ESMA publishes principles for post-Brexit supervisory convergence

On 31 May 2017, the European Securities and Markets Authority (ESMA) published an Opinion, “General principles to support supervisory convergence in the context of the United Kingdom withdrawing from the European Union” (the Opinion), addressed to the national competent authorities within the EU - and, in particular, those of the Member States (the EU27) which will remain following the UK’s departure. 

Background to, and aim of, the Opinion

The Opinion is intended by ESMA to be "a practical tool to achieve supervisory convergence" after the UK’s departure from the EU (Brexit). This follows complaints from some Member States that others might be prepared to relax regulatory or supervisory requirements in order to attract business from the UK (the so-called “race to the bottom”).

Accordingly, the Opinion addresses the risk of regulatory and supervisory arbitrage that might result from the anticipated movement of entities, activities or functions from the UK to the EU27 with an associated increase, within a relatively short time frame, of requests from financial market participants looking to relocate in the EU27 in order to maintain access to EU financial markets.

However, it should be stressed that the Opinion (which is based on the premise that the UK, following Brexit will become a "third country") is subject to the terms of any deal struck in due course between the UK and the EU regarding the terms of exit.

Key issues raised in the Opinion

The Opinion has special relevance in the areas of authorisation and of delegation and will be of interest to asset managers which wish to continue to maintain business activities and operations in the UK as well as in the EU27 following Brexit. Its key points include:

(a)       Authorisation

• following Brexit, a UK firm wishing to continue to benefit from the EU passport would need to establish itself in an EU27 Member State and seek authorisation from that Member State’s competent authority
• however, once the UK has become a third country, an EU27 competent authority will not be able automatically to recognise an authorisation which the FCA had previously granted, though it will be able to take some aspects of the FCA’s assessment (such as fit and proper requirements) into consideration "where appropriate"
• since the authorisation process takes time and since the firm must be compliant with relevant legislation from day one, ESMA’s view is that firms which wish to relocate to an EU27 Member State should approach the relevant competent authority "as early as possible".

(b)       Outsourcing and delegation

• certain activities and functions which are key to the proper functioning of the regulated entity should remain in the EU27 and cannot be outsourced or delegated outside the EU - in ESMA’s view, these include internal control functions, IT control infrastructure, risk assessment, compliance functions, key management functions and sector-specific functions
• any outsourcing or delegation arrangement from an EU27-authorised firm to a third country entity must be strictly framed and consistently supervised
• outsourcing or delegation arrangements, under which a firm confers either a substantial degree of activities or critical functions to another entity, should not result in the former becoming a letter-box entity
• a relocation request which creates a letter-box entity should be rejected if extensive use of outsourcing and delegation is envisaged in order to benefit from an EU passport but where all substantial activities or functions are essentially performed outside the EU27, and 
• ESMA’s view is that EU27 regulators "should be able to conduct on-site inspections of outsourced or delegated activities or functions without any prior third party authorisation".

(c)       Other issues

• the main driver for relocation to a particular EU27 jurisdiction should be clear from the relevant entity’s programme of operations, for example, the location of its prospective investors - ie, firms should not be able simply to select jurisdictions which are perceived as being a lighter regulatory touch where the jurisdiction in question has little or no relevance to the firm’s business operations
• key executives and senior managers of EU authorised entities should be employed in the Member State of establishment and work there "to a degree proportionate to their envisaged role, if not on a full-time basis", and 
• an EU27 competent authority must satisfy itself that an entity applying for authorisation has decision-making powers in the relevant Member State of establishment - the competent authority should assess, inter alia, “the quality and the appropriate presence of executive board members and senior managers” of the applicant within the proposed Member State of establishment.

Next steps

The Opinion covers UCITS AIFMD and MiFID, although ESMA indicates that it intends to develop two sector-specific opinions concerning asset managers, investment firms and secondary markets" in due course. (The expectation is that these will be published in July 2017).

Similar Opinions are expected to be published by the other European Supervisory Authorities, the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) in respect of the areas which they regulate and/or supervise.

Summary of the Opinion

The Opinion sets out the following nine high-level "Principles":

Principle 1 - No automatic recognition of existing authorisations

• following Brexit, a UK firm wishing to continue to benefit from the EU passport must establish itself in an EU27 Member State and seek authorisation from that Member State’s competent authority
• an EU27 competent authority will not, under EU law, be able automatically to recognise an authorisation which a third country authority had granted - although, in its Principle 2 (below), ESMA notes that the EU27 competent authority will be able to take some aspects of that authority’s assessment (such as fit and proper requirements) into consideration "where appropriate", and 
• firms wishing to relocate to an EU27 Member State should approach the relevant competent authority "as early as possible".

Principle 2 - Authorisations granted by EU27 NCAs should be rigorous and efficient

• conditions set by the relevant legislation must be met from day one of the authorisation - the EU27 competent authority should satisfy itself that the entity has provided sufficiently detailed information to allow the authority  to assess that the entity complies with the requirements under the relevant legislation and ESMA guidance
• the EU27 competent authority should scrutinise carefully, inter alia, the governance structure, human and technical resources of the applicant entity, its geographical distribution of activities, as well as outsourcing and delegation arrangements, and
• authorisation should not be granted where the activity carried out indicates clearly that the entity has opted for the legal system of a Member State for the purpose of evading the stricter standards in force in another Member State, within the territory of which it intends to carry on the greater part of its activities.

Principle 3 - NCAs should be able to verify the objective reasons for relocation

• the EU27 competent authority is expected to check that the planned EU27-based activity is the main driver for the relocation of entities, activities and functions - an entity’s programme of operations should provide a "clear justification" for relocating to the Member State of establishment
• to establish a clear view on the geographical distribution of planned activities, the EU27 competent authority should obtain information on, for example:
  • prospective investors or marketing and promotional arrangements, and
  • location of development of products or services
• the EU27 competent authority should also establish whether the applicant entity has engaged with, or had its application rejected by, another EU27 competent authority, and 
• an application for authorisation should be subject to particular scrutiny where the entity concerned appears to intend to pursue the greater part of its activities in other Member States - the EU27 competent authority is expected to grant authorisation only where it is "fully satisfied that the Member State of establishment was not chosen for the purpose of evading stricter standards in force in other Member States". 

Principle 4 - Special attention should be granted to avoid letter-box entities in the EU27

• ESMA’s view is that challenges (both for entities and for the competent authority supervising them) arising from outsourcing or delegation are heightened where the service provider is located outside the EU, since the ability of entities and the competent authority to, respectively, control and supervise may be significantly impacted, and 
• an EU27 competent authority should reject a request for authorisation which creates letter-box entities where extensive use of outsourcing and delegation is envisaged "with the intention of benefitting from an EU passport, while essentially performing all substantial activities or functions out-side the EU27".

Principle 5 - Outsourcing and delegation to third countries is only possible under strict conditions

• firms wishing to outsource or delegate tasks or functions remain fully responsible for these - the ability to direct and control outsourced or delegated functions must always be retained by the firm which initiates the outsourcing or delegation, and 
• an EU27 competent authority should be "prudent" when determining the extent to which an entity can rely on outsourcing or delegation - under certain EU legislation, such arrangements involving a third country entity are conditional on there being a cooperation agreement in place between the authorities of the EU Member State and of the third country.

Principle 6 - NCAs should ensure that substance requirements are met

• an EU27 competent authority should require that any outsourcing or delegation arrangements are clearly structured and set up in a way that does not hinder its ability to efficiently and effectively supervise 
• "comprehensive information" should be provided by the firm to ensure that the EU27 competent authority has “sufficient knowledge” of the outsourcing and delegation arrangements as well as the ability to properly supervise them
• the EU27 competent authority should have effective access to all data related to the outsourced or delegated activities or functions and to the business premises of the entity to which the activities or functions are outsourced or delegated
• outsourcing and delegation arrangements should not have an impact on business continuity, confidentiality and conflicts of interest, which have to be appropriately managed
• in particular, "certain key activities and functions" should be present in the EU27 - these activities are "key to the proper functioning of the regulated entity and consequently cannot be outsourced or delegated outside the EU".  ESMA’s view is that this is “at least the case for the substance of decision-making", and 
• "some important activities and functions" in “certain sector specific circumstances” cannot be outsourced and delegated without threatening the activity of the regulated entities and the possibility of effective supervision by the EU27 competent authority. Such activities and functions include, in ESMA’s view, internal control functions, IT control infrastructure, risk assessment, compliance functions, key management functions and sector-specific functions.

Principle 7 - NCAs should ensure sound governance of EU entities

• board members and senior managers in the EU27 must have effective decision-making powers in relation to compliance with EU law even where the entity is part of a corporate group.
• ESMA expects key executives and senior managers of EU authorised entities to be employed in the Member State of establishment and work there "to a degree proportionate to their envisaged role, if not on a full-time basis"
• in satisfying itself that an applicant for authorisation disposes of decision-making powers in the targeted Member State of establishment, the EU27 competent authority should assess, inter alia
  • the quality, and
  • the appropriate presence
• of executive board members and senior managers in the Member State of establishment, so the EU27 competent authority may ensure that executive board members and/or senior management can effectively carry out their responsibilities
• the EU27 competent authority must check that EU entities comply with governance requirements and that they are able to effectively control the outsourced or delegated activities or functions – this means, among other things, having the technical knowledge and capability to request necessary changes to outsourced or delegated services, to monitor the relevant deployment and to assess the quality of those services provided, and
• in respect of risk management, EU entities should have adequate levels of own funds as well as liquidity, and these should be readily available to them, taking into account possible insolvency.

Principle 8 - NCAs must be in a position to effectively supervise and enforce Union law

• an EU27 competent authority should have adequate resources and capacity both to (a) monitor the effective application of the relevant legislation and (b) respond to market developments
• it should be in a position to ensure effective supervision of entities and, in particular, ensure that initial conditions set at the moment of authorisation are met on a continuous basis, including those relative to outsourcing and delegation arrangements (and such arrangements must not impact the competent authority’s ability to enforce the relevant legislation), and 
• ESMA states that "[t]his implies that NCAs should be able to conduct on-site inspections of outsourced or delegated activities or functions without any prior third party authorisation".

Principle 9 - Coordination to ensure effective monitoring by ESMA

• ESMA will establish a new forum for reporting and discussions among NCAs regarding market participants seeking to relocate entities, activities or functions to the EU27 and to promote "consistent decisions" by EU27 competent authorities, and
• authorisation and supervision of, and potential enforcement against, supervised entities is and remains a competence of the national competent authorities.