On 10 October 2024, the Central Bank of Ireland (Central Bank) published a Dear CEO Letter to MiFID investment firms, credit institutions and fund management companies providing MiFID II services to retail clients.
In this, the second of three articles on the Dear CEO Letter, our Financial Regulation team examines some of the key themes identified in the Dear CEO Letter. For further information on the background to the Dear CEO Letter and the actions it requires of firms, please see our first article here.
Key Themes
We examine some Central Bank expectations/identified good practices in the following areas:
1. Marketing and Advertising Content not Clearly Identifiable as Such
- Marketing material – The Central Bank views any material, regardless of the means of dissemination, designed to promote or sell a financial instrument and/or an investment service, as marketing material. Any such material should be clearly identifiable as such.
- Policies and procedures – The foregoing expectation should be clearly articulated and reflected in firms' marketing and advertising policies and procedures. They should also be reviewed and approved by the Board annually and be updated (as necessary) to reflect any relevant legislative changes or regulatory guidance (e.g. updating to reflect the 'Guidance on Securing Customers' Interests' when finalised and published by the Central Bank in the context of the revised Consumer Protection Code). For further information on the revised Consumer Protection Code, please see our article here.
- Clear and prominent identification – Firms should clearly and prominently identify all published marketing and advertising content as, for example, a 'marketing communication' or an 'advertisement'. The Central Bank highlights it as good practice to clearly identify marketing and advertising content by using prominently placed text boxes containing the wording 'This is a Marketing Communication' or 'This is an Advertisement' in bold font.
- Checklists – Another good practice identified by the Central Bank is the use of a checklist to ensure marketing and advertising content is appropriately classified and clearly identifiable as marketing communication. The content and completed checklist should be reviewed and approved by the firm's Compliance function prior to publication.
- Review – Firms should regularly review published marketing and advertising content to ensure that it is clearly and prominently identifiable as such and that all information included therein is fair, clear, and not misleading, whether disseminated via digital or more traditional means.
- Social media – Social media channels should include a description/disclaimer stating that published content should be considered marketing material.
- Marketing, thought leadership, and educational content should be treated equally – Any published content, whether classified as marketing content, thought leadership content, or educational content, should be subject to the same level of governance and oversight and should always seek to secure investors' interests and support them in making informed investment decisions.
2. Poor Governance and Controls
- Governance and oversight – Firms must have robust marketing and advertising governance and oversight arrangements in place. They must communicate effectively and responsibly, ensuring that information is fair, clear and not misleading and always seek to secure investors' interests. Some firms were found to have implemented a risk-based approach to the review and approval of marketing and advertising content, whereby the first line of defence or subject matter experts reviewed and approved content in place of the Compliance function. There was clearly documented guidance in place setting out when the Compliance function sign-off was required.
- Internal control – Appropriately robust internal controls should be documented in a policy or procedure document for the Marketing and Advertising function. These should clearly articulate the governance framework and decision-making process, including roles and responsibilities regarding the production, approval, publication, review, and monitoring of marketing and advertising content.
- Responsible person – Firms should clearly define who is ultimately responsible for approving marketing and advertising content.
- Communication channel – Given the dynamic and rapidly changing online environment, firms' control functions and senior management must ensure that the firm's policies, procedures and internal control mechanisms comply with its regulatory obligations regardless of the communications channel. The Central Bank recommends having specific policies or guidance in place regarding digital marketing and advertising, such as the use of social media.
- Vulnerable customers – Firms must understand and account for the drivers of vulnerability relevant to their business and design their systems, processes, and procedures, including those relating to marketing and advertising so that investors who find themselves in vulnerable circumstances are reasonably protected from poor outcomes. The Central Bank encourages documenting policies and procedures for the provision of information to investors who find themselves in vulnerable circumstances.
- Annual Board review and approval – The Board should ideally review and approve marketing and advertising policies and procedures annually.
- Annual training – Firms should conduct annual training sessions for relevant employees on the applicable regulatory framework regarding marketing and advertising requirements.
- Checklist – It is good practice to use a Compliance function-approved checklist at both the content creation stage and the review and approval stage of the marketing and advertising process.
- Compliance final sign-off – Ideally, the business unit, Marketing team, and Compliance function would oversee the production and publication of compliant marketing and advertising content, with the Compliance function providing the final sign-off prior to publication.
3. Outsourcing arrangements
- Outsourcing policy – Firms must have a comprehensive, overarching outsourcing policy that is reviewed and approved by the Board at least annually. The Central Bank has identified a good practice of documenting a due diligence selection process for outsourced service providers in an overarching outsourcing policy or procedure.
- Service Level Agreements – Firms must have detailed, documented service level agreements (SLAs) with each outsourced service provider, capturing the methods and procedures for assessing the outsourced service provider's standards, the metric(s) for measuring the quality of the service provided and the firm's tolerance for error(s), if any.
- Supervising and managing risks – Firms should retain the necessary expertise and resources to supervise the outsourced functions effectively and mitigate any associated risks.
- Intra-group arrangements – Firms should apply the same rigour to any assessment of an intra-group outsourced service provider as would be applied to an external third-party outsourced service provider.
- Annual reviews – It is recommended to conduct an annual review of all outsourced service provider arrangements.
- Third parties – The Central Bank endorses choosing third parties based on their background, experience, qualifications and ability to effectively represent the firm. Such third parties should not be permitted to edit approved marketing and advertising content provided by the firm. Good practices mentioned include documenting this in the SLA and sending approved content to the third party only in PDF or printed format.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.