Regulating intra-firm processes: the case of Product Governance

My article on Product Governance as a case study on the regulation of intra-firm processes claims that contract law principles are being used by transnational financial regulation – such as that provided by the International Organization of Securities Commissions (IOSCO) – to set a world-wide (proto)normative framework regulating intra-firm processes. This practice comes close to the European Regulatory Private Law (ERPL) phenomenon already employed by the EU lawmaker in quite technical fields, such as banking and financial services law. 

As mentioned by Micklitz (2014), the ERPL is to be viewed as (the emergence of) self-sufficient European private law, where ‘private’ implies the aim to facilitate private relationships, and ‘regulatory’ hints at the (not-at-all-secondary) effort to realise public policy goals (as also clarified by Mak, 2015). When looking at the law governing financial services and markets, this effort is represented by the EU’s legislative activity in regulating the EU wholesale financial market and in driving the integration of local retail financial services markets towards a single retail market. As highlighted by Micklitz (2009), to achieve its purposes, the ERPL uses two different tools, usually viewed in contrast to one another (rules of private law and rules of public administrative law) and increases the level of harmonization (from minimum to full). 

The article focuses on the new Product Governance rules under the 2014 Market in Financial Instrument Directive II (MiFID II) – which may be viewed as the most recent example of ERPL – and it draws parallels with IOSCO documents also regarding product governance. What the article discovers is that the predecessor of MiFID II, i.e. 2004 MiFID I, and an early 2013 IOSCO document named ‘Suitability Requirements with Respect to the Distribution of Complex Financial Products’ already required financial firms to internally proceduralise – through ad hoc internal policies and procedures – specific issues arising from the client-provider contractual relationship and to focus on the ‘point of sale’ moment, such as best execution, conflicts of interests, and suitability and appropriateness requirements, with the Compliance Function being tasked with carrying out second-level controls. However, Product Governance takes a bold step forward. This normative framework – as provided for by MiFID II and heralded by the late 2013 IOSCO ‘Report on Regulation of Retail Structured Products’ – not only internalises the very same duties flowing from the client-provider contractual relationship but moves the boundaries much further by regulating the entire ‘value chain’ process of the product, with the Compliance Function being in charge of directly overseeing the whole process. 

As stated by the IOSCO Board (2013) in “Regulation of retail structured products – Final Report”, the ‘old’ disclosure standards and suitability requirements are still deemed essential but no longer ‘necessarily sufficient to prevent mis-sales’ in an environment characterised by the retailisation of increasingly complex financial products. The IOSCO Board implies that the ‘Leitmotiv’ driving the adoption of Product Governance provisions is that the investor’s welfare ‘may be improved through setting requirements for firms earlier in the value chain’. Product governance, being an internal pre-point-of-sale requirement, thus complements rather than replaces disclosure-based duties by bringing them forward in formalised intra-firm procedures of an investment service provider.

IOSCO’s normative production is usually based on international regulatory discussions that are strongly inspired by the innovative ideas emerging from the most developed financial centres.  Although there is no formal link between IOSCO’s reports – in particular the late 2013 one – and the MiFID II provisions, Product Governance looks like a set of rules triggered by the regulatory debate within IOSCO (with the London-based regulators likely to have played a key role) and then channelled into a normative approach that is, by and large, coherent with the ERPL theory: from negative harmonisation (barriers imposed by national laws on the establishment of the unified market are removed) to positive harmonisation of, first, disclosure-based duties and, then, conduct-of-business requirements (which are used as public enforcement tools rather than private remedies), eventually resulting in public regulation of intra-firm processes led by contract-law principles.

Within this new context, the agent’s duties flowing from the principal’s fiduciary relationship are being ‘poured into’ the agent’s internal processes and procedures and result in pure administrative liability, regarding which public enforcers will have the last say. On the other side of the spectrum, the Compliance Function is asked to ensure that such duties are performed correctly so as to avoid enforcement procedures which may impair business activity and cause reputational damage. The outcome seems to be that civil liability risk is only addressed indirectly. 

Antonio Marcacci is PhD in Laws, European University Institute and a Compliance Professional, Banking and Financial Industry in Milan, Italy.


With the support of