77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Compliance in the bank: Duties, roles and auditable evidence according to MaRisk and WpHG
Governance & Compliance

Compliance in the bank: Duties, roles and auditable evidence according to MaRisk and WpHG

2 June 202612 min readBy Dr. Henrik Bauer
CIVAC

Compliance in a bank is more than a guideline on the intranet. It is an appointed function with clear reporting obligations in accordance with MaRisk AT 4.4.2, WpHG § 80 and GwG. This article shows which obligations apply and how an institution achieves audit robustness operationally.

Compliance in a bank has been an appointed, independent function with a direct reporting line to management since MaRisk AT 4.4.2 and Section 80 WpHG. Any institution that confronts the Federal Financial Supervisory Authority (BaFin) must not only have guidelines in place, but also be able to provide complete evidence of the order, task description, risk assessment and ongoing monitoring. Audit practice has noticeably tightened in recent years, especially after the supervisory announcements on MaComp and money laundering prevention as well as in the course of preparation for DORA and AMLR.

This article classifies the most important duties, describes the roles of compliance officers, money laundering officers and information security officers in the banking context and shows how institutions manage orders, reporting lines and evidence in such a way that they stand up to scrutiny. The focus is on audit robustness, clear documentation and the clean transition between line, compliance and internal audit. We avoid generalities and specifically state which documents must be kept at what level and where the typical gaps arise in practice.

Key Takeaways

  • Compliance officers in banks must be appointed in accordance with MaRisk AT 4.4.2, are independent and must report directly to management.
  • According to Section 7 of the GwG, money laundering officers must be appointed in writing and reported to BaFin.
  • Compliance is only verified when the appointment certificate, task description, risk analysis and version-controlled reports are available.

Legal framework: MaRisk, WpHG, GwG, MaComp and DORA

The set of obligations for compliance in credit institutions comes from several sources. MaRisk AT 4.4.2 requires a compliance function to identify and monitor significant legal risks associated with business activities. For investment services, Section 80 of the WpHG applies, interpreted by the minimum requirements for the compliance function (MaComp). Money laundering prevention is regulated by the GwG, in particular Sections 4 to 9, with risk management, internal security measures and the appointment of the money laundering officer. In addition, § 25a and § 25b KWG shape the requirements for business organisation and outsourcing.

In addition, there are institution-specific obligations from the GDPR, the KWG as well as from European regulations such as MiFID II, the DORA Regulation (EU) 2022/2554 and the EU Money Laundering Regulation (AMLR). The bundling of these sources creates considerable documentation pressure: Every obligation needs a person responsible, a description of the control and verifiable proof of implementation. CIVAC sees compliance at this interface as an appointed compliance officer function with clearly defined reporting lines, not as a loose collection of guidelines on the intranet. Anyone who keeps the sources in a uniform matrix of obligations can argue consistently with BaFin and internal audit and avoids duplication of work between compliance, law and risk. Such a matrix assigns each obligation to a legal source, a control, a responsible party, a frequency and a document. This means that the jump from the standard to the file is understandable for auditors at every point.

Appointment and independence of the compliance function

According to MaRisk AT 4.4.2 No. 2, a compliance officer must be appointed who is responsible for the effectiveness of the compliance function. The order is made in writing by the management. The function must be organizationally independent, i.e. free from instructions from operational business, with sufficient resources, its own budget and unhindered access to information in all relevant areas. The task description specifies which legal areas are monitored, how risk assessments are carried out and how the reporting system is designed.

In practical terms this means: appointment certificate, signed, filed, verifiable. In addition, the institute documents the qualifications, a replacement plan, the escalation channels in the event of conflicts of duties and the reporting line. MaRisk requires at least an annual compliance report to the management and a report to the supervisory body. The function must also report on an ad hoc basis when serious violations or new regulatory requirements require it. What is important is the clear separation between the second line of defence of the risk function and the third line of internal audit. Institutes that manage their compliance function via a workspace combine orders, task descriptions and report templates in a file with clear version statuses. This means that independence is not only formally but comprehensibly documented and can be accessed in the audit without any search effort. Anyone who additionally provides evidence of job descriptions, target agreements and remuneration elements that are not linked to operational business success closes a key audit gap in advance. It also makes sense to have an internal proof of resources per quarter: approved positions, vacancies, training days and the ratio of personal effort to external support, each with a brief assessment by the function itself and by management.

Money laundering officer, deputy and BaFin report

Obligated parties according to Section 2 of the GwG, including all credit institutions, must appoint a money laundering officer and a deputy in accordance with Section 7 of the GwG. The order is made in writing and the person must be reliable and knowledgeable. BaFin must be informed about the order and any changes. The function reports directly to the management, with access to information and access to all business areas. The report is made via the BaFin reporting portal MVP and becomes part of the supervisory file.

The tasks include risk analysis in accordance with Section 5 GwG, the management of internal security measures (Section 6 GwG), reporting suspicious activity to the FIU (Section 43 GwG) and the regular training of employees. The deadline begins as soon as we become aware of it; this applies to suspicions as well as to reportable matters. Group-wide responsibility in accordance with Section 9 of the GwG must be observed within the group, including the appointment of a group money laundering officer. Any institution that keeps the order, the annual risk analysis, the training register and the suspicious activity reporting paths in a file can provide BaFin with evidence within hours. Using the Money Laundering Officer function, the role can either be filled internally and supported with templates or ordered externally as an officer-as-a-service. In both models, personal suitability is documented, regularly retrained and verified to supervisors. This is the difference between a role on paper and a role with proven effectiveness.

Reporting lines, MaRisk compliance report and ad hoc escalation

The effectiveness of the compliance function is reflected in the reporting lines. According to MaRisk AT 4.4.2 No. 7, the compliance function reports to the management and the supervisory body at least once a year. The report describes the activity, the main findings, the status of implementation of measures, the changes in the risk situation and the planning for the following year. For investment services, MaComp supplements the report in accordance with Section 80 of the WpHG, which presents the content, methodology and findings from the monitoring of conduct of business obligations.

In addition, ad hoc reports on serious violations, sanctions or supervisory measures are planned. The separation between the annual report, event-related reporting and escalation to internal audit must be clearly defined. A resilient practice combines a report template with mandatory fields, a list of deadlines and tasks with those responsible, and a version-controlled storage of all reports and reactions. This makes it clear which issues were escalated to whom, when, which measures were agreed and which implementation deadlines were set. The auditor calls, the evidence is ready. without the institute having to search through emails. It is precisely this reproducibility that MaRisk audits demonstrate the maturity of the compliance function. In addition, the reporting line includes a brief assessment of the situation on new legal developments, such as DORA, the AMLR or national legislative changes, so that management can incorporate changes at an early stage and there is no gap between entry into force and implementation.

Interface to information security, DORA and NIS-2

Banks are also the KRITIS financial sector and will be subject to DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) from 2026. The requirements for ICT risk management, incident reporting and third-party risks intertwine with the national NIS 2 obligations and with ISO/IEC 27001:2022. Compliance, information security and outsourcing management must therefore be coordinated in terms of content, but must not coincide in one hand because MaRisk AT 4.4 requires the functions to be separated.

In practical terms, this means that the compliance officer is responsible for the legal framework, while the information security officer controls security management. Incident reports according to DORA Art. 19 and NIS-2 24- and 72-hour reporting paths must move smoothly between functions. CIVAC maintains an NIS-2 24/72 reporting path and ISO 27001:2022 ISMS templates that are linked to the compliance files. This reduces the risk of an incident being categorised in different ways several times and ensures that the legal and safety assessments come from the same database. Audit-proof, documented, § 80 WpHG-proof. The third-party register is also important: DORA requires a list of all ICT third-party service providers with a criticality rating. Anyone who connects this register to the institute's existing outsourcing database and links it to the compliance obligations avoids a shadow IT list next to the MaRisk outsourcing file and significantly reduces the audit burden for the compliance function. Supplemented by a common classification system for incidents (obligation to report, threshold values, escalation levels), an incident file is created that also reflects DORA, NIS-2, MaRisk AT 4.4 and Section 33 Paragraph 1 BSIG.

Sanctions, fines and personal liability

Violations of compliance obligations in banks affect the institution and management. According to Section 56 of the KWG, there is a risk of fines for intentional or negligent breaches of duty. Section 130 OWiG allows breaches of supervisory duties to be sanctioned with fines of up to 1 million euros, supplemented by the skimming of economic advantages in accordance with Section 17 Paragraph 4 OWiG. The WpHG provides for additional fines for violations of § 80, the GwG sanctions violations of the security measures according to § 56 GwG with up to 150,000 euros, in serious cases with up to 5 million euros or 10 percent of the annual turnover.

The management assumes personal liability via § 25c KWG for money laundering prevention and the general duty of care § 93 AktG or § 43 GmbHG. Supervisory measures range from orders to requests for dismissal to the prohibition of business activities in accordance with Section 36 of the KWG. Reliable orders, documented risk analyses and comprehensible reporting lines act as the most important protective shield here. They shift the direction of evidence: instead of refuting the lack of control, the institute can prove its effectiveness. In practice, this difference determines the level of the sanction and the external impact in the supervisory process. Added to this is the publication practice: BaFin and the ECB publish sanctioning measures, which has reputational consequences that regularly exceed the financial damage. Anyone who can prove effectiveness in the file shortens supervisory procedures and reduces the likelihood of publication with attribution.

Outsourcing the Compliance Function: What's Allowed

Complete outsourcing of the compliance function is not permitted in banks because MaRisk AT 9 requires management to have ultimate responsibility. However, it is permissible to outsource partial tasks or to fill the position externally with a qualified officer-as-a-service, provided that the institute's responsibility is maintained. The outsourcing agreement must regulate content, reporting lines, information rights, termination and emergency planning. Section 25b KWG and EBA guidelines on outsourcing (EBA/GL/2019/02) set the framework, supplemented by DORA Art. 28 ff. for ICT-related outsourcing.

CIVAC works with a dual model here. Licence the workspace for your internal representatives, or have our representatives order it. In the first case, the institute uses audit templates, reporting structures and EU data residency, without external mandate. In the second case, an external person takes on the function, for example as a compliance officer or money laundering officer, integrated into the reporting line to management. In both cases, the institute remains the addressee of BaFin. What is important is the clean interface to internal audit, which checks the compliance function in accordance with MaRisk BT 2 at least annually. Outsourcing without interface clarification creates more risk than relief. The agreement should also include access rights for supervision and auditing, data residency, confidentiality obligations, service levels for inquiries and exit plans so that the function remains operational even if the service provider changes provider or goes bankrupt. Quarterly outsourcing monitoring with key figures on response times, service levels and identified defects should be included in the compliance file and in the annual report to management.

Minimum operational requirements for an auditable compliance file

A compliance file is auditable if an auditor understands without question what was done, by whom, when and with what result. The following components are typically expected from a supervisory perspective: appointment certificate with date and signature; task description; List of obligations with legal sources; annual risk analysis according to MaRisk and AMLA; compliance plan; Report templates for annual and ad hoc reports; training certificates; Escalations with date and status; Outsourcing contracts and their monitoring; representation plan; Minutes of regular coordination with risk, legal and internal audit.

There are also procedural documents: sanctions screening, KYC updates, suspicious activity reports, MAR insider directory, complaint and complaint management files, suspected cases according to the WpHG, gift and invitation registers, whistleblowing reports according to HinSchG. If you sort these components into a version-controlled file, you drastically reduce the preparation time for BaFin and audit inquiries. Others run compliance like a filing cabinet. We run it like software. The CIVAC workspace bundles 490 ready-to-use audit templates and connects them to the assignee roles so that orders, task descriptions, reports and training certificates do not have to be collected from three systems. This creates a file that can be reliably audited. It is also important to have a uniform versioning scheme that links changes to the date, author and reason so that the supervisory authority can trace the maturation path of an obligation over several years. A short reading aid for auditors, such as a two-page file card with references to the order, risk analysis, most recent report and outstanding measures, significantly speeds up the start of every audit.

Lead compliance function with CIVAC

Banks operate under close supervision. The expectation is not perfection, but verifiability. CIVAC is a compliance platform and officer-as-a-service, designed for the officer roles that an institution leads: compliance officer, money laundering officer, information security officer, data protection officer, supplemented by audit templates, a reporting line to management and EU data residency for the storage of sensitive documents. If you want to cleanly combine an NIS-2 24/72 reporting path and ISO 27001:2022 ISMS, you will find both in one file. In this way, the regulatory burden can be transferred to routines instead of being processed on a project-by-project basis.

Licence the workspace for your internal representatives, or have our representatives appoint you. Both paths end in the same auditable file. Three questions make sense for the next steps: Which functions have been ordered, in writing, with a date? Where are the reports from the last 24 months? Which interfaces between compliance, information security and internal auditing are formally regulated? Anyone who identifies gaps here can close them in just a few weeks. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. You will receive structured feedback within two working days with templates and a procedure outline for your institution, tailored to its size, business model and the relevant supervisory practice. In this way, regulatory vagueness becomes a concrete file structure that can be used on a daily basis and at the same time withstands scrutiny.

FAQ

What legal basis obliges banks to have a compliance function?

Relevant are MaRisk AT 4.4.2, § 80 WpHG with MaComp, the GwG as well as the KWG, MiFID II and, from 2026, the DORA regulation. These sources result in ordering obligations, reporting lines and the requirement for independence and resources for the function.

Does a compliance officer always have to be appointed internally?

The ultimate responsibility of the management remains within the institution. However, the person can also be appointed externally as an officer-as-a-service, provided independence, access to information and reporting lines are contractually secured and MaRisk AT 9 for outsourcing is observed.

How often does the compliance function report to management?

At least once a year in accordance with MaRisk AT 4.4.2 No. 7 and on an ad-hoc basis in the event of serious violations or significant changes in the risk situation. The report is sent to management and the supervisory body, supplemented by the MaComp report for investment services in accordance with Section 80 of the WpHG.

What sanctions are there for breaches of duty in the banking sector?

Fines according to Section 56 KWG, Section 56 GwG (up to 5 million euros or 10 percent annual turnover) and Sections 30, 130 OWiG. In addition, there are supervisory orders, requests for dismissal and personal liability of the management in accordance with Section 93 AktG and Section 43 GmbHG.

How does the money laundering officer differ from the compliance officer?

The money laundering officer is responsible for the obligations under the AMLA, including risk analysis, security measures and suspicious activity reports. The compliance officer monitors the entire legal risk according to MaRisk. Both functions must be managed separately and cannot be combined in one person without a justified exception.

What characterizes an auditable compliance file?

An auditable file contains the appointment certificate, task description, catalogue of duties, risk analysis, reports, proof of training, outsourcing documents and escalation processes, version-controlled and with clear responsible persons. The aim is for an auditor to understand, without question, who did what, when and with what result.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles