Compliance with statutory capital market regulations – one of the central tasks of investor relations – is becoming increasingly extensive. Whether it is the expansion and tightening of directors’ dealings, ad hoc publicity, insider lists, voting rights notifications, annual and semi-annual reports, or corporate governance, the list of requirements is becoming longer and longer. The sanctions imposed by BaFin are becoming ever stricter. Courts impose penalties in the millions on issuers and company employees. And more and more often, IROs have the task of avoiding precisely such sanctions – i.e. ensuring compliance with the rules. How can this be achieved? A compliance management system can help to maintain an overview here.
Requirements of BaFin for a Compliance Management System
What are the requirements for a Compliance Management System? BaFin, as the supervisory authority, formulates five areas which are important for functioning and successful compliance:
- Personnel selection: Suitable personnel must be selected for the specific task profile,
- Distribution of tasks and organisation: Clearly structured processes and a clear and appropriate distribution of responsibilities must be defined,
- Instruction and education: Staff must be properly instructed and continuously trained,
- Monitoring and control: The issuer must carry out general controls and reviews. Regular spot checks may be required,
- Threat and imposition of operational sanctions: The company must threaten its employees with sanctions that are permissible under (labour) law.
Model of a process-oriented Compliance Management System (CMS)
What can a compliance management system that meets these requirements look like? The following is a process-oriented compliance management system from TÜV Rheinland, which has been modified for IR work:
Model of a process-oriented CMS
Source: According to TÜV Rheinland: Standard for Compliance Management Systeme (CMS), p. 4: https://www.tuv.com/media/germany/60_systeme/csr_nachhaltigkeit_compliance/compliance/faktenblaetter/compliance_standard_tr.pdf
- Under point 1, the compliance requirements are to be recorded. This means collecting all the “rules” that must be observed: This includes aspects such as ad hoc publicity, directors’ dealings, closed period, voting rights, insider lists, voting rights notifications, etc. It is important to record the many details of the rules. A glance at BaFin’s ‘Naming & Shaming’ website shows that many rule violations tend to concern details such as the preliminary announcement of (half-)annual reports or the failure to meet deadlines.
- After all necessary rules have been compiled, manuals, guidelines and procedural instructions are developed within the framework of planning & documentation. How is a directors’ dealings process to be defined? What are the deadlines for the Director? Who is responsible for the preannouncements to the (half-)annual reports? Which approval processes are to be observed for ad hoc announcements? Who is the Reporting Officer, and who deputises for the Reporting Officer? What documentation is required?
- The implementation is about getting the ‘people on board’. Are all participants aware of the (1) legal rules and their details? Do they know the (2) procedures, processes and documentation? Do the participants master the necessary software for the reporting processes? It is important that during the implementation – e.g. of a directors dealing report a directors dealing report. This is the only way to ensure monitoring (4) by a compliance officer.
- During monitoring, the Compliance Officer uses the documentation to check whether there have been deviations between planning (2) and implementation (3). If this is the case, why did deviations occur? Do the persons involved perhaps lack knowledge and/or routine? The planning itself can also be the cause of the deviation: perhaps tasks have not been assigned to specific persons or processes have not been clearly defined? Or do participants such as insiders not attach as much importance to individual aspects, such as the signing of information forms?
- Within the scope of the improvement, consequences are then to be drawn from the target/actual deviations documented under (4). Appropriate corrective measures help to continuously improve the overall compliance management system. Employees may need further training, planning may need to be refined, documentation may need to be revised or individual employees and/or insiders may need to be sensitised if they do not take individual issues seriously.
- The management of resources is then specifically about the ‘human resource’. It is about systematically determining training needs and expanding competencies. The effectiveness of training measures must be assessed. Have training courses led to a reduced target/actual deviation? Or have conversations with people led to a greater understanding of how to behave in accordance with the rules?
- The person in charge, who keeps the system running continuously, monitors and constantly develops it, stands above all these requirements.
Such a CMS is a dynamic system that continuously develops further. It can help to ensure that all employees behave in accordance with the rules. And if a violation should occur by mistake, BaFin is often prepared to turn a blind eye where a well-developed compliance system is in place.
According to BaFin: Umgang mit kapitalmarktrechtlichen Sanktionsrisiken, 21. DIRK-Konferenz 2018, 4/5 June, Becker, Ralf, David, Daniel, p. 27; publication courtesy of BaFin
Source: Becker, Ralf, Head of Government at BaFin, Supervision of securities, in: Börsen-Zeitung, 2 June 2018, page B 6: https://www.boersen-zeitung.de/index.php?li=1&artid=2018103810, website accessed on 10 August 2018