A summary of the European Securities and Markets Authority (ESMA) draft guidelines on certain aspects of the MiFID II compliance function requirements.
Purpose of this Briefing Note
This briefing note summarises the draft guidelines on certain aspects of the MiFID II compliance function requirements, which ESMA are currently consulting on. A link to the consultation paper can be found at the end of this briefing note, with the actual guidelines set out in Annex III of the paper.
ESMA’s aim is to enhance clarity and foster convergence in the implementation of certain aspects of the expanded compliance function requirements introduced under MiFID II. They also intend to replace the existing ESMA 2012 guidelines on the same topic.
The consultation will be of most interest to investment firms providing investment services and activities, including selling or advising clients on structured deposits, UCITS management companies and external Alternative Investment Fund Managers (AIFMs) when providing investment services and activities under the UCITS Directive (2009/65/EC) and the Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD).
On 15 July 2019, ESMA published a consultation paper (ESMA35-43-2019) setting out draft guidelines on aspects of the compliance function requirements under the MiFID II package of measures. ESMA describes the compliance function as a crucial function within firms, responsible for identifying, assessing, monitoring and reporting on the firm's compliance risk. The consultation paper confirms and builds on ESMA's 2012 guidelines, broadening the scope to cover changes to the compliance function requirements introduced by MiFID II and the results of supervisory activities conducted by national competent authorities (NCAs), i.e. the FCA in the UK, on the application of the compliance function requirements.
The draft guidelines
ESMA notes that, to avoid unnecessary repetition, it has deleted from the 2012 guidelines those that have been incorporated directly in the MiFID II Delegated Regulation. ESMA notes, however, that the corresponding supporting guidelines still provide a valuable contribution in terms of practical examples and clarification on how the requirements should be applied in practice.
Taking into consideration all of the above, the guidelines have been partially reorganised and divided into the following main sections and 12 sub-sections:
I. Responsibilities of the compliance function
Compliance risk assessment
Monitoring obligations of the compliance function
Reporting obligations of the compliance function
Advisory and assistance obligations of the compliance function
II. Organisational requirements of the compliance function
Effectiveness of the compliance function
Skills, knowledge, expertise and authority of the compliance function
Permanence of the compliance function
Independence of the compliance function
Proportionality with regard to the effectiveness of the compliance function
Combining the compliance function with other internal control functions
Outsourcing of the compliance function
III. Competent authority review of the compliance function
Review of the compliance function by competent authorities
Under each of the 12 sub-sections, further specific supporting guidance, ESMA’s opinion and examples are detailed.
Each of the sub-sections can be summarised as follows:
General guideline 1 - Compliance risk assessment
The compliance function shall, amongst other things, conduct a risk assessment to ensure that compliance risks are comprehensively monitored. The compliance function shall establish a risk-based monitoring programme on the basis of this compliance risk assessment to determine its priorities and the focus of the monitoring, advisory and assistance activities.
General guideline 2 - Monitoring obligations of the compliance function
The aim of the risk-based monitoring programme should be to evaluate whether the firm’s business is conducted in compliance with its obligations under MiFID II, its related delegated acts and/or any national implementing provisions thereof and whether its internal guidelines, organisation and control measures remain effective and appropriate.
General guideline 3 - Reporting obligations of the compliance function
The written compliance report (annual CF10 report) to senior management should cover all business units involved in the provision of investment services, activities and ancillary services. Where the report does not cover all of these activities of the firm, it should clearly state the reasons.
General guideline 4 - Advisory and assistance obligations of the compliance function
Firms should ensure that the compliance function fulfils its advisory responsibilities, including: providing support for staff training; providing day-to-day assistance for staff; and participating in the establishment of policies and procedures within the firm (e.g. the firm’s remuneration policy or the firm’s product governance policies and procedures).
General guideline 5 - Effectiveness of the compliance function
When ensuring that appropriate human and other resources are allocated to the compliance function, firms should take into account the scale and types of investment services, activities and ancillary services undertaken by the firm.
General guideline 6 - Skills, knowledge, expertise and authority of the compliance function
A firm’s compliance staff shall have the necessary skills, knowledge, expertise and authority to discharge their obligations. This requirement should in particular be taken into account by firms when appointing the compliance officer. Having regard to the function and tasks assigned to the compliance officer, he or she should demonstrate high professional ethical standards and personal integrity.
General guideline 7 - Permanence of the compliance function
MiFID II requires firms to ensure that the compliance function performs its tasks and responsibilities on a permanent basis. Firms should therefore establish adequate arrangements for ensuring that the responsibilities of the compliance officer are fulfilled when the compliance officer is absent, and adequate arrangements to ensure that the responsibilities of the compliance function are performed on an ongoing basis. These arrangements should be in writing.
General guideline 8 - Independence of the compliance function
Firms should ensure that the compliance function holds a position in the organisational structure that ensures that the compliance officer and other compliance staff act independently when performing their tasks.
General guideline 9 - Proportionality with regard to the effectiveness of the compliance function
Firms should decide which measures, including organisational measures and the level of resources, are best suited to ensuring the effectiveness of the compliance function in the firm’s particular circumstances.
General guideline 10 - Combining the compliance function with other internal control functions
A firm should generally not combine the compliance function with the internal audit function. The combination of the compliance function with other control functions may be acceptable if this does not compromise the effectiveness and independence of the compliance function. Any such combination should be documented, including the reasons for the combination so that competent authorities are able to assess whether the combination of functions is appropriate in the circumstances.
General guideline 11 - Outsourcing of the compliance function
Firms should ensure that all applicable compliance function requirements are fulfilled where all or part of the compliance function is outsourced. Note: this doesn’t take away the accountability and responsibility for compliance from the firm!
General guideline 12 - Review of the compliance function by competent authorities
Competent authorities should review how firms plan to meet, implement and maintain the MiFID II compliance function requirements. This should apply in the context of the authorisation process, as well as, following a risk-based approach, in the course of on-going supervision. Note: this requires no direct action from firms and refers to the FCA reviewing that firms have implemented guidelines 1 to 11 above.
ESMA invites responses to its consultation paper, with the deadline for comments on the draft guidelines being 15 October 2019. ESMA intends to publish the final guidelines in the second quarter of 2020. Although the guidelines are only at draft stage, it is unlikely that any significant changes to them will emerge.
We recommend that firms evidence a review of existing compliance function arrangements, both in light of these guidelines and on an ongoing basis. The supporting guidelines within the consultation paper also provide specific detail under each general guideline. Subsequently, firms should give consideration to implementing any enhancements if deemed necessary and proportionate to the regulatory activities the firm undertakes.
Please contact us at Gem Compliance if you wish to discuss any aspect of your compliance function structure, including if you would like a review conducted against these guidelines.
This newsletter contains generic information and has been generated for professional clients and associates of Gem Compliance Consulting Limited only and should not be regarded as advice. We will not be liable for loss, however caused, by parties acting on the information contained herein.