Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

For certain types of financial institutions, particularly investment firms, the relevant EU and national legislation contains explicit requirements for the setting up of an independent, permanent and effective compliance function. The compliance function’s tasks include, among other things, monitoring the adequacy and effectiveness of the institution’s policies and procedures; internal reporting to the management body; and monitoring of complaints and complaints handling. On the basis of these tasks, the compliance function shall establish a risk-based monitoring programme.

The competent authorities view a compliance function as an essential part of the sound business operations of a financial institution. In published guidance and instructions for licence applications, the Netherlands Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB) also require other financial institutions – such as insurers, payment institutions and banks – to establish an independent and effective compliance function. This guidance customarily also contains indicative tasks for the compliance function (similar to the tasks for investment firms' compliance function) as well as the (optional) obligation to adopt an annual compliance plan.


How important are gatekeepers in the regulatory structure?

An internal audit or control function that can internally and independently assess the effectiveness of a financial institution’s organisation – and its internal control mechanisms, procedures and measures – is an essential element of an institution’s sound business operations.

For most financial institutions, an internal audit or internal control function is explicitly required in EU and national regulations, or in the competent authorities’ guidance. Customary tasks of the internal control function include establishing, implementing and maintaining an audit plan (annually); issuing audit recommendations; and direct reporting to the institution’s senior management.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Most financial institutions incorporated in the Netherlands will be either a public limited liability company (NV) or a private limited liability company (BV). Dutch corporate law provides for one-tier boards (a board consisting of one single corporate body with executive directors and non-executive directors); however, most BVs and NVs have a two-tier board, consisting of a management board and a separate supervisory board.

For Dutch legal entities, management boards generally have the duty to manage and set the strategy of the general course of affairs of the company. Furthermore, the management board represents the company. The supervisory board (or non-executive directors) needs to supervise the management board’s policy as well as the general course of affairs of the company and its business.

Boards of financial institutions have the same tasks and responsibilities under corporate law as boards of other companies. However, boards of financial institutions are also subject to the standards and requirements of the Financial Supervision Act (Wft) and the competent authorities. For most financial institutions, members of the management board and the supervisory board need to be tested for competence and integrity by the competent authorities prior to taking office and may be removed if the authorities have reason to doubt their integrity or ability to manage a financial institution.

For certain financial institutions, including banks and insurance undertakings, the competence and integrity screening requirement also applies to senior management who have a role directly under the statutory management board and are responsible for employees whose activities can significantly affect the institution's risk profile.

When are directors typically held individually accountable for the activities of financial services firms?

Managing directors can be held individually accountable for the activities of their company for different reasons, including mismanagement. Special liability may apply in the case of a company’s bankruptcy. In general, supervisory directors can only be held liable for a company’s actions in cases where they are found to have directed actions as de facto managing directors.

Under Dutch corporate law, members of the management board of a company are personally accountable to the company for any damage caused by not fulfilling their obligations with care and attention. This mismanagement exists when there is serious misconduct by the directors, a standard tested by the question of whether a reasonable and experienced managing director would have taken the same action.

In the case of serious misconduct, all managing directors are jointly accountable for all internal damages. A director can be exonerated by proving either that he or she had no knowledge of the misconduct, or that he or she tried everything reasonably within his or her power to prevent the misconduct. This can mean that a director who does not agree with decisions may need to step down to avoid liability.

Managing directors may also be held liable by third parties for damages caused during their tenure as director. This external liability is based on the unlawful act. If a director takes an action that causes damages to third parties and the damages are a direct result of the director’s actions, the director may be held liable.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

The Wft provides that private law legal acts that are performed in violation of the Wft – and the rules promulgated thereby or thereunder – cannot be challenged on that basis (subject to certain exceptions where explicitly provided otherwise). This means that actions of a financial institution that violate most financial regulations cannot be annulled on that basis by third parties; however, of course, the competent authorities may take actions against the violating institution.

In addition, actions in violation of financial regulations can provide added cause for private rights of action such as an unlawful act and a breach of duty. Certain financial institutions, typically banks and retail financial services providers, are deemed to have a special societal role, which entails an additional duty of care vis-a-vis customers. Duties of care are also enumerated in the Wft from a regulator’s perspective, but can provide additional grounds for a private right of action.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Certain financial institutions have a special duty of care, especially when dealing with retail clients. Professional clients are generally afforded less protection. Dutch law also distinguishes the degree of protection depending on the services provided by a financial institution.

A financial firm’s duty of care obligation typically entails client protection measures, such as the provision of sufficient information before entering into an agreement and during the contractual relationship; assessments of the suitability or appropriateness of a financial service or product for a client; and the maintenance of well-functioning complaints handling procedures.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Financial services providers are required to tailor their products, advice and services to the level of sophistication of the customer or counterparty. This tailoring is achieved through a process of customer due diligence, client level qualification, and suitability and appropriateness assessments. In general, the three levels of customer (ie, retail, professional, eligible counterparty) are sufficient to specify the sophistication of a customer.

In addition, certain financial institutions are required to put all (new) financial products they offer through a product approval and review process, whereby the institution must assess the target market of clients for a product prior to offering it to the market (with regular review thereof).


How are rules that affect the financial services industry adopted? Is there a consultation process?

Dutch financial regulations consist of financial laws, and secondary decrees and regulations with more detailed rules. In addition, the AFM and the DNB issue further rules and guidance (binding and non-binding).

Laws and (governmental) decrees need to be adopted by the parliament as the Dutch legislator. Laws and decrees relating to the financial services industry are customarily subject to a consultation process. In the course of the consultation process, the first draft of the relevant act is usually published by the Dutch government (the responsible ministry) for consultation and will often be amended before it is finally adopted by the Dutch parliament.

The DNB and the AFM usually also initiate a consultation process and publish a draft of the guidance. The guidance may be amended following comments received and result in new, final guidance.

During the consultation process, any person (typically including industry groups, regulatory specialists and market participants) may comment on the envisaged new legislation, regulations or guidance. Consultation plays an important role in the rule-making of the Dutch legislator and competent authorities, and it is not uncommon for draft provisions to be materially changed as a result of the feedback received.