When MiFID II enters into force on 3 January 2018 it will significantly overhaul the existing law regulating financial markets. This briefing is the third in a series of briefings on the MiFID II framework which we hope will help firms to prepare for its entry into force over the coming months. It focuses on changes to two of the existing organisational requirements namely compliance and outsourcing. We will deal with the remaining organisational requirements in further briefings. Changes in the organisational requirements will affect both investment firms and credit institutions carrying on investment activities (“Firms”).


According to Article 16 of MiFID II, Firms must comply with a number of requirements relating to compliance policies and procedures, conflicts of interest, product approval processes, business continuity, outsourcing, internal procedures, data security, record-keeping, client assets and title transfer collateral arrangements. There is some overlap between these requirements and those set out under Articles 23 and 24 of MiFID II. Article 23 deals with conflicts of interest while Article 24 deals with general principles and information to clients.

The organisational requirements set out in Article 16 are supplemented by delegated measures: Commission Delegated Regulation 2017/565 (“Delegated Regulation”) contains supplemental provisions dealing with both compliance and outsourcing.

While the MiFID II Directive are largely similar to those set out in MiFID, there are a number of differences. There are also significant differences in some of the requirements set out in the MiFID Implementing Directive 2004/39 on the one hand (“Implementing Directive”), and the Delegated Regulation on the other.


Both MiFID and MiFID II require a Firm to have adequate policies and procedures in place to ensure compliance with its MiFID/MiFID II obligations, as well as appropriate rules governing personal transactions by its managers, employees and tied agents. However, as compared to the Implementing Directive, the Delegated Regulation imposes a number of new obligations relating in particular to the compliance function, senior management responsibility and complaints handling.

Compliance Function

Under both MiFID and MiFID II the compliance function must; (a) monitor and assess the adequacy and effectiveness of the compliance policies and procedures, and (b) advise and assist relevant persons responsible for carrying out investment services and activities to comply with the Firm's MiFID/MiFID II obligations. However the Delegated Regulation contains further detail as to what is required by way of compliance with these requirements, including the performance of a compliance risk assessment as a mandatory step. It also strengthens the connection between the compliance function and the management body in several respects, including through the introduction of annual and ad hoc reporting requirements. Moreover, the Delegated Regulation specifically requires the compliance function to monitor the operations of the complaint-handling process and to consider complaints as a source of information in the context of its monitoring responsibilities.

Senior management responsibility

Under the Delegated Regulation, the allocation of significant functions among senior managers must clearly establish who is responsible for overseeing and maintaining the Firm's organisational requirements. Records of the allocation of significant functions must be kept up-to-date.

Complaints Handling

The MiFID II Delegated Regulation extends the existing requirement for Firms to establish complaints management policies and procedures for retail clients to all clients, including potential clients. Firm will consequently need to ensure that they have appropriate policies and procedures in place for managing complaints from non-retail clients.

Each Firm will also need to ensure that its complaints management policy provides clear, accurate and up-to-date information about its complaints handling process and publish the details of this process. Clients and potential clients must be able to submit complaints free of charge and the relevant Firm must respond to complaints in plain English, without undue delay. When responding to complaints, the Firm must inform clients about their options, including the availability of alternative dispute resolution and civil action.


Under both MiFID and MiFID II a Firm must take reasonable steps to avoid undue operational risk when outsourcing the performance of operational functions which are critical to the provision of continuous and satisfactory service to clients and the performance of investment activities on a continuous and satisfactory basis. It must also ensure that outsourcing of important operational functions is not undertaken in such a way as to impair materially the quality of its internal controls and the ability of its supervisor to monitor the Firm’s compliance with all its obligations.

However, there are a number of differences between the more detailed requirements set out in the Delegated Regulation on the one hand and the Implementing Directive on the other. In particular, the Delegated Regulation explicitly requires the written agreement on outsourcing to clearly allocate the respective rights and obligations of the Firm and of the service provider. In addition, the Firm must keep its instruction and termination rights, its rights of information and its right to inspections and access to books and premises. The agreement must also ensure that outsourcing by the service provider only takes place with the Firm’s written consent.

There are also changes in the provisions governing outsourcing to service providers located in third countries. Under the Implementing Directive a Firm can outsource the investment service of portfolio management provided to retail clients to a third country service provider once:

  • the third country service provider is authorised or registered in its home country to provide the service and is subject to prudential supervision; and
  • there is an appropriate cooperation agreement between the competent authority of the investment firm and the supervisory authority of the service provider.

Where either or both of these conditions are not satisfied, an investment firm may outsource investment services to a third country service provider if the firm gives prior notification to its competent authority about the outsourcing arrangement and the competent authority does not object to that arrangement within a reasonable time.

The Delegated Regulation changes these requirements in three important respects. Specifically, the MiFID II requirements on outsourcing to third country service providers apply when a Firm outsources functions related to the investment service of portfolio management provided to any client and not just retail clients. In addition, the Delegated Regulation not only requires the existence of a cooperation agreement as referred to above, but sets out certain provisions that must be contained in that agreement. Finally, the Delegated Regulation does not provide for the possibility for a Firm to notify its competent authority of its intention to outsource and to proceed with its outsourcing arrangement in the absence of an objection from that authority.

Next Steps

Each Firm will need to re-assess its compliance function and outsourcing arrangements to ensure that these meet the MiFID II requirements.

Firms should already be familiar with at least some of the new requirements regarding the compliance function set out in the Delegated Regulation as they reflect those set out in ESMA’s Guidelines on certain aspects of the MiFID compliance function requirements. Nevertheless, some will be less familiar and each Firm will need, in particular, to ensure that the compliance function has a direct line to the board so that it can meet the new reporting obligations. It will also need to review its complaint handling processes and procedures for both retail and non-retail clients.

Regarding outsourcing, Firms which outsource functions related to portfolio management for either retail or non-retail clients to third country service providers will need to ensure that their outsourcing arrangements comply with the MiFID II requirements. Each Firm should also verify that its written agreement complies with the requirements set out in the Delegated Regulation.