Guidelines on Certain Aspects of the MiFID II Compliance Function Requirements (ESMA35-36-1952)
On 5th June 2020 the European Securities and Markets Authorities (“ESMA”) published new Guidelines on certain aspects of the MiFID II compliance function requirements (the “Guidelines”), which repeal the previous Guidelines. The Guidelines are addressed to specific market participants, including investment firms and to competent authorities. The guidelines aim to enhance the value of existing standards by providing additional clarifications on certain specific topics, such as new responsibilities in relation to MiFID II’s product governance requirements.
Below there is a brief description of the new guidelines, summarising where necessary the main changes introduced through the Guidelines. At the end there is a correlation table between the Guidelines and the corresponding 2012 Guidelines.
1 Responsibilities of the compliance function
Guideline 1 - The compliance function shall conduct a risk assessment to ensure that compliance risks are comprehensively monitored, by adopting a risk-based monitoring program on the basis of this compliance risk assessment. The compliance risk assessment should be reviewed on a regular basis, and, when necessary, updated. The new provisions of the Guidelines created additional expectations regarding the following:
The findings of the compliance risk assessment shall be used to set the work program of the Compliance Function and to allocate the functions resources efficiently.
The compliance risk assessment shall be reviewed on a regular basis, and, when necessary, updated to ensure that the objectives, focus and the scope of compliance monitoring and advisory activities remain valid.
Guideline 2 - Monitoring obligations of the compliance function The risk-based monitoring program shall allow to evaluate whether the firm’s business is conducted in compliance with its obligations under MiFID II, as well as whether its internal policies and procedures, organisation and control measures remain effective and appropriate to ensure that compliance risk is comprehensively monitored. Guideline 3 - Reporting obligations of the compliance function The mandatory compliance reports should cover all business units involved in the provision of investment services, activities and ancillary services provided by a firm stating the reasons where this approach is not followed. The said reports are expected to contain additional Information based on the amended Guideline 3 in relation to general information, manner of monitoring and reviewing, findings, actions taken and other information. The Compliance report should also cover the firm’s product governance arrangements addressing at least a) the compliance function’s role in participating to the elaboration, monitoring and reviewing of the firm’s product governance policies and procedures; b) all topics required under Article 22(2) MiFID II Delegated Regulation; c) information about the financial instruments manufactured/distributed by the firm, aiming to assess whether the firm’s product governance arrangements function as intended. Finally, subject to the principle of proportionality, the new provisions of the guidelines require the Compliance Function and the Complaints Management Function to be properly segregated. Guideline 4 - Advisory and assistance obligations of the compliance function There are no major changes in the provisions of this guideline when compared to the guidelines of 2012. According to this guideline the compliance function is expected to fulfil its advisory and assistance responsibilities, including providing support for staff and management training; providing day-to-day assistance for staff and management and participating in the establishment of policies and procedures within the firm. Training should be performed on a regular basis, and needs-based training should be performed where necessary and developed on an on-going basis.
2 Organisational requirements of the compliance function
Guideline 5 - Effectiveness of the compliance function According to this guideline firms must ensure that appropriate human and other resources, including IT resources, are allocated to the compliance function after considering the scale and nature of the investment services, activities and ancillary services and other services provided by the firm. The new requirements added to this guideline refer to the need for the firms to put in place necessary arrangements to ensure an effective exchange of information between the compliance function and other control functions (for example internal audit and risk management) as well as with any internal or external auditors. Guideline 6 - Skills, knowledge, expertise and authority of the compliance function In this Guideline it is highlighted that the Firm’s compliance staff shall have the necessary skills, knowledge and expertise to discharge their obligations, complemented by the necessary authority. Emphasis is given to the Compliance Officer who must have sufficiently broad knowledge and experience and a sufficiently high level of expertise so as to be able to assume responsibility for the compliance function as a whole and ensure that it is effective. The Guideline recognises that in order to demonstrate the necessary level of knowledge and/or of experience, different options may be foreseen at national level in the Member State concerned. For instance, some competent authorities approve the nominated Compliance Officer following an assessment of the qualifications of the compliance officer whereas other might follow a combination of the analysis of the compliance officer’s curriculum vitae, as well as an interview with the nominated person and/or an exam to be passed. Guideline 7 - Permanence of the compliance function This guideline is the same as Guideline 6 of the 2012 Guidelines and its provisions remained unchanged. In short, the compliance function shall perform its tasks and responsibilities on a permanent basis ensuring that the responsibilities of the Compliance Officer are fulfilled when the Compliance Officer is absent, and adequate arrangements are in place to ensure that the responsibilities of the compliance function are performed on an ongoing basis. Guideline 8 - Independence of the compliance function Guideline 8 is matching Guideline 7 of the 2012 and its provisions, referring to the independence of the Compliance Function from senior management and other units of the firm remain unchanged, with the exception of the deletion of the statement that the “Compliance Officer should be appointed and replaced by senior management or by the supervisory function”. Guideline 9 - Proportionality with regard to the effectiveness of the compliance function This Guideline refers to the effectiveness of the Compliance Function, it is the same as Guideline 8 of the 2012 Guidelines and its provisions remain unchanged. Guideline 10 - Combining the compliance function with other internal control functions According to this guideline firms shall favour a structure where control functions are properly separated. The combination of the compliance function with other control functions may be acceptable if this does not compromise the effectiveness and independence of the compliance function and any such combination should be documented. The combination of the compliance function with other control units at the same level (such as money laundering prevention) may be acceptable if this does not generate conflicts of interests or compromise the effectiveness of the compliance function. The new provisions enhanced guideline 10 on the below areas:
Where an internal audit function has been established and is maintained within the investment firm in accordance with Article 24 of the MiFID II Delegated Regulation, such function may not be combined with other control functions.
Where the Compliance Officer is not appointed as the single officer referred to in article 7 of the MiFID II Delegated Directive, both the single officer and the Compliance Officer should act independently and the Compliance Officer should not supervise and/or issue any instruction to the single officer
Where the compliance function is combined with other control functions or where it is also responsible for other tasks (for example anti-money laundering), the firm should ensure that it allocates enough resources for MiFID compliance at all times
Guideline 11 - Outsourcing of the compliance function This Guideline is not applicable for CIFs due to the approach of CySEC regarding outsourcing the Compliance function.
3 Competent authority review of the compliance function
Guideline 12 - Review of the compliance function by competent authorities This Guideline is applicable to Competent authorities and the way they review the Compliance Function.
Written by Angeliki Georgiou, Independent Legal Associate