Asset Management Regulatory Outlook 2018 Link’n Learn · a)Mifid/Priips outcome on IM and...

© 2018 Deloitte. All rights reserved Asset Management Regulatory Outlook 2018 Link’n Learn February 2018


Contacts

Arnaud Barosi – Director
Risk Advisory
Deloitte Luxembourg
Email: [email protected]
Tel: +352 621 283 642

Derina Bannon - Legal and Regulatory Manager
Investment Management
Deloitte Ireland
E: [email protected]
T: +353 1 417 2637

Gerard Lorent - Director
Strategy & Corporate Finance
Deloitte Luxembourg
E: [email protected]
T: +352 45145 4278

Gerard Lorent - Director
Tax & Consulting
Deloitte Luxembourg
E: [email protected]
T: +352 621 652 496


Contents

1. Brief Overview and Introduction of the Deloitte Regulatory Outlook Overview
2. Investment Management Overview Slide
3. Discussion on:
   a) Mifid/Priips outcome on IM and challenges for the PERE world
   b) GDPR
4. CSSF and ESMA’s Asset Management Priorities for 2018
5. AML IV impacts and PPR review
6. Central Bank of Ireland Asset Management Priorities for 2018
7. Conclusion


Introduction of the Deloitte Regulatory Outlook Overview

The defining cross-sector regulatory issues for 2018.

In the year ahead we see seven issues of strategic significance for all sectors of the European financial services industry in 2018:

1. Meeting multiple regulatory deadlines
2. Preparing for Brexit
3. Supervisory spotlight on business models
4. Data protection, innovation and good customer outcomes
5. Customer vulnerability – broadening the perspective
6. Cyber risk and resilience
7. Managing risks from internal models


Regulatory and supervisory constants

At the heart of supervision.

Core supervisory issues that will continue to form a crucial part of “business as usual” supervision.

• Governance and culture
• Conduct risk
• Data and reporting
• Disclosure
• Remuneration
• Risk appetite


Investment Management

The regulatory landscape will be defined in 2018 by:

1. Scrutiny of costs and charges
2. Increasing investor transparency
3. Systemic risk concerns
4. Fund stress testing and liquidity and leverage control requirements
5. New rules going live: MiFID II, PRIIPs, ESMA large scale assessment of the reporting costs and past performance of retail investment products.


Investment Management

Systemic risk concerns

• Residual risk concerns will continue to dominate the agenda
• There will be a need to develop strategic stress testing plans with a focus on monitoring and control requirements.
• In 2017 the FSB published policy recommendations to address structural vulnerabilities in asset management, and IOSCO is reviewing how national authorities have implemented the recommendations.
• Both ESMA and the ECB have also commented on the risks associated with the growing asset management sector.


Why take care

Context & main points of attention

• MIFID II firms, and IDD Firms (life, pension insurances) are subject to new distribution/selling requirements

• They concern “retail investors”

− Physical persons

− SMEs/corporate

• No financial products could be offered, proposed, or made available to retail investors without appropriate info

• No KID/PRIIPS no deal!


PERE end investor identification

Who are your investors?

Who are your end investors?

Are you certain that your investors are your true end investors?

Case of Private banking or life insurance:

• Your client might be a bank or a life insurer; however, if your product ends up in retail hands, they can no longer offer it without a KID

• A private individual with 100 million EUR is still a retail client for MIFID II

• It is not a legal obligation, it is a commercial obligation!


As of today many distributors are reviewing their portfolios:

At distribution / intermediary level

Issues

• MIFID II & IDD are excessively complex

• Risks of non-compliance are high

• Shedding non-compliant instruments

Solutions

• Distributors need:

- Cost and charges disclosures to meet their obligations

- Granularity and level of detail is very high – need to be supplied in aggregate and in detail

- A KID/PRIIPS document to hand over to clients/investors

Non compliance - Consequences

• Product ban across the EU
• Name and shame on authority web site
• Financial sanctions up to EUR 5M

Could this happen because of one of your intermediaries? The most difficult step is the first step, act now!


Market information post MIFID II

Product governance is well applied overall

• Several consequences:

• Need to abide by regulations, MIFID II is much more demanding, legal certainty and ease to meet it are key drivers (names are dropped from distribution)

• Need to be fully transparent with clients, with consequences for the entire industry

• Asset managers have to support distribution, as it is already painful to comply

• Distributors are now charging for advice, clients will want to see a return for this


PRIIPs affects Asset Managers differently depending on products and distribution model

Asset Manager AIFs

2018: PRIIP KID

Discretionary portfolio

2018: PRIIP KID

Unit linked insurance products

“ULIP”

now: UCITS KIID
2020: PRIIP KID

Data Transparency

Raw data
Pre-calculated data
EPT - CEPT

Direct impacts

Indirect impacts

What challenges for insurers?
- Pre-KID / contractual KID
- HNWI / retail investors
- Dedicated / external funds
- Generic KID + mini KIDs / Unique KID

What changes?
- data frequency
- SRI calculation
- performance scenarios
- RIY

Investor

Life Insurer

UCITS


Deloitte EMT services offering

European MiFID Template (EMT): 66 fields spread across 3 sections

Sections: Static Data, Target Markets, Costs and charges

Deloitte’s area of expertise

• General Financial Instrument information
• Target Markets - Investor type
• Target Markets - Knowledge and/or Experience
• Target Markets - Ability to bear losses
• Target Markets - Risk tolerance
• Target Markets - Client objectives & needs
• Costs & Charges ex ante
• Costs & Charges ex post
• Distribution strategy

Deloitte’s expertise offered through 6 services

• EMT data collection & assembly
• Target Markets determination
• Transaction costs compilation
• On-going charges compilation
• Performance fees estimation
• EMT dissemination


Actions to take

What to do

1│Assess 2│Execute 3│Follow-up

• Assess current situation, cost and charges:

- Identify them
- List them and track

• This leads to better information and management of costs

• Produce and regularly update your KID/PRIIPS

• Produce an EMT (MiFID)/EPT (PRIIPS) addressed to distributors and intermediaries

• Many traditional funds will be rejected, this might be an opportunity to open new asset classes to investors

• There are KIID/PRIIPS and C&S integrated factories


Moving forward AIFMD 2

Expected areas to be affected by the AIFMD 2

Further strengthening of the depositary function
- After Madoff case and Lehman Brothers’ bankruptcy revealed failings in asset safekeeping principles, depositary should flag these issues to the manager, fund boards, and if necessary the regulator
- Depositary should review fund activity daily in order to identify issues in a timely fashion

Harmonised Annex IV reporting
- Inconsistent approaches to Annex IV reporting for managers privately placing their products in EU filings need to be made uniform

Third country marketing passport
- Following Brexit, existing NPPR will continue for the foreseeable future and probably beyond the original 2018 phase out date

More convergent supervisory practices
- Harmonised supervision for AIFMs with delegation out of the EU
- Common definition of what constitutes marketing / pre-marketing under AIFMD

Alignment of the different cross-border practices
- Different regulatory regimes that contribute to managers’ costs and ultimately reduce choice for European investors are expected to be harmonised
- As a starting point, no local fees are expected to be levied by regulators

Reassessment of the methodology for calculation of the leverage
- Industry is of the opinion that current ESMA’s methodology can inflate leverage reporting and there are calls for an alternative risk-weighted exposure methodology to be permitted

As policymakers have to deal with Brexit and its implications, this supersedes progress on AIFMD II and the answer to two remaining questions

• Review of the overall AIFMD framework
- AIFMD originally included a requirement that it must be reviewed by the European Commission by 22 July 2017
- The Commission is now undertaking an evidence-based study to ascertain whether AIFMD’s initial objectives have been met, but also to qualify its impact on the alternative investments industry

• Extension of the AIFMD passport
- Brexit vote has prompted the EU to re-evaluate the concept of third-country equivalence
- EU wants to ensure that equivalence is not used as backdoor into the EU by the UK

Conclusion

As many factors contribute to the delay of the AIFMD 2 proposal, predominately Brexit and conflicting priorities on the EU level, it is likely that the status quo will continue for the foreseeable future


What is the GDPR?

The General Data Protection Regulation (GDPR)

1995
In 1995, the European Union released the European directive 95/46/CE relative to personal data protection. Unlike regulations, directives should be transposed into national law to be applicable.

2002
This directive was transposed into Luxembourgish law in 2002 by the Amended Act of 2 August 2002 concerning the protection of individuals with regard to the processing of personal data.

2016
On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union. The GDPR entered into force on 24 May 2016 and will replace the former 1995 EU Data Protection Directive and create a unified data protection law

2018
The General Data Protection Regulation will apply from 25 May 2018 directly across all 28 EU Member States after a two-year implementation period. Under the new Regulation, Data Protection Authorities (DPAs) have investigative, corrective, advisory and authorization powers. They are entitled to impose administrative fines ranging from 2 to 4% of the group's worldwide annual turnover of the preceding financial year or EUR 10 to 20 million, whichever is higher, for infringements of data subject rights, non-compliance with an order of the DPA or the obligations of the controller and processor.


What is personal data?

The General Data Protection Regulation (GDPR)

The vast majority of organisations deal with personal data.

“Any information relating to an identified or identifiable natural person or data subject identified by reference to specific characteristics”.

Relating
• Content
• Purpose
• Result

Identification
• Direct
• Indirect

Data subject
• Not dead
• Not unborn
• Not legal person

Reference
• Name
• ID number
• Location data
• Online identifier
• …


What is processing personal data?

The General Data Protection Regulation (GDPR)

Personal data lifecycle: Collection, Storage, Use, Transfer, Retention & Destruction

• Collection

• Recording

• Organisation

• Storage

• Consultation

• Retrieval

• Use

• Update

• Modification

• Combination

• Linking

• Alignment

• Disclosure by transmission

• Diffusion

• Destruction

• Erasure

• Blocking


What are the lawful grounds to process personal data?

The General Data Protection Regulation (GDPR)

Source : GDPR, Article 6 - Lawfulness of processing

“Processing shall be lawful only if and to the extent that at least one of the following applies:

• Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes

• Contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• Legal: Processing is necessary for compliance with a legal obligation to which the controller is subject;

• Vital: Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Usually the majority of processing activities have these lawful grounds


What are the roles in GDPR?

The General Data Protection Regulation (GDPR)

Controller and processor
Chapters: Controller and processor, transfers of personal data to third countries or international organisations
• Accountability
• Data protection framework
• Data protection by design / by default
• Data breach notification
• Data protection impact assessment
• International data transfers

Data subject
Chapters: Principles, Rights of the data subject
• Consent
• Data subject rights
• Profiling
• Right to be forgotten
• Data portability

Independent supervisory authority
Chapters: General provisions, Cooperation and consistency, Independent supervisory authority
• Broader territorial scope
• One stop shop
• Enforcement


Controller and processor

The General Data Protection Regulation (GDPR)

Data Protection Impact Assessment
Where a processing is likely to result in high risks to the rights and freedoms of natural persons, a DPIA is to be performed. Controllers should consult their supervisory authority where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.

International data transfers
BCRs as tools for data transfers outside the EU and EEA are now embedded in law. Approved codes of conduct and certifications could be relied on by entities not subject to the GDPR to provide adequate safeguards for transfers of personal data.

Data Protection by design/by default
Companies should implement appropriate technical and organizational measures to integrate the necessary safeguards into the processing of personal data. By default, only necessary personal data should be processed. This requires control over: data collection, extent of processing, retention period as well as access to personal data.

Data breach notification
Notify data breach to the data protection authority no later than 72h after becoming aware of it. Notify data breach to affected data subjects without undue delay when likely to result in a high risk for their right to data protection. Processors should report to respective customer-controllers.

Data Protection Framework/Documentation
Companies should document the measures implemented. All the measures required by the GDPR, when put together, will result in a data protection related framework: DP policy, DP by design and by default, impact assessments, data breach notifications, privacy notices, etc.

Requires Documentation

Accountability
New obligation for controllers and processors to be able to demonstrate and therefore to document their compliance with the GDPR. Companies will have to appoint a Data Protection Officer in specific situations (e.g. public authorities, large scale monitoring, special categories of data).


Data subject

The General Data Protection Regulation (GDPR)

Data subject rights

Existing rights are reinforced (access, rectification, deletion, objection to the processing). The GDPR introduces the rights to erasure, restriction of processing, data portability and the right not to be subject to data profiling.

Profiling

The GDPR strictly frames profiling activities and empowers data subjects with the right not to be subject to decisions based on profiling as well as the right to object to profiling and notably profiling for marketing purposes.

Consent

Consent is spelled out more clearly as it should be given through a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement. Ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance will be considered as satisfactory. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Requires Documentation


Independent supervisory authority

The General Data Protection Regulation (GDPR)

Enforcement

DPAs already have investigative, corrective, advisory and authorization powers. They will be entitled to impose administrative fines up to 4% of the group's worldwide annual turnover, or up to 20 million.

Broader territorial scope

The GDPR will not only apply to processing activities of data controllers and processors established in the EU or using equipment located in the EU, but also to those that are not established in the EU but whose activities target data subjects who are in the EU.

One stop shop

When having activities in more than 1 EU member state, the Data Protection Authority (DPA) of main establishment could act as lead DPA, supervising processing activities throughout the EU. This will ease the interaction for controllers and processors with lead DPA while other DPAs will still have a say in cross-border operations through consistency and cooperation procedures.


Funds industry

Actors impacted by the GDPR

Funds attract a wide range of investors, from corporates, large multinationals, banks, pensions, other funds to individuals. In addition, there is a large number of partners (e.g. service providers) involved in the life of a fund, depending on the organizational model (e.g. Management company, Transfer agent, Fund administration, etc.). When considering the impact of GDPR, each counterparty needs to assess its own obligations depending on its set up model.

The following slides will highlight a few examples of the activities that will be impacted by the General Data Protection Regulation.

• FUND
• Boards of directors of the fund
• Investors
• Depository bank
• Management Company
• Central administration
• Transfer Agent
• Fund administrator
• Investment manager & Risk Management
• Distributor (Incl. Marketing)


Regulatory On-Site Inspection

Main observations from 2016 CSSF activity report

On-site visit statistics

• 36 on-site visits specific to the Investment Fund Industry have been completed by the CSSF in 2016
• Management Companies representing more than 15% of the AuM in Luxembourg have been inspected
• 9 Management Companies with AuM above EUR 15b have been visited

[Chart: On-site control main areas – ManCo Governance; Risk Management; 02/77 CSSF Circular handling; Others (MIFID, AML/KYC…); Central Administration]

Main observations and weaknesses reported by CSSF

Delegate oversight – Still some areas for improvements in the monitoring of delegated activities

• Inadequate and imprecise documentation in the split between the activities retained by the Management Companies and the outsourced activities;
• Initial due diligences on delegates must be performed before the start of the business relationship. Those initial due diligences are not enough to document an assessment of the risk embedded with the delegation of an activity;
• Ongoing monitoring is often partly based on KPI reports prepared by the delegates. Documentation of the assessment of the reliability of these KPIs by the Management Companies is not sufficiently documented.

Risk Management

• Risk Management policy not fully compliant with local requirements: the measurement, the monitoring and management of risks are not detailed enough;
• Detailed risk information and limits not communicated regularly to governance, who do not have all the necessary information to take appropriate decisions;
• Risk Management policy and Risk Management Process must remain two distinct documents.

Demonstrate the local substance

• Management Companies must have the adequate technical and human resources to manage the activities it has to perform as well as the oversight of delegates (both quantity & quality);
• Management Companies must also have the adequate technical, IT and accounting facilities;
• All substance principles apply to control activities on outsourced services such as Compliance, Risk Management, Valuation or Internal Audit.

Other areas of weakness

• Controls on appropriateness of own funds with legal requirements;
• Delay and completeness in the prudential reporting to CSSF;
• Delay in the quarterly reporting to CSSF;
• Lack of accuracy in the data included in the AIFM reporting to CSSF.


Not legally binding but…

ESMA Opinion to support supervisory convergence in the area of investment management

On 13 July 2017, the European Securities and Markets Authority (ESMA) published an Opinion setting out sector-specific principles in the area of investment management, aimed at fostering consistency in authorization, supervision and enforcement related to the relocation of entities, activities and functions from the United Kingdom.

The intention of the Opinion is to ensure that the choice of a new location in the Brexit context is directed by actual business needs and to provide further clarification when it comes to prerogatives of home Member State NCA which shall retain the grip and control of critical operations of the relocating entities.

This should be achieved through compliance with general principles set out in the Opinion which could be divided into 3 topics of highest concern: authorization requirements, governance and delegation arrangements.

This document summarizes the crucial points of the ESMA Opinion which Deloitte considers most relevant to the IM industry, their possible impact on NCAs' practice going forward and the amount of additional compliance effort that it may require from actors established in Luxembourg.

The Opinion, although more particularly directed at Asset Managers considering relocating to the EU following Brexit, is likely to have impacts on all actors established in the EU.

As a result of this ESMA Opinion, NCAs may decide to reinforce existing requirements or create new obligations.

Note that this document is for information sharing purposes only and does not amount to advice or anticipation of CSSF possible developing practice as a result of the Opinion.


… more precise documentation and justification

The main areas of impact are fourfold

Substance

• ESMA proposes to align UCITS substance requirements to AIFM concept i.e. portfolio and risk management

• ESMA provides for minimum substance in the ManCo (3 FTEs) as well as some key criteria to apply to ensure substance is in line with size, nature, scale and complexity of the business

• ESMA reinforces the paramount role of local authorized management ensuring the ultimate decision-making is local

Delegation

• There must be documented objective reasons for delegation of any type of activity (incl. function such as IT, Legal, Finance, etc.): (i) detailed descriptions, (ii) explanations and (iii) evidence of the objective reasons provided

• Delegation to non-EU entities (directly or via chain of delegation) could make oversight and supervision of the delegated functions more difficult

• Delegation process and oversight are to be well documented and objectively reviewed (initial due diligence via RFP, on-going due diligence with a focus on on-site visits)

• Authorized entities should demonstrate to NCAs that they dedicate sufficient human and technical resources to the initial and on-going due diligence process, i.e. it is unlikely that a single person has sufficient knowledge, experience and time to monitor a broader range of complex functions

Governance

• ESMA outlines that sound governance and internal control mechanisms require clarity as to the allocation of responsibilities, documented policies and procedures, structures

• ESMA insists that NCAs assess and apply additional scrutiny to individuals with high numbers of (executive or non-executive) directorships

• ESMA highlights the importance of the senior management of the entity being available locally

Internal control functions

• ESMA is highlighting that compliance, internal audit and risk management functions must take an active part in strategic decisions

• ESMA is putting emphasis on the necessity for the internal control functions to ensure compliance does actually happen, including through an escalation process to the regulator as a last resort

• Internal control functions must carry out desk-based and on-site controls on an ongoing basis and are involved in the client acceptance and fund set-up processes (often organized in internal committees). These substantial activities usually necessitate a local presence


4th AML Directive: Transposition into Luxembourg law

European level: Directive (EU) 2015/849

• Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing

• This Directive is the 4th directive to address the threat of money laundering and has to be transposed into the respective national law of European Member States

• It includes various changes. One of them is the inclusion of tax crimes in the definition of criminal activities under the directive, in line with the revised FATF recommendations

International level: FATF 2012/2013 recommendations

• The FATF (Financial Action Task Force - GAFI) is an independent inter-governmental body that develops international standards on combating money laundering and the financing of terrorism and their proliferation

• The 2012/2013 FATF recommendations expanded the tax crimes related to direct taxes and indirect taxes as predicate/primary offence for money laundering without defining tax crimes

• Mutual evaluations are done to ensure that the FATF recommendations are in place

Luxembourg level: 2017 Luxembourg tax reform

• Transposition into Luxembourg law of the 2012/2013 FATF recommendations and the 4th EU AML Directive via the 2017 Tax Reform (Law of 23 December 2016 - Luxembourg official journal n°274) for the part in connection with tax crimes in the scope of AML

• Direct and indirect taxes (VAT, inheritance and registration duties) concerned

• Joint-Circular 17/650 of 17 February 2017 between the Cellule de Renseignement Financier (CRF) and the CSSF applicable as guidelines

1. Simple tax fraud (fraude fiscale simple): Not a tax crime. In existence before 2017. Same definition but new penalties’ amount

2. Aggravated tax fraud (fraude fiscale aggravée): New tax crime

3. Tax swindle (escroquerie fiscale): Tax swindle existed before 2017. Now it includes reimbursements and modification of the penalties’ amount


1) Increased emphasis on a risk-based approach

Obliged entities need to take appropriate steps to identify and assess the ML/TF risks taking into account risk factors including customers, countries or geographic areas, products, services, transactions or delivery channels. No KYC exemption cases, removal of white list

2) Changes in the application of Customer Due Diligence (“CDD”)

CDD is required for traders in high value goods when dealing in cash with a value over €10,000 (before: €15,000)

Specific risk assessments need to be conducted for each client in order to apply Simplified Due Diligence (“SDD”) (a non-exhaustive list of risk factors allowing for potentially lower risk situations is provided in Annex II of the Directive)

Enhanced Due Diligence (“EDD”) is applicable for companies in designated “high-risk” countries

Obliged entities need to take into account factors of potentially higher-risk situations (Annex III of the Directive) in the risk assessment of ML/TF

3) Modifications in the definition and treatment of Politically Exposed Persons (“PEP”s)

The definition of PEPs was expanded to also include domestic individuals occupying prominent public positions as well as senior figures within international organizations

The period of EDD for PEPs was extended to a duration of 18 months after a PEP leaves office

4) Extended scope of the Directive

Tax crimes are recognized as a predicate offence of ML/TF

Scope broadened to cover on-line gambling: the Directive now extends beyond "casinos" to cover the whole gambling sector

4th AML Directive

Primary modifications


5) Strengthened cooperation between national Financial Intelligence Units (“FIU”s)

The increased powers of FIUs with regard to reporting obligations and cooperation must be recognized by financial institutions

6) Expanded definition of Ultimate Beneficial Owners (“UBO”s) and introduction of UBO Registers

Obliged entities are required to obtain and hold adequate, accurate and current information of UBOs and to make such information available to third parties via public registers

Obliged entities are obliged to provide the full legal name, month and year of birth, nationality, country of residence as well as nature and extent of interests of UBOs (subject to a threshold of 25%)

7) Development and incorporation of specific provision on data protection

Group-wide policies and procedures need to be established in order to ensure data protection for UBOs

8) Increased Sanctions

The maximum pecuniary sanction was increased to at least €5 million or 10% of the total annual turnover in the case of a legal person. The maximum pecuniary sanction was increased to at least €5 million in the case of a natural person

4th AML Directive

Primary modifications (Continued)


Irish Regulatory Structure

• Central Bank of Ireland: Macro and Micro prudential regulation and conduct of business

• Data Protection Commissioner: Compliance with Data Protection requirements

• Financial Services Ombudsman: Consumer and SME Complaint Resolution

• Director of Corporate Enforcement: Compliance with the Companies Acts


CBI Strategic Plan 2016 – 2018

FINANCIAL STABILITY

CONSUMER PROTECTION

SUPERVISION AND ENFORCEMENT

REGULATORY POLICY DEVELOPMENT

PAYMENTS, STATEMENTS AND CURRENCY

ECONOMIC ADVICE AND STATISTICS

RECOVERY AND RESOLUTION

PRICE STABILITY

COMMUNICATION AND ACCOUNTABILITY

FULFILLING WORKPLACE FOR OUR PEOPLE

SAFEGUARDING STABILITY, PROTECTING CONSUMERS

STRATEGIC RESPONSIBILITIES

STRATEGIC ENABLERS

VISION

MISSION


Regulation in a Dynamic Environment

Central Bank of Ireland (“CBI”) Regulatory and Supervisory Priorities for 2018*

*“Regulation in a changing environment”. Speech by Gerry Cross, Director of Policy and Risk, October 2017

New Structure in the CBI

Since the 1st of September 2017 a new financial regulation structure has been in place in the CBI:

• Prudential Regulation is responsible for the credit institutions, insurance and asset management directorates.

• Financial Conduct has the responsibility for consumer protection, securities and markets supervision and enforcement.

• Policy and Risk covers both prudential and conduct issues and has a dual reporting line to the Deputy Governor Prudential Regulation and the Director General Financial Conduct

CP86

CP86 implementation will remain a key area of focus in 2018. The enhanced requirements, including the role of designated persons, the oversight of delegates, the organisational effectiveness role and directors' time commitments, will all remain areas of supervisory focus.

The role of the Independent Director is a key part of good governance. The CBI views the role of the Independent Director as having “indispensable responsibility for challenge and oversight, including oversight of the supervision of delegates”. An Independent Director must assume the organisational effectiveness role.

MiFID II

• The Investment Firms Regulations 2017 will be updated to bring them in line with MiFID II.

• The aim of the CBI is to develop a single handbook for each sector.

IT and Cyber Risk

• The CBI will continue to focus on this area. It has stated that IT and Cyber Risk go to the very heart of financial services. It is an area of rapid change. It must be given sufficient and effective attention by senior management.

• The CBI has published the Cross Industry Guidance on IT and Cybersecurity Risks and it sets out what the CBI’s expectations are in this area.

Investment Fund Fees

• Focus on transparency and disclosure

• The negative impact of fees and commissions will be a focus in 2018.

• Further scrutiny ahead including at European level.

Exchange Traded Funds

The CBI issued a discussion paper which closed at the end of 2017 and the CBI is seeking to understand the dynamic ETF environment and how these risks can be managed. The paper examines:

• Investor expectation and the functioning of the ETF in times of stress is a key focus for the CBI.

• The role of the approved participants is to be closely examined.

• Disclosure of portfolios publicly is also to be examined.

• Liquidity, collateral risk, counterparty risk, inclusion in indices.

• Types of ETFs and their impact on the market.

• The fact the ETF share price can trade at a discount to the NAV.

Money Market Reform

• Money Market Regulation entered into force and will strengthen rules in relation to MMFs generally and CNAV MMFs in particular. The Regulation will require a lot of preparedness by the industry and the CBI. Level 2 measures are nearing finalisation.


Regulation in a Dynamic Environment

Brexit

• BREXIT preparedness: The CBI expects firms to have well-developed contingency plans in place for a hard BREXIT with a focus on their customers and clients. The CBI is aware of the scale of businesses coming to Ireland and the complexity of these businesses. It must authorise and then supervise these new businesses; it is a new environment for the CBI.

CBI supports ESMA and EIOPA guidance and opinions in relation to BREXIT. The CBI welcomes the development of ESMA’s “Supervisory Coordination Network”.

CBI supports the importance of fostering consistency in the authorisation and supervision of entities across Europe. All the regulators across Europe authorising activities and functions relocating from the UK must focus on achieving regulatory convergence.

The CBI has publicly stated that it is of the view that it is operating in line with ESMA’s three recent sector opinions. This review by the CBI is ongoing. The CBI does not want to see a “race to the bottom” by regulators.

CBI has stated that there is “considerable merit”* in the ECB being given responsibility for the supervision of large investment banks (broker dealers) given the potential impact on the financial system of their failure.

Outsourcing

• The CBI will continue to focus on the very important issue of outsourcing. It has been an area of focus across all sectors and it will be high on the CBI’s agenda in 2018. The CBI will build on its thematic review of outsourcing in the fund administration sector and the Dear CEO that was issued.

• Outsourcing continues to grow and the complexity of arrangements gives rise to challenges in supervision.

• The CBI will survey firms across a range of sectors to gain further insight to the current and future pattern of outsourcing including third party and group arrangements. The CBI Survey is a fact finding mission.

• The CBI Survey will focus on services and operations outsourced, the issue of materiality and concentration of outsourced arrangements, contractual arrangements in place, all contingency plans and the extent of oversight and assurance reviews. It will focus on PRISM High, Medium-High, and Medium-Low Impact Regulated Firms.

DATA QUALITY


2018 Supervision Priorities*

High Quality Risk Based Assertive Supervision

Asset Management (“AM”) Supervision Directorate

*Speech delivered to A&L Goodbody Seminar by Michael Hodson, Director of Asset Management Supervision, on the 26th of October 2017.

• AM Supervision Directorate

Supervision and Authorisation of a wide variety of firms in the Asset Management sector.

*371 Firms supervised in the MiFID investment services and fund service space.

*MiFID firms have approximately €433 billion assets under management and over 140,000 clients.

• Full Risk Assessment and Thematic Inspections

Focus on MiFID firms and Fund Service Providers.

IT and Operational risk Inspections

CBI will challenge firms on their MiFID II implementation and ensure that key objectives of the legislation are met including enhanced consumer protection outcomes and increased transparency in the market place.

CP86

Managerial functions, organisational effectiveness and retrievability of records.

Focus on 1 July 2018 implementation deadline.

• Brexit

CBI will challenge firms on their preparedness for Brexit.

Expectation that firms have contingency plans in place.

Central theme is authorisation of new entities AND that they can be supervised.

CBI will not engage in a regulatory race to the bottom by authorising “shell” firms.

Industry Letter issued Q4 2017.

Client Assets and Investor Money

Feedback from 2017 consultation and revised regulations will be published in 2018.

Engagement with fund service providers and onsite inspections.

Outsourcing

The CBI will continue to focus on the very important issue of outsourcing. It has been an area of focus across all sectors and it will be high on the CBI’s agenda next year. It will build on the thematic review of outsourcing in the fund administration sector and the Dear CEO that was issued.

Outsourcing and the assessment of risks will remain an area of focus across the different sectors in 2018. CBI notes that other regulators (Australian, Canadian and UK) have all published standards and guidance on outsourcing.

Examination of FinTech as a disruptive force in outsourcing.


Culture

Assessing culture risk is a priority for the CBI in 2018*

Central Bank of Ireland 2018

Culture powers the behavior of all individuals in an Asset Management firm

Good culture should be led by management (tone from the top)

A detailed set of values is the guideline on how behavior will achieve the firm’s vision

Culture seeps across operational, market and conduct risks

2018: CBI will challenge firms on the appropriateness of their culture and the behaviours that the firm’s culture is supporting and promoting

*Speech delivered to A&L Goodbody Seminar by Michael Hodson, Director of Asset Management Supervision, on the 26th of October 2017


2018 other CBI considerations


Thanks for attending

Do you have questions?

Recording of this presentation and many more on our YouTube channel:

https://www.youtube.com/user/DeloitteLuxembourg


Deloitte is a multidisciplinary service organization which is subject to certain regulatory and professional restrictions on the types of services we can provide to our clients, particularly where an audit relationship exists, as independence issues and other conflicts of interest may arise. Any services we commit to deliver to you will comply fully with applicable restrictions.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

About Deloitte Touche Tohmatsu Limited:

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 225,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.