2023-06-29
The Norwegian Financial Supervisory Authority issues this circular to clarify the interpretation and supervisory practice regarding the organization and operations of securities companies under the Securities Trading Act. It mandates strict governance standards, including specific board composition requirements, qualification criteria for actual and daily leaders, and the establishment of independent compliance, risk management, and anti-money laundering functions. The document further details operational requirements such as reporting lines, outsourcing rules, and procedures for cross-border activities within and outside the EEA.
Circular
The circular applies to: Securities Companies
This circular replaces circulars 4/2015 and 5/2015.
1 Introduction
Securities companies must be organized and operated in a prudent manner. The Securities Trading Act together with its accompanying regulations contains a number of requirements that are intended to contribute to the prudent organization and operation of securities companies, including rules on management and the board of directors, handling of information and conflicts of interest, guidelines and procedures, internal control, documentation, and good business practice. The purpose of this circular is to clarify the Financial Supervisory Authority's interpretation and supervisory practice regarding the rules on the organization and operations of securities companies.
The requirements applicable to applications for permission to provide investment services, including requirements for procedures and guidelines, are described in a separate guide on the Financial Supervisory Authority's website. 1) This circular provides more detailed information on ongoing requirements for the organization and operations of securities companies.
The investment services defined in the Securities Trading Act (vphl.) § 2-1 (1) nos. 1 to 7 are referred to in this circular as follows: Reception and transmission of orders (no. 1), execution of orders (no. 2), proprietary trading (no. 3), portfolio management (no. 4), investment advice (no. 5) and placement (nos. 6 and 7). The circular also discusses two ancillary services mentioned in vphl. § 2-6 (1) nos. 3 and 5, namely corporate advice (no. 3) and analysis (no. 5).
In this circular, the term securities company also includes credit institutions with permission to provide investment services, unless the context indicates otherwise.
2 Governance and Control
2.1 Introduction
Board members, the managing director, and others who actually participate in the management of the securities company must at all times have sufficient qualifications and experience, have conducted themselves with integrity, and otherwise not have exhibited improper behavior that gives reason to assume that the position or office will not be able to be carried out in a prudent manner, cf. vphl. § 9-10 (1). Changes in management shall be reported to the Financial Supervisory Authority, cf. vphl. § 9-10 (9). 2) The same applies to changes in the compliance officer, anti-money laundering officer, and any branch managers and associated agents. 3)
This circular supplements circular 1/2020 regarding the suitability assessments of the management in securities companies. 4)
In its supervisory practice, the Financial Supervisory Authority also bases itself on the "Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU". 5)
The requirements that the Financial Supervisory Authority bases itself on in its supervisory practice related to the management and internal control of securities companies are described in sections 2.3 to 2.12.
2.2 Procedures and Guidelines
Securities companies must draw up a number of procedures and guidelines. These should function as a tool for the securities company in fulfilling the company's obligations under the Securities Trading Act and other regulations, cf. vphl. § 9-16 (1) no. 1. An overview of relevant procedural requirements is included in the guide mentioned in note 1.
2.3 The Board of Directors
To ensure that the securities company's board of directors as a whole has broad experience and sufficient knowledge and competence to understand the company's operations, cf. vphl. § 9-10 (5), the Financial Supervisory Authority bases itself on the requirement that the board of directors must have at least three members. Of these, at least one member must be external. This means that the person in question does not, as a general rule, have any connection to the company in the form of being an employee or owner (directly or indirectly). The external member may also not be employed in other companies in the same group as the company or in companies with ownership interests in the company. This is justified by the requirement for the board's independence, cf. vphl. § 9-10 (6) and § 9-11 (1) no. 4.
Each individual board member must satisfy the law's requirements for qualifications and experience, cf. vphl. § 9-10 (1). However, it is the board's collective competence that is decisive in the assessment of whether the board satisfies the conditions, cf. § 9-10 (5). It is therefore not required that all board members have experience from the securities sector. The external board member must, however, have such experience, possibly together with other external board members. It is not sufficient that the board's experience in the securities sector is maintained by board members who are either employees of the company or owners. What experience will be considered sufficient is assessed concretely, taking into account among other things the type of business the company conducts.
The managing director cannot be the chairman of the board of the company, unless this is satisfactorily justified by the company and approved by the Financial Supervisory Authority, cf. vphl. § 9-10 (11). The Financial Supervisory Authority further bases itself on the principle that other employees of the securities company generally cannot also be the chairman of the board of the company.
Whether the managing director or other senior employees in a securities company can be members of the company's board of directors will depend on a concrete assessment of the extent to which such an organization hinders the board from exercising its supervisory responsibility for the business. If the managing director or other senior employees are members of the board, the company must organize the board's work such that the processing of board matters is sufficiently independent of the daily management.
For credit institutions, there are specific requirements for the board of directors, cf. the Financial Undertakings Act §§ 3-5 and 8-4 and the Financial Undertakings Regulations § 9-2, cf. vphl. § 9-4. In credit institutions, the board of directors must have at least five members, and the managing director cannot be a board member. Furthermore, the chairman of the board and at least two-thirds of the board together must not be employed in the company or in companies in the same group. The Financial Supervisory Authority bases itself on the requirement that credit institutions with permission to provide investment services must have at least one board member with qualifications and experience from the securities market.
2.4 Daily and Actual Management
2.4.1 Requirements for Relevant Qualifications and Professional Experience
The actual manager in a securities company must normally have operational experience from the relevant investment service business. The experience should as a general rule have been acquired in two of the last five years.
What experience is considered relevant is assessed based on which investment services the person is to lead. General experience from the securities market will not necessarily be sufficient. In the assessment, the leader's theoretical background is also taken into account.
Persons who are to be leaders for the investment service portfolio management must as a general rule have operational experience from portfolio management in a securities company, a management company for securities funds, or an alternative investment fund manager. Persons who are to lead the investment service investment advice must as a general rule have operational experience from investment advice or portfolio management.
Whether experience from another investment service, or another area in the securities company than the one for which the person is to be the actual manager, is sufficient relevant experience is assessed concretely.
The requirements placed on the managing director depend on whether the company has actual manager(s) in addition. If the managing director's role involves an administrative leadership position and the company has other persons who are actual leaders for the investment services, fewer requirements are placed on the managing director's qualifications and professional experience within the securities sector.
2.4.2 Number of Leaders
The starting point is that the actual management of the securities company shall be exercised by at least two persons, and that the Financial Supervisory Authority can make exceptions to this requirement, cf. vphl. § 9-10 (10). "At least two persons in the actual management" means the managing director and at least one actual manager. How many leaders the company should have will depend among other things on the scope and complexity of the business, the requirements for prudent handling of information and conflicts of interest (cf. section 3), and the duty to have a clear organizational structure and division of responsibilities.
2.4.3 Two Actual Managers for the Same Investment Service
The Financial Supervisory Authority bases itself on the principle that securities companies generally cannot have more than one actual manager for the same investment service. This is justified by the securities companies' duty to have a clear organizational structure and division of responsibilities.
Exceptions to this starting point are accepted if the securities company is large enough to be organized with clear separations between different departments that provide the same investment services. Two actual managers for the same investment service can, for example, be accepted if the company wishes to separate "equity desk" and "fixed income desk", and considers it appropriate to have separate actual managers for these units. A similar solution may be acceptable if the company separates the business under the placement investment service into separate units for equity and debt.
A prerequisite for such units to have their own suitability-assessed actual managers is that the organizational separations are fully implemented, and that the areas of responsibility for each actual manager are clear. There must be no doubt about which business belongs to each unit and manager, and which employees report to which manager. Employees cannot be moved between units unless there are special circumstances in individual cases that justify such movement.
2.5 Branch Manager
Securities companies must report to the Financial Supervisory Authority before establishing a branch in Norway. The branch must have a manager who meets the requirements in vphl. § 9-10 (1), cf. vphl. § 9-21 (1). The branch manager must normally have operational experience from the investment service business provided in the branch. If the branch manager's role involves an administrative leadership position and the branch has one or more other persons who are the actual leader for the investment services provided in the branch, fewer requirements are placed on the branch manager's qualifications and professional experience within the securities sector. The actual leader for investment services provided in the branch must in such cases also be suitability-assessed, and must as a general rule have operational experience from the investment services within their area of responsibility.
If a branch has a service spectrum that necessitates information barriers, the branch must have its own suitability-assessed actual managers for these investment services, cf. section 3.3.
All business offices through which a securities company provides investment services in addition to the head office shall as a general rule be considered branches. These must thus have a manager who satisfies the requirements in vphl. § 9-10 (1), cf. § 9-21 (1). Business offices established at a considerable geographical distance from the head office, for example in the same city, may under the circumstances still be considered as a unit directly subordinate to the head office without requirements for a separate suitability-assessed manager. Furthermore, the Financial Supervisory Authority has in practice based itself on the principle that so-called sub-offices of branches can be established without the sub-office itself being considered a branch with requirements for a suitability-assessed manager under vphl. § 9-21 (1). This presupposes that the sub-office is directly subordinate to a branch with a manager who satisfies the suitability requirements, that the branch manager actually exercises real control over the business at the sub-office, and that the sub-office only provides investment services related to non-complex financial instruments as defined in vphl. § 10-16 (1). Furthermore, the geographical distance from the sub-office to the branch, the number of employees at the sub-office, and the scope of the sub-office's investment service business will have significance for whether the sub-office must be considered a branch with requirements for a separate suitability-assessed manager.
2.6 Associated Agents
Securities companies may use associated agents, cf. vphl. § 10-22 and the Securities Regulations (vpf.) §§ 10-8 to 10-12. The securities company is fully and entirely responsible for business that the agent conducts on behalf of the securities company. The requirements placed on agent business are described in more detail on the Financial Supervisory Authority's website. 6) The managing director at the agent must satisfy the same suitability requirements as actual managers and branch managers in the securities company.
2.7 Deputy
According to vphl. § 9-16 (1) no. 3, securities companies must take reasonable measures to ensure continuity and regularity in investment service business, including having necessary systems, resources, and procedures. This implies among other things that the company must appoint deputies for the daily and actual managers in their absence. Also when appointing deputies, the company must be conscious of the requirements for prudent handling of information and conflicts of interest, cf. section 3.
Delegated Commission Regulation (EU) 2017/1943 Article 8 no. 1 letter c) and d) and no. 2, cf. vpf. § 9-3 (1), sets specific suitability requirements for deputies in companies with only one person in the actual management. In the assessment of the deputy's suitability, it is natural to start from the requirements placed on actual managers, but in light of the fact that the deputy's functioning is of a temporary nature, less strict requirements are placed on deputies.
Companies with only one person in management must keep the Financial Supervisory Authority continuously informed about who is the deputy for the managing director at any given time.
2.8 Reporting Lines
The Financial Supervisory Authority bases itself on the principle that the actual manager shall report directly to the managing director, who in turn reports to the board of directors. The manager of a branch/agent shall report directly to the actual manager(s) for the investment services provided by the branch/agent.
In larger companies, it may be appropriate for the actual manager to report to a manager directly subordinate to the managing director, for example a group director, who is responsible for the business area where the relevant investment service business is conducted. Whether such an organization can be accepted depends on a concrete assessment where the size, scope, and complexity of the business are weighed. It is further a prerequisite that the manager to whom the actual manager reports is suitability-assessed by the Financial Supervisory Authority. There will not be particularly extensive requirements for qualifications and professional experience within the securities sector for this manager.
In larger companies, it may further be appropriate for the branch manager to report to a manager directly subordinate to the actual manager, for example a regional manager. This manager will normally also be considered a branch manager within the meaning of the Securities Trading Act, and must be suitability-assessed by the Financial Supervisory Authority. Whether such an organization can be accepted depends on a concrete assessment where the size, scope, and complexity of the business are weighed.
2.9 Management Presence
The managing director and actual managers must have their fixed workplace at the securities company's head office, and the branch manager must have their fixed workplace in the branch. This does not prevent the company from reasonably allowing its managers and other employees to work from home offices, provided that confidentiality, information security, and other requirements for the business are observed.
If an investment service is only provided in one or more of the company's branches, the Financial Supervisory Authority has based itself on the principle that the actual manager for this investment service can have their workplace in one of the branches.
2.10 Compliance Function
Securities companies are obligated under vphl. § 9-16 (1) no. 1 to have sufficient and reassuring guidelines, procedures, and control methods that ensure that the company, its managers, employees, and associated agents comply with their obligations under laws and regulations. This includes among other things that the company must establish a permanent, effective, and independent control function (compliance function) that monitors the company's compliance with regulations. The company must have written procedures for the compliance function.
The detailed requirements for the compliance function in securities companies are set out in Delegated Commission Regulation (EU) 2017/565 Article 22, cf. vpf. § 2-2.
ESMA has prepared "Guidelines on certain aspects of the MiFID II compliance function requirements". The Financial Supervisory Authority will base itself on these guidelines and follow them up in its supervisory practice. 7) In the following, the Financial Supervisory Authority will give some further guidelines for the compliance function in Norwegian securities companies.
The securities company's management (the board of directors, managing director, and others who actually participate in the management of the company) must ensure that the company has a good compliance culture. A good compliance culture is crucial for making the company's employees conscious of the considerations behind the requirements for investor protection and for the company's compliance with its obligations. The company's management must make visible its support for the compliance function in the exercise of the function's tasks to ensure that the function has sufficient authority in the organization.
The securities company is responsible for all business that associated agents conduct on the company's behalf. If the company uses associated agents, the management is responsible for organizing the company such that special risk factors following from this are taken into account. The compliance function must be organized such that the company ensures compliance with regulations, also for the business carried out by associated agents.
Securities companies must draw up a periodic compliance plan for planned compliance activities. This is a necessary working tool to ensure that the entire company's business is subject to effective control. There must additionally be ongoing controls in connection with situations that arise. The compliance plan should be approved and regularly followed up by the board of directors.
The company must both document its control actions and keep a comprehensive register of events and deviations that occur independently of specific control actions. This is a necessary tool for appropriate reporting, and for creating a documented record of what work is actually performed by the compliance function, both internally and towards the Financial Supervisory Authority. Such documentation will also enable the company to detect whether an individual event/deviation is a random error or a result of more systematic conscious or unconscious misjudgments. Such documentation is also necessary to detect whether there are certain departments, sections, or areas that stand out, and where it is necessary to implement measures to remedy a lack of compliance with regulations.
Securities companies must ensure appropriate internal compliance reporting. This means reporting where reporting lines, level of detail, and frequency are adapted to the nature, scope, and complexity of the business. Appropriate reporting is necessary to give the company's management a regular overall picture of compliance with regulations, and to provide a basis for implementing necessary measures from the top level where required, both acute ad hoc interventions and more systematic and long-term compliance work. Appropriate reporting also helps create a documented record, internally and externally towards the Financial Supervisory Authority, of what work is actually performed by the compliance function. A direct reporting line from the compliance function to the board of directors must be established. The periodic reporting should be set out in the procedures for the compliance function, and the board of directors must evaluate which reporting frequency is appropriate.
To ensure the independence of the compliance function, decisions regarding the dismissal of the compliance officer should be taken by the company's board of directors. Compliance employees cannot be board members in the company. The managing director or other persons involved in the provision of investment services can normally not be the compliance officer, unless the control tasks are simultaneously outsourced.
When outsourcing the compliance function, an employee must be appointed who is responsible for following up the outsourced tasks. In smaller companies, this can be the managing director. The company must ensure that a reporting line is established directly from the service provider to the board of directors, in addition to reporting to the compliance officer in the company. Normally, it will be necessary for the service provider to be regularly present in the company, including at any associated agents, to obtain the necessary proximity to the functions being controlled.
2.11 Risk Management Function and Internal Audit
All securities companies are subject to regulations on risk management and internal control. The risk management and internal control must be adapted to the nature, scope, and complexity of the company's business, cf. the regulation § 2. 8)
Securities companies must, if it is appropriate and proportionate to their business's nature, size, and complexity and the nature and scope of the investment services and investment activities they perform, introduce and maintain an independent risk management function, cf. Delegated Commission Regulation (EU) 2017/565 Article 23 no. 2, cf. vpf. § 2-2. The company must also, if necessary, introduce and maintain an independent internal audit function, cf. Article 24.
Small securities companies with limited business can have a combined compliance and risk management function. Larger companies with a broad service spectrum and complex risk profile must have separate compliance and risk management functions, and should under the circumstances also consider having an independent internal audit that reports to the board of directors. A duty for internal audit may also follow from the regulation on risk management and internal control § 9. 9)
2.12 Anti-Money Laundering Officer
Securities companies must prevent and detect transactions related to the proceeds of criminal activity or related to terrorist financing. Detailed rules on measures against money laundering and terrorist financing are found in the Anti-Money Laundering Act (hvhl.) and the Anti-Money Laundering Regulations. The company's procedures must be drawn up based on the risk assessment made for the business. Both procedures and risk assessment must be written, and they must be updated regularly, cf. hvhl. §§ 7 and 8.
The company must appoint an anti-money laundering officer in the management who is responsible for ensuring that the anti-money laundering procedures are implemented and complied with in the business, cf. hvhl. § 8 (5). If the company's nature and scope indicate it, the company must also appoint a compliance officer, cf. hvhl. § 35 (2) (a). The compliance officer cannot be the same person as the anti-money laundering officer.
The requirements in the Anti-Money Laundering Act are described in more detail in the Financial Supervisory Authority's circular 4/2022 Guide to the Anti-Money Laundering Act. 10)
2.13 Outsourcing
Securities companies must take reassuring measures so that operational risk is limited to a minimum when using a third party to perform operational functions, cf. vphl. § 9-16 (1) no. 4. The company cannot delegate important operational functions to a third party if this leads to the company's internal control and ability to monitor compliance with its obligations being noticeably deteriorated, or if the Financial Supervisory Authority's opportunity to supervise the business is noticeably deteriorated or made more difficult, cf. vphl. § 9-16 (2).
Supplementary rules on outsourcing are given in Delegated Commission Regulation (EU) 2017/565 Articles 30 to 32, cf. vpf. § 2-2.
Outsourcing of important or critical business must be reported to the Financial Supervisory Authority, cf. the Financial Supervisory Authority Act § 4c and the regulation on reporting obligations in connection with outsourcing of business etc. § 3. Such reporting must be given using the Altinn form KRT-1121. 11)
The outsourcing regulations are described in more detail in the Financial Supervisory Authority's circular 7/2021 Guide on Outsourcing. 12)
2.14 Cross-Border Business
Securities companies can conduct cross-border business in other EEA states either directly from a business location in Norway, cf. vphl. § 9-32, or by establishing a branch or using an associated agent in another EEA state, cf. vphl. § 9-33. 13) Information about this and the accompanying forms that must be used is available on the Financial Supervisory Authority's website. 14) Establishment of a subsidiary or branch outside the EEA requires permission from the Financial Supervisory Authority, cf. vphl. § 9-21 (3). Cross-border business outside the EEA without accompanying establishment is not regulated in the Securities Trading Act, but may be subject to restrictions in the relevant state. Such