MiFID II Handbook | Page 40

AUDIT & RISK MANAGEMENT

INDEPENDENCE NEEDS TO BE LOOKED AT MUCH MORE WIDELY AND IS MORE TO DO WITH ENSURING OBJECTIVITY AND MINIMISING OR EVEN PREVENTING SELF-REVIEW.
STUART CAMPBELL, ASSOCIATE DIRECTOR, PROTIVITI
Firms will have to monitor their exposure to risk and have a policy to detect any risk of the business failing. Their compliance teams must be given the ‘necessary authority’, resources, expertise and access to any relevant information.
In addition, compliance teams need to operate independently and their pay and bonuses should not compromise objectivity.
Ensuring such independence is not necessarily easy or straightforward.
Stuart Campbell, who heads up the MiFID II practice area at Protiviti, says that if the only measure of independence is whether employees are paid by the company they are policing, then it is unrealistic to expect any control functions to ever be truly independent or operate effectively.
He says: “Independence needs to be looked at much more widely and is more to do with ensuring objectivity and minimising or even preventing self-review.”
Andrew Glessing, head of compliance at Alpha FMC, explains that many firms look to operate a classic ‘three lines of defence’ model to ensure that their compliance function works independently of the business units.
He says: “The business will typically seek to observe firm-wide policies, follow detailed operating procedures and implement quality checking processes in order to meet the rules of the regulators.
“The role of compliance is then to ‘check the checker’ in the areas of highest risk. Audit is the third line of defence which checks the quality and independence of the compliance team’s work.”
RISKY BUSINESS

Independent non-executives at board level and on risk committees are central to ensuring this approach works well.
Glessing says it is vital that findings are not watered down and that remedial actions are undertaken where necessary. Campbell, meanwhile, explains that the non-executive directors need to understand the activities of the firm, its products, services and risks, and must be confident in asking questions until they receive the assurance they need.
“An effective board will have in its composition the appropriate spread of experience and knowledge and the gravitas to be respected and taken seriously by senior management,” he says.
“The heads of control functions such as legal, compliance, risk and internal audit have important roles to play in this regard so that there is effective supervision.”
REVISED REQUIREMENTS

Every 12 months, compliance teams are required to produce a report to the management body on risks identified from customer complaints.
Similarly, a risk management team – which again will operate independently – will also produce a report to the management body which details any corrective actions.
In addition, on the risk management side, firms must have a way of quantifying the level of risk that they can withstand and draw up policies identifying key threats.
A key part of the MiFID II proposals concerns the area of internal audit. Firms should have an audit plan, which monitors systems and controls, and there should be individuals responsible for internal audit who are separate and independent from other functions in the business.
Again, the internal audit team should issue recommendations in a report at least every year.
Paul Anderson, head of financial regulation (UK) at law
40 | THE TRADE MiFID II HANDBOOK www.thetradenews.com