ESMA published, on 5 June 2020, new final guidelines on certain aspects of the compliance function requirements under the recast Markets in Financial Instruments Directive (MiFID II).
The new guidelines replace those issued in 2012, and have been updated in accordance with MiFID II requirements – specifically article 16(2) of MiFID II and article 22 of the MiFID II Delegated Regulation.
ESMA notes that the new guidelines “will enhance the value of existing standards by providing additional clarifications on certain specific topics, such as new responsibilities in relation to MiFID II’s product governance requirements, by notably detailing further the reporting obligations of the compliance function”.
Once translations of the guidelines have been published in all official languages of the EU, NCAs will have two months in which to notify ESMA whether they comply, or intend to comply, with the guidelines. If the UK accepts compliance with the guidelines, it is expected that the FCA would continue to apply the guidelines (at least in some form) following Brexit, in line with the UK’s general approach to preserving EU legislation at the point of exit.
The role of the compliance function – broader context
The appropriate role, structure and responsibilities of the compliance function have been the subject of much consideration over time, particularly in the context of wholesale banks. The 2020 guidelines, which broadly speaking are high-level and outcomes-focussed, do continue to allow flexibility and to recognise the proportionality principle expressly in relation to the structure of the compliance function and how the expected specific outcomes are to be achieved.
Which firms and activities are in scope?
ESMA has clarified that the guidelines are addressed to investment firms and credit institutions providing investment services and activities; or selling, or advising clients in relation to, structured deposits. The guidelines also extend to UCITS management companies and external Alternative Investment Fund Managers (AIFMs) when providing MiFID investment services and activities in accordance with the MiFID services “bolt-on” regimes under UCITS Directive and the AIFMD.
What do the guidelines cover?
The 2020 guidelines comprise of 12 guidelines which fall into three broad categories, as set out in the table below. The 2020 guidelines include one new guideline, and some revisions to other guidelines as detailed below.
|Responsibilities of the compliance function||Organisational requirements for firms||Competent authority review|
|Compliance risk assessment
|Review by competent authorities
|Skills, knowledge, expertise and authority
(guideline 6; new in 2020 guidelines)
|Advisory and assistance obligations
(guideline 4) (reference to “assistance” is new in 2020 guidelines)
|Proportionality with regard to effectiveness
(guideline 9) (previously under 2012 guidelines referred to as “Exemptions”)
|Combining the compliance function with other internal control functions
(guideline 10) (the 2020 guidelines refer to “combining” which replaced “complying” under the 2012 guidelines).
Overview of clarifications provided by the guidelines
The language of the guidelines in many respects closely reflects that of the MiFID II Delegated Regulation, article 22. We set out below some of the main clarifications provided.
Compliance risk assessment (guideline 1)
The compliance risk assessment should reviewed on a regular basis, and updated when necessary, to ensure that the objectives, as well as the focus and scope, of compliance activities remain valid. It should take into account: the types of financial instruments traded and distributed; categories of the firm’s clients; distribution channels; and the internal organisation of group (where relevant).
Reporting obligations (guideline 3)
A significant amount of new guidance is set out in relation to the content of regular and ad hoc mandatory compliance reports (MiFID Delegated Regulation, article 22(2)(c) and 3(c)). This falls into five categories: general information; manner of monitoring and reviewing; findings; actions taken; and other information.
Some examples of note to be covered in the mandatory reports include:
- a summary of the compliance function’s structure, including the overall personnel employed, their qualifications and reporting lines;
- information as regards any deviation by senior management from important recommendations or assessments issued by the compliance function; and
- information in relation to any deviation from the principle that the other business units must not issue instructions or otherwise influence compliance staff and their activities.
On product governance arrangements, detailed clarification is provided on matters to be addressed in mandatory reports (taking into account a firm’s role as manufacturer and/or distributor). These focus on elaboration of product governance policies and procedures (see guideline 4 below) and how compliance is monitored against those.
Granular information is to be included on the number and nature of products manufactured or distributed, including their respective target market and other relevant information from the product approval process (e.g. concerning complexity, conflicts of interest, relevant data from the scenario analysis and cost-return ratio). Information should also be provided on the distribution strategy (manufacturers), and whether and to what extent the products are distributed outside their (positive) target market.
Advisory and assistance obligations (guideline 4)
The clarifications highlight the interplay between compliance and senior management, including where compliance should be supported by senior management – with specific reference to promotion of a compliance culture.
The compliance function should be involved in the development of relevant policies and procedures, expressly including those on remuneration and product governance. Also, the compliance function should have the specific right to participate in the product approval process for manufacturers and distributors, where applicable.
Effectiveness (guideline 5)
There are two points of note in relation to the additional guidance supporting this guideline. Firstly, express reference is made to the compliance function having access to all relevant databases and records including recordings of telephone conversations and electronic communications. Secondly, any necessary arrangements should be put in place to facilitate the effective exchange of information between the compliance function and (a) other control functions, eg internal audit and risk management; and (b) internal and external auditors.
Skills, knowledge, expertise and authority (new guideline 6)
Skills, knowledge, expertise. It is expected that within the compliance function, there should be knowledge of at least MiFID II and all related delegated and implementing acts, the national implementing laws and regulations as well as of all applicable standards, guidelines and other guidance issued by ESMA and competent authorities, as far as these are relevant for the performance of the compliance tasks. Firms may need to review the knowledge and expertise of their compliance functions (and consider whether any further training is appropriate) to ensure that the updated standards are met.
Authority. The compliance function, and the compliance officer, must have the necessary authority to carry out their obligations. The compliance officer must demonstrate high professional ethical standards and personal integrity. The compliance officer should also have sufficiently broad knowledge and experience and a sufficiently high level of expertise so as to be able to assume responsibility for the compliance function as a whole and ensure that it is effective.
Reference is made in the guidance to some member states licensing or approving the compliance officer which may strengthen the position of the compliance function, but is not mandatory.
Combining the compliance function with other internal control functions (guideline 10)
The guidance clarifies that control functions should preferably be separated, although this is not mandatory in all cases, provided that sufficient resources should be allocated to MiFID II compliance at all times. Compliance and internal audit functions, however, must not be combined (for firms that have a separate internal audit function).
There is further clarification on the independence of the compliance officer and the single officer responsible for safeguarding client assets under article 7 of the MiFID II Delegated Directive, where these roles are not performed by the same person. In this scenario, the compliance officer should not supervise or issue any instructions to the designated client assets officer.
The combination of the compliance function with other internal control functions within firms has been the subject of much debate, and restructuring, over time. Some firms may choose, for example, to (re)combine their compliance and financial crime functions. Such structures are permitted and indeed foreseen under guideline 10, and viewed as acceptable where independence is not compromised and sufficient resources are allocated.
Guideline 3 also recommends that firms should, subject to the proportionality principle, favour an organisation where the compliance function and the complaints management function are properly separate – although again, this is not mandatory and should be assessed on a case by case basis.
Outsourcing (guideline 11)
The guidance confirms that article 16(5) of MiFID II and article 31 of the MiFID II Delegated Regulation concerning outsourcing requirements applicable to critical or important functions, apply in full to the outsourcing of the compliance function.
Where a firm relies on the principle of proportionality under guideline 9, such that the firm’s compliance staff are also involved in the performance of services or activities they monitor, then the guidance clarifies a firm could determine that outsourcing of compliance function’s tasks would be appropriate. The guidance goes on to set out some further well established regulatory expectations and requirements applicable to outsourcing more generally.
Guideline 11 also specifically notes that outsourcing of all or part of the tasks of the compliance function to non-EU entities may potentially make oversight and supervision of the compliance function more difficult and should therefore be subject to a closer monitoring. This should be on the radar of any UK firms performing outsourced compliance functions for EU affiliates or third party firms.
Review by competent authorities (guideline 12)
A firm must have a compliance function that is adequately resourced and organised, with adequate reporting lines, as condition for authorisation. The guidance refers to some member states assessing ongoing compliance with this requirement by requiring compliance officers to complete an annual questionnaire in relation to compliance of the firm.
 Directive 2014/65/EU
 Commission Delegated Regulation (EU) 2017/565
 Commission Delegated Directive (EU) 2017/593