Minimum Requirements for Risk Management (MaRisk)
AT 4.4.2 Compliance function
1 Each institution shall have a compliance function in place in order to counteract the risks that may arise from non-compliance with legal rules and regulations. The compliance function shall ensure the implementation of effective procedures for complying with the legal rules and regulations that are material to the institution, and of corresponding controls. The compliance function shall additionally support and advise the management board with regard to complying with these legal rules and regulations.
Responsibility of the management board members and the business units
Notwithstanding the duties of the compliance function, the management board members and the business units remain fully responsible for complying with legal rules and regulations.
Relevance of other supervisory requirements
This is without prejudice to all other compliance function requirements arising from other prudential supervisory legislation (in particular, section 80 (1) of the Securities Trading Act and Article 22 of Delegated Regulation (EU) 2017/565 in conjunction with Circular “Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency” (MaComp); section 25h of the Banking Act in conjunction with corresponding administrative provisions).
2 The compliance function shall regularly identify the material legal rules and regulations, non-compliance with which might jeopardise the institution’s assets, in the light of risk factors.
3 In general, the compliance function shall be directly subordinate to and report to the management board. It shall also be permitted to be linked to other control units as long as there is a direct reporting line to the management board. The compliance function shall also be permitted to be assisted by other functions and units in the performance of its duties. Depending on the institution’s size as well as the nature, scale, complexity and riskiness of the business activities, the compliance function shall be assigned to a unit that is independent of the front office and trading.
Link to other control units
Other control units may be, for example, the risk control function or the anti-money laundering officer, but not the internal audit function.
4 Significant institutions should, in general, set up an independent organisational unit for the compliance function.
Independent compliance unit
The proportionality criteria follow those set out in Title I of EBA/GL/2017/11. Other compliance-related control units (eg Securities Trading Act compliance, anti-money laundering officer, information security officer, data protection) may also be assigned to the independent unit for the compliance function.
5 The institution shall appoint a compliance officer who is responsible for carrying out the compliance function tasks. Depending on the nature, scale, complexity and riskiness of the business activities as well as on the institution’s size, the compliance officer may in exceptional cases be a member of the management board.
6 Compliance function staff shall be granted sufficient powers and unrestricted access to all information needed to perform their tasks. They shall be notified of instructions and decisions of the management board that are material to the compliance function.
The compliance function staff shall be notified in due time of material amendments of the rules that are intended to ensure compliance with the material legal rules and regulations.
7 The compliance function shall report to the management board on its activities at least once a year and on an ad hoc basis. Such reports shall address the appropriateness and effectiveness of the rules that are intended to ensure compliance with the material legal rules and regulations. The reports shall also cover information on potential deficits and on remedial measures. These reports shall be additionally passed on to the supervisory board and the internal audit function.
Supervisory board committees
Reports should generally be addressed to each member of the supervisory board. If the supervisory board has set up committees, the information may also be passed on solely to a committee. The preconditions for this are that a corresponding resolution was adopted to set up the committee and that the chair of the committee reports regularly to the entire supervisory board. Moreover, every member of the supervisory board must retain the right to inspect the reports that have been passed on to the committee.
8 The supervisory board shall be notified beforehand in due time if the compliance officer is replaced, stating the reasons for the replacement.