3.01  The regulation of the governance of investment firms—for present purposes to be understood as referring to the internal corporate governance, that is, the rules and arrangements relating to the board, the organization, and internal procedures¹—is by no means a post-financial-crisis phenomenon, and MiFID II is not the first European law instrument to prescribe relevant requirements in this regard. In fact, their history reaches back beyond MiFID I² and, to a considerable extent, has been part of the regulatory framework for the prudential supervision of banks and investment firms generally. Long before the financial crisis reinforced concerns about the management of financial intermediaries, the first components of the regulatory concept were already laid down in the Investment Services Directive (ISD) of 1993³—then, as continues to be the case to date, in the form of fundamental prudential requirements that must be met both as a precondition for authorization as a licensed investment firm and on a day-to-day basis in the course of the firm’s operations.⁴ In addition, non-bank investment firms have been subject to the governance-related provisions applicable to banks in particular after the implementation of the Basel II capital accord in Europe from 2006.⁵ In short, governance-related regulations have been part and parcel of the European framework regulation of investment intermediaries from the start, as a precondition for authorization and a complement to conduct-of-business regulation.

3.02  Against this backdrop, a superficial observer could be forgiven for concluding that governance-related regulatory requirements appear to have been both an uncontroversial and a rather immutable component of the relevant EU framework for the setting-up and operation of financial intermediaries engaged in the business of investment services to date. On closer inspection, however, neither holds true. As will be discussed in detail in subsection II below, both the rationale of governance-related regulatory requirements and their technical content have changed significantly over time. It is also as a result of this rather complex history that some of the technical regulatory concepts, reinforced and expanded under MiFID II, continue to pose significant challenges to the diverse range of financial intermediaries that are subject to these requirements across the European Union. Again, as will be discussed below, these challenges are reinforced by the absence of clear-cut policy foundations, which has been a characteristic of the regulatory framework for the pursuit of investment services ever since the adoption of the ISD 1993.

3.03  The present chapter seeks to explore both the relevant policy background and the technical content of governance-related regulation of investment firms under MiFID II and, in addition, secondary legislation complementing the Level 1 requirements,⁶ and the CRD IV package, which extends not just to credit institutions but also to investment firms. Section II below will first analyse the rationale for governance-related regulation against the backdrop of the historic emanation of governance-related requirements for investment firms in European financial regulation. Section III then examines the technical features of the new regime, and identifies some challenges for transposition and enforcement. Section IV concludes.

3.04  Judging from the preamble to MiFID II, the case for governance-related regulation would appear to be rather straightforward. In addition to the general policy objective to combat ‘weaknesses in the functioning and in the transparency of financial markets’,⁷ the Directive expressly identifies ‘weaknesses in corporate governance in a number of financial institutions, including the absence of effective checks and balances within them’, as a ‘contributory factor to the financial crisis’, and then continues to set out the rationale for regulatory interference by arguing that

3.05  Starting from this wording, governance-related regulation of investment firms can thus be said to serve a dual objective, namely (i) the prevention of failures of financial institutions with a view to protecting systemic stability, and (ii) the prevention of losses to investors and the protection of investor confidence. On the surface, this is hardly surprising, as it merely reflects the traditional set of—interrelated—objectives of financial regulation generally: the preservation of the economic functions of financial markets (in particular, the effective allocation of capital within a market economy), and the protection of customers (whose confidence is essential for the preservation of financial stability).⁹ Irrespective of this general background, however, the relevance of the above statement of policy objectives goes far beyond stating the obvious. It is worth noting that, although the relevant regulations under MiFID I are expressly referred to as a starting point for the reform, systemic stability considerations, for the first time in the history of European securities regulation, are expressly mentioned as a key driver for the further refinement of the relevant requirements. This takes up corresponding considerations first laid down in the Commission’s 2010 Green Paper on the governance of financial institutions.¹⁰ By contrast, as will be examined in further detail below, neither the ISD 1993 nor MiFID I made any reference to such considerations in the context of governance-related regulation. To be sure, neither of these earlier instruments were very outspoken with regard to the motives for governance-related regulation. This was consistent with the original objective to realign the prudential requirements pertaining to non-bank investment firms with those applicable to credit institutions in the interest of equal market access,¹¹ but indicates that the rationale for regulatory intervention was rather obscure under the predecessors of the present regime.

3.06  In view of lessons learnt from the global financial crisis, the reinforcement and expansion of governance-related requirements by MiFID II therefore reflect not just a desire for further refinement of existing regulatory requirements and strategies but also, importantly, a shift in the underlying policy objectives: In addition to the protection of investors and investor confidence, systemic considerations have entered the scene—and seem to play a more important role than the traditional focus on investor protection as such. To be sure, this development reacts to widespread concerns about the quality of governance arrangements in financial intermediaries generally. These have arisen as a result of (well-founded or perceived) lessons learnt from the global financial crisis and have inspired not just the substantive overhaul of the governance-related provisions in the MiFID regime but also, and to a larger extent, the corresponding reforms of governance-related requirements for banks under the CRD IV package of 2013.¹² As illustrated, in particular, by the Lehman Brothers failure in September 2007, systemic implications triggered by the insolvency of financial intermediaries are not necessarily confined to licensed banks. They arise out of the relevant firm’s size, its connectedness to other market participants and to providers of market infrastructure, and the complexity of its operations and legal structure, as well as the market perception of the relevance of the firm—rather than out of the nature of its business (deposit-taking, provision of investment services) as such.¹³ On closer examination, however, the available evidence is mixed. While it is generally agreed that risk management systems failed to mitigate excessive risk-taking in financial intermediaries in the run-up to the crisis,¹⁴ empirical findings with regard to other aspects of corporate governance are, at best, inconclusive.¹⁵ In particular, it is far from settled that those corporate governance standards that had been established already prior to the financial crisis can be said to have contributed to safer organizational arrangements.¹⁶ Specifically to what extent prudential concerns about firm soundness and, ultimately, financial stability implications are warranted in the case of (different types of) investment firms is still rather uncharted territory. As international regulatory standards, in response to the global financial crisis, have understandably focused on systemically important financial institutions,¹⁷ it is, in principle, hardly surprising that the relevant provisions under MiFID II and secondary legislation, as a rule, are intended to apply indiscriminately across the full range of investment firms operating within the European Union. Given the high level of diversity of market participants in terms of size, business models and interconnectedness with counterparties, the underlying rationale is nonetheless somewhat questionable.¹⁸ Against this backdrop—and somewhat in contrast to the exposition of the policy rationale expressed in the preamble to MiFID II—the case for governance-related regulation of financial intermediaries in general thus seems to be less clear than might be expected in view of the wave of failures of investment banks experienced globally in recent years. The same applies, and to a greater extent, to the technical design of the reformed regulatory framework under MiFID II.

3.07  To understand the full dimension of the considerations presented above, it is appropriate to explore the historical evolution of governance-related regulations for investment firms in some more detail. In this context, the political objective to realign the regulatory frameworks for banks and non-bank financial intermediaries with the ISD 1993 deserves particular attention (infra II.2.A). Arguably, neither this Directive nor the subsequent amendments to existing requirements under MiFID I (infra II.2.B) fully acknowledged the functional parallels and differences between banking regulation, from which the relevant concepts were adapted, on the one hand, and investment services on the other hand.

3.08  In the context of governance-related requirements, specific references to the objective of investor protection in the ISD 1993 are rare. To be sure, the Preamble did acknowledge the need ‘to protect investors and the stability of the financial system’¹⁹ as key policy objectives generally. In addition, it argued that

3.09  Beyond these few—and erratic—remarks, however, the rationale for governance-related regulations received no further explanation. Instead, the focus clearly was on the equal treatment of banks and investment firms under the new framework.²¹ As such, the rationale for governance-related prudential requirements in the industry—as distinct from corresponding regulations for credit institutions in the technical sense—was mentioned neither in the Directive nor in contemporary literature. Consequently, governance-related regulation under the ISD 1993 remained somewhat haphazard, and limited to very few specific requirements.

3.10  Among these, the requirement that ‘the direction of a firm’s business must be decided by at least two persons’ of ‘sufficiently good repute and […] sufficiently experienced’²² was an early predecessor of today’s fit-and-proper regime,²³ modelled after the corresponding provisions in the Second Banking Directive of 1989.²⁴ In addition, the Directive prescribed a regime for supervisory scrutiny of owners of qualified holdings in investment firms,²⁵ which again took up earlier precedents established in the area of banking regulation.²⁶

3.11  By comparison with subsequent developments, the ISD 1993 did not prescribe any substantive requirements with regard to business models or organizational issues. As part of the licensing process, however, enterprises seeking to be recognized as investment firms had to submit a ‘programme of operations setting out inter alia the types of business envisaged and the organizational structure of the investment firm’.²⁷ While this ensured access of supervisory authorities to the relevant information, the definition of more specific requirements was left to the Member States, which were to ‘draw up prudential rules which investment firms shall observe at all times’,²⁸ a serious and ‘systematic’ infringement of which could result in the revocation of the respective firm’s licence.²⁹ Specifically, investment firms, in this context, were to be required to

3.12  In addition, Member States had to draw up requirements with regard to the protection of client assets and funds as well as the documentation of transactions, and had to prescribe institutional arrangements designed to minimize the impact of conflicts of interest on clients.³¹ It is in this regard that the ISD 1993 went beyond the level of governance-related requirements already present in contemporary European banking regulation, reflecting earlier US American precedents.³² And it is here that the development of a specific organizational regime for investment firms in European financial regulation, distinct from governance-related requirements for banks, can be said to have its roots—a regime that goes beyond a mere replication of the organizational requirements for banks and specifically addresses the agency problems characteristic for investment firms which, because of the wide range of different types of investment services, are more complex than within the relationship between a bank and depositors.³³ In these provisions, the functional link between prudential regulation and conduct-of-business regulation,³⁴ discussed above, is particularly obvious. However, it is also in this regard that the lack of a consistent rationale for governance-related regulation of investment firms in early European regulation is evident. While investor protection is clearly the key motive for most of the organizational requirements stipulated by Article 10, the case for the remaining provisions examined above—and the rationale for the substantive synchronization of governance requirements for investment firms with those for banks generally—remains somewhat obscure. At least for the early stages of European regulation of investment firms and, specifically, the ISD 1993 it can only be explained on the grounds of the general motive

to create a separate but equal single licence for the non-bank securities firms while ensuring that they do not have a competitive advantage in terms of funding requirements vis-à-vis credit institutions when such institutions are providing investment firms.³⁵

3.13  In other words, in addition to the general objective of investor protection, concerns about the conditions for fair competition among different types of providers of investment services—more specifically, universal banks and non-bank investment firms—and considerations of equal market access across the Common Market rather than concerns for financial stability, have to be considered as a key rationale for the early regulatory framework for the governance of investment firms.

3.14  In principle, the substitution of the ISD 1993 by MiFID I as such hardly changed this picture. To be sure, the new Directive, just as its predecessor, quoted both the protection of investors and the ‘stability of the financial system’ as key policy objectives.³⁶ Whether and to what extent financial stability concerns actually warranted regulation of the corporate governance of investment firms was not discussed, however. Just as under the ISD 1993, governance-related requirements under MiFID I, in principle, mainly reflect investor protection concerns and, to the extent that they replicate corresponding requirements in banking regulation, merely continue to synchronize both regimes with a view to ensuring a level playing field between universal banks and specialized investment firms.³⁷ In principle, the Directive carried forth the main elements of governance-related regulations already established by the ISD 1993. Directors and shareholders as well as members with qualifying holdings continued to be subject to suitability tests in order to prevent undue influence on the firms’ management.³⁸ In terms of organizational requirements, Article 13 also took up the requirements established by the ISD 1993, but with some alterations to the catalogue stipulated by Article 10 ISD 1993 that reflected more specific concerns about operational risks.³⁹

3.15  Notwithstanding the continuity of substantive regulations visible in the wording of ISD 1993 and MiFID I, the latter clearly triggered a conceptual departure from the earlier instrument in that it formed the basis for extensive Level 2 legislation on organizational requirements and operating conditions.⁴⁰ In addition to these rather general provisions, the governance and organization of investment firms now were subjected to a complex, harmonized regime of institutional and procedural substantive requirements, compliance with which would be monitored by the licensing authorities. In addition to general requirements relating to the internal organization,⁴¹ Directive 2006/73/EC on organizational requirements and operating conditions, insofar as it is of interest for the purposes of this chapter, stipulated detailed provisions and definitions on compliance,⁴² risk management,⁴³ internal audits,⁴⁴ the corresponding responsibility of senior management,⁴⁵ and on specific organizational requirements designed so as to ensure the safeguarding of client funds.⁴⁶

3.16  Irrespective of the substantial increase in detail brought about by the Organisational Requirements Directive 2006/73/EC, however, the fundamental policy basis for governance-related requirements did not deviate conceptually from earlier regulation. Just as in MiFID I, considerations of equal market access on one hand and investor protection on the other hand can be identified as the key motives inspiring the technical specifications stipulated by the Organisational Requirements Directive. If the new regime differed at all from its predecessor in this respect, ensuring a level playing field for all providers of investment services throughout the (then) European Community—rather than systemic stability concerns—appears to have been an even stronger determinant of governance-related requirements than under the ISD 1993. This motive was expressly mentioned as the objective for technical harmonization of organizational requirements and conditions for authorization, as well as for the principle of maximum harmonization imposed by the Implementing Directive,⁴⁷ whereas investor protection was identified as a key rationale for requirements for operating conditions⁴⁸ (i.e. conduct-of-business rules)—and systemic stability concerns were not quoted at all in either MiFID I or the Organisational Requirements Directive 2006/73/EC.

3.17  To stop the analysis at this point would be misleading, however, as it was outside the MiFID I regime that governance-related requirements for investment firms first received a much more comprehensive treatment in EU financial services regulation. With the transposition of the Basel II capital accord of 2004⁴⁹ into European law by the CRD I package in 2006,⁵⁰ not just credit institutions but also investment firms became subject to a reformed set of comprehensive governance-related requirements, which reflected the Basel Committee’s emphasis on the need for sound and robust governance arrangements in addition to reliable capital cushions in financial intermediaries.⁵¹ In particular, Article 22(1) of the recast Banking Directive, which was supplemented with complex technical requirements in Annex V to that Directive, required banks to establish and maintain

3.18  The scope of these provisions was extended to investment firms pursuant to Article 34 of the recast Capital Adequacy Directive. In 2010, the new regime was supplemented by new rules on remuneration policies as part of the CRD III reform in November 2010.⁵² To be sure, particularly this latter reform can be characterized as a first step towards the subsequent comprehensive overhaul of the regulatory framework for banks and investment firms by the CRD IV package and MiFID II, in that the Preamble discusses at length weaknesses in remuneration policies and risk governance as a determinant for failures in the financial crisis and also reflects the Commission’s plans for extensive enhancements of governance-related provisions developed in its 2010 Green Paper.⁵³

3.19  In short, the modern trend for comprehensive regulation of investment firms’ governance arrangements clearly had its roots already in the CRD I package (as recast in 2006), which implemented the Basel II Accord within the European Union. As such, the new regime clearly was motivated by systemic stability considerations and did not reflect specific investor protection concerns. By and large, the extension of the organizational requirements not just to credit institutions but also to non-bank investment firms continued to reflect the traditional rationale of ensuring equal market access and a level playing field for both types of financial intermediaries. Until the 2010 reform of the CRD III package, which reflected already the more comprehensive insights into the determinants of financial crisis gained during 2007–9, the inclusion of investment firms in the general regulatory framework for credit institutions cannot be said to have been based on an analysis of the functional parallels and differences in the respective business models, and on the resulting challenges to financial stability associated with them.

3.20  In retrospect, the policy rationale for the treatment of investment firms in European financial regulation can be said to have oscillated between three rather different aspects: investor protection, the protection of financial stability, and the creation of a ‘level playing field’, that is, the harmonization of requirements for market access for investment firms in the Internal Market. As a closer analysis of the emanation of governance-related regulations in European law reveals, their conceptual basis has been rather weak from the early stages of EC Securities Law to the present day. The recent shift towards systemic risk considerations as the key rationale formulated in MiFID II is certainly consistent with a broader trend in post-crisis financial regulation, which started to influence the regulation of governance arrangements in financial intermediaries already under the CRD I package in the form of the 2006 reforms. Specifically with regard to the governance of non-bank investment firms, however, the relevant policy foundations continue to be open to doubts, mainly in two respects: First, as discussed above, their historical emanation since 1993 has by no means been organic. In contrast to the wording of the relevant Recitals in the Preamble to MiFID II, the key drivers for the EU-wide harmonization of relevant standards until MiFID II have been considerations of equal market access within the Common Market, and also, to a somewhat lesser extent, investor protection. Systemic stability concerns, by contrast, were cited only superficially in the earlier documents, with no significant role in the design of the relevant provisions. In this respect, the new emphasis on systemic stability concerns in MiFID II, now expressly identified as key determinants for the governance-related regulation of investment firms, appears to mark a significant shift in the underlying policy foundations, whereas the relevant technical instruments, to a large extent, are mere adaptations of the earlier regime. It remains to be seen whether and to what extent the rearranged and expanded set of regulatory requirements can be reconciled with the specific challenges posed by non-bank investment firms. Second, empirical evidence as to concrete deficiencies in existing arrangements is rather limited, which further weakens the case for specific regulatory interventions in the organizational choices of regulated firms. Both aspects will have to be considered in the course of the analysis of specific technical requirements discussed in Section III below.

3.21  In principle, the governance-related requirements stipulated by MiFID II—and, in addition, the new Organisational Requirements Regulation⁵⁴—continue to combine general prudential requirements established in the field of banking regulation with specific additions designed to address the specific characteristics of investment services (as distinct from banking activities). This is particularly visible with regard to the Directive’s provisions on the management body, which expressly adapt the regime set out in the CRD IV of 2013⁵⁵ and add further requirements in the interest of investor protection⁵⁶ (see infra III.2). Just as in EU banking regulation, these duties are inextricably intertwined with organizational and procedural requirements, which are directed both to the firm and to the management body and, again, address both general prudential concerns and issues specific to the provision of investment services (as distinct from core banking services) (infra III.3). With regard to regulatory requirements for shareholders and owners with qualifying holdings, the new regime builds on, and develops further, the corresponding provisions under MiFID II,⁵⁷ showing significant similarities with, but no direct cross-references to, the corresponding provisions in EU banking regulation (infra III.4). Finally, investment firms are subject to certain governance reporting requirements (infra III.5).

3.22  In terms of technical content, the departure from earlier policy concepts, at least at first sight, thus seems to be far less dramatic than the changes in the underlying policy would suggest. This finding, in turn, triggers a number of interrelated questions, to be addressed in the overal assessment (infra III.6): If it is true that the reformed set of governance-related requirements under the MiFID II regime (unlike the corresponding requirements under the earlier instruments) focuses on the preservation of systemic stability rather than the protection of individual investors, to what extent is that change in policy reflected in the substantive content of the relevant provisions, and what are the practical implications in terms of construction, implementation, and enforcement of the new regime?

3.23  To be sure, the policy objectives formulated in MiFID II⁵⁸ (in conjunction with those set forth in the CRD IV) still do not quite reflect a clear-cut understanding of the relationship between systemic concerns and investor protection, or at least fail to present a consistent case for regulation in this regard. However, they certainly do highlight the functional link between prudential regulation, that is, institutions-oriented regulation aiming at enhancing the resilience and soundness of intermediaries, and conduct-of-business regulation, that is, transactions-oriented standards for the provision of financial services. ‘Detriment’ to investors, in the words of the Directive, can result both from the failure of individual firms and ‘incorrect conduct’; and both types of risks, in the view of the authors of MiFID II, can be traced back to ‘weaknesses in corporate governance’.⁵⁹ While these considerations are consistent with the determinants of the reformed governance-related requirements under the CRD IV,⁶⁰ they deserve some attention especially in the present context, as it is for the first time in the history of EU securities regulation that the functional link between the two regimes has been spelled out with such clarity. From this perspective, governance-related regulation of investment firms almost by definition serves a dual objective—the protection both of the interests of systemic stability and of individual investors. This clearly goes back to the considerations formulated above—and it suggests that, indeed, the crisis has helped to refine the understanding of relevant risks as well as to recalibrate the regulatory responses to such weaknesses. In this respect, securities regulation appears finally to have caught up with the area of banking regulation, where the dual objective of (prudential) regulation has always been defined as encompassing both the preservation of financial stability and the protection of depositors. In sum, based on the construction of the formulation of relevant policy objectives quoted above, the concept of governance-related regulations under MiFID II, in comparison with its predecessors in the ISD 1993 and MiFID I, can be said to have converged with the rationale of the corresponding requirements in the area of banking regulation: In European (and international) banking regulation, requirements for the internal governance of regulated institutions have been an integral part of the prudential toolbox since the implementation of the Basel II Capital Accord—and, as such, have been aiming at the protection of both systemic stability and depositors.⁶¹ This, again, evokes some key questions for further exploration in the present chapter: In view of the functional differences between the economic nature of banking activities and those associated with the provision of investment services, should that conceptual convergence be welcomed? Similarly, and even more far-reaching: To what extent is the underlying rationale corroborated by the available evidence on governance failures? As discussed before,⁶² the empirical case for enhanced governance-oriented regulation after the global financial crisis is, at best, mixed, making a refined understanding of the specific governance standards for non-bank investment services even more desirable.

3.24  Finally, in a more technical respect, the following analysis will have to address the question of whether the new regime, despite the increase in technical detail in comparison with its predecessors, continues to be sufficiently flexible with regard to the variety of regulated investment firms across the EU. Just as is the case in the area of the reformed regime for the prudential regulation of banks under CRD IV,⁶³ this is not just a question of proportionality in view of differences in terms of size and complexity of the regulatees, but also of flexibility with regard to differences in terms of their legal nature and respective governance structures. Under the MiFID II regime, these concerns are particularly pressing because implementing Level 2 instruments no longer take the form of Directives but now come in the form of regulations.

3.25  Just like banks, investment firms under the new regime are subject to a rather complex set of fundamental requirements as to the organizational structure of the board. In this respect, MiFID II does not establish independent criteria, but merely incorporates the corresponding requirements prescribed by CRD IV (Article 9(1) in conjunction with Article 88 CRD IV). In this regard, it should be noted that the reference to the CRD IV in Article 9(1) MiFID II is of a declaratory nature for the majority of investment firms within the EU, which are covered by the definition of ‘investment firms’ set out in Article 4(2) of the Capital Requirements Regulation (the ‘CRR’)⁶⁴ and therefore qualify as ‘institutions’ as defined in Article 4(1)(3) of the CRR which in turn includes them directly in the scope of the CRD IV requirements anyhow.⁶⁵ Consequently, Article 9(1) MiFID II merely extends the CRD IV regime to (non-CRR) investment firms not covered by the CRD IV package.⁶⁶

3.26  Within this framework, Article 88 CRD IV lays down specific requirements both for the division of responsibilities and for the organization of the board. In principle, although both the CRD IV and MiFID II seek to establish a neutral system for adaption across different systems of corporate governance,⁶⁷ this framework is tailored primarily to one-tier board models, where board management and supervisory functions are exercised from within a single board of directors (as distinct from—German-style—two-tier board systems, which separate management and supervisory boards). Both Directives leave it to the Member States to make the necessary adjustments for two-tier boards.⁶⁸ Nonetheless, the prescription whereby

clearly addresses two-tier board systems⁷⁰ and imposes a separation of functions which, while commonly practised at least within the United Kingdom for some time, has never been established as preferable over a combination of the two functions in one person.⁷¹

3.27  Within the board, firms must establish a risk committee, a nomination committee, and a remuneration committee, if they are ‘significant in terms of their size, internal organization and complexity of their activities’. This, again, follows directly from provisions in the CRD IV,⁷² of which only Article 88 is expressly referred to in Article 9(1) of the MiFID II.

3.28  The duties of the management body in general and its committees—in a rather complex and partly duplicative way—are set forth in both the CRD IV and MiFID II, as well as in the provisions of Chapter II of the Commission Delegated Regulation of 25 April 2016.⁷³In line with the concept of functional neutrality with regard to different legal structures in the national laws on corporations and partnerships,⁷⁴ neither the CRD IV nor MiFID II lays down a positive definition of the board’s duties, which are determined exclusively by autonomous legislation in the Member States. This is clearly reflected in the identical definition of the term ‘management board’ in both Directives, which expressly refers to those strategic, oversight, and management duties that are determined by the applicable national laws.⁷⁵ While accepting the general duties of management (and supervisory) boards as prescribed by national legislation in principle, both the CRD IV and the MiFID II lay down additional specifications with regard to, in particular, organizational duties, however. For regulated entities, the organizational duties of management (and supervisory) boards form a two-tier system, with the first level consisting of general principles under the applicable national law of business associations (companies or partnerships, as the case may be), which are then complemented and, in part, superseded by specific organizational duties prescribed by European financial regulation. It is worth noting that the requirements addressed directly to the management body in both CRD IV and MiFID II are, to a large extent, of a procedural rather than a substantive nature; they specify the responsibility of the board for the definition of strategies and procedures and for the implementation of relevant standards, rather than defining the relevant standards themselves (which are specified in other provisions and in additional Level 2 legislation⁷⁶).

3.29  Generally, pursuant to the identical formulation in both Article 88(1) CRD IV (referred to in Article 9(1) MiFID II) and Article 9(3) MiFID II, the management body⁷⁷ is required to

to which Article 9(3) MiFID II adds the further specification that the management body must exercise these functions ‘in a manner that promotes the integrity of the market and the interest of clients’.

3.30  Article 88(1)(2) CRD IV then specifies these functions further and requires the board, in particular, to

3.31  These requirements are then complemented by additional, albeit to some extent duplicative, specifications in Article 9(3) MiFID II, pursuant to which the management board shall

3.32  Moreover, the management board is required

3.33  Both Article 88 of the CRD IV and, to an even larger extent, Article 9 MiFID II thus formulate a rather comprehensive catalogue of standards for the board’s responsibilities with regard to organizational and compliance aspects. In principle, the set of functions thus defined does not significantly deviate from the allocation of powers and responsibilities under general company or partnership law (whereby the relevant functions will usually be allocated to the board, even if, in many cases, the applicable law will be much less detailed than its regulatory counterpart⁷⁹). However, the far more explicit definitions of responsibilities in regulatory law, a breach of which may ultimately trigger the revocation of the licence,⁸⁰ evidently not only seek to enhance legal certainty, but also to facilitate effective supervisory control of the different aspects. This is reflected in the specific sanction provided for breaches of the requirements set forth in Article 91 CRD IV, which may trigger administrative penalties of up to €5 million or double the loss that has been incurred as a consequence of the breach, with the sanction, as a rule, to be made public.⁸¹ When assessing compliance, authorities will apply a specific standard of care that has been defined in Article 91(8) CRD IV, within the context of requirements on the suitability of board members.⁸²

3.34  All in all, the reformed set of specific board duties primarily reflects prudential concerns about the soundness of risk profiles and operational arrangements of institutions (i.e., credit institutions and investment firms) and, as such, systemic stability considerations. This is illustrated, first and foremost, by the fact that the most important part of the relevant duties is set forth in the CRD IV rather than MiFID II—without any differentiation whatsoever between the business models characteristic for credit institutions and those of non-bank investment firms. Even the additional requirement to a similar effect imposed by Article 9(3) MiFID II evidently focuses on the definition of standards aiming at the soundness of operational arrangements and risk sensitivity rather than on such aspects that may directly benefit the position of investors, with the limited exception of Article 9(3)(c) MiFID II (quoted above, paragraph 3.31). As indicated above, this is not inconsistent with lessons learnt from the global financial crisis, which clearly reinforced the notion that systemic risk is not confined to commercial banking but attributable to other factors (size, interconnectedness, complexity of business organizations).⁸³ Against this backdrop, it may be considered helpful that the new regulatory framework, by specifying the board’s responsibility for organizational and strategic decisions and risk management in most comprehensive terms, clarifies the delineation of powers and duties in regulated firms, which could potentially lead to increased awareness among board members as to the specific challenges and needs associated with their respective supervisory and management functions.

3.35  Just as with credit institutions, investment firms, pursuant to Article 88(2) CRD IV (in conjunction with Article 9(1) MiFID II, where applicable), are subject to detailed requirements with regard to the formation and tasks of the nomination committee. The committee is not only responsible for the selection of candidates for management body positions and the evaluation of the knowledge, skills, and experience, as well as periodical assessments and reviews of the policy for the selection and appointment of senior management, but also for the promotion of gender equality.⁸⁴ Remuneration committees are responsible for ‘the preparation of decisions regarding remuneration, including those which have implications for the risk profile and risk management of the institution concerned’.⁸⁵ Risk committees are to advise the management body with regard to the ‘risk appetite and strategy’, and to assist with the implementation of the strategy. The risk assessment also has to review the impact of prices of liabilities and assets on the firm’s business model and risk strategy, and to propose remedies if deficiencies are detected.⁸⁶ By contrast, no specific requirements are set forth in either the CRD IV or MiFID II with regard to the duties of audit committees, which credit institutions and investment firms are required to establish under Article 41 of Directive 2006/43/EC.⁸⁷

3.36  Reflecting widespread concerns about the quality of management and supervision in the boards of financial institutions before and during the global financial crisis,⁸⁸ enhanced requirements for the eligibility for board membership and for board diversity have become a central aspect of the reformed regulatory framework for both credit institutions and securities. Just as in the area of board duties, discussed above, the relevant requirements are laid down partly in the CRD IV (for credit institutions and investment firms alike), with—again, to some extent duplicative—additions stipulated by MiFID II.

3.37  Generally, all board members, executive and non-executive, are subjected to a rigorous fit-and-proper test. Pursuant to Article 91(1) and, in identical wording, to Article 9(4), they are required at all times ‘[to] be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties’ and to commit sufficient time to perform their functions.⁸⁹

3.38  Moreover, pursuant to a requirement that links personal qualifications with a standard of care for the execution of the board duties, each member of the management body is required

3.39  In addition to the individual requirements, the board as a whole is required to have ‘adequate collective knowledge, skills and experience to be able to understand the [firm’s] activities, including the main risks’.⁹¹ In order to maintain the standard, regulated firms are required to ‘devote adequate human and financial resources to the induction and training of members of the management body’.⁹² Particular attention has been given to ensuring board diversity, which is reflected not only in the requirement to

but also in the definition of tasks of the nomination committee, which must not simply strive for ‘diversity’ in its proposals for vacant management body positions, but is also required to

3.40  Pursuant to Article 91(12) CRD IV, the relevant criteria are to be complemented by EBA guidelines in due course.⁹⁵

3.41  With these requirements, the new regime clearly goes far beyond the design and content of traditional ‘fit-and-proper’ tests in the area of financial regulation, which usually set a rather broadly defined set of benchmarks against which supervisory authorities would have assessed the qualifications and character of persons nominated for board positions.⁹⁶ To be sure, these earlier requirements already facilitated a significant degree of supervisory control over board decisions, if and to the extent that the relevant authority, under the applicable national law transposing the European requirements, was willing to use board members’ readiness to comply even with informal supervisory guidance as indicative for the purposes of the ‘fit and proper’ test.⁹⁷

3.42  Under the reformed regime, by contrast, the traditional, flexible approach, which left further specification to the discretion of national legislators and authorities, has been complemented with a considerable range of new procedural and substantive elements. Among these, requirements that the personal qualification of board members be commensurate with the cognitive and strategic problems to be expected in the performance of their respective functions can surely be said to be rather uncontroversial, although it remains to be seen whether the more prescriptive approach really yields a more effective enforcement of qualitative standards by relevant authorities. In particular, it remains open to doubt whether the (still rather abstract) standard of ‘honesty, integrity and independence of mind’ can be operationalized in a way that substantively adds to the effectiveness of authorities’ scrutiny of board composition.⁹⁸

3.43  More controversial, however, has been the policy decision to promote gender diversity as a means to foster good corporate governance in financial institutions. The underlying rationale is to prevent ‘groupthink’, which, according to a widely held view of the global financial crisis, can supposedly be traced back not least to a greater risk appetite of male management than could be expected to be found among a gender-diverse board.⁹⁹ As empirical analysis of what has become known as the ‘Lehman Sisters Hypothesis’ (insinuating that, with a female board of directors, excessive risk-taking and the ensuing crisis would not have happened) appears to be inconclusive,¹⁰⁰ the effectiveness of mandatory board diversity as a precaution against excessive risk-taking practices can, at best, be described as doubtful. It is to be expected that regulated firms, in redefining their diversity policies, will attend to the relevant supervisory authority’s expectations rather than to what they themselves would perceive to be an optimal balance.¹⁰¹

3.44  At any rate, just as has been diagnosed for the highly prescriptive set of board duties above,¹⁰² the focus of the reformed personal requirements applicable to board members under the new CRD IV/MiFID II regime clearly reflects systemic stability rather than investor protection considerations. Also in this context, credit institutions and non-bank investment firms are indiscriminately subjected to a regime which seeks to improve the quality of corporate governance in the interest of the individual firm’s soundness of operations and, ultimately, the prevention of contagious effects that would arise from their financial failure. To be sure, clients that have an ongoing relationship with the firm (e.g. in the context of asset-management contracts) could benefit as well, but rather indirectly.

3.45  Among the different policy initiatives to foster effective corporate governance in financial institutions in recent years, prescriptive requirements for remuneration (or ‘compensation’) arrangements have clearly played a major, albeit somewhat independent, role. This is particularly visible in the EU Commission’s 2010 Green Paper, which discusses remuneration policies as a distinct part of the regulatory agenda on issues related to the corporate governance of financial institutions.¹⁰³ At the international level, sound remuneration standards, designed to remove incentives to engage in excessive risk-taking, have been promoted as a priority within the post-crisis reform agenda of the Financial Stability Board,¹⁰⁴ whose recommendations have been influential not just for the design of relevant provisions at the European level, but also—prior to EU-wide harmonization—within individual Member States.¹⁰⁵ Under the European framework harmonized by the CRD IV, investment firms are subject to the regime applicable also to credit institutions, to which MiFID II adds the requirement that the management board has to develop a specific ‘remuneration policy’ for persons involved in the provision of services to clients,¹⁰⁶ while more detailed requirements for the development of remuneration policies and practices, including on the protection of client interests in this context, are prescribed in Article 27 of the Delegated Council Regulation of 25 April 2016.¹⁰⁷ Leaving this aside, investment firms have to comply with the general qualitative principles governing the remuneration policies for senior management, so-called risk-takers, staff in control functions, and any employee whose remuneration is equivalent to that of senior management and risk-takers and persons whose decisions have a material impact on the firm’s risk profile stipulated in Article 92(1) CRD IV. Specifically, Article 94 delineates the extent to which variable elements may be included. As mentioned before, remuneration committees must be established within ‘significant’ firms¹⁰⁸ as an institutional means to ensure sound remuneration policies.

3.46  The substance of these requirements, as well as the underlying rationale, has been discussed extensively elsewhere.¹⁰⁹ This and the fact that investment firms, to the extent that they are included in the scope of application of the CRD IV,¹¹⁰ are subjected to the same regime as credit institutions hardly necessitates in-depth treatment of the remuneration regime within the present chapter. It should be noted, however, that the extension of the relevant requirements to investment firms does not reflect a careful analysis of the similarities and the differences existing between remuneration practices in credit institutions and investment firms, respectively—and of their implications for risk-taking and, ultimately, systemic risk. In this regard, the same applies as to other parts of the regulatory framework for investment firms, which also extend the regulatory regime for banks without a sound empirical basis. While it may be possible to address such differences under the proportionality test prescribed by Article 92(1) CRD IV, the policy foundations for the equal treatment still appear to be rather weak.

3.47  To be sure, the governance-related provisions for investment firms, as laid down in MiFID II, follow a more autonomous approach with regard to organizational duties and risk management than with regard to the regulation of the board and its duties (infra III.3.B). Nonetheless, the CRD IV regime also lays down a general basis applicable without discrimination to banks and non-bank investment firms in this respect. The substantive requirements on risk management in Articles 74–87 CRD IV clearly form the core of the Directive’s provisions on internal governance arrangements and clearly aim at enhancing the soundness of its business as a whole.¹¹¹ This becomes obvious from the very first provision on governance arrangements, which builds on the wording of Article 22 of the recast Banking Directive of 2006 and requires that

3.48  While the relevant arrangements, processes, and mechanisms are to be specified further by EBA Guidelines,¹¹³ the following provisions of the CRD IV themselves continue to lay down a rather tight framework of procedural and substantive requirements for the different aspects of risk governance. As mentioned before, this includes the need to establish a risk committee with both advisory and assistant functions in the formulation and implementation of risk strategies.¹¹⁴ In addition, ‘significant’ credit institutions and investment firms covered by the CRD IV are required to establish a ‘risk management function’ with independent resources and access to the management body.¹¹⁵ But these requirements are ‘without prejudice to the application of Directive 2006/73/EC to investment firms’, which in Article 7(2) already prescribes the creation of an independent risk management function and thus prevails over the CRD IV. The management body itself is expressly required to

and has to ‘devote[ ] sufficient time to consideration of risk issues’.¹¹⁷ These core provisions are then complemented with detailed technical requirements in Articles 77–84.

3.49  In general, the approach to risk management taken by the CRD IV can best be described as a multi-tier concept, which seeks to incentivize the firms (or, more specifically, management boards) to actively define, control, and improve the culture of their respective firms, the substantive standard for which is defined in rather abstract terms (‘robust’ arrangements; ‘clear’ structure; ‘well-defined, transparent, and consistent’ lines of responsibility, etc.). While this is clearly reflective of a principles-based approach to governance regulation, the Directive is much more specific with regard to organizational features designed to bolster the firms’ own efforts. In particular, the specialist risk-management function that has to be established under the new regime has rightly been explained by the desire to create an institutionalized ‘antidote to overcome certain risk management flaws observed in the banks and financial institutions that suffered in the global financial crisis’,¹¹⁸ and other features designed to increase the board’s sensitivity vis-à-vis the risk culture fit into the picture too.¹¹⁹ In particular, the new approach evidently seeks to allocate specific responsibilities and to formulate qualitative standards for the risk-management organization and the resources (financial and human) dedicated to it, in order to activate the boards that are perceived to have been too passive and complacent before the crisis.¹²⁰ Whether or not this concept is enough to overcome residual deficiencies remains to be seen, however. It could well be the case that firms’ future behaviour may be driven more by the need to demonstrate compliance with the regulator’s expectations rather than a genuine effort to improve the quality of existing arrangements. In this context, it is worth noting that proceduralist, principles-based approaches of corporate and financial behaviour have repeatedly been criticized on account of their structural tendency to foster ‘compliant non-compliance’¹²¹—to provoke formalistic efforts to ‘tick the boxes’ in generic to-do lists rather than encourage the regulatees’ creativity with a view to accomplishing the regulatory objectives through instruments that match the needs of the individual case.¹²² At any rate, specific models for the design of risk-management arrangements, which could be referred to as ‘best practice’ by both authorities and regulated institutions, have evolved rather slowly, and widely advocated standards are still far from universally accepted.¹²³

3.50  Although the CRD IV regime on risk management is highly prescriptive and rather detailed, the corresponding requirements stipulated by MiFID II go still further. The relevant provisions are to be found in Articles 16 and 17 MiFID II, of which the former lays down general requirements applicable for all investment firms, while the latter (not to be examined in detail hereafter) specifically addresses risk-management issues in firms engaging in algorithmic trading. As noted before, this regime is supplemented by implementing Level 2 legislation promulgated by the Commission pursuant to Article 16(12) MiFID II, which has adopted a rather abstract approach and does not provide very detailed specification, however.¹²⁴ Thus, the regulatory framework for organizational duties for investment firms—which takes up the coexistence of general requirements applicable to both credit institutions and non-bank investment firms under the predecessors of the present regime¹²⁵—will continue to reflect a complex interplay of different sources of law. Conceptually, the new regime will become even more complex to implement than its predecessors because of the fact that, unlike under MiFID I, implementing legislation now takes the form of a Council Regulation rather than a Directive. Investment firms regulated under both CRD IV and MiFID II will thus simultaneously be subject to risk-management requirements under the national laws transposing the CRD IV and MiFID II (and Directive 2006/73/EC) and the Council Regulation Implementing MiFID II. This requires, at the very least, a careful design of national regimes with a view to minimizing the potential for interferences, but will still prove problematic in cases where the provisions of CRD IV and MiFID II overlap.

3.51  In substantive terms, part of the relevant provisions reflect, again, prudential concerns aiming at enhancing the stability and soundness of the individual firms, while others focus on improving the legal and commercial position of investors and other clients. With respect to the former, MiFID II requires investment firms

3.52  Moreover, in what is in part a (redundant) repetition of the general CRD IV requirements examined above, investment firms must

as well as

3.53  To be sure, the latter requirement aims not exclusively at the soundness of the relevant firm as such, but also at the protection of the commercial relationships with investors and other clients. The same applies to the duty to establish a compliance organization within the firm, which must include

In this context, Article 22 of the Commission Delegated Regulation of 25 April 1016¹²⁹ provides a considerable degree of further specification, including on the responsibilities and duties of the compliance function (Article 22(2)) and the requirements that must be satisfied in terms of organizational design (Article 22(3)). Generally, firms must ensure that the management board has access to all relevant information.¹³⁰

3.54  Exclusively in the interest of investors, the Directive prescribes a detailed set of procedural requirements which build on Article 21 MiFID I but are considerably more detailed and prescriptive. These include institutional arrangements designed to prevent conflicts of interest,¹³¹ product approval processes for the ‘manufacturing’ (!) of financial products for sale to clients,¹³² and obligations to review the financial instruments offered or marketed by the firm.¹³³ They supplement, but are without prejudice to, the general requirements of MiFIR relating to disclosure, suitability or appropriateness, identification, and management of conflicts of interests and inducements.¹³⁴ Additional requirements are made with regard to record keeping and documentation¹³⁵ and to the preservation of ownership and other rights of clients.¹³⁶

3.55  While the underlying policy rationale of the organizational provisions stipulated by MiFID II thus differs in part from those set out in the CRD IV, with investor protection coming into play as a second determinant in addition to systemic stability concerns, the regulatory strategy employed is essentially the same in both instruments.¹³⁷ Just like in the CRD IV, we find a combination of substantive standards in the form of a multitude of rather vague criteria (‘reasonable’ steps, ‘sound’ mechanisms and processes, ‘effective’ procedures, ‘adequate’ policies, etc.), which leave a considerable discretion to supervisory authorities, with procedural requirements that expressly allocate responsibilities and require the implementation of specific organizational arrangements, such as the creation of a compliance function. Just like the CRD IV in this respect, the MiFID II organizational framework can thus be said to reflect the expectation that the management board’s sense of responsibility can be activated in a way that ultimately may yield improvements in the corporate culture—the attitude of directors and senior and junior management with regard to risk-taking and qualitative standards in the provision of investment services to clients. Just as with the CRD IV regime, however, doubts as to the efficacy of proceduralist approaches may also be warranted in this context.

3.56  With regard to the supervisory scrutiny of shareholders and owners of qualifying holdings, the new regulatory framework takes up the previous regime established by Articles 9 and 10 MiFID I. The new framework adopts a far more complex approach, however, underlining the relevance of shareholder control as a means to promote sound business practices and good corporate governance. Significantly, the new provisions are broadly in line with the corresponding requirements under Articles 14 and 22–27 of the CRD IV (on the disclosure and supervisory assessment of shareholders and owners prior to authorization and in connection with a proposed acquisition at a later stage, respectively). Both regimes cover ‘the shareholders or members, whether direct or indirect, natural or legal persons, that have qualifying holdings’,¹³⁸ defined as

3.57  As a condition for authorization, the competent authorities must be ‘satisfied as to the suitability’ of the holders of such positions, ‘taking into account the need to ensure the sound and prudent management of an investment firm’.¹⁴⁰ With regard to the acquisition of positions in an already authorized firm, these requirements are supplemented with specific qualitative criteria including, inter alia, the reputation of the proposed acquirer, the reputation and experience of persons who will direct the business as a result of the acquisition, the financial soundness of the acquirer, and the likely impact of the acquisition on future compliance with regulatory requirements.¹⁴¹ Articles 12 and 13 MiFID II lay down the procedural framework for the assessment process in this context, which is clearly modelled on the corresponding provisions of Articles 22–24 CRD IV.

3.58  Again, just as with credit institutions, investment firms covered by the CRD IV/CRR framework are subject to the governance reporting requirements stipulated by Articles 435 and 450 CRR, which provide for the disclosure on the risk-management function and certain aspects of board organization, as well as remuneration policies, respectively.¹⁴² While details remain outside the scope of this chapter, it should be noted that the general approach to using external disclosure as a means to foster compliance with prudential standards is thereby also extended to the governance-related regulation of investment firms.

3.59  As has been discussed above, the policy rationale for governance-related provisions in the CRD IV/MiFID II regime remains somewhat obscure, in particular if measured by the formulations of the respective Preambles. For the first time, specific systemic stability considerations explicitly have made their way into the policy foundations of the organizational framework set out in MiFID II, reflecting a departure from the earlier approach which was informed mainly by the motive to realign the regulatory frameworks for non-bank investment firms with those applicable to universal banks, and, in addition, to introduce some specific requirements addressing the principal–agent conflicts characteristic for the provision of investment services.¹⁴³ Although the new regime still falls short of providing a fully consistent and convincing regulatory answer to the functional parallels and differences of universal banks and non-bank investment firms regarding the two fundamental objectives of securities regulation—market stability and investor confidence—it should be noted that the functional relationship between systemic stability considerations on one hand and investor protection on the other has become more balanced, and the policy mix pursued with regard to the regulation of investment firms is more convincing than under the predecessors. Both Directives jointly seek to address a list of shortcomings in the governance arrangements of financial intermediaries that have come to be perceived as drivers for the excessive risk-taking and insufficient control of risks that ultimately triggered the global financial crisis. Rightly, unlike under the ISD 1993 and MiFID I, the inclusion of investment firms into the governance-related regulatory framework for credit institutions is no longer justified merely on the grounds of equal market access (a concept that had been rather unconvincing from the start), but reflects genuine considerations of the risks pertaining to the legal and economic nature of the commercial relationships between (non-bank) investment firms and their clients and other counterparties. In many ways, the shift in policy rationales is also reflected in the substantive and procedural technical framework established by both Directives, as both the technical requirements aiming at enhancing the soundness of strategies and operations and those aiming at improving investor protection have become more refined, compared to the earlier concept.

3.60  In sum, the CRD IV/MiFID II framework, at a very abstract level, should therefore be regarded as an improvement of the status quo ante. It should be noted, however, that this positive assessment is confined to the policy foundations as such; that is, to the concept of addressing systemic risk wherever it occurs and, therefore, irrespective of the commercial nature of the relevant entity (‘credit institution’ or ‘investment firm’). To be sure, as noted before, this approach reflects a broader, international approach to dealing with systemic relevance of financial institutions generally, which effectively removes the traditional sector-specific boundaries in financial regulation in response to lessons learnt during the global financial crisis.¹⁴⁴ Whether the rather indiscriminate treatment of both types of institutions within the scope of the CRD IV is actually justified is a different story, however. In this regard, it should be noted that the empirical basis for the assessment of systemic risk associated with the specific activities undertaken by investment firms continues to be extremely weak. On closer inspection, the decision to include a wide range of diverse firms, which engage in an equally diverse range of activities, within the scope of a legal framework whose main focus still remains on the activities of commercial banks may well turn out to be too simplistic to actually satisfy the test of proportionality. In this context, it should be noted that the categorization of investment firms laid down in MiFID II and the CRD IV is far from uncontroversial even within the European regulatory landscape. It is particularly telling that the European Banking Authority, in a recent report, strongly promotes the introduction of a new approach, which would be more sensitive to the implications of the firms’ activities not just in terms of their individual soundness, but also in terms of systemic stability.¹⁴⁵

3.61  Irrespective of these general considerations, it is far from clear whether the technical design draws the right conclusions; that is, whether the new framework addresses real deficiencies with adequate, effective remedies. While the need for enhanced systemic stability and investor protection can hardly be disputed as such, the first doubts arise just below this rather high-level set of objectives. As noted before, it is not just the empirical evidence of weaknesses in governance arrangements prior to the global crisis that is rather thin, but also the available body of ‘best practice’ that could be referred to by both supervisors and regulated firms in the course of implementing the new regime. In this respect, while it is true that the CRD IV/MiFID II reflects a sound definition of fundamental policy objectives, the question of whether the same could also be said of the corresponding mix of policies and strategies remains open.