With the first MiFID Directive, European lawmakers emphasized the importance of an independent compliance function. It formalized the requirements investment firms had to fulfil to ensure a control framework that would “detect any risk of failure by the firm to comply with its obligations under Directive 2004/39/EC, as well as the associated risks, and put in place adequate measures and procedures designed to minimise such risk and to enable the competent authorities to exercise their powers effectively under that Directive”.
The EU's ambition to establish a sounder compliance element in financial institutions can be found across MiFID, and in particular in Article 7, which gave material indications of the legislator's expectations. The Global Financial Crisis of 2007/2008, not least, laid bare that these good intentions were not sufficient to get a firm grip on the activities of supervised firms. It soon became apparent that this arrangement would not be enough, and while the European regulators tried to improve and concretize the existing rules, for instance by producing guidelines on certain aspects of the MiFID compliance function requirements, more was needed.
The review of the first Directive therefore also focused on what could be done to improve the existing framework and make financial institutions implement a setup that, in a perfect world, could prevent a crisis such as the GFC. While MiFID II built on the existing work and carried over the high-level obligations of investment firms (“An investment firm shall establish adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and tied agents with its obligations under this Directive as well as appropriate rules governing personal transactions by such persons.”), it was ESMA Technical Advice (2014/1569) that put more flesh on the bone:
Still, as time would show, these instructions were not enough to support a function as crucial as compliance. ESMA this week published a consultation paper that sets out its draft guidelines on certain aspects of the MiFID II compliance function requirements.
The paper builds on the 2012 guidelines and reorganizes the various sections:
- Responsibilities of the compliance function;
  - Compliance risk assessment;
  - Monitoring obligations of the compliance function;
  - Reporting obligations of the compliance function;
  - Advisory and assistance obligations of the compliance function;
- Organisational requirements of the compliance function;
  - Effectiveness of the compliance function;
  - Skills, knowledge, expertise and authority of the compliance function;
  - Permanence of the compliance function;
  - Independence of the compliance function;
  - Proportionality with regard to the effectiveness of the compliance function;
  - Combining the compliance function with other internal control functions;
  - Outsourcing of the compliance function;
- Competent authority review of the compliance function.
As such, most of the existing best practices have been confirmed and only in selected areas amended or supplemented:
- With regard to the monitoring obligations of the compliance function, the compliance function may now, as an additional tool for monitoring activities, also interview the firm’s clients.
- In respect of its reporting obligations, compliance reports should now systematically include information about the compliance function’s role in the elaboration, monitoring and review of the firm’s product governance requirements and, if relevant, all points listed in paragraph 32 of the guidelines (general information, manner of monitoring and reviewing, findings, actions taken (including related timeline and organisational units involved) and others), applied to the firm’s product governance arrangements. The supporting guidelines now also spell out what the parts of the report addressing the financial instruments manufactured/distributed by the firm and its distribution strategy should cover, as a minimum, i.e. i) the number and nature of the products manufactured/distributed, their target markets and other information to assess the product’s compliance risk (e.g. complexity of the product, product-related conflicts of interest, etc.); ii) for manufacturers, as part of the information on the respective distribution strategy, the respective distributors of the products; and iii) whether the products are distributed outside their (positive) target market and to what extent. Also, the reports of the compliance function should include any issue arising out of the implementation of the arrangements the firm has in place to assess, minimise and manage any conflict of interest from the compliance function also acting as the firm’s complaints handling function.
- While the guidelines on advisory and assistance obligations of the compliance function have barely been amended, the draft guidelines now also specify that the “compliance culture” of the firm should be supported by senior management.
- The guidelines regarding the effectiveness of the compliance function remain identical but a new paragraph provides that the firm should have in place the arrangements necessary to ensure effective communication between the compliance function and the other control functions (such as internal audit and risk management) as well as with any internal or external auditors.
- A new guideline 6 – Skills, knowledge, expertise and authority of the compliance function – has been added as a result of a split of guideline. The new additions to the supporting guidelines mainly detail good supervisory practices which national competent authorities may consider when supervising, and firms when integrating them into, their compliance function arrangements. In addition, the new supporting guidelines expressly provide that the compliance officer should demonstrate high professional ethical standards and personal integrity. Indeed, given the importance and nature of the role of the compliance function, ESMA believes that the compliance officer should be irreproachable in terms of ethics and personal integrity.
- A new paragraph has been added at the end of guideline “Combining the compliance function with other internal control functions” as ESMA believes that taking into account the nature, scale and complexity of the business of the firm, and the nature and range of investment services and activities undertaken in the course of that business, although a firm may have compliance staff working on other control units at the same level, it should consider establishing and maintaining a core team within compliance staff members whose sole area of responsibility is MiFID II compliance.
- Guideline 11 on the outsourcing of the compliance function has been amended to clearly state that a firm cannot discharge its compliance function responsibilities by outsourcing all or part of its compliance function; the relevant responsibilities attached to the functions and/or tasks outsourced will always rest with the firm.
- And lastly the guideline regarding the review of the compliance function by competent authorities has been amended to reflect good practices that certain NCAs use to supervise the compliance function requirements.
While they often appear to be of little substance, the changes proposed by the guidelines still represent a considerable shift in the existing framework and warrant some attention from compliance officers and senior management at financial institutions across the European Union and beyond, especially considering the Increasing Accountability of Senior Management in Financial Services. Contributions will therefore be most welcome, and the consultation closes on 15 October 2019. The full set of guidelines together with the consultation paper is available here.