WpHG-Compliance Function

Circular 05/2018 (WA) – Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency – MaComp

BT 1 Organisational requirements and tasks of the compliance function under section 80 (1) of the WpHG and Article 22 of the DR

This module explains the requirements relating to the organisation and activities of the compliance function under section 80 (1) of the WpHG and Articles 22 and 26(7) of the DR. In accordance with Article 22(1) of the DR, investment services enterprises shall apply the principle of proportionality when implementing these requirements.

BT 1.1 Status of the compliance function

1. The management board of an investment services enterprise shall establish and provide the resources for a permanent and effective compliance function that can perform its duties independently. The management board shall bear overall responsibility for the compliance function and shall monitor its effectiveness.

2. The compliance function is a management tool. It may also report to a member of the management board. Irrespective of this, the enterprise shall ensure that the chair of the supervisory body can obtain information directly from the compliance officer in consultation with the management board¹.

3. The investment services enterprise shall appoint a compliance officer who is responsible for the compliance function and the reports provided to the management board and the supervisory body, without prejudice to the management board’s overall responsibility. The compliance officer is appointed and removed by the management board.

4. The significance of the compliance function is expected to be reflected by its position within the enterprise’s organisational structure.

5. The investment services enterprise shall encourage and reinforce an enterprise-wide compliance culture to create the conditions for promoting investor protection by the employees and appropriate awareness of compliance issues.

BT 1.2 Tasks of the compliance function

BT 1.2.1 Monitoring tasks of the compliance function

1. The compliance function monitors and assesses the policies and procedures established by the enterprise as well as the measures taken to remedy deficiencies, including the operations of the complaints-handling process.

2. The compliance function shall perform regular risk-based monitoring activities to ensure that the established policies and procedures, and hence the investment services enterprise’s organisational and working instructions, are being complied with, and that the employees of the business units that provide investment services have the necessary awareness of compliance risk.

3. The compliance function shall ensure that conflicts of interest are prevented or that unavoidable conflicts of interest are adequately taken into account. This applies in particular to the protection of client interests. The goal of the compliance function is also to ensure that organisational measures are taken within the enterprise to prevent the prohibited disclosure of compliance-relevant information within the meaning of AT 6.1 of this Circular.

¹ Alternatively, if the investment services enterprise has established an audit committee, the enterprise may ensure that the chair of the audit committee can obtain the information.

BT 1.2.1.1 Risk analysis

1. The scope and focus of the compliance function’s activities shall be defined on the basis of a risk analysis. The compliance function shall perform such a risk analysis at regular intervals in order to assess the relevance and appropriateness of the definition. In addition to the regular review of identified risks, an ad hoc assessment shall be made if necessary in order to include emerging risks in the analysis. Examples of emerging risks include risks from the development of new business areas and risks attributable to changes in the structure of the investment services enterprise.

2. As part of its regular risk analysis, the compliance function shall determine the risk profile of the investment services enterprise in relation to compliance risk. The risk profile shall be based on the nature, scale and complexity of the investment services and ancillary investment services offered, as well as the types of financial instruments traded and distributed, taking into account the information resulting from the monitoring of complaints-handling. This shall take into account the obligations under the WpHG to be complied with by the investment services enterprise and its employees, the existing organisation and working instructions and workflows, as well as all monitoring and control systems in the area of investment services. In addition, the results of previous monitoring activities by the compliance function and internal audit, the findings of audits by external auditors and all other relevant sources of information, such as aggregated risk measurements, shall be included. Priorities shall be established in order to ensure the comprehensive monitoring of compliance risk.

BT 1.2.1.2 Monitoring activities

1. The compliance function shall assess whether the control activities stipulated in the organisational and working instructions are performed regularly and properly by the specialist departments.

2. In addition, the compliance function shall conduct its own on-site inspections or other own reviews. The compliance officer shall use risk-based criteria to determine which on-site inspections his or her organisational unit will perform itself (core compliance area)². This shall be justified in an auditable form. The number of random samples shall be recorded.

3. The monitoring activities to be performed may not be based exclusively on audit findings of the internal audit function.

4. Appropriate sources, methodologies and tools shall be used for the necessary monitoring activities. For example,

• there should be an assessment of reports warranting the attention of the management board to material deviations between expected and actual processes (exceptions report) or to situations requiring action (issues log);

• workflows should be observed, files reviewed and/or interviews held with responsible staff;

• trading surveillance is recommended.

² Note, for example, that churning control is typically performed directly by compliance staff.

5. The compliance function monitors the operations of the complaints-handling process and includes complaints as a source of information in the context of its general monitoring responsibilities. The investment services enterprise shall grant the compliance function unrestricted access to all complaints. However, the compliance function may not be involved in the operational handling of complaints.

6. The monitoring activities performed shall take into account the controls conducted by the business units, the supervisory requirements to be complied with by the investment services enterprise and the review procedures of the risk management function, internal audit, financial control or other control functions in the area of investment services.

7. It is recommended that other control functions should coordinate their review procedures with the monitoring activities performed by the compliance function, while taking into account the different functions’ mandate and independence. In contrast to the audits and reviews by the internal audit function, the compliance function monitors the policies and procedures established for investment services and ancillary investment services on a continuous basis, if possible in parallel with the processes, or at least in a timely manner.

8. If deficiencies in the policies and measures are identified, the compliance function shall determine the measures necessary to remedy the deficiencies in existing organisational measures and shall inform the management board about this, and shall monitor and regularly assess the implementation of measures. In turn, corresponding monitoring activities are also necessary to review this.

BT 1.2.2 Reporting obligations of the compliance function

1. The investment services enterprise shall ensure that the regular written compliance reports are sent to the management board. The reports shall contain a description of the implementation and effectiveness of the overall control environment relating to investment services, as well as a summary of risks that have been identified and the measures undertaken or to be undertaken to remedy or rectify deficits or deficiencies, and to reduce risk. The reports shall be prepared at appropriate intervals, and at least once a year.

2. In addition to disclosures in the regular reports, the compliance officer shall report significant findings, such as serious breaches of the provisions of the WpHG, promptly to the management board by means of an ad hoc report. The report shall contain a proposal for the remedial steps to be taken.

3. The reports shall also be sent to the supervisory body, if any. However, the management board is generally responsible for forwarding the report to the supervisory body. There is no obligation to submit compliance reports directly to the supervisory body without informing the management board in advance.

4. Amendments to the content of the report that have been made by the management board shall be documented separately. The chair of the supervisory body shall be informed of such amendments.

5. The compliance reports shall cover all business units involved in the provision of investment services and ancillary investment services and information about complaints-handling. If a report does not contain all of this information, this shall be justified in detail.

6. As a minimum, the compliance reports shall contain the following information, where relevant:

• a summary of the major findings of the review of the policies and procedures of the investment services enterprise;

• a summary of the reviews and inspections conducted by the compliance function (in particular on-site inspections and desk-based reviews), including information about breaches and deficiencies identified in the organisation and compliance processes, as well as the appropriate measures taken as a result;

• a description of the risks identified in the area monitored by the compliance function;

• if the management board has not been previously made aware through other channels: a description of the relevant changes and developments in regulatory requirements over the period covered by the report and the measures taken or to be taken to ensure compliance with the changed requirements;

• significant compliance issues that have occurred in the period covered by the report or other necessary measures and strategies resulting from knowledge gained in the reporting period;

• if the management board has not been previously made aware through other channels: information about material correspondence with the competent authorities;

• information about the appropriateness of the human and other resources allocated to the compliance function;

• information about the review of the implementation of and compliance with requirements governing the expertise and reliability of employees;

• information about the financial instruments manufactured and recommended by the investment services enterprise, in particular about the distribution strategy.

7. At the time of preparation of each compliance report, the compliance function shall examine whether it is also necessary to report to the superordinate compliance function within the group of companies.

BT 1.2.3 Advisory tasks of the compliance function

1. The investment services enterprise shall ensure that the compliance function discharges its advisory responsibilities. These include providing support for staff training, providing day-to-day assistance for staff and participating in the establishment of new policies and procedures within the investment services enterprise.

2. The investment services enterprise shall ensure that its employees are adequately trained. The compliance function shall support the operating units (i.e. all employees involved directly or indirectly in the provision of investment services) in performing any training or shall provide that training itself. The compliance function shall focus in particular on the following areas:

• the internal policies and procedures of the investment services enterprise and its organisational structure in the area of investment services;

• changes in the WpHG, the DR, the WpDVerOV and the WpHGMaAnzV, relevant publications by ESMA (especially guidelines), publications by BaFin and other relevant supervisory requirements, as well as any changes to these.

3. Training should be performed at regular intervals and on an as-needed basis where necessary. Depending on requirements, training should be delivered to all staff, individual business units or individual employees.

4. The content of the training shall be updated promptly to reflect relevant changes, such as legislative changes, new publications by ESMA (especially guidelines), publications by BaFin and changes in the investment services enterprise’s organisation and its organisational and working instructions.

5. The compliance staff shall advise and support the enterprise’s business areas and employees with regard to compliance with statutory requirements and the organisational and working instructions. They shall be available in particular to answer questions arising out of daily business activity.

BT 1.2.4 Involvement of the compliance function in processes

1. The investment services enterprise shall ensure that the compliance function is involved in the development of the relevant policies and procedures in the area of investment services and ancillary investment services, in particular in the development of internal organisational and working instructions and their continuous updating, to the extent that they are relevant for compliance.

2. Without prejudice to the operating areas’ responsibility, the compliance function shall be involved in this as early as possible, to ensure that the organisational and working instructions are appropriate for preventing violations of the statutory provisions.

3. The compliance function shall be integrated so that it is able to advise the operating areas in particular with regard to all strategic decisions, material organisational changes – for example as part of the decision-making process for developing new business lines, services, markets and trading venues, or developing new financial products and launching new advertising strategies in the area of investment services – and to contribute its expertise. The compliance function shall have the right to participate at an early stage in the product approval processes for financial instruments to be taken up in the distribution process – for example through a right of intervention. This shall not entail the transfer of responsibility from the operating areas to the compliance function.

4. In other respects, the management board shall encourage the business units to involve the compliance function in their activities. If material recommendations provided by the compliance function are not followed, the compliance function shall document this accordingly and present it in its compliance reports.

5. The investment services enterprise shall ensure that the compliance function is involved in all material, non-routine correspondence with the competent authorities in the area of investment services and ancillary investment services, and with the trading surveillance units at stock exchanges.

6. The compliance function shall also be involved in the following tasks in particular:

• defining the criteria for determining whether staff positions are compliance-relevant;

• determining the principles governing sales targets when designing the remuneration system for relevant persons within the meaning of BT 8; if the investment services enterprise is a subsidiary of an enterprise whose registered office is outside Germany and receives requirements from the parent company relating to these issues, the compliance function shall examine whether the parent company’s requirements are consistent with German supervisory requirements;

• establishing Chinese walls;

• designing processes to monitor personal transactions in the enterprise;

• determining best execution policies and, if appropriate, policies for transmitting orders executed by a third party;

• designing the product governance process.

BT 1.3 Organisational requirements relating to the compliance function

BT 1.3.1 Effectiveness

Investment services enterprises shall consider which measures, in particular with regard to the organisation and resources of the compliance function, are best suited to ensuring its effectiveness, taking into account the individual circumstances of the enterprise. The following criteria in particular shall be factored into this analysis:

• the type of investment services, ancillary investment services and other activities offered (including those that are entirely unrelated to investment services and ancillary investment services);

• the interaction between investment services, ancillary investment services and the other business activities;

• the scope and volume of the investment services and ancillary investment services carried out (absolute and relative to the other business activities), the total assets and the income of the investment services enterprise from commissions, fees and other sources of income in connection with the investment services and ancillary investment services offering;

• the type of financial instruments offered;

• the type of clients targeted by the investment services enterprise (professional, retail, eligible counterparties);

• the number of employees;

• whether the investment services enterprise is part of a group of companies within the meaning of Article 2(11) of Directive (EU) No. 2013/34;

• services provided through a commercial network, such as tied agents or branches;

• cross-border activities provided by the investment services enterprise;

• organisation and sophistication of the IT systems.

BT 1.3.1.1 Resources and budget

1. The compliance function shall have the appropriate resources to fulfil its tasks. When allocating human, material and other resources to the compliance function, the investment services enterprise shall take into account the business model, the scope and type of investment services, ancillary investment services and other services provided, and the resulting tasks of the compliance function. In particular, the investment services enterprise shall ensure that sufficient IT resources are allocated to the compliance function.

2. Where the investment services enterprise establishes budgets for specific activities or units, the compliance function shall generally be allocated a budget that is consistent with the level of compliance risk to which the enterprise is exposed. The compliance officer shall be consulted when the budget is being determined. An integrated budget may be determined for investment services enterprises that are part of a group.

Significant cuts in the budget shall be justified in writing. The supervisory body shall be informed of all significant cuts.

3. If the activities of business units are significantly expanded, the resources and activities of the compliance function shall be adapted to reflect the changed compliance risk. The management board shall regularly review whether the number of staff in the compliance function is still sufficient to perform its tasks.

BT 1.3.1.2 Authority of the compliance staff

1. The staff of the compliance function shall have the authority required to perform their tasks. They shall be granted access to all relevant information for their work and they shall be involved in all relevant information flows that may be significant for the compliance function’s tasks. They shall be granted unrestricted rights to information and rights of inspection and access with regard to all premises and documents, records, tape recordings, databases and IT systems, and other information that is required to investigate relevant issues. Employees may not refuse to hand over documents or provide compliance-relevant information. It must be possible to exercise the rights to information and of inspection and access on the compliance staff’s own initiative.

2. To ensure that the compliance officer has a permanent overview of the areas of the investment services enterprise where confidential information or information that is necessary for the compliance function to perform its tasks may arise, the compliance officer shall additionally have access to internal and external audit reports or other reports to the management board or supervisory body (if any) to the extent relevant for the compliance officer’s tasks. To the extent necessary for the performance of the compliance function’s tasks and permitted by law, the compliance officer should also be granted the right to attend meetings of the management board or the supervisory body (if any). Where this right is not granted, this should be documented and explained in writing. In order to be able to identify which meetings the compliance officer should attend, the compliance officer shall have in-depth knowledge of the investment services enterprise’s organisation, corporate culture and decision-making processes.

3. In order to ensure that the compliance staff have the authority required to perform their tasks, the management board shall support them in the exercise of their duties. The ability to exercise their authority requires the compliance staff to possess the necessary expertise and the relevant skills.

BT 1.3.1.3 Expertise of the compliance staff

1. The persons entrusted with the compliance function shall have the necessary specialist knowledge for the tasks assigned to them. This requires – at the latest after an induction period – knowledge in the following areas, to the extent that it is relevant for them to perform their tasks:

• knowledge of the statutory requirements to be complied with by the investment services enterprise in the provision of investment services and ancillary investment services, including directly applicable European legislation; knowledge of the European legislative basis of the requirements to be complied with is recommended;

• knowledge of the administrative provisions and publications issued by BaFin to expand on the requirements of the WpHG, as well as knowledge of the relevant ESMA guidelines and standards;

• knowledge about the key elements of BaFin’s organisation and responsibilities;

• knowledge of the requirements for and the structure of appropriate processes used by investment services enterprises to identify violations of regulatory provisions;

• knowledge of the compliance function’s tasks and responsibilities;

• knowledge of alternative structures for sales targets and the organisational and operational structure of the investment services enterprise and of investment services enterprises in general;

• knowledge of the functioning and risks of the types of financial instrument in which the investment services enterprise provides investment services or ancillary investment services;

• to the extent that the investment services enterprise provides investment services with an international element: knowledge of the specific legal requirements to be complied with in this case;

• to the extent that there are algorithmic trading systems and trading algorithms in the investment services enterprise: an understanding of at least the fundamentals of algorithmic trading systems and trading algorithms.

2. Compliance staff shall be regularly trained in order to maintain their specialist knowledge.

BT 1.3.2 Permanence

1. The compliance function shall be established permanently.

2. The compliance officer shall be assigned a deputy who shall be sufficiently qualified to perform the compliance officer’s duties during any absence of the compliance officer. In other respects, the organisational and working instructions shall ensure the adequate performance of duties during the absence of the compliance officer by means of corresponding stand-in arrangements.

3. The tasks and competences of the compliance function shall be laid down in the organisational and working instructions of the investment services enterprise. The competences comprise responsibilities and powers. They also include information on the monitoring programme and the reporting duties of the compliance function as well as a description of the risk-based monitoring approach, in particular of risk analysis. Relevant amendments to regulatory requirements shall be reflected promptly.

BT 1.3.2.1 Monitoring programme

1. Monitoring activities shall not only be performed as needed, but also regularly and on the basis of a monitoring programme (recurring or continuous). The monitoring programme shall regularly cover all key areas of investment services and ancillary investment services, taking into account the risks associated with the business units, as well as the area of complaints-handling. The compliance function shall respond promptly to unforeseen events, adapting the focus of its monitoring activities accordingly if necessary.

2. The monitoring programme shall provide for a review of whether the activities of the investment services enterprise comply with the requirements of the WpHG. It must also be geared to the review of whether the organisation, the established policies and procedures, and the control mechanisms of the investment services enterprise are still effective and appropriate.

3. The monitoring programme shall be designed to ensure that compliance risks are comprehensively monitored. It describes the priorities for the monitoring activities on the basis of the risk analysis.

4. The scope, scale and frequency of the monitoring activities established in the monitoring programme, as well as the choice of the appropriate tools and methodologies, are determined by the compliance function based on the risk analysis. The compliance function ensures that its monitoring activities are not only desk- or IT-based, but also use on-site inspections or other own reviews.

5. The monitoring programme shall be adapted continuously to reflect changes to the investment services enterprise’s risk profile (for example due to significant events such as corporate acquisitions, IT system changes, or reorganisations). The monitoring programme shall also extend to the implementation and effectiveness of remedial measures taken by the investment services enterprise in response to breaches of the WpHG.

BT 1.3.2.2 The compliance function in a group of companies

Even if an investment services enterprise is affiliated with other enterprises, responsibility for the compliance function remains with the investment services enterprise itself. The investment services enterprise therefore ensures that its compliance function remains responsible for monitoring its own compliance risk. This also applies if an investment services enterprise has outsourced the compliance function to affiliated enterprises. When performing its tasks, however, the compliance function should take into account any affiliation of the investment services enterprise to a group of entities, for example by working closely with the staff responsible for internal audit, regulatory affairs and compliance, and the legal department, in other parts of the group. Attention is drawn in this context to the fact that the shared use of an office building by the affiliated enterprises may lead to a better supply of information to the compliance officer and improved efficiency in the compliance function.

BT 1.3.3 Independence

1. The compliance function performs its tasks independently of the other business units of the investment services enterprise and performs its monitoring tasks independently of the management board. The investment services enterprise shall ensure that other business units cannot issue instructions to compliance staff and cannot otherwise influence their activities.

2. Significant assessments and recommendations by the compliance officer that are overruled by the management board shall be documented and included in the report defined in Article 22(2)(c) of the DR. A recommendation by the compliance officer not to permit a particular financial instrument to be included in distribution activities is an example of a significant recommendation.

3. If an investment services enterprise wishes to depart from the requirements of Article 22(3)(d) and (e) of the DR as described in the following on the basis of the principle of proportionality, it shall assess, in particular taking into account the criteria set out in paragraph 1.3.1, whether this compromises the effectiveness of the compliance function. The assessment shall be repeated at regular intervals.

BT 1.3.3.1 Involvement of compliance staff in processes to be monitored

1. To enable compliance duties to be performed effectively, compliance staff, including the compliance officer, may not be involved in the investment services that they monitor.

2. Exemptions are only permitted if it would be unreasonable to entrust the compliance function to a separate person who is not involved in the investment services due to the size of the enterprise or the nature, scale, complexity or risks of the enterprise’s business activities, or the nature and scope of the services offered. Conflicts of interest within the enterprise, the classification of the enterprise’s clients in accordance with section 67 of the WpHG and the financial instruments distributed or traded must be taken into account here in particular.

3. An investment services enterprise can make use of this exemption, for example, if the performance of the compliance function – including in combination with financial control functions – does not require a full-time position due to the nature, scale and complexity of the enterprise’s business activities or the nature and scope of the investment services or ancillary investment services.

4. In this case, the position of compliance officer can be held by a member of the management board, for example, even if that person is involved in the enterprise’s operations. However, the enterprise must still appoint a compliance officer if it makes use of the exemption. If a member of the management board is not involved in the enterprise’s operations, he or she can act as compliance officer without the exemption criteria being met within the meaning of this paragraph.

5. For example, appointing a dedicated compliance officer may be unreasonable for smaller enterprises that only employ auxiliary administrative staff in addition to member(s) of the management board. However, if an enterprise employs at least two people, they are required to monitor each other to comply with the principle of effective monitoring activities defined in AT 6 of this Circular. In the case of sole proprietorships, control activities may be conducted as part of the annual audit in accordance with section 89 (1) of the WpHG after consultation with BaFin. All monitoring activities and their results shall be documented even if the enterprise does not establish an independent organisational unit.

6. Instead of exercising the exemption, outsourcing the compliance function to a third party may also be an appropriate solution in individual cases, provided that the criteria for outsourcing under sections 25a (2) of the KWG and 80 (6) of the WpHG are observed.

7. The involvement of compliance staff in investment services that they monitor is generally prohibited to the extent that employees of the enterprise regularly have access to compliance-relevant information within the meaning of AT 6.1 of this Circular. Enterprises are individually responsible for determining whether the criteria in sentence 1 have been met and shall document this in an auditable form.

8. Exceptionally, after considering the conflicts of interest existing due to the compliance-relevant information within the meaning of AT 6.1 of this Circular, compliance staff may be involved in investment services they monitor even if employees regularly have access to compliance-relevant information within the meaning of AT 6.1 of this Circular if such a separation would be unreasonable due to the size of the enterprise or the nature, scale, complexity or risks of the enterprise’s business activities, or the nature and scope of the services offered.

9. To the extent that the enterprise makes use of an exemption on the basis of the principle of proportionality, it shall justify why the criteria for making use of the exemption have been met. Information on the additional activities that are performed by compliance staff and an assessment whether the effectiveness of the compliance function has been compromised shall be documented in an auditable form. In all cases, conflicts of interest arising from the different tasks performed by compliance staff shall be kept to an absolute minimum. The assessment of whether the compliance function has been compromised shall be performed regularly.

BT 1.3.3.2 Combining the compliance function with other control functions

1. The compliance function may be combined with other control units at the same level (also termed “compliance in the broader sense”), such as money laundering prevention or risk control, if this does not compromise the effectiveness and independence of the compliance function. Any such combination shall be documented in an auditable form, giving the reasons for the combination.

2. However, combination with the internal audit function is generally not permitted because the internal audit function is charged with the oversight of the compliance function and combining the two functions is likely to undermine the independence of the compliance function.

3. In certain circumstances, however, it may be appropriate to designate one person for both functions in consultation with BaFin. If the investment services enterprise makes use of this exemption, it shall ensure that both functions are performed properly, in particular soundly, honestly and professionally.

BT 1.3.3.3 Combining the compliance function with the legal department

1. Investment services enterprises may combine the compliance function with the legal department if they could make use of the exemption under Article 22(3)(d) and (e) due to the size of the enterprise or the nature, scale, complexity or risks of the enterprise’s business activities, or the nature and scope of the services offered.

2. However, such a combination is not generally permitted for larger investment services enterprises or those with more complex activities if this will undermine the independence of the compliance function. This is regularly the case if an investment services enterprise performs a not insubstantial volume of investment services in the form of proprietary trading as defined in section 2 (8) no. 2c) of the WpHG, underwriting business as defined in section 2 (8) no. 5 or ancillary investment services as defined in section 2 (9a) no. 3, no. 5 or no. 6 of the WpHG.

3. If the compliance function is combined with the legal department, this must be documented in an auditable form, explaining the reasons.

BT 1.3.3.4 Other measures for ensuring the independence of the compliance function

1. As a rule, it is generally necessary to establish the compliance function as an independent organisational unit if employees of the enterprise regularly have access to compliance-relevant information within the meaning of AT 6.1 of this Circular. Enterprises are individually responsible for determining whether the criteria in sentence 1 have been met and shall document this in an auditable form.

2. Exceptionally, after considering the conflicts of interest existing due to the compliance-relevant information within the meaning of AT 6.1 of this Circular, an enterprise shall not be required to establish an independent organisational unit even if its employees regularly have access to compliance-relevant information within the meaning of AT 6.1 of this Circular if it would be unreasonable to establish an independent organisational unit due to the size of the enterprise or the nature, scale, complexity or risks of the enterprise’s business activities, or the nature and scope of the services offered.

3. As a minimum, if an investment services enterprise performs a not insubstantial volume of investment services in the form of proprietary trading as defined in section 2 (8) no. 2c) of the WpHG, underwriting business as defined in section 2 (8) no. 5, or ancillary investment services as defined in section 2 (9) no. 3, no. 5 or no. 6 of the WpHG, the compliance officer shall report directly to the member of the management board responsible for the compliance function with regard to organisational and disciplinary matters.

4. To ensure independence, it is recommended that the compliance officer be appointed for at least 24 months. Additionally, an appropriate measure for strengthening the compliance officer’s position is to agree a 12-month notice period for the employer.

5. It is recommended that the position, powers and remuneration of the compliance officer be aligned to the position, powers and remuneration of the managers of internal audit, risk control and the legal department of the investment services enterprise. The differences relating to personnel and other responsibilities of the relevant position may be taken into account when determining the remuneration.

6. The remuneration of compliance staff (who are normally “relevant persons” within the meaning of BT 8) may not depend on the activities of the employees they monitor. However, performance-related remuneration may be permitted in individual cases if it does not give rise to conflicts of interest. In the case of performance-related remuneration that exceeds this in accordance with the exemption under Article 22(4) in conjunction with (3)(e) of the DR, for example where the remuneration of the compliance officer who has sole responsibility for monitoring all business areas is based on the enterprise’s performance, effective precautions are required to counter the resulting conflicts of interest. This shall be documented in an auditable form.

7. In other respects, the requirements of the Regulation on the Supervisory Requirements for Institutions’ Remuneration Systems (Verordnung über die aufsichtsrechtlichen Anforderungen an Vergütungssysteme von Instituten (Instituts-Vergütungsverordnung) – InstitutsVergV) shall apply.

BT 1.3.4 Outsourcing of the compliance function or of individual compliance activities

1. In the event of the partial or full outsourcing of the compliance function, all relevant supervisory requirements shall be complied with, regardless of whether it has been outsourced partially or fully. Civil law arrangements or agreements do not change or modify the relevant supervisory requirements; in particular they may not exclude the existence of outsourcing subject to supervisory law. The management board is responsible for compliance with the requirements, in particular for the specific, clear and transparent establishment of the fully or partially outsourced compliance function.

a. The management board of an investment services enterprise can either appoint one of its own employees or an employee of an external service provider or an independent/self-employed person as the compliance officer.

– The responsibility of the compliance officer for performing the entire compliance function of the investment services enterprise in accordance with the WpHG may not be assigned to more than one person, including in the event of outsourcing.

– The compliance officer can require both the outsourcing investment services enterprise and the external service provider to provide him or her with the human, material and other resources that could reasonably be considered to be necessary for proper performance of his or her function and the discharge of his or her responsibilities.

– The compliance officer performs his or her activity independently, including if the compliance function is outsourced; in his or her function as compliance officer, he or she is also not subject to the instructions of the external service provider. The same shall apply to compliance staff of the investment services enterprise and/or the external service provider who report to him or her.

b. An investment services enterprise may combine its own staff, staff of the external service provider, staff of third-party enterprises and/or independent/self-employed specialists to form a specific, uniform compliance organisation under the responsibility and leadership of the compliance officer.

– The question of whether and in what form the outsourced activities of the compliance function are to interact organisationally under the responsibility and leadership of the compliance officer shall be addressed clearly and transparently with the compliance officer and the external service provider before outsourcing begins, especially in an institution-specific policy or a service level agreement.

– Even if individual compliance activities are performed by an external service provider, the service provider’s employees performing those activities are directly subject to the functional instructions of the compliance officer appointed by the management board of the investment services enterprise.

– The fragmentation of the compliance function through outsourcing and/or sub-outsourcing to more than one external service provider and/or through other supplementary external procurement should only be permitted if this is necessary for functional and/or technical reasons. This shall not affect the requirements of BT 1.3.2.2.

2. The requirements of sections 25b of the KWG, 80 (6) of the WpHG, Articles 30 and 31 of the DR, and of this Circular shall apply to and in the case of the partial or full outsourcing of the compliance function. Organisational, functional and operational areas outsourced by the investment services enterprise are subject to the same supervisory requirements at the external service provider as at the outsourcing investment services enterprise itself.

3. Before an investment services enterprise chooses a service provider for outsourcing, it shall assess with the necessary due diligence whether the relevant requirements of sections 25b of the KWG, 80 (1) and (6), and Articles 30 and 31 of the DR are also met in the case of outsourcing. The scope of the assessment shall be guided by the nature, scale, complexity and risk of the tasks and processes to be outsourced. The investment services enterprise is responsible for ensuring that the service provider has the necessary organisation and specialist expertise, and the human, material and other resources required in the specific circumstances, and that the employees of the service provider have the necessary expertise and access to all information necessary for the effective, and in particular the preventive, performance of the outsourced compliance functions, including IT systems and IT access.

4. If the compliance function is outsourced partially or fully, the investment services enterprise shall ensure its permanence in particular. Compliance with the requirements of this Circular governing the rights and obligations and the legal position of the compliance officer and his or her compliance staff shall also be ensured in the external service provider. The selected service provider shall be in a position to ensure the adequate exercise of the compliance activities of the compliance officer and the compliance staff continuously and not merely as needed, and in the necessary quality, including on-site at the investment services enterprise and its relevant branches.

5. Investment services enterprises shall effectively supervise the adequate performance of tasks by the service provider, in particular the quality and quantity of its services, based on appropriate material criteria to be defined on a case-by-case basis. The management board is responsible for continuously supervising and monitoring the outsourced compliance function and/or compliance activities and it shall have the necessary resources and expertise to be able to do this. The management board may appoint a specific person employed by the enterprise to supervise and monitor the outsourced function on its behalf.