Guidance on Compliance Functions
September 2, 2020 by Clare Curtis
On 5 June 2020 ESMA published new final guidelines on certain aspects of the compliance function requirements under the Markets in Financial Instruments Directive (MiFID II). Whilst the appropriate role, structure and responsibilities of the compliance function have been under review before, these new guidelines are intended to be high-level and outcomes-focused to allow flexibility and proportionality in relation to the structure of the compliance function.
Whilst we are all aware that the long-awaited Brexit is just round the corner, it is anticipated that the UK FCA will still very much look to this guidance as the standard to be imposed on firms here in the UK. These guidelines are aimed at investment firms and credit institutions providing investment services and activities, or selling, or advising clients in relation to, structured deposits. They also extend to UCITS management companies and external Alternative Investment Fund Managers when providing MiFID investment services.
As these guidelines are based heavily on the 2012 guidelines, we have focused on some of the key changes in this 2020 update.
Changes to the 2012 Guidelines
There are 12 guidelines set out in this publication, falling into three broad categories: the responsibilities of the compliance function, organisational requirements for firms, and competent authority review. Below are some of the adjustments that have been made in the new guidelines which firms should consider:
Guideline 1 (compliance risk assessments) has been revised to require firms to conduct a formal risk assessment of the compliance function which is reviewed regularly, to ensure that compliance risks are fully understood and monitored.
Guideline 2 (compliance monitoring): one new suggestion is that the compliance function should review a sample of the firm’s clients and even interview these clients.
Guideline 3 (reporting obligations) places greater emphasis on a firm’s management needing to review “mandatory compliance reports”. These should include information on the structure of the compliance function; information regarding any deviation by senior management from recommendations or assessments issued by the compliance function; information in relation to any deviation from the principle that other business units must not issue instructions to or otherwise influence compliance staff and their activities; and details on product governance, as well as the tracking of complaints, including the recommendation that the compliance function and the complaints management function are separated.
Guideline 4 (advisory and assistance obligations of the compliance function): this guideline now emphasises the need for compliance to provide training for management, while senior management remain responsible for setting the compliance culture.
Guideline 5 (organisational requirements of the compliance function): there is an emphasis on effective communication between the compliance function and other control functions, such as internal audit and risk management, as well as with any internal or external auditors.
Guideline 6 (skills, knowledge, expertise and authority) is new. Although previously contained elsewhere, this guideline requires that all compliance staff (and not just the compliance officer) possess the necessary skills, knowledge, expertise and authority to discharge their obligations. The guideline also specifically requires the compliance officer to be able to demonstrate a high standard of professional ethics and personal integrity.
Guideline 7 (permanence of the compliance function), Guideline 8 (independence of the compliance function) and Guideline 9 (proportionality and effectiveness of the compliance function) remain substantially unchanged.
Guideline 10 (combination of compliance with other internal control functions): the guidance clarifies that control functions should preferably be separated, although this is not mandatory in all cases.
There is further clarification on the independence of the compliance officer and the single officer responsible for safeguarding client assets, where these roles are not performed by the same person. In this scenario, the compliance officer should not supervise or issue any instructions to the designated client assets officer.
Guideline 11 (outsourcing of the compliance function): this guideline reconfirms that outsourcing of the compliance function can only involve a delegation of tasks and not of responsibilities, although it does note that in certain circumstances the outsourcing of these tasks can be beneficial, for instance where there is a potential conflict. It also notes that outsourcing all or part of the tasks of the compliance function to non-EU entities may make oversight and supervision of the compliance function more difficult and should therefore be subject to closer monitoring. This should be on the radar of any UK firms performing outsourced compliance functions for EU affiliates or third-party firms.
Guideline 12 (standards on the review of the compliance function by competent authorities): a firm must have a compliance function that is adequately resourced and organised, with adequate reporting lines, as a condition for authorisation. The guidance refers to some member states assessing ongoing compliance with this requirement by requiring compliance officers to complete an annual questionnaire in relation to the compliance of the firm.
How can Effecta Help?
Having worked with many firms, Effecta can review your firm’s current Compliance structure in line with the ESMA guidelines to ensure international best practice has been implemented, given the nature and scale of your business. Following this review, Effecta can provide an assurance report with recommendations for senior management and Compliance to review and discuss.
Alternatively, Effecta can help you to set out the scope of your Compliance function and its interaction with other departments in your firm through a terms of reference, which can be presented to the relevant Committee for approval to set the foundation for the Compliance team to build on.