The need to demonstrate that you conduct rigorous risk assessments has never been more pressing. In June, ESMA published a series of high-level guidelines on how MiFID firms should structure their compliance functions. The first of these guidelines suggested that firms should conduct a full risk assessment of their regulatory compliance obligations and use it as the basis for their compliance monitoring and resourcing requirements.
In fact, these new ESMA guidelines build on similar guidance provided by ESMA in its MiFID compliance function requirements in 2012. But in the eight years between these two sets of guidelines a great deal has changed:
- The regulatory portfolio being managed by firms has generally widened significantly, and firms have worked through the implementation of EMIR, MAR, GDPR, SMCR and MiFID II (amongst others).
- Risk assessments have become central to the FCA's supervisory process – particularly for financial crime, CASS and market abuse, where discussions will begin with a request to see your assessment. This practice has started to percolate into the wider market, with exchanges and counterparties increasingly making similar requests.
- Many firms have not kept their compliance risk assessments fresh, or may not have a single, holistic compliance risk assessment. As a result, it is difficult for them to demonstrate that compliance monitoring and resourcing are truly risk-based.
Now that ESMA has reiterated the need for a comprehensive compliance risk assessment, this document is likely to rise in importance in interactions with the FCA. Firms should therefore act now to ensure they have a comprehensive, credible compliance risk assessment in place before the regulator asks for it.
What the regulator is looking for in a compliance risk assessment
A credible risk assessment should accurately characterise the firm's exposure to specific legislation and regulation, overlaid with the particular risks that arise from the firm's clients, products and operating model:
- Regulatory exposure
The permissions held by the business will determine to a large extent which regulations apply, providing an initial scope for the risk assessment.
- Clients
Servicing certain client groups will increase compliance risks for specific regulations, such as retail clients for MiFID services, vulnerable customers, or clients in high-risk jurisdictions for AML. Understanding your client portfolio will help to identify risk 'hot-spots'.
- Products
As with the assessment of clients, certain products will result in heightened compliance risk, such as complex derivative products for EMIR, contracts for difference for retail clients, and deposit facilities for AML.
- Operating model
The structure of your business will also contribute to your compliance risk portfolio: for example, the degree to which your MiFID business is part of a complex group structure, the extent to which you outsource your operations, and the extent to which you rely on manual processes.
Once all risks have been identified and characterised, the assessment should link directly to your compliance monitoring programme, with the most time and resources applied to the most important risks.
How Bovill can help
We have developed a proprietary methodology for identifying, classifying and documenting a firm's compliance risks, designed to be proportionate for small and medium-sized firms.
We also regularly work with clients to develop more granular risk assessments for market abuse and financial crime, as well as helping firms design and implement effective, proportionate compliance monitoring solutions.