© 2018 Deloitte. All rights reserved
Asset Management Regulatory Outlook 2018
Link’n Learn
February 2018
Arnaud Barosi – Director
Risk Advisory
Deloitte Luxembourg
Email: [email protected]: +352 621 283 642
Derina Bannon - Legal and Regulatory Manager
Investment Management
Deloitte Ireland
T: +353 1 417 2637
Gerard Lorent - Director
Strategy & Corporate Finance
Deloitte Luxembourg
T: +352 45145 4278
Gerard Lorent - Director
Tax & Consulting
Deloitte Luxembourg
T: +352 621 652 496
Contacts
Contents
1. Brief Overview and Introduction of the Deloitte Regulatory Outlook Overview
2. Investment Management Overview Slide
3. Discussion on:
a) Mifid/Priips outcome on IM and challenges for the PERE world
b) GDPR
4. CSSF and ESMA’s Asset Management Priorities for 2018
5. AML IV impacts and PPR review
6. Central Bank of Ireland Asset Management Priorities for 2018
7. Conclusion
Introduction of the Deloitte Regulatory Outlook Overview
The defining cross-sector regulatory issues for 2018.
In the year ahead we see seven issues of strategic significance for all sectors of the European financial services industry in 2018:
1. Meeting multiple regulatory deadlines
2. Preparing for Brexit
3. Supervisory spotlight on business models
4. Data protection, innovation and good customer outcomes
5. Customer vulnerability – broadening the perspective
6. Cyber risk and resilience
7. Managing risks from internal models
Regulatory and supervisory constants
At the heart of supervision.
Core supervisory issues that will continue to form a crucial part of “business as usual” supervision.
• Governance and culture
• Conduct risk
• Data and reporting
• Disclosure
• Remuneration
• Risk appetite
Investment Management
The regulatory landscape will be defined in 2018 by:
1. Scrutiny of costs and charges
2. Increasing investor transparency
3. Systemic risk concerns
4. Fund stress testing and liquidity and leverage control requirements
5. New rules going live: MiFID II, PRIIPs, ESMA large scale assessment of the reporting costs and past performance of retail investment products.
Investment Management
Systemic risk concerns
• Residual risk concerns will continue to dominate the agenda
• There will be a need to develop strategic stress testing plans with a focus on monitoring and control requirements.
• In 2017 the FSB published policy recommendations to address structural vulnerabilities in asset management, and IOSCO is reviewing how national authorities have implemented the recommendations.
• Both ESMA and the ECB have also commented on the risks associated with the growing asset management sector.
Why take care
Context & main points of attention
• MIFID II firms, and IDD Firms (life, pension insurances) are subject to new distribution/selling requirements
• They concern “retail investors”
− Physical persons
− SMEs/corporate
• No financial products could be offered, proposed, or made available to retail investors without appropriate info
• No KID/PRIIPS no deal!
PERE end investor identification
Who are your investors?
Who are your end investors?
Are you certain that your investors are your true end investors?
Case of Private banking or life insurance:
• Your client might be a bank or life insurance, however if it ends up in retail hands, they can no longer offer your product without KID
• A private individual with 100 million EUR is still a retail client for MIFID II
• It is not a legal obligation, it is a commercial obligation!
As of today many distributors are reviewing their portfolios:
At distribution / intermediary level
Issues
• MIFID II & IDD are excessively complex
• Risks not to comply are high
• Shedding non-compliant instruments
Solutions
• Distributors need:
- Cost and charges disclosures to meet their obligations
- Granularity and level of details is very high – need to be supplied in aggregate and in details
- A KID/PRIIPS document to hand over to clients/investors
Non compliance - Consequences
• Product ban across the EU
• Name and shame on authority web site
• Financial sanctions up to EUR 5M
Could this happen because of one of your intermediaries? The most difficult step is the first step, act now!
Market information post MIFID II
Product governance is well applied overall
• Several consequences:
• Need to abide by regulations, MIFID II is much more demanding, legal certainty and ease to meet it are key drivers (names are dropped from distribution)
• Need to be fully transparent with clients, with consequences for the entire industry
• Asset managers have to support distribution, as it is already painful to comply
• Distributors are now charging for advice, clients will want to see a return for this
PRIIPs affects Asset Managers differently depending on products and distribution model
Asset Manager AIFs
2018: PRIIP KID
Discretionary portfolio
2018: PRIIP KID
Unit linked insurance products
“ULIP”
now: UCITS KIID
2020: PRIIP KID
Data Transparency
Raw data
Pre-calculated data
EPT - CEPT
Direct impacts
Indirect impacts
What challenges for insurers?
- Pre-KID / contractual KID
- HNWI / retail investors
- Dedicated / external funds
- Generic KID + mini KIDs / Unique KID
What changes?
- data frequency
- SRI calculation
- performance scenarios
- RIY
Investor
Life Insurer
UCITS
European MiFID Template (EMT): 66 fields spread across 3 sections
Deloitte EMT services offering
Sections: Static Data; Target Markets; Costs and charges
Fields:
• General Financial Instrument information
• Target Markets - Investor type
• Target Markets - Knowledge and/or Experience
• Target Markets - Ability to bear losses
• Target Markets - Risk tolerance
• Target Markets - Client objectives & needs
• Costs & Charges ex ante
• Costs & Charges ex post
• Distribution strategy
Deloitte’s area of expertise
Deloitte’s expertise offered through 6 services:
• EMT data collection & assembly
• Target Markets determination
• Transaction costs compilation
• On-going charges compilation
• Performance fees estimation
• EMT dissemination
Actions to take
What to do
1│Assess 2│Execute 3│Follow-up
• Assess current situation, cost and charges:
- Identify them
- List them and track
• This leads to better information and management of costs
• Produce and regularly update your KID/PRIIPS
• Produce an EMT (MiFID)/EPT (PRIIPS) addressed to distributors and intermediaries
• Many traditional funds will be rejected, this might be an opportunity to open new asset classes to investors
• There are KIID/PRIIPS and C&S integrated factories
Moving forward AIFMD 2
Further strengthening of the depositary function
Harmonised Annex IV reporting
Third country marketing passport
More convergent supervisory practices
Alignment of the different cross-border practices
- After Madoff case and Lehman Brothers’ bankruptcy revealed failings in asset safekeeping principles, depositary should flag these issues to the manager, fund boards, and if necessary the regulator
- Depositary should review fund activity daily in order to identify issues in a timely fashion
- Following Brexit, existing NPPR will continue for the foreseeable future and probably beyond the original 2018 phase out date
- Different regulatory regimes that contribute to managers’ costs and ultimately reduce choice for European investors are expected to be harmonised
- As a starting point, no local fees are expected to be levied by regulators
Reassessment of the methodology for calculation of the leverage
- Industry is of the opinion that current ESMA’s methodology can inflate leverage reporting and there are calls for an alternative risk-weighted exposure methodology to be permitted
- Inconsistent approaches to Annex IV reporting for managers privately placing their products in EU filings need to be made uniform
Expected areas to be affected by the AIFMD 2
- Harmonised supervision for AIFMs with delegation out of the EU
- Common definition of what constitutes marketing / pre-marketing under AIFMD
As many factors contribute to the delay of the AIFMD 2 proposal, predominately Brexit and conflicting priorities on the EU level, it is likely that the status quo will continue for the foreseeable future
Conclusion
• Review of the overall AIFMD framework
- AIFMD originally included a requirement that it must be reviewed by the European Commission by 22 July 2017
- The Commission is now undertaking an evidence-based study to ascertain whether AIFMD’s initial objectives have been met, but also to qualify its impact on the alternative investments industry
• Extension of the AIFMD passport
- Brexit vote has prompted the EU to re-evaluate the concept of third-country equivalence
- EU wants to ensure that equivalence is not used as a backdoor into the EU by the UK
As policymakers have to deal with Brexit and its implications, this supersedes progress on AIFMD II and the answer to two remaining questions
What is the GDPR?
The General Data Protection Regulation (GDPR)
1995
In 1995, the European Union released the European directive 95/46/CE relative to personal data protection. Unlike regulations, directives should be transposed into national law to be applicable.
2002
This directive was transposed into Luxembourgish law in 2002 by the Amended Act of 2 August 2002 concerning the protection of individuals with regard to the processing of personal data.
2016
On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union. The GDPR entered into force on 24 May 2016 and will replace the former 1995 EU Data Protection Directive and create a unified data protection law.
2018
The General Data Protection Regulation will apply from 25 May 2018 directly across all 28 EU Member States after a two-year implementation period. Under the new Regulation, Data Protection Authorities (DPAs) have investigative, corrective, advisory and authorization powers. They are entitled to impose administrative fines ranging from 2 to 4% of the group's worldwide annual turnover of the preceding financial year or EUR 10 to 20 million, whichever is higher, for infringements of data subject rights, non-compliance with an order of the DPA or the obligations of the controller and processor.
What is personal data?
The General Data Protection Regulation (GDPR)
The vast majority of organisations deal with personal data.
“Any information relating to an identified or identifiable natural person or data subject identified by reference to specific characteristics”.
Relating
• Content
• Purpose
• Result
Identification
• Direct
• Indirect
Data subject
• Not dead
• Not unborn
• Not legal person
Reference
• Name
• ID number
• Location data
• Online identifier
• …
What is processing personal data?
The General Data Protection Regulation (GDPR)
Collection Storage Use Transfer Retention & Destruction
Personal data lifecycle
• Collection
• Recording
• Organisation
• Storage
• Consultation
• Retrieval
• Use
• Update
• Modification
• Combination
• Linking
• Alignment
• Disclosure by transmission
• Diffusion
• Destruction
• Erasure
• Blocking
What are the lawful grounds to process personal data?
The General Data Protection Regulation (GDPR)
Source : GDPR, Article 6 - Lawfulness of processing
“Processing shall be lawful only if and to the extent that at least one of the following applies:
Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes
Contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Legal: Processing is necessary for compliance with a legal obligation to which the controller is subject;
Vital: Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Usually the majority of processing activities have these lawful grounds
What are the roles in GDPR?
The General Data Protection Regulation (GDPR)
Controller and processor
Chapters: Controller and processor, transfers of personal data to third countries or international organisations
• Accountability
• Data protection framework
• Data protection by design / by default
• Data breach notification
• Data protection impact assessment
• International data transfers
Data subject
Chapters: Principles, Rights of the data subject
• Consent
• Data subject rights
• Profiling
• Right to be forgotten
• Data portability
Independent supervisory authority
Chapters: General provisions, Cooperation and consistency, Independent supervisory authority
• Broader territorial scope
• One stop shop
• Enforcement
Controller and processor
The General Data Protection Regulation (GDPR)
Data Protection Impact Assessment
Where a processing is likely to result in high risks to the rights and freedoms of natural persons, a DPIA is to be performed. Controllers should consult their supervisory authority where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.
International data transfers
BCRs as tools for data transfers outside the EU and EEA are now embedded in law. Approved codes of conduct and certifications could be relied on by entities not subject to the GDPR to provide adequate safeguards for transfers of personal data.
Data Protection by design/by default
Companies should implement appropriate technical and organizational measures to integrate the necessary safeguards into the processing of personal data. By default, only necessary personal data should be processed. This requires control over: data collection, extent of processing, retention period as well as access to personal data.
Data breach notification
Notify data breach to the data protection authority no later than 72h after becoming aware of it. Notify data breach to affected data subjects without undue delay when likely to result in a high risk for their right to data protection. Processors should report to respective customer-controllers.
Data Protection Framework/Documentation
Companies should document the measures implemented. All the measures required by the GDPR, when put together, will result in a data protection related framework: DP policy, DP by design and by default, impact assessments, data breach notifications, privacy notices, etc.
Requires Documentation
Accountability
New obligation for controllers and processors to be able to demonstrate and therefore to document their compliance with the GDPR. Companies will have to appoint a Data Protection Officer in specific situations (e.g. public authorities, large scale monitoring, special categories of data).
Data subject
The General Data Protection Regulation (GDPR)
Data subject rights
Existing rights are reinforced (access, rectification, deletion, objection to the processing). The GDPR introduces the rights to erasure, restriction of processing, data portability and the right not to be subject to data profiling.
Profiling
The GDPR strictly frames profiling activities and empowers data subjects with the right not to be subject to decisions based on profiling as well as the right to object to profiling and notably profiling for marketing purposes.
Consent
Consent is spelled out more clearly as it should be given through a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement. Ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance will be considered as satisfactory. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Requires Documentation
Independent supervisory authority
The General Data Protection Regulation (GDPR)
Enforcement
DPAs already have investigative, corrective, advisory and authorization powers. They will be entitled to impose administrative fines up to 4% of the group's worldwide annual turnover, or up to EUR 20 million.
Broader territorial scope
The GDPR will not only apply to processing activities of data controllers and processors established in the EU or using equipment located in the EU, but also to those that are not established in the EU but whose activities target data subjects who are in the EU.
One stop shop
When having activities in more than 1 EU member state, the Data Protection Authority (DPA) of main establishment could act as lead DPA, supervising processing activities throughout the EU. This will ease the interaction for controllers and processors with lead DPA while other DPAs will still have a say in cross-border operations through consistency and cooperation procedures.
Funds industry
Actors impacted by the GDPR
Funds attract a wide range of investors, from corporates, large multinationals, banks, pensions, other funds to individuals. In addition, there is a large number of partners (e.g. service providers) involved in the life of a fund, depending on the organizational model (e.g Management company, Transfer agent, Fund administration, etc.). When considering the impact of GDPR, each counterparty needs to assess its own obligations depending on its set up model.
The following slides will highlight a few examples of the activities that will be impacted by the general data protection regulation.
Actors around the FUND:
• Depository bank
• Boards of directors of the fund
• Investors
• Transfer Agent
• Fund administrator
• Central administration
• Management Company
• Investment manager & Risk Management
• Distributor (Incl. Marketing)
Regulatory On-Site Inspection
Main observations from 2016 CSSF activity report
On-site visit statistics
36 on-site visits specific to the Investment Fund Industry have been completed by the CSSF in 2016
Management Companies representing more than 15% of the AuM in Luxembourg have been inspected
9 Management Companies with AuM above EUR 15b have been visited
On-site control main areas (chart categories): ManCo Governance; Risk Management; 02/77 CSSF Circular handling; Others (MIFID, AML/KYC…); Central Administration
Main observations and weaknesses reported by CSSF
Delegate oversight – Still some areas for improvements in the monitoring of delegated activities
• Inadequate and imprecise documentation in the split between the activities retained by the Management Companies and the outsourced activities;
• Initial due diligences on delegates must be performed before the start of the business relationship. Those initial due diligences are not enough to document an assessment of the risk embedded with the delegation of an activity;
• Ongoing monitoring is often partly based on KPI reports prepared by the delegates. The Management Companies' assessment of the reliability of these KPIs is not sufficiently documented.
Risk Management
• Risk Management policy not fully compliant with local requirements: the measurement, the monitoring and management of risks are not detailed enough;
• Detailed risk information and limits not communicated regularly to governance, who do not have all the necessary information to take appropriate decisions;
• Risk Management policy and Risk Management Process must remain two distinct documents.
Demonstrate the local substance
• Management Companies must have the adequate technical and human resources to manage the activities they have to perform as well as the oversight of delegates (both quantity & quality);
• Management Companies must also have the adequate technical, IT and accounting facilities;
• All substance principles apply to control activities on outsourced services such as Compliance, Risk Management, Valuation or Internal Audit.
Other areas of weakness
• Controls on appropriateness of own funds with legal requirements;
• Delay and completeness in the prudential reporting to CSSF;
• Delay in the quarterly reporting to CSSF;
• Lack of accuracy in the data included in the AIFM reporting to CSSF.
Not legally binding but…
ESMA Opinion to support supervisory convergence in the area of investment management
On 13 July 2017, the European Securities and Markets Authority (ESMA) published an Opinion setting out sector-specific principles in the area of investment management, aimed at fostering consistency in authorization, supervision and enforcement related to the relocation of entities, activities and functions from the United Kingdom.
The intention of the Opinion is to ensure that the choice of a new location in the Brexit context is directed by actual business needs and to provide further clarification when it comes to prerogatives of home Member State NCA which shall retain the grip and control of critical operations of the relocating entities.
This should be achieved through compliance with general principles set out in the Opinion which could be divided into 3 topics of highest concern: authorization requirements, governance and delegation arrangements.
This document summarizes the crucial points of the ESMA Opinion which Deloitte considers most relevant to the IM industry, their possible impact on NCAs practice going forward and the amount of additional compliance effort that it may require from actors established in Luxembourg.
The Opinion, although more particularly directed at Asset Managers considering relocating to the EU following Brexit, is likely to have impacts on all actors established in the EU.
As a result of this ESMA Opinion, NCAs may decide to reinforce existing requirements or create new obligations.
Note that this document is for information sharing purposes only and does not amount to an advice or anticipation of CSSF possible developing practice as a result of the Opinion.
… more precise documentation and justification
The main areas of impact are fourfold
Substance
• ESMA proposes to align UCITS substance requirements to AIFM concept i.e. portfolio and risk management
• ESMA provides for minimum substance in the Manco (3 FTEs) as well as some key criteria to apply to ensure substance is in line with size, nature, scale and complexity of the business
• ESMA reinforces the paramount role of local authorized management ensuring the ultimate decision-making is local
Delegation
• There must be documented objective reasons for delegation of any type of activity (incl. function such as IT, Legal, Finance, etc.): (i) detailed descriptions, (ii) explanations and (iii) evidence of the objective reasons provided
• Delegation to non-EU entities (directly or via chain of delegation) could make oversight and supervision of the delegated functions more difficult
• Delegation process and oversight are to be well documented and objectively reviewed (initial due diligence via RFP, on-going due diligence with a focus on on-site visits)
• Authorized entities should demonstrate to NCAs that they dedicate sufficient human and technical resources to initial and on-going due diligence process, i.e. it is unlikely that a single person has sufficient knowledge, experience and time to monitor a broader range of complex functions
Governance
• ESMA outlines that sound governance and internal control mechanisms require clarity as to the allocation of responsibilities, documented policies and procedures, structures
• ESMA insists that NCAs assess and put additional scrutiny on individuals with high numbers of (executive or non-executive) directorships
• ESMA highlights the importance of the senior management of the entity being available locally
Internal control functions
• ESMA is highlighting that compliance, internal audit and risk management functions must take an active part in strategic decisions
• ESMA is putting emphasis on the necessity for the internal control functions to ensure compliance does actually happen, including through escalation process to the regulator in last instance
• Internal control functions must carry out desk-based and on-site controls on an ongoing basis and are involved in the client acceptance and fund set-up processes (often organized in internal committees). These substantial activities usually necessitate a local presence
4th AML Directive
Transposition into Luxembourg law
European level: Directive (EU) 2015/849
Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
This Directive is the 4th directive to address the threat of money laundering and has to be transposed into respective national law of European Member States
It includes various changes. One of them is the inclusion of tax crimes in the definition of criminal activities under the directive, in line with the revised FATF recommendations
International level: FATF 2012/2013 recommendations
The FATF (Financial Action Task Force - GAFI) is an independent inter-governmental body that develops international standards on combating money laundering and the financing of terrorism and their proliferation
The 2012/2013 FATF recommendations expanded the tax crimes related to direct taxes and indirect taxes as predicate/primary offence for money laundering without defining tax crimes
Mutual evaluations are done to ensure that the FATF recommendations are in place
Luxembourg level: 2017 Luxembourg tax reform
Transposition into Luxembourg law of the 2012/2013 FATF recommendations and the 4th EU AML Directive via the 2017 Tax Reform (Law of 23 December 2016 - Luxembourg official journal n°274) for the part in connection with tax crimes in the scope of AML
Direct and indirect taxes (VAT, inheritance and registration duties) concerned
Joint-Circular 17/650 of 17 February 2017 between the Cellule de Renseignement Financier (CRF) and the CSSF applicable as guidelines
1. Simple tax fraud (fraude fiscale simple): Not a tax crime. In existence before 2017. Same definition but new penalties’ amount
2. Aggravated tax fraud (fraude fiscale aggravée): New tax crime
3. Tax swindle (escroquerie fiscale): Tax swindle existed before 2017. Now it includes reimbursements and modification of the penalties’ amount
1) Increased emphasis on a risk-based approach
Obliged entities need to take appropriate steps to identify and assess the ML/TF risks taking into account risk factors including customers, countries or geographic areas, products, services, transactions or delivery channels. No KYC exemption cases, removal of white list
2) Changes in the application of Customer Due Diligence (“CDD”)
CDD is required for traders in high value goods when dealing in cash with a value over €10,000 (before: €15,000)
Specific risk assessments need to be conducted for each client in order to apply Simplified Due Diligence (“SDD”) (a non-exhaustive list of risk factors allowing for potentially lower risk situations is provided in Annex II of the Directive)
Enhanced Due Diligence (“EDD”) is applicable for companies in designated “high-risk” countries
Obliged entities need to take into account factors of potentially higher-risk situations (Annex III of the Directive) in the risk assessment of ML/TF
3) Modifications in the definition and treatment of Politically Exposed Persons (“PEP”s)
The definition of PEPs was expanded including also domestic individuals occupying prominent public positions as well as senior figures within international organizations
The period of EDD for PEPs was extended to a duration of 18 months after a PEP leaves office
4) Extended scope of the Directive
Tax crimes are recognized as a predicate offence of ML/TF
Broadening scope to cover on-line gambling: broaden the scope of the Directive beyond "casinos" to cover the whole gambling sector
4th AML Directive
Primary modifications
5) Strengthened cooperation between national Financial Intelligence Units (“FIU”s)
The increased powers of FIUs with regard to reporting obligations and cooperation must be recognized by financial institutions
6) Expanded definition of Ultimate Beneficial Owners (“UBO”s) and introduction of UBO Registers
Obliged entities are required to obtain and hold adequate, accurate and current information of UBOs and to make such information available to third parties via public registers
Obliged entities are obliged to provide the full legal name, month and year of birth, nationality, country of residence as well as nature and extent of interests of UBOs (subject to a threshold of 25%)
7) Development and incorporation of specific provision on data protection
Group-wide policies and procedures need to be established in order to ensure data protection for UBOs
8) Increased Sanctions
The maximum pecuniary sanction was increased to at least €5 million or 10% of the total annual turnover in the case of a legal person. The maximum pecuniary sanction was increased to at least €5 million in the case of a natural person
4th AML Directive
Primary modifications (Continued)
Irish Regulatory Structure
• Central Bank of Ireland: Macro and Micro prudential regulation and conduct of business
• Data Protection Commissioner: Compliance with Data Protection requirements
• Financial Services Ombudsman: Consumer and SME Complaint Resolution
• Director of Corporate Enforcement: Compliance with the Companies Acts
CBI Strategic Plan 2016 – 2018
Vision, Mission: Safeguarding stability, protecting consumers
Strategic responsibilities:
• Financial stability
• Consumer protection
• Supervision and enforcement
• Regulatory policy development
• Payments, statements and currency
• Economic advice and statistics
• Recovery and resolution
• Price stability
Strategic enablers:
• Communication and accountability
• Fulfilling workplace for our people
Regulation in a Dynamic Environment
Central Bank of Ireland (“CBI”) Regulatory and Supervisory Priorities for 2018*
“Regulation in a changing environment”. Speech by Gerry Cross, Director of Policy and Risk, October 2017*
New Structure in the CBI
Since the 1st of September 2017 a new financial regulation structure has been in place in the CBI:
• Prudential Regulation is responsible for the credit institutions, insurance and asset management directorates.
• Financial Conduct has the responsibility for consumer protection, securities and markets supervision and enforcement.
Policy and Risk covers both prudential and conduct issues and has a dual reporting line to the Deputy Governor Prudential Regulation and the Director General Financial Conduct.
CP86
CP86 implementation will remain a key area of focus in 2018. The enhanced requirements, including the role of designated persons, the oversight of delegates, the organisational effectiveness role and directors' time commitments, will all remain areas of supervisory focus.
The role of the Independent Director is a key part of good governance. The CBI views the role of the Independent Director as having “indispensable responsibility for challenge and oversight, including oversight of the supervision of delegates”. An Independent Director must assume the organisational effectiveness role.
MiFID II
• The Investment Firms Regulations 2017 will be updated to bring them in line with MiFID II.
• The aim of the CBI is to develop a single handbook for each sector.
IT and Cyber Risk
• The CBI will continue to focus on this area. It has stated that IT and Cyber Risk go to the very heart of financial services. It is an area of rapid change. It must be given sufficient and effective attention by senior management.
• The CBI has published the Cross Industry Guidance on IT and Cybersecurity Risks, which sets out the CBI’s expectations in this area.
Investment Fund Fees
• Focus on transparency and disclosure
• The negative impact of fees and commissions will be a focus in 2018.
• Further scrutiny ahead including at European level.
Exchange Traded Funds
The CBI issued a discussion paper which closed at the end of 2017, and the CBI is seeking to understand the dynamic ETF environment and how these risks can be managed. The paper examines:
• Investor expectation and the functioning of the ETF in times of stress is a key focus for the CBI.
• The role of the approved participants is to be closely examined.
• Disclosure of portfolios publicly is also to be examined.
• Liquidity, collateral risk, counterparty risk, inclusion in indices.
• Types of ETFs and their impact on the market.
• The fact the ETF share price can trade at a discount to the NAV.
Money Market Reform
• Money Market Regulation entered into force and will strengthen rules in relation to MMFs generally and CNAV MMFs in particular. The Regulation will require a lot of preparedness by the industry and the CBI. Level 2 measures are nearing finalisation.
Regulation in a Dynamic Environment
Brexit
• BREXIT preparedness: The CBI expects firms to have well-developed contingency plans in place for a hard BREXIT with a focus on their customers and clients. The CBI is aware of the scale of businesses coming to Ireland and the complexity of these businesses. It must authorise and then supervise these new businesses; it is a new environment for the CBI.
CBI supports ESMA and EIOPA guidance and opinions in relation to BREXIT. The CBI welcomes the development of ESMA’s “Supervisory Coordination Network”.
CBI supports the importance of fostering consistency in the authorisation and supervision of entities across Europe. All the regulators across Europe authorising activities and functions relocating from the UK must focus on achieving regulatory convergence.
The CBI has publicly stated that it is of the view that it is operating in line with ESMA’s three recent sector opinions. This review by the CBI is ongoing. The CBI does not want to see a “race to the bottom” by regulators.
CBI has stated that there is “considerable merit”* in the ECB being given responsibility for the supervision of large investment banks (broker dealers) given the potential impact on the financial system of their failure.
Outsourcing
• The CBI will continue to focus on the very important issue of outsourcing. It has been an area of focus across all sectors and it will be high on the CBI’s agenda in 2018. The CBI will build on its thematic review of outsourcing in the fund administration sector and the Dear CEO that was issued.
• Outsourcing continues to grow and the complexity of arrangements gives rise to challenges in supervision.
• The CBI will survey firms across a range of sectors to gain further insight to the current and future pattern of outsourcing including third party and group arrangements. The CBI Survey is a fact finding mission.
• The CBI Survey will focus on services and operations outsourced, the issue of materiality and concentration of outsourced arrangements, contractual arrangements in place, all contingency plans and the extent of oversight and assurance reviews. It will focus on PRISM High, Medium-High, and Medium-Low Impact Regulated Firms.
DATA QUALITY
2018 Supervision Priorities*
High Quality Risk Based Assertive Supervision
Asset Management (“AM”) Supervision Directorate
*Speech delivered to A&L Goodbody Seminar by Michael Hodson, Director of Asset Management Supervision, on the 26th of October 2017.
• AM Supervision Directorate
Supervision and Authorisation of a wide variety of firms in the Asset Management sector.
*371 Firms supervised in the MiFID investment services and fund service space.
*MiFID firms have approximately €433 billion assets under management and over 140,000 clients.
• Full Risk Assessment and Thematic Inspections
Focus on MiFID firms and Fund Service Providers.
IT and Operational risk Inspections
CBI will challenge firms on their MiFID II implementation and ensure that key objectives of the legislation are met including enhanced consumer protection outcomes and increased transparency in the market place.
CP86
Managerial functions, organisational effectiveness and retrievability of records.
Focus on 1 July 2018 implementation deadline.
• Brexit
CBI will challenge firms on their preparedness for Brexit.
Expectation that firms have contingency plans in place.
A central theme is the authorisation of new entities and that they can be supervised.
CBI will not engage in a regulatory race to the bottom by authorising “shell” firms.
Industry Letter issued Q417.
Client Assets and Investor Money
Feedback from 2017 consultation and revised regulations will be published in 2018.
Engagement with fund service providers and onsite inspections.
Outsourcing
The CBI will continue to focus on the very important issue of outsourcing. It has been an area of focus across all sectors and it will be high on the CBI’s agenda next year. It will build on the thematic review of outsourcing in the fund administration sector and the Dear CEO that was issued.
Outsourcing and the assessment of risks will remain an area of focus across the different sectors in 2018. CBI notes that other regulators (Australian, Canadian and UK) have all published standards and guidance on outsourcing.
Examination of FinTech as a disruptive force in outsourcing.
Culture
Assessing culture risk is a priority for the CBI in 2018*
Central Bank of Ireland 2018
Culture powers the behavior of all individuals in an Asset Management firm
Good culture should be led by management (tone from the top)
A detailed set of values are the guidelines on how behavior will achieve the firm’s vision
Culture seeps across operational, market and conduct risks
2018: CBI will challenge firms on the appropriateness of their culture and the behaviours that the firm’s culture is supporting and promoting
*Speech delivered to A&L Goodbody Seminar by Michael Hodson, Director of Asset Management Supervision, on the 26th of October 2017
2018 other CBI considerations
Thanks for attending
Do you have questions?
Recording of this presentation and many more on our YouTube channel:
https://www.youtube.com/user/DeloitteLuxembourg