Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

In general, German law is not prescriptive with regard to the nature and content of compliance programmes; however, the KWG and the WpHG require regulated entities to implement appropriate measures to ensure sufficient compliance standards and to generally have a specified compliance function. This is also required for securities trading firms under article 22(2) of the Delegated Regulation (EU) 2017/565, which is directly applicable in Germany.

As regards the compliance function of German regulated institutions, the MaRisk requires any institution to ensure that it adheres to statutory, regulatory and other legal requirements. According to BaFin, this does not mean, however, that all legal areas must be scrutinised to the same extent by separate organisational functions or units; instead, it is customary to only assign certain legal areas, namely those that relate to special compliance-related risks, to a compliance function. From BaFin’s point of view, these necessarily include investment services, money laundering, prevention of (internal and external) fraudulent conduct, data protection and general consumer protection. Moreover, institutions are responsible, in accordance with MaRisk, for examining which areas present additional special compliance risks that are to be handled by the compliance function.

In addition, the MaComp contains more specific requirements for the compliance function of investment services undertakings, in particular on their structural and operational arrangements. MaComp also specifies the tasks of the compliance function and sets out monitoring and organisational requirements as well as reporting obligations and individual requirements (in particular as regards the trustworthiness and competences of the compliance function).

How important are gatekeepers in the regulatory structure?

See question 13.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Managing directors of a German regulated institution are jointly responsible for the proper business organisation and its further development, irrespective of the internal allocation of responsibilities. This particularly covers all material elements of risk management. Beyond this overall responsibility, each managing director is responsible for establishing appropriate control and monitoring processes in his or her respective area of competence. According to BaFin, managing directors can fulfil this responsibility only if they are able to assess risks and take the necessary measures to limit them.

In particular, the managing directors have the duty to:

  • establish a business strategy;
  • gain an overview of the risks faced by the institution in the context of a risk inventory (overall risk profile), regularly and on an ad hoc basis;
  • implement a risk strategy;
  • set up a strategy process that includes, in particular, the steps for planning, implementing, assessing and adjusting the strategies;
  • approve audit planning as well as any material modifications thereto; and
  • provide the supervisory board at least once a year with concise information on the serious findings identified by the internal audit function.

When are directors typically held individually accountable for the activities of financial services firms?

Senior managers can be individually subject to criminal or administrative sanctions for various reasons. The senior management of an institution can be held liable for criminal or administrative offences if the relevant manager personally commits a crime or offence and the manager is the factual leader of the offence or crime.

A manager can be considered a factual leader, for example, if the offence or crime:

  • is ordered by the manager;
  • is the direct consequence of a policy of the manager; or
  • is committed and the manager, although he or she knows or should know about the breach of law, does not prevent the crime or offence from happening, although he or she had the power to do so.

In addition, as described under question 15, senior managers are ultimately responsible for the proper business organisation of the regulated entity as such. Therefore, they might face administrative sanctions for breaches of personal legal obligations.

If senior managers are liable to prosecution, they might also face civil claims for compensation of damages brought by their company.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Generally, the violation of national financial services authority rules and regulations does not result in private rights of action, as these provisions only serve public purposes and thus an individual cannot assert a claim because of a violation of such provisions. In exceptional cases, where a regulatory law provision also serves to protect individual rights, an individual may assert a claim against the regulated institution.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

As regards the required standard of care to be observed when providing financial services to German clients, German law generally does not differentiate between wholesale and retail clients.

Does the standard of care differ based on the sophistication of the customer or counterparty?

Generally, regulated entities must apply due care when interacting with any counterparty. However, the applicable rules of the WpHG, which implement the MiFID II requirements on the provision of financial services, provide for different treatment of professional clients, eligible counterparties and retail clients. Hence, it is of utmost importance that financial services providers classify their clients correctly.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

Laws affecting the financial services industry are usually subject to a consultation process. In the course of that process, the first draft of the respective act is usually published by the German government, consulted on and amended before it is finally adopted by the German parliament. Some laws are also adopted directly by the German government, but these laws are usually subject to a consultation process as well.

The same generally holds true for regulatory decrees published by BaFin. Before adopting a new circular (such as, for example, MaRisk or MaComp), BaFin typically initiates a consultation process and publishes a draft circular for consultation, which then results in new final guidance. During the consultation process, industry groups as well as other market participants may comment on the envisaged rules and bring forward any concerns or suggestions they may have. Such consultation plays an important role in the rulemaking of the German regulators, and it is not uncommon for provisions to be materially changed as a result of the feedback received.