There is no escape. The European Parliament voted to delay implementation of the MiFD II for a year, until January 2018. Two weeks later, the UK voted in its referendum to leave the EU. Neither, however, will free investment firms from its requirements.
Most obviously, the two-year negotiation period to determine the terms of the UK’s departure will begin only when the UK gives an official notification of its intention to withdraw. David Cameron says that is a task for the new Prime Minister. As a result, we will almost certainly still be an EU member at the start of 2018.
The FCA is advising against any complacency. On the morning following the Brexit vote, it issued a statement reaffirming that existing EU financial regulation would remain in force – and that firms should also “continue with implementation plans for legislation that is still to come into effect”.
There’s unlikely to be much benefit delaying preparations – and particularly when it comes to requirements regarding outsourcing.
Same old, same old
On the one hand, MiFID II could well drive uptake of outsourcing. Requirements for increased transaction reporting are likely to prove overwhelming for many smaller firms to handle in-house. In fact, reporting in general is likely to present a challenge. The requirement for portfolio managers to report depreciations of 10 per cent or more to investors, for instance, could quickly become burdensome, particularly in volatile markets. A number are likely to consider outsourcing client reporting to avoid being distracted from their core function.
On the other, the Directive makes it clear that regulatory expectations are high when important operational functions are put out to third parties. Firms must ensure arrangements do not “materially impair” the quality of internal controls or their ability to supervise and monitor compliance. If customer service or investment performance could suffer, the firm must take reasonable steps to avoid “undue additional operational risk.
In practice, the rules make it clear that firms can outsource the operational function but not their legal liability for it. As a result, outsourcers must be carefully chosen and closely monitored.
None of which is new for UK firms.
For a start, the outsourcing requirements under MiFID II are essentially the same as those under the original 2004 Markets in Financial Instruments Directive (MiFID) that’s already in force. Article 16(5) of new Directive, closely matches Article 13(5) of the original.
Perhaps more importantly, the UK regulator has already taken these obligations to heart. From the 2012 “Dear CEO” letter on outsourcing in asset management to its Thematic Review on the following year, the FCA has long been clear: firms need to take their responsibilities seriously. And it continues to be: Last November it published proposed guidance for firms outsourcing to the cloud. The requirements for outsourcing under SYSC 8 in the FCA handbook, meanwhile, strongly reflect MiFID and its implementing Directive.
And the pressure does not come just from the FCA. Last year, the Financial Reporting Council, which promotes good corporate governance, published its new standard for audit firms involved in reporting to the FCA on firms’ compliance with Client Asset (CASS) rules. This emphasises the importance of clarifying regulatory responsibilities when using third party services. Again, the result is increased pressure on firms to demonstrate strong governance around outsourced arrangements.
Given all this, then, firms could be forgiven for wondering what more MiFID II adds. Nevertheless, they would be wise not to ignore it.
While the FCA’s approach has pre-empted many of the requirements likely under the new regime, challenges remain.
First, the FCA has tended to focus much of its attention on potential risks for retail customers when it comes to ensuring outsourcing does not damage services or controls. By contrast, MiFID II applies equally to retail and professional or institutional clients. Similar standards are likely to be expected in all outsourced arrangements.
Second, the new Directive does introduce some genuinely new obligations. Notably, it includes a requirement that firms can terminate an outsourced arrangement “with immediate effect” (Article 31.2 g) where this is in the interests of its clients.
In practice, this is likely to be hugely challenging. On a plain reading, it would require a firm to take over running the procedures and processes undertaken by the outsourcer almost overnight. Yet most firms do not have the necessary level of involvement and knowledge of the operations and complexity of the functions they outsource.
But this really just reflects the key reason firms cannot afford to be complacent about MiFID II: they need to have that knowledge. Despite the FCA’s continued pressure, most firms still have some way to go in developing on-going monitoring and understanding of their outsourced suppliers. Heavy investments in due diligence at the outset of outsourcing arrangements are often not maintained. Too frequently, there is little understanding of outsourcers’ day-to-day activities or oversight of the way they operate. MiFID II will renew pressure to change this.
Firms need to start working with their suppliers now to address this. They cannot wait until 2017 or even 2018 – in part because the FCA is already putting pressure to move this way; and partly because developing effective oversight of the end-to-end processes undertaken by critical service suppliers is a big task. It takes real investments of time and resources. It is, however, exactly what will be required of all firms – sooner or later.
By David Moffat, Executive Director, Business and Product Development, IFDS.