After completing the consultation procedure, BaFin has revised its MaComp circular. This revision deals with the requirements for outsourcing the Compliance function to a third party.
The MaComp (Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organization and Transparency pursuant to Sections 31 et seq. of the Securities Trading Act (Wertpapierhandelsgesetz – “WpHG”) for Investment Services Enterprises) comprise all publications concerning the conduct of business rules set out in sections 31 et seq. of the WpHG.
The recent amendments reflect the results of BaFin’s audit concerning supervisory requirements for investment services firms for the outsourcing of their Compliance function or single Compliance activities.
The essential aspects of the amendments are:
- Indivisibility of the Compliance Officer’s responsibility in case of outsourcing
- Guarantee of the Compliance function’s independence in case of outsourcing
- No outsourcing of the Compliance function merely for economic reasons
- No interference with the functioning of the Compliance function in case of outsourcing
- Obligation of the outsourced Compliance Officer to carry out the Compliance function only in relation to the management of the outsourcing company
- No fragmentation of the Compliance function due to partial outsourcing
According to the jurisprudence of the European Court of Justice, the definition of the term “outsourcing”, which appears in MiFID, implies a Union-specific interpretation and may not be prejudged or restricted by national civil law. Because of the harmonising effect of the EU directives, “outsourcing” has to be interpreted and applied autonomously. Consequently, every outsourcing arrangement (which is subject to unharmonised national civil law) has to follow the Union-specific definitions and intentions. Compliance with these requirements has to be ensured, supervised and documented by the management of the outsourcing company.
Appointment by the management:
Union law and its transposing national laws stipulate that the management has to appoint one single Compliance Officer who is responsible for the performance of the Compliance duties and for the respective reports. The selection and nomination of a person qualified for this position falls within the original (organisational) responsibility and duty of the outsourcing company’s management, which cannot be delegated. The same applies to the selection of a company to which the Compliance function is outsourced and which provides the necessary resources to the Compliance Officer.
Organisation and documentation:
In order to avoid conflicts of interest when the Compliance function is outsourced, the Compliance Officer shall not be employed at management level.
Even if certain Compliance activities are executed by the company to which the Compliance function has been outsourced, the employees executing these activities are directly subject to the professional directions of the Compliance Officer of the outsourcing company. Otherwise, the outsourcing could interfere with the legally required responsibility of the Compliance Officer for the execution of the Compliance function. The outsourcing company must supervise and monitor whether the company that it outsources to complies with its obligations under the “Service-level-agreement”. The structure and organisation of processes, including the functions of the external Compliance function, have to be adequately documented.
Outsourcing increases Compliance risks. This results from the larger number of persons involved and the greater complexity of supervision and control. However, this increased risk can be compensated by guaranteeing higher qualification and experience of the nominated (external) Compliance Officer and the respective employees. The outsourcing companies concerned should be aware of these effects and diligently examine whether partial outsourcing of the Compliance function is really necessary. The reasons for these decisions have to be documented.
By means of the revised Circular, BaFin gives clear instructions on how an outsourcing of the Compliance function should be organised. In doing so, BaFin intends to avoid (undesirable) developments motivated merely by economics.
You can read the (German) Circular here.