Related information

MiFID Conference

Slides

Christina Sinclair, Head of Institutional Business Policy, Financial Services Authority
MiFID Conference, The Queen Elizabeth 11 Conference Centre, Westminster, London
15 May FSA

Slide 1

Good afternoon. I am going to talk about our implementation of the general organisational requirements contained in both MiFID and Capital Requirements Directive, known as the 'CRD'. Our proposals will be in our Consultation Paper 'Organisational Systems and Controls : Common Platform for Firms' which we will issue shortly.

This CP is the first MiFID-related CP we will issue; it is important to consult now because our proposals cover CRD requirements and we have to implement those by 1 January 2007.

My talk is in three parts: the first will explain what we mean by the common platform. In the second, I will describe our proposals on 3 key topics covered by the common platform and their impact on firms. Finally I will cover timing and transitional arrangements and what firms should do next.

Both the CRD and MiFID have provisions on organisational requirements. This is to be expected, as financial services regulators around the world are rightly concerned that the business and affairs of financial services firms are responsibly and effectively organised and controlled at senior management level and that firms' senior management take responsibility for this. Given our statutory objectives to maintain confidence in the UK financial markets, to protect consumers, and the reduction of financial crime, we share this concern. Effective senior management oversight and internal systems of control are essential for effective regulation and minimise the need for detailed FSA rules. Our existing Handbook provisions, largely guidance, establish standards on these matters. Firms operating in the UK, in the main, are familiar with these and have good systems and controls in place. For such firms the impact of the new requirements will be small.

As has been said before today, in implementing Directives such as CRD and MIFID, we are committed to being proportionate and doing so in a way that is consistent with statements in our Better Regulation Action Plan which, in particular, requires us to bear down on super-equivalence or gold plating – going beyond Directive-minima only where this is supported on a cost benefit analysis. In developing proposals for implementing the organisational requirements of these two Directives, we have been very conscious of our commitments.

Background to Common Platform Approach

Of course, management oversight and control is as relevant to firms whose business activities are subject to CRD requirements as it is to firms whose business activities are subject to MiFID. But when we looked at this more closely, we realised that most firms which conduct business which is subject to CRD requirements (and that includes CAD firms) are also subject to MiFID requirements. For example, investment banks, stockbrokers and many fundmanagers will be subject to both. And most credit institutions also conduct activities that bring them within MiFID.

So, for a large proportion of firms, both these Directives impose similar, but not identical, requirements and in many cases, broadly, these requirements relate to the same business activities. Risk management for example, to be effective, must look across all risks inherent in a firm's activities – whether they arise in respect of business subject to the CRD or MIFID. And we understand that many firms' internal controls establish one set of practices and procedures across the firm, such as, for example, in relation to business continuity, or compliance. So the Directive requirements were likely to overlap substantially.

Slide 2

To implement the Directives we saw that we had 3 options.

Option 1 – Maintain Current regime – with amendments

We could maintain our current regime, making changes necessary to make it directive compliant. This would have advantages – the requirements in the 2 Directives are broadly in line with our existing Handbook provisions. It would also leave in place one set of high level requirements applying to all firms across their business. We can see merit in one clear regulatory standard for these high level requirements on management oversight and internal controls. But such an approach is not consistent with our commitment to streamline the Handbook and our commitment to copy-out Directives.

Option 2 – Copy out to Directives

Our second option was to just copy-out both the CRD and the MiFID requirements creating two new parallel and over-lapping sets of requirements (giving 3 sets for those firms that also do other business such as insurance which are covered by existing standards). This has the advantage of being very transparent. But we were not sure that this was the lowest cost option and feedback from firms suggested that this would not be the option they would prefer.

When we looked at our data we found relatively few firms which did only CRD business i.e. did not also do business that brought them within the scope of MiFID. So, in some areas such as business continuity, which cuts across the whole of the firm's business, parallel requirements may not be the optimal approach. We were also mindful that although the CRD provisions are very high-level, the intention of the European Committee Banking Supervisors (CEBS) is to supplement these provisions by Level 3 material – such as their recent consultation on outsourcing principles.

Option 3 – A Common Platform

The third option seeks to maximise the advantages of these two and avoid the disadvantages. It is based on the principle that one set of requirements – one clear unified standard – is desirable, but also using copy-out approach, as this is consistent with our commitments for Directive implementation.

We have chosen to proceed by way of this third option – creating a common platform. We believe this approach is consistent with the European Commission's view that firms subject to both Directives should not have to comply with two sets of requirements. And we hope that our approach will influence future work at level 3 in both CEBS and CESR. Our view is that convergence on these topics would be highly desirable, particularly for those firms which are subject to both Directives.

Such an approach will involve some super-equivalence – mainly where Directive-minima are applied across both CRD and MiFID business activities. So we have, and are ready to, modify this approach where the CBA is not supportive – reverting to 2 sets of requirements. Hector said we will not be pursuing tidiness where it can't be justified. In the CP we explain this in more detail. We look to industry to challenge our cost assumptions in certain areas.

However, overall, for firms who currently have good management oversight, effective risk management and other internal controls, supported by practices and procedures, we expect the overall impact of our proposals is likely to be small.

The common platform provisions will be located in new topic-specific chapters in our SYSC sourcebook. The CP also contains two analyses of the costs and benefits of our proposals. One complies with our statutory obligations under FSMA and compares the impact of the proposals against our current regime. The second sets out our analysis on all areas of super-equivalence above directive minima. We invite industry comment on all areas where the common platform is super-equivalent, particularly where the CBA analysis is equivocal.

The common platform proposals cover 8 broad topics. But today I am going to talk on just 3 where I think our proposals will be of most interest.

Slide 3

Conflicts of Interest

Conflicts of interest, and potential conflicts, are ubiquitous in the financial services industry. Although the potential for conflicts to arise is likely to be greater in large organisations providing a range of financial services, even the smallest firm which, for example, is paid to act as an intermediary for a client, can have interests which conflict with those of its client. We recognise that it can be the very expertise which attracts a customer to a firm that may create the potential for conflicts to occur. But failure to deal appropriately with conflicts can undermine the confidence in the financial markets which is vital to the industry on impose costs. As some recent examples have spectacularly demonstrated, these costs, in loss of reputation, as well as direct costs, can be substantial. And the impact of the loss of consumer trust, is no less significant. Regulators around the world are rightly concerned with standards and expect strong management oversight and control of this aspect of firms' affairs, given the potential for detriment to customers of the firm concerned, (to the firm itself) and to market confidence.

The importance of rigorous and effective management of conflicts of interest is recognised in both MiFID and CRD. They have provisions which require Member States to introduce regulatory standards for the effective management of conflicts. We already have regulatory standards in this area, in our high-level Principles for Business, for example, which are broadly in line with the Directives. Our view is that maintaining a unified approach – one clear regulatory standard - is desirable in this area. Our proposals for implementing the Directives reflect this. Our common platform standard is that firms will be required to manage conflicts of interest wherever they arise in their regulated activities.

Slide 4

Conflicts continued

Requirements in MIFID, which supplement the high level requirement, will also be carried into the common platform. These include, for example, requirements that a firm's policy

  • should be in writing,
  • identify the circumstances which may give rise to a conflict of interest entailing material risk of damage to clients, and
  • specify the measures adopted to manage the conflicts. They also include requirements for firms to insulate staff from conflicts where this is a proportionate approach.

Proportionate

The results from our FSMA CBA indicate that the impact of moving to the common platform proposals in this area will be small for most firms. Our proposals recognise that, given the diversity of firms, the provisions need to apply proportionately, giving firms flexibility to adopt policies and measures that are appropriate for their circumstances. Thus, the procedures and practices we would expect to see in firms are likely to depend on the size and complexity of the firm's business. Our understanding, based in part on our 2005 thematic work, is that firms generally consider having a policy, identifying conflicts and establishing procedures for managing conflicts, including by insulating staff, to be very much part of existing normal business practice. Large multi-service firms may wish to review the best practice articulated in our Dear CEO letter of November 2005. Small firms' policies and procedures may well be simpler than those of larger, more complex firms, reflecting their business, but they will also need to be effective.

Disclosure

Our current requirements in COB 7.1.4 E cite disclosure to a customer of an interest in a transaction as one of the reasonable steps a firm may take in order to manage a conflict of interest. Our proposals also require disclosure of an actual or potential conflict of interest as a method of managing a conflict, but only where the firm is not reasonably confident that its other procedures and measures for managing the conflict or potential conflict will prevent the risk of damage to the client's interests. This does not imply that disclosure cannot be the appropriate method of managing a conflict. But it does change the emphasis – a firm must consider whether other measures will be effective before resorting to disclosure.

Disclosure alone is more likely to be appropriate in relation to conflicts which affect the interests of professional clients - who might reasonably be expected to protect their own interests and who are more likely to be able to use the information provided to them to influence the investment firm or choose another.

Firms may wish to use disclosure even where they have employed other measures to manage conflicts and those measures, such as functional independence or information barriers, have the effect that the risk of damage to clients' interests is low. Our proposed measures do not prevent this.

I turn to the second specific topic – Outsourcing.

Slide 5

Outsourcing

Many firms are now using third parties to carry out activities that the business itself would normally have undertaken. Outsourcing arrangements have the potential to transfer risk, management and compliance of the business to third parties, who may not be regulated and who may operate offshore. Therefore, they challenge the ability of firms to remain in control of their business risks and to comply with regulatory responsibilities.

In response, internationally, regulators have focussed their attention on the practices of firms. In January 2005, the Joint Forum and IOSCO issued guiding principles and, at European level, in April this year, CEBS published draft principles for consultation.

In this context it is not surprising that both MiFID and CRD cover outsourcing.

Firms can outsource any range of their activities in a variety of ways. And although it is possible, it is certainly not necessary for firms' outsourcing arrangements to be segmented into business subject to the CRD or business subject to MiFID. Outsourcing of some back office activities, for example, is likely to involve data and information that relate to business subject to both Directives.

So, we consider that there is a good case for a unified standard in this area, but also giving firms the flexibility to control and manage the risks arising in outsourcing in a way which is appropriate and proportionate, depending on the nature of the outsourcing. The common platform proposal looks to the circumstance that a firm relies on a third party for the performance of operational functions which are critical or important for the provision of continuous and satisfactory service. In this situation, the firm must take reasonable steps to avoid undue operational risk. And it must not impair the quality of its internal control – or the activities of its supervisor.

The requirement is not absolute, it focuses on reasonable steps; that is, the processes and procedures a firm should take.

Slide 6

Our proposals [MIFID-based] make it clear that in taking reasonable steps a firm should be satisfied that:-

  • the service provider has the ability, capacity and necessary authorisation to perform the outsourced activities reliably and professionally
  • the firm can assess the standard of performance
  • it can supervise the third party appropriately and manage risks associated with the outsourcing.

Our proposals also require a firm to take appropriate action where it appears the service provider is not carrying out the functions effectively or in compliance with applicable laws and regulatory requirements. Additional important safeguards are that:

  • the investment firm, its auditors and relevant competent authorities have effective access to data related to the outsourced activities, as well as to the business premises of the service provider
  • the service provider must protect confidential information belonging to the investment firm or its clients
  • the investment firm and the service provider must have a contingency plan that provides for disaster recovery
    • the outsourcing agreement must be in writing.

The proposals recognise that outsourcing to a member of the same group might involve less risk.
These proposals will be familiar to firms who have looked to draft guidance in CP 142 as an indication of the acceptable standards.

The CRD requirements cover outsourcing of activities other than those which are critical or important. Although we must apply the CRD requirements to businesses subject to CRD, we carefully considered whether it would be appropriate to extend these provisions to outsourcing of business relating to MiFID activities. Any requirements for such outsourcing should be proportionate to the risks of these arrangements. We do not believe that applying the MiFID permissions as rules would be proportionate, so we propose only guidance in this area. Such outsourcing is not entirely risk free, and the risks it poses can also threaten our statutory objectives, but our approach will give firms the flexibility to control and manage the risks arising from this outsourcing in a proportionate way.

Many of you may be aware that there is considerable controversy over the MiFID Level 2 provisions regarding the outsourcing of retail portfolio management services to non-EEA service providers. This is still to be negotiated through the L2 ESC process, and the outcome is far from certain. For this reason, we will consult on our implementation of these provisions in our Reforming Conduct of Business CP, after they have been adopted by the European Parliament.

I turn now to the third topic – Risk Control

Slide 7

Risk Control

Both MiFID and the CRD stress the importance of firms establishing effective risk control policies and procedures. We share this view. We also believe that a unified standard in this area is sensible for some but not all of the risk control requirements in the 2 Directives.

Our proposals for risk control are not substantially different from our current Handbook provisions. Our existing guidance will be replaced by high-level rules.

We propose that a firm is required to establish, implement and maintain adequate risk management policies and procedures which identify and set the tolerable level of risk relating to its activities and effectively manage those risks. A firm also has to have a separate risk control function, where this is proportionate depending on the nature, scale and complexity of its business. This function will be responsible for assessing the risks that the firm faces and for advising the firm's governing body and senior managers on these risks.

Our common platform proposals incorporate the detailed MiFID requirements which give support to the high level standards, reflecting the importance we attach to this area. These require a firm to monitor

  • the adequacy and effectiveness of its risk management policies and procedures
  • the level of compliance by the investment firm and its staff with its arrangements
  • the adequacy of measures taken to address any deficiencies.

Our CBA analysis was supportive of this approach.

We do not propose that a number of requirements on risk control contained in the CRD concerning credit and counterparty risk, market risk, residual risk, market risk, liquidity risk, operational risk and group risk be applied as a unified standard. Our CBA analysis was not supportive of any extension beyond business directly subject to CRD requirements. As these requirements look to the whole of a firm's business –operational risk, for example. To this extent, all the activities of firms, including activities subject to MiFID, will be captured in these requirements.

The other topics in the SYSC CP are also very important in the context of the management oversight and control we expect of firms – compliance, for example. And Business Continuity is also very topical, given the recent simulations in which the FSA has played a key role. These simulations highlighted the importance of firms planning now to deal with a serious interruption to the functioning of the markets.

Time does not permit me to cover all the topics today as I need to allow some minutes to explain our approach on transitionals.

Slide 8

Transitional Arrangements

As the Common Platform contains unified standards derived from two Directives, this presents us with a messy timing issue to deal with.

Firms must comply with the CRD from1 January 2007, but to require firms to comply with the whole of the common platform from 1 January 2007 would be 'super-equivalent' because MiFID does not commence until 1

November 2007 and the common platform contains MiFID derived requirements.

On the other hand, changing risk management and other internal controls and practices and procedures and the like involves cost and takes time. So some firms may wish to do this only once. We have decided that firms themselves are best placed to make a decision about when they want to switch to new requirements. So we propose to make the common platform – create the rules and guidance - ahead of 1 January 2007 so that firms that want to make only one change – from current Handbook requirements to common platform can do so. It will be their choice.

For firms that do not want to move to the common platform on 1 January, they can chose to do so any time up to 1 November 2007 – at which point it will be mandatory. During the period from 1 January to the time they switch, firms that are subject to CRD will need to comply with the CRD provisions (changing their management oversight if necessary) and also our existing Handbook provisions. A firm may only opt into the whole of the common platform early; a selective approach to adoption by firms would be impossible for us (and I am sure for firms) to monitor.

Of course, firms that are not subject to the CRD, will only need to comply with the common platform from 1 November. Before then SYSC Chapter 3 applies to them.

Slide 9

Next Steps

Our proposals for record-keeping, which are mainly conduct of business requirements, will be contained in our Reforming BOB Regulation CP. And as I have already mentioned, that CP will also contain our proposals in respect of the MiFID Level 2 measures on the outsourcing of retail portfolio management services to non-EEA service providers, when we know what the European Parliament has adopted.

Non-scope Firms

We plan to develop proposals for the application of the common platform to firms (except for insurers) outside the scope of MiFID and/or CRD over the next year. These requirements will be phased-in when our policy development and a suitable CBA have been completed and after further consultation. We will review our SYSC / organisational requirements for insurers as part of our work on the Solvency 2 Directive.

Read the CP! The consultation closes 19 August 2006. We will make the rules and publish a feedback statement in Q4 2006, so firms will have time to see them before 1 January 2007.

 

Back to topBack to top

More Speeches: