The Effectiveness of the Compliance Function

The ultimate purpose of the monitoring and reporting obligations allocated to the Compliance Function is to ensure that the compliance risks inherent in the investment activities and services undertaken by the regulated entity are duly mitigated and the applicable laws and regulations are properly adhered to.

A broad set of skills, ample knowledge, and a high level of experience and expertise play an essential role in enhancing the effectiveness of the function.  Our write up on Compliance Talent highlights the importance of these attributes that the Compliance Function, and in particular the compliance officer, shall possess in order to properly discharge its obligations.

However, for the Compliance Function to be able to assume responsibility for its role and ensure that it operates effectively, appropriate resources, human and otherwise, should be allocated to the role. The extent of these resources should reflect the nature, scale, and type of the investment services, activities, and ancillary services undertaken by the regulated entity.

A company that provides an extended range of services or deals in complex transactions is normally expected to dedicate a larger number of staff to the Compliance Function and to, consequently, have an extended Compliance Function. The said proportionally is justifiable in view of the presence and constant changes of significant risk factors that the company faces. It should be the responsibility of the senior management to regularly monitor the proper and sufficient allocation of staff and to provide for further human resources dedicated to the compliance role. The senior management should make any reasonable effort to guarantee that the number of staff allocated to the Compliance Function remains adequate for the fulfilment of the Compliance Function.

In addition to human resources, other resources such as IT resources, including equipment, networks, hardware, software, technical knowledge and expertise and computer systems, held, owned, or used by the Company should be provided to the Compliance Function to support and facilitate the completion of allocated tasks more effectively.

The budget allocated to the Compliance Function should take into account and should be consistent with the above-mentioned required resources and should contemplate the extent of compliance risk that the regulated entity is exposed to. The budget allocation shall be carried out in proper consultation with the Compliance Officer. It is considered good practice for the regulated entity to record and have available written evidence of these processes. Furthermore, in line with ESMA’s guidelines, all decisions for significant cuts in the allocated budget should be documented in writing and contain detailed explanations.

The effectiveness of the Compliance Function also depends on the extent of information and access granted to it in relation to the services, activities, and transactions undertaken by the regulated entity. The entity shall ensure, by having its policies documenting in writing and by regularly monitoring, that the Compliance Function is given the required access to all the relevant and pertinent information at all times. In this regard, the Compliance Function shall have a permanent overview of the areas where sensitive or relevant information might arise. Access should also be granted to information systems available, databases, internal or external audit reports, risk management reports etc. Where relevant, the Compliance Officer should also be able to attend meetings of senior management or bodies exercising supervisory functions. The Compliance Function shall also be granted the possibility to conduct on-site inspections and whenever these rights are not granted, the rationale should be documented and explained in writing.

While the authority and independence of the Compliance Function is required to be maintained at all times in order to enhance the effective performance of its compliance duties, the support provided by the senior management is equally crucial in this respect. The senior management should decide which organisational measures, level of resources, and extent of information access are best suited to ensure the effectiveness of the Compliance Function taking into consideration the particular circumstances of each regulated entity. In deciding this, ESMA suggests regulated entities to ensure that at least the following criteria should be taken into account:

  • the types of investment services, activities, ancillary services, and other business activities provided;
  • the interaction between the investment services, activities and ancillary services, and other business activities carried out;
  • the scope and volume of the investment services, activities, and ancillary services carried out, balance sheet, income from commissions, fees, and other income in the context of the provision of investment services, activities and ancillary services;
  • the types of financial instruments offered to clients;
  • the types of clients targeted by the investment firm (professional, retail, eligible counterparties);
  • staff headcount;
  • the services provided through a commercial network;
  • the cross-border activities provided; and
  • the organisation and sophistication of the IT systems.

The application of these criteria as well as the extent of the Compliance Function may differ from one company to another, as the nature of the compliance risks to which each company may be exposed differs. Consequently, the application of these criteria should respect the fundamental rules of proportionality based on the nature, scale and complexity of the business, and on the nature and range of the investment services, activities and ancillary services offered. While a Compliance Function must always be established, the regulated entity is given the flexibility to assess the extent of the compliance unit considered necessary to its own organisational structure and risk profile. It follows that the regulated entity may end up having a significant Compliance Function, a part-time resource dedicated to compliance or it may even combine the legal and compliance function when the proportionality exemption allows for it. However, a regulated entity with more complex activities or greater size should generally avoid such combination if it could undermine the Compliance Function’s independence.

Where the regulated entity resolves to avail itself of the proportionality exemption, it should ensure that this choice does not impact the effectiveness of the Compliance Function. In addition, the rationale behind such a decision should be duly evidenced and recorded in writing and adequate arrangements should be put in place to address any potential risks of conflict of interest.


The information contained in this write up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write up without seeking legal or other professional advice for your individual situation.