Financial Services

Revisiting ESMA’s 2020 Guidelines on the MiFID II compliance function and applying lessons learned

Written by

Dr. Michael Huertas


Financial services firms (and their senior management) are required to maintain a permanent and effective compliance function that in turn is required to carry out various duties and responsibilities.See Article 22 of Commission Delegated Regulation (EU) 2017/565 as available, as at the time of writing hereof, in the last consolidated updated version (dated 2 August 2022) available here.Show Footnote Various firms, notably those in-scope of the EU’s Directive 2014/65/EU (MiFID II) have also, since 5 September 2020, had to comply with supervisory expectations on the MiFID II compliance function as set out in the GuidelinesAvailable here as (last) updated in the binding version of the Guidelines dated 6 April 2021, which updates the version first published by ESMA as a Final Report on 5 June 2020. Please also see compliance table of EU Member States NCAs as (last) updated 13 October 2022 available here.Show Footnote published by the European Securities and Markets Authority (ESMA). These 2020 Guidelines replaced similar guidelines issued by ESMA in 2012 and updated principles therein to enhance clarity and foster greater convergence in the implementation and supervision of the compliance function amongst firms that are “in-scope” for the purposes of the 2020 Guidelines (In-scope Firms).  

The Guidelines are addressed to competent authorities i.e., supervisory authorities (collectively NCAs) and certain financial market participants in order to establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision (ESFS) and to ensure the common, uniform and consistent application of certain aspects of the MiFID II compliance function. In-scope Firms need to thus take into account the expectations set in the Guidelines as well as the national level frameworks into which the Guidelines have been included and any additional jurisdiction-specifics set by the respective NCAs pursuant to their own mandate, some of which may, despite the Guidelines, differ between NCAs where these fall outside of the scope of the Guidelines.

Following a continued inflow of new entrants as well as new types of In-scope Firms into the EU, whether as a result of Brexit or otherwise, coupled with a raft of legislative/regulatory compliance (along with financial crime) failings across established firms, both large and small, complex and non-complex, it should come as no surprise that EMSA and the NCAs are increasing their focus on In-scope Firms meeting the Guideline’s outcomes. More importantly, the ESFS is likely to become even more strict and intrusive following relevant authorities’ return to “supervision as normal” following the end of the COVID-19 pandemic. In-scope Firms will want to assess whether they are (still) doing enough to meet the baseline expectations of the Guidelines as well as the jurisdiction-specifics and individual expectations as set by the NCAs that supplement the Guidelines’ outcomes.

This Client Alert revisits the contents of the Guidelines considering the lessons learned as the role and challenges of the compliance function has considerably changed since 2020. This Client Alert should be read in conjunction with other analysis from our EU RegCORE notably on changes to the three-lines of defence (3LoD) model following the impact of COVID-19 pandemic and the longer-term adoption of remote and/or hybrid working arrangements. This Client Alert should also be read in conjunction with developments around crypto-assets, as a number of crypto-asset service providers may well apply for authorisations that mean they become an In-scope Firm for purposes of the Guidelines.

A closer look at the Guidelines and lessons learned since 2020

ESMA uses the Guidelines to specify the common supervisory expectations applicable to the compliance functions at the following In-scope Firms:

  1. Investment firms when carrying out in MiFID II/MiFIR and IFD/IFR “investment services” or “investment activities” or when selling or advising clients in relation to structured deposits;
  2. Credit institutions (i.e., banks) when carrying out in MiFID II investment services or investment activities or when selling or advising clients in relation to structured deposits;
  3. Undertakings for collective investment in transferable securities (UCITS) management companies when providing services in Art. 6(3) of the UCITS Directive i.e., portfolio management; and
  4. Alternative investment fund managers (AIFMs) when providing services referred to in Article 6(4) of the AIFMD i.e., portfolio management.

The Guidelines are structured to focus on different aspects of the compliance function and its efficiency in its operations. It remains firms’ (and senior management at those firms) individual responsibility to actively keep track on the performance of their compliance function through an internal compliance risk assessment.

As detailed below, the Guidelines are specific in their supervisory expectations however, in light of not having been updated since 2020, this may raise a number of questions in light of how the COVID-19 pandemic and the longer-term adoption of remote and/or hybrid working arrangements have had an effect on the compliance function. In particular both the ESFS and In-scope Firms may want to revisit and demonstrate that the compliance function and its target operating model (TOM) is performing against the expectations set in the Guidelines in particular as to what the compliance function is being tasked to do, how and where, notably where remote/hybrid working extends the 3LoD model well beyond its traditional “office-centric” set-up.

Moreover, the fact that the Guidelines have also not been updated since 2020 but major legislative reforms have been entered into force since then is also grounds to warrant In-scope Firms to revisit their arrangements. Some of these recent reforms include those affecting MiFID II (such as IFR/IFD and the introduction of both quantitative and qualitative “K-Factors”) as well as those extending the scope of “financial instruments” to include certain eligible crypto-assets and respective activity (see our coverage on MiCAR) as well as a wider-reaching supervisory focus on third-party risk management and (digital) operational resilience. These considerations may be of importance for both those compliance functions at established In-scope Firms inasmuch as it is at newly licensed In-scope Firms both when setting up a permanent, effective and independent compliance function and maintaining and adjusting it according to the specific risks faced over time.  

Read the entire article as a PDF here