by Domenico Iodice
1.4. Post-MiFID II regulatory developments in the area of compliance and sustainability
1.4.1. ESMA MiFID II Guidelines for the Compliance Function
The general model of corporate legal liability introduced by the Community legislator and implemented at sectoral level, for financial intermediaries, through MiFID II represents a de facto model of legal exemption from the responsibilities of the entrepreneur. This implies that the existence of compliance monitoring, and of a model of organisation, management and control (MOG) that integrates the requirements of MiFID II, has the effect of exempting the intermediary from liability, transferring any legal risk arising from the ineffectiveness of the controls, or from the misapplication of the organisational measures, to the compliance offices and to the individual operators who provide advisory services respectively. ESMA (the European Securities and Markets Authority) intended to intervene in order to strengthen the preventive effectiveness of the compliance function by increasing the responsibility of the financial intermediary, so as to prevent violations and fraudulent sales (mis-selling) and to make the MOG and company operating practices factually consistent. It should be noted that these organisational models are always 'relative' in their approach to risk, since they are tied to the level of non-compliance risk that the company is willing to assume (so-called 'risk approach' models), whereas the legal exemption from the intermediary's responsibilities that results from the adoption of the MOG is 'absolute': this is why ESMA is concerned, correctly, to ensure that the internal control system, as well as the other business organisational controls, are effective in preventing and deterring possible violations of MiFID II.
On 5 June 2020, ESMA published new Guidelines on certain aspects of the MiFID II compliance function requirements, pursuant to Directive 2014/65/EU. The Guidelines aim to establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision (ESFS) and to ensure a common, uniform and consistent application of certain aspects of the compliance function, by ensuring that financial intermediaries comply with uniform regulatory standards.
The obligations have been further strengthened with respect to the MiFID II rules, enhancing the requirements for the compliance function set out in Article 16 of the Directive and Article 22 of Commission Delegated Regulation (EU) 2017/565 (the 'Delegated Regulation'). The aim is to frame more precisely the requirements for the risk assessment carried out by the compliance function.
The main changes introduced concern the following operating principles.
• A specific section of the periodic compliance report will be prepared concerning the product governance rules adopted for the financial instruments produced or distributed by the intermediary.
• Specific knowledge, skills and authority are required of the staff members assigned to the compliance function.
• The autonomy and independence of the Head of Compliance and of the single officer responsible for safeguarding client assets (10) are guaranteed, also where the two roles are not held by the same person.
• The requirements for the compliance function to carry out risk assessments are better detailed, redefining their frequency and periodicity (including on an event-driven basis) as well as the elements suitable for defining compliance risks, and introducing additional safeguards to ensure the continuity of the function in the case of outsourcing of compliance.
(10) Intermediaries shall designate a single person with appropriate expertise to safeguard clients' financial instruments and liquid assets. This figure is potentially central to the implementation of the principle of safeguarding the best interests of the client.
The operating principles follow the precise indications of the Guidelines, which are divided into 12 points corresponding to as many thematic areas:
• Guideline 1 - Risk assessment. The compliance function is called upon to develop a review and update programme with adequate frequency with respect to any significant changes in the company’s business activities or in the regulatory framework, including on an event-driven basis, if necessary. The programme extends to elements such as the characteristics of the investment services and activities provided, the type of financial instruments produced or distributed, the category of clients, and the distribution channels.
• Guideline 2 – Monitoring. The risk-based monitoring programme, aimed at verifying compliance with MiFID II requirements, includes the assessment of the effectiveness of policies and procedures. This assessment is based on on-site inspections, the use of Key Risk Indicators (KRIs) and interviews with employees and customers.
• Guideline 3 – Reporting. The content of reporting on the results of controls for each business unit is extended. It should include a specific section on the company’s product governance arrangements.
• Guideline 4 – Advice. The compliance function provides advice and assistance to staff members who request it, and its involvement is envisaged in the preparation of company policies and procedures on investment services and activities, as well as in the adoption of strategic decisions or new business models, or in the event of significant organisational changes.
• Guideline 5 – Effectiveness. Management is responsible for monitoring, at least annually, whether the number of resources and related skills remain adequate to carry out the non-compliance risk management activity and for providing for the allocation of an adequate budget. The compliance function must be able to access all the company’s databases in order to be aware of the various non-compliance risk profiles.
• Guideline 6 – Competencies. The compliance function must have broader knowledge, skills, professional experience and authority. In turn, the compliance function is required to provide training on MiFID II based on the specific needs of the business units.
• Guideline 7 – Stability. In accordance with the principle of stability, the compliance function has procedures in place to ensure the continuity of its activities even in the absence of the compliance officer.
• Guideline 8 – Independence. The organisational arrangement of the compliance function must allow it to be operationally independent of instructions or influence from top management or other business units.
• Guideline 9 – Proportionality. In accordance with a sound principle of proportionality, financial intermediaries should take into account the nature, scale and complexity of their business and the range of investment services and activities when allocating organisational measures and resources to the compliance function.
• Guideline 10 – Relationship with other control structures. The aggregation of compliance and other control functions should not compromise the effectiveness and independence of the function or create conflicts of interest.
• Guideline 11 – Outsourcing. Any outsourcing of the compliance function must not compromise its quality and independence, create additional operational risks, compromise internal control activities, or compromise the firm's ability to effectively monitor the compliance of its actions with regulatory requirements.
• Guideline 12 – Review by competent authorities. The competent authority is not limited to granting the authorisations necessary to conduct business activities, but periodically reviews the resourcing, autonomy and functioning of the compliance function. As part of ongoing supervision, the competent authority checks the appropriateness of the measures taken by the compliance function.
1.4.2. EU Regulation 2019/2088 on sustainability reporting in the