On 5 June 2020, the European Securities and Markets Authority (ESMA) published new guidelines for the Compliance Function under the second Markets in Financial Instruments Directive 2014/65/EU (MiFID II), replacing the previous ESMA guidelines on the same topic issued in 2012.
These guidelines are aimed at senior managers who, as part of their obligations under MiFID II, must ensure that the compliance function fulfils the requirements set out in Article 22 of MiFID II.
The 2020 Guidelines
While the objectives of the compliance function as well as the key principles underpinning the regulatory requirements have remained unchanged, the obligations have been further detailed under MiFID II. The substantive changes to the Guidelines are set out below:
- Guideline 1 (compliance risk assessments) includes an enhanced requirement for the compliance function to conduct a formal risk assessment, including a requirement to assess financial instruments traded and distributed, the categories of a firm’s clients, the distribution channels of the firm and, where relevant the internal organisation of the group;
- Guideline 2 (compliance monitoring) has asked the compliance function to review a relevant sample of the firm’s clients and interview a sample of the firm’s clients;
- Guideline 3 (reporting) has an additional focus on a firm’s management needing to review “mandatory compliance reports” in respect of all investment services, activities and ancillary services provided by a firm;
- Guideline 4 (advisory and assistance obligations) provides emphasis on compliance providing training for management functions and senior management setting the compliance culture that not only focuses on investor protection, but also on “the stability of the financial system”;
- Guideline 5 (organisational requirements) focuses more on effective communication between the compliance function and other control functions such as internal audit and risk management as well as with any internal or external auditors;
- Guideline 6 is a new Guideline entirely, that centralises and expands the requirements on the skills, knowledge, expertise of the compliance function but also emphasizes that all compliance staff should have necessary skills, knowledge, expertise and authority to discharge their obligations;
- Guidelines 7, 8, 9, 10 (permanence of the compliance function), (independence of the compliance function), (proportionality and effectiveness of compliance function) and (on combination of compliance with other internal control functions) have been amended only in terms of language;
- Guideline 11 (outsourcing) highlights that outsourcing can only involve a delegation of tasks and not responsibilities, other changes are reflective of the principles of insourcing functions back to the firm or transferring to another outsourcing provider in the event of termination of an outsourcing arrangement. Most importantly in para. 80 the 2020 Guidelines introduce a new obligation on firms that: “Outsourcing of all or part of the tasks of the compliance function to non-EU entities may potentially make oversight and supervision of the compliance function more difficult and should therefore be subject to a closer monitoring.”;
- Guideline 12 (standards on the review of the compliance function by competent authorities) reiterates principles first established in the original MiFID and also points (in para. 87 of the 2020 Guidelines) to practices employed in some Member States as to a compliance officer preparing and filing an annual questionnaire permitting the competent authority to gather information on compliance of the firm.
The 2020 guidelines will be translated and the publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines.