MiFID II – PRIIPs – GDPR – Transparency Register & No End in Sight for Luxembourg Investment Funds
ADMIN / September 27th
Since the beginning of the year, at least two new regulatory gems have been bestowed on the Luxembourg investment fund community. In the following, we would like to reiterate their effects on Luxembourg investment funds. First, there is the second Directive 2014/65/EU on markets in financial instruments (“MiFID II”), immediately followed by Regulation (EU) 1286/2014[1] on key information documents for packaged retail and insurance-based investment products (“PRIIP Regulation”).
With effect from May 26, local investment funds should then implement the General Data Protection Regulation[2] (“GDPR”).
As the period between 2 January – the entry into force of the PRIIP Regulation – and 26 May is almost five months, Luxembourg lawmakers have also decided in the peaceful season before Christmas that, meanwhile, the financial market industry could also deal with the implementation of a transparency register applicable to companies established in Luxembourg.[3]
The good news about these four regulatory amendments is that all four are interconnected. Therefore, the esteemed reader does not have to treat MiFID II, GDPR, the PRIIP Regulation, and the transparency register (the “Four”) separately; and it is best not to. The bad news is that these Four do not always seem to want to “cooperate” harmoniously. All Four fall within the scope of the AIFMD. In this context, it is particularly important to consider the responsibility of the AIFM regarding the distribution of fund shares.[4]
Key Take-Away Points:
- MiFID II also partially applies to investment funds.
- MiFID II and the PRIIP Regulation overlap in some aspects.
- The growing demands for transparency require a better exchange of information in line with the GDPR.
- The transparency register will make information on the ultimate beneficial owner (UBO) accessible to the public.
- AIFMs, Boards of Directors, and managing directors of investment funds as well as capital management companies should think about how to implement these requirements (if not done already) and ensure that they are met.
MiFID II:
Regarding MiFID II, certain AIFMs, managing directors or Boards of Directors of a SICAV or a capital management company could refer to recital 34 and point (j) of Article 2(1) of MiFID II, explicitly excluding collective investment undertakings from the scope of MiFID II.[5]
Are you in luck? Have investment funds been spared? Well, yes, but…
First of all, the rules set out in MiFID II provide a legal framework for investment firms, market operators, data providers, and investment service providers. In this context, these include, inter alia, banks and often distribution partners of Luxembourg investment funds. An “investment firm” as defined in MiFID II means any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis.[6] In addition to financial portfolio managers, this target audience also includes, in particular, investment advisers and investment intermediaries. Under MiFID II, with respect to the managed or distributed investment funds, they are required, inter alia, to comply with the new remuneration policies and to provide a current so-called Product Governance Policy (“PGP”), including a so-called target market definition, as well as the corresponding documentation. The rules concerning Product Governance are one of the key elements of the provisions set out in MiFID II and apply to the entire life cycle of products, for example regarding a managed/distributed investment fund, from the product structuring, through its distribution, all the way to ongoing monitoring obligations. The investment firm must maintain, operate and regularly review a process for the internal approval of each financial instrument to be distributed.[7] One part of this process consists of specifying one or several target markets. The target market is an abstract description of the group of clients to whom the financial instrument is targeted.[8] Furthermore, the investment firm is required to provide every distribution partner with all the necessary and relevant information relating to the investment fund and the product approval process, including the specified target market. 
In addition, the investment firm must ensure that the investment fund is only distributed on the previously specified market.[9]
It is therefore not sufficient to merely meet the requirements laid down in MiFID II and then to sit back and relax. Following the initial implementation and after preparing the corresponding documentation, the investment firm must monitor the investment funds concerned on an ongoing basis and, if necessary, adjust the PGP, for example.
However, if an investment firm does not distribute its own products, but it is entrusted with distributing fund shares by an external AIFM, a capital management company, a general partner or a Board of Directors of a Luxembourg investment fund, in the light of past experience, it will, in return, demand that “the fund” provide a PGP, including a target market definition, in line with the requirements laid down in MiFID II. At the same time, the principal of the investment firm, i.e. the external AIFM, a capital management company, a general partner or a Board of Directors of a Luxembourg investment fund, should ensure that the entrusted investment firm also complies with the requirements set out in MiFID II. Otherwise, it could be accused of failing to exercise due diligence and to comply with the contractual conditions in line with the prevailing market standards.
In other words: the above requirements referred to in MiFID II also indirectly apply to investment funds. It is the obligation of distribution partners to ensure that investment funds meet said requirements.
In existing and future distribution agreements, it should also be ensured (if not done already) that, pursuant to point (a) of Article 24(4) of MiFID II, a distribution partner informs the potential investor whether the service provided is considered investment advice on a “dependent” or an “independent” basis before providing advice to that investor. Investment advisers providing advice on an independent basis may not receive any financial payments from third parties or from the representative of a third party with respect to the distribution. This also and especially applies to the investment fund.[10] If financial payments are received from third parties, they must be fully and immediately paid out to the client.[11] Investment advisers providing advice on a dependent basis may only accept a remuneration within specified limits.
Also in this context, it can be considered the obligation of the external AIFM, a capital management company, a general partner or a Board of Directors of a Luxembourg investment fund (depending on who concluded the distribution agreements) to ensure that existing and future distribution agreements comply with the requirements of MiFID II.
PRIIP Regulation[12]:
Similar to MiFID II, the PRIIP Regulation also requires a target market to be specified in the KID and a distinction to be made as to whether it is a complex or a non-complex product.[13] Initial and running costs as well as transaction costs of the packaged product[14] should be presented in accordance with the provisions laid down in the PRIIP Regulation. Under MiFID II, investment firms are also required to adhere to “cost transparency” regulations vis-à-vis potential investors of an investment fund.[15] Thus, it becomes clear that both MiFID II and the PRIIP Regulation place a similar focus on various aspects relevant to Luxembourg investment funds. In this context, we believe that it is important a) to ensure that no contradictory information pertaining to the requirements set out in MiFID II and the PRIIP Regulation penetrates the market and, b) where possible, to take advantage of efficiencies in order to avoid performing the same work twice.
GDPR:
It should be evident by now that both MiFID II and the PRIIP Regulation impose more stringent transparency requirements on investment funds vis-à-vis (potential) investors, e.g. in respect of the target market definition, and hence regarding the “target” investor type and the costs of distribution services, for example. This also entails increased information needs of the parties involved. For instance, in order to ensure that an investment fund is, in fact, distributed to investors in line with the target market definition, like it or not, distributors and investment funds must exchange the relevant information. Under the PRIIP Regulation, a complaints board must be listed for each investor. If the investor calls or writes an email, he will most likely leave his contact details, which will be stored, transmitted and, in the best case scenario, used when creating a response.
This is where the GDPR comes into play as of 26 May 2018. It contains provisions on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The GDPR applies to any natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.[16] The GDPR provides for an increased level of transparency vis-à-vis the data subjects with regard to the processing of personal data, such as the transfer of client data to distribution partners, as well as for the consent of the data subjects to the processing of personal data to be given by a clear affirmative act in an “informed and unambiguous” way. According to point (1) of Article 4 of the GDPR “personal data” means “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Forwarding a personalized email address is already sufficient to meet this definition.
Unlike MiFID II, the GDPR does not provide for any derogations, for example relating to UCITS, AIFs or AIFMs. This means that, for the purposes of the GDPR, AIFMs, capital management companies, general partners or Boards of Directors of a Luxembourg investment fund must designate a data protection controller with effect from 26 May 2018 who ensures compliance with the GDPR in the company or by the investment fund, as the case may be. Such requirements primarily include the consent of the data subjects that they have been informed about the use of their data in an “informed and unambiguous” way and that they have agreed to such use. This will often apply to investors, but also to distribution partners and managing directors or Boards of Directors of the investment fund.
For instance, if investors’ data is stored and processed by the transfer and registrar agent as well as by the depositary of an investment fund, which is generally the case, the investment fund must establish and document an appropriate outsourcing/controlling process.[17] In connection with the distribution of funds, investment funds or AIFMs and distribution partners regularly exchange data on existing investors or potential investors already contacted. This often concerns data of natural persons. Hence, the persons responsible for distribution on the part of the investment fund should establish an appropriate chain of documentation.
As a result, investment funds or AIFMs/capital management companies will not be able to avoid analyzing where personal data is stored, processed and/or transmitted, and they will have to determine how to obtain consent from the data subjects and how to provide evidence for it, if need be.
Transparency Register:
Last but not least, the upcoming transparency register will also revitalize the investment fund community. It aims to transpose Articles 30 and 31 of Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (“AML Directive”).[18] With the entry into force of the transparency register in Luxembourg, local companies will be required to publish their beneficial owners in the register, as laid down in the AML Directive. It becomes immediately clear that, in any case, the GDPR will be affected as this generally involves the personal data of natural persons. Furthermore, the persons responsible for the funds will have to determine who will have to meet these new obligations. What steps can be taken to ensure – initially and on an ongoing basis – that subsidiaries, for example, will also satisfy these requirements?
Role and Responsibility of the AIFM:
In accordance with the AIFM law, the AIFM is entitled to distribute the alternative investment funds it manages within the EU. If the AIFM does not perform the distribution activities itself, but resorts to an external distribution partner, such as an investment firm, it is still responsible for that distribution. In addition, the AIFM must also monitor the operational risks of AIFs as part of the risk management process, meaning that it must also ensure that the new regulatory requirements under MiFID II and the GDPR are implemented. In this context, it becomes evident that the new requirements described above should also give rise to corresponding processes and documentation obligations for the AIFMs. Ultimately, it is the responsibility of the Boards of Directors or managing directors, general partners and capital management companies to ensure that the new regulatory requirements will, in fact, be implemented.
Please contact us. We are happy to assist you.
Harald Strelen
+352 26202332
Legal note: AIQUNITED, 1C, rue Gabriel Lippmann · L-5365 Munsbach
[1] Regulation (EU) 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs).
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
[3] Luxembourg bill no 7217 on the introduction of a transparency register. You can see the current status of the procedure here: https://www.chd.lu/wps/portal/public/Accueil/TravailALaChambre/Recherche/RoleDesAffaires?action=doDocpaDetails&id=7217
[4] Annex 1 of the AIFMD: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32011L0061&from=EN.
[5] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014L0065&from=DE
[6] Point (1) of Article 4(1) of MiFID II; however, Member States may, under certain conditions, include in the definition of investment firms undertakings which are not legal persons, as is the case in Germany.
[7] First sentence of paragraph 80(9) of the bill on the second FiMaNoG (German amendment act on financial markets).
[8] See https://www.esma.europa.eu/sites/default/files/library/esma35-43-620_report_on_guidelines_on_product_governance.pdf.
[9] Paragraph 63(4) of the second FiMaNoG (German amendment act on financial markets).
[10] Article 24(7) and (8) of MiFID II.
[11] Article 12(1) of the Delegated Directive (EU) 2017/593 with regard to the provision or reception of fees, commissions or any monetary or non-monetary benefits.
[12] For requirements as to the content of the PRIIP Regulation, please see our newsletter: https://aiqunited.com/b-l-o-g/.
[13] Article 2(3) of the PRIIP Regulation and Article 1(2) with regard to technical standards of the PRIIP Regulation: https://ec.europa.eu/finance/docs/level-2-measures/priips-delegated-regulation-2017-1473_en.pdf.
[14] Regarding the application of the PRIIP Regulation to AIFs, please see our previous newsletter: https://aiqunited.com/b-l-o-g/.
[15] See Article 24(4) of MiFID II.
[16] Point (7) of Article 4 of the GDPR.
[17] Until now, the transfer and processing of personal data was in general already being approved by the investor, e.g. when signing a subscription agreement. However, an adequate monitoring process to ensure that the data protection regulations are properly implemented by the investment fund, i.e. the Board of Directors, AIFM, capital management company, etc., has not always been documented. This will have to change in the future.
[18] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L0849&from=DE