuity) 

b) Product approval process

The Circular determines that no new activity may be undertaken before approval has been given by the management body, after having heard all parties concerned and in particular the internal control functions, and before the product approval process is over. 

Overview of the requirements

c) Prohibition of banking words 

The Circular clearly indicates that the management body must ensure that all communications and marketing, particularly in digital form, are consistent, clear, comprehensible and not ambiguous. In this context, the circular prohibits institutions of using terminology normally associated to credit institutions or by other (financial) institutions which carry out activities not covered by payment institutions or e-money institutions licenses.

Example of banned words 

• Banking services
• Deposits 
• Bank  
• Neo-bank 
• Bank accounts 

Key recommendations 

To comply efficiently with Circular 26/906, institutions should: 

• Conduct a proportionate governance gap assessment mapping current arrangements against the Circular’s requirements (structure, committees, reporting lines, internal documentation, internal control functions, and product governance procedures), and have the supervisory body formally validate the proportionality analysis annually 
• Review organizational charts and decision‑making flows to ensure transparency, eliminating undue complexity, and ensuring timely information flows, particularly across branches, distributors, agents, and group entities 
• Review conflicts‑of‑interest policies and procedures, including declaration processes, escalation routes, related‑party transaction approval mechanisms, and guidance on abstention from decision‑making 
• Implement or enhance a New Product Approval Process to include risk mappings, compliance assessments, scenario analyses, and clear internal sign‑off workflows before any new or materially changed activity is launched 
• Train management and staff on the new obligations, particularly in areas such as conflicts of interest, new product governance, and responsibilities of control functions 
• Implement a review process for all marketing and customer‑facing materials to ensure consistency with the institution’s license scope, approved products and the prohibition of banking terminology.