28 Nov 2016

PRA has issued its second consultation paper on implementation into its Rulebook of the revised Markets in Financial Instruments Directive and Regulation (MiFID 2). Its previous consultation had been focussed on the passporting aspects of MiFID 2 and the changes it would need to make to its rules to take account of MiFID 2's provisions on algorithmic trading. Now it is looking primarily at how it will enhance its governance requirements, and how to apply MiFID 2's management body and key organisational requirements to both MiFID and non-MiFID business.

In this article, Emma Radmore looks at the changes PRA proposes.

Structure of proposals

As a matter of principle, PRA proposes to apply the MiFID 2 governance and organisational requirements across all MiFID and non-MiFID business of relevant firms, and also to include many of the requirements within its rules, even though many of them are now contained in the MiFID 2 implementing Regulation (and therefore do not require implementation as they have direct applicability). In some places, the provisions of the Delegated Regulation will merely be signposted, however.

PRA proposes to amend several parts of its Rulebook to make relatively few substantial changes.

The changes to the relevant rules and the supervisory statements that support them will:

  • Implement the provisions of MiFID 2 (articles 9 and 16), relating to the management body and organisational requirements
  • Remove provisions currently in the rules that are superseded by new provisions in the Delegated Regulation
  • Update references to MiFID to reflect MiFID 2
  • Permit authorisations and changes to permissions in respect of the new regulated activity and investment, and for activities relating to structured deposits
  • Make consequential changes to the General Provisions and the Glossary.

OTF operation and emission allowances

PRA notes Treasury will be making amendments to the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO) to include operating an Organised Trading Facility (OTF) as a new regulated activity and to include emission allowances as a specified investment. As a result, firms wanting to operate an OTF or carry on activities relating to emission allowances will need to apply for variations of permission, in the normal way. PRA is waiting for Treasury to make these changes and decide whether firms will be able to apply for variations in advance of January 2018.

Structured deposits

MiFID 2 does not make structured deposits a new category of investment as such, but it does regulate the way in which firms deal with the product. Treasury plans to extend the regulated activities of dealing in investments as agent, arranging deals in investments, managing investments and giving investment advice so as to require firms to seek a variation of permission to include carrying on any of these activities in relation to structured deposits. PRA notes that firms that already have a deposit-taking permission will not require an additional permission to accept structured deposits. Additionally, over a grandfathering period, firms already carrying out these regulated activities will be deemed to have permission to carry them on in relation to structured deposits provided they tell the relevant regulator they wish to do so, and the regulator acknowledges the notification. PRA will put a form on its website for firms to use if they wish to make this notification.

Enhanced governance

PRA notes the emphasis in MiFID 2 on effective oversight and control that the management body should have over the activities of firms, particularly on risk strategy and internal governance. It also addresses the time commitment of board members and diversity. PRA proposes:

  • To implement the management body requirements in Article 9 of MiFID 2 by changes to the General Organisational Requirements and Skills, Knowledge and Expertise Parts of the Rulebook. It notes, though, that the European Supervisory Authorities are currently consulting on joint guidelines under the fourth Capital Requirements Directive (CRD 4) and MiFID 2 on the assessment of suitability of members of the management body and key function holders. Once these guidelines are finalised, PRA may change its rules or the supporting supervisory statements further
  • To require firms to implement the organisational requirements of MiFID 2 on the operation of the compliance function, outsourcing and record keeping. This will entail changes to the Compliance and Internal Audit, General Organisational Requirements, Outsourcing, Record Keeping and risk Control Parts. PRA will apply these requirements across all relevant firms, regardless of whether the business falls within MiFID 2, so that firms can apply the same standards across their business.

General rule changes

PRA proposes changes to several modules of its Rulebook.

Compliance and Internal Audit

Changes to this module will make reference to the requirements of the MiFID 2 Organisation Delegated Regulation (MODR). It will delete the current rule 2.2 – 2.5 and replace them with a new 2.2A and 2.2B that will require MiFID Investment Firms to extend the arrangements that are required by the "Article 22 (of the MODR)) Compliance Requirements" to apply broadly to a firm's obligations under the regulatory system, all financial services and activities and to PRA's General Organisational Requirements 4.2. Firms that are not MiFID investment firms must also comply with these requirements.

The internal audit requirements in 3.1 are replaced by a new provision 3.1A and B, making similar amendments in respect of the Article 24 (of the MODR) Audit Requirements.

General organisational requirements

PRA proposes new definitions in this part for "Article 21 Organisational Requirements", "Article 25 Senior Management Requirements" and "other matters" (the latter meaning any matters within the scope of General Organisational Requirements Rule 1.1 that are not specifically within the scope of any MODR requirement. It makes similar changes to those in the Compliance and Internal Audit part, and adds to rule 2.4 a requirement for firms to have in place sound security mechanisms to guarantee the security and authentication of the means of transfer of information, to minimise the risk of data corruption and unauthorised access and to prevent information leakage. It deletes part of the requirements around contingency planning and accounting policies, which stemmed from MiFID 1 but are not replicated in MiFID 2.

Part 4 is amended to reflect the Article 25 Senior Management Requirements, and the requirements on the management body in Part 5 will now expressly require the management body to monitor and periodically assess the adequacy and implementation of the firm's strategic objectives in the provision of its regulated activities, and the effectiveness of not only the firm's governance arrangements but also the adequacy of its policies relating to the provision of services to clients. A new 5.1A requires the arrangements a firm puts in place to ensure the management body defines, approves and oversees:

  • The organisation of the firm for providing regulated activities, including skills and knowledge of staff and resources required
  • The policy on services, activities, products and operations the firm offers taking into account its risk tolerance and needs of the clients to whom it will offer them – including necessary stress testing measures
  • The remuneration policy for those involved in providing services to clients, with the aim of encouraging responsible business conduct, fair treatment of clients and avoiding conflicts of interest.

A new rule 5.7 will require firms to ensure members of the management body have adequate access to information and documents that are needed to oversee and monitor management decision-making.


The Outsourcing Part will be amended to refer to the Article 30 and 31 Outsourcing requirements. As a result, the current rules 2.2 to 2.9, all of which stem from MiFID 1, have been deleted.

Record keeping

This part again is amended to refer to MiFID 2 and extend the requirements to all regulated business.

Risk control

Chapter 2 of Risk Control replaces the previous requirement for adequate and effective risk management policies (which stemmed from MiFID) to require that a firm's risk management procedures must include effective procedures for risk assessment, in line with MiFID 2. The monitoring requirements copied from the MiFID implementing Directive are also deleted, but the provisions on the Risk Committee remain with minor amendments.

Skills, knowledge and expertise

Again, this part is updated to refer to MiFID 2, and to extend the requirements to all business. The requirement in 3.1 on segregation of functions is deleted, as it section 4 and 5, but the duty to define arrangements on segregation of duties and prevention of conflicts remains.


PRA proposes a new Notifications Instrument to allow firms to make notification to PRA in respect of structured deposit activities.


There are several new defined terms (including MODR) and consequential amendments.

What next?

Consultation closes on 27 February 2017, and the rules will be effective from 1 January 2018, although where Treasury permits, PRA will be able to accept applications for variations of permission at an earlier date.