The critical role of governance, risk and control in the successful implementation of MiFID II
17 March 2017
Many questions remain regarding MiFID II and further level 3 guidance is anticipated across much of the wide ranging regulation. However, one matter that both the industry and regulators can agree on is that very little time remains to implement the vast amount of required changes before the 3rd January 2018 deadline.
It is understandable that firms are immersed in the detailed interpretation, business requirement documents, technical specifications and build out of MIFID II. However, focusing solely on process implementation has cost implications which are all too visible in the short-comings of firms today with respect to their implementation of MiFID I. The ‘I’s were dotted and ‘T’s crossed on MiFID implementation in 2007 but ten years on, firms are continuing to battle to comply and adhere to its requirements.
The answer is simple - the framework of governance, policies and controls was an after-thought and not properly embedded around MiFID, therefore, the successful operation of its component requirements remains brittle and prone to deterioration.
Today’s regulators are less tolerant and there is an expectation that the MiFID II work streams currently beavering away on implementation should be equally considering how their control environment needs to change to support compliance sustainably after 3 January. We believe regulators will ask to see the governance, risk and controls framework around MIFID II and they will expect compliance and internal audit functions at firms to have prepared for this.
Firms should be assessing and building out the required changes to their control, policy and governance environment alongside the technical implementation. But this needs thought and precision to be effective.
What makes implementation of a governance, policy and control framework for MiFID II successful?
- Central coordination/control environment work stream - ensures a consistent standard of controls are implemented across the myriad of content and impacted businesses, functions and processes.
- Traceability to regulatory requirements - allows for a clear audit trail for both internal oversight/audit functions and external regulators.
- Continuous interaction with the broader MiFID II programme – enables a congruence of control framework with the underlying regulatory requirements.
Don’t leave it too late - some work now can protect the risk of non-compliance in years to come.