Published: 02.11.2015 Dr Günter Birnbaum, Frank Russo, BaFin
Securities compliance: Looking back at 20 years of conduct of business obligations for investment services enterprises
If you type "compliance" into Google, you get more than 350 million hits, including IT compliance, property compliance, medication compliance and material compliance. Googling "securities compliance" yields just over 109,000 results.
This relatively low number, however, is deceptive: nowhere has compliance been in the spotlight for longer than in the securities business and nowhere is it more regulated. This year, securities compliance is celebrating its 20th anniversary – what better time to look back?
Compliance development milestones until 2007
The compliance requirements for investment services enterprises have risen steadily over the past twenty years. In January 1995, compliance requirements were first included in the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG). With that, the European directive on investment services in the securities field of 1993 was transposed into national law. The WpHG required investment services enterprises to maintain effective organisational arrangements for the provision of investment services in the securities field and to have in place appropriate internal control procedures to prevent any breaches of the WpHG. The German Federal Supervisory Office for Securities Trading, one of BaFin's predecessors, put these requirements in concrete terms within guidelines which were in force until 31 October 2007.
Compliance development milestones on an international level at that time included first and foremost a document of the International Organization of Securities Commissions (IOSCO) of 2003 and the guidance paper of the Basel Committee on Banking Supervision (BCBS) of 2005. On a European level, the most progress in terms of compliance was achieved with the Markets in Financial Instruments Directive (MiFID) of 2004 and the corresponding implementing directive of 2006.
On 1 November 2007, the transposition of this European legislative act came into force within the WpHG and the Investment Services Rules of Conduct Regulation (Wertpapierdienstleistungs-Verhaltens- und Organisationsverordnung – WpDVerOV). With the transposition of MiFID, the national legislators used the term "compliance function" for the first time as an integral part of an internal control mechanism as well as the term "compliance officer" for a person responsible for the compliance function.
More recent developments
In 2010 BaFin published the MaComp, a circular on the minimum requirements for the compliance function and additional requirements governing rules of conduct, organisation and transparency pursuant to sections 31 et seq. of the WpHG. It serves as a handbook of administrative practices and puts in concrete terms the special requirements for the compliance function in addition to the general organisational obligations. The MaComp have been updated numerous times since then, with the latest version dating back to 2014. They took into account, among other things, the remarks delivered in 2012 by the European Securities and Markets Authority (ESMA) in its guidelines on certain aspects of the MiFID compliance function requirements. Another crucial milestone was section 34d of the WpHG, which came into force on 1 November 2012, together with the WpHG Employee Notification Regulation (WpHG-Mitarbeiteranzeigeverordnung). It set out the statutory requirements for the expert knowledge, competence and reliability of compliance officers.
Compliance function and compliance officer
In the past twenty years, investment services enterprises have had to tackle continually increasing compliance requirements. Consequently, the compliance function and compliance officer now enjoy a significantly higher profile at these enterprises than ever before. Back in 1995, compliance staff were responsible for little more than preventing insider trading by checking personal account dealings. The units tended to be very small and were rarely independent within the organisation, instead usually being subsumed under the legal department. The most common exceptions to the rule were companies in the English-speaking world, where the compliance function had always enjoyed a higher profile.
Since then, the nature of tasks of the compliance function has changed fundamentally. Today, these tasks are regulated by law, as is the question of who is allowed to become a compliance officer. In accordance with the regulations, the compliance function must, among other things, monitor and regularly evaluate the arrangements supposed to ensure compliance with the WpHG. To this end, the MaComp set out the requirement that the compliance function conduct its own on-site inspections, particularly in the enterprise's branches. Incidentally, this is a crucial difference between compliance as laid down in the WpHG and industry compliance for other enterprises, for which the law does not prescribe on-site inspections. Another peculiarity of securities compliance is the fact that the WpHG Employee Notification Regulation describes in detail the professional profile of a compliance officer. The MaComp describe in greater detail the expert knowledge requirements for the other employees of the compliance function.
Effective, permanent, independent
The status of the compliance function is also regulated in the WpHG and MaComp. The compliance function must be effective, permanent and independent. It can only be effective if it has at its disposal the necessary personnel and material resources, among other things. Staffing is a subject BaFin has paid special attention to in the past few years, since some companies understaffed their compliance functions relative to inherent risks or the extent of their securities business. BaFin has followed up on these cases and pushed for increased staffing levels. In terms of material resources, the compliance function must in principle receive its own budget, under certain conditions (MaComp BT 1.3.1.1).
A permanent compliance function requires, among other things, that its tasks and competencies be laid down in work and organisational instructions. In this way, the compliance function receives a working basis and a clearly defined area of responsibility. Moreover, the compliance function must prepare a monitoring plan based on a risk analysis.
The requirement that the compliance function be independent has sparked discussion with investment services enterprises due to the interpretation of some of its aspects by BaFin. The compliance function is not independent of the management board, since it is the board that assigns the compliance function its tasks and competences. However, the units subordinate to the management board may not issue any instructions to the compliance function.
Separation of functions
The debate that followed the introduction of the MaComp on the relationship between the compliance function and the legal department was particularly heated. BaFin's administrative practice has followed the approach that these functions must, in principle, not be joined at larger investment services enterprises or those carrying out complex activities, in order to avoid any possible conflicts of interest between the two units. This is because, while the legal department supervises the legality of business activities, the compliance function takes into account other aspects, too, including the question: "What is legitimately in the client's interest?" In principle, the compliance function focuses much more on client interests than the legal department, which first and foremost acts in the company's interest. Consequently, the compliance function may object to products that, while legally unobjectionable, are nevertheless unsuitable to the enterprise's customer structure with regard to investor protection.
An integration of the compliance function and internal audit function is not allowed a priori, because the latter audits the former. To strengthen the independence of the compliance function, the MaComp also recommend that the status, powers and remuneration of the compliance officer are based on those of the heads of the internal audit function, risk control and legal department of the investment services enterprise. In this way, the compliance officer is supposed to be able to face the representatives of other units, for instance the head of sales, on an equal footing.
Powers
Under the MaComp, the compliance officer is to be involved in numerous tasks. In particular, he or she should have the power to intervene, for instance in the process of product approval, but without having to shoulder the responsibility of operating units in the form of "co-signing".
Also, by law, the compliance officer must be able to initiate measures to prevent concrete threats to client interests. Compliance therefore operates on a hands-on basis, not just from afar.
Seeking qualified staff
In order to fulfil the compliance requirements, many investment services enterprises are currently urgently seeking qualified staff who could become compliance officers. There are now specialist university courses available to furnish future compliance officers with the required knowledge.
A good compliance officer, however, does not only boast expert knowledge. He or she must also be able to enforce the interests of compliance at the investment services enterprise without breaching his or her duty of loyalty to the management board. This requires a certain professional experience (seniority).
Support from the management board is crucial in this context. Only in companies where a compliance culture is established can the compliance function carry out its tasks in full.
Outlook
As the regulatory framework becomes more and more international, compliance will move even further into the spotlight with regard to the implementation of additional conduct of business obligations and new consumer protection rules. MiFID II, the new European financial markets directive, which will come into force in 2017, is particularly worth mentioning in this context. With it, the importance of the compliance function at investment services enterprises will grow further.