Keeping check

With a considerable extension to audit requirements outlined in MiFID II, Kevin Rose asks where firms’ priorities should be when assessing the effectiveness of their risk and audit functions.

The MiFID II delegated acts, which were announced on 25 April 2016, outline compliance, risk and organisational responsibilities for regulated firms.

The European Commission is essentially proposing good practice. More specifically, it has detailed requirements for effective boards and risk frameworks, which it expects companies to put in place.

Firms will have to monitor their exposure to risk and have a policy to detect any risk of the business failing. Their compliance teams must be given the ‘necessary authority’, resources, expertise and access to any relevant information.

In addition, compliance teams need to operate independently and their pay and bonuses should not compromise objectivity.

Ensuring such independence is not necessarily easy or straightforward.

Stuart Campbell, who heads up the MiFID II practice area at Protiviti, says that if the only measure of independence is whether employees are paid by the company they are policing, then it is unrealistic to expect any control functions to ever be truly independent or operate effectively.

He says: “Independence needs to be looked at much more widely and is more to do with ensuring objectivity and minimising or even preventing self-review.”

Andrew Glessing, head of compliance at Alpha FMC, explains that many firms look to operate a classic ‘three lines of defence’ model to ensure that their compliance function works independently of the business units.

He says: “The business will typically seek to observe firm-wide policies, follow detailed operating procedures and implement quality checking processes in order to meet the rules of the regulators.

“The role of compliance is then to ‘check the checker’ in the areas of highest risk. Audit is the third line of defence which checks the quality and independence of the compliance team’s work.”

Risky business

Independent non-executives at board level and on risk committees are central to ensuring this approach works well.

Glessing says it is vital that findings are not watered down and that remedial actions are undertaken where necessary.

Campbell, meanwhile, explains that the non-executive directors need to understand the activities of the firm, its products and services and risks and must be confident in asking questions until they receive the assurance they need.

“An effective board will have in its composition the appropriate spread of experience and knowledge and the gravitas to be respected and taken seriously by senior management,” he says.

“The heads of control functions such as legal, compliance, risk and internal audit have important roles to play in this regard so that there is effective supervision.”

Revised requirements

Every 12 months, compliance teams are required to produce a report to the management body on risks identified from customer complaints.

Similarly, a risk management team – which again will operate independently – will also produce a report to the management body which details any corrective actions.

In addition, on the risk management side, firms must have a way of quantifying the level of risk that they can withstand and draw up policies identifying key threats.

A key part of the MiFID II proposals concerns the area of internal audit. Firms should have an audit plan, which monitors systems and controls and there should be individuals responsible for internal audit who are separate and independent from other functions in the business.

Again, the internal audit team should issue recommendations in a report at least every year.

Paul Anderson, head of financial regulation (UK) at law firm Squire Patton Boggs, has experience of clients needing to evaluate their internal audit obligations under the Alternative Investment Fund Managers Directive (AIFMD).

He found there was a large element of ‘land grabbing’ going on by different departments.

“There was quite a lot of internal tension about who got what and I can see that happening under MiFID II as well,” he says.

“I saw it particularly with the compliance people who have had constantly increasing salaries for the past 10 years and then started to feel a bit threatened by the rise of internal audit. As a result we have seen some senior compliance people positioning themselves more as COOs.”

Rise of the bean counter

He believes the question of whether internal audit departments can truly be independent is one pushed by vested interests: “I think the people that are going to push the ‘independence agenda’ are the accountants,” he argues.

“There is a criticism to be levelled at quite a lot of EU legislation that it just creates more jobs for the accountants. You may well see accountants running around saying ‘you need us to help build your internal audit function and you need us to be appointed to do it because your internal people can’t have sufficient credibility and independence’.

“The level of recommendations that the internal auditors might make is going to depend on how you scope the engagement, and that’s another area which the accountants are good at – ‘scope creep’.”

David Haylor, director of Internal Audit Connections, which specialises in internal audit and risk recruitment, suggests that given the highly regulated nature of this area of industry, it is even more important that audit/risk teams fully understand the risks to an organisation of getting this wrong.

He advises that an organisation ensures it has an experienced audit and risk committee who are willing to both challenge and back the new teams.

“Ensure the new head of audit and risk has a strong reporting line to the non-executive chair of the audit and risk committee, and that this chair has a strong voice on the board,” he says.

“Without this it can be very hard to demonstrate independence of the function.”

He warns that one of the greatest mistakes made when establishing a new function is forgetting the cultural element, meaning the support from the business for a newly formalised culture of audit and risk.

“Any team with no support, or even hostility, from the business and receiving lip service support from the board will fail from day one,” he explains.

“You cannot just set up a function, you need to clearly communicate, on an ongoing basis, why this is necessary and of real value to the organisation. The ability to communicate this should be a key competency taken into account when hiring the new head of department.”

Haylor concedes that organisations with no prior audit/risk teams may feel uncomfortable with the costs involved; such teams aren’t income generative and it is often very hard to quantify success. However, he warns that the regulatory fines, reputational cost and share price impact will dramatically outweigh the cost of a quality audit and risk team when something does go wrong.

There are limitations to the EC recommendations.

Ralph Achkar, capital markets product director at Colt, explains that for some of the technical aspects, the MiFID II recommendations fall short of covering the full scope of implications and the implementation challenges.

As such, when implementing some of these technical solutions, firms are left with different interpretations of the regulation and uncertainty of the appropriate solution.

“For the non-technical aspects, the recommendations are in some cases rules-based and hence there could also be different behaviours that will fall outside these rules and would require further legislation going forward,” he says.

“Overall, the delays incurred to clarify rules are causing extra strain on firms building or looking for market solutions to the new requirements. These are solutions that require some time to consider and implement. Conversations between participants and their service providers to find efficient ways of complying also take time to put in place. The delay in bringing these rules into legislature means that the time for firms to comply is greatly reduced, putting unnecessary pressure on market participants.”

Stuart Campbell of Protiviti argues that while the way the ESMA guidance is interpreted and enforced by regulators and firms will vary, UK regulators have been fairly consistent for many years in their general approach to the independence of compliance and ensuring its objectivity.

He adds: “Based on discussions with my clients and contacts, it seems that the FCA is pushing some firms’ compliance functions to improve their objectivity by handing over certain tasks to business areas.

“The tasks include responsibility for handling complaints; managing training & competence records and assessments; undertaking quality control over suitability assessments.

“The argument being that it is not possible for compliance to objectively monitor these processes if it is itself involved in the process.

“Nevertheless it is not straightforward to have a complete separation. For instance, is compliance’s role in a significant business change project threatening its objectivity or adding to ensuring the effect of the change meets regulatory requirements?

“It is harder to opine say on difficult decisions concerning client on-boarding to meet AML and Sanction requirements or in meeting regulatory requirements and expectations in marketing material for new products.”