With the issuance of Circular 553, CySEC aims to provide guidance on the application of certain aspects of the compliance function requirements provided in article 17(2) of the Investment Services and Activities and Regulated Markets Law (‘the Law’) and Article 22 of the MiFID II Delegated Regulation 2017/565, in order to ensure the common, uniform and consistent application of these legal requirements.
This circular should be read with Circular C447. Circulars C030 and C050 are repealed and replaced by this circular.
In summary, the following aspects of the compliance function are being explored:
- Responsibilities of the compliance function
Guideline 1: Compliance risk assessment
In accordance with Article 22(2) of the MiFID II Delegated Regulation, the compliance function shall, as part of its tasks, conduct a risk assessment to ensure that compliance risks are comprehensively monitored.
The identified risks should be reviewed on a regular basis and, when necessary, also on an ad-hoc basis to ensure that any emerging risks are taken into consideration (for example, resulting from new business fields, other relevant changes in the Investment Firm’s structure or in the applicable regulatory framework).
Guideline 2: Monitoring obligations of the compliance function
The aim of the risk-based monitoring programme should be to evaluate whether the Investment Firm’s business is conducted in compliance with its obligations under the Law, as well as whether its internal policies and procedures, organisation and control measures remain effective and appropriate to ensure that compliance risk is comprehensively monitored.
Guideline 3: Reporting obligations of the compliance function
The mandatory compliance report according to paragraphs (2)(c) and (3)(c) of Article 22 and paragraphs (2) and (3) of Article 25 of the MiFID II Delegated Regulation is a suitable tool to warrant the necessary management attention. The mandatory compliance report should cover all business units involved in the provision of investment services, activities and ancillary services provided by the Investment Firm. Where the report does not cover all of these activities and services of the Investment Firm, it should clearly state the reasons.
Guideline 4: Advisory and assistance obligations of the compliance function
Investment Firms should ensure that the compliance function fulfils its advisory and assistance responsibilities, including providing support for staff and management training; providing day-to-day assistance for staff and management; and participating in the establishment of policies and procedures within the Investment Firm (e.g. the Investment Firm’s remuneration policy or the Investment Firm’s product governance policies and procedures).
- Organisational requirements of the compliance function
Guideline 5: Effectiveness of the compliance function
When ensuring that appropriate human and other resources are allocated to the compliance function, Investment Firms should take into account the scale and types of investment services, activities and ancillary services undertaken by the Investment Firm.
Guideline 6: Skills, knowledge, expertise and authority of the compliance function
Investment Firms’ compliance staff shall have the necessary skills, knowledge and expertise to discharge their obligations pursuant to Article 21(1)(d) of the MiFID II Delegated Regulation. Furthermore, the compliance function shall have the necessary authority pursuant to Article 22(3)(a) of the MiFID II Delegated Regulation. These requirements should in particular be taken into account by Investment Firms when appointing the compliance officer.
Guideline 7: Permanence of the compliance function
The first subparagraph of Article 22(2) of the MiFID II Delegated Regulation requires Investment Firms to ensure that the compliance function performs its tasks and responsibilities on a permanent basis. Investment Firms should therefore establish adequate arrangements for ensuring that the responsibilities of the compliance officer are fulfilled when the compliance officer is absent, and adequate arrangements to ensure that the responsibilities of the compliance function are performed on an ongoing basis. These arrangements should be in writing.
Guideline 8: Independence of the compliance function
Investment Firms should ensure that the compliance function holds a position in their organisational structure that ensures that the compliance officer and other compliance staff act independently when performing their tasks.
Guideline 9: Proportionality with regard to the effectiveness of the compliance function
Investment Firms should decide which measures, including organisational measures and the level of resources, are best suited to ensuring the effectiveness of the compliance function in the Investment Firm’s particular circumstances.
Guideline 10: Combining the compliance function with other internal control functions
An Investment Firm should favour an organisation where control functions are properly separated. The combination of the compliance function with other control functions may be acceptable if this does not compromise the effectiveness and independence of the compliance function. Any such combination should be documented, including the reasons for the combination so that the CySEC is able to assess whether the combination of functions is appropriate in the circumstances. However, where an internal audit function has been established and is maintained within the Investment Firm in accordance with Article 24 of the MiFID II Delegated Regulation, such function may not be combined with other control functions such as the compliance function, in accordance with Article 24.
Guideline 11: Outsourcing of the compliance function
Investment Firms should ensure that all requirements applicable to the compliance function continue to be fulfilled where all or part of the compliance function is outsourced.
Investment Firms can only outsource tasks, but not responsibilities: Investment Firms wishing to engage in outsourcing remain fully responsible for the tasks that are outsourced. In other words, as set out in Article 31(2)(e) of the MiFID II Delegated Regulation, the ability to control outsourced tasks and manage the risks associated with the outsourcing must always be retained by the Investment Firm initiating the outsourcing.
- Competent authority review of the compliance function
Guideline 12: Review of the compliance function by the competent authorities
CySEC reviews how Investment Firms plan to meet, implement and maintain the applicable compliance function requirements. This applies in the context of the authorisation process, as well as, following a risk-based approach, in the course of ongoing supervision.
The compliance function must immediately disclose to the CySEC every important development that may substantially affect its ability to effectively perform the compliance function and to fulfil its responsibilities appropriately.