2014-04-03

Circular 1/2014 of the CNMV on Internal Organization and Control Functions of Investment Service Entities

The Spanish National Securities Market Commission (CNMV) issued Circular 1/2014 to establish detailed internal organization and control requirements for investment service entities, replacing the previous 1998 circular. The regulation mandates the creation of independent compliance, risk management, and internal audit units, while allowing for proportional consolidation of these functions based on the entity's size and complexity. It further specifies the operational duties of these control units, including conflict of interest management, personal trading restrictions, and the preservation of client assets, with full compliance required by December 31, 2014.

Spain

Comision Nacional del Mercado de Valores

OFFICIAL STATE GAZETTE No. 81 Thursday, April 3, 2014 Sec. I. Page 28319 I. GENERAL PROVISIONS NATIONAL SECURITIES MARKET COMMISSION 3559 Circular 1/2014, of February 26, of the National Securities Market Commission, on the internal organization requirements and control functions of entities providing investment services.

STATEMENT OF MOTIVES

Paragraph 2 of the Final Provision of Royal Decree 217/2008, of February 15, on the legal regime of investment service companies and other entities providing investment services, as amended by Royal Decree 1082/2012, of July 13, approving the implementing regulation of Law 35/2003, of November 4, on collective investment institutions, empowers the National Securities Market Commission to specify and develop the organizational structure requirements and establish minimum internal organization and control requirements appropriate to the nature, volume, and complexity of the investment and auxiliary services provided by investment service companies. It also details the tasks to be carried out by the units performing risk management, compliance, and internal audit functions.

In exercise of this empowerment, this Circular develops and clarifies the provisions regarding the internal organization requirements and control functions of entities providing investment services in an orderly and coherent manner with Law 24/1988, of July 28, on the Securities Market (LMV), and its implementing provisions included in the aforementioned Royal Decree 217/2008, as well as in solvency regulations. It also constitutes an update of Circular 1/1998, of June 10, of the National Securities Market Commission, on internal control systems, continuous risk monitoring, and evaluation, which is now repealed.

Attending to the principle of proportionality, the Circular specifies the organizational structure and internal control requirements of entities providing investment services to ensure that, in general, their organization responds to the range of services they provide. Furthermore, to reinforce measures aimed at investor protection, it specifies the responsibilities and tasks to be carried out by the units responsible for performing compliance functions, as well as those for risk management and internal audit.

In its drafting, some of the recommendations collected by the European Securities and Markets Authority (ESMA) have been taken into account, in the guidelines of February 24, 2012, regarding systems and controls applied by trading venues, investment firms, and competent authorities in an automated trading environment, in the guidelines on certain aspects of the MiFID compliance verification organ requirements and suitability, published on June 25, 2012, as well as in the guidelines on remuneration practices (MiFID) published on June 3, 2013.

The duty to comply with the provisions of this Circular does not exempt entities from complying with other specific internal control regulations applicable to them, such as the obligations established in Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing.

The Circular consists of ten rules distributed in four sections, one additional provision, one repealing provision, and five final provisions. cve: BOE-A-2014-3559

The first section covers its scope of application, which includes Spanish and non-EU investment service companies operating in Spain, credit institutions, branches of investment service companies and credit institutions from EU Member States, as well as agents established in Spain of entities constituted in other Community States.

The second section states that the governing body of entities providing investment services shall be responsible for establishing and maintaining an adequate organizational structure and developing internal organization requirements, among which it is required to create and maintain a unit performing the compliance function. When it comes to investment service companies, they must have a unit performing the internal audit function and may create a single control unit within the organization, responsible for compliance and risk management functions, except when this is not proportional to the nature, scale, and complexity of the activity carried out. This unit may also perform the internal audit function in those investment service companies where the only investment services included in their activity statement are investment advice and the reception and transmission of client orders in relation to one or more financial instruments, provided that the mandate conferred by clients does not grant them disposal power over the financial instruments or funds thereof, and provided that it is proportional to the volume and nature of their activities. For financial advisory companies that are natural persons, the control functions shall be deemed fulfilled with the mandatory submission of the annual activity report, prepared by an independent expert.

The third section details the tasks that units performing compliance, risk management, and internal audit functions must carry out, as well as the reporting obligations to senior management and the CNMV.

The fourth section addresses the requirements to which the delegation of compliance, risk management, and internal audit functions must be subject, and requires entities to have internal manuals detailing the established policies and procedures, which must be available to the National Securities Market Commission.

The sole additional provision foresees the adaptation of the electronic procedure associated with the "Report on Compliance with Internal Control Standards" (ICI).

The Circular includes a repealing provision of Circular 1/1998, of June 10, of the National Securities Market Commission, on internal control systems, continuous monitoring, and risk evaluation.

The first final provision modifies Circular 1/2010 on reserved states of conduct standards so that securities companies and agencies and portfolio management companies submit to the National Securities Market Commission the T4 state on gross income received in the provision of investment services. The second final provision modifies the scope of the independent expert's report to which natural person EAFIs are obliged. The third final provision modifies certain formal aspects of the information required in the (ICI) procedure. The fourth final provision modifies paragraph 5 of rule four of Circular 3/2013, of June 12, of the National Securities Market Commission, on the development of certain information obligations to clients to whom investment services are provided, regarding the evaluation of the appropriateness and suitability of financial instruments. In particular, its scope is reduced by excluding professional clients referred to in paragraph 3 of Article 78 bis, except those referred to in letter e) of Law 24/1988, of July 28. Entities shall not request the handwritten expression referred to in said paragraph when carrying out operations with this type of client. Finally, the fifth final provision establishes that entities providing investment services must have adapted their structure to the requirements imposed by the Circular by December 31, 2014.

In virtue thereof, the Council of the National Securities Market Commission, in its session of February 26, 2014, prior to the report of the Advisory Committee, has ordered the following:

First Section. Scope of Application

Rule One. Scope of Application.

This Circular shall apply to:

  a) Spanish and non-EU investment service companies defined in Articles 64 and 71 quater of Law 24/1988, of July 28, on the Securities Market, respectively.

  Without prejudice to what is established in Rule Two of Circular 10/2008 of December 30, of the National Securities Market Commission, on Financial Advisory Companies, the provisions of this Circular shall also apply to financial advisory companies (EAFI).

  b) Spanish credit institutions and credit institutions from States that are not members of the European Union operating in Spain, which, in accordance with Article 65.1 of Law 24/1988, of July 28, provide investment services or auxiliary services, exclusively with respect to the scope related to such provision and taking into account the nature, scale, and complexity thereof. They shall only be subject to the provisions of this Circular regarding the internal organization requirements indicated in paragraph 1 of Article 70 ter of Law 24/1988, of July 28, and in paragraphs 1 and 2 of Article 27 of Royal Decree 217/2008, of February 15, on the legal regime of investment service companies and other entities providing investment services, as well as in what is provided in Rule Two, Rule Three, Rule Five except paragraphs 1.3, 2.3 regarding cash funds, 2.7, and 3.1, Rule Ten, and the Fifth Final Provision.

  c) Branches of investment service companies and credit institutions from EU Member States, as well as agents established in Spain of entities constituted in other EU Member States, in relation to the measures necessary to comply with the obligations of Article 70 ter, paragraph 1, letter e), of Law 24/1988, of July 28, regarding registers of all operations on securities and financial instruments and investment services provided.

Second Section. Organizational Structure

Rule Two. Organization, Means, and Internal Controls Requirements.

  1. Entities must have organizational measures, technical means, personnel, and internal controls, adequate and sufficient to guarantee compliance with the requirements established in Article 70 ter of Law 24/1988, of July 28; in Royal Decree 217/2008, of February 15, and in solvency regulations.
  2. The organizational structure shall comprise a unit performing the compliance function, a unit performing the risk management function, and a unit performing the internal audit function and supporting the senior management of entities in their responsibility for evaluating and improving the effectiveness of all control systems and procedures established by the entity, including those for risk management and compliance.
  3. In addition to the procedures established in Rules Five and Six of this Circular, entities must adopt, among others, administrative and accounting procedures, procedures related to the management of risks associated with the delegation of functions, procedures to safeguard the security, integrity, and confidentiality of information, and procedures to reduce the risk derived from the unexpected interruption of functions essential for the provision of investment services. They must also have measures and procedures to safeguard the security and preservation of all records required by Law 24/1988, of July 28, and its implementing provisions, in the event of the entity's cessation of activity.
  4. In the development of procedures, the provisions of the guidelines published by the European Securities and Markets Authority (ESMA) shall be taken into account, such as the guidelines of February 24, 2012, regarding systems and controls applied by trading venues, investment firms, and competent authorities in an automated trading environment, as well as the guidelines on certain aspects of the MiFID compliance verification organ requirements and suitability published on June 25, 2012, and the guidelines on remuneration practices (MiFID) published on June 3, 2013, or others, provided that the National Securities Market Commission has confirmed to ESMA its compliance or intention to comply with them.

Rule Three. Responsibility of Senior Management and Control Units.

  1. The governing body of entities providing investment services, auxiliary services, and ancillary activities shall be responsible for establishing and maintaining an adequate and proportional organizational structure according to the nature, scale, and complexity of the investment and auxiliary services they provide, with well-defined, transparent, and coherent lines of responsibility.
  2. Senior management, as defined in letter h) of Article 2 of Royal Decree 217/2008, of February 15, shall define and adopt the necessary measures to ensure that adequate policies and procedures are applied to guarantee that the entity, its directors, personnel, and agents comply with the obligations imposed by Law 24/1988, of July 28, and its implementing provisions, particularly with what is established in Articles 28, 29, and 30 of said Royal Decree. The responsibilities resulting from such obligations, as well as the entity's policies and procedures, shall be clearly defined and recorded in a document duly approved by the governing body.
  3. Senior management shall evaluate and review the effectiveness of the policies, measures, and procedures established to comply with the obligations imposed on the entity by Law 24/1988, of July 28, and development regulations, and adopt measures to address possible recommendations made or deficiencies detected by the units referred to in paragraph 2 of Rule Two.
  4. Units responsible for compliance and risk management functions shall be responsible for controlling compliance with the procedures assigned to them in Rules Five and Six, respectively, of this Circular. However, when internal organization reasons deem it advisable, the effective implementation and control of any of the mentioned procedures may be carried out interchangeably by either of the two units indicated, provided that responsibility remains with the unit designated in the referenced rules and the effectiveness and independence of the control functions are not compromised.

Rule Four. Principle of Proportionality.

  1. Generally, entities providing investment services may create and maintain a single unit, operating independently, performing compliance and risk management functions, provided that the assumption of responsibilities and the performance of tasks associated with each function are ensured.

However, when it is demonstrated to be proportional based on the nature, scale, and complexity of their activities, as well as the characteristics and extent of the investment services and activities they provide, entities providing investment services must have a unit performing the compliance function and a unit performing the risk management function in accordance with Article 29.2 of Royal Decree 217/2008, of February 15.

  2. When it comes to EAFIs that are natural persons, the obligations to have compliance, risk management, and internal audit functions shall be deemed fulfilled with the work performed by the independent expert referred to in the report referenced in the First Additional Provision of Circular 1/2011, of January 21, of the National Securities Market Commission, which modifies Circular 12/2008, of December 30, on solvency of investment service companies and their consolidatable groups, provided that these EAFIs have an effective internal control system that guarantees compliance with applicable conduct standards, the accuracy and reliability of their financial information, and the adequate management of operational, technological, and strategic risks to which they may be exposed. Otherwise, natural person EAFIs must have an organizational structure that ensures compliance with the control functions referred to in paragraph 2 of Rule Two.
  3. Notwithstanding what is established in paragraph 2 of Rule Two of this Circular, it shall not be mandatory for investment service companies to have a unit performing the internal audit function, when the only investment services included in their activity statement are investment advice and the reception and transmission of client orders in relation to one or more financial instruments, provided that the mandate conferred by clients does not grant them disposal power over the financial instruments or funds thereof, and provided that it is demonstrated to be proportional based on the nature, volume, and complexity of the service provided. In these cases, the internal audit function may be performed by the unit referred to in the previous paragraph 1, provided that responsibilities and tasks associated with each function are adequately guaranteed, or delegated to the entity in which the compliance and risk management functions have also been delegated.

Third Section. Control Functions

Rule Five. Compliance Function.

  1. In accordance with Article 28 of Royal Decree 217/2008, of February 15, the unit, within the organization of entities providing investment services, that performs the compliance function in the scope of such provision, must:
    1.1 Have a person or body in the organization responsible with sufficient training and authority to promote its independence, have personnel with sufficient professional knowledge and experience, have adequate technical means, and have access to internal processes, necessary information, and entity activities to guarantee broad coverage of the compliance function on a permanent basis.
    1.2 Act with independence in the exercise of their profession. To this end, persons responsible for performing the compliance function cannot participate in the provision of the services and activities they control so that they are not subjected or disadvantaged by the undue influence that persons from other areas of the entity's activity might exert. Furthermore, and in case they receive variable remuneration, this must be based primarily on the achievement of objectives related to their functions, independent of the results of the business area they control.
    1.3 However, when it comes to entities that, in accordance with paragraph 3 of Rule Four, meet the conditions to have a unit performing compliance, risk management, and internal audit functions, they are not obliged to comply with the requirements indicated in the previous paragraph 1.2.
    1.4 Identify and periodically evaluate compliance risks in different business areas and contribute to their efficient management. In this sense, it must design a review plan of established procedures, adequate to prevent, detect, correct, and minimize any risk of non-compliance with obligations imposed by regulations applicable to entities providing investment services, and in particular, the risk of such entities suffering sanctions, material financial loss, or reputational damage as a result of violating applicable laws, regulations, standards, self-regulation norms, and codes of conduct.
    1.5 Establish, in accordance with the previous paragraph 1.4, an updated supervision and control program that takes into account all investment services, activities, and auxiliary services provided by the entities, and have adequate control tools and methodologies, which may include on-site visits to operational areas, to verify that policies and procedures are effectively implemented.
  2. The unit, within the organization, that performs the compliance function in the scope of the provision of investment services, must check, at least, compliance with:
    2.1 The regime of personal transactions, in accordance with letter d) of paragraph 1 of Article 70 ter of Law 24/1988, of July 28, and Articles 34 and 35 of Royal Decree 217/2008, of February 15, regarding directors, executives, employees, and attorneys or agents of entities, established in its internal code of conduct, and the specific functions that, if applicable, said code attributes to it.
    2.2 Conflict of interest management procedures and related party transactions to avoid harming clients, in accordance with letter d) of paragraph 1 of Article 70 ter of Law 24/1988, of July 28, and Articles 44 to 47 of Royal Decree 217/2008, of February 15. In any case, these procedures must contemplate the existence of a regularly updated register of those operations and activities in which a conflict of interest has arisen or may arise.
    2.3 Procedures for the safeguarding of financial instruments and funds entrusted by clients in the scope of the provision of investment services, in accordance with letter f) of paragraph 1 and letter c) of paragraph 2 of Article 70 ter of Law 24/1988, of July 28, respectively, and in Circular 5/2009, of November 25, of the National Securities Market Commission, which regulates the report