Last month, the European Securities and Markets Authority (ESMA) released its final guidelines on the Markets in Financial Instruments Directive (MiFID II) compliance function. The guidelines, which follow a three-month consultation last year, are designed to establish consistent and effective supervisory practices and to ensure the common, uniform and consistent application of a number of aspects of the MiFID II compliance function, the regulator said.
‘The guidelines will enhance the value of existing standards by providing additional clarifications on certain specific topics, such as new responsibilities in relation to MiFID II’s product governance requirements, by notably detailing further the reporting obligations of the compliance function,’ it added.
Which firms are covered?
The European regulator has clarified that the guidelines apply to investment firms and to credit institutions providing investment services and activities. They also extend to UCITS management companies and AIFMs when they are providing MiFID investment services.
Under MiFID II, the overall role of compliance has been expanded in certain areas and now includes new responsibilities around compliance risk, reporting obligations, internal control functions and outsourcing due diligence. The new guidelines replace the existing ESMA 2012 guidelines on the same topic and expand the role of the compliance function. So, what’s new?
In a blog post last year, we noted that the draft guidelines promote a risk-based approach as the basis for determining the appropriate tools to be used by the firm’s compliance function, as well as the firm’s monitoring programme and the frequency of the monitoring activities performed by the compliance function.
That philosophy largely underpins the final guidelines too. Beyond the general expansion of the compliance function, there are a number of specific changes that compliance experts should take note of. These include:
Compliance risk assessment (Guideline 1):
The compliance risk assessment should be reviewed on a regular basis and updated where necessary. The risk assessment should take into account: the types of financial instruments traded and distributed; the categories of clients the firm serves; its distribution channels and platforms; and the internal organisation of the firm.
Reporting obligations (Guideline 3):
New guidance is set out on the content of the regular and ad hoc mandatory compliance reports required under Article 22(2)(c) and Article 22(3)(c) of the MiFID II Delegated Regulation. Five categories require some level of reporting: general information, the manner of monitoring, findings, actions taken and other information. Guideline 3 is worth reading in detail.
Advisory and assistance (Guideline 4):
The compliance function must be involved in the development of relevant policies and procedures, especially those relating to remuneration and product governance.
According to ESMA, the compliance function should also have the specific right to participate in the product approval process for manufacturers and distributors.
Skills, knowledge and expertise (Guideline 6):
The compliance function is expected to have sufficient knowledge of MiFID II and all related acts, including any guidance issued by ESMA and by the national competent authorities (NCAs), at least insofar as these are relevant to performing its compliance tasks.
Firms may need to periodically review the skills, expertise and knowledge of their compliance function, including making additional hires or providing further training, in order to make sure that the updated standards for the compliance function can be met.
The compliance function, and the compliance officer in particular, should also have sufficient authority to carry out their duties. The compliance officer should be knowledgeable and experienced enough to assume responsibility for the compliance function and to make sure that it operates effectively as a whole.
Combining compliance and internal controls (Guideline 10):
Combining the compliance function with other internal control functions, while controversial, is now explicitly accepted under Guideline 10. The compliance and internal audit functions must still be kept separate, but ESMA has said that combining compliance with other control functions, such as financial crime, is acceptable where the independence and effectiveness of each function are not compromised and sufficient resources are allocated to both.
Outsourcing (Guideline 11):
Outsourcing of compliance tasks in certain situations, including to the cloud, is accepted under Article 16(5) of MiFID II and Article 31 of the MiFID II Delegated Regulation.
ESMA is currently consulting on cloud outsourcing guidelines, and AQMetrics COO, Claire Savage, will be releasing a larger analysis – both of the guidelines and outsourcing generally – in the coming days. Be sure to look out for that.
Potential review by NCAs (Guideline 12):
Firms must be aware that the compliance function should have adequate reporting lines to the relevant NCAs. Some Member States may assess compliance on an ongoing basis, and may require compliance officers to complete an annual questionnaire covering the overall compliance of the firm.
The full guidelines can be viewed here.