Guidelines on certain aspects of the MiFID compliance function requirements
28 September 2012 | ESMA/2012/388
Date: 28 September 2012
I. Scope
II. Definitions
III. Purpose
IV. Compliance and reporting obligations
V. Guidelines on certain aspects of the MiFID compliance function requirements
V.I Responsibilities of the compliance function
V.II Organisational requirements of the compliance function
V.III Competent authority review of the compliance function
ESMA • 103 rue de Grenelle • 75007 Paris • France • Tel. +33 (0) 1 58 36 43 21 • www.esma.europa.eu
I. Scope
Who?
1. These guidelines apply to investment firms (as defined in Article 4(1)(1) of MiFID), including credit institutions that provide investment services, UCITS management companies [1], and competent authorities.
2. These guidelines apply in relation to the provision of the investment services and activities listed in Section A and the ancillary services listed in Section B of Annex I of the Markets in Financial Instruments Directive (MiFID).
3. These guidelines apply from 60 calendar days after the reporting requirement date referred to in paragraph 10.
II. Definitions
4. Unless otherwise specified, terms used in the Markets in Financial Instruments Directive and the MiFID Implementing Directive have the same meaning in these guidelines. In addition, the following definitions apply:
Markets in Financial Instruments Directive (MiFID): Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC, as subsequently amended.
MiFID Implementing Directive: Directive 2006/73/EC of 10 August 2006 implementing Directive 2004/39/EC of the European Parliament and the Council as
[1] These guidelines only apply to UCITS management companies when they are providing the investment services of individual portfolio management or of investment advice (within the meaning of Article 6(3)(a) and (b) of the UCITS Directive).
5. Guidelines do not reflect absolute obligations. For this reason, the word ‘should’ is often used. However, the words ‘must’ or ‘are required’ are used when describing a MiFID requirement.
III. Purpose
6. The purpose of these guidelines is to clarify the application of certain aspects of the MiFID compliance function requirements in order to ensure the common, uniform and consistent application of Article 13 of the Markets in Financial Instruments Directive (MiFID), Article 6 of the MiFID Implementing Directive, and specified related provisions.
7. ESMA expects these guidelines to promote greater convergence in the interpretation of, and supervisory approaches to, the MiFID compliance function requirements by emphasising a number of important issues, and thereby enhancing the value of existing standards. By helping to ensure that firms comply with regulatory standards, ESMA anticipates a corresponding strengthening of investor protection.
IV. Compliance and reporting obligations
Status of the guidelines
8. This document contains guidelines issued under Article 16 of the ESMA Regulation [2]. In accordance with Article 16(3) of the ESMA Regulation, competent authorities and financial market participants must make every effort to comply with guidelines.
9. Competent authorities to whom these guidelines apply should comply by incorporating them into their supervisory practices, including where particular guidelines are directed primarily at financial market participants.
10. Competent authorities to which these guidelines apply must notify ESMA whether they comply or intend to comply with the guidelines, with reasons for any non-compliance. Competent authorities must notify ESMA within two months of publication of the translations by ESMA to ‘firstname.lastname@example.org’. In the absence of a response by this deadline, competent authorities will be considered non-compliant. A template for notifications is available on the ESMA website.
11. Financial market participants are not required to report whether they comply with these guidelines.
V. Guidelines on certain aspects of the MiFID compliance function requirements
12. As part of its responsibility for ensuring that the investment firm complies with its obligations under MiFID, senior management must ensure that the compliance function fulfils the requirements set out in Article 6 of the MiFID Implementing Directive.
[2] Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC.
13. The guidelines should be read together with the proportionality principle as set out in Article 6(1) of the MiFID Implementing Directive. The guidelines apply to investment firms taking into account the nature, scale and complexity of their respective businesses, and the nature and range of investment services and activities undertaken in the course of their business.
V.I Responsibilities of the compliance function
Compliance risk assessment
Relevant legislation: Article 6(1) of the MiFID Implementing Directive.
General guideline 1
14. Investment firms should ensure that the compliance function takes a risk-based approach in order to allocate the function’s resources efficiently. A compliance risk assessment should be used to determine the focus of the monitoring and advisory activities of the compliance function. The compliance risk assessment should be performed regularly to ensure that the focus and the scope of compliance monitoring and advisory activities remain valid.
15. MiFID requires investment firms to establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the investment firm to comply with its obligations under MiFID. As part of this, the compliance function should identify the level of compliance risk the investment firm faces, taking into account the investment services, activities and ancillary services provided by the investment firm, as well as the types of financial instruments traded and distributed.
16. The compliance risk assessment should take into account the applicable obligations under MiFID, national implementing regulation and the policies, procedures, systems and controls implemented within the firm in the area of investment services and activities. The assessment should also take into account the results of any monitoring activities and of any relevant internal or external audit findings.
17. The compliance function’s objectives and work programme should be developed and set up on the basis of this compliance risk assessment. The identified risks should be reviewed on a regular basis as well as ad-hoc when necessary to ensure that any emerging risks are taken into consideration (for example, resulting from new business fields or other changes in the investment firm’s structure).
Monitoring obligations of the compliance function
Relevant legislation: Article 6(2)(a) of the MiFID Implementing Directive.
General guideline 2
18. Investment firms should ensure that the compliance function establishes a monitoring programme that takes into consideration all areas of the investment firm’s investment services, activities and any relevant ancillary services. The monitoring programme should establish priorities determined by the compliance risk assessment ensuring that compliance risk is comprehensively monitored.
19. The aim of a monitoring programme should be to evaluate whether the investment firm’s business is conducted in compliance with its obligations under MiFID and whether its internal guidelines, organisation and control measures remain effective and appropriate.
20. Where an investment firm is part of a group, responsibility for the compliance function rests with each investment firm in that group. An investment firm should therefore ensure that its compliance function remains responsible for monitoring its own compliance risk. This includes where a firm outsources compliance tasks to another firm within the group. The compliance function within each investment firm should, however, take into account the group of which it is a part - for example, by working closely with audit, legal, regulatory and compliance staff in other parts of the group.
21. The risk-based approach to compliance should form the basis for determining the appropriate tools and methodologies used by the compliance function, as well as the extent of the monitoring programme and the frequency of monitoring activities performed by the compliance function (which may be recurring, ad-hoc and/or continuous). The compliance function should also ensure that its monitoring activities are not only desk-based, but that it also verifies how policies and procedures are implemented in practice, for example through on-site inspections at the operative business units. The compliance function should also consider the scope of reviews to be performed.
22. Suitable tools and methodologies for monitoring activities that could be used by the compliance function include (but are not limited to):
(a) the use of aggregated risk measurements (for example, risk indicators);
(b) the use of reports warranting management attention, documenting material deviations between actual occurrences and expectations (an exceptions report) or situations requiring resolution (an issues log);
(c) targeted trade surveillance, observation of procedures, desk reviews and/or interviewing relevant staff.
23. The monitoring programme should reflect changes to the investment firm’s risk profile, which may arise, for example, from significant events such as corporate acquisitions, IT system changes, or reorganisation. It should also extend to the implementation and effectiveness of any remedial measures taken by the investment firm in response to breaches of MiFID.
24. Monitoring activities performed by the compliance function should also take into account:
(a) the business area’s obligation to comply with regulatory requirements;
(b) the first level controls in the investment firm’s business areas (i.e. controls by the operative units, as opposed to second level controls performed by compliance); and
(c) reviews by the risk management, internal control function, internal audit function or other control functions in the area of investment services and activities.
25. Reviews by other control functions should be coordinated with the monitoring activities performed by the compliance function while respecting the different functions’ independence and mandate.
26. The compliance function should have a role in overseeing the operation of the complaints process and it should consider complaints as a source of relevant information in the context of its general monitoring responsibilities. This does not require compliance functions to have a role in determining the outcome of complaints. In this regard, investment firms should grant the compliance function access to all customer complaints received by the firm.
Reporting obligations of the compliance function
Relevant legislation: Articles 6(3)(b) and 9 of the MiFID Implementing Directive.
General guideline 3
27. Investment firms should ensure that the regular written compliance reports are sent to senior management. The reports should contain a description of the implementation and effectiveness of the overall control environment for investment services and activities and a summary of the risks that have been identified as well as remedies undertaken or to be undertaken. Reports must be prepared at appropriate intervals and at least annually. Where the compliance function makes significant findings, the compliance officer should, in addition, report these promptly to senior management. The supervisory function, if any, should also receive the reports.
28. The written compliance report to senior management should cover all business units involved in the provision of investment services, activities and ancillary services. Where the report does not cover all of these activities of the investment firm, it should clearly state the reasons.
29. The following matters should be addressed in these written compliance reports, where relevant:
(a) a description of the implementation and effectiveness of the overall control environment for investment services and activities;
(b) a summary of major findings of the review of the policies and procedures;
(c) a summary of on-site inspections or desk-based reviews performed by the compliance function including breaches and deficiencies in the investment firm’s organisation and compliance processes that have been discovered and appropriate measures taken as a result;
(d) risks identified in the scope of the compliance function’s monitoring activities;
(e) relevant changes and developments in regulatory requirements over the period covered by the report and the measures taken and to be taken to ensure compliance with the changed requirements (where senior management has not previously been made aware of these through other channels);
(f) other significant compliance issues that have occurred since the last report; and
(g) material correspondence with competent authorities (where senior management has not previously been made aware of these through other channels).