|
EU
|
Article 1 - Subject-matter and scope
|
|
2
|
References to investment firms shall encompass credit institutions and references to financial instruments shall encompass structured deposits in relation to all the requirements referred to in Article 1(3) and 1(4) of Directive 2014/65/EU and their implementing provisions as set out under this Regulation.
|
|
EU
|
Article 21 - General organisational requirements
|
|
1
|
Investment firms shall comply with the following organisational requirements:
|
|
|
(a)
|
establish, implement and maintain decision-making procedures and an organisational structure which clearly and in documented manner specifies reporting lines and allocates functions and responsibilities;
|
|
|
(b)
|
ensure that their relevant persons are aware of the procedures which must be followed for the proper discharge of their responsibilities;
|
|
|
(c)
|
establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the investment firm;
|
|
|
(d)
|
employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them;
|
|
|
(e)
|
establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the investment firm;
|
|
|
(f)
|
maintain adequate and orderly records of their business and internal organisation;
|
|
|
(g)
|
ensure that the performance of multiple functions by their relevant persons does not and is not likely to prevent those persons from discharging any particular function soundly, honestly, and professionally.
|
|
|
When complying with the requirements set out in the this paragraph, investment firms shall take into account the nature, scale and complexity of the business of the firm, and the nature and range of investment services and activities undertaken in the course of that business.
|
|
2
|
Investment firms shall establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
|
|
3
|
Investment firms shall establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to their systems and procedures, the preservation of essential data and functions, and the maintenance of investment services and activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of their investment services and activities.
|
|
4
|
Investment firms shall establish, implement and maintain accounting policies and procedures that enable them, at the request of the competent authority, to deliver in a timely manner to the competent authority financial reports which reflect a true and fair view of their financial position and which comply with all applicable accounting standards and rules.
|
|
5
|
Investment firms shall monitor and, on a regular basis, evaluate the adequacy and effectiveness of their systems, internal control mechanisms and arrangements established in accordance with paragraphs 1 to 4, and take appropriate measures to address any deficiencies.
|
|
EU
|
Article 22 - Compliance
|
|
1
|
Investment firms shall establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under Directive 2014/65/EU, as well as the associated risks, and put in place adequate measures and procedures designed to minimise such risk and to enable the competent authorities to exercise their powers effectively under that Directive.
Investment firms shall take into account the nature, scale and complexity of the business of the firm, and the nature and range of investment services and activities undertaken in the course of that business.
|
|
2
|
Investment firms shall establish and maintain a permanent and effective compliance function which operates independently and which has the following responsibilities:
|
|
|
(a)
|
to monitor on a permanent basis and to assess, on a regular basis, the adequacy and effectiveness of the measures, policies and procedures put in place in accordance with the first subparagraph of paragraph 1, and the actions taken to address any deficiencies in the firm's compliance with its obligations;
|
|
|
(b)
|
to advise and assist the relevant persons responsible for carrying out investment services and activities to comply with the firm's obligations under Directive 2014/65/EU;
|
|
|
(c)
|
to report to the management body, on at least an annual basis, on the implementation and effectiveness of the overall control environment for investment services and activities, on the risks that have been identified and on the complaints-handling reporting as well as remedies undertaken or to be undertaken;
|
|
|
(d)
|
to monitor the operations of the complaints-handling process and consider complaints as a source of relevant information in the context of its general monitoring responsibilities.
|
|
|
In order to comply with points (a) and (b) of this paragraph, the compliance function shall conduct an assessment on the basis of which it shall establish a risk-based monitoring programme that takes into consideration all areas of the investment firm’s investment services, activities and any relevant ancillary services, including relevant information gathered in relation to the monitoring of complaints handling. The monitoring programme shall establish priorities determined by the compliance risk assessment ensuring that compliance risk is comprehensively monitored.
|
|
3
|
In order to enable the compliance function referred to in paragraph 2 to discharge its responsibilities properly and independently, investment firms shall ensure that the following conditions are satisfied:
|
|
|
(a)
|
the compliance function has the necessary authority, resources, expertise and access to all relevant information;
|
|
|
(b)
|
a compliance officer is appointed and replaced by the management body and is responsible for the compliance function and for any reporting as to compliance required by Directive 2014/65/EU and Article 25(2) of this Regulation;
|
|
|
(c)
|
the compliance function reports on an ad-hoc basis directly to the management body where it detects a significant risk of failure by the firm to comply with its obligations under Directive 2014/65/EU;
|
|
|
(d)
|
the relevant persons involved in the compliance function are not involved in the performance of services or activities they monitor;
|
|
|
(e)
|
the method of determining the remuneration of the relevant persons involved in the compliance function does not compromise their objectivity and is not likely to do so.
|
|
4
|
An investment firm shall not be required to comply with point (d) or point (e) of paragraph 3 where it is able to demonstrate that in view of the nature, scale and complexity of its business, and the nature and range of investment services and activities, the requirements under point (d) or (e) are not proportionate and that its compliance function continues to be effective. In that case, the investment firm shall assess whether the effectiveness of the compliance function is compromised. The assessment shall be reviewed on a regular basis.
|
|
EU
|
Article 23 - Risk management
|
|
1
|
Investment firms shall take the following actions relating to risk management:
|
|
|
(a)
|
establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm;
|
|
|
(b)
|
adopt effective arrangements, processes and mechanisms to manage the risks relating to the firm's activities, processes and systems, in light of that level of risk tolerance;
|
|
|
(c)
|
monitor the following:
|
|
|
|
(i)
|
the adequacy and effectiveness of the investment firm's risk management policies and procedures;
|
|
|
|
(ii)
|
the level of compliance by the investment firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with point (b);
|
|
|
|
(iii)
|
the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements, processes and mechanisms or follow such policies and procedures.
|
|
2
|
Investment firms shall, where appropriate and proportionate in view of the nature, scale and complexity of their business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:
|
|
|
(a)
|
implementation of the policy and procedures referred to in paragraph 1;
|
|
|
(b)
|
provision of reports and advice to senior management in accordance with Article 25(2).
|
|
|
Where an investment firm does not establish and maintain a risk management function under the first sub-paragraph, it shall be able to demonstrate upon request that the policies and procedures which it is has adopted in accordance with paragraph 1 satisfy the requirements therein.
|
|
EU
|
Article 24 - Internal audit
|
|
Investment firms shall, where appropriate and proportionate in view of the nature, scale and complexity of their business and the nature and range of investment services and activities undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the investment firm and which has the following responsibilities:
|
|
|
(a)
|
establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the investment firm's systems, internal control mechanisms and arrangements;
|
|
|
(b)
|
issue recommendations based on the result of work carried out in accordance with point (a) and verify compliance with those recommendations;
|
|
|
(c)
|
report in relation to internal audit matters in accordance with Article 25(2).
|
|
EU
|
Article 25 - Responsibility of senior management
|
|
1
|
Investment firms shall, when allocating functions internally, ensure that senior management, and, where applicable, the supervisory function, are responsible for ensuring that the firm complies with its obligations under Directive 2014/65/EU. In particular, senior management and, where applicable, the supervisory function shall be required to assess and periodically review the effectiveness of the policies, arrangements and procedures put in place to comply with the obligations under Directive 2014/65/EU and to take appropriate measures to address any deficiencies.
The allocation of significant functions among senior managers shall clearly establish who is responsible for overseeing and maintaining the firm’s organisational requirements. Records of the allocation of significant functions shall be kept up-to-date.
|
|
2
|
Investment firms shall ensure that their senior management receive on a frequent basis, and at least annually, written reports on the matters covered by Articles 22, 23 and 24 indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies.
|
|
3
|
Investment firms shall ensure that where there is a supervisory function, it receives written reports on the matters covered by Articles 22, 23 and 24 on a regular basis.
|
|
4
|
For the purposes of this Article, the supervisory function shall be the function within an investment firm responsible for the supervision of its senior management.
|
|
EU
|
Article 30 - Scope of critical and important operational functions
|
|
1
|
For the purposes of the first subparagraph of Article 16(5) of Directive 2014/65/EU, an operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU, or its financial performance, or the soundness or the continuity of its investment services and activities.
|
|
2
|
Without prejudice to the status of any other function, the following functions shall not be considered as critical or important for the purposes of paragraph 1:
|
|
|
(a)
|
the provision to the firm of advisory services, and other services which do not form part of the investment business of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel;
|
|
|
(b)
|
the purchase of standardised services, including market information services and the provision of price feeds.
|
|
EU
|
Article 31 - Outsourcing critical or important operational functions
|
|
1
|
Investment firms outsourcing critical or important operational functions shall remain fully responsible for discharging all of their obligations under Directive 2014/65/EU and shall comply with the following conditions:
|
|
|
(a)
|
the outsourcing does not result in the delegation by senior management of its responsibility;
|
|
|
(b)
|
the relationship and obligations of the investment firm towards its clients under the terms of Directive 2014/65/EU is not altered;
|
|
|
(c)
|
the conditions with which the investment firm must comply in order to be authorised in accordance with Article 5 of Directive 2014/65/EU, and to remain so, are not undermined;
|
|
|
(d)
|
none of the other conditions subject to which the firm's authorisation was granted is removed or modified.
|
|
2
|
Investment firms shall exercise due skill, care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions and shall take the necessary steps to ensure that the following conditions are satisfied:
|
|
|
(a)
|
the service provider has the ability, capacity, sufficient resources, appropriate organisational structure supporting the performance of the outsourced functions, and any authorisation required by law to perform the outsourced functions, reliably and professionally;
|
|
|
(b)
|
the service provider carries out the outsourced services effectively and in compliance with applicable law and regulatory requirements, and to this end the firm has established methods and procedures for assessing the standard of performance of the service provider and for reviewing on an ongoing basis the services provided by the service provider;
|
|
|
(c)
|
the service provider properly supervises the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
|
|
|
(d)
|
appropriate action is taken where it appears that the service provider may not be carrying out the functions effectively or in compliance with applicable laws and regulatory requirements;
|
|
|
(e)
|
the investment firm effectively supervises the outsourced functions or services and manage the risks associated with the outsourcing and to this end the firm retains the necessary expertise and resources to supervise the outsourced functions effectively and manage those risks;
|
|
|
(f)
|
the service provider has disclosed to the investment firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
|
|
|
(g)
|
the investment firm is able to terminate the arrangement for outsourcing where necessary, with immediate effect when this is in the interests of its clients, without detriment to the continuity and quality of its provision of services to clients;
|
|
|
(h)
|
the service provider cooperates with the competent authorities of the investment firm in connection with the outsourced functions;
|
|
|
(i)
|
the investment firm, its auditors and the relevant competent authorities have effective access to data related to the outsourced functions, as well as to the relevant business premises of the service provider, where necessary for the purpose of effective oversight in accordance with this article, and the competent authorities are able to exercise those rights of access;
|
|
|
(j)
|
the service provider protects any confidential information relating to the investment firm and its clients;
|
|
|
(k)
|
the investment firm and the service provider have established, implemented and maintained a contingency plan for disaster recovery and periodic testing of backup facilities, where that is necessary having regard to the function, service or activity that has been outsourced;
|
|
|
(l)
|
the investment firm has ensured that the continuity and quality of the outsourced functions or services are maintained also in the event of termination of the outsourcing either by transferring the outsourced functions or services to another third party or by performing them itself.
|
|
3
|
The respective rights and obligations of the investment firms and of the service provider shall be clearly allocated and set out in a written agreement. In particular, the investment firm shall keep its instruction and termination rights, its rights of information, and its right to inspections and access to books and premises. The agreement shall ensure that outsourcing by the service provider only takes place with the consent, in writing, of the investment firm.
|
|
4
|
Where the investment firm and the service provider are members of the same group, the investment firm may, for the purposes of complying with this Article and Article 32, take into account the extent to which the firm controls the service provider or has the ability to influence its actions.
|
|
5
|
Investment firms shall make available on request to the competent authority all information necessary to enable the authority to supervise the compliance of the performance of the outsourced functions with the requirements of Directive 2014/65/EU and its implementing measures.
|
|
EU
|
Article 32 - Service providers located in third countries
|
|
1
|
In addition to the requirements set out in Article 31, where an investment firm outsources functions related to the investment service of portfolio management provided to clients to a service provider located in a third country, that investment firm ensures that the following conditions are satisfied:
|
|
|
(a)
|
the service provider is authorised or registered in its home country to provide that service and is effectively supervised by a competent authority in that third country;
|
|
|
(b)
|
there is an appropriate cooperation agreement between the competent authority of the investment firm and the supervisory authority of the service provider.
|
|
2
|
The cooperation agreement referred to in point (b) of paragraph 1 shall ensure that the competent authorities of the investment firm are able, at least, to:
|
|
|
(a)
|
obtain on request the information necessary to carry out their supervisory tasks pursuant to Directive 2014/65/EU and Regulation (EU) No 600/2014;
|
|
|
(b)
|
obtain access to the documents relevant for the performance of their supervisory duties maintained in the third country;
|
|
|
(c)
|
receive information from the supervisory authority in the third country as soon as possible for the purpose of investigating apparent breaches of the requirements of Directive 2014/65/EU and its implementing measures and Regulation (EU) No 600/2014;
|
|
|
(d)
|
cooperate with regard to enforcement, in accordance with the national and international law applicable to the supervisory authority of the third country and the competent authorities in the Union in cases of breach of the requirements of Directive 2014/65/EU and its implementing measures and relevant national law.
|
|
3
|
Competent authorities shall publish on their website a list of the supervisory authorities in third countries with which they have a cooperation agreement referred to in point (b) of paragraph 1.
Competent authorities shall update cooperation agreements concluded before the date of entry into application of this Regulation within six months from that date.
|
|
EU
|
Article 72 - Retention of records
|
|
1
|
The records shall be retained in a medium that allows the storage of information in a way accessible for future reference by the competent authority, and in such a form and manner that the following conditions are met:
|
|
|
(a)
|
the competent authority is able to access them readily and to reconstitute each key stage of the processing of each transaction;
|
|
|
(b)
|
it is possible for any corrections or other amendments, and the contents of the records prior to such corrections or amendments, to be easily ascertained;
|
|
|
(c)
|
it is not possible for the records otherwise to be manipulated or altered;
|
|
|
(d)
|
it allows IT or any other efficient exploitation when the analysis of the data cannot be easily carried out due to the volume and the nature of the data; and
|
|
|
(e)
|
the firm’s arrangements comply with the record keeping requirements irrespective of the technology used.
|
|
2
|
Investment firms shall keep at least the records identified in Annex I to this Regulation depending upon the nature of their activities.
The list of records identified in Annex I to this Regulation is without prejudice to any other record-keeping obligations arising from other legislation.
|
|
3
|
Investment firms shall also keep records of any policies and procedures they are required to maintain pursuant to Directive 2014/65/EU, Regulation (EU) No 600/2014, Directive 2014/57/EU and Regulation (EU) No 596/2014 and their respective implementing measures in writing.
Competent authorities may require investment firms to keep additional records to the list identified in Annex I to this Regulation.
|
