BaFin - Navigation & Service

Go to:

Erscheinung:28.10.2004, Stand:updated on 06.09.2019 | Topic Compliance Regulation on the Audit of Investment Services Enterprises in accordance with Section 89 of the Securities Trading Act

Content

Wertpapierdienstleistungs-Prüfungsverordnung - WpDPV

Please note:Ger­man ver­sion is bind­ing

This translation is furnished for information purposes only and may refer to an older version of the text. The original German text is binding in all respects.

By virtue of section 89 (6), sentence 1 of the Securities Trading Act (Wertpapierhandelsgesetz) as amended by Article 3 no. 90 (e) of the Act of 23 June 2017 (Federal Law Gazette I, p. 1693) in conjunction with section 1 no. 1 of the Regulation Transferring the Authority to Issue Regulations to the Federal Financial Supervisory Authority (Verordnung zur Übertragung von Befugnissen zum Erlass von Rechtsverordnungen auf die Bundesanstalt für Finanzdienstleistungsaufsicht) last amended by Article 21 no. 1 of the Act of 23 June 2017 (Federal Law Gazette I, p. 1693), the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht) issues the following Regulation:

Part 1
General provisions


Section 1
Scope

This Regulation applies to the audit of

  1. compliance with the obligations under section 89 of the Securities Trading Act,
  2. compliance with the obligations applicable mutatis mutandis under Section 90 (1) sentence 1 of the Securities Trading Act by branch offices within the meaning of section 53b of the Banking Act (Kreditwesengesetz - KWG) providing investment services, and
  3. safe custody business and limited custody business in accordance with section 89 (1) sentence 2 of the Securities Trading Act.

Section 2
Error, deficiency, other findings

(1) An error within the meaning of this Regulation is any deviation from the requirements laid down in section 89 (1) sentences 1 and 2 of the Securities Trading Act.

(2) Within the meaning of this Regulation, an error concerning the following obligations or actions is deemed a deficiency:

  1. the obligations to maintain systems and procedures as set out in Article 16 of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ L 173 of 12 June 2014, p. 1; L 287 of 21 October 2016, p. 320; L 306 of 15 November 2016, p. 43; L 348 of 21 December 2016, p. 83), last amended by Regulation (EU) 2016/1033 (OJ L 175 of 30 June 2016, p. 1), each as last amended,
  2. the obligations under section 63 (1) to (6) and (10) sentence 3, section 64 (3) sentence 2, (5), (6) sentence 2, (7) and (8), section 67, section 70 (1) sentence 2, in section 72 (1) to (3) and (6) to (8), section 74, section 75 (1) to (4) and (6), sections 77 and 78, section 80 (1) sentence 2 nos. 1 to 4, (2) to (4), (6) and (8) to (13), in section 81 and in sections 84 and 87 (1) to (5) of the Securities Trading Act,
  3. the prohibitions by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht) under section 92 (1) of the Securities Trading Act,
  4. the obligations under sections 10 to 12 of the Investment Services Rules of Conduct Regulation (Wertpapierdienstleistungs-Verhaltens- und Organisationsverordnung),
  5. the obligations under Articles 21, 22, 26, 27, 30 to 35, 37 to 43, 45 and 52 to 56 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive (OJ L 87 of 31 March 2017, p. 1), each as last amended, and
  6. the obligations under the first subparagraph of Article 4(1) and Article 5a(1) of Regulation (EC) No 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ L 302 of 17 November 2009, p. 1; L 350 of 29 December 2009, p. 59; L 145 of 31 May 2011, p. 57; L 267 of 6 September 2014, p. 30), last amended by Regulation 2014/51/EU (OJ L 153 of 22 May 2014, p. 1; L 108 of 28 April 2015, p. 8), each as last amended.

(3) With regard to the other obligations under section 89 (1) sentences 1 and 2 of the Securities Trading Act, a deficiency is deemed to exist if in a total of 5 percent or more of the transactions examined during a spot check conducted with regard to one of these obligations at least one error is identified. Where a spot check cannot be conducted with regard to the obligations referred to in sentence 1, a deficiency is deemed to exist if the auditor, with regard to one of the obligations, identifies errors in any other way that they, at their discretion, deem to be equivalent to the result of a spot check.
(4) Other findings within the meaning of this Regulation are deemed to exist if the auditor finds that the guidance on Union law requirements developed and published by the European Securities and Markets Authority has not been taken into account at all, or only incompletely.

Part 2
Audit

Section 3
Audit period, duration of audit, interruption of audit

(1) The audit period starts on the day the first on-site audit activities take place and ends on the day of the last on-site audit activities.
(2) The audit is to be concluded within an appropriate period of time.
(3) Any deviation from the audit schedule for more than two weeks is considered to be an interruption of the audit.
(4) If the auditor interrupts the audit, the Supervisory Authority must be notified of the interruption in writing without delay. The reasons and the expected duration of the interruption must be indicated in the notification.
(5) The interruption must be documented in the audit report. This also applies in cases where individual deviations from the audit schedule lasted less than two weeks but the audit was interrupted for more than four weeks in total.

Section 4
Cut-off date for the audit and reporting period

(1) The auditor is to exercise due discretion in determining the cut-off date for the audit.
(2) The reporting period for the first audit is the period between the date when the investment services enterprise commences operations and the cut-off date for the first audit.
(3) The reporting period to be covered by the first audit after a period for which the Supervisory Authority has waived the requirement for an annual audit under section 89 (1) sentence 3 of the Securities Trading Act is the period between the end of the exemption period and the cut-off date for the audit following the exemption period.
(4) The reporting period to be covered by all other audits is the period between the cut-off date for the previous audit and the cut-off date for the audit that follows.

Section 5
Start of the audit

(1) The audit must have been initiated at the latest 15 months after the start of the relevant reporting period. In individual cases and with good reason, the Supervisory Authority may set a different time period.
(2) The auditor determines the point in time for the start of the audit. Under section 89 (4) sentence 5 of the Securities Trading Act, the auditor must notify the Supervisory Authority of the start of the audit if the investment services enterprise to be audited has not notified the Supervisory Authority beforehand. Within four weeks of receiving the notification, the Supervisory Authority may, under section 89 (4) sentence 5 of the Securities Trading Act, determine a different point in time for the start of the audit from that determined by the auditor.
(3) The auditor must inform the Supervisory Authority if the investment services enterprise to be audited repeatedly requests postponement of the start of the audit.
(4) The auditor must inform the Supervisory Authority without delay if the investment services enterprise refuses to be audited or impedes the conduct of the audit.
(5) Notifications to the Supervisory Authority must be made in writing to the Supervisory Authority’s Frankfurt office.

Section 6
General requirements for the audit; determining points of focus

(1) The audit covers compliance with the requirements referred to in section 89 (1) sentences 1 and 2 of the Securities Trading Act in all parts of investment services and ancillary services. It must cover the entire reporting period and must be proportionate in relation to the scope of the transactions and tasks in question.
(2) The auditor is to exercise due discretion when auditing compliance with the requirements referred to in section 89 (1) sentences 1 and 2 of the Securities Trading Act. The assessments made in the audit report are to take into account the supervisory provisions for the individual areas. The assessments are to be justified in a comprehensible manner.
(3) Subject to the stipulations set forth by the Supervisory Authority in respect of the content of the audit under section 89 (4) sentences 1 and 2 of the Securities Trading Act, the auditor may, exercising due discretion, determine points of focus for the audit.
(4) In the parts of the investment services and ancillary services where the auditor does not determine a point of focus, the minimum requirement is that system checks are carried out, including tests of controls and, at the auditor’s due discretion, spot checks. If any errors are identified during a system check, the audit must be extended until the auditor is able to clarify whether these errors are deficiencies. If there are doubts about whether or not these errors are deficiencies, the Supervisory Authority is to be informed without delay.
(5) The possibility to determine points of focus also includes the possibility to choose specific parts in the context of a multi-year audit plan.

Section 7
Branches, branch offices, local offices and outsourcing

(1) Where investment services enterprises have branches, branch offices or local offices that execute material parts of investment services or ancillary services or produce analyses of financial instruments, these branches, branch offices or local offices are also to be audited. Local offices are all permanent establishments where investment services are provided.
(2) Exercising due discretion, the auditor decides the extent to which branches, branch offices or local offices must be audited on site.
(3) The auditor may choose not to audit individual branches, branch offices or local offices, especially if

  1. the parts of investment services or ancillary services provided by them are insignificant and
  2. the investment services enterprise proves that all branches, branch offices or local offices are subject to regular effective internal controls and that these controls have not revealed any significant shortcomings.

(4) The Supervisory Authority may, with or without a specific reason, request that branches, branch offices or local offices be included in the next audit.
(5) The Supervisory Authority is to be informed of an audit of a foreign branch or branch office not later than four weeks before the start of the audit.
(6) Subsections 1 – 4 apply mutatis mutandis with regard to activities and processes which are outsourced to other enterprises and which are material for the provision of investment services and ancillary services and in particular with regard to activities and processes outsourced to tied agents within the meaning of section 2 (10) of the Banking Act and those outsourced in connection with the compliance function under Article 22(2) of Commission Delegated Regulation (EU) 2017/567 of 18 May 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to definitions, transparency, portfolio compression and supervisory measures on product intervention and positions (OJ L 87 of 31 March 2017, p. 90), each as last amended.

Section 8
Audits in accordance with section 88 (1) of the Securities Trading Act

(1) If an audit in accordance with section 88 (1) of the Securities Trading Act was carried out during the reporting period, the auditor, exercising due discretion, must take the result of that audit into account in their own audit.
(2) With regard to matters covered in the audit under section 88 (1) of the Securities Trading Act, the reporting may be limited to changes that occurred after the cut-off date for the audit.

Section 9
Records and documents

(1) The auditor is obliged to record the audit on paper or by means of data media and to take with them documents necessary for drawing up the report. The information to be recorded includes in particular:

  1. the details of the audit schedule and the points of focus for the audit,
  2. the criteria for system checks, tests of controls and tests of details, as well as
  3. the manner in which spot checks are conducted, their exact scope and their findings.

(2) Business documents of the investment services enterprise being audited may only be taken by the auditor with the consent of the investment services enterprise. Upon the auditor’s request, copies of the documents necessary for drawing up the report must be made available to the auditor.
(3) The auditor is obliged to retain the records for six years from the time the questionnaire under section 89 (2) sentence 2 of the Securities Trading Act is submitted.

Part 3
Audit report and questionnaire

Section 10
Scope of reporting

(1) The audit report must set out the reporting and audit periods. It must be complete and sufficiently clear to make evident the extent to which the investment services enterprise has observed the requirements named in section 89 (1) sentences 1 and 2 of the Securities Trading Act. The scope of the reporting must be proportionate to the significance of the matters in question.
(2) Any identified deficiencies must be described in detail in the audit report. Subject to the provisions below, the scope of the reporting depends on the due discretion of the auditor.
(3) Matters of particular significance that arose in the period between the cut-off date for an audit and the end of the audit period are to be described in the audit report.

Section 11
Rules of conduct, organisational requirements, record-keeping obligations

(1) Details of the following are to be included in the audit report if they are applicable to the investment services or ancillary services provided:

  1. the nature and extent of the investment services and ancillary services provided in the reporting period, in particular the number of securities held in custody accounts, the number of transactions, the number of clients, forms of investment and type of financial instruments sold; plausible information provided by the investment services enterprise, in particular information taken from the last annual or monthly financial statements, may be used in this context;
  2. compliance with the obligation to report transactions in accordance with Article 26 of Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173 of 12 June 2014, p. 84; L 6 of 10 January 2015, p. 6; L 270 of 15 October 2015, p. 4), amended by Regulation (EU) 2016/1033 (OJ L 175 of 30 June 2016, p. 1), each as last amended;
  3. compliance with the obligation to supply reference data under Article 4 of Regulation (EU) No 596/2014 and with Article 27 of Regulation (EU) No 600/2014;
  4. compliance with the obligation to establish and maintain arrangements, systems and procedures aimed at preventing and detecting insider dealing and market manipulation under Article 16(1) to (3) of Regulation (EU) No 596/2014 and the assessment of these systems and procedures by the auditor;
  5. compliance with the obligation to maintain records on orders and transactions under Article 25 of Regulation (EU) No 600/2014;
  6. compliance with the obligation to publish and keep records under Article 31(2) and (3) of Regulation (EU) No 600/2014;
  7. compliance with the obligations under section 57 (1) to (4) of the Securities Trading Act on reporting positions in commodity derivatives;
  8. compliance with the general rules of conduct under section 63 of the Securities Trading Act and the specific rules of conduct regarding the provision of investment advice and financial portfolio management under section 64 of the Securities Trading Act and compliance with sections 11 and 12 of the Investment Services Rules of Conduct Regulation (Wertpapierdienstleistungs-Verhaltens- und Organisationsverordnung - WpDVerOV) and with Articles 27, 44, 46 to 50, 52 to 56 and 58 to 62 of Commission Delegated Regulation (EU) 2017/565;
  9. compliance with the obligations under section 69 (2) of the Securities Trading Act regarding the handling of client orders;
  10. permissibility of accepting or granting inducements and compliance with disclosure requirements under section 70 of the Securities Trading Act;
  11. compliance with the requirements under section 72 and sections 74 and 75 of the Securities Trading Act and with Articles 3 to 13 of Regulation (EU) No 600/2014
    when operating a multilateral or organised trading facility including the arrangements and procedures as required by section 72 (1) nos. 3, 6 and 11, section 74 (3) and section 75 (1) of the Securities Trading Act and the assessment of these arrangements and procedures by the auditor;
  12. compliance with the requirements of section 77 of the Securities Trading Act when offering direct electronic access, including the arrangements required under section 77 (1) of the Securities Trading Act with regard to the systems and controls that investment services enterprises must have in place, and the assessment of these systems and controls by the auditor;
  13. compliance with the notification requirements under section 79 of the Securities Trading Act and compliance with the requirements under Articles 14, 15, 17 and 18 of Regulation (EU) No 600/2014 for systematic internalisers within the meaning of section 2 (8) sentence 1 no. 2 (b) in conjunction with section 2 (8) sentences 3 to 5 of the Securities Trading Act;
  14. compliance with the disclosure requirements under Articles 20 and 21 of Regulation (EU) No 600/2014;
  15. compliance with the trading obligation under Article 23 of Regulation (EU) No 600/2014;

  16. the arrangements and measures as required by sections 67, 69 (1) and 80 of the Securities Trading Act and by Articles 21 and 22 of Commission Delegated Regulation (EU) 2017/565 and the organisation of the investment services enterprise, particularly with regard to client categorisation and the handling of client orders, and the assessment of these arrangements and measures by the auditor; in particular, the following are to be described separately:

    a) the organisational and operational structure of the investment services enterprise as well as business units with special requirements for the organisational structure;

    b)compliance with the requirements under Article 22(2) and (3) of Commission Delegated Regulation (EU) 2017/565; the report is to include in particular the number of employees allocated to the compliance function;
    c) compliance with the requirements under section 80 (1) sentence 2 no. 3 of the Securities Trading Act;
    d) compliance with the requirements under section 80 (2) to (4) of the Securities Trading Act;
    e) compliance with the requirements with regard to outsourcing under section 80 (6) of the Securities Trading Act and in Articles 30 to 32 of Commission Delegated Regulation (EU) 2017/565;

  17. compliance with additional requirements regarding the management of conflicts of interest arising in relation to underwriting or placing business under Articles 38 to 43 of Commission Delegated Regulation (EU) 2017/565;
  18. compliance with the requirements under Article 26 of Commission Delegated Regulation (EU) 2017/565;
  19. the systems and controls as required by section 78 of the Securities Trading Act for providing clearing services as a general clearing member, and the assessment of these systems and controls by the auditor;
  20. the arrangements for best execution of client orders as required by section 82 of the Securities Trading Act and by Articles 64 to 66 of Commission Delegated Regulation (EU) 2017/565, and their assessment by the auditor;
  21. compliance with the requirements under section 81 of the Securities Trading Act;
  22. the resources and procedures for compliance with the obligations under Article 29 of Commission Delegated Regulation (EU) 2017/565 for employees and their personal transactions, and the assessment of these resources and procedures by the auditor;
  23. compliance with the record-keeping and retention obligations under section 83 (1) and (2) of the Securities Trading Act and in Articles 72 to 75 of Commission Delegated Regulation (EU) 2017/565;
  24. compliance with the obligation to record telephone conversations and electronic communications and to produce a record in writing under section 83 (3) to (6) of the Securities Trading Act and with Article 76 of Commission Delegated Regulation (EU) 2017/565;
  25. compliance with the obligations under section 84 of the Securities Trading Act, in section 10 of the Investment Services Rules of Conduct Regulation and in Articles 49 and 63 of Commission Delegated Regulation (EU) 2017/565, including the arrangements and measures to be taken as required in section 84 (1) and (9) of the Securities Trading Act, and the assessment of these arrangements and measures by the auditor;
  26. compliance with the requirements under Article 37 of Commission Delegated Regulation (EU) 2017/565, and assessment by the auditor of the arrangements under Article 37(2) of Commission Delegated Regulation (EU) 2017/565 and compliance with the requirements of Article 20(1) of Regulation (EU) No 596/2014 in conjunction with Commission Delegated Regulation (EU) 2016/958 of 9 March 2016 supplementing Regulation (EU) No 596/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the technical arrangements for objective presentation of investment recommendations or other information recommending or suggesting an investment strategy and for disclosure of particular interests or indications of conflicts of interest (OJ L 160 of 17 June 2016, p. 5), each as last amended;

  27. compliance with the requirements under section 87 of the Securities Trading Act, with a particular focus on whether

    a) the employees entrusted with the provision of investment advice, the sales force staff, the employees entrusted with financial portfolio management, the sales supervisors and the compliance officers have the expertise and the requisite reliability for the activity in accordance with section 87 (1) sentence 1, (2), (3), (4) sentence 1 and (5) sentence 1 of the Securities Trading Act,
    b) notifications are submitted to the Supervisory Authority in accordance with section 87 (1) sentence 2 and 3, (4) sentences 2 and 3 and (5) sentences 2 and 3 of the Securities Trading Act regarding the employees entrusted with the provision of investment advice, the sales representatives and the compliance officers and
    c) complaints under section 87 (1) sentence 4 of the Securities Trading Act are reported to the Supervisory Authority;

  28. compliance with the obligations arising from the first subparagraph of Article 4(1) and from Article 5a(1) of Regulation (EC) No 1060/2009 to the extent that the investment services enterprises use ratings when providing investment services or ancillary services;
  29. the subject of the audit and the audit activities with regard to branches, branch offices and local offices included in the audit in accordance with section 4 (3) and with regard to the activities and procedures outsourced to other companies.

The details described in no. 28 regarding Article 5a(1) of Regulation (EC) No 1060/2009 must also contain an evaluation of the adequacy of the credit risk assessment processes and an assessment of the use of contractual references to credit ratings, taking into account the nature, scale and complexity of the investment services enterprise.

(2) The details provided under (1) must also, wherever applicable with regard to the kind of investment services or ancillary services provided, report on the respective obligations resulting from

  1. the Investment Services Rules of Conduct Regulation
  2. the WpHG Employee Notification Regulation (WpHG-Mitarbeiteranzeigeverordnung - WpHGAnzV)
  3. the Securities Trading Reporting Regulation (Wertpapierhandelsanzeigeverordnung - WpAV)
  4. Commission Delegated Regulation (EU) 2016/909 of 1 March 2016 supplementing Regulation (EU) No 596/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the content of notifications to be submitted to competent authorities and the compilation, publication and maintenance of the list of notifications (OJ L 153 of 10 June 2016, p. 13) as last amended,
  5. Commission Implementing Regulation (EU) 2016/378 of 11 March 2016 laying down implementing technical standards with regard to the timing, format and template of the submission of notifications to competent authorities according to Regulation (EU) No 596/2014 of the European Parliament and of the Council (OJ L 72 of 17 March 2016, p.1) as last amended,
  6. Commission Delegated Regulation (EU) 2016/957 of 9 March 2016 supplementing Regulation (EU) No 596/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the appropriate arrangements, systems and procedures as well as notification templates to be used for preventing, detecting and reporting abusive practices or suspicious orders or transactions (OJ L 160 of 17 June 2016, p.1) as last amended,
  7. Commission Delegated Regulation (EU) 2016/958,
  8. Commission Delegated Regulation (EU) 2017/567 of 18 May 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to definitions, transparency, portfolio compression and supervisory measures on product intervention and positions (OJ L 87 of 31 March 2017, p. 90; L 251 of 29 September 2017, p. 30) as last amended,
  9. Commission Delegated Regulation (EU) 2017/569 of 24 May 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards for the suspension and removal of financial instruments from trading (OJ L 87 of 31 March 2017, p. 122) as last amended,
  10. Commission Delegated Regulation (EU) 2017/572 of 2 June 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards on the specification of the offering of pre- and post-trade data and the level of disaggregation of data (OJ L 87 of 31 March 2017, p. 142) as last amended,
  11. Commission Delegated Regulation (EU) 2017/575 of 8 June 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments with regard to regulatory technical standards concerning the data to be published by execution venues on the quality of execution of transactions (OJ L 87 of 31 March 2017, p. 152) as last amended,
  12. Commission Delegated Regulation (EU) 2017/576 of 8 June 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards for the annual publication by investment firms of information on the identity of execution venues and on the quality of execution (OJ L 87 of 31 March 2017, p. 166) as last amended,
  13. Commission Delegated Regulation (EU) 2017/577 of 13 June 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council on markets in financial instruments with regard to regulatory technical standards on the volume cap mechanism and the provision of information for the purpose of transparency and other calculations (OJ L 87 of 31 March 2017, p. 174) as last amended,
  14. Commission Delegated Regulation (EU) 2017/578 of 13 June 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments with regard to regulatory technical standards specifying the requirements on market making agreements and schemes (OJ L 87 of 31 March 2017, p. 183) as last amended,
  15. Commission Delegated Regulation (EU) 2017/580 of 24 June 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the maintenance of relevant data relating to orders in financial instruments (OJ L 87 of 31 March 2017, p. 193) as last amended,
  16. Commission Delegated Regulation (EU) 2017/583 of 14 July 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council on markets in financial instruments with regard to regulatory technical standards on transparency requirements for trading venues and investment firms in respect of bonds, structured finance products, emission allowances and derivatives (OJ L 87 of 31 March 2017, p. 229) as last amended,
  17. Commission Delegated Regulation (EU) 2017/584 of 14 July 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying organisational requirements of trading venues (OJ L 87 of 31 March 2017, p. 350) as last amended,
  18. Commission Delegated Regulation (EU) 2017/585 of 14 July 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the data standards and formats for financial instrument reference data and technical measures in relation to arrangements to be made by the European Securities and Markets Authority and competent authorities (OJ L 87 of 31 March 2017, p. 368) as last amended,
  19. Commission Delegated Regulation (EU) 2017/587 of 14 July 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council on markets in financial instruments with regard to regulatory technical standards on transparency requirements for trading venues and investment firms in respect of shares, depositary receipts, exchange-traded funds, certificates and other similar financial instruments and on transaction execution obligations in respect of certain shares on a trading venue or by a systematic internaliser (OJ L 87 of 31 March 2017, p. 387; L 228 of 2 September 2017, p. 33) as last amended,
  20. Commission Delegated Regulation (EU) 2017/589 of 19 July 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying the organisational requirements of investment firms engaged in algorithmic trading (OJ L 87 of 31 March 2017, p. 417) as last amended,
  21. Commission Delegated Regulation (EU) 2017/590 of 28 July 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the reporting of transactions to competent authorities (OJ L 87 of 31 March 2017, p. 449) as last amended.

Section 12
Safe custody business

In the case of an audit of safe custody business under section 89 (1) sentence 2 of the Securities Trading Act, the audit report must, in particular, contain information on whether the following is adhered to:

  1. the orderly conduct of the safe custody and management of securities for others, the custody ledger, the access to customer securities and the authorisations insofar as this is not evident from the information given in compliance with section 11 (1) sentence 1 no. 25, and
  2. compliance with sections 128 and 135 of the Stock Corporation Act (Aktiengesetz - AktG).

Section 13
Stipulations on the content of the audit; determined points of focus for the audit

(1) If in individual cases the Supervisory Authority has made stipulations relating to the content of the audit or has determined points of focus for the audit, the audit report must contain a detailed description of the audit activities conducted in this context and the relevant conclusions.
(2) The audit report must explain which parts were examined in accordance with the points of focus determined at the discretion of the auditor and whether such examinations were system checks including performance tests and spot checks or individual audits. The report must also state the manner in which spot checks were executed, the number of the spot checks and their findings.

Section 14
References to previous audit reports

(1) References to the contents of previous audit reports are not permitted as a rule.
(2) In order to avoid extensive repetition, such references are, in exceptional cases, permitted if the auditor

  1. attaches to the audit report the respective excerpts from the previous audit
    reports or from the annual financial statements and
  2. explains why the previous conclusions or statements being referenced are still relevant to the current report.

Section 15
Deficiencies identified in the previous audit

The audit report must contain a description of how the deficiencies identified during the previous audit have been remedied or what remedial action has been initiated. If the deficiencies were of an organisational nature the organisational measures taken by the investment services enterprise to avoid such deficiencies in future must be explained.

Section 16
Concluding summaries

In a concluding summary, the report must assess whether the investment services enterprise has complied with the obligations under section 89 (1) sentences 1 and 2 of the Securities Trading Act. Any identified deficiencies are to be listed with an indication of where they are to be found in the report.

Section 17
Auditor; signature

It must be evident from the audit report who headed the on-site audit. The auditor must sign the audit report, stating the place and date.

Section 18
Questionnaire; description of identified deficiencies and other findings

(1) The questionnaire that must accompany the audit report as required by section 89 (2) sentence 2 of the Securities Trading Act is to be compiled and completed in accordance with the annex to this regulation.
(2) It is to be accompanied by a short description of the identified deficiencies and other findings with regard to the guidance developed and published by the European Securities and Markets Authority.
(3) The description must identify conduct categorised as a deficiency and the statutory provisions that have been violated.

Section 19
Submitting the audit report and the questionnaire

(1) The questionnaire and, where it has been requested in accordance with section 89 (2) sentence 1 of the Securities Trading Act, the audit report, are to be sent without delay, as single copies and in electronic form, to the Frankfurt office of the Supervisory Authority and to the competent office of the Deutsche Bundesbank. The Supervisory Authority may determine the data format and the submission procedure in which the electronic version of the questionnaire and the audit report are to be submitted to it. The Supervisory Authority and the Deutsche Bundesbank may each forgo submission of the questionnaire in written form.
(2) Questionnaires are deemed not to have been submitted without delay within the meaning of section 89 (2) sentence 4 of the Securities Trading Act if they have not been received by the Supervisory Authority and the competent office of the Deutsche Bundesbank within two months from the end of the audit period. In individual cases and with good reason, the Supervisory Authority may set a different time period
(3) If the audit report has been requested in accordance with section 89 (2) sentence 1 of the Securities Trading Act, it is to be submitted within two weeks of the request by the Supervisory Authority or the competent office of the Deutsche Bundesbank. However, the audit report is to be submitted two months after the end of the audit period at the earliest.

Section 20
Draft report

(1) If the Supervisory Authority participates in the audit in accordance with section 89 (4) sentence 4 of the Securities Trading Act, the auditor must, at the Supervisory Authority’s request, send the draft audit report to the Supervisory Authority prior to its completion.
(2) If the Supervisory Authority announces its participation in a final meeting, the auditor must, at the Supervisory Authority’s request, send the corresponding draft audit report to the Supervisory Authority in good time ahead of the meeting.

Section 21
Explanation of the audit report

At the Supervisory Authority’s request, the auditor must explain the audit report to the Supervisory Authority.

Part 4
Final provisions

Section 22
Entry into force, repeal

This regulation enters into force on the day after its promulgation. Simultaneously, the Regulation on the Examination of Investment Services Enterprises pursuant to Section 36 of the Securities Trading Act (Wertpapierdienstleistungs-Prüfungsverordnung) of 16 December 2004 (Federal Law Gazette I, p. 3515), last amended by Article 27 (4) of the Act of 4 July 2013 (Federal Law Gazette I, p. 1981), is repealed.

Additional information

Attachments

More on this topic

Did you find this article helpful?

We appreciate your feedback

Your feedback helps us to continuously improve the website and to keep it up to date. If you have any questions and would like us to contact you, please use our contact form. Please send any disclosures about actual or suspected violations of supervisory provisions to our contact point for whistleblowers.

We appreciate your feedback

* Mandatory field