The Dechert speakers were:
Mikhaelle Schiappacasse, Senior Associate (MS)
Matthew Duxbury, Associate (MD)
Dick Frase, Partner (DF)
MS Good morning everyone and welcome to this new session on MiFID In Focus, Unlocking Organisational Requirements. I’m joined by my colleague, Matt Duxbury. I’m Mikhaelle Schiappacasse, and we’re both associates here in the financial services group in London.
We will be joined later by our colleague Dick Frase who will be speaking about product development, and provide some additional updates since the last seminar that covered that topic.
So, without further ado, I’ll hand it over to Matt to start us off.
MD Thank you, Mikhaelle. Good morning, everyone. My name’s Matt Duxbury and I’m an associate in the financial services group here at Dechert. In today’s seminar we are focusing on internal organisation and governance, but what exactly does this mean, what are the new rules under MiFID II, and what will the impact be on your business?
Broadly, we are focusing on the policies and procedures, functions and structure related to the organisation and management of investment firms. The rules apply to MiFID investment firms, though as we will explain, in certain instances the FCA has extended the rules to non-MiFID firms in certain cases.
So, what does internal organisation and governance under MiFID cover? Well, the rules can largely be categorised as falling within those areas as shown onscreen. Now, under MiFID II not all of this is new. Risk management, internal audit and the restrictions on the scope of personal transactions remain completely unchanged from the current rules under MiFID I.
However, most areas have seen some changes. As I will explain shortly, the key change to complaints handling is that the rules now apply to both professional and retail clients. The rules are also more prescriptive.
There’s a new complaints management function, and information on complaints must now be reported to the competent authority, although for FCA firms this is already the case in respect of retail clients. There are new reporting requirements for compliance as well, and there is a greater overlap with the complaints handling function.
We will look at the conflicts of interest rules too, and as we will explain, there are three key changes under MiFID II. There is now an even greater focus on the management and prevention of conflicts, rather than their disclosure. The requirements that apply when making a disclosure are now more prescriptive, and there are also additional oversight responsibilities for the management body.
As Mikhaelle will explain, outsourcing broadly remains the same. There are new content requirements for outsourcing agreements, and firms must be able to immediately terminate their outsourcing arrangements where this is in the best interests of their clients.
Recordkeeping, though, is subject to some more significant changes. As Mikhaelle will cover later, the MiFID II includes new rules on telephone and electronic communications. Although a lot of you here will already be having to comply with the FCA’s existing telephone taping requirements, the MiFID II rules are more extensive. There are also some minor changes to the rules on the responsibility of senior management and data security.
Then there’s two areas which are completely new to MiFID II, product governance and remuneration. Of the two, product governance has probably received the most attention. As Dick will explain later, these are completely new rules which require product approval processes to be implemented by firms which manufacture financial instruments, so that’s those who design, create and implement products. And those manufacturers must identify a target market for each financial instrument it manufactures and take steps to ensure that each financial instrument is distributed to its target market.
There are also obligations on distributors to obtain information on this new product approval process for each financial instrument that they are distributing. And with remuneration you might well be familiar with existing rules under other regimes such as CRD IV, UCITS V or AIFMD, but this is the first time that MiFID directly covers remuneration. Having said that, as Mikhaelle will explain, there is existing guidance which is issued by ESMA under MiFID I, and to the extent that this guidance was already being complied with, we would expect the impact to be fairly minimal.
So, this morning we will cover each area that has changed and the two new areas to MiFID II, focusing in particular on the new products governance regime, the telephone recording requirements, the additional complaints handling and compliance obligations, conflicts of interest and remuneration. We will identify what is new under MiFID II, its likely impact on MiFID investment firms, and actions that you should be thinking about taking between now and January next year.
Now, there’s one thing that each of these areas have in common, and that’s the management body who is responsible for overseeing the organisation of the firm. Under MiFID II the management body is subject to new requirements as to competition and has more extensive responsibilities than before, and it’s the new rules applying to the management body which Mikhaelle will cover first.
MS Thank you, Matt. I’m going to look briefly at the operation of the management body generally under MiFID, and more specifically the changes that have been brought into play under MiFID II. The management body needs to be of good repute, have sufficient knowledge, skill and experience, and commit sufficient time to fulfil its functions. These requirements are broader than those under MiFID I which only refer to good repute and experience.
ESMA and the EBA have issued a joint consultation on draft guidelines on the assessment of the suitability of members of the management body and key function holders, and it is quite detailed guidance. So, for example, when it looks at the question of experience, it considers things such as knowledge in the area of financial markets, legal and regulatory matters, business strategy, risk management, corporate governance, audit and accounting.
ESMA and the EBA have even gone as far as putting together a matrix that you can use to evaluate the competencies of your management body. MiFID II has also picked up on the issue of diversity on management bodies and has looked at the issue of the lack of diversity causing groupthink in decision making, and so under MiFID II there are requirements of attention to be given to diversity in terms of age, gender, origin, education and profession.
More particularly, firms that are significant in terms of their size, organisation, nature, and the scope and complexity of their business are required to establish gender diversity targets for their management bodies, and to make those public, and to report on compliance and how they’re doing in reaching those targets.
The management body is responsible, of course, for the overall strategic objectives of a firm, its risk strategy and its internal governance. It’s more specifically responsible for areas such as human resources, so this will include new requirements relating to oversight of senior management. It’s responsible for all policies relating to the provision of services, activities, products and operations, and it’s also responsible for the disclosures and communications that are made by the firm, and this brings in the new recordkeeping requirements. They are responsible for the remuneration policy that needs to be put in place, which Matt has just mentioned, and also for the management of conflicts of interest.
MiFID II has drawn in a number of requirements from CRD IV, and one of these is a requirement for the board to exercise oversight over the financial controls of the business as well, although one would hope that they’re already doing that.
So, the goal of the management body in exercising its oversight function is the prevention of conflicts of interest, the maintenance of the integrity of the market and client protection, and these latter two categories are new to MiFID II; MiFID I was only really interested in prevention of conflict of interests. In exercising its decision-making function, the management body needs to pay attention to the risk tolerance of the firm and to its clients’ needs and characteristics, and in order to fulfil its function, the management body needs to have access to sufficient information and documentation so that it can exercise effective oversight.
As I mentioned, MiFID II drew quite extensively on CRD IV in terms of its management body requirements, and one of the things that it’s drawn in to MiFID II are requirements relating to the number of directorships that members of a management body of a significant firm can hold. The FCA has extended this to cover not just MiFID firms but all common platform firms, and these limits are one executive and two non-executive roles, or four non-executive roles. A directorship within one group constitutes one directorship, so obviously if you’re running a bunch of group companies, they have meetings every quarter all together, you’re still going to be operating with the same kind of management body.
In addition, the regulator, so the FCA, can permit one additional non-executive role to be filled by somebody. In addition, firms are no longer permitted to have the CEO and the chairman to be the same individual, unless they have justified that to the regulator and the regulator has approved that particular arrangement.
Significant firms need to establish a nominations committee that is responsible for reviewing and recommending the composition of the overall management body. That committee is also responsible for setting the diversity targets that I mentioned earlier, and it’s responsible for doing an overall review of the operation, so a sort of performance review of the management body on an annual basis, looking at things such as composition, structure, knowledge, skill and overall performance.
Looking towards January 2018, firms need to evaluate their existing management body against the EBA and ESMA guidance to see if they fit within those criteria, or if anything isn’t covered within those criteria which the regulators are concerned about. Firms also need to make sure that the current members of their management body do not exceed the limits on directorships. They also need to establish a nominations committee if they’re a significant firm and they don’t currently have one, and that committee will then need to establish diversity targets, do the necessary reporting and also establish a regular system for reviewing the overall performance of the management body.
Firms should ensure that their own internal governance processes permit or ensure that sufficient information makes its way to the management body, both in terms of reporting and documentation, so that the management body can exercise effective oversight. In addition, that exercise of that oversight should be properly documented so that it can be evidenced to the regulator should that become a question.
Now, I’m going to hand over to Dick Frase to speak briefly on the organisational requirements relating to product manufacturing and distribution.
DF Morning, everyone. I think the organisational product distribution requirements we touched on in an earlier talk last year was fairly high level. We’ve now gone down to quite a lot of detail both in the level three guidance and also with the FCA having issued its rules. So, I will go through this in a reasonably practical way, but there’s a lot of information that needs looking at.
Just to be completely clear as to who this is most relevant to, AIFMs and UCITS ManCos are not within the scope of this regime. However, in the case of UK ManCos and AIFMs, the FCA has said this applies as guidance, so you’re expected to follow it in some shape or form. And in the case of third country funds, if they want to distribute into Europe at all using MiFID firms to distribute, such as high net worth private wealth management services or retail private banks, then they will have to conform to this.
The level of product design, if you like, is relatively high in the case of a fund in terms of identifying a target market, and if you are seeking to distribute through MiFID firms, they are under a lot of pressure themselves to meet the same standards. So, if they’ve got a choice of ten offshore businesses who want to distribute into Europe, and nine of those comply with the rules and the tenth one doesn’t, they’re probably going to cross the tenth off their list, so it’s de facto there.
Something else which is worth bearing in mind right at the beginning is that according to the FCA this is a regime which applies to portfolio management, so individual segregated accounts in principle are a distribution channel according to the FCA. I have to say, I don’t think that’s correct if you look at the legislation which is aimed at distribution in the conventional sense and defines distribution in terms of marketing or selling or placing, as opposed to going out into the market and buying a stock to go into a discretionary portfolio, but nevertheless, that’s where we are at the moment. The FCA has said that proportionality should apply, which I think means they don’t expect all of this to be applied in a portfolio management situation, but the next question of course is, what part of it do you apply?
So, background – otherwise the regime applies to manufacture and distribution of MiFID financial instruments, so it doesn’t apply to commodities or real estate. It extends to institutional investors and professional clients as well as retail, because although it’s largely based on the UK regime, the UK regime is a retail one. It will apply to any product which is sold after 2018, even if it was manufactured beforehand, so existing funds, if you’re still distributing in Europe through MiFID firms, would want to look at this and get something in place insofar as your distributors expect it or need it or could be encouraged by it.
Then, if you’re a UK based MiFID firm and you are distributing outside the EU, the rules will still apply in terms of the manufacturing obligations, although the distribution rules will not apply to distributors in third countries. And I think I’ve already talked about the distribution by MiFID entities that have products manufactured by non-MiFID entities, in other words by UCITS and AIFs.
So, first we’ll look at the obligations on the manufacturers, and most of what’s in here is picked up from the level three guidance issued by ESMA in April. So, you have to assess the target market. This is really what this is all about – what’s the target market for the product. It shouldn’t just be thrown out into the business sector or the retail sector, you have to decide who it’s meant to be sold to. You can see therefore that this is very much based on a retail model and, indeed, a life assurance model, where the products in life assurance are complicated and you need to work out whether what you’re selling is life assurance or retirement saving or income, for example.
So, five categories there to be assessed against – type of clients, knowledge and experience, financial situation, risk tolerance and compatibility with the target market, and clients’ objectives and needs. You end up with a series of forms or due diligence checklists to run through in the case of each product. The other things that they mention include characteristics and nature of the product, complexity, risk reward, liquidity and so on.
By and large, the simpler the product – and this regime includes listed securities, for instance, if they’re actually designed to be marketed – the lesser planning you will need to do to it. There are examples at the back of the guidance which say that if it’s a share that’s being sold, then really the target market is pretty large and there isn’t a huge narrowing down on it.
Continuing with the manufacturer’s obligations, the manufacturer has to have a distribution strategy, which I’m sure everyone has got, but the distribution strategy has to be consistent with the target market, so you’ve got to map that back onto who you think you’re selling to.
Again, you can see the retail flavour in here of selling a sophisticated product which is designed to include risk to someone who’s risk averse and saving for their retirement.
Manufacturer, and this is particularly the bit where it really bites, must take reasonable steps to ensure the product is distributed consistently with that target market. The manufacturer has to keep an eye on what its distributors are doing and whether they’re not selling in a completely unexpected way. That will require some revisions of the arrangements with distributors, if only to keep a sense of who they’re marketing to.
Then the manufacturer has to think about the type of investment services through which clients will acquire the product. This mostly seems to be aimed at execution only products which are, again, sold typically to retail investors, and whether the product is simple enough to sell on an execution only basis. So listed equity, probably yes, lots of other things, probably not, and will probably require some level of advice. What level of advice? Would it be independent advice? Well, probably not in most cases, but certainly advice which is sufficiently specialist to be able to cope with the particular type of product.
If we treat portfolio management as is being proposed as another distribution channel, then from the manufacturer’s point of view, that does look like a distribution channel. There are various requirements for conducting a regular review, typically annually, and there is more detail on this in the FCA’s new source book which is called PROD, for products, and is at the back of the final policy statement which came out this week. Now, we’re looking here at the obligations of the distributor. Forget for a moment about what the manufacturer is doing in terms of designing their product. We’re looking here at what the distributor has to do, and it’s relatively easy to think of this, if you think of a financial planner in the retail market.
The target market identification has to be conducted as part of the general scoping process in which the firm decides what the range of services are that it’s going to offer, and what products it’s going to distribute, so it has to look at these in tandem. Independent advice is coming back in. It used to be in some time ago, but it got scrapped in the UK, though typically you will say: this is the range, there are too many products in the market for me to look at all of them, so I’m going to look at a certain range of products which will suit my client’s needs, and so I will have some endowment policies, I will have some pensions type products, I will have a range of vanilla unit trusts and have some slightly more unit trusts – I will vet all of these products individually, and they will then go on my best advice panel or my panel of products that have passed the test, and I can therefore typically refer to these when I’m giving advice on financial planning to individual clients.
Certainly I have to take that model and alter it and say, how does this work in our particular market or your particular market, and what would the implications of that be for your distribution process. Then you assess the product that you’re looking at in terms of its target market and the people you’re marketing to, using the same five categories that we saw for the manufacturer. You take account of the manufacturer’s information about its target market and its distribution strategy, and if the manufacturer has not done any of this because it’s a listed company and it’s not required to, or because it’s a third country entity and it’s not required to, and you still want to sell the product, then you have to kind of replicate that process yourself and query the level of detail.
There are sections all over this saying, apply in a proportional way, so you do have some discretion if things are simple or impractical or whatever to take a view on this, but the standard framework is pretty detailed, and that’s really because that obligation is on the distributor. It can’t just turn around and say that there wasn’t any information available and they just used whatever readily came to hand. There will be pressure on the funds industry and the securitisation industry to do this work, even if they’re not strictly required to do so.
Then there is a concession which is probably aimed at portfolio management, saying that products which are sold outside the target market are okay where they’re used for diversification or hedging purposes, which actually is mostly what portfolio management is about. By the time you’ve finished this enormous analysis there may not be that much left that actually adds to the process. Once again, the distributor has to conduct a regular review annually to see that it’s all looking right.
The last bullet is really what I’ve already said, that you have to cover the same ground. There is a line in the guidance expressly saying that a suitability assessment does not substitute for this process, although in a number of cases I strongly suspect that the suitability assessment will do most of what this is actually requiring to do, again, depending on the circumstances. So that’s my quick tour through the latest on product manufacturing and distribution.
MS Thank you, Dick. We’re going to turn now to recordkeeping requirements under MiFID II, and this is generally a completely new area under MiFID II in terms of telephone recording and electronic recordkeeping, although MiFID did have a general requirement to retain sufficient documentation in order for the regulators to perform their supervisory function.
The FCA has also had in place a requirement around recording since 2009, but the MiFID rules are much broader in terms of both scope and duration.
The FCA has proposed, or rather has determined, that it will extend these requirements to cover a much broader category of firm and activities, so it will cover portfolio management companies, including AIFMs, UCITS management companies and CIS operators. It’s also going to expand to corporate finance business, at least where the communications are of the type that would be in scope for the purposes of a MiFID firm. It’s going to cover firms engaging in energy and oil market activities, firms engaging in commodities and exotic derivatives business, article three firms, and branches of third country firms. So we say the FCA language of those businesses that are engaging in arranging, dealing as agent or principal, managing or managing an AIF UCITS or acting as a CIS operator in respect of financial instruments.
Records need to be retained of all telephone calls, electronic communications and face to face meetings relating to the reception, transmission or execution of transactions, regardless of whether it’s a client transaction or proprietary transaction, and this is true whether or not the transaction itself is ultimately completed, and it’s also true whether or not it’s an internal or external communication by the firm.
It relates specifically to transactions that are in respect of financial instruments, although for the non-MiFID firms that are covered by these requirements it only applies to the recording of communications relating to transactions and financial instruments on trading venues. It also covers communications to any sort of party, not just professional clients or eligible counterparties – any type of communication. So, overall it captures a much broader category of transactions than would be captured under the current FCA rules in this area.
The records need to be maintained for at least five years. The FCA can extend this period for an additional three years if it wishes. The records need to be maintained in a way that they’re readily accessible, that they’re not able to be manipulated and that they can be easily copied or produced, both if there’s a request from the regulator or if there’s a request from a client.
The firm needs to make reasonable efforts to record the communications on any device which it has provided to its personnel, whether employees or contractors, and this means that firms are going to need to limit the ability for their personnel to use personal devices that they don’t have any ability to access or copy or record.
Firms need to make sure that they advise the client prior to engaging in the reception, transmission or execution of any transactions that the communications in this area are going to be subject to recording and recordkeeping, and they also need to tell those clients that a copy of it is available upon request for the period of five years. That communication needs to be done at least once, and it needs to be done in the language in which the services are being provided to the client.
The communications need to be monitored by the firm on a risk based and proportionate basis, and firms are expected to put in place a framework for identifying high risk transactions. Firms are now required to have in place a recording and electronic communications policy which is proportionate, so it’s appropriate for the size, organisation of the firm, and the nature of scale and complexity of that firm’s business.
The policy needs to cover which communications are within scope of the policy, and it needs to be a technology neutral policy, particularly as things move forward and we find ourselves using more varied forms of communication. The policy also needs to cover the procedures that are used for recording the communications. So, for example, in the case of a face-to-face meeting, you’re going to need to make a written record of that particular meeting, and there has actually been guidance given both within MiFID and also separately by the FCA in terms of what that written record should actually cover. It needs to cover the date, the time of the meeting, the location, the attendees, who initiated the meeting, and then also relevant information regarding the transactions – so price, volume, type of instrument, and the timing.
In the case of retail financial advisors, the FCA has gone beyond this and said it needs to cover anything that would be relevant for anybody wanting to look back at the record and know what was going on, so anything relevant to the transaction should be recorded.
The policy also needs to prevent the use of personal devices, except in extraordinary circumstances (to the extent that there are certain individuals within the firm who are permitted to use a personal device) and there needs to be a record kept of that. The management body, as mentioned previously, is responsible for defining this particular policy and exercising oversight over it, both from the recording and the general recordkeeping obligations.
In order to prepare for the implementation of MiFID in this area, firms will need to develop IT to cover this area as we’re moving very close to the implementation date, or they need to be putting in place a contract with a third party provider to ensure that they’re able to make the necessary recordings and store the records in the appropriate manner. They also need to develop or update their telephone and electronic communication policy. It may also be a good idea to look at the privacy policy and make sure that it’s not in conflict with this policy, and it will need to make sure that the necessary systems and procedures are in place so that any of these kinds of communication are recorded going forward, and that will also mean that the staff will have to be properly trained to know when and what they need to record and how that process operates.
I’m going to hand it over to Matt now to look at complaints handling.
MD Thanks, Mikhaelle. Okay. So, turning to the new complaints handling rules. So, as most of you will be aware, MiFID firms are already required to implement complaints handling policies and procedures for their retail clients, while the FCA currently has in place complaints handling rules which apply to complaints from eligible complainants. So, broadly, eligible complainants include clients acting outside their trade or profession, micro enterprises, as well as small charities which have less than one million, and trustees of trusts which also manage less than one million.
As I briefly mentioned earlier, under MiFID II the most notable change is in its scope. Unlike MiFID I, MiFID II covers complaints from both retail and professional clients rather than just retail clients. Firms are therefore required to treat MiFID complaints in the same way, irrespective of client categorisation.
However, the FCA’s implementation isn’t quite as clear cut as that. The FCA has introduced a new section into its rules which specifically deals with the treatment of MiFID complaints, so that’s complaints against MiFID firms which arise in the context of its MiFID business.
For professional clients, just the MiFID II complaints handling requirements will apply. So, to be clear, only certain of the FCA’s existing rules derive from MiFID, so it’s these existing rules plus the new rules under MiFID II which I will touch upon shortly, which will apply to complaints from professional clients.
If the complainant is a retail client but not an eligible complainant, the same rules will apply, but for MiFID complaints where the complainant is an eligible complainant, a number of the FCA’s existing rules relating to consumer awareness, complaint resolution, time limits, complaint forwarding, time barring and data publication which go beyond the MiFID II requirements will continue to apply. And as far as non-MiFID complaints are concerned, the rules remain unchanged.
There’s clearly some short term operational difficulties for firms, particularly those which might carry out both MiFID and non-MiFID business, to identify how to treat complaints from various types of clients, but in the long term this will hopefully ensure that MiFID complaints from professional clients will not be subject to too many extra rules.
So, what else is new? Well, there’s a new complaints management function, although this may also be fulfilled by whoever is carrying out the compliance function and in practice we will expect a lot of firms to take this approach. MiFID II is also more prescriptive in the processes to be followed when dealing with a complaint. The complaints handling policy must provide clear, accurate and up to date information about the complaints handling process, and the policy must be endorsed by the management body.
Notably, the FCA has indicated in the form of guidance that senior management should take responsibility for the implementation of the complaints management policy and for monitoring compliance. There are also requirements to provide details of the complaints process to clients or professional clients which should either be done on request or when acknowledging a complaint, and such detail should include information about both the complaints management policy and the contact details of the new complaints management individual. And, although not new for FCA firms, clients and potential clients must be able to make complaints free of charge.
As far as responding to complaints is concerned, MiFID II provides that firms must respond without undue delay and, when dealing with complaints, set out the client’s options using plain language. When providing the firm’s position, the firm should also include that the complainant might be able to refer its complaint to an alternative dispute resolution entity or even take civil action against the firm.
And finally, MiFID II also introduces new rules on complaints reporting. Now, although this is not new for FCA firms, for the first time these reporting requirements will now apply to complaints from professional clients. So, for FCA firms this will require reporting to the FCA concerning all complaints received from professional clients, which, as is currently the case for retail clients, must be done at least twice a year and in a form which is prescribed by the FCA.
So, what should firms be doing now? Well, the changes introduced by MiFID II should not be too burdensome for firms. There might be additional cost implications in the short term, with having to also treat complaints from professional clients in the same way, but there shouldn’t be too many significant changes in the way in which complaints are actually treated, though for firms which only deal with professional clients this will be a whole new regime which they’ll have to get to grips with.
So in terms of the next steps, firms should be reviewing their complaint handling procedures and policies to ensure that they are MiFID II compliant, preparing or modifying template disclosures of their complaints handling process which they could provide to clients, ensuring that the complaints management policy has been endorsed by the management policy, and appointing an individual to fulfil this new complaints management function.
So, moving on to compliance. The changes here aren’t quite as extensive, but there are three things which we think firms should have to take note of under MiFID II. First, the compliance function will now be required to meet new reporting obligations. The compliance function must report at least annually to the management body on the overall control environment, identified risks, complaints handling reporting, as well as any remedies undertaken or to be undertaken by compliance.
It must also report directly to the management body whenever it detects a significant risk of failure by the firm to comply with its obligations under MiFID II.
Second, the compliance function under MiFID II has responsibility to monitor policies and procedures implemented by the compliance function on a permanent basis. Under MiFID I this applied on a regular basis, so although just a subtle change in the language, this does set a higher bar which would seem to prevent firms just monitoring compliance on a periodic or ad hoc basis.
And third, there is now greater overlap with the complaints handling process. The compliance function is required to exercise greater oversight over complaints handling. It must use complaints as a source of information in carrying out its responsibilities, and also use complaints handling data in identifying and addressing risks.
So, the changes here are not too significant, and we would expect the impact on firms to be relatively minimal. The compliance policies should be reviewed to ensure that they are compliant with the new MiFID II requirements, and reporting systems put in place to the management body.
I’m going to hand back over to Mikhaelle, who’s going to cover outsourcing.
MS Thank you, Matt. The outsourcing requirements under MiFID II are more or less the same as they are under MiFID I. They apply to outsourcing of critical or important functions, and under the FCA rules it’s to those functions that are related to regulated activities, listed activities and ancillary services. Most of the changes that have been made in MiFID II are basically by way of clarification. For example, MiFID II makes it clear that when outsourcing, a firm needs to retain sufficient resources and experience in order to exercise effective oversight over the service providing firm.
However, there are a couple additions being made. For example, the agreement that needs to be put in place between the outsourcing firm and the service providing firm needs to contain certain content, and that content requirement is now set out in MiFID II. It includes provisions relating to the ability to give instructions, the right to information and access to the service provider’s premises, books and records, termination, and consent to any onward outsourcing. In addition, the outsourcing firm needs to be able to terminate these arrangements immediately where it’s considered to be in the interests of its clients.
In addition, the requirements relating to the outsourcing of portfolio management services to third country service providers have been tightened. So, under MiFID I, in order to make such an outsourcing arrangement for retail clients you had to have in place a cooperation agreement between the regulator of the outsourcing firm and the regulator of the service providing firm, and the service providing firm of course therefore had to be subject to local regulation. That is still the case, but now this applies to the outsourcing of all portfolio management business to third country firms, so not just retail related services.
In addition, it used to be that the regulator was able to waive the criteria. So, for instance, if the third country firm was not subject to local supervision, the FCA could say, that’s fine, we think this is reputable or whatever. That ability has now been removed from MiFID II.
So in terms of implementing these fairly minor changes, firms do need to look at their outsourcing agreements to make sure that they actually cover the contents requirements that have been set out in MiFID II, and also that they have the ability to terminate those arrangements immediately if it’s in the interest of their clients, and also they need to make sure that the outsourcing service provider is subject to local supervision and is in a country with which the FCA, if you are a UK-based firm, has a cooperation agreement in place specific to the transfer of information, and this is a different agreement, for instance, than the MOU that’s been put in place for AIFMD purposes. So that needs to be checked just to make sure that your outsourcing arrangements are all in order.
I’m now going to hand it back to Matt to look at senior management and data security issues.
MD Thanks, Mikhaelle. I will just cover these two areas quite quickly as the changes here are fairly minor. So, as far as senior management is concerned there is a new requirement to allocate responsibility for the oversight of the organisational requirements to a senior manager. And with data security the new rules mainly relate to enforcing stronger cyber security measures, so mechanisms will need to be implemented to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access, prevent information leakage, and also to maintain the confidentiality of data at all times.
So an update to data security systems will need to be considered to the extent that these requirements are not already being fulfilled, and responsibility for the organisational requirements should be allocated to one or more senior managers.
I’m now going to look at the rules on conflicts of interest. As you will know, the concept of conflicts of interest is not new to MiFID II, but certain key requirements have been strengthened. So, starting with the basics, what exactly is a conflict of interest under MiFID? Well, it includes any conflicts between the interests of the firm and the duty that it owes to a client, or two or more of its clients, but provided that there is potential loss or disadvantage to a client.
And in line with existing practice under MiFID I, the FCA in the UK will apply the MiFID II conflicts of interest rules to UCITS ManCos, most UK AIFMs, and EEA AIFMs which manage or market a UK AIF.
So, what’s new under MiFID II? Well, first there’s an even greater focus on preventing and managing conflicts of interest rather than disclosure. Second, the disclosure requirements themselves have become more prescriptive, and third, there are additional oversight responsibilities for the management body.
Under MiFID II there is even greater emphasis on managing and preventing conflicts of interest, with the directive aiming to remove the overreliance on disclosure. Firms have an obligation to manage conflicts and mitigate the potential impact of the risks arising from them as far as possible. Disclosure is now specifically stated in a delegated regulation to be a measure of last resort, and as evidence that a conflicts policy is deficient and inadequate. Having said that, the FCA has stated that disclosure being a measure of last resort does not change the regulatory expectations that it has in firms, but the changes under MiFID II do clearly put a much stronger emphasis on this.
In addition, firms must now take all appropriate, rather than reasonable, steps to identify and to prevent or manage conflicts. This certainly sets a higher bar of compliance, and the FCA has indicated that it expects firms to be more active in identifying which changes to their operations might be required to prevent or manage conflicts. The FCA is also clear that disclosure is not a form of managing a conflict.
Now, it’s also worth noting that firms will have to continue to be aware of their obligations which they have as a fiduciary under common law. If it is determined under MiFID II that a conflict can be managed and therefore disclosure is not required, a firm will still need to consider if it is required under common law to disclose the conflict in its capacity as a fiduciary. Now, this will often have to be considered on a case-by-case basis, and sometimes there might not be a straightforward answer to this, given a slight conflict between the regulation and the provisions under common law.
Moving on to disclosure requirements, when disclosing a conflict of interest under MiFID I, as well as ensuring the disclosure is in a durable medium, a firm had to disclose the general nature and/or source of the conflicts and, notably, provide sufficient detail for the client to make an informed decision on whether or not to proceed with the service giving rise to this conflict.
Under MiFID II the requirements are much more prescriptive. In addition to what was already required under MiFID I, when disclosing a conflict of interest firms must also specifically describe the conflicts of interest that arise in the provision of investment or ancillary services, explain the risks that arise to the client as a result of the conflict, note the steps which the firm has already taken to mitigate the risks of that conflict, and, notably, clearly state that the organisational and administrative arrangements established by the firm to prevent or manage that conflict are not sufficient to ensure that the client’s interests will be protected.
It’s also worth noting that each of the prescribed items which I’ve just run through apply irrespective of client categorisation, but the description itself for each of those items should take into account the nature of the client. So, in practice, whilst you have to tick all the same boxes irrespective of whether you’re dealing with a professional or a retail client, disclosure to retail clients should be tailored to take into account their background.
And finally, there are changes to who oversees conflicts of interest and where responsibility for this lies. In addition to what was required under MiFID I, responsibility for ensuring appropriate conflicts policies and procedures are in place now rests with the management body. At least annually the conflicts of interest policy should be reviewed with senior management receiving a written report where conflicts of interest have arisen. There is also a new requirement to keep an up to date record of the kinds of investment services and activities in which a conflict creates a risk of damage to a client. Senior management should receive, again annually, written reports on situations contained within these new records.
Now, it’s the FCA’s belief that these two rules which I’ve just mentioned are in practice already being complied with by most firms, so hopefully the impact here should be fairly minimal. It’s also worth noting that for non-MiFID firms, unlike the rest of the conflicts of interest rules which I’ve just run through, the FCA are applying these on a guidance only basis.
And to the extent that firms aren’t already doing so, the conflicts policy must now also address conflicts arising out of third party inducements, as well as the firm’s own remuneration policies and incentive structures, and their addition to the legislation is clearly a sign of the importance which the regulator is placing on these two items. And then there are also additional rules for those carrying out underwritings or placings.
So, there are notable changes to conflicts of interest under MiFID II, but we don’t think that an upheaval of the current approach is necessarily required. But what should firms be doing now? Well, firms should be reviewing and updating their conflicts policies and procedures to reflect the updated rules under MiFID II – in particular, the greater emphasis on managing and preventing conflicts rather than just relying on the ability to disclose a conflict to clients.
Firms should also consider preparing templates which they can adapt and use to make the more extensive disclosures of conflicts to clients; to the extent they’re not already in place, also implement reporting systems to senior management and, finally, firms should also consider under their current agreements with clients whether or not they currently have any obligations to disclose conflicts of interest and ensure that this obligation might not cause them to inadvertently breach the new MiFID II approach.
I’m now going to hand back over to Mikhaelle, who is going to cover remuneration.
MS I’m sensitive that we’re running over our scheduled ending time right now, so I’m going to just whip through remuneration because it is a new category that’s being covered under MiFID II. As I mentioned, it’s a new requirement. However, there are existing ESMA guidelines in place, and for firms that already implement those existing guidelines you’re likely to find that there aren’t really any practical changes. What really happens here is that the ESMA guidelines have been given firm regulatory standard by implementing them into MiFID II.
The FCA has determined that it’s going to extend the application of these requirements to common platform firms, but not to AIFMs or UCITS ManCos, and to article three firms and to branches of third country firms.
The remuneration rules apply to all relevant persons who impact directly or indirectly on the provision of investment or ancillary services, or on the corporate behaviour of the firm. So, for example, this would include sales staff, their managers, client-facing analysts, product developers, front office staff, and to tied agents. It applies to both financial and non-financial remuneration, so salary, cash, loans, carried interest, pension contributions, insurance, or even seminars in exotic locations.
The management body is responsible for defining and approving, and overseeing the remuneration policy, and it needs to do this with advice from the compliance function. The policy covers the usual types of requirements you see in these remuneration rules now, balanced between fixed and variable remuneration, and the use of qualitative and quantitative criteria. Examples here of qualitative criteria that have been given are regulatory compliance, fair treatment of clients and the quality of client services that have been provided. The policy also needs to not compromise the objectivity of the compliance function.
So, unlike other remuneration rules, the rules under MiFID II are concerned with preventing conflicts of interest. Other remuneration regimes that we’ve seen coming out lately – so, for example, those under AIFMD – are concerned with the maintenance of financial stability. While the other regimes tend to focus on key risk takers or senior management, those under MiFID II focus on client-facing personnel and seek to limit the opportunity for those personnel to find themselves in a conflict of interest with the firm’s clients. For this reason, for example, the use of sales targets for retail sales, for retail clients, is prohibited under MiFID II.
Many firms will be subject to other remuneration regimes already, so they might be subject to rules under CRD III or IV under the UCITS or under AIFMD, and the FCA has made it clear that it expects firms to comply with these regimes, even though they overlap. So, it means that firms, practically speaking, are either going to have to put in place one remuneration policy that fits everybody, or they’re going to have to apply different remuneration policies in respect of different relevant staff.
So, you’ll have a different category of relevant staff under the MiFID rules and a different category of relevant staff under, say, AIFMD, and there will be some overlap, but they might be different for your sales force in certain circumstances, for example.
Firms should therefore take a look at their remuneration policies, make sure that what they have in place meets the MiFID requirements, and as I mentioned at the beginning, I think that the likelihood of many changes being made for those firms who already comply with ESMA’s guidelines is fairly limited.
That completes today’s seminar. I want to thank you for holding on a little bit longer. I know we ran over a bit. Thank you very much.
Commentary
Issue 125
MiFID II In Focus
Unlocking organisational requirements under MiFID II
A TRANSCRIPT OF A SEMINAR HELD AT DECHERT’S LONDON OFFICE ON 5 JULY 2017
Originally published in the August 2017 issue