On June 5, 2020, the European Securities and Markets Authority (ESMA) published the final guidelines on certain aspects of the compliance function under MiFID II (the 2020 Guidelines)1. These rules, which are addressed to competent authorities i.e., supervisory authorities and certain financial market participants, specify the requirements such MiFID investment firms and those firms insofar as they provide what MiFID defines as investment services and/or ancillary services (such firms referred to as relevant in-scope firms). These firms need to maintain an efficient compliance function in accordance with Article 16(2) Directive 2014/65/EU (MiFID II)2 and Article 22 of the Delegated Regulation (EU) 2017/565 (MiFID II Delegated Regulation).3 This Client Alert addresses the changes that relevant in-scope firms may wish to consider as a result of the 2020 Guidelines, which will come into effect on September 5, 2020.4 This Client Alert will also likely be of interest and should be read in conjunction with our series on the EU’s new IFR/IFD regime, which introduces a new prudential framework for relevant firms engaging in MiFID activity.5
By way of background, under the MiFID II/MiFIR6 framework, relevant in-scope firms are required to establish a compliance function to ensure the firm’s compliance with the MiFID II obligations. At a high level, the MiFID II Delegated Regulation sets out the responsibilities of the compliance function as well as the organizational requirements relevant in-scope firms have to satisfy in order to ensure the effectiveness of that function. The 2020 Guidelines will replace similar guidelines which ESMA issued in 20127 (2012 Guidelines) on the basis of MiFID I. The 2020 Guidelines now complete the transition from the MFID I to the MiFID II with respect to the regulation of the compliance function as well as updating reference including as to AIFMD.
The 2020 Guidelines are addressed to the following relevant in-scope firms conducting the following activity in or through the EU:
- Investment firms when carrying out in MiFID II investment services or investment activities or when selling or advising clients in relation to structured deposits;
- Credit institutions (i.e., banks) when carrying out in MiFID II investment services or investment activities or when selling or advising clients in relation to structured deposits;
- Undertakings for collective investment in transferable securities (UCITS) management companies when providing services in Art. 6(3) of the UCITS Directive i.e. portfolio management; and
- Alternative investment fund managers (AIFMs) when providing services referred to in Article 6(4) of the AIFMD i.e. portfolio management.
In general, we expect that the 2020 Guidelines will provide further clarity for market participants and their compliance obligations and equally improve convergence of the EU’s Single Rulebook for financial services in this area. While this may be seen as favorable with regard to cross-border operations, investment firms may wish to reassess the specifics of their compliance functions, and where necessary amend those functions, in order to ensure compliance on an ongoing basis.
With respect to the content of the 2020 Guidelines, the general principles as set out in the 2012 Guidelines have remained unchanged. From its structure, the 2020 Guidelines no longer differentiate between “general guidelines” and “supporting guidelines”. Most of the changes in the final 2020 Guidelines follow what ESMA had put forward as part of the consultation process that closed in October 2019.
Substantive changes and specifications are set out on the level of the individual guidelines with the following key areas that firms may wish to consider:
- Guideline 1 (compliance risk assessments) has been revised to introduce a more concrete requirement for the compliance function to conduct a formal risk assessment (reviewed on a regular basis) to ensure that compliance risks are comprehensively monitored. While this requirement is not new, the tone applied is considerably more focused in the 2020 Guidelines when compared to the 2012 Guidelines including a requirement to assess, as in the past, the financial instruments traded and distributed, the categories of a firm’s clients, the distribution channels of the firm and, where relevant the internal organization of the group;
- Guideline 2 (compliance monitoring) has been amended in the most part linguistically. One new suggestion, although in most jurisdictions this is existing market practice, is for the compliance function to review a relevant sample of the firm’s clients and, by way of an additional tool8, interview a sample of the firm’s clients;
- Guideline 3 (reporting obligations) has been amended to focus much more on a firm’s management needing to review “mandatory compliance reports” in respect of all investment services, activities and ancillary services provided by a firm. Equally, the 2020 Guideline changes some of what is in the reports even if the underlying principles remain unchanged but are reinforced, notably with respect to capturing the actions taken, details on product governance as well as tracking complaints, including new suggestions (para. 28) that, subject to the proportionality principle, firms should favor an organization where the compliance function and complaints management function are properly separated;
- Guideline 4 (advisory and assistance obligations of the compliance function) remains largely the same as in the 2012 Guidelines save for an emphasis on compliance providing training for management functions but also, as has been the case in a number of jurisdictions, senior management setting the compliance culture that not only, as in the past, focuses on investor protection, but also on “the stability of the financial system”;
- Guideline 5 (organizational requirements of the compliance function) remains largely unchanged and restates the principles from the 2012 version even if it focuses comparably more on effective communication between the compliance function and other control functions such as internal audit and risk management as well as with any internal or external auditors;
- The introduction of a new Guideline 6 centralizes and expands the requirements on the skills, knowledge, expertise of the compliance function that were previously contained elsewhere, including in the MiFID II Delegated Regulation but also emphasizes that all compliance staff (and not just the compliance officer) should possess necessary skills, knowledge, expertise and authority to discharge their obligations. Equally the compliance officer is now expressly required to be able to demonstrate a high standard of professional ethics and personal integrity;
- Guidelines 7 (permanence of the compliance function), 8 (independence of the compliance function) and 9 (proportionality and effectiveness of compliance function) have been amended only in terms of language as opposed to principles;
- Guideline 10 (on combination of compliance with other internal control functions) follows general principles that existed in the 2012 Guidelines but these principles are amended to reflect changes introduced by MiFID II;
- Guideline 11 (outsourcing of the compliance function) mainly restates the principles from the 2012 Guidelines with a reference to other general principles that have existed independent of MiFID II changes, such as that outsourcing can only involve a delegation of tasks and not responsibilities. Other changes are reflective of the principles of insourcing functions back to the firm or transferring to another outsourcing provider in the event of termination of an outsourcing arrangement. Lastly the 2020 Guidelines replicate principles previously contained in the European Supervisory Authorities’ (ESMA, EBA and EIOPA) (the ESAs) as well as the ECB-SSM’s “supervisory principles on relocations” (SPoRs)9, which were introduced to communicate the ESAs and ECB-SSM’s supervisory expectations on Brexit-proofing but which were subsequently expanded more generally to apply to third-country firms i.e., non-EEA firms. Specifically, in para. 80 the 2020 Guidelines introduce a new obligation on firms that: “Outsourcing of all or part of the tasks of the compliance function to non-EU entities may potentially make oversight and supervision of the compliance function more difficult and should therefore be subject to a closer monitoring.”,
- Guideline 12 (standards on the review of the compliance function by competent authorities) reiterates principles first established in MiFID I and also points (in para. 87 of the 2020 Guidelines) to practices employed in some Member States as to a compliance officer preparing and filing an annual questionnaire permitting the competent authority to gather information on compliance of the firm. In addition to suggesting how to improve such questionnaire, para. 88 of the 2020 Guidelines concludes with stating that the “…above practices could be helpful to other competent authorities.”