53 free CySEC Advanced Chapter 3 flashcards. Tap a card to flip, or use the arrow keys to move through the deck.
Card 1 of 53Organisational requirements
1 / 53
Tap the card to flip · use ← → arrow keys to navigate
All 53 cards in this deck
Organisational requirements
How must a CIF specify its reporting lines and the allocation of functions?
Clearly and in a documented manner at all times — not merely verbally or on request from CySEC. The organisational structure must always exist in writing.
What must a firm take into account when meeting its organisational requirements?
The nature, scale and complexity of its business and the nature and range of investment services and activities it provides — the proportionality principle. A small boutique and a large bank carry different obligations.
What are the three systems-and-procedures requirements under the organisational rules?
Safeguarding the security, integrity and confidentiality of information; business continuity (preserving essential data and functions, with timely recovery after interruption); and delivering timely financial reports that give a true and fair view.
What training must a newly hired employee of a CIF receive?
Induction training on the firm's own procedures and obligations, regardless of prior experience at another firm. Each firm has its own procedures, so awareness of them is a core requirement.
Compliance function
What are the responsibilities of a CIF's compliance function?
Monitor compliance on a permanent basis; advise and assist relevant persons in meeting their MiFID obligations; report to the management body (annually and ad-hoc); and monitor the handling of complaints. It advises — it does not issue binding front-office instructions.
Who is responsible for appointing and replacing the Compliance Officer of a CIF?
The management body (Board of Directors), not the CEO acting alone. This gives the Compliance Officer sufficient authority and independence, with the board directly accountable.
When must the compliance function report to the management body on an ad-hoc basis?
When it detects a significant risk that the firm will fail to comply with its obligations. This is separate from the annual report and alerts the board immediately to serious regulatory risks.
What condition secures the independence of the compliance function?
Relevant persons in compliance must not be involved in the activities they monitor, and their remuneration must not compromise (or be likely to compromise) their objectivity.
What must a Compliance Officer of a CIF possess?
Knowledge of the applicable law and legislation together with prior relevant experience in applying it. Academic qualifications alone are insufficient.
What must happen when senior management significantly reduces the compliance budget?
The reduction must be documented in writing with detailed explanations, creating an audit trail. The Compliance Officer's prior approval is not required, but the decision must be formally justified.
Recording & durable medium
In what form must a CIF's policy for recording telephone and electronic communications be set out?
In writing, appropriate to the size, organisation and complexity of the firm, and reviewed on a periodic basis. A verbal policy provides no audit trail and does not satisfy the requirement.
For how long must recordings be retained and made available to clients on request?
Five years as the default, which CySEC may extend to a maximum of seven years. The five-year period must be communicated to clients.
When must a firm inform a client that conversations are being recorded?
Prior to providing investment services relating to the receipt, transmission and execution of orders. The notification is proactive, not a response to a client request.
When is email an acceptable durable medium for client communications?
Only where there is proof of the client's regular use of email. The firm must be able to demonstrate this — merely holding an email address is not enough.
Outsourcing
When a CIF outsources a critical or important function, who remains responsible for it?
The firm's senior management — responsibility cannot be delegated. A firm can outsource the activity but not the accountability or its licence.
Name functions explicitly excluded from the definition of 'critical or important' for outsourcing.
Legal advice, training of personnel, billing services, physical security, and standardised services such as market-information services and price feeds.
What conditions apply when outsourcing portfolio management to a third-country provider?
The provider must be authorised and supervised in its home country, and a cooperation agreement must exist between CySEC and that country's supervisory authority to allow regulatory access.
Under what condition may a service provider sub-outsource an outsourced function?
Only with the investment firm's explicit written consent. This preserves the firm's control over its supply chain.
What oversight rights must the written outsourcing agreement preserve for the firm?
Rights of instruction and termination, information rights, and rights of inspection and access to the service provider's books and premises. Without access rights, effective supervision is impossible.
When may a firm terminate an outsourcing arrangement with immediate effect?
When immediate termination is in the interests of its clients — for example where the provider's conduct harms clients. Client protection is the trigger, not commercial considerations.
Safeguarding client assets
When must a CIF inform a client that safekeeping of client assets is outsourced?
Whenever the service is outsourced, regardless of location. Location affects the additional warnings required, but the basic duty to inform is universal.
What must a client be told when their funds may be held in an omnibus account by a third party?
They must be informed of the arrangement and specifically warned of the risks — particularly the difficulty of tracing individual ownership if the third party becomes insolvent.
Before using client instruments in a securities financing transaction, what must the firm do?
Inform the client in advance of the terms for restitution and the risks involved. This is a pre-transaction disclosure, not a post-transaction notification.
What control must a CIF perform when safekeeping client assets?
Regular reconciliations between its internal records and the external records of third-party custodians, to detect discrepancies from errors or misuse early.
Risk management & internal audit
What must a firm do if it does not establish a formal risk management function?
Be able to demonstrate on request that its adopted policies and procedures meet the substance of a risk management function. The function can be embedded, but the substance cannot be absent.
How must the internal audit function be positioned within a CIF?
Separate and independent from all other functions and activities of the firm — including compliance and risk management. Its independence gives its findings credibility.
Which task is NOT a responsibility of the internal audit function?
Setting the firm's risk tolerance levels — that belongs to the management body and risk management function. Internal audit plans, executes, recommends and verifies compliance with its recommendations.
Conflicts of interest
Give one of the defined conflict-of-interest scenarios under MiFID II.
Where the firm is likely to make a financial gain, or avoid a financial loss, at the expense of the client. This zero-sum dynamic is the core conflict.
What is the common name for procedures that control the exchange of information between staff where it could harm clients?
A Chinese wall (information barrier). It stops, for example, a corporate finance team sharing inside information with the trading desk.
How should disclosure of a conflict of interest to a client be used?
As a measure of last resort, only when organisational and administrative measures cannot prevent damage to client interests with reasonable confidence. It is not the first line of defence.
How often must the conflicts-of-interest policy be reviewed?
At least annually. Over-reliance on disclosure instead of prevention is treated as a policy deficiency to be caught in the review.
Investment research
What distinguishes investment research from a marketing communication?
Investment research recommends or suggests an investment strategy — explicitly or implicitly — regarding specific financial instruments or issuers, and is intended for distribution channels or the public. General market commentary without such a recommendation is a marketing communication.
What independence requirement applies to the issuer when a CIF disseminates investment research?
The issuer must not have reviewed the draft research recommendation before publication, as issuer review could influence content and compromise independence.
Client communications
What standards must all information addressed to clients meet regarding risk?
It must be accurate and give a fair and prominent indication of any relevant risks. The font size describing risks must be at least equal to that used for the rest of the material — risks cannot be buried in small print.
What minimum period must past-performance information cover, and in what units?
At least the preceding five years, in complete 12-month periods (or the full life of the product if shorter). This prevents cherry-picking short periods of strong performance.
On what basis must future-performance indications be presented?
On reasonable assumptions supported by objective data, showing both positive and negative scenarios in different market conditions. They may not be based on simulated past performance.
Client categorisation
What are the three client categories under MiFID II?
Retail (highest protection), professional, and eligible counterparty (lowest protection). 'Intermediate' and 'private' are not MiFID II categories.
What are the three size thresholds for a large undertaking to be a professional client?
Balance sheet total ≥ €20m, net turnover ≥ €40m, and own funds ≥ €2m. Meeting any two of the three qualifies the undertaking as professional.
What must a retail client satisfy to be treated as an elective professional client?
A portfolio of at least €500,000; at least 10 significant transactions per quarter over the preceding four quarters; and at least one year of relevant professional experience in the financial sector. All three conditions must be met.
Who is responsible for requesting reclassification from professional to non-professional treatment?
The client. The firm must inform professional clients that this option exists, but the initiative must come from the client — the firm cannot unilaterally reclassify a professional client.
Is an individual investment adviser employed by an investment firm automatically a professional client?
No. The employer may be professional, but the individual's personal investment capacity is assessed separately. Authorised entities, national/regional governments and central banks are automatically professional.
Information on instruments
What must the description of an instrument's risks cover, where relevant?
The risks associated with leverage and the risk of losing the entire investment, including scenarios such as issuer insolvency and bail-in.
What must a firm provide when an instrument is composed of two or more instruments or services?
An adequate description of the components and of how their interaction affects the overall investment risks, since combined risk may differ from the sum of the individual risks.
Costs & charges
How must the aggregated total of costs and charges be expressed to a client?
Both as a cash amount and as a percentage of the investment. The dual presentation gives the clearest picture of the cost impact on returns.
When must the illustration of the cumulative effect of costs on return be provided?
Both on an ex-ante basis (before the investment) and on an ex-post basis (in the annual costs report). Both timeframes are required.
Investment advice & suitability
What must a firm do if it cannot meet the criteria for independence in its selection process?
It may not present itself as providing independent investment advice. Misrepresenting non-independent advice as independent is a regulatory breach.
What must a firm do if it cannot obtain sufficient information for a suitability assessment?
It must not recommend investment services or financial instruments to the client. No information, no recommendation — assumptions do not meet the suitability standard.
When must a firm update a client's suitability information?
Whenever an event changes the client's circumstances (income, objectives, risk tolerance). It is event-driven, and the frequency of routine updates depends on the client's risk profile.
Is asking a client for written consent confirming an investment is 'suitable' compliant with CySEC's Suitability Guidelines?
No. Suitability is the firm's responsibility, not the client's to confirm; obtaining such consent improperly shifts responsibility and is specifically identified as non-compliant.
Best execution & order handling
Which venues count as execution venues where a CIF may execute client orders?
Regulated markets, MTFs, OTFs, systematic internalisers, and market makers or other liquidity providers (including equivalent third-country entities).
When must a firm review its order execution policy?
At least annually, and additionally whenever a material change occurs that affects its ability to obtain best execution — such as the closure of a major execution venue.
In what order must a firm carry out otherwise comparable client orders?
Sequentially and promptly (a time-priority rule), unless the characteristics of the order or prevailing market conditions make this impracticable, or the client's interests require otherwise.
What is required before aggregating client orders, and who has priority in a partial fill?
The client's prior consent is required to aggregate orders. Where an aggregated order combining client and firm own-account transactions is only partially executed, client transactions take priority over the firm's own account.