MiFID – IT and Operations

December 16, 2006

The Markets in Financial Instruments Directive, 2004/39/EC (MiFID) is regarded as the most wide-ranging piece of EU legislation covering the financial markets to emerge in the last decade.  Replacing the current Investment Services Directive, it is a key part of the EU’s plan to create a single market in financial services.  For those who operate in the financial services sector, it has become a common topic of conversation and, in some areas, the subject of much consternation. What impact does it have on IT and outsourcing contracts?


MiFID in a nutshell


What is it?


MiFID basically comes in two halves.  The first half is MiFID itself and an Implementing Directive, also known as a Level 2 Directive (2006/73/EC), which covers issues such as client categorisation and ensuring the suitability and appropriateness for investors of transactions in financial instruments.  These Directives, like other EU Directives, must be implemented into the local law of each EU Member State.  The second half is a pan-European set of Implementing Regulations, or Level 2 Regulations (Regulation 1287/2006), that cover issues such as price transparency in the equity markets and reporting of transactions to regulators.


Both the Implementing Regulations and the Implementing Directive were finalised at a European level in September 2006.  However, whilst the Regulations are fixed and not subject to further change, there is some scope for the Directives to be ‘gold plated’ when transposed into local law by the different EU Member States.


In the UK, MiFID is being implemented into UK legislation through amendments to the Financial Services and Markets Act 2000 and regulations under it, as well as through changes to the FSA Handbook.  The FSA has produced various consultation papers with proposed rule changes.   Most of these changes are still in the consultation phase, but are expected to be finalised by 31 January 2007 and then come into force on 1 November 2007.


However, the majority of MiFID firms will also need to comply with the FSA Handbook changes implementing the Capital Requirements Directive (CRD), which in turn implements Basel II.  The CRD sets out new rules for calculating and maintaining financial resources and new systems and controls requirements.  The CRD changes come into force from 1 January 2007 and some of them overlap with MiFID (eg on conflicts of interest or outsourcing).  The FSA has, therefore, produced a joint set of rules (‘common platform rules’) which cover both the MiFID and CRD requirements, as well as a separate set of rules that cover the CRD requirements only.  Firms that will be caught by both MiFID and CRD (common platform firms) can elect to move to the common platform rules at any time between 1 January and 1 November 2007.


Who is affected?


The financial instruments caught by MiFID include shares, bonds, money market instruments, units in collective investment schemes and derivatives, but it does not cover ‘pure’ deposits, loans, insurance or mortgage products.  Firms carrying on certain activities (eg advising, managing, receiving and transmitting orders, executing orders and/or operating a market, exchange or trading platform) in relation to these financial instruments will be caught by MiFID.  Therefore, in broad terms, MiFID will affect banks (retail and wholesale), investment firms (broker/dealers, corporate finance and advisory firms, commodities/derivative traders), investment managers, financial advisers and the operators of markets, exchanges and trading platforms.


For some regulatory issues, the FSA will apply different rules to MiFID business (eg providing share dealing services) and non-MiFID business (eg selling life insurance investment products) carried on by a MiFID firm.  However, for certain issues, the FSA has decided to impose MiFID standards on the whole of a MiFID firm’s activities, whether for MiFID business or non-MiFID business.


MiFID also applies across the EEA, and therefore businesses with branches in more than one jurisdiction will need to co-ordinate compliance.  In theory, MiFID makes life easier for firms incorporated in and operating from one EEA Member State (their ‘home state’) on a cross border services basis into other EEA Member States.  After MiFID, they will generally need to comply solely with the ‘home state’ rules rather than certain rules in each ‘host state’ as they do at present.


What changes does it bring?


The changes and new rules cover a broad range of areas including the following:


What gets regulated in each EEA Member State – what activities need FSA authorisation.  In the UK, there will be relatively little change.  However, in some jurisdictions, certain activities will become regulated for the first time (eg providing investment advice in Spain).


Conduct of business rules. There will be significant changes to rules governing client categorisation, best execution, suitability and appropriateness, client information and agreements, financial promotions and client assets/money.


Organisational rules. MiFID requires changes to systems and control rules for governance, risk and compliance, outsourcing, staffing requirements and conflicts of interest.


Markets and securities. Here there are changes to the regulation of different types of execution venues – regulated markets, multilateral trading facilities (alternative trading systems such as Instinet) and systematic internalisers (basically, off-exchange market makers such as the large sell-side investment banks).  MiFID tries to encourage competition between the different types of execution venues, and regulated markets lose their monopoly over the trading of equities (the abolition of the so-called concentration rule).  However, as a result, there are common rules that apply to all of them (eg on pre- and post-trade transparency in relation to equities markets) and revised rules on transaction reporting.


Key Areas for IT and Operations


MiFID has two main consequences for IT and operations.  First, the revised rules mean that firms’ and suppliers’ IT systems, services and processes will need to change in a number of important areas to be MiFID compliant.  Second, for those advising on outsourcing transactions, there are new rules to be followed when advising on and negotiating outsourcing agreements with MiFID firms.


Impact on Operations


Client Categorisation[1]


Client categorisation and its consequences are subtly but significantly altered from current regulation.  Category definitions are different, including the nomenclature (eg there are now retail and professional clients, and eligible counterparties, instead of private and intermediate customers, and market counterparties).  The rules for moving a client “up” and “down” a category, and the consequences of categorisation (ie the regulatory protections available) are different.  A client could fit into different categories for different types of business, including for different types of MiFID business (eg trading in shares, or trading in derivatives) as well as for MiFID and non-MiFID business (eg trading in shares, or buying life insurance investment products).  Firms’ systems will have to cope with the application of these new categories and criteria, for both new and existing clients.


Order Execution


MiFID firms are required to keep a record of all clients’ orders in MiFID instruments whether executed or not.  They need to ensure prompt and sequential execution of comparable orders.  This means sequential execution for telephone orders can be different to online orders.  There must be prompt and accurate recording and allocation, settlement and delivery to client accounts.


Best Execution


Firms executing client orders in financial instruments must establish and implement a ‘best execution’ policy designed to provide retail and professional clients with the best possible result on a consistent basis, taking into account a number of factors such as the range of possible execution venues for the relevant instrument, price, costs, speed of execution, likelihood of execution and settlement etc, as well as factors specific to the client.  For retail clients, the overall cost is paramount.  Firms will need to monitor compliance with their policy as well as periodically review it to ensure that it remains appropriate.  Clients will be entitled to ask firms to demonstrate compliance with the best execution policy on any particular trade, which has record keeping and systems implications.  Under the new regime, professional clients will not be able to opt-out of the best execution requirements as intermediate customers do at present, and so many firms could face obligations here for the first time.


Reporting to Clients[2]


Firms must provide reports to clients on orders executed containing prescribed information, which is more detailed than the current requirements.  For retail clients, firms will need to provide prescribed content by the next business day following execution, and the client cannot waive or defer the receipt of such reports as they may under the present rules.  Firms providing investment management services will be required to enable clients to evaluate and compare their performance (eg by reporting their performance by reference to a benchmark), and their systems will need to be able to cope with this new requirement.


Pre-trade and Post-trade Transparency in the Equity Markets


A consequence of MiFID’s drive to ensure competition between different execution venues in the equities markets – regulated markets, multilateral trading facilities and systematic internalisers – is that they will be subject to similar rules on pre-trade transparency (ie the public disclosure of the prices at which transactions may be conducted).  For regulated markets and multilateral trading facilities, this will not be a significant change.  For systematic internalisers (ie certain large investment banks) this will be a new requirement and will involve a great deal of work to ensure that they are able to make their prices publicly available in real time.  The different types of execution venues and firms executing transactions in equities off exchange will also be subject to post-trade transparency requirements (ie the public disclosure of the details of transactions that have been carried out).  Again, this will be a new requirement for systematic internalisers and other firms executing transactions in equities off exchange.


Transaction Reporting


MiFID changes the scope of transactions reportable to the FSA and other EEA regulators, the prescribed content of these reports and the recipients of such reports (ie whether the FSA or another EEA regulator).  The FSA is shortly to publish a technical paper on how this new reporting is meant to take place.


Impact on IT Applications and IT Infrastructure


For software applications, new client categorisation and data collection from suitability and appropriateness checks (which tie into best execution and reporting requirements) will require increased automation of front-office activity and a bundling of existing products.


Operations specialists in the sector also consider that the combined effect of the MiFID rule changes will result in material changes to IT infrastructure requirements.  This is particularly as a result of pre-trade and post-trade transparency data collection and reporting, the increased range of execution venues and instruments, and the requirement to retrieve and hold data to comply with the best execution requirement.  Operations specialists also estimate that firms will need to meet increased availability, processing power and data storage requirements.  Increased data also demands networks with increased capacity.


System Rules


MiFID specifies minimum security and business continuity requirements.[3]  These are in any event in accordance with good practice, and similar to rules for other regulated firms in the financial services industry such as insurers.  A firm must establish, implement and maintain systems and procedures (in the broad sense, but this includes IT systems) that are adequate to safeguard the security, integrity and confidentiality of information.  Firms must also establish, implement and maintain an adequate business continuity policy, including ensuring that, in the case of interruption to systems and procedures, any losses are limited, essential data and functions are preserved, and there is provision for the maintenance or, where that is not possible, the timely recovery and resumption of regulated activities.


Outsourcing Rules


There are, of course, existing rules and guidance on outsourcing for regulated firms in the financial services industry.  High-level standards are supplemented by more detailed guidance, in particular for banks contained in IPRU (BANK) – Outsourcing (OS) and for insurers contained in SYSC 3A.9.  The latter is regarded as good practice for all FSA authorised firms.


MiFID provides a further list of rules[4] to follow on outsourcings, which outsourcing lawyers will need to follow as a checklist.  These rules apply to the entire operations of a MiFID firm.


These new rules are slightly different to the existing outsourcing rules for banks and insurers. They do, however, reflect good practice and should not cause compliance concerns.  It should be noted, however, that these new outsourcing rules are precisely that: rules, as opposed to the guidance that applies under the current regime for banks in IPRU (BANK) – Outsourcing (OS) (and the guidance for insurers in SYSC 3A, which most other firms follow anyway as a matter of good practice).


What is an outsourcing?


Outsourcing is defined as an arrangement of any form between a MiFID firm and a service provider by which that service provider performs a process, a service or any activity which would otherwise be undertaken by the firm itself.  The rules apply to ‘critical or important’ operational functions.  If a function is not ‘critical or important’ the firm should still take the rules into account.[5]  If a defect or failure in performance would materially impair the continuing compliance of a firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities, then the outsourcing satisfies the ‘critical or important’ test.


Intra-Group / Notification / Written Contract


The rules apply to intra-group arrangements, as well as arrangements with third-party suppliers, although with intra-group agreements the firm may take into consideration its controls over or its ability to influence the affiliate’s actions.  Firms must also notify the regulator of their intention to outsource critical or important operational functions.  The rules require that the respective rights and obligations need to be clearly allocated and set out in a written agreement.


Requirements for Outsourcing Contract


MiFID rules do not specify requirements for contractual documentation per se.  Instead, they demand that certain conditions are satisfied.  The conditions are slightly different to the equivalent in SYSC 3A but should form part of good practice in any outsourcing in any event.  Listed below are the main conditions, accompanied by proposed contractual provisions, which firms should require as part of their compliance with the conditions.


1.      The service provider must have the ability, capacity and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally. Proposed provisions: firms to require a warranty to this effect.

2.      The service provider must carry out the outsourced services effectively, and the firm must assess the standard of performance of the service provider.  Proposed provisions: firms to require performance to certain standards to be monitored by reporting and auditing.

3.      The service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing.  Proposed provisions: firms to include a provision to this effect.

4.      The firm is expected to take appropriate action if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements.  Proposed provisions: firms to include provisions on remedial action in case of non-compliance, rights of step-in and termination.

5.      The firm must retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing and must supervise those functions and manage those risks.  Proposed provisions: firms to include provisions on reporting, delivery of information and training and governance.

6.      The service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements.  Proposed provisions: firms to include provisions requiring the service provider to report breaches and other events affecting its ability to provide the services.

7.      The firm must be able to terminate the arrangement for outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients.  Proposed provisions: firms to include provisions ensuring assistance with step-in/DR arrangements, and continuity on exit arrangements.

8.      The service provider must cooperate with the competent authorities of the firm in connection with the outsourced activities.  Proposed provisions: firms to include provisions requiring service provider compliance with regulatory audits and requirements.

9.      The firm, its auditors and the relevant competent authorities must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider, and the competent authorities must be able to exercise those rights of access.  Proposed provisions: firms to include provisions on access to records and audit rights.

10.  The service provider must protect any confidential information relating to the firm and its clients.  Proposed provisions: firms to include provisions on confidentiality concerning this issue.

11.  The firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities, where that is necessary having regard to the function, service or activity that has been outsourced.  Proposed provisions: firms to include provisions on service continuity and disaster recovery.


Next steps


Unfortunately, MiFID firms will have to review existing critical or important outsourcing agreements before they move to the Common Platform (ie by 1 November 2007 at the latest).  If a firm’s current outsourcings do not meet the proposed new requirements in SYSC then it must review/change the agreement and/or its own systems to meet these requirements.  The FSA considers that MiFID does not allow it to exempt existing agreements. 


However, the FSA also considers that most firms will already meet the majority of requirements as they mainly relate to appropriate supervision to ensure that firms continue to meet their regulatory obligations despite outsourcing (which is what the current obligation is, eg a firm cannot outsource out of its obligations).  Where a current agreement is not sufficient (eg it does not provide for the firm’s auditors to have access to the business premises of the service provider), the FSA considers that most agreements would provide for changes to the agreement where this is needed to ensure that the firm is able to meet its regulatory obligations.


Therefore, as far as the FSA is concerned, applying the requirements to existing contracts should result in a limited impact for firms.  Clearly, however, there are costs involved in simply identifying and reviewing relevant agreements and, possibly, re-negotiating these where they do not meet the new criteria.


Yuban Moodley is a senior solicitor in the TMT Group at CMS Cameron McKenna LLP.  He advises financial services institutions and suppliers on IT and business process agreements.

Ash Saluja is a partner in the Financial Services Group at CMS Cameron McKenna LLP. He advises financial services institutions and their suppliers on financial services regulation.

[1] Client categorisation: see draft NEWCOB 3, as published in CP06/19 Reforming Conduct of Business Regulation

[2] Reporting to Clients: see draft NEWCOB 17.2, as published in CP06/19 Reforming Conduct of Business Regulation

[3] Current draft of rules: See Rule 4.1 General Requirements in  Policy Statement 06/13, Organisational systems and controls, Common platform for firms, Feedback on CP06/9

[4] Current draft of rules: See SYSC 8 as published in PS06/13, Organisational systems and controls, Common platform for firms, Feedback on CP06/9

[5] SYSC 8.1.3 G as published in PS06/13, Organisational systems and controls, Common platform for firms, Feedback on CP06/9