06.02.2025
Practice Areas: Finance
CMVM’s Guidelines on the Compliance Function and the Procedures for Assessing the Suitability of the Compliance Officer
- Introduction
On 23 December 2024, the Portuguese Securities Market Commission (“CMVM”) published its Guidelines on the compliance function and the procedures for assessing the suitability of the compliance officer (the “Guidelines”), which came into force on 1 January 2025.
The Guidelines are the result of the CMVM’s Public Consultation No. 2/2024, which ran from 5 November 2024 to 25 November 2024, and follow on from the Guidelines on the Assessment of Suitability for the Exercise of Regulated Functions and of Qualifying Holders, published by the CMVM in September 2020. Their aim is to clarify and properly frame the regulatory framework applicable to financial sector companies.
The Guidelines apply to the following entities:
- Investment companies;
- Management companies of collective investment schemes;
- Venture capital companies;
- Self-managed collective investment companies;
- Credit securitisation companies;
- Credit securitisation fund management companies;
- Providers of crowdfunding services.
Financial sector companies must establish internal policies and procedures capable of identifying risks related to conflicts of interest and non-compliance with applicable regulations.
The Compliance Function (“CF”) plays a decisive role in assessing and monitoring internal policies and procedures designed to mitigate these risks. In this regard, it is responsible for advising the company’s management body and regularly providing information on the effectiveness of internal control procedures, identified risks, and mitigation measures.
As part of the “Control Functions” category, the compliance function must have the authority, independence, resources and technical capacity to perform its activities. Accordingly, the Compliance Function Manager (“CFM” or “compliance officer”) must be suitable, experienced, available and independent.
- Compliance Systems
The implementation and maintenance of a compliance system, namely through the approval of internal policies and procedures designed to mitigate the risks of non-compliance with the regulatory framework, is the responsibility of the management body.
The supervisory body is responsible for evaluating the management body’s actions in implementing these measures. To this end, the supervisory body should consider the register of non-compliances maintained by the compliance function, and the consequent reports from the compliance function and the internal audit function. The internal audit function (if applicable) is responsible for assessing the adequacy and effectiveness of the compliance system.
The operational areas are also bound by internal policies and procedures and are the compliance system’s first line of defence. They play an active role in identifying risks of non-compliance and alerting the compliance function to the need for corrective actions, particularly regarding internal policies and procedures.
The compliance function is responsible for raising awareness within operational areas about the importance of adhering to applicable legal rules, ensuring that those responsible understand the risks and potential instances of non-compliance with the regulatory framework.
In addition, an annual compliance training plan must be approved by the management body. The management body must also structure and organise itself to ensure that compliance issues are adequately identified and debated at the level of the body and its members, including executive members. Furthermore, the management body must provide a written opinion on the annual compliance report presented by the compliance function, specifically addressing detected shortcomings, deficiencies, improvement opportunities, and recommended actions.
In these terms, the Guidelines point to a compliance system composed of the following players:
a) The management body;
b) The supervisory body;
c) The compliance function, including the compliance officer;
d) The person responsible for regulatory compliance regarding anti-money laundering and counter-terrorism financing, and individuals allocated internally and/or externally to regulatory compliance;
e) The person responsible for the internal audit function (if applicable) and individuals allocated internally and/or externally to the internal audit function;
f) Those responsible for the operational areas and the people allocated internally and/or externally to the operational areas.
- Compliance Function
The compliance function must be exercised continuously and without interruption. If a compliance officer vacates their position, the supervised entity is responsible for appointing a new compliance officer by the date on which the termination takes effect. If no such appointment has been made by that date, a substitute must be designated so that the function remains covered. This person may be part of the structure (e.g. a director responsible for compliance or a senior employee in the compliance function) or external to it (e.g. a specialised external service provider).
The identity of the new compliance officer must be communicated to the CMVM no later than six months after the organisation becomes aware that the current compliance officer will be leaving.
The compliance function must have the necessary means to perform its tasks, including in particular the hiring of experienced professionals for the required duties and the implementation of mechanisms to increase task efficiency. Additionally, it must have access to all relevant information needed to fulfil its responsibilities.
The main characteristic inherent to the compliance function is its independence. To this end, it must be functionally and hierarchically independent from the operational areas it monitors, including in the way the supervised entity’s physical space is organised.
In line with the principle of proportionality, the cumulation of the compliance function with the operational areas it monitors may be permitted, provided that the cumulation does not undermine the effectiveness of the compliance function.
The cumulation of compliance functions with other internal control activities may be allowed in accordance with the principle of proportionality, as long as the independence of the compliance function is ensured. However, this function may not be combined with the function of internal auditor.
The compliance function is responsible for assessing internal policies and procedures as to their effectiveness in identifying, preventing, managing and monitoring the risks of non-compliance. The results of this assessment must be communicated to the management body, along with any proposed changes.
The compliance function is also responsible for monitoring the activities of the operational areas and sensitising them to compliance issues, verifying that the complaints and grievances handling process is operating within the parameters of the applicable legal framework, and providing prior opinions on operations that may involve conflicts of interest.
In its relations with the management body, the compliance function is particularly responsible for presenting an annual compliance plan for approval, offering advice on compliance matters, and providing prior opinion when the management body wishes to explore new products and services on the market.
In its relations with the supervisory body, the compliance function is responsible for alerting and transmitting all relevant information necessary for the supervisory body to perform its duties, particularly regarding situations of significant non-compliance risk for the supervised entity.
Regarding its relations with the CMVM, the compliance function is responsible for monitoring and following up on reporting obligations to the CMVM and communicating situations to the CMVM that could pose a risk of serious non-compliance.
A compliance report should be drawn up at least once a year, detailing the results of the actions and efforts carried out during the reporting period, as outlined in the annual compliance plan. Additionally, the compliance function must keep a complete register of non-compliances up to date, enabling it to identify any changes made to it, including the author and date of each change.
The compliance function, including the person responsible for the compliance function, may be subcontracted, provided that the effective exercise of the function is not compromised, especially in terms of its independence. The subcontractor must have the necessary resources for the function to be performed and be represented by individuals with proven experience.
- Compliance officer suitability requirements
The person responsible for the compliance function must be suitable. Suitability refers to the individual’s qualifications as assessed through their personality, behavioural characteristics, actions, and their personal, professional, and financial situation.
The criteria for assessing suitability include: honesty and integrity; reputation and credibility; diligence and professionalism; punctual fulfilment of duties and obligations; as well as facts/evidence:
i) with criminal or administrative offence relevance;
ii) with regulatory or supervisory relevance;
iii) with disciplinary, deontological or professional relevance;
iv) with patrimonial relevance;
v) with reputational relevance.
As for the experience requirement, the compliance officer must possess in-depth, solid and up-to-date knowledge of the job they will be performing, particularly the responsibilities inherent to the position.
This criterion is assessed broadly, covering both the professional and practical experience gained in previous roles and the theoretical knowledge acquired through academic and training programs.
Regarding academic records, the following parameters are considered:
- Academic qualifications and their relationship to the role;
- Attendance and completion of specific or complementary courses, programs or training, including their duration and relationship to the role.
Regarding professional experience, the following parameters are considered:
- Previous roles and positions held, along with the respective levels of responsibility, especially the role of compliance officer in supervised entities;
- Duration in current or past positions or functions;
- The nature, scale and complexity of the organisations in which the compliance officer holds or has held office; and
- Holding management, leadership or team co-ordination positions and number of employees involved.
These requirements are subject to the principle of proportionality, meaning that the degree of demand must be balanced against the nature of the role the compliance officer will assume.
The person responsible for the compliance function must be independent and must not hold positions that could affect their impartiality. The organisation should refrain from appointing as head of the compliance function an executive director, a holder of a direct or indirect qualifying holding, or a person who has special links (e.g. family or economic) to an executive director or to a holder of a direct or indirect qualifying holding that confers control over the supervised entity.
Nevertheless, a compliance officer may be appointed in the above situations, provided that the appointment is accompanied by a statement of reasons from the management body, demonstrating that this situation does not influence the compliance officer’s actions, and that measures will be implemented to mitigate the associated risks.
The compliance officer must fulfil the role on a full-time basis, unless such an arrangement is deemed disproportionate. In such cases, the management body must document and justify the decision.
The compliance officer’s residence should preferably be in Portugal, unless residing abroad is justified by factors such as: (i) the business’s multi-location nature; (ii) being part of an international group; or (iii) the digitalisation of the business and its modus operandi.
- Procedures for assessing the suitability of the compliance officer
The initial assessment of the suitability of the compliance officer should be carried out by the supervised organisation itself through a prior assessment report. The following elements will be considered: (i) criminal record certificate; (ii) qualification certificate; (iii) attendance at training courses; (iv) curriculum vitae, along with any other relevant elements, such as interviews.
The prior assessment report should indicate whether any “disreputable” facts have been detected. If so, the report must provide a justification for why these facts do not undermine the compliance officer’s suitability for the role.
The following should be identified: (i) the criteria for weighting the experience requirement; (ii) how the compliance officer’s knowledge of the applicable regulatory framework and technical capacity were assessed; (iii) the steps taken to determine whether the compliance officer’s independence could be compromised; (iv) whether the person responsible for the compliance function will be exclusively dedicated to the role and, if not, what other responsibilities they will have and the workload involved; (v) in cases where it is possible to cumulate functions (by application of the principle of proportionality), the criteria inherent to the principle of proportionality that justify such cumulation and the reasons why such cumulation does not affect the independence of the function.
The CMVM’s assessment will take place within the authorisation process for the commencement of activities. In the event of a change in the person responsible for the compliance function of a supervised entity, the CMVM may assess the new person responsible for the compliance function before or after they assume their duties, depending on the regulatory framework applicable to the type of supervised entity, subject to prior notification with a deadline for opposition or mere notification, respectively.
The following elements will be considered in the CMVM’s assessment of the compliance officer’s suitability: (i) the prior assessment report drawn up by the supervised entity; (ii) the curriculum vitae; (iii) in cases of replacement of the compliance officer, information on the termination of the current compliance officer, including the reason and date of the termination; and (iv) any other relevant elements.
The CMVM will invite the person responsible for the compliance function to an interview, in which fulfilment of the requirements of suitability, independence and availability will be analysed.
The possible outcomes of the suitability assessment are:
i) “Adequate”;
ii) “Adequate with recommendations” (if the experience and availability requirements have been met, but shortcomings have been detected that should be remedied by issuing recommendations. For example, when gaps in experience have been detected, training may be recommended);
iii) “Adequate subject to reassessment” (if shortcomings are detected that require reassessment in the short term, typically within three to six months, but the nature of the deficiencies and the associated risks do not prevent the compliance officer from assuming their duties);
iv) “Adequate under condition” (in cases where: (i) the compliance officer cumulatively performs another activity that may compromise their independence, the CMVM may make the fulfilment of the requirement conditional on the cessation of the conflicting activity; (ii) the compliance officer performs the same function in several entities, compromising their availability, the CMVM may make the fulfilment of the requirement conditional on the cessation of the compliance officer function in other supervised entities);
v) “Not suitable” (if the evaluation elements do not meet the suitability requirements).
The supervised entity must notify the CMVM, within the time frame the CMVM sets, providing proof that the identified shortcomings have been addressed and the recommendations have been complied with.