Compliance and Internal Audit

1

Application and Definitions

1.1

Unless otherwise stated, this Part applies to a CRR firm

  (1) with respect to the carrying on of the following from an establishment in the UK:
    (a) regulated activities;
    (b) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of Regulated Activities Order;
    (c) ancillary activities;
    (d) in relation to MiFID business, ancillary services; and
    (e) unregulated activities in a prudential context; and
  (2) with respect to the carrying on of passported activities by it from a branch in another EEA state;
  (3) in a prudential context with respect to activities wherever they are carried on; and
  (4) taking into account any activity of other members of a group of which the firm is a member.

1.2

In this Part, the following definitions shall apply:

competent authority

means the authority, designated by each EEA State in accordance with Article 48 of MiFID, unless otherwise specified in MiFID.

[Note: Art. 4(1)(22) of MiFID]

host Member State

has the meaning given in Article 4(1)(21) of MiFID.

[Note: Art. 2(6) of the MiFID implementing Directive]

2

Compliance

2.1

A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.

[Note: Art. 13(2) of MiFID]

2.2

A firm must, taking into account the nature, scale and complexity of its business, and the nature and range of financial services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the PRA to exercise its powers effectively under the regulatory system and to enable any other competent authority to exercise its powers effectively under MiFID.

[Note: Art. 6(1) of the MiFID implementing Directive]

2.3

A firm must maintain a permanent and effective compliance function which operates independently and which has the following responsibilities:

  (1) to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with 2.2 and the actions taken to address any deficiencies in the firm's compliance with its obligations; and
  (2) to advise and assist the relevant persons responsible for carrying out regulated activities to comply with the firm's obligations under the regulatory system.

[Note: Art. 6(2) of the MiFID implementing Directive]

2.4

In order to enable the compliance function to discharge its responsibilities properly and independently, a firm must ensure that the following conditions are satisfied:

  (1) the compliance function must have the necessary authority, resources, expertise and access to all relevant information;
  (2) a compliance officer must be appointed and must be responsible for the compliance function and for any reporting as to compliance required by General Organisation Requirements 4.2;
  (3) the relevant persons involved in the compliance functions must not be involved in the performance of services or activities they monitor;
  (4) the method of determining the remuneration of the relevant persons involved in the compliance function must not compromise their objectivity and must not be likely to do so.

[Note: Art. 6(3) first paragraph of the MiFID implementing Directive]

2.5

A firm need not comply with 2.4(3) or (4) if it is able to demonstrate that in view of the nature, scale and complexity of its business, and the nature and range of financial services and activities, the requirements under those rules are not proportionate and that its compliance function continues to be effective.

[Note: Art. 6(3) second paragraph of the MiFID implementing Directive]

2.6

  (1) This rule applies to a firm conducting investment services and activities from a branch in another EEA State.
  (2) References to the regulatory system in 2.1, 2.2 and 2.3 apply in respect of a firm’s branch as if regulatory system includes a host Member State's requirements under MiFID and the MiFID implementing Directive which are applicable to the investment services and activities conducted from the firm’s branch.

[Note: Art. 13(2) of MiFID]

3

Internal Audit

3.1

A firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities, undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities:

  (1) to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm's systems, internal control mechanisms and arrangements;
  (2) to issue recommendations based on the result of work carried out in accordance with (1);
  (3) to verify compliance with those recommendations; and
  (4) to report in relation to internal audit matters in accordance with General Organisation Requirements 4.2.

[Note: Art. 8 of the MiFID implementing Directive]