AMF: outsourcing of compliance controls effective 31st March 2023

Manon Anglade

In our last newsletter, we briefly mentioned the AMF’s focus on the outsourcing of internal controls by an asset management company (“AMC”) which resulted from the AMF’s concerns that not enough control is being retained by them. This was emphasized in the report of the AMF 2020 SPOT control (AMF SPOT).

Note that following the amendment of the AMF Position DOC 2014-06 (Guide to the organisation of risk management, compliance and control systems within portfolio asset management companies) effective from 21st March 2022, the market is now poised for further changes regarding the provisions relating to the outsourcing of compliance controls are applicable from 31st March 2023.

The changes afoot concern in particular:

  • The organisational model of the permanent control system (see 3.4 of the AMF Position DOC 2014-06);
  • The separation of level 2 (permanent) and 3 (periodic) controls (see 3.5 of the AMF Position DOC 2014-06);
  • The selection and monitoring of external service providers (see 3.6 of the AMF Position DOC 2014-06).

What is the role of the compliance function?

Looking at the various parts we will try to establish here how this all comes together. To start with the role of the compliance and internal control officer is to monitor the implementation of the corrective measures one recommends and to inform senior management, via the compliance reports about the measures taken.

Depending on the size of the AMC, this can be done during the internal control and compliance committee.

Although senior managers can outsource their compliance and internal control functions they remain fully responsible for them (i.e., the RCCI Dirigeant concept).

The AMF in Section 3.6 of the Position 2014-06 sets out the need for “a digital system that allows the AMC to monitor the progress of the control plan at any time and to have access to all the reports submitted to its executive management and to the items analysed in order to assess the quality of the control system”.

Access to compliance data in real time is crucial therefore, to remain compliant and for the senior managers to demonstrate their own “capture” of their compliance infrastructure as delivered by the outsourced service provider. If data is not shared in real time, it may expose AMCs to serious risks of compliance breaches which, if they remain unremedied, may lead to irreversible damage. Senior managers should bear in mind that  service providers, regardless of how thorough they are, would not be able to  detect all compliance risks as they are a third party not embedded in the AMC’s business. That is what the AMF is pointing to. Therefore, compliance tools allowing both, the in-house team and the outsourced function instant access to data become indispensable.   

When does outsourcing become appropriate for any AMC?

In most cases, the AMCs outsource the compliance and internal control functions when it does not reasonably have the financial resources to recruit a full-time person for this role but also if a person handling compliance also performs financial management functions, commercial functions or other activities likely to generate conflicts of interest.

When the AMF SPOT was released, it laid out the following problematic issues that it identified and which are interesting to note (this is a non-exhaustive list):

  • the profile of the consultant in charge of performing second‐level permanent controls is very junior. At the time when she was hired by the service provider, she had only eight months’ experience in activities related to asset management regulations.”;
  • the number of days allocated in practice to periodic control does not correspond to what is mentioned either in the programme of operations or in the “FRA‐RAC” report”;
  • “The distinction between permanent control and periodic control is not very clear, or even artificial. It was noted that the periodic control diligence did not concern the control work carried out in the framework of second‐level control. In particular, the inspections highlighted the very poor practice consisting of not allocating strictly different human resources to permanent control and periodic control in a given firm in charge of outsourcing.”;
  • “It is found that AMCs do not have sufficiently precise and operational procedures covering the conduct of control”.

In light of the above, the AMF has introduced in its Position 2014-06 a proportionality principle with regards to the second level of monitoring functions. The principle of proportionality implies that AMC takes into account the following elements to calculate the budget allocated to outsourced permanent control:

  • The size (measured, in the context  of asset management, by the amount of assets under management valued in terms of capital deployed and not in terms of capital employed and including leverage) of the management activities and other activities or services carried out by the AMC;
  • The diversity and complexity of management activities and other activities or services exercised by the AMC;
  • The instruments used within the scope of its programme of operations and the complexity of the strategies implemented; and
  • The types of clients targeted by the AMC (professional or equivalent clients, retail clients, eligible counterparties).

The AMF also added some examples to further guide AMCs:

  • AMCs with total assets under management (collective and discretionary) of less than EUR 200 million must have an annual budget of at least 18 man-days for outsourcing second-level monitoring (excluding any further support function);
  • AMCs that cater to non-professional clients with assets of between EUR 200 million and EUR 500 million, and those that cater exclusively to professional or equivalent clients with assets of between EUR 200 million and EUR 1 billion, shall determine their budgets in accordance with the table provided by the AMF (see section 3.4 of Position 2014-06) for calculating man-days.
  • The AMC will be deemed to have the economic resources to assign a staff member (employee, corporate officer or staff made available by its group) to carry out second-level monitoring for at least half of his/her time, once its assets under management (collective management and discretionary management) exceed EUR 1 billion for AMCs whose clientele is composed exclusively of professional or equivalent clients, and EUR 500 million if this clientele is made up of retail clients. This staff member may also have to carry out assistance and advisory functions that are not included in the calculation of these thresholds. He/she may also perform certain non-operational activities such as risk management or administrative monitoring, provided that these activities are reviewed by an external internal audit function.

It is recommended that AMCs consider the above guidance and begin building a resilient infrastructure to avoid breaches in the near future. Whilst the AMF leaves the time to focus on compliance as a whole, and does not consider the aid of compliance software, it is clear that they are keen on compliance software as we reported.

Leo, the all-in-one compliance software can help you to meet the AMF recommendations. By integrating a digital control plan, automated second or third level of control on one digital platform, it allows you tracking in real time any potential risks and recommendations; who is responsible for addressing them and when any corrective measures are planned for.


For more information, please do not hesitate to contact us on the link below.

The FCA Tightens the Grip: Stricter Crypto Regulations and Enforcement Actions

Read more
Transforming AI: Labour’s Vision for a New Era

Read more
EU 28/03/24
Navigating EMIR Refit 2024: changes, challenges, and an upcoming deadline

Read more
EU 26/10/23
The AI Sliding Scale – A Tool or a Threat?

AI regulation feels unclear to say the least. We seek to delve into what has been done and what is intended to be done...

Read more
EU 31/08/23
GDPR Accountability: avoid fines, adherence is easier than you think – part 1

While updating Leo’s privacy and GDPR governance modules in our RegTech Software we realised that one of the most important principals of GDPR-...

Read more