Article 4(1)³ of the ECSPR introduces general organisational and internal governance requirements for all CSPs, which implies, inter alia, that the management body in its supervisory function carries out an effective oversight of the management decision-making process, and the risks involved in the activity provided.  

According to Article 12(2)(e) of the ECSPR, the application for the authorisation as CSP shall provide the authorising NCA with a description of the prospective CSP’s governance arrangements and internal control mechanisms to ensure compliance with the ECSPR, including risk-management and accounting procedures.  

In addition to these general duties, paragraph (2) of the same Article 4 establishes more specific obligations regarding the management body of all CSPs which intermediate loans and requires to establish, and oversee the implementation of, appropriate systems and controls to assess the risks related to the loans intermediated. More detailed requirements are provided in paragraph (4) for the assessment of credit risk and relevant risk-management framework of CSPs which determine the price of the offers. This framework is complemented by the organisational requirements established in Article 6 of the ECSPR for lending-based CSPs which also provide the individual portfolio management of loans. 

Since Article 20(1)(b) of the ECSPR requires all CSPs that facilitate the granting of loans to annually publish an outcome statement indicating the expected and actual default rate of all loans facilitated by the CSP by risk category and by reference to the risk categories set out in the risk management framework, ESMA considers that the risk management framework of (all) lending-based CSPs should assess the risks of loans intermediated on their platform by classifying them into risk categories which correspond to the risks /probabilities of default of such loans. 

This would allow CSPs to soundly assess the risks of the loans that they offer on their platform in accordance with Article 4(2) of the ECSPR and at the same time to comply with Article 20(1)(b) of the same regulation and provide accurate outcome statements on actual and expected default rate of such loans by reference to same risk categories used in their risk management framework.   

Based on the above, ESMA believes that all CSPs shall establish – in the context of their organisational arrangements – a risk management framework whose complexity is also determined by the various provisions which are applicable to the specific activities provided by the CSP taking into account the nature, scale and complexity of such activities. When CSPs intermediate loans, such risk management framework shall at least assess the risks related to the loans intermediated on the crowdfunding platform (Article 4(2) of the ECSPR).   

In case of CSPs that determine the price of crowdfunding offers, the risk management arrangements shall also comply with the specific additional requirements set out in Article 4(4)(f) of the ECSPR.