MiFID II Compliance Checklist
Investment-firm perspective. Covers licensing, governance and record-keeping, product governance, investor protection, and MiFIR market and transaction obligations.
Counsel-grade external checklist for MiFID II (Directive 2014/65/EU) and MiFIR (Regulation (EU) 600/2014). Investment-firm perspective. Heavily layered — national transposition (Sweden: lag (2007:528) om värdepappersmarknaden) plus Delegated Regulation (EU) 2017/565 plus ESMA guidelines and Q&As. The post-2021 "Quick Fix" and the 2024 MiFIR review changed several items — verify current state before publishing. This checklist is a working reference, not legal advice.
A. Applicability and licensing gate
- Investment services and activities performed mapped to Annex I Section A (reception and transmission, execution, dealing, portfolio management, advice, underwriting, MTF / OTF operation) and instruments to Section C.
- Exemptions analysis documented (Arts. 2–3: group-internal, ancillary activity, etc.) — the analysis, not just the conclusion.
- Authorisation scope matches actual activities; passporting notifications current for cross-border business.
- Client-categorisation framework: retail / professional / eligible counterparty, with opt-up and opt-down procedures and records (Annex II).
B. Governance and organisational requirements (Arts. 9, 16; DR 2017/565)
- Management-body suitability, time commitment, and collective knowledge documented; nomination process per ESMA / EBA suitability guidelines.
- Compliance function (DR Art. 22): permanent, independent, resourced; risk-based monitoring programme; annual compliance report to the management body.
- Risk-management and internal-audit functions proportionate to size and complexity.
- Outsourcing of critical functions: due diligence, written agreements, no empty-shell delegation, register of arrangements.
- Record-keeping (Art. 16(6)-(7)): all services and transactions retrievable; telephone and electronic-communications recording for transaction-related conversations — 5-year retention (up to 7 on authority request), including mobile and approved channels; private-channel (WhatsApp) policy enforced.
- Conflicts-of-interest policy: identification map, register, management measures, disclosure only as a last resort (Arts. 16(3), 23).
- Remuneration policy not incentivising recommendations against client interest.
- Complaints-management function and reporting; staff knowledge and competence per ESMA guidelines for advisors and information-givers.
- Safeguarding of client funds and instruments: segregation, reconciliations, third-party custody due diligence, annual auditor report.
C. Product governance (Arts. 16(3), 24(2); ESMA guidelines)
- Manufacturer: product-approval process; target market (positive and negative) per product; scenario analysis; distribution strategy consistent with the target market.
- Distributor: obtains manufacturer information, defines its own target market, sales-outside-target-market monitoring.
- Periodic product-review cycle with feedback loop between distributor and manufacturer.
D. Investor protection and conduct (Arts. 24–25)
- Information to clients fair, clear, and not misleading; marketing communications identified as such.
- Costs and charges disclosure: ex-ante and annual ex-post, aggregated, with illustration of the cumulative effect on return.
- Suitability (advice and portfolio management): knowledge and experience, financial situation, objectives including risk tolerance and sustainability preferences; suitability report delivered before the transaction (advice); periodic suitability for ongoing relationships.
- Appropriateness (non-advised complex products): assessment plus warnings; execution-only conditions documented for non-complex products.
- Inducements (Art. 24(7)-(9)): quality-enhancement test per payment, inducements register; independent advice and portfolio management — full ban and rebate mechanism; research-payment treatment per the current post-Quick-Fix regime.
- Best execution (Art. 27): execution policy per instrument class, venue analysis, client consent, annual review, monitoring evidence — verify current status of RTS 28 reporting (abolished in the review) before building disclosures.
E. Market and transaction obligations (MiFIR)
- Transaction reporting (MiFIR Art. 26): complete and accurate T+1 reports via an ARM or direct; field-level reconciliation and error-remediation process; LEI hygiene ("no LEI, no trade").
- Pre- and post-trade transparency obligations mapped to trading capacity (SI status assessed and, if thresholds are crossed, notified).
- Order record-keeping and clock synchronisation (RTS 25) where applicable.
- Algorithmic trading (Art. 17), if applicable: system resilience, kill functionality, annual self-assessment, notification to the authority; DEA controls.
- Position limits and reporting for commodity derivatives, if applicable.
F. Cross-regime interplay
- MAR: personal-account dealing, insider lists, STOR reporting wired into the same surveillance stack.
- SFDR / Taxonomy sustainability disclosures aligned with suitability sustainability-preferences capture.
- DORA now covers this entity's ICT risk (investment firms are in scope) — one incident may trigger DORA + GDPR + MiFID record-keeping duties simultaneously.
Last reviewed: July 2026. The MiFIR review (Regulation (EU) 2024/791) and Directive (EU) 2024/790 change several items including consolidated tape, SI regime and best-execution reporting — verify current ESMA guidance before relying on specific values.