Compliance Functions Under the Spotlight
The Central Bank of Ireland (Central Bank) has published its Thematic Assessment of the Compliance Function in the MiFID Investment Firm Sector (Report), providing valuable insights into its supervisory expectations of Compliance functions within MiFID investment firms (Firms).
A Targeted Review of Compliance Effectiveness
The thematic assessment examined Firms’ compliance with Article 22 of the MiFID II Delegated Regulation and the associated ESMA Guidelines. Its focus was threefold:
- the structure and adequacy of the Compliance function;
- the effectiveness of compliance planning, monitoring and testing processes; and
- the quality of reporting and engagement at the board/sub-committee level.
The Central Bank adopted a two-stage approach, combining a questionnaire and desk-based review of compliance frameworks with more in-depth engagement, including direct interaction with Heads of Compliance.
Positive Findings
The Report identifies a number of encouraging trends across the sector.
In particular, Firms generally demonstrate a strong understanding of their regulatory obligations, and many have established Compliance functions that are appropriately resourced for their business model and scale.
The Central Bank also welcomed evidence of Compliance functions’ involvement in strategic decision-making regarding new products and business lines.
Key Areas of Regulatory Concern
Notwithstanding this progress, the Central Bank identified several recurring weaknesses that Firms will be expected to address as a matter of priority.
Lack of Succession Planning and Continuity
A consistent finding was the absence of robust succession planning and contingency arrangements within Compliance functions. Some Firms were unable to demonstrate how key responsibilities would be discharged in the event of staff absence or turnover.
This creates a vulnerability in maintaining a “permanent and effective” Compliance function, which is a core regulatory requirement.
Limited Visibility of Compliance in Training
Although most Firms provide compliance training, the Central Bank raised concerns where the Compliance function itself is not sufficiently involved in the design or delivery of training programmes.
The Central Bank views direct Compliance-led training as an important mechanism for embedding regulatory awareness and reinforcing an appropriate culture across the organisation.
The Central Bank welcomed linking compliance monitoring findings to the identification of specific training needs and to follow-up compliance monitoring to assess the effectiveness of such training.
Inconsistencies in Monitoring Frameworks
Weaknesses identified in risk-based compliance monitoring programmes included:
- incomplete or static compliance risk assessments;
- insufficiently detailed compliance plans or “compliance universes”; and
- weak linkage between identified risks and monitoring activity, including failure to conduct regular review of all identified risks.
In some cases, these deficiencies limit the ability of senior management and boards to oversee compliance risk effectively.
The Central Bank welcomed the extension of monitoring activities beyond desk-based assessment to include on-site inspections of business areas to verify effective implementation of policies and procedures in practice.
Deficiencies in Board Oversight and Scrutiny
Although appropriate compliance reporting to the board is generally taking place, the Central Bank found that board and committee minutes often do not adequately capture the level of discussion or challenge expected.
Increasing Focus on Forward-Looking Compliance
The Report also highlights the importance of horizon scanning as a core compliance activity.
Most Firms have adopted processes to monitor regulatory developments, but the Central Bank emphasises that these should be used to support forward-looking decision-making and ensure that compliance frameworks evolve in line with regulatory change.
What Firms Should Do Now
The Central Bank has made clear that Firms are expected to take proactive steps in response to the Report.
In particular, Firms should:
- undertake a comprehensive self-assessment of their Compliance function in line with the findings of the Report, the requirements of Article 22 of the MiFID II Delegated Regulation and the associated ESMA Guidelines, and obligations under the Consumer Protection Code and related guidance on Securing Customers’ Interests and the Protection of Consumers in Vulnerable Circumstances;
- identify and remediate gaps without delay; and
- ensure the Report is discussed at the next board meeting and record the discussion in board minutes.
Conclusion
The Report represents a clear articulation of supervisory expectations regarding Compliance functions in Firms.
While many Firms have solid foundations in place, the Central Bank expects demonstrable improvements in areas such as governance, oversight and operational robustness.
Firms that take early and structured action to address the findings will be best positioned to meet regulatory expectations and withstand supervisory scrutiny.
For further information on the Report, or assistance with reviewing your compliance framework, please contact Shane Kelleher, John Aherne, a member of our Financial Regulation team, or your usual William Fry contact.



