Part II Investment Firms and Investment Services, 3 Governance of Investment Firms Under MiFID II

Jens-Hinrich Binder

From: Regulation of the EU Financial Markets: MiFID II and MiFIR

Edited By: Danny Busch, Guido Ferrarini

From: Oxford Legal Research Library (http://olrl.ouplaw.com). (c) Oxford University Press, 2023. All Rights Reserved. Subscriber: null; date: 07 June 2023

Credit risk — Enforcement — Investment business — Regulated activities — Supervision

Governance of Investment Firms Under MiFID II

I.  Introduction

3.01  The regulation of the governance of investment firms—for present purposes to be understood as referring to the internal corporate governance, that is, the rules and arrangements relating to the board, the organization, and internal procedures1—is by no means a post-financial-crisis phenomenon, and MiFID II is not the first European law instrument to prescribe relevant requirements in this regard. In fact, their history reaches back beyond MiFID I2 and, to a considerable extent, has been part of the regulatory framework for the prudential supervision of banks and investment firms generally. Long before the financial crisis reinforced concerns about the management of financial intermediaries, the first components of the regulatory concept were already laid down in the Investment Services Directive (ISD) of 19933—then, as continues to be the case to date, in the form of fundamental prudential requirements that must be met both as a precondition for authorization as a licensed investment firm and on a day-to-day basis in the course of the firm’s operations.4 In addition, non-bank investment firms have been subject to the governance-related provisions applicable to banks in particular after the implementation of the Basel II capital accord in Europe from 2006.5 In short, governance-related regulations have been part and parcel of the European framework regulation of investment intermediaries from the start, as a precondition for authorization and a complement to conduct-of-business regulation.

3.02  Against this backdrop, a superficial observer could be forgiven for concluding that governance-related regulatory requirements appear to have been both an uncontroversial and a rather immutable component of the relevant EU framework for the setting-up and operation of financial intermediaries engaged in the business of investment services to date. On closer inspection, however, neither holds true. As will be discussed in detail in subsection II below, both the rationale of governance-related regulatory requirements and their technical content have changed significantly over time. It is also as a result of this rather complex history that some of the technical regulatory concepts, reinforced and expanded under MiFID II, continue to pose significant challenges to the diverse range of financial intermediaries that are subject to these requirements across the European Union. Again, as will be discussed below, these challenges are reinforced by the absence of clear-cut policy foundations, which has been a characteristic of the regulatory framework for the pursuit of investment services ever since the adoption of the ISD 1993.

3.03  The present chapter seeks to explore both the relevant policy background and the technical content of governance-related regulation of investment firms under MiFID II and, in addition, secondary legislation complementing the Level 1 requirements,6 and the CRD IV package, which extends not just to credit institutions but also to investment firms. Section II below will first analyse the rationale for governance-related regulation against the backdrop of the historic emanation of governance-related requirements for investment firms in European financial regulation. Section III then examines the technical features of the new regime, and identifies some challenges for transposition and enforcement. Section IV concludes.

II.  Governance-related Regulation of Investment Firms between Prudential and Conduct-of-Business Regulation

1.  The Case for Governance-Related Regulation According to MiFID II—Some Preliminary Observations

3.04  Judging from the preamble to MiFID II, the case for governance-related regulation would appear to be rather straightforward. In addition to the general policy objective to combat ‘weaknesses in the functioning and in the transparency of financial markets’,7 the Directive expressly identifies ‘weaknesses in corporate governance in a number of financial institutions, including the absence of effective checks and balances within them’, as a ‘contributory factor to the financial crisis’, and then continues to set out the rationale for regulatory interference by arguing that

[e]xcessive and imprudent risk taking may lead to the failure of individual financial institutions and systemic problems in Member States and globally. Incorrect conduct of firms providing services to clients may lead to investor detriment and loss of investor confidence. In order to address the potentially detrimental effect of those weaknesses in corporate governance arrangements, Directive 2004/39/EC should be supplemented by more detailed principles and minimum standards.8

3.05  Starting from this wording, governance-related regulation of investment firms can thus be said to serve a dual objective, namely (i) the prevention of failures of financial institutions with a view to protecting systemic stability, and (ii) the prevention of losses to investors and the protection of investor confidence. On the surface, this is hardly surprising, as it merely reflects the traditional set of—interrelated—objectives of financial regulation generally: the preservation of the economic functions of financial markets (in particular, the effective allocation of capital within a market economy), and the protection of customers (whose confidence is essential for the preservation of financial stability).9 Irrespective of this general background, however, the relevance of the above statement of policy objectives goes far beyond stating the obvious. It is worth noting that, although the relevant regulations under MiFID I are expressly referred to as a starting point for the reform, systemic stability considerations, for the first time in the history of European securities regulation, are expressly mentioned as a key driver for the further refinement of the relevant requirements. This takes up corresponding considerations first laid down in the Commission’s 2010 Green Paper on the governance of financial institutions.10 By contrast, as will be examined in further detail below, neither the ISD 1993 nor MiFID I made any reference to such considerations in the context of governance-related regulation. To be sure, neither of these earlier instruments were very outspoken with regard to the motives for governance-related regulation. 
This was consistent with the original objective to realign the prudential requirements pertaining to non-bank investment firms with those applicable to credit institutions in the interest of equal market access,11 but indicates that the rationale for regulatory intervention was rather obscure under the predecessors of the present regime.

3.06  In view of lessons learnt from the global financial crisis, the reinforcement and expansion of governance-related requirements by MiFID II therefore reflect not just a desire for further refinement of existing regulatory requirements and strategies but also, importantly, a shift in the underlying policy objectives: In addition to the protection of investors and investor confidence, systemic considerations have entered the scene—and seem to play a more important role than the traditional focus on investor protection as such. To be sure, this development reacts to widespread concerns about the quality of governance arrangements in financial intermediaries generally. These have arisen as a result of (well-founded or perceived) lessons learnt from the global financial crisis and have inspired not just the substantive overhaul of the governance-related provisions in the MiFID regime but also, and to a larger extent, the corresponding reforms of governance-related requirements for banks under the CRD IV package of 2013.12 As illustrated, in particular, by the Lehman Brothers failure in September 2007, systemic implications triggered by the insolvency of financial intermediaries are not necessarily confined to licensed banks. They arise out of the relevant firm’s size, its connectedness to other market participants and to providers of market infrastructure, and the complexity of its operations and legal structure, as well as the market perception of the relevance of the firm—rather than out of the nature of its business (deposit-taking, provision of investment services) as such.13 On closer examination, however, the available evidence is mixed. 
While it is generally agreed that risk management systems failed to mitigate excessive risk-taking in financial intermediaries in the run-up to the crisis,14 empirical findings with regard to other aspects of corporate governance are, at best, inconclusive.15 In particular, it is far from settled that those corporate governance standards that had been established already prior to the financial crisis can be said to have contributed to safer organizational arrangements.16 Specifically to what extent prudential concerns about firm soundness and, ultimately, financial stability implications are warranted in the case of (different types of) investment firms is still rather uncharted territory. As international regulatory standards, in response to the global financial crisis, have understandably focused on systemically important financial institutions,17 it is, in principle, hardly surprising that the relevant provisions under MiFID II and secondary legislation, as a rule, are intended to apply indiscriminately across the full range of investment firms operating within the European Union. Given the high level of diversity of market participants in terms of size, business models and interconnectedness with counterparties, the underlying rationale is nonetheless somewhat questionable.18 Against this backdrop—and somewhat in contrast to the exposition of the policy rationale expressed in the preamble to MiFID II—the case for governance-related regulation of financial intermediaries in general thus seems to be less clear than might be expected in view of the wave of failures of investment banks experienced globally in recent years. The same applies, and to a greater extent, to the technical design of the reformed regulatory framework under MiFID II.

2.  Governance-Related Regulation since the ISD 1993

3.07  To understand the full dimension of the considerations presented above, it is appropriate to explore the historical evolution of governance-related regulations for investment firms in some more detail. In this context, the political objective to realign the regulatory frameworks for banks and non-bank financial intermediaries with the ISD 1993 deserves particular attention (infra II.2.A). Arguably, neither this Directive nor the subsequent amendments to existing requirements under MiFID I (infra II.2.B) fully acknowledged the functional parallels and differences between banking regulation, from which the relevant concepts were adapted, on the one hand, and investment services on the other hand.

A.  Governance-Related Regulation under the ISD 1993

3.08  In the context of governance-related requirements, specific references to the objective of investor protection in the ISD 1993 are rare. To be sure, the Preamble did acknowledge the need ‘to protect investors and the stability of the financial system’19 as key policy objectives generally. In addition, it argued that

[…] it is necessary, for the protection of investors, to guarantee the internal supervision of every [investment] firm, either by means of two-man management or, where that is not required by this Directive, by other mechanisms that ensure an equivalent result.20

3.09  Beyond these few—and erratic—remarks, however, the rationale for governance-related regulations received no further explanation. Instead, the focus clearly was on the equal treatment of banks and investment firms under the new framework.21 As such, the rationale for governance-related prudential requirements in the industry—as distinct from corresponding regulations for credit institutions in the technical sense—was mentioned neither in the Directive nor in contemporary literature. Consequently, governance-related regulation under the ISD 1993 remained somewhat haphazard, and limited to very few specific requirements.

3.10  Among these, the requirement that ‘the direction of a firm’s business must be decided by at least two persons’ of ‘sufficiently good repute and […] sufficiently experienced’22 was an early predecessor of today’s fit-and-proper regime,23 modelled after the corresponding provisions in the Second Banking Directive of 1989.24 In addition, the Directive prescribed a regime for supervisory scrutiny of owners of qualified holdings in investment firms,25 which again took up earlier precedents established in the area of banking regulation.26

3.11  By comparison with subsequent developments, the ISD 1993 did not prescribe any substantive requirements with regard to business models or organizational issues. As part of the licensing process, however, enterprises seeking to be recognized as investment firms had to submit a ‘programme of operations setting out inter alia the types of business envisaged and the organizational structure of the investment firm’.27 While this ensured access of supervisory authorities to the relevant information, the definition of more specific requirements was left to the Member States, which were to ‘draw up prudential rules which investment firms shall observe at all times’,28 a serious and ‘systematic’ infringement of which could result in the revocation of the respective firm’s licence.29 Specifically, investment firms, in this context, were to be required to

have sound administrative and accounting procedures, control and safeguard arrangements for electronic data processing, and adequate internal control mechanisms including, in particular, rules for personal transactions by […] employees.30

3.12  In addition, Member States had to draw up requirements with regard to the protection of client assets and funds as well as the documentation of transactions, and had to prescribe institutional arrangements designed to minimize the impact of conflicts of interest on clients.31 It is in this regard that the ISD 1993 went beyond the level of governance-related requirements already present in contemporary European banking regulation, reflecting earlier US American precedents.32 And it is here that the development of a specific organizational regime for investment firms in European financial regulation, distinct from governance-related requirements for banks, can be said to have its roots—a regime that goes beyond a mere replication of the organizational requirements for banks and specifically addresses the agency problems characteristic for investment firms which, because of the wide range of different types of investment services, are more complex than within the relationship between a bank and depositors.33 In these provisions, the functional link between prudential regulation and conduct-of-business regulation,34 discussed above, is particularly obvious. However, it is also in this regard that the lack of a consistent rationale for governance-related regulation of investment firms in early European regulation is evident. While investor protection is clearly the key motive for most of the organizational requirements stipulated by Article 10, the case for the remaining provisions examined above—and the rationale for the substantive synchronization of governance requirements for investment firms with those for banks generally—remains somewhat obscure. At least for the early stages of European regulation of investment firms and, specifically, the ISD 1993 it can only be explained on the grounds of the general motive

to create a separate but equal single licence for the non-bank securities firms while ensuring that they do not have a competitive advantage in terms of funding requirements vis-à-vis credit institutions when such institutions are providing investment firms.35

3.13  In other words, in addition to the general objective of investor protection, concerns about the conditions for fair competition among different types of providers of investment services—more specifically, universal banks and non-bank investment firms—and considerations of equal market access across the Common Market rather than concerns for financial stability, have to be considered as a key rationale for the early regulatory framework for the governance of investment firms.

B.  Governance-Related Regulation under MiFID I and the CRD II package

3.14  In principle, the substitution of the ISD 1993 by MiFID I as such hardly changed this picture. To be sure, the new Directive, just as its predecessor, quoted both the protection of investors and the ‘stability of the financial system’ as key policy objectives.36 Whether and to what extent financial stability concerns actually warranted regulation of the corporate governance of investment firms was not discussed, however. Just as under the ISD 1993, governance-related requirements under MiFID I, in principle, mainly reflect investor protection concerns and, to the extent that they replicate corresponding requirements in banking regulation, merely continue to synchronize both regimes with a view to ensuring a level playing field between universal banks and specialized investment firms.37 In principle, the Directive carried forth the main elements of governance-related regulations already established by the ISD 1993. Directors and shareholders as well as members with qualifying holdings continued to be subject to suitability tests in order to prevent undue influence on the firms’ management.38 In terms of organizational requirements, Article 13 also took up the requirements established by the ISD 1993, but with some alterations to the catalogue stipulated by Article 10 ISD 1993 that reflected more specific concerns about operational risks.39

3.15  Notwithstanding the continuity of substantive regulations visible in the wording of ISD 1993 and MiFID I, the latter clearly triggered a conceptual departure from the earlier instrument in that it formed the basis for extensive Level 2 legislation on organizational requirements and operating conditions.40 In addition to these rather general provisions, the governance and organization of investment firms now were subjected to a complex, harmonized regime of institutional and procedural substantive requirements, compliance with which would be monitored by the licensing authorities. In addition to general requirements relating to the internal organization,41 Directive 2006/73/EC on organizational requirements and operating conditions, insofar as it is of interest for the purposes of this chapter, stipulated detailed provisions and definitions on compliance,42 risk management,43 internal audits,44 the corresponding responsibility of senior management,45 and on specific organizational requirements designed so as to ensure the safeguarding of client funds.46

3.16  Irrespective of the substantial increase in detail brought about by the Organisational Requirements Directive 2006/73/EC, however, the fundamental policy basis for governance-related requirements did not deviate conceptually from earlier regulation. Just as in MiFID I, considerations of equal market access on one hand and investor protection on the other hand can be identified as the key motives inspiring the technical specifications stipulated by the Organisational Requirements Directive. If the new regime differed at all from its predecessor in this respect, ensuring a level playing field for all providers of investment services throughout the (then) European Community—rather than systemic stability concerns—appears to have been an even stronger determinant of governance-related requirements than under the ISD 1993. This motive was expressly mentioned as the objective for technical harmonization of organizational requirements and conditions for authorization, as well as for the principle of maximum harmonization imposed by the Implementing Directive,47 whereas investor protection was identified as a key rationale for requirements for operating conditions48 (i.e. conduct-of-business rules)—and systemic stability concerns were not quoted at all in either MiFID I or the Organisational Requirements Directive 2006/73/EC.

3.17  To stop the analysis at this point would be misleading, however, as it was outside the MiFID I regime that governance-related requirements for investment firms first received a much more comprehensive treatment in EU financial services regulation. With the transposition of the Basel II capital accord of 200449 into European law by the CRD I package in 2006,50 not just credit institutions but also investment firms became subject to a reformed set of comprehensive governance-related requirements, which reflected the Basel Committee’s emphasis on the need for sound and robust governance arrangements in addition to reliable capital cushions in financial intermediaries.51 In particular, Article 22(1) of the recast Banking Directive, which was supplemented with complex technical requirements in Annex V to that Directive, required banks to establish and maintain

robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and adequate internal control mechanisms, including sound administrative and accounting procedures.

3.18  The scope of these provisions was extended to investment firms pursuant to Article 34 of the recast Capital Adequacy Directive. In 2010, the new regime was supplemented by new rules on remuneration policies as part of the CRD III reform in November 2010.52 To be sure, particularly this latter reform can be characterized as a first step towards the subsequent comprehensive overhaul of the regulatory framework for banks and investment firms by the CRD IV package and MiFID II, in that the Preamble discusses at length weaknesses in remuneration policies and risk governance as a determinant for failures in the financial crisis and also reflects the Commission’s plans for extensive enhancements of governance-related provisions developed in its 2010 Green Paper.53

3.19  In short, the modern trend for comprehensive regulation of investment firms’ governance arrangements clearly had its roots already in the CRD I package (as recast in 2006), which implemented the Basel II Accord within the European Union. As such, the new regime clearly was motivated by systemic stability considerations and did not reflect specific investor protection concerns. By and large, the extension of the organizational requirements not just to credit institutions but also to non-bank investment firms continued to reflect the traditional rationale of ensuring equal market access and a level playing field for both types of financial intermediaries. Until the 2010 reform of the CRD III package, which reflected already the more comprehensive insights into the determinants of financial crisis gained during 2007–9, the inclusion of investment firms in the general regulatory framework for credit institutions cannot be said to have been based on an analysis of the functional parallels and differences in the respective business models, and on the resulting challenges to financial stability associated with them.

3.  Some Preliminary Conclusions

3.20  In retrospect, the policy rationale for the treatment of investment firms in European financial regulation can be said to have oscillated between three rather different aspects: investor protection, the protection of financial stability, and the creation of a ‘level playing field’, that is, the harmonization of requirements for market access for investment firms in the Internal Market. As a closer analysis of the emanation of governance-related regulations in European law reveals, their conceptual basis has been rather weak from the early stages of EC Securities Law to the present day. The recent shift towards systemic risk considerations as the key rationale formulated in MiFID II is certainly consistent with a broader trend in post-crisis financial regulation, which started to influence the regulation of governance arrangements in financial intermediaries already under the CRD I package in the form of the 2006 reforms. Specifically with regard to the governance of non-bank investment firms, however, the relevant policy foundations continue to be open to doubts, mainly in two respects: First, as discussed above, their historical emanation since 1993 has by no means been organic. In contrast to the wording of the relevant Recitals in the Preamble to MiFID II, the key drivers for the EU-wide harmonization of relevant standards until MiFID II have been considerations of equal market access within the Common Market, and also, to a somewhat lesser extent, investor protection. Systemic stability concerns, by contrast, were cited only superficially in the earlier documents, with no significant role in the design of the relevant provisions. 
In this respect, the new emphasis on systemic stability concerns in MiFID II, now expressly identified as key determinants for the governance-related regulation of investment firms, appears to mark a significant shift in the underlying policy foundations, whereas the relevant technical instruments, to a large extent, are mere adaptations of the earlier regime. It remains to be seen whether and to what extent the rearranged and expanded set of regulatory requirements can be reconciled with the specific challenges posed by non-bank investment firms. Second, empirical evidence as to concrete deficiencies in existing arrangements is rather limited, which further weakens the case for specific regulatory interventions in the organizational choices of regulated firms. Both aspects will have to be considered in the course of the analysis of specific technical requirements discussed in Section III below.

III.  The Technical Framework under MiFID II

1.  General Principles and Problems

3.21  In principle, the governance-related requirements stipulated by MiFID II—and, in addition, the new Organisational Requirements Regulation54—continue to combine general prudential requirements established in the field of banking regulation with specific additions designed to address the specific characteristics of investment services (as distinct from banking activities). This is particularly visible with regard to the Directive’s provisions on the management body, which expressly adapt the regime set out in the CRD IV of 201355 and add further requirements in the interest of investor protection56 (see infra III.2). Just as in EU banking regulation, these duties are inextricably intertwined with organizational and procedural requirements, which are directed both to the firm and to the management body and, again, address both general prudential concerns and issues specific to the provision of investment services (as distinct from core banking services) (infra III.3). With regard to regulatory requirements for shareholders and owners with qualifying holdings, the new regime builds on, and develops further, the corresponding provisions under MiFID II,57 showing significant similarities with, but no direct cross-references to, the corresponding provisions in EU banking regulation (infra III.4). Finally, investment firms are subject to certain governance reporting requirements (infra III.5).

3.22  In terms of technical content, the departure from earlier policy concepts, at least at first sight, thus seems to be far less dramatic than the changes in the underlying policy would suggest. This finding, in turn, triggers a number of interrelated questions, to be addressed in the overall assessment (infra III.6): If it is true that the reformed set of governance-related requirements under the MiFID II regime (unlike the corresponding requirements under the earlier instruments) focuses on the preservation of systemic stability rather than the protection of individual investors, to what extent is that change in policy reflected in the substantive content of the relevant provisions, and what are the practical implications in terms of construction, implementation, and enforcement of the new regime?

3.23  To be sure, the policy objectives formulated in MiFID II58 (in conjunction with those set forth in the CRD IV) still do not quite reflect a clear-cut understanding of the relationship between systemic concerns and investor protection, or at least fail to present a consistent case for regulation in this regard. However, they certainly do highlight the functional link between prudential regulation, that is, institutions-oriented regulation aiming at enhancing the resilience and soundness of intermediaries, and conduct-of-business regulation, that is, transactions-oriented standards for the provision of financial services. ‘Detriment’ to investors, in the words of the Directive, can result both from the failure of individual firms and ‘incorrect conduct’; and both types of risks, in the view of the authors of MiFID II, can be traced back to ‘weaknesses in corporate governance’.59 While these considerations are consistent with the determinants of the reformed governance-related requirements under the CRD IV,60 they deserve some attention especially in the present context, as it is for the first time in the history of EU securities regulation that the functional link between the two regimes has been spelled out with such clarity. From this perspective, governance-related regulation of investment firms almost by definition serves a dual objective—the protection both of the interests of systemic stability and of individual investors. This clearly goes back to the considerations formulated above—and it suggests that, indeed, the crisis has helped to refine the understanding of relevant risks as well as to recalibrate the regulatory responses to such weaknesses. In this respect, securities regulation appears finally to have caught up with the area of banking regulation, where the dual objective of (prudential) regulation has always been defined as encompassing both the preservation of financial stability and the protection of depositors. 
In sum, based on the construction of the formulation of relevant policy objectives quoted above, the concept of governance-related regulations under MiFID II, in comparison with its predecessors in the ISD 1993 and MiFID I, can be said to have converged with the rationale of the corresponding requirements in the area of banking regulation: In European (and international) banking regulation, requirements for the internal governance of regulated institutions have been an integral part of the prudential toolbox since the implementation of the Basel II Capital Accord—and, as such, have been aiming at the protection of both systemic stability and depositors.61 This, again, evokes some key questions for further exploration in the present chapter: In view of the functional differences between the economic nature of banking activities and those associated with the provision of investment services, should that conceptual convergence be welcomed? Similarly, and even more far-reaching: To what extent is the underlying rationale corroborated by the available evidence on governance failures? As discussed before,62 the empirical case for enhanced governance-oriented regulation after the global financial crisis is, at best, mixed, making a refined understanding of the specific governance standards for non-bank investment services even more desirable.

3.24  Finally, in a more technical respect, the following analysis will have to address the question of whether the new regime, despite the increase in technical detail in comparison with its predecessors, continues to be sufficiently flexible with regard to the variety of regulated investment firms across the EU. Just as is the case in the area of the reformed regime for the prudential regulation of banks under CRD IV,63 this is not just a question of proportionality in view of differences in terms of size and complexity of the regulatees, but also of flexibility with regard to differences in terms of their legal nature and respective governance structures. Under the MiFID II regime, these concerns are particularly pressing because implementing Level 2 instruments no longer take the form of Directives but now come in the form of regulations.

2.  The Board

A.  Organizational Structure

3.25  Just like banks, investment firms under the new regime are subject to a rather complex set of fundamental requirements as to the organizational structure of the board. In this respect, MiFID II does not establish independent criteria, but merely incorporates the corresponding requirements prescribed by CRD IV (Article 9(1) in conjunction with Article 88 CRD IV). In this regard, it should be noted that the reference to the CRD IV in Article 9(1) MiFID II is of a declaratory nature for the majority of investment firms within the EU, which are covered by the definition of ‘investment firms’ set out in Article 4(2) of the Capital Requirements Regulation (the ‘CRR’)64 and therefore qualify as ‘institutions’ as defined in Article 4(1)(3) of the CRR which in turn includes them directly in the scope of the CRD IV requirements anyhow.65 Consequently, Article 9(1) MiFID II merely extends the CRD IV regime to (non-CRR) investment firms not covered by the CRD IV package.66

3.26  Within this framework, Article 88 CRD IV lays down specific requirements both for the division of responsibilities and for the organization of the board. In principle, although both the CRD IV and MiFID II seek to establish a neutral system for adaption across different systems of corporate governance,67 this framework is tailored primarily to one-tier board models, where board management and supervisory functions are exercised from within a single board of directors (as distinct from—German-style—two-tier board systems, which separate management and supervisory boards). Both Directives leave it to the Member States to make the necessary adjustments for two-tier boards.68 Nonetheless, the prescription whereby

the chairman of the management body in its supervisory function must not exercise simultaneously the functions of a chief executive officer within the same institution, unless justified by the institution and authorised by competent authorities,69

clearly addresses two-tier board systems70 and imposes a separation of functions which, while commonly practised at least within the United Kingdom for some time, has never been established as preferable over a combination of the two functions in one person.71

3.27  Within the board, firms must establish a risk committee, a nomination committee, and a remuneration committee, if they are ‘significant in terms of their size, internal organization and complexity of their activities’. This, again, follows directly from provisions in the CRD IV,72 of which only Article 88 is expressly referred to in Article 9(1) of the MiFID II.

B.  Duties

i.  The Board as a Whole

3.28  The duties of the management body in general and its committees—in a rather complex and partly duplicative way—are set forth in both the CRD IV and MiFID II, as well as in the provisions of Chapter II of the Commission Delegated Regulation of 25 April 2016.73 In line with the concept of functional neutrality with regard to different legal structures in the national laws on corporations and partnerships,74 neither the CRD IV nor MiFID II lays down a positive definition of the board’s duties, which are determined exclusively by autonomous legislation in the Member States. This is clearly reflected in the identical definition of the term ‘management board’ in both Directives, which expressly refers to those strategic, oversight, and management duties that are determined by the applicable national laws.75 While accepting the general duties of management (and supervisory) boards as prescribed by national legislation in principle, both the CRD IV and the MiFID II lay down additional specifications with regard to, in particular, organizational duties, however. For regulated entities, the organizational duties of management (and supervisory) boards form a two-tier system, with the first level consisting of general principles under the applicable national law of business associations (companies or partnerships, as the case may be), which are then complemented and, in part, superseded by specific organizational duties prescribed by European financial regulation. It is worth noting that the requirements addressed directly to the management body in both CRD IV and MiFID II are, to a large extent, of a procedural rather than a substantive nature; they specify the responsibility of the board for the definition of strategies and procedures and for the implementation of relevant standards, rather than defining the relevant standards themselves (which are specified in other provisions and in additional Level 2 legislation76).

3.29  Generally, pursuant to the identical formulation in both Article 88(1) CRD IV (referred to in Article 9(1) MiFID II) and Article 9(3) MiFID II, the management body77 is required to

define[ ], oversee[ ] and [be] accountable for the implementation of the governance arrangements that ensure effective and prudent management of the [firm], including the segregation of duties in the [firm] and the prevention of conflicts of interest,

to which Article 9(3) MiFID II adds the further specification that the management body must exercise these functions ‘in a manner that promotes the integrity of the market and the interest of clients’.

3.30  Article 88(1)(2) CRD IV then specifies these functions further and requires the board, in particular, to

  (a)  approve and oversee the firm’s ‘strategic objectives, risk strategy and internal governance’,

  (b)  ensure ‘the integrity of the accounting and financial reporting systems’,

  (c)  oversee ‘the process of disclosure and communications’, and

  (d)  effectively oversee senior management.

3.31  These requirements are then complemented by additional, albeit to some extent duplicative, specifications in Article 9(3) MiFID II, pursuant to which the management board shall

define, approve and oversee

  (a)  the organisation of the firm for the provision of investment services and activities and ancillary services, including the skills, knowledge and expertise required by personnel, the resources, the procedures and the arrangements for the provision of services and activities, taking into account the nature, scale and complexity of its business and all the requirements the firm has to comply with;

  (b)  a policy as to services, activities, products and operations offered or provided, in accordance with the risk tolerance of the firm and the characteristics and needs of the clients of the firm to whom they will be offered or provided, including carrying out appropriate stress testing, where appropriate;

  (c)  a remuneration policy of persons involved in the provision of services to clients aiming to encourage responsible business conduct, fair treatment of clients as well as avoiding conflict of interest in the relationships with clients.

3.32  Moreover, the management board is required

to monitor and periodically assess the adequacy and the implementation of the firm’s strategic objectives in the provision of investment services and activities and ancillary services, the effectiveness of the investment firm’s governance arrangements and the adequacy of the policies relating to the provision of services to clients and take appropriate steps to address any deficiencies.78

3.33  Both Article 88 of the CRD IV and, to an even larger extent, Article 9 MiFID II thus formulate a rather comprehensive catalogue of standards for the board’s responsibilities with regard to organizational and compliance aspects. In principle, the set of functions thus defined does not significantly deviate from the allocation of powers and responsibilities under general company or partnership law (whereby the relevant functions will usually be allocated to the board, even if, in many cases, the applicable law will be much less detailed than its regulatory counterpart79). However, the far more explicit definitions of responsibilities in regulatory law, a breach of which may ultimately trigger the revocation of the licence,80 evidently not only seek to enhance legal certainty, but also to facilitate effective supervisory control of the different aspects. This is reflected in the specific sanction provided for breaches of the requirements set forth in Article 91 CRD IV, which may trigger administrative penalties of up to €5 million or double the loss that has been incurred as a consequence of the breach, with the sanction, as a rule, to be made public.81 When assessing compliance, authorities will apply a specific standard of care that has been defined in Article 91(8) CRD IV, within the context of requirements on the suitability of board members.82

3.34  All in all, the reformed set of specific board duties primarily reflects prudential concerns about the soundness of risk profiles and operational arrangements of institutions (i.e., credit institutions and investment firms) and, as such, systemic stability considerations. This is illustrated, first and foremost, by the fact that the most important part of the relevant duties is set forth in the CRD IV rather than MiFID II—without any differentiation whatsoever between the business models characteristic for credit institutions and those of non-bank investment firms. Even the additional requirement to a similar effect imposed by Article 9(3) MiFID II evidently focuses on the definition of standards aiming at the soundness of operational arrangements and risk sensitivity rather than on such aspects that may directly benefit the position of investors, with the limited exception of Article 9(3)(c) MiFID II (quoted above, paragraph 3.31). As indicated above, this is not inconsistent with lessons learnt from the global financial crisis, which clearly reinforced the notion that systemic risk is not confined to commercial banking but attributable to other factors (size, interconnectedness, complexity of business organizations).83 Against this backdrop, it may be considered helpful that the new regulatory framework, by specifying the board’s responsibility for organizational and strategic decisions and risk management in most comprehensive terms, clarifies the delineation of powers and duties in regulated firms, which could potentially lead to increased awareness among board members as to the specific challenges and needs associated with their respective supervisory and management functions.

ii.  Board Committees

3.35  Just as with credit institutions, investment firms, pursuant to Article 88(2) CRD IV (in conjunction with Article 9(1) MiFID II, where applicable), are subject to detailed requirements with regard to the formation and tasks of the nomination committee. The committee is not only responsible for the selection of candidates for management body positions and the evaluation of the knowledge, skills, and experience, as well as periodical assessments and reviews of the policy for the selection and appointment of senior management, but also for the promotion of gender equality.84 Remuneration committees are responsible for ‘the preparation of decisions regarding remuneration, including those which have implications for the risk profile and risk management of the institution concerned’.85 Risk committees are to advise the management body with regard to the ‘risk appetite and strategy’, and to assist with the implementation of the strategy. The risk assessment also has to review the impact of prices of liabilities and assets on the firm’s business model and risk strategy, and to propose remedies if deficiencies are detected.86 By contrast, no specific requirements are set forth in either the CRD IV or MiFID II with regard to the duties of audit committees, which credit institutions and investment firms are required to establish under Article 41 of Directive 2006/43/EC.87

C.  Personal Requirements

3.36  Reflecting widespread concerns about the quality of management and supervision in the boards of financial institutions before and during the global financial crisis,88 enhanced requirements for the eligibility for board membership and for board diversity have become a central aspect of the reformed regulatory framework for both credit institutions and securities. Just as in the area of board duties, discussed above, the relevant requirements are laid down partly in the CRD IV (for credit institutions and investment firms alike), with—again, to some extent duplicative—additions stipulated by MiFID II.

3.37  Generally, all board members, executive and non-executive, are subjected to a rigorous fit-and-proper test. Pursuant to Article 91(1) and, in identical wording, to Article 9(4), they are required at all times ‘[to] be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties’ and to commit sufficient time to perform their functions.89

3.38  Moreover, pursuant to a requirement that links personal qualifications with a standard of care for the execution of the board duties, each member of the management body is required

to act with honesty, integrity and independence of mind to effectively assess and challenge the decisions of the senior management where necessary and to effectively oversee and monitor decision-making.90

3.39  In addition to the individual requirements, the board as a whole is required to have ‘adequate collective knowledge, skills and experience to be able to understand the [firm’s] activities, including the main risks’.91 In order to maintain the standard, regulated firms are required to ‘devote adequate human and financial resources to the induction and training of members of the management body’.92 Particular attention has been given to ensuring board diversity, which is reflected not only in the requirement to

engage a broad set of qualities and competences when recruiting members to the management body and for that purpose to put in place a policy promoting diversity on the management body,93

but also in the definition of tasks of the nomination committee, which must not simply strive for ‘diversity’ in its proposals for vacant management body positions, but is also required to

decide on a target for the representation of the underrepresented gender in the management body and prepare a policy on how to increase the number of the underrepresented gender in the management body.94

3.40  Pursuant to Article 91(12) CRD IV, the relevant criteria are to be complemented by EBA guidelines in due course.95

3.41  With these requirements, the new regime clearly goes far beyond the design and content of traditional ‘fit-and-proper’ tests in the area of financial regulation, which usually set a rather broadly defined set of benchmarks against which supervisory authorities would have assessed the qualifications and character of persons nominated for board positions.96 To be sure, these earlier requirements already facilitated a significant degree of supervisory control over board decisions, if and to the extent that the relevant authority, under the applicable national law transposing the European requirements, was willing to use board members’ readiness to comply even with informal supervisory guidance as indicative for the purposes of the ‘fit and proper’ test.97

3.42  Under the reformed regime, by contrast, the traditional, flexible approach, which left further specification to the discretion of national legislators and authorities, has been complemented with a considerable range of new procedural and substantive elements. Among these, requirements that the personal qualification of board members be commensurate with the cognitive and strategic problems to be expected in the performance of their respective functions can surely be said to be rather uncontroversial, although it remains to be seen whether the more prescriptive approach really yields a more effective enforcement of qualitative standards by relevant authorities. In particular, it remains open to doubt whether the (still rather abstract) standard of ‘honesty, integrity and independence of mind’ can be operationalized in a way that substantively adds to the effectiveness of authorities’ scrutiny of board composition.98

3.43  More controversial, however, has been the policy decision to promote gender diversity as a means to foster good corporate governance in financial institutions. The underlying rationale is to prevent ‘groupthink’, which, according to a widely held view of the global financial crisis, can supposedly be traced back not least to a greater risk appetite of male management than could be expected to be found among a gender-diverse board.99 As empirical analysis of what has become known as the ‘Lehman Sisters Hypothesis’ (insinuating that, with a female board of directors, excessive risk-taking and the ensuing crisis would not have happened) appears to be inconclusive,100 the effectiveness of mandatory board diversity as a precaution against excessive risk-taking practices can, at best, be described as doubtful. It is to be expected that regulated firms, in redefining their diversity policies, will attend to the relevant supervisory authority’s expectations rather than to what they themselves would perceive to be an optimal balance.101

3.44  At any rate, just as has been diagnosed for the highly prescriptive set of board duties above,102 the focus of the reformed personal requirements applicable to board members under the new CRD IV/MiFID II regime clearly reflects systemic stability rather than investor protection considerations. Also in this context, credit institutions and non-bank investment firms are indiscriminately subjected to a regime which seeks to improve the quality of corporate governance in the interest of the individual firm’s soundness of operations and, ultimately, the prevention of contagious effects that would arise from their financial failure. To be sure, clients that have an ongoing relationship with the firm (e.g. in the context of asset-management contracts) could benefit as well, but rather indirectly.

D.  Remuneration of Board Members and Senior Management

3.45  Among the different policy initiatives to foster effective corporate governance in financial institutions in recent years, prescriptive requirements for remuneration (or ‘compensation’) arrangements have clearly played a major, albeit somewhat independent, role. This is particularly visible in the EU Commission’s 2010 Green Paper, which discusses remuneration policies as a distinct part of the regulatory agenda on issues related to the corporate governance of financial institutions.103 At the international level, sound remuneration standards, designed to remove incentives to engage in excessive risk-taking, have been promoted as a priority within the post-crisis reform agenda of the Financial Stability Board,104 whose recommendations have been influential not just for the design of relevant provisions at the European level, but also—prior to EU-wide harmonization—within individual Member States.105 Under the European framework harmonized by the CRD IV, investment firms are subject to the regime applicable also to credit institutions, to which MiFID II adds the requirement that the management board has to develop a specific ‘remuneration policy’ for persons involved in the provision of services to clients,106 while more detailed requirements for the development of remuneration policies and practices, including on the protection of client interests in this context, are prescribed in Article 27 of the Delegated Council Regulation of 25 April 2016.107 Leaving this aside, investment firms have to comply with the general qualitative principles governing the remuneration policies for senior management, so-called risk-takers, staff in control functions, and any employee whose remuneration is equivalent to that of senior management and risk-takers and persons whose decisions have a material impact on the firm’s risk profile stipulated in Article 92(1) CRD IV. Specifically, Article 94 delineates the extent to which variable elements may be included. 
As mentioned before, remuneration committees must be established within ‘significant’ firms108 as an institutional means to ensure sound remuneration policies.

3.46  The substance of these requirements, as well as the underlying rationale, has been discussed extensively elsewhere.109 This and the fact that investment firms, to the extent that they are included in the scope of application of the CRD IV,110 are subjected to the same regime as credit institutions hardly necessitates in-depth treatment of the remuneration regime within the present chapter. It should be noted, however, that the extension of the relevant requirements to investment firms does not reflect a careful analysis of the similarities and the differences existing between remuneration practices in credit institutions and investment firms, respectively—and of their implications for risk-taking and, ultimately, systemic risk. In this regard, the same applies as to other parts of the regulatory framework for investment firms, which also extend the regulatory regime for banks without a sound empirical basis. While it may be possible to address such differences under the proportionality test prescribed by Article 92(1) CRD IV, the policy foundations for the equal treatment still appear to be rather weak.

3.  Organization and Risk Management

A.  General Requirements Laid Down in the CRD IV Regime

3.47  To be sure, the governance-related provisions for investment firms, as laid down in MiFID II, follow a more autonomous approach with regard to organizational duties and risk management than with regard to the regulation of the board and its duties (infra III.3.B). Nonetheless, the CRD IV regime also lays down a general basis applicable without discrimination to banks and non-bank investment firms in this respect. The substantive requirements on risk management in Articles 74–87 CRD IV clearly form the core of the Directive’s provisions on internal governance arrangements and clearly aim at enhancing the soundness of its business as a whole.111 This becomes obvious from the very first provision on governance arrangements, which builds on the wording of Article 22 of the recast Banking Directive of 2006 and requires that

[i]nstitutions shall have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management.112

3.48  While the relevant arrangements, processes, and mechanisms are to be specified further by EBA Guidelines,113 the following provisions of the CRD IV themselves continue to lay down a rather tight framework of procedural and substantive requirements for the different aspects of risk governance. As mentioned before, this includes the need to establish a risk committee with both advisory and assistant functions in the formulation and implementation of risk strategies.114 In addition, ‘significant’ credit institutions and investment firms covered by the CRD IV are required to establish a ‘risk management function’ with independent resources and access to the management body.115 But these requirements are ‘without prejudice to the application of Directive 2006/73/EC to investment firms’, which in Article 7(2) already prescribes the creation of an independent risk management function and thus prevails over the CRD IV. The management body itself is expressly required to

approve[ ] and periodically review[ ] the strategies and policies for taking up, managing, monitoring and mitigating the risks the institution is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle,116

and has to ‘devote[ ] sufficient time to consideration of risk issues’.117 These core provisions are then complemented with detailed technical requirements in Articles 77–84.

3.49  In general, the approach to risk management taken by the CRD IV can best be described as a multi-tier concept, which seeks to incentivize the firms (or, more specifically, management boards) to actively define, control, and improve the culture of their respective firms, the substantive standard for which is defined in rather abstract terms (‘robust’ arrangements; ‘clear’ structure; ‘well-defined, transparent, and consistent’ lines of responsibility, etc.). While this is clearly reflective of a principles-based approach to governance regulation, the Directive is much more specific with regard to organizational features designed to bolster the firms’ own efforts. In particular, the specialist risk-management function that has to be established under the new regime has rightly been explained by the desire to create an institutionalized ‘antidote to overcome certain risk management flaws observed in the banks and financial institutions that suffered in the global financial crisis’,118 and other features designed to increase the board’s sensitivity vis-à-vis the risk culture fit into the picture too.119 In particular, the new approach evidently seeks to allocate specific responsibilities and to formulate qualitative standards for the risk-management organization and the resources (financial and human) dedicated to it, in order to activate the boards that are perceived to have been too passive and complacent before the crisis.120 Whether or not this concept is enough to overcome residual deficiencies remains to be seen, however. It could well be the case that firms’ future behaviour may be driven more by the need to demonstrate compliance with the regulator’s expectations rather than a genuine effort to improve the quality of existing arrangements. 
In this context, it is worth noting that proceduralist, principles-based approaches of corporate and financial behaviour have repeatedly been criticized on account of their structural tendency to foster ‘compliant non-compliance’121—to provoke formalistic efforts to ‘tick the boxes’ in generic to-do lists rather than encourage the regulatees’ creativity with a view to accomplishing the regulatory objectives through instruments that match the needs of the individual case.122 At any rate, specific models for the design of risk-management arrangements, which could be referred to as ‘best practice’ by both authorities and regulated institutions, have evolved rather slowly, and widely advocated standards are still far from universally accepted.123

B.  Specific Organizational Requirements under MiFID II

3.50  Although the CRD IV regime on risk management is highly prescriptive and rather detailed, the corresponding requirements stipulated by MiFID II go still further. The relevant provisions are to be found in Articles 16 and 17 MiFID II, of which the former lays down general requirements applicable for all investment firms, while the latter (not to be examined in detail hereafter) specifically addresses risk-management issues in firms engaging in algorithmic trading. As noted before, this regime is supplemented by implementing Level 2 legislation promulgated by the Commission pursuant to Article 16(12) MiFID II, which has adopted a rather abstract approach and does not provide very detailed specification, however.124 Thus, the regulatory framework for organizational duties for investment firms—which takes up the coexistence of general requirements applicable to both credit institutions and non-bank investment firms under the predecessors of the present regime125—will continue to reflect a complex interplay of different sources of law. Conceptually, the new regime will become even more complex to implement than its predecessors because of the fact that, unlike under MiFID I, implementing legislation now takes the form of a Council Regulation rather than a Directive. Investment firms regulated under both CRD IV and MiFID II will thus simultaneously be subject to risk-management requirements under the national laws transposing the CRD IV and MiFID II (and Directive 2006/73/EC) and the Council Regulation Implementing MiFID II. This requires, at the very least, a careful design of national regimes with a view to minimizing the potential for interferences, but will still prove problematic in cases where the provisions of CRD IV and MiFID II overlap.

3.51  In substantive terms, part of the relevant provisions reflect, again, prudential concerns aiming at enhancing the stability and soundness of the individual firms, while others focus on improving the legal and commercial position of investors and other clients. With respect to the former, MiFID II requires investment firms

to take reasonable steps to ensure continuity and regularity in the performance of investment services and activities. To that end the investment firm shall employ appropriate and proportionate systems, resources and procedures.126

3.52  Moreover, in what is in part a (redundant) repetition of the general CRD IV requirements examined above, investment firms must

have sound administrative and accounting procedures, internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for information processing systems

as well as

[…] sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.127

3.53  To be sure, the latter requirement aims not exclusively at the soundness of the relevant firm as such, but also at the protection of the commercial relationships with investors and other clients. The same applies to the duty to establish a compliance organization within the firm, which must include

adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and tied agents with its obligations under this Directive as well as appropriate rules governing personal transactions by such persons.128

In this context, Article 22 of the Commission Delegated Regulation of 25 April 2016129 provides a considerable degree of further specification, including on the responsibilities and duties of the compliance function (Article 22(2)) and the requirements that must be satisfied in terms of organizational design (Article 22(3)). Generally, firms must ensure that the management board has access to all relevant information.130

3.54  Exclusively in the interest of investors, the Directive prescribes a detailed set of procedural requirements which build on Article 21 MiFID I but are considerably more detailed and prescriptive. These include institutional arrangements designed to prevent conflicts of interest,131 product approval processes for the ‘manufacturing’ (!) of financial products for sale to clients,132 and obligations to review the financial instruments offered or marketed by the firm.133 They supplement, but are without prejudice to, the general requirements of MiFIR relating to disclosure, suitability or appropriateness, identification, and management of conflicts of interests and inducements.134 Additional requirements are made with regard to record keeping and documentation135 and to the preservation of ownership and other rights of clients.136

3.55  While the underlying policy rationale of the organizational provisions stipulated by MiFID II thus differs in part from those set out in the CRD IV, with investor protection coming into play as a second determinant in addition to systemic stability concerns, the regulatory strategy employed is essentially the same in both instruments.137 Just like in the CRD IV, we find a combination of substantive standards in the form of a multitude of rather vague criteria (‘reasonable’ steps, ‘sound’ mechanisms and processes, ‘effective’ procedures, ‘adequate’ policies, etc.), which leave a considerable discretion to supervisory authorities, with procedural requirements that expressly allocate responsibilities and require the implementation of specific organizational arrangements, such as the creation of a compliance function. Just like the CRD IV in this respect, the MiFID II organizational framework can thus be said to reflect the expectation that the management board’s sense of responsibility can be activated in a way that ultimately may yield improvements in the corporate culture—the attitude of directors and senior and junior management with regard to risk-taking and qualitative standards in the provision of investment services to clients. Just as with the CRD IV regime, however, doubts as to the efficacy of proceduralist approaches may also be warranted in this context.

4.  Shareholders and Owners with Qualifying Holdings

3.56  With regard to the supervisory scrutiny of shareholders and owners of qualifying holdings, the new regulatory framework takes up the previous regime established by Articles 9 and 10 MiFID I. The new framework adopts a far more complex approach, however, underlining the relevance of shareholder control as a means to promote sound business practices and good corporate governance. Significantly, the new provisions are broadly in line with the corresponding requirements under Articles 14 and 22–27 of the CRD IV (on the disclosure and supervisory assessment of shareholders and owners prior to authorization and in connection with a proposed acquisition at a later stage, respectively). Both regimes cover ‘the shareholders or members, whether direct or indirect, natural or legal persons, that have qualifying holdings’,138 defined as

a direct or indirect holding in an investment firm which represents 10% or more of the capital or of the voting rights, as set out in Articles 9 and 10 of Directive 2004/109/EC […], taking into account the conditions regarding aggregation thereof laid down in Article 12(4) and (5) of that Directive, or which makes it possible to exercise a significant influence over the management of the investment firm in which that holding subsists.139

3.57  As a condition for authorization, the competent authorities must be ‘satisfied as to the suitability’ of the holders of such positions, ‘taking into account the need to ensure the sound and prudent management of an investment firm’.140 With regard to the acquisition of positions in an already authorized firm, these requirements are supplemented with specific qualitative criteria including, inter alia, the reputation of the proposed acquirer, the reputation and experience of persons who will direct the business as a result of the acquisition, the financial soundness of the acquirer, and the likely impact of the acquisition on future compliance with regulatory requirements.141 Articles 12 and 13 MiFID II lay down the procedural framework for the assessment process in this context, which is clearly modelled on the corresponding provisions of Articles 22–24 CRD IV.

5.  Governance Reporting

3.58  Again, just as with credit institutions, investment firms covered by the CRD IV/CRR framework are subject to the governance reporting requirements stipulated by Articles 435 and 450 CRR, which provide for the disclosure on the risk-management function and certain aspects of board organization, as well as remuneration policies, respectively.142 While details remain outside the scope of this chapter, it should be noted that the general approach to using external disclosure as a means to foster compliance with prudential standards is thereby also extended to the governance-related regulation of investment firms.

6.  Assessment

A.  Systemic Stability Concerns versus Investor Protection: A Reappraisal of Policy Rationales

3.59  As has been discussed above, the policy rationale for governance-related provisions in the CRD IV/MiFID II regime remains somewhat obscure, in particular if measured by the formulations of the respective Preambles. For the first time, specific systemic stability considerations explicitly have made their way into the policy foundations of the organizational framework set out in MiFID II, reflecting a departure from the earlier approach which was informed mainly by the motive to realign the regulatory frameworks for non-bank investment firms with those applicable to universal banks, and, in addition, to introduce some specific requirements addressing the principal–agent conflicts characteristic for the provision of investment services.143 Although the new regime still falls short of providing a fully consistent and convincing regulatory answer to the functional parallels and differences of universal banks and non-bank investment firms regarding the two fundamental objectives of securities regulation—market stability and investor confidence—it should be noted that the functional relationship between systemic stability considerations on one hand and investor protection on the other has become more balanced, and the policy mix pursued with regard to the regulation of investment firms is more convincing than under the predecessors. Both Directives jointly seek to address a list of shortcomings in the governance arrangements of financial intermediaries that have come to be perceived as drivers for the excessive risk-taking and insufficient control of risks that ultimately triggered the global financial crisis. Rightly, unlike under the ISD 1993 and MiFID I, the inclusion of investment firms into the governance-related regulatory framework for credit institutions is no longer justified merely on the grounds of equal market access (a concept that had been rather unconvincing from the start), but reflects genuine considerations of the risks pertaining to the legal and economic nature of the commercial relationships between (non-bank) investment firms and their clients and other counterparties. In many ways, the shift in policy rationales is also reflected in the substantive and procedural technical framework established by both Directives, as both the technical requirements aiming at enhancing the soundness of strategies and operations and those aiming at improving investor protection have become more refined, compared to the earlier concept.

3.60  In sum, the CRD IV/MiFID II framework, at a very abstract level, should therefore be regarded as an improvement of the status quo ante. It should be noted, however, that this positive assessment is confined to the policy foundations as such; that is, to the concept of addressing systemic risk wherever it occurs and, therefore, irrespective of the commercial nature of the relevant entity (‘credit institution’ or ‘investment firm’). To be sure, as noted before, this approach reflects a broader, international approach to dealing with systemic relevance of financial institutions generally, which effectively removes the traditional sector-specific boundaries in financial regulation in response to lessons learnt during the global financial crisis.144 Whether the rather indiscriminate treatment of both types of institutions within the scope of the CRD IV is actually justified is a different story, however. In this regard, it should be noted that the empirical basis for the assessment of systemic risk associated with the specific activities undertaken by investment firms continues to be extremely weak. On closer inspection, the decision to include a wide range of diverse firms, which engage in an equally diverse range of activities, within the scope of a legal framework whose main focus still remains on the activities of commercial banks may well turn out to be too simplistic to actually satisfy the test of proportionality. In this context, it should be noted that the categorization of investment firms laid down in MiFID II and the CRD IV is far from uncontroversial even within the European regulatory landscape. It is particularly telling that the European Banking Authority, in a recent report, strongly promotes the introduction of a new approach, which would be more sensitive to the implications of the firms’ activities not just in terms of their individual soundness, but also in terms of systemic stability.145

3.61  Irrespective of these general considerations, it is far from clear whether the technical design draws the right conclusions; that is, whether the new framework addresses real deficiencies with adequate, effective remedies. While the need for enhanced systemic stability and investor protection can hardly be disputed as such, the first doubts arise just below this rather high-level set of objectives. As noted before, it is not just the empirical evidence of weaknesses in governance arrangements prior to the global crisis that is rather thin, but also the available body of ‘best practice’ that could be referred to by both supervisors and regulated firms in the course of implementing the new regime. In this respect, while it is true that the CRD IV/MiFID II reflects a sound definition of fundamental policy objectives, the question of whether the same could also be said of the corresponding mix of policies and strategies remains open.

B.  Principles-Based Regulation versus Ever Tighter Rules: Some Observations on Regulatory Strategy

3.62  As noted previously in respect of organizational requirements,146 the preference for a combination of a large amount of vaguely defined principles (compliance with which will be monitored by authorities enjoying a rather high level of discretion) with highly prescriptive procedural requirements has become characteristic for both the CRD IV and the MiFID II. This could well turn out to be a major problem for the effective implementation in future practice. If anything, this approach is likely to reduce the flexibility associated with a genuine principles-based strategy, where the supervisor is free to act on the basis of a few, broad principles rather than the present array of detailed qualitative standards. Effective implementation will succeed only if the regulated firms and their supervisors manage to interpret, and apply, the new framework in ways flexible enough to cater for the needs arising out of individual business models and the legal and organizational structures of firms. This in turn will happen only if supervisors abstain from one-size-fits-all approaches that would streamline existing arrangements without any positive yield in terms of either systemic resilience or improved investor protection.147 In this context, it should not go unnoticed that the complex set of vague definitions is likely to give rise to substantial legal uncertainty on the part of regulated firms. This in turn could incentivize board members to strive for uncontroversial, if formalistic, compliance with the supervisor’s expectations rather than creative, albeit perhaps controversial, independent solutions which might be preferable not just for the firm itself but also for systemic stability.148

C.  Technical Inconsistencies with Company and Partnership Law

3.63  These concerns are aggravated by the technical inconsistencies between the governance framework laid down by both the CRD IV and MiFID II on one hand and the real-life variety of different legal and organizational structures in investment firms on the other hand, which in turn reflect differences in the underlying national company and partnership laws. Such inconsistencies are resolvable, although perhaps not in the most efficient way; the Directives clearly restrict the scope for organizational choices of firms. For example, as investment firms must introduce a separation of the functions of chairman of the board and chief executive officer,149 it is clear that a combination of functions is not permissible from the regulatory perspective, even where general company or partnership law would allow it and although the rationale may well be debatable.150 Technical inconsistencies between the regulatory framework and the applicable national regimes for the formation of business enterprises are more difficult to resolve in cases where the Directives’ approach is too inflexible to take account of the mandatory restrictions of national law. As pointed out by Peter O. Mülbert and Alexander Wilhelm in a careful analysis of the applicable CRD IV provisions, this is particularly the case with regard to the Directive’s organizational duties for the management board, which cannot easily be adapted to the legal environment of two-tier boards or corporate forms without any mandatory supervisory functions.151

D.  Impediments to Effective Enforcement: The Public–Private Dichotomy

3.64  From a company law perspective, the new regulatory framework for the governance of investment firms can be characterized as a complex supplement to the existing company (or partnership) law provisions relating to the formation of business enterprises, board duties, and, in particular, organizational requirements that have hitherto been defined exclusively by the applicable laws of the country of registration. As discussed above, these provisions do not necessarily conflict with the regulated firms’ best interests. Viable risk-management systems, for example, are surely desirable not just for financial intermediaries and, indeed, will be required by some national company laws.152 In certain cases, regulatory requirements may nonetheless conflict with the commercial interests of a regulated firm.153 At any rate, the management board may, rightly or wrongly, find a particular organizational measure required by the supervisory authorities to be undesirable commercially, for example because the costs of implementation are high while the possible benefits appear to be rather abstract. In any such cases, the management board will find themselves in a conflict of interest between the need to comply with supervisory requirements on one hand and the duty to best serve the company’s commercial interests on the other. If that is the case, the effective enforcement of regulatory requirements may be compromised by the interference with private-law duties of directors under the applicable company law. At the very least, private enforcement of regulatory standards is unlikely to happen in such circumstances, which could well weaken the de facto influence of regulatory standards.154

IV.  Conclusions

3.65  Compared with credit institutions, investment firms under the reformed framework laid down in the CRD IV and MiFID II have been subjected to an even more complex set of corporate governance requirements, which extend not just to the composition and organization of the board of directors and risk management, but also to remuneration issues and the supervisory scrutiny of qualified holdings. The underlying rationale to address systemic risk wherever it occurs—irrespective of the character of an intermediary’s business—is certainly sound as such, and MiFID II clearly constitutes a step forward in terms of consistency of the underlying policy objectives. However, as argued in the present chapter, the equal treatment of banks and investment firms in the area of corporate governance requirements should clearly be justifiable on the grounds of systemic risk considerations and, in this regard, the empirical evidence supporting the convergence of regulatory approaches in the fields of banking and securities regulation remains weak. The notion that all investment firms covered by MiFID II, irrespective of size and business models, should be required to comply with rules designed to address governance failures in large, systemically important firms is open to doubt. At the very least, this calls for a careful handling of the proportionality tests required to be applied under both the CRD IV and MiFID II, while calls for a recategorization of the scope of application, so as to enhance sensitivity to potential systemic implications of firm failures, should be taken up in the medium and long run. Moreover, this chapter has identified a number of general concerns as to the effectiveness of the new framework, which are not only confined to the regulation of investment firms. Whether or not the new set of requirements will succeed in promoting sound corporate governance of financial intermediaries remains to be seen. This chapter argues that there are reasons to remain sceptical.


The author would like to thank Guido Ferrarini and Victor de Seriere, as well as other participants in the International MiFID II Working Group conference in Amsterdam, for insightful comments. The usual disclaimer applies.

1  See, for a similar approach, e.g., Klaus J. Hopt, ‘Corporate Governance of Banks and Other Financial Institutions After the Financial Crisis’, (2013) Journal of Corporate Law Studies 13, 219, 222; Klaus J. Hopt, ‘Corporate Governance of Banks after the Financial Crisis’ in Eddy Wymeersch, Klaus J. Hopt, and Guido Ferrarini (eds) Financial Regulation and Supervision—A Post-Crisis Analysis (Oxford: OUP, 2012), para. 11.01.

2  Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC, OJ L 145 p. 1 (hereafter: ‘MiFID I’).

3  Council Directive 93/22/EEC of 10 May 1993 on investment services in the securities field, OJ L 141 p. 7 (hereafter: ‘ISD 1993’).

4  See, in particular, ISD 1993, Article 3(3)(1), second indent (directors of investment firms to be ‘of sufficiently good repute and … sufficiently experienced’) and 3(3)(2) (at least two responsible directors required), Article 3(4) (organizational structure to be submitted to supervisory scrutiny before authorization), Article 4 (identity of owners and qualifying holdings to be disclosed and their ‘suitability’ to be assessed prior to authorization), Article 9 (notification procedure for the acquisition of qualifying holdings), and Article 10 (specific governance requirements, including ‘sound administrative and accounting procedures, control and safeguard arrangements for electronic data processing, and adequate internal control mechanisms’).

5  See infra II.2.B.

6  Commission Delegated Regulation (EU) no. … of 25 April 2016 on Directive 2014/65/EU of the European Parliament and of the Council as regards organizational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive. As of end October 2016, the document has not yet been published in the Official Journal and has not entered into force. The version adopted by the Commission is document no. C(2016) 2398 final.

7  MiFID II, Preamble, Recital 4.

8  MiFID II, Preamble, Recital 5.

9  See generally, e.g., Rüdiger Veil, ‘Concept and Aims of Capital Markets Regulation’ in Rüdiger Veil (ed.) European Capital Markets Law (Oxford: Hart Publishing, 2013), pp. 18–19.

10  Commission, Green Paper on Corporate Governance in Financial Institutions, COM(2010) 284 final. See also Niamh Moloney, EU Securities and Financial Markets Regulation, 3rd edn (New York: OUP, 2014), 357–8.

11  See further infra II.2.

12  Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, OJ L 176, 27.6.2013, p. 338. For an in-depth analysis of that regime, see Peter O. Mülbert and Alexander Wilhelm, ‘CRD IV Framework for Banks’ Corporate Governance’ in Danny Busch and Guido Ferrarini (eds) European Banking Regulation (Oxford: OUP, 2015), Chapter 6.

13  Cf., for useful analyses of the Lehman collapse and its systemic implications, e.g., Michael Fleming and A. Sarkar, ‘The Failure Resolution of Lehman Brothers’ (2014) Special Issue: Large and Complex Banks, FRBNY Econ. Pol’y Rev. 20, 175; Stephen J. Lubben and Sarah Pei Woo, ‘Reconceptualizing Lehman’ (2014) Texas International Law Journal 49, 297; Rainer Kulms, ‘Lehman’s Spill-over Effects’ (2012) Peking University Journal of Legal Studies 3, 3. And see, from a policy perspective, Basel Committee on Banking Regulation, ‘Report and Recommendations of the Cross-border Bank Resolution Group’ (March 2010), available at http://www.bis.org/publ/bcbs169.pdf, paras 49 and 50; Centre for Economic Policy Research, A Safer World Financial System: Improving the Resolution of Systemic Institutions, Geneva Reports on the World Economy No. 12 (London: CEPR, 2012) (available online at <http://www.cepr.org/active/publications/books_reports/viewreport.php?cvno=P210>), pp. 42–6.

14  E.g., Marco Becht, Patrick Bolton, and Ailsa Röell, ‘Why Bank Governance is Different’ (2011) Oxford Review of Economic Policy 3, 437, 455; Klaus J. Hopt, ‘Corporate Governance of Banks after the Financial Crisis’ in Wymeersch, Hopt, and Ferrarini (eds) (n. 2), paras 11.16 et seq., 11.45 et seq.; see also René M. Stulz, ‘Governance, Risk Management, and Risk-Taking in Banks’ (2014), available at http://ssrn.com/abstract=2457947.

15  Cf., e.g., Becht, Bolton, and Röell (n. 15), 437 (discussing both board incompetence and deficient risk management); on the relationship between shareholder-friendly governance structures and risk appetite of intermediaries, see (with mixed results) Deniz Anginer et al., ‘Corporate Governance and Bank Insolvency Risk. International Evidence’ (2014), available at http://ssrn.com/abstract=2491490; Andrea Beltratti and René M. Stulz, ‘Why Did Some Banks Perform Better During the Credit Crisis? A Cross-Country Study of the Impact of Governance and Regulation’ (2012) Journal of Financial Economics 105, 1; David H. Erkens, Mingyi Hung, and Pedro P. Matos, ‘Corporate Governance in the 2007–2008 Financial Crisis: Evidence from Financial Institutions Worldwide’ (2012) Journal of Corporate Finance 18, 389; Luc Laeven and Ross Levine, ‘Bank Governance, Regulation and Risk Taking’ (2009) Journal of Financial Economics 93, 259. For comprehensive reviews of the available literature, see, e.g., James R. Barth, Chen Lin, and Clas Wihlborg (eds) Research Handbook on International Banking and Governance (Oxford: OUP, 2012); Jakob de Haan and Razvan Vlahu, Corporate Governance of Banks: A Survey (Oxford: OUP, 2013), available at <http://www.dnb.nl/en/binaries/Working%20Paper%20386_tcm47-294339.pdf>. See also, discussing possible implications from a legal perspective, Andreas Kokkinis, ‘A Primer on Corporate Governance in Banks and Financial Institutions: Are Banks Special?’ in Iris Chiu (ed.) The Law on Corporate Governance of Banks (Cheltenham: Edward Elgar, 2015), paras 1.37 et seq.; Klaus J. Hopt, (2013) JCLS 13, 219, 237 ff.; Klaus J. Hopt, in Wymeersch, Hopt, and Ferrarini, (n. 2), paras 11.16–11.22; Peter O. Mülbert, ‘Corporate Governance of Banks’ (2009) European Business Organization Law Review 10, 411, 433–4; Peter O. Mülbert and Ryan Citlau, ‘The Uncertain Role of Banks’ Corporate Governance in Systemic Risk Regulation’ in Hanne S. Birkmose, Mette Neville, and Karsten E. Sørensen (eds) The European Financial Market in Transition (Alphen aan den Rijn: Kluwer, 2012), p. 275; Christoph Van der Elst, Corporate Governance and Banks: How Justified is the Match? (Oxford: OUP, 2015), available at <http://ssrn.com/abstract=2562072>.

16  Contrast, e.g., Aslı Demirgüç-Kunt and Enrica Detragiache, ‘Basel Core Principles and Bank Soundness’, World Bank Policy Research Working Paper No. 5129 (2009), available at <http://ssrn.com/abstract=1509196> (reaching a rather negative conclusion); with the more positive assessment by Richard Podpiera, ‘Does Compliance with Basel Core Principles Bring Any Measurable Benefits?’, IMF Working Paper WP/04/204 (2004), available at <www.imf.org/external/pubs/ft/wp/2004/wp04204.pdf>.

17  Starting with the 2009 London summit, G20 Finance Ministers and Governors have called for guidance on the assessment of the systemic importance of financial institutions and special regulatory measures to address relevant risks; see International Monetary Fund, Bank for International Settlements and Financial Stability Board, ‘Report to G20 Finance Ministers and Governors: Guidance to Assess the Systemic Importance of Financial Institutions, Markets and Instruments: Initial Considerations’, October 2009, available at <http://www.fsb.org/wp-content/uploads/r_091107c.pdf>; and see further Financial Stability Board, ‘Reducing the moral hazard posed by systemically important financial institutions’, 20 October 2010, available at <http://www.fsb.org/wp-content/uploads/r_101111a.pdf>, and see Financial Stability Board, Press Release: ‘G20 Leaders endorse Financial Stability Board policy framework for addressing systemically important financial institutions’, 12 November 2010, available at <http://www.fsb.org/wp-content/uploads/pr_101111a.pdf>. For an industry perspective, cf. also Institute of International Finance, ‘Systemic Risk and Systemically Important Firms: An Integrated Approach’ (May 2010), available at <https://www.iif.com/file/7099/download?token=MEOyTkEA>, in particular pp. 17–40.

18  See further infra III.6.A.

19  ISD 1993, Preamble, Recitals 2 and 41.

20  ibid., Preamble, Recital 5.

21  ibid., Preamble, Recital 6.

22  ibid., Article 3(3) sentences 1 and 2.

23  As to which, see infra III.2.

24  First Council Directive 77/780/EEC of 12 December 1977 on the coordination of the laws, regulations, and administrative provisions relating to the taking up and pursuit of the business of credit institutions, OJ L 322, 17.12.1977, p. 30, Article 3(2). The origins of this requirement can be traced to earlier precedents in national legislation, e.g., in Germany, see Jens-Hinrich Binder, ‘Organisationspflichten und das Finanzdienstleistungs-Unternehmensrecht: Bestandsaufnahme, Probleme, Konsequenzen’ (2015) ZGR—Zeitschrift für Unternehmens- und Gesellschaftsrecht, 667, 677.

25  ISD 1993, Articles 4 and 9.

26  See Second Council Directive 89/646/EEC of 15 December 1989 on the coordination of laws, regulations, and administrative provisions relating to the taking up and pursuit of the business of credit institutions and amending Directive 77/780/EEC, OJ L 386, 30.12.1989, p. 1, Articles 5 and 11.

27  ISD 1993, Article 3(4).

28  ibid., Article 10, sentence 1.

29  ibid., Article 3(7)(e).

30  ibid., Article 10 sentence 2, first indent.

31  ibid., Article 10 sentence 2, indents 2–5, respectively.

32  Binder (n. 25), 688. The organizational requirements for banks under the Second Banking Directive of 1989 (Second Council Directive 89/646/EEC of 15 December 1989 on the coordination of laws, regulations and administrative provisions relating to the taking up and pursuit of the business of credit institutions and amending Directive 77/780/EEC, OJ L 386, 30.12.1989, p. 1) were confined to the very vaguely defined rule ‘that every credit institution have sound administrative and accounting procedures and adequate internal control mechanisms’ (Article 13(2)). Taking an even narrower perspective, Article 8(1) of the ISD 1993 required that ‘institutions’ internal control mechanisms and administrative and accounting procedures permit the verification of their compliance with [the Directive’s requirements] at all times.’

33  See, for an excellent overview of the relevant issues, Moloney (n. 11), 320–3. And see further infra III.6.A.

34  As prescribed by Article 11 of the Directive.

35  In the words of a contemporary analysis, see Marc Dassesse, Stuart Isaacs, and Graham Penn, EC Banking Law, 2nd edn (London: Lloyd’s of London Press, 1994), para. 7.2.

36  MiFID I, Preamble, Recital 17, see also Recital 25 (scope of prudential regulation to be confined to ‘those entities which, by virtue of running a trading book on a professional basis, represent a source of counterparty risk to other market participants’).

37  For an exposition of the underlying policy considerations, cf. MiFID I, Preamble, Recitals 18–19, 22, and 24.

38  MiFID I, Articles 9 and 10, respectively.

39  Significantly, Article 13(4) MiFID I now required specific precautions in the interest of business ‘continuity and regularity in the performance of investment services and activities’, while Article 13(5) stipulated more detailed provisions for the outsourcing of operational functions.

40  See Commission Directive 2006/73/EC of 10 August 2006 implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organizational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive, OJ L 241, 2.9.2006, p. 26 (hereafter: ‘Implementing Directive 2006/73/EC’), Chapters 2 and 3.

41  ibid., Article 5 (specifying the requirements under Article 13(2) to (8) MiFID I).

42  ibid., Article 6 (specifying the requirements under Article 13(2) MiFID I).

43  ibid., Article 7 (specifying the second subparagraph of Article 13(5) MiFID I).

44  ibid., Article 8 (specifying the second subparagraph of Article 13(5) MiFID I).

45  ibid., Article 9 (specifying Article 13(2) MiFID I).

46  ibid., Article 16 (specifying Article 13(7) and (8) MiFID I).

47  ibid., Preamble, Recitals 4 and 7.

48  ibid., Recital 5.

49  Basel Committee on Banking Supervision, ‘International Convergence of Capital Management and Capital Standards—A Revised Framework’ (June 2004).

50  Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions, OJ L 177, 30.6.2006, p. 1 (the ‘recast Banking Directive’); Directive 2006/49/EC of the European Parliament and of the Council of 14 June 2006 on the capital adequacy of investment firms and credit institutions (recast), OJ L 177, 30.6.2006, p. 201 (the ‘recast Capital Adequacy Directive’).

51  See, e.g., Mülbert and Wilhelm (n. 13), para. 6.05.

52  Directive 2010/76/EU of the European Parliament and of the Council of 24 November 2010 amending Directives 2006/48/EC and 2006/49/EC as regards capital requirements for the trading book and for re-securitizations, and the supervisory review of remuneration policies, OJ L 329, 14.12.2010, p. 3, Article 1(3).

53  ibid., Preamble, Recitals 7–10 and 17–22. As for the Green Paper, see ibid., Recital 17 and supra text and n. 11.

54  Supra n. 7.

55  See MiFID II, Article 9(1), referring to CRD IV, Articles 88 and 91.

56  MiFID II, Article 9(3)–(6).

57  MiFID II, Articles 10–13.

58  See, again, supra text accompanying n. 9.

59  See, again, MiFID II, Preamble, Recital 5 (quoted supra text accompanying n. 9).

60  See, for further discussion, Mülbert and Wilhelm (n. 13), paras 6.75 and 6.76.

61  See, for further discussion, infra III.6.A.

62  Supra II.A.

63  For a good introduction to the problem and analysis of the CRD IV framework in this respect, see Mülbert and Wilhelm (n. 13), paras 6.38–6.47.

64  Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012, OJ L 176, 27.6.2013, p. 1. Article 4(2) CRR extends to persons subject to the

requirements imposed by [MiFID I], excluding (a) credit institutions; (b) local firms; (c) firms which are not authorized to provide the ancillary service referred to in point (1) of Section B of Annex I to Directive 2004/39/EC, which provide only one or more of the investment services and activities listed in points 1, 2, 4 and 5 of Section A of Annex I to that Directive, and which are not permitted to hold money or securities belonging to their clients and which for that reason may not at any time place themselves in debt with those clients.

Obviously, this definition must now be read as referring to the definition of investment firms as stipulated by Article 4(1)(1) MiFID II, with the exception of firms specified in Article 4(1)(2)(a)–(c) MiFID II; see Mülbert and Wilhelm (n. 13), para. 6.11 notes 23 and 24.

65  Cf. Articles 88, 91 in conjunction with Article 2(1) CRD IV.

66  That is, those firms mentioned in CRR, Article 4(1)(b) and (c): ‘local firms’ and ‘firms which are not authorized to provide the ancillary service referred to in point (1) of Section B of Annex I to Directive 2004/39/EC, which provide only one or more of the investment services and activities listed in points 1, 2, 4 and 5 of Section A of Annex I to that Directive, and which are not permitted to hold money or securities belonging to their clients and which for that reason may not at any time place themselves in debt with those clients’.

67  Cf. CRD IV, Preamble, Recital 55; replicated in MiFID II, Preamble, Recital 55. Consequently, the definition of a ‘management body’ set out in Article 3(1)(7) CRD IV and, in almost identical wording, Article 4(1)(36) MiFID II follows a functional approach, referring to the ‘body or bodies […] which are appointed in accordance with national law, which are empowered to set the institution’s/entities strategy, objectives and overall direction, and which oversee and monitor management decision-making, and include the persons who effectively direct the business of the institution/entity’.

68  Cf. Article 3(2) CRD IV and Article 4(1)(36) MiFID II, pursuant to which, ‘Where this Directive refers to the management body and, pursuant to national law, the managerial and supervisory functions of the management body are assigned to different bodies or different members within one body, the Member State shall identify the bodies or members of the management body responsible in accordance with its national law, unless otherwise specified by this Directive’. See, for an in-depth discussion and critique, Mülbert and Wilhelm (n. 13), paras 6.38–6.47.

69  CRD IV, Article 88(1)(e).

70  Mülbert and Wilhelm (n. 13), paras 6.38.

71  See, critiquing the underlying policy decision against the available empirical evidence, Luca Enriques and Dirk Zetzsche, ‘Quack Corporate Governance, Round III? Bank Board Regulation Under the New European Capital Requirement Directive’ (2015) Theoretical Enquiries in Law 16, 211, 233–5; similarly Mülbert and Wilhelm (n. 13), para. 6.77 (expressing their preference for a more flexible comply-or-explain approach).

72  CRD IV, Articles 76(3), 88(2), and 95(1).

73  Supra n. 7.

74  See supra n. 69.

75  See, again, CRD IV, Article 3(1)(7) and MiFID II, Article 4(1)(36), quoted supra n. 68.

76  To be discussed in detail infra III.3.

77  At least two persons, cf. CRD IV, Article 13(1) and MiFID II, Article 9(6)—note the exception in the second subparagraph of the latter provision.

78  MiFID II, Article 9(3)(3).

79  Contrast, e.g., the requirements pursuant to Article 88 CRD IV and Article 9 MiFID II with the general exposition of tasks of the management body in Sections 76, 77, 91, and 93 of the German Aktiengesetz (Stock Corporation Act), which are formulated in much more general terms and, with the exception of Section 91(1) (on bookkeeping) and Section 91(2) (on risk-control arrangements) hardly mention any specific responsibilities at all.

80  Cf. MiFID II, Article 8(d).

81  CRD IV, Article 67(2)(f)–(g).

82  As to which, see infra text accompanying n. 90.

83  See supra text accompanying n. 18.

84  See, for details, CRD IV, Article 88(2)(2)(a)–(d). For a discussion of the diversity requirement as such, see infra 3.

85  CRD IV, Article 95(2).

86  CRD IV, Article 76(3).

87  Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC, OJ L 157, 9.6.2006, p. 87. But cf. CRD IV, Article 76(3), pursuant to which non-significant institutions may combine their risk committee and their audit committee in one committee. For further discussion, see Mülbert and Wilhelm (n. 13), para. 6.13.

88  Cf., e.g., Hopt, in Wymeersch, Hopt, and Ferrarini (n. 2), para. 11.18; for empirical assessments, see again supra n. 16.

89  CRD IV, Article 91(2) and MiFID II, Article 9(4).

90  CRD IV, Article 91(8).

91  CRD IV, Article 91(7).

92  CRD IV, Article 91(9).

93  CRD IV, Article 91(10).

94  CRD IV, Article 88(2)(a).

95  Promulgation of which was required by 31 December 2015. As of October 2016, however, the guidelines have yet to be published.

96  Cf., e.g., the much less complex requirements under the ISD 1993, Article 3(3) (quoted supra text accompanying n. 23).

97  Cf., discussing the German practice in banking supervision in this regard, Jens-Hinrich Binder, ‘Vorstandshandeln zwischen öffentlichem und Verbandsinteresse—Pflichten- und Kompetenzkollisionen im Spannungsfeld von Bankaufsichts- und Gesellschaftsrecht’ (2013) ZGR Zeitschrift für Unternehmens- und Gesellschaftsrecht, 760, 774–5.

98  See, expressing similar doubts, also Mülbert and Wilhelm (n. 13), para. 6.67; see also Jaap Winter, ‘The Financial Crisis: Does Good Corporate Governance Matter and How to Achieve It?’ in Wymeersch, Hopt, and Ferrarini (eds) (n. 2), para. 12.28; Enriques and Zetzsche (n. 72), 226.

99  Cf. CRD IV, Preamble, Recital 60, according to which board composition ought to be ‘sufficiently diverse as regards age, gender, geographical provenance and educational and professional background to present a variety of views and experiences’.

100  Contrast, e.g., Irene van Staveren, ‘The Lehman Sisters hypothesis’ (2014) Cambridge Journal of Economics 38, 995 (finding that women in boards tend to perform better than men when deciding under uncertainty), with Renee B. Adams and Vanitha Ragunathan, ‘Lehman Sisters’ (2015), FIRN Research Paper, available at SSRN: <http://ssrn.com/abstract=2380036> (finding that this is not necessarily the case). For an extensive review of the available economic literature without a special focus on the financial sector, see Enriques and Zetzsche (n. 72), 219–25. For a general analysis of ‘groupthink’ as a corporate governance problem, cf. Andrew Howard, ‘Groupthink and Corporate Governance Reform: Changing the Formal and Informal Decision-making Processes of Corporate Boards’ (2011) S. Cal. Interdisc. L. J. 20, 425.

101  Enriques and Zetzsche, ibid., pp. 224–5.

102  Supra paragraph 3.34.

103  Green Paper (n. 11), 17–18.

104  Cf. Financial Stability Board (then Financial Stability Forum), Principles for Sound Compensation Practices (2 April 2009), available at <http://www.fsb.org/wp-content/uploads/r_0904b.pdf>, and FSB, Principles for Sound Compensation Practices—Implementation Standards (25 September 2009), available at <http://www.fsb.org/wp-content/uploads/r_090925c.pdf>.

105  Cf., e.g., discussing the introduction of relevant regulations in Germany, Jens-Hinrich Binder, ‘Steuerung und Kontrolle von Vergütungssystemen durch die BaFin’ in Volker Rieble, Abbo Junker, and Reinhard Giesen (eds) Finanzkriseninduzierte Vergütungsregulierung und arbeitsrechtliche Entgeltsysteme (Munich: ZAAR-Verlag, 2011), p. 63.

106  Cf. MiFID II, Article 9(3)(c), pursuant to which the policy has to aim ‘to encourage responsible business conduct, fair treatment of clients as well as avoiding conflict of interest in the relationships with clients’.

107  Supra, n. 7.

108  Supra n. 73 and accompanying text.

109  See, for introductions to the regime, e.g., Moloney (n. 11), 388–90; Mülbert and Wilhelm (n. 13), at paras 6.16–6.20. And see generally Tom Dijkhuizen, ‘The EU’s Regulatory Approach to Banks’ Executive Pay: From Pay Governance to Pay Design’ (2014) European Company Law 11, 30; Eilís Ferran, ‘New Regulation of Remuneration in the Financial Sector in the EU’ (2012) ECFR 9, 1; Guido Ferrarini and Maria Cristina Ungureanu, ‘An Overview of the Executive Remuneration Issue Across the Crisis’ in Birkmose, Neville, and Sørensen (eds) (n. 16), 349; Guido Ferrarini and Maria Cristina Ungureanu, ‘Lost in Implementation: The Rise and Value of the FSB Principles for Sound Compensation Practices at Financial Institutions’ (May 2011) Revue Trimestrielle de Droit Financier, 1–2, 60; Andrew Johnston, ‘Preventing the Next Financial Crisis? Regulating Bankers’ Pay in Europe’ (2014) Journal of Law and Society 41, 6; for a US perspective, cf. Lucian Bebchuk and Holger Spamann, ‘Regulating Bankers’ Pay’ (2010) Geo. L. J. 98, 247.

110  See, again, supra n. 65 and accompanying text.

111  See, for a brief comparison with the CRD I–III regimes, Mülbert and Wilhelm (n. 13), para. 6.21.

112  CRD IV, Article 74(1).

113  CRD IV, Article 74(2). The present version dates back to the corresponding provision of Article 22 in the recast Banking Directive of 2006 (supra text and n. 51), see EBA, Guidelines on Internal Governance (GL 44) (27 September 2011).

114  CRD IV, Article 76(3) and (4), see supra text accompanying n. 86.

115  See, for details, ibid., Article 76(5); Mülbert and Wilhelm (n. 13), para. 6.23.

116  CRD IV, Article 76(1). Note the similarities with the formulation of board duties in Article 88(1), quoted supra text accompanying n. 77.

117  ibid., Article 76(2).

118  Iris H.-Y. Chiu, Regulating (from) the Inside: The Legal Framework for Internal Control in Banks and Financial Institutions (Oxford: Bloomsbury, 2015), p. 87.

119  See, again, supra III.2.A.

120  For an excellent, in-depth analysis see Chiu (n. 119), 77–118.

121  In the words of John Braithwaite, ‘Rules and Principles: A Theory of Legal Certainty’ (2002) Australian Journal of Legal Philosophy 27, 47, 55–6.

122  See generally, e.g., Jens-Hinrich Binder, Regulierungsinstrumente und Regulierungsstrategien im Kapitalgesellschaftsrecht (Tübingen: Mohr Siebeck, 2012), p. 181; Jens-Hinrich Binder, ‘Prozeduralisierung und Corporate Governance—Innerbetriebliche Entscheidungsvorbereitung und Prozessüberwachung als Gegenstände gesellschaftsrechtlicher Regulierung’, (2007) ZGR Zeitschrift für Unternehmens- und Gesellschaftsrecht 745, 783–7. And see, stressing similar potential weaknesses in the context of governance-related regulation of financial institutions, also Chiu (n. 119), 30–3. For a more optimistic call for a regulatory focus on board processes, cf. also Nicola Faith Sharpe, ‘Process Over Structure: An Organizational Behavior Approach to Improving Corporate Boards’, (2011) S. Cal. L. Rev. 85, 261.

123  Binder (n. 25), 703.

124  See Commission Delegated Regulation of 25 April 2016 (n. 7), in particular Articles 21 (general requirements), 22 (on compliance requirements), 23 (on risk management), 24 (on internal audit), and 25 (responsibilities of senior management).

125  See, again, the summary of organizational requirements under the ISD 1993 and MiFID I supra II.B.

126  MiFID II, Article 16(4).

127  ibid., Article 16(5), subparas 2 and 3, respectively. These requirements are complemented—again, in rather abstract and vague terms—by corresponding implementing provisions in Articles 23 and 24 of Commission Delegated Regulation of 25 April 2016 (n. 7).

128  ibid., Article 16(2).

129  Supra, n. 7.

130  ibid., Article 9(3)(4).

131  ibid., Article 16(3), first subparagraph. This requirement, in conjunction with Article 23 of the Directive, is specified further in Articles 33–35 of the Commission Delegated Regulation of 25 April 2016 (n. 7).

132  MiFID II, subparas 2 and 3.

133  ibid., subpara. 4.

134  ibid., subpara. 7.

135  ibid., Article 16(6) and (7).

136  ibid., Article 16(8)–(10).

137  It is perhaps telling, in this context, that the relevant international standards on risk-management approaches for securities firms have been developed in line with prudential standards developed for credit institutions—compare, e.g., International Organization of Securities Commissioners, ‘Risk Management and Control Guidance for Securities Firms and their Supervisors’ (May 1998), available at <http://www.iosco.org/library/pubdocs/pdf/IOSCOPD78.pdf>, with Basel Committee on Banking Supervisors, ‘Risk Management Practices and Regulatory Capital’ (November 2001), available at <http://www.bis.org/publ/joint04.pdf>.

138  Article 10(1) MiFID II and CRD IV, Article 14(1).

139  MiFID II, Article 4(1)(31), see also CRD IV, Article 3(1)(33), referring to CRR, Article 4(1)(36).

140  MiFID II, Article 10(1)(2), cf. CRD IV, Article 14(2).

141  MiFID II, Article 13(1), cf. CRD IV, Article 23(1). Note that—convincingly, but in contrast to the MiFID II, where Article 10 makes no reference to Article 13—these requirements are also to be applied in conjunction with the supervisory scrutiny of qualifying holdings in the initial authorization process (CRD IV, Article 14(2)). In practice, however, authorities are also likely to apply the same criteria under the initial authorization process in a ‘pure’ MiFID II scenario.

142  See also Moloney (n. 11), 391.

143  See supra II.

144  See, again, supra n. 18 and accompanying text.

145  EBA, ‘Report on Investment Firms—Response to the Commission’s Call for Advice of December 2014’, EBA/Op/2015/20 (2015), available at <https://www.eba.europa.eu/documents/10180/983359/EBA-Op-2015-20+Report+on+investment+firms.pdf>. See also EBA, ‘Opinion of the European Banking Authority on the First Part of the Call for Advice on Investment Firms’, EBA-Op-2016-16 (2016), available at <http://www.eba.europa.eu/documents/10180/1629027/Opinion+of+the+European+Banking+Authority+on+the+First+Part+of+the+Call+for+Advice+on+Investment+Firms+%28EBA-Op-2016-16%29.pdf>.

146  See, again, supra III.3.

147  See, again, Binder, ZGR Zeitschrift für Unternehmens- und Gesellschaftsrecht (2015), pp. 667, 702–3; cf. also, discussing the prospect of governance-oriented regulation of banks participating in the Banking Union, Binder, ‘The Banking Union and the Governance of Credit Institutions: A Legal Perspective’ (2015) European Business Organization Law Review 16, 467, 478–87.

148  See, again, Binder, ZGR Zeitschrift für Unternehmens- und Gesellschaftsrecht (2015), pp. 667, 702–3, 707; Chiu (n. 119), 30–3; Enriques and Zetzsche (n. 72), 227–9.

149  See, again, CRD IV, Article 88(1)(e), on which, see supra III.2.A.

150  See, again, Enriques and Zetzsche (n. 72), 232; Mülbert and Wilhelm (n. 13), para. 6.77.

151  See, again, Mülbert and Wilhelm (n. 13), paras 6.38–6.47.

152  Cf., e.g., Section 91(2) of the German Stock Corporation Act.

153  Cf. Binder, ZGR Zeitschrift für Unternehmens- und Gesellschaftsrecht (2015), pp. 667, 704 (discussing group-wide organizational requirements under EU and national banking regulation, which may conflict with limits to organizational choices within groups under German group law).

154  ibid., pp. 705–6.