As is well known, the European Union’s Markets in Financial Instruments Directive (“MiFID”) has been the subject of debate in the financial markets for an extended period. Based upon the present timetable, Investment firms carrying on business in Member States will be required to comply with the new MiFID provisions by November 2007.
MiFID forms a part of the EU’s Financial Services Action Plan, which seeks to create a single market for financial services. MiFID replaces the Investment Services Directive (“ISD”) which was adopted in 1993. MiFID follows the “passporting” structure adopted by both the ISD (in relation to investment firms) and the Consolidated Banking Directive (in relation to banks). In essence, an investment firm established and authorised in one Member State may provide services or establish branches in other Member States without further authorisation.
MiFID has a variety of consequences for investment firms. For example, investment advisory activities, commodity and credit derivatives and contracts for differences are brought within the scope of the “passporting” regime. Investment firms falling within the scope of the Directive will also be subject to regulatory capital requirements under the new Capital Requirements Directive. In broad terms, therefore, MiFID is designed both to update the ISD and to take further steps on the road to a single market in financial services.
The purpose of the present note, however, is to examine the consequences of MiFID for outsourcing operations, and to consider the current draft of the supporting measures which are relevant in this field.
Benefits and Consequences of Outsourcing
Outsourcing may be of benefit in a number of different business sectors and in a variety of different ways. A company may elect to outsource certain functions, either because it cannot perform those functions “in house” on a cost-effective basis or because the provider may be able to provide enhanced levels of service or economies of scale. In spite of its potential benefits, outsourcing offers certain challenges to the supervisor of regulated investment firms. In particular:
a) where a major function is performed outside the authorised entity, then the investment firm concerned may not have sufficient control over the performance of that function; and
b) supervision of the regulated entity may be affected by the fact that a separate service provider has become involved.
The FSA’s Handbook already contains detailed rules dealing with outsourcing and the management of the risks involved. However, MiFID will take matters a step further forward.
Outsourcing and Operational Risk
Article 13 of MiFID sets out certain core “organisational requirements” to be applied to investment firms. In particular, Article 13(5) states a general principle to the effect that:
“An investment firm shall ensure, when relying on a third party for the performance of operational functions which are critical for the provision of continuous and satisfactory service to clients and the performance of investment activities on a continuous and satisfactory basis, that it takes reasonable steps to avoid undue additional operational risks.”
Moving to a greater level of detail, the Article then provides that:
“Outsourcing of important operational functions may not be undertaken in such a way as to impair materially the quality of its internal control and the ability of the supervisor to monitor the firm’s compliance with all obligations.”
The Article then confirms the need for:
“...sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment and effective control and safeguard arrangements for information processing systems...”
The Draft “Level 2” Measures
On 6 February 2006, the European Commission published its draft “Level 2” measures, which are designed to provide some of the necessary technical support for the implementation of MiFID. In view of the emphasis placed on outsourcing by Article 13(5) of MiFID itself, it is unsurprising that the draft Level 2 measures deal with this aspect in some depth.
The subject is of some importance to companies involved in the provision of outsourcing services, not least because - in certain cases - more onerous requirements apply to providers established outside the EU. The key provisions are as follows:
As noted above, article 13(5) of MiFID applies to the outsourcing of “...operational functions which are critical for the provision of continuous and satisfactory service...” The Level 2 measures confirm that functions are “critical” if a defect or failure in those systems would materially impair the investment firm’s compliance with its authorisation conditions or the soundness or continuity of its investment services and activities.
A number of general conditions apply to outsourcing arrangements. In particular, whilst outsourcing involves the delegation of a function, the senior management of an investment firm cannot delegate its responsibility for the performance of that function. This statement reflects the existing UK policy, namely that regulatory responsibility rests with the investment firm and its senior management.
Investment firms must be required to exercise due skill and care when entering into, managing or terminating an outsourcing arrangement involving any of the “critical services” described above.
Apart from that relatively high-level requirement, investment firms must ensure that:
a) the service provider has the ability, resources and legal authorisation necessary to provide the services in a reliable and professional manner;
b) the service provider must carry out the outsourced services effectively and, for this purpose, the investment firm must establish procedures for monitoring the quality of service;
c) the service provider must properly supervise the conduct of the outsourced services and adequately manage the associated risks;
d) the investment firm must take appropriate action if the service provider is not carrying out the outsourced functions effectively and in compliance with applicable regulations;
e) the investment firm must itself retain the expertise required to supervise the outsourced functions;
f) the service provider must notify the investment firm of any development which may have an impact on its ability to provide the services;
g) the investment firm must have rights of termination where necessary;
h) the service provider must undertake to co-operate with the regulator of the investment firm;
i) the investment firm, its auditors and its regulator must have access to the premises and data held by the service provider;
j) the service provider must protect the confidentiality of client information; and
k) where appropriate, the parties must establish a disaster recovery plan
The Level 2 measures require that the respective functions of the investment firm and the service provider must be “clearly allocated” in a written agreement between them - usually described as a “service level agreement”. In view of the detailed requirements outlined in paragraph 4 above, it will be clear that the agreement must also provide for continuous monitoring and assessment of the outsourcing arrangements. Quite apart from commercial considerations, service providers will have to accept this state of affairs since it flows from authorisation requirements applicable to the client investment firm.
Service providers established outside the EU will need to take note of Article 15 of the Level 2 measures. Where an investment firm outsources portfolio management services to retail clients to a service provider located in such a country, the service provider must satisfy the following additional conditions:
a) it must be authorised in its home country to provide portfolio management services and it must be subject to prudential supervision in that country; and
b) there must be a co-operation agreement between the supervisor of the investment firm and the supervision of the service provider.
Where these conditions are not met, the investment firm must notify its own supervisor of the proposed arrangement, and may only proceed in the absence of objections from that quarter. Non-EU service providers in this position will find it difficult to maintain or grow market share.
The Way Forward
What will be the consequences of MiFID and the supporting legislation for service providers to the financial industry?
As noted earlier, it is true that the FSA’s Handbook already contains the regulator’s policy on outsourcing. That policy is directed towards the supervisory risks posed by outsourcing and thus, in broad terms, addresses the same issues as those dealt with in Article 13 of MiFID and the applicable Level 2 requirements. Nevertheless, the MiFID provisions are more detailed and, of course, they form a part of a new, EU legislative initiative. The new MiFID provisions will therefore apply to all regulated entities across the European Union; the subject will no longer be a purely domestic concern for individual regulators or institutions. The likely consequences therefore seem to be as follows:
a) service providers may expect their regulated clients to have a renewed focus on the content and performance of service level agreements;
b) on next renewal or re-negotiation, regulated firms will be seeking to bring those agreements into line with MiFID; and
c) in an effort to demonstrate compliance with Article 13, it is perhaps likely that regulated clients will be seeking more detailed reporting, co-operation, monitoring and similar procedures. Compliance with such arrangements will inevitably lead to additional burdens (and, hence, to additional costs) so far as service providers are concerned.