Resources
Thought Leadership·08/07/2026·5 min

Setting the Cut: ESG Compliance at Financial Institutions

The first wave of CSRD reports has been filed. EBA/GL/2025/01 has applied to large EU institutions since January 2026. Yet a surprising number of European financial institutions are still in a pre-decision phase on ESG compliance. This report works through how to draw that line.

Setting the Cut: ESG Compliance at Financial Institutions
Share

OVERVIEW

The first wave of CSRD reports has been filed. EBA/GL/2025/01 has applied to large EU institutions since January 2026. The ECB continues to list deficiencies in climate and environmental risk management as a "prioritized vulnerability" in its supervisory priorities for 2025–2027. The regulatory machinery is no longer in the future tense.

Yet a surprising number of European financial institutions – particularly mid-sized and smaller ones – are still in a pre-decision phase: they have not formally defined what ESG compliance means for their institution, who owns it, or where the line between mandatory obligation and voluntary ambition lies.

Ownership is often contested between Sustainability, Risk, and Compliance teams, and the structural question – whether ESG legal-risk monitoring is run centrally or delegated into local jurisdictions – frequently remains open. To avoid sanctions or reputational damage, the Management Body must resolve both the accountability and the operating model. In many groups the ESG strategy originates at group level and has to be cascaded to every subsidiary, and a dedicated ESG team often forms simply because no existing function steps in to absorb the work – not because a separate methodology was the intention.

COMPLIANCE SCOPE

Mandatory Obligations, Prudent Monitoring, and Voluntary Commitments Are Not the Same Thing.

The mandatory ESG compliance perimeter for EU banks in 2026 is well-defined. The core layer – CSRD reporting, EBA/GL/2025/01 ESG risk integration, Pillar 3 ESG disclosures, EU Taxonomy KPIs – is widely understood. For institutions offering investment products, SFDR product disclosures, and the greenwashing prohibitions under ECGT (applying from September 2026) add a further layer of product-specific obligations.

A second, less frequently mapped category involves regulations that sit outside the traditional ESG frame but carry real implications for how banks assess portfolio risk and make lending decisions. The EU Deforestation Regulation (EUDR) is one example: financial institutions were deliberately excluded from its direct scope during the legislative process, with the Commission instead committing to an impact assessment on financial sector inclusion that was due by June 2025 – an open question whose resolution could extend direct EUDR obligations to banks in future. In the meantime, EBA/GL/2025/01 already creates a clear expectation that banks assess the transition and reputational risks their clients face from supply chain regulations of this kind, making EUDR a portfolio risk management question even where no direct bank obligation currently exists.

Beyond the mandatory layer, every institution faces a second-order question: how far should its ESG compliance scope extend? This is not a question with a universal answer. It is a question of risk appetite, but also of how an institution wants to position itself commercially, how it manages its reputation, and how it protects itself against greenwashing exposure in both directions.

This strategic choice creates a binary risk. On one side, institutions that project high ambition without the infrastructure to substantiate it face immediate greenwashing liability. At the other extreme, banks that try to stay invisible on ESG risk a governance friction – where their internal operations evolve under regulatory pressure without the communication discipline to manage the gap.

In 2026, both paths lead to the same destination: increased supervisory scrutiny. Enforcement is now primarily driven by the data-documented inconsistency between public claims and internal reality.

The decision – what is mandatory, what is prudent to adopt early given the regulatory trajectory, and what represents a genuine strategic choice – should involve Compliance, Legal, Risk, and the Management Body. It is not a decision the Sustainability function can or should make alone, because voluntary commitments that are inadequately resourced migrate rapidly into legal and reputational liability.

Navigating complexity: Our ESG radar as a tool for transparency within the ESG landscape
Navigating complexity: Our ESG radar as a tool for transparency within the ESG landscape

Central or Decentralised

The Operating Model for ESG Legal-Risk Monitoring Is a Separate Decision.

Once the perimeter is defined, the operating-model question follows immediately, and it is rarely answered explicitly. Where does ESG sit alongside the established MaRisk and regulatory compliance pillars? Is the monitoring of ESG-driven legal risks run from a central function with consolidated oversight, or delegated into local jurisdictions where on-the-ground specialists track applicable law? Both models can be defensible; what is not defensible is leaving the choice implicit.

In a centralised model, a single regulatory monitoring function maintains the inventory of in-scope obligations, screens for changes, and routes findings to the relevant first-line owners. Consistency and auditability are high; sensitivity to local implementation detail can be low. In a decentralised model, local ESG managers in each jurisdiction maintain the live picture of applicable law and feed material changes upward. Local proximity is high; the risk of fragmented standards and uneven escalation is correspondingly higher. Most institutions in practice operate a hybrid – central methodology and tooling, with defined escalation paths to and from local actors – but the calibration of that hybrid is where the governance discussion needs to happen explicitly.

Much of this conversation can be shortened by recognising that existing ERM and regulatory compliance processes already answer most of the structural questions. The escalation logic, the documentation standards, the four-eyes principle, the linkage between obligation inventory and control testing – these are not ESG-specific. The work is to extend the existing operating model to cover an enlarged regulatory perimeter, not to construct a parallel one.

This is also why a standalone ESG compliance track that runs on its own logic does not hold up. The compliance function already operates a stream that addresses the same questions, obligation identification, monitoring, control testing, escalation, and building a parallel ESG stream alongside it duplicates effort and fragments the regulatory picture. Where the ESG mandate sits is, in this respect, a secondary question: it can stay with a dedicated ESG team or move into the compliance function. What matters is that ESG-driven legal risk is run through the same methodology as every other regulatory obligation. An ESG compliance team can certainly remain in place, but it should adopt the compliance logic rather than maintain a separate one; which is, in practice, why ESG tends to find its way back into compliance even when it continues to operate under its own name.

RISK INTEGRATION

Disclosure Was the First Phase. Risk Integration Is the Current One.

The dominant public narrative around ESG compliance has been shaped by the CSRD implementation cycle. For many compliance functions, this has consumed significant capacity. That phase is not over, but it is no longer the frontier obligation.

EBA/GL/2025/01 represents a different kind of requirement. It is not a disclosure standard – it is a risk management mandate. Institutions must demonstrate to supervisors that ESG risks are embedded in their ICAAP, their risk appetite framework, their lending and investment processes, and their transition planning. What a bank discloses and what it operationally does are distinct questions, and the ECB is increasingly examining both. Institutions are expected to close the gap between ESG governance on paper and ESG governance in practice.

REGULATORY MONITORING

ESG Scope Decisions Have Direct Consequences for Regulatory Monitoring.

Since ESG factors have transitioned from purely thematic categories to integrated drivers of an institution's risk portfolio, they now directly dictate the boundaries of regulatory compliance and, consequently, the scope of compliance risk management.

The decisions described above – on perimeter definition and the boundary between mandatory obligation and voluntary commitment – are not only governance questions. They have direct operational consequences for how regulatory monitoring is structured. What an institution has decided it is responsible for must be reflected in what it monitors.

A monitoring program that has not been updated to reflect an extended ESG scope will systematically undercount the regulatory universe it is responsible for – generating false confidence rather than genuine oversight. Where the ESG scope is extended, whether to cover voluntary commitments, sector-specific frameworks, or a broader interpretation of sustainability-related risk, the monitoring perimeter must be updated to match.

Six Decisions That Get ESG Compliance Off the Ground
Six Decisions That Get ESG Compliance Off the Ground
The Fairfield & Archer solution ensures seamless monitoring and control of your ESG scope
The Fairfield & Archer solution ensures seamless monitoring and control of your ESG scope

The practical advantage is that modern regulatory monitoring approaches are built to scale: ESG-adjacent regulatory areas can be layered onto an existing monitoring program without rebuilding the underlying infrastructure, calibrated to the specific scope, jurisdiction, and ambition level of the institution.

Scope extension is not a constraint on the monitoring function; it is a configurable parameter that can be adjusted as the institution's ESG position evolves.

Setting the Cut: ESG Compliance at Financial Institutions — Fairfield & Archer