The eighty questions a G-SIB procurement function will send a new supplier on engagement — independence, conflicts of interest, PI cover, DORA third-party governance, GDPR/data protection, information security, business continuity, subcontractor policy, financial crime. We answer them all on this page, the same way every time. The page is also available as a signed PDF for circulation to the Chief Procurement Officer, the Operational Risk function and the Third-Party Risk Management team. Where procurement has a proprietary questionnaire, we complete it within five business days at no charge.
1.1 Legal form of the supplying entity
Ezelman SAS, a French société par actions simplifiée, registered in France. Trading name: Ezelman. Registered office in Paris. SIRET, VAT (TVA intracommunautaire) and Kbis extract are supplied on request with the counter-signed NDA. The firm is founder-owned with no outside investors; partnership structure is described in full on the stance page.
1.2 Parent, subsidiaries or affiliated entities
None. Ezelman is a standalone entity. There is no group structure, no parent, no subsidiaries and no affiliated advisory entities that contract in its name. This simplifies the third-party risk assessment materially compared with supplying from a multi-entity consulting group.
1.3 Ultimate beneficial ownership (UBO)
Hannan Mohammad, founder, is the sole UBO with more than 25% ownership. A registry-level UBO attestation is issued on request. No politically exposed person (PEP) status; no sanctions-list exposure; KYC pack delivered on request with the counter-signed NDA.
1.4 Year founded and years of continuous operation
Ezelman was founded in 2020. The firm has operated continuously since incorporation. Founder tenure in the regulatory-risk field precedes incorporation by approximately two decades, primarily inside European G-SIBs and a Big-4 regulatory risk practice.
1.5 Geographies of legal operation
France (primary). Client engagements are executed across the European Union (principally FR, DE, IT, NL, ES, LU), the United Kingdom, the Gulf Cooperation Council (UAE, KSA, Qatar) and the United States. Ezelman does not operate in sanctioned jurisdictions.
2.1 Auditor independence
Ezelman is not an audit firm and has no statutory-audit or assurance relationship with any client. We are entirely outside the EU Audit Regulation perimeter. Where a bank’s statutory auditor has a non-audit-service conflict with consulting work, that conflict is structurally absent at Ezelman.
2.2 Conflicts policy &amp; register
A written conflicts-of-interest policy applies on every mandate. A live register records, per active mandate: the client entity, the scope, the named supervisor counterparties in play, and any regulatory counterparty-level conflict. Before taking a new mandate we run a three-step conflicts screen:
The written policy, including how conflicts are waived (client-consent model) or declined (no-waiver model), is included in the PDF pack.
2.3 Regulatory cooling-off and prior-employer restrictions
The founder observes a self-imposed 12-month cooling-off from any former employer before taking a supervisor-facing mandate involving that employer’s direct supervisory dialogue. The current window is long past and this restriction is now historical, but the policy remains in force for future moves by any additional partner.
2.4 Gifts, entertainment, anti-bribery
Zero-value threshold on gifts from regulated-entity clients in the twelve months either side of a live mandate. Entertainment is recorded in a written log. Anti-bribery policy is consistent with the French Sapin II law and the UK Bribery Act 2010 standard. No facilitation payments; no political contributions made in the firm’s name.
2.5 Independence from software vendors
Ezelman does not resell software and is not a reseller or implementation partner of any regulatory-risk software vendor. No commission, referral fee or revenue share is received from any technology provider discussed in a client deliverable. Vendor-selection work is contracted on a fixed fee with the vendor-agnostic output expressly warranted.
3.1 Professional indemnity (PI) &amp; civil liability
Professional indemnity cover is placed with a tier-one European insurer. Standard limits: €5m per claim · €10m aggregate per policy year. Higher per-mandate limits are available and have been placed for specific engagements on request. The annual certificate of insurance is issued directly by the broker to the bank’s procurement or third-party risk team within two business days of request.
3.2 Public &amp; general liability
General liability (public liability, employer’s liability and damage to premises) is bundled in a standard French commercial package. Certificate on request.
3.3 Cyber liability
Standalone cyber-liability cover is held, with first-party and third-party components (breach response, notification costs, business interruption, regulatory defence). Limits disclosed on counter-signature of the NDA.
3.4 Financial standing
Ezelman is profitable, with positive net equity and zero financial debt. Audited or certified statutory accounts (under French GAAP) are available on request under NDA. The firm does not depend on a bank line or invoice-discounting facility for working capital. Cash runway is disclosed in the formal DDQ return.
3.5 Revenue concentration
Operating policy: no single client > 40% of trailing-twelve-month revenue at the firm level. Current concentration is well inside that ceiling. This is an internal ceiling, not a statutory one; it matters to third-party risk teams and so we publish it.
4.1 DORA — ICT third-party service provider status
Ezelman’s services are not ICT services within the meaning of Article 3(21) of Regulation (EU) 2022/2554 (DORA). Our engagements are advisory professional services with no provision of ICT assets, ICT-related services or software to the in-scope entity. Where advisory work nevertheless touches ICT concentration risk (for instance, technology-vendor selection for a regulatory-reporting platform), we adopt the ICT-service contractual clauses by analogy to simplify the bank’s register entry.
4.2 EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02)
Ezelman accepts the standard EBA outsourcing contractual framework, including: description of the outsourced activity, service levels, audit & access rights (see 4.3), sub-outsourcing notification, data-protection, business continuity, termination rights and supervisory access. On critical-or-important engagements we accept the “critical-or-important” tag, the corresponding governance obligations and the register entry by the client.
4.3 Audit rights — client, statutory auditor, supervisor
Ezelman accepts full audit & access rights for the client’s internal audit function, its statutory auditor and its competent supervisor (ECB / NCA / ACPR, as applicable), including on-site access to working papers at our premises, information-system walk-throughs and interviews with named mandate personnel. These rights survive termination of the mandate for the applicable retention period.
4.4 Sub-outsourcing / chaining
No sub-outsourcing without prior written client consent (see s.08). Where a delivery partner is used, the same outsourcing framework is flowed down contractually and the partner is named in the client’s outsourcing register.
4.5 Data residency &amp; processing locations
Default: EU-only data residency. Primary processing in France, DR in another EU member state. No data export to non-adequate third countries. For GCC or US engagements, dedicated in-region processing arrangements are set up on a mandate basis with documented cross-border transfer mechanisms.
5.1 Controller / processor classification
For client-instructed processing of personal data (typically limited — HR datasets, credit-file sampling), Ezelman acts as processor under GDPR Article 28. A standard Data Processing Agreement (DPA) is executed with every mandate that involves personal data.
5.2 Minimisation principle
On regulatory-risk engagements the rule is de-identified samples wherever the analytical purpose permits. Client teams de-identify before transfer. We request personal data only where the regulatory purpose requires it (for instance, credit-file review on an IRB-model inspection).
5.3 International transfers
EU-default. Where a mandate has GCC or US dimensions, transfers are supported by the EU–US Data Privacy Framework (where applicable), Standard Contractual Clauses, or the equivalent GCC local-law transfer mechanism. DPIA contribution on request.
5.4 Retention
Client working papers: retained for the duration required by the supervisor’s access right (typically ten years from engagement close for ECB-relevant mandates, or longer where an active supervisory dialogue is open). Personal data within those papers is minimised before filing.
5.5 Data breach notification
Material incident affecting client data: notification within 24 hours of detection to the client’s named Third-Party Risk contact, with a formal report within five business days. Our internal incident playbook is included in the PDF pack.
6.1 Security control baseline
Ezelman operates to an ISO/IEC 27001-aligned control baseline calibrated for a specialist boutique. We do not yet hold ISO 27001 certification; the decision to certify is revisited in the 2027 roadmap. Independent penetration testing is run annually; findings are closed before the next cycle.
6.2 Endpoint &amp; device management
Managed device fleet · full-disk encryption enforced · MDM controls · no BYOD for client data · phishing-resistant MFA (hardware keys / platform authenticators) on every client-data system.
6.3 Client data segregation
Per-mandate data-room architecture · least-privilege access · no cross-mandate reuse of working papers · immutable audit log of access events, retained for the full retention period.
6.4 Third-party tooling
A restricted, disclosed list of business applications (productivity, communications, collaboration) is used. Each is inventoried, risk-rated and subject to vendor due diligence. No client data is placed in unvetted third-party services. The list is available under NDA.
6.5 Incident response SLAs
Detection to client notification: ≤ 24h for material incidents; ≤ 72h for contained incidents that do not involve client data exposure. A written root-cause report follows within ten business days of containment. Full IR playbook in the PDF pack.
7.1 Business continuity plan (BCP)
A documented BCP covers founder unavailability, office unavailability, systems unavailability and extended force-majeure events. Tested annually against a stated scenario (current scenario: protracted founder unavailability for four consecutive weeks). Results recorded in a BCP log available under NDA.
7.2 Key-person risk — the honest answer
Ezelman is a founder-owned boutique. The firm is structurally concentrated on one partner today, with a roadmap to a second partner by end-2027 (see stance page). The following mitigants are in place:
For any procurement team that considers this mitigant set insufficient relative to mandate materiality, the correct conclusion is that the structural mismatch is real and a different supplier should be chosen. We would rather lose a bid than hide this.
7.3 IT resilience · recovery
RTO/RPO target for client working papers: RTO 4h / RPO 1h. Backups in a second EU member state. Restore-from-backup drill run on a documented cadence, with last-test date disclosed to the client on request.
8.1 Subcontracting policy
Default posture: no subcontracting. If the mandate requires specialist capacity we do not carry in-house, we propose a named delivery partner before the statement of work is signed, and the partner is contracted separately (directly to the client) where possible, or with flow-down EBA/DORA clauses where contractually consolidated under Ezelman.
8.2 Delivery-partner network
A small, vetted senior-only delivery-partner network supplements Ezelman on mandates where domain-specialist capacity is required (for instance, FRTB quantitative modelling, GCC Arabic-language documentation support, US Basel III Endgame specifics, IFRS 9 model-risk review). Each partner is an independent senior practitioner or a specialist boutique, pre-vetted for the above criteria, and contracted on a mandate-specific basis.
8.3 Flow-down of obligations
Every contracted partner executes a mirror NDA, a mirror conflicts warrant and the applicable data-protection / security obligations. Their identity is disclosed to the client before engagement; no “silent” subcontracting.
9.1 AML / CFT policy
Written AML/CFT policy in place, calibrated for professional-services activity and consistent with the French AML regime applicable to consulting firms that handle client funds or sensitive financial data. KYC on the contracting entity at onboarding; PEP & sanctions screening on beneficial owners of both Ezelman and its clients.
9.2 Sanctions screening
EU, UK, US OFAC and UN sanctions lists screened at onboarding and re-screened on the annual KYC refresh. Ezelman does not accept mandates from sanctioned entities or from jurisdictions under comprehensive EU sanctions. We do not advise on sanctions evasion — this is an explicit engagement-letter exclusion.
9.3 Anti-bribery / anti-corruption
Compliant with the French Sapin II regime. UK Bribery Act 2010 standard adopted for UK-facing mandates. US FCPA-equivalent discipline for US-facing mandates. Annual refresher training; gifts and hospitality logged; facilitation payments forbidden.
10.1 Environmental
Scope-1/2 footprint reported at a boutique scale (largely travel-driven). Policy: where a client engagement can be delivered hybrid with no loss of supervisor-facing defensibility, we default hybrid. Carbon reporting on request, with the caveat that a firm of this size does not publish an annual sustainability report.
10.2 Social &amp; diversity
Ezelman hires senior only. The accurate D&I statement therefore refers to a very small N — meaningful statistics cannot be reported. What can be said: the published hiring policy on the careers page is explicit that we do not hire below Director level, that candidate evaluation is reference-driven and that the pay range is disclosed up-front to every candidate.
10.3 Modern slavery / human rights
Low-risk supply chain (professional services, office, IT). Standard statement available on request. Annual review of delivery-partner network for human-rights compliance under the French loi de vigilance where the firm is in scope, or voluntarily below the threshold.
10.4 Code of conduct · whistleblowing
A written code of conduct applies to the founder and any future partner or delivery-partner personnel operating in the firm’s name. An external whistleblowing channel (via an independent law firm, named on request) is available to clients and employees alike.
11.1 Engagement model
Default: fixed-fee per statement of work, scoped to a named supervisor-facing deliverable. Time-and-materials is available for open-ended advisory retainer work but is not our preferred model. Hybrid fixed-fee plus capped time-and-materials is common for CRR3 programmes.
11.2 Typical mandate size
Single-workstream regulatory mandates: €250k–€600k. Multi-workstream or multi-quarter programmes: €600k–€1.5m. Larger aggregate engagements are constructed as a sequence of scoped statements of work, not as an open-ended framework.
11.3 Rate card · day-rates
Founder / senior-partner day-rate is disclosed in writing at proposal stage. There is no hidden rate card and no junior-substitution mechanism: the rate quoted is the rate delivered. No multi-tier pyramid is hidden behind a blended rate. The published fee-to-bps grid (in the PDF pack) translates typical mandate fees into CET1 basis-point economics for the CFO’s benefit.
11.4 Payment terms &amp; currency
Standard payment terms: 30 days from invoice, invoicing monthly on milestone completion. EUR is the default billing currency; USD and AED available for US and GCC mandates respectively, with FX locked at contract date.
11.5 Referral policy
We pay a 5% mandate referral fee to introducers who bring a mandate that proceeds to signed statement of work. Disclosed to the client at proposal stage. Where the introducer is an employee of the client, the referral is refused.
12.1 Primary procurement contact
Procurement enquiries: procurement@ezelman.com · same-day response in EU business hours, next-day in GCC business hours. Direct line to the founder: hmohammad@ezelman.com.
12.2 Complaints escalation path
Level 1: founder (Hannan Mohammad) in writing. Level 2: independent counsel of record (named on request). Level 3: external mediation via a Paris-based commercial mediation body where the client consents to the process. We have not had a formal complaint escalated past Level 1. If this changes we will disclose it on request.
12.3 Litigation &amp; regulatory action history
None. Ezelman has no open, pending or historical litigation as at the last review date. No regulatory action, no settlement, no client-initiated arbitration. The annual attestation is refreshed on the DDQ cycle.
12.4 Bespoke questionnaires
If the bank’s procurement function runs a proprietary DDQ / RFP template, we complete it within five business days at no charge. Send the template to procurement@ezelman.com with a named point-of-contact in Third-Party Risk Management on the bank side.
Full, signed PDF of this pack for distribution to the Chief Procurement Officer, Operational Risk and the Third-Party Risk Management team. One file, current version.