
Published: 02.03.2018

Internal control system: BaFin market survey of banks and savings banks

In a market survey conducted in 2017, BaFin looked at existing structures and systems of the “internal control system” (ICS) in banks and savings banks. The purpose of such control systems is to identify and analyse violations of supervisory law at an early stage to enable institutions to launch internal countermeasures as early as possible. As a rule, these systems consist of the controls of the business processes performed by the institution’s business units themselves (first level controls), of the monitoring by the compliance function (second level controls) and of inspections by an internal auditing function (third level controls).

The market survey focused on the first level of controls. The objective of the survey was to gain a picture of the procedures institutions are currently using to fulfil the requirements of the German Securities Trading Act (Wertpapierhandelsgesetz – WpHG) with regard to the ICS. A second objective was to gain knowledge about the way the compliance function monitors the controls of the business units.

The result: generally speaking, all surveyed institutions have a functioning internal control system. In individual areas there is, however, still potential for optimisation.

Legal basis

The legal basis for establishing an internal control system in the institutions is section 25a (1) sentence 1 of the German Banking Act (Kreditwesengesetz - KWG). This provision stipulates that an institution shall have a proper business organisation in place. Pursuant to section 25a (1) sentence 3 no. 3 of the KWG, this comprises appropriate and effective risk management as well as the establishment of internal control mechanisms consisting of an internal control system and an internal audit function. According to section 80 (1) of the WpHG, investment services enterprises also have to comply with these organisational requirements.

The BaFin circular Minimum Requirements for the Compliance Function and Additional Requirements Governing Rules of Conduct, Organisation and Transparency for investment services enterprises (MaComp) also addresses the issue of internal controls of the operating business units at various points. Initial responsibility for complying with the provisions and for performing controls – in the form of internal controls – lies with the operating units (AT 6 no. 2 of the MaComp). The special requirements assigned to the compliance function in the MaComp include a duty to verify whether the control activities listed in the working and organisational instructions are being performed regularly and properly by the operating units. To this end, the compliance function also takes into account the reviews by the risk management function and the internal auditing function, controlling and other control functions in the investment services unit (BT 1.2.1.2 no. 6 of the MaComp).

Structuring of the ICS

While surveying the market with respect to ICS, BaFin came across both centralised and decentralised models. With centralised models, control activities take place in central units, such as market service or back office units. In such a central control unit, the employees are responsible specifically for performing control activities and are trained for the purpose. In decentralised models, the control activities are assigned to the branches and their managers, or to market areas and their managers. In these models, the control activities are therefore performed by employees of the organisation’s operating units, who take them on in addition to their primary marketing responsibilities.

There were also mixed forms of centralised and decentralised control units, which frequently form a combined organisational control structure. In these instances, identical controls are sometimes conducted in parallel, so that the division of labour only has an effect on quantitative parameters like the volume and cycle of control activities. But there were also cases where control activities were distributed in a qualitative division of labour with different priorities, for instance with a formal examination of certain components of the contract and a content assessment with regard to the suitability and appropriateness of the financial instruments recommended to the consumer.

Notable Findings

What was particularly interesting in the market survey was the concrete design of the control procedures, the way the individual implementation components interlock, and the resulting effect of the ICS as a whole. To analyse these processes, BaFin focused its examination on the control activities related to the record-keeping and retention obligations arising from the conduct requirements of the WpHG. In many institutions, the manager regularly reviews employees’ contact with clients for content and results, for instance by comparing transaction lists with the diary entries of employees.

The market survey showed that the control activities were performed in a very heterogeneous manner. Their extent ranged from full controls (100 percent of advice documents) to random samples which differed widely in their qualitative focus, and they were performed continuously or at intervals. In most instances, control activities were performed on a specific date. In rare cases, it was up to the discretion of the employee performing the controls to do this within a given period of time, for instance within the quarter.

Centralised units downstream of distribution without direct client contact were typically characterised by large samples (50 percent of records or more) and a short control cycle, from continuous to weekly, while decentralised units, such as those directly involved in the securities business at the operational level, performed control activities less intensively. In the latter, the sample proportion lay, as a rule, between ten and 25 percent, with controls being performed between once a month and once a quarter.

BaFin also noticed significant variations in terms of control documentation. Documentation ranged from formalised checklists and processing comments entered in the institution’s IT system to formalised records of results and individual control comments.

Where errors were found, the feedback to the originator was in most cases delivered directly and promptly. In this respect, too, the degree of formalisation varied significantly. There were instances both of face-to-face verbal communication and comments delivered via e-mail that could be sent manually or triggered by a system. In some institutions, control results were initially communicated to the employee concerned with the instruction to remedy the deficiencies as necessary. Only where a matter was not dealt with in a timely manner or where the deficiency was particularly grave were managers and other internal units involved in the reporting channel. Most institutions did not, however, have such an escalation procedure in place.

In all institutions, the compliance function controlled the work of the first level control units. To some extent, it made use of the results of systematic reporting processes.

Identified potential for optimisation

The functionality and effectiveness of the internal control system can normally only be assessed with regard to the individual institution. However, during the market survey it was possible to identify some components and interfaces that could certainly be optimised in terms of their design with the objective of achieving an efficient ICS.

At a glance: potential opportunities for optimisation for an efficient ICS

  • Comparisons of contact with clients and business transactions
  • Comprehensibility of control activities
  • Coordination of control activities of different organisational units
  • Feedback of control results
  • Transparency of the control status and escalation procedure

By reviewing employees’ contact with clients, a manager would be able to ensure efficiently that all client contact which triggers, for instance, an obligation to submit a suitability statement is properly documented. Furthermore, a comparison between the respective distribution units of the ratio of client contacts with a resultant business transaction to those without one would give the downstream control units, i.e. the compliance function and the internal auditing function, an additional tool for checking the plausibility of the advice ratio.
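The two checks described above, as an added example that is not part of the BaFin article and not an institution's own tooling: a first-level control that reconciles an adviser's contact records (diary entries) against the transaction list, flagging transactions with no documented contact in the preceding days and advised transactions with no suitability statement on file, and a per-unit advice ratio (contacts with versus without a resultant transaction) that a downstream control unit can compare across distribution units. The record layout, field names, the seven-day matching window and the sample data are constructed assumptions for illustration.

```python
"""Reconcile client-contact records against a transaction list (first-level control).

Added example, not code from the BaFin article. The record layout, field names,
the matching window and all sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: advisers' diary entries (client contacts) ...
CONTACTS = [
    {"unit": "branch-A", "employee": "e1", "client": "c100", "date": date(2017, 9, 4),
     "advice": True, "suitability_statement": True},
    {"unit": "branch-A", "employee": "e1", "client": "c101", "date": date(2017, 9, 5),
     "advice": True, "suitability_statement": False},   # advice, but no statement filed
    {"unit": "branch-A", "employee": "e2", "client": "c102", "date": date(2017, 9, 6),
     "advice": False, "suitability_statement": False},  # contact without advice or order
    {"unit": "branch-B", "employee": "e3", "client": "c200", "date": date(2017, 9, 4),
     "advice": True, "suitability_statement": True},
    {"unit": "branch-B", "employee": "e3", "client": "c201", "date": date(2017, 9, 4),
     "advice": True, "suitability_statement": True},
]
# ... and the transaction list exported from the order system (also constructed).
TRANSACTIONS = [
    {"unit": "branch-A", "employee": "e1", "client": "c100", "date": date(2017, 9, 5), "instrument": "fund-1"},
    {"unit": "branch-A", "employee": "e1", "client": "c101", "date": date(2017, 9, 6), "instrument": "fund-2"},
    {"unit": "branch-A", "employee": "e2", "client": "c103", "date": date(2017, 9, 7), "instrument": "bond-1"},
    {"unit": "branch-B", "employee": "e3", "client": "c200", "date": date(2017, 9, 5), "instrument": "fund-1"},
    {"unit": "branch-B", "employee": "e3", "client": "c201", "date": date(2017, 9, 20), "instrument": "fund-3"},
]

WINDOW_DAYS = 7  # assumed: a contact must precede the order by at most this many days


def _within_window(earlier, later, window_days):
    """True if `later` falls on or up to `window_days` after `earlier`."""
    return timedelta(0) <= later - earlier <= timedelta(days=window_days)


def find_contact(contacts, txn, window_days=WINDOW_DAYS):
    """Latest documented contact by the same employee with the same client
    in the window before the transaction, or None if there is none."""
    candidates = [
        c for c in contacts
        if c["client"] == txn["client"] and c["employee"] == txn["employee"]
        and _within_window(c["date"], txn["date"], window_days)
    ]
    return max(candidates, key=lambda c: c["date"]) if candidates else None


def reconcile(contacts, transactions, window_days=WINDOW_DAYS):
    """Control items for the manager: each transaction must trace back to a
    documented contact, and an advised transaction needs a suitability statement."""
    findings = []
    for txn in transactions:
        contact = find_contact(contacts, txn, window_days)
        base = {"unit": txn["unit"], "employee": txn["employee"],
                "client": txn["client"], "date": txn["date"].isoformat()}
        if contact is None:
            findings.append({**base, "issue": "no documented client contact within window"})
        elif contact["advice"] and not contact["suitability_statement"]:
            findings.append({**base, "issue": "advice given but no suitability statement on file"})
    return findings


def advice_ratio(contacts, transactions, window_days=WINDOW_DAYS):
    """Per distribution unit: contacts that were followed by a transaction
    versus contacts that were not. Large deviations between units are a
    plausibility signal for the downstream control functions."""
    stats = defaultdict(lambda: {"contacts": 0, "with_transaction": 0})
    for c in contacts:
        stats[c["unit"]]["contacts"] += 1
        followed = any(
            t["client"] == c["client"] and t["employee"] == c["employee"]
            and _within_window(c["date"], t["date"], window_days)
            for t in transactions
        )
        if followed:
            stats[c["unit"]]["with_transaction"] += 1
    for s in stats.values():
        s["ratio"] = s["with_transaction"] / s["contacts"]
    return dict(stats)


if __name__ == "__main__":
    for f in reconcile(CONTACTS, TRANSACTIONS):
        print(f"{f['date']} {f['unit']} {f['employee']} {f['client']}: {f['issue']}")
    for unit, s in sorted(advice_ratio(CONTACTS, TRANSACTIONS).items()):
        print(f"{unit}: {s['with_transaction']}/{s['contacts']} contacts led to a transaction "
              f"(ratio {s['ratio']:.2f})")
```

On the sample data the reconciliation raises three items: the c101 order was preceded by advice with no suitability statement filed, the c103 order has no diary entry at all, and the c201 order lies outside the assumed window of its last documented contact. The advice ratio comes out as 2/3 for branch-A and 1/2 for branch-B; whether such a difference is acceptable is a judgement for the compliance function, but the figure makes the comparison between units explicit rather than leaving it to the controller's impression.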

It has also become evident that the first level control units in institutions where controls are highly formalised function more reliably than in institutions where controls are performed and documented in an improvised manner and their concrete execution is left to the discretion of the controller. Checklists specifying the individual control items, meaningful documentation and execution on a fixed date have all proven expedient. Less successful were cases where, in the absence of concrete criteria and a structure for the control activities, certain obligations were not checked at all, or where compliance was taken for granted because of the known professional competence of the person subject to the controls.

As mentioned, control activities in some institutions are performed in parallel by different organisational units, with the extent and cycle of control activities often varying. It was also noticeable that centralised units favoured formal controls while decentralised controls tended to focus on content and quality. It is therefore very important to ensure a sufficiently tight and balanced design of these two components, extent and cycle, and of the content, quality and formal aspects in the control activities.

Feedback of the control results usually takes place immediately after the results have been ascertained. Here, too, it is noticeable that a high degree of technical formalisation, for example through an electronic task assignment system, prompts more reliable and more systematic follow-up processing.

In some institutions, it was occasionally difficult to follow the escalation stages in the feedback – be it in person, by phone or by e-mail. It therefore makes sense to implement escalation processes that are also transparent and comprehensible for the employees.

Outlook

The second Markets in Financial Instruments Directive (MiFID II) introduced many extensive innovations and obligations relevant to the proper business organisation of investment services enterprises (see, for instance, the December 2017 and January 2018 issues of the BaFinJournal (only available in German)).

This is why BaFin will continue to attach particular importance, in future on site visits to banks and savings banks, to efficient internal control systems being in place.
