77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Who needs a compliance officer in the company: duty, thresholds, risk
Governance & Compliance

Who needs a compliance officer in the company: duty, thresholds, risk

21 June 202612 min readBy Dr. Henrik Bauer
CIVAC

There is only an explicit obligation to appoint a compliance officer in a few industries. In fact, Section 130 OWiG forces every management to supervise. This article specifically explains who is responsible and when.

In Germany, an explicit legal obligation to appoint a compliance officer only exists in a few, clearly defined sectors, for example under Section 25a KWG for credit institutions, under Section 80 WpHG for investment service providers and under Section 7 GwG for those obliged to prevent money laundering. Outside of these special laws, the obligation actually arises via Section 130 OWiG, which obliges management to supervise compliance with obligations. Anyone who does not organise this supervision is personally liable for fines of up to 10 million euros and more. Insurers are reducing D&O coverage, banks are reducing credit lines, auditors are refusing to attest.

The question “Who needs a compliance officer?” can therefore rarely be answered with “only large corporations”. As soon as a company carries out regulated activities, processes sensitive data, does business abroad or is responsible for supply chains, the function becomes practically indispensable. This article organises the eight central mandatory sources, names typical thresholds between 50 and 1,000 employees, describes tasks, the appointment certificate and reporting line and shows how CIVAC's compliance platform and Officer-as-a-Service maps the role either as an internal licence or as an external order. You will then receive a decision-making aid for internal versus external staffing, an overview of management's liability and six FAQs on ordering practices. The appointment certificate, signed, filed, verifiable.

Key Takeaways

  • There is an express obligation to order according to Section 25a KWG, Section 80 WpHG and Section 7 GwG, and a de facto obligation according to Section 130 OWiG for every management with a fine limit of up to 10 million euros.
  • Thresholds are not uniform: money laundering from the first liable party, whistleblower protection from 50 employees, NIS-2 from 50 employees or 10 million euros in sales, LkSG from 1,000 employees.
  • The appointment certificate with a catalogue of tasks, resources and a direct reporting line to the management is the central evidence in the procedure according to Section 30 OWiG.

Legal mandatory sources: When there is an express obligation to order

An express obligation to appoint a compliance officer arises from several special laws. Section 25a Paragraph 1 Sentence 3 No. 3 KWG requires credit institutions to have a proper business organisation that expressly includes a compliance function. Section 80 (1) of the WpHG in conjunction with MaComp BT 1.1.1 requires securities service providers to have a permanent, independent compliance function with their own compliance officer. Section 7 of the GwG obliges all parties obliged to comply with the GwG, from the first employee onwards, to appoint a money laundering officer who also carries out compliance tasks. Section 29 VAG prescribes the compliance function for insurance companies as one of the four key functions under Solvency II.

There are also industry-specific requirements. Section 9 (2) ApoG requires pharmacies to have compliance-structured supervision of narcotics. Section 11 MPDG requires medical device manufacturers to have a person responsible for regulatory compliance. Section 14 AMG requires pharmaceutical companies to have a step-by-step plan officer who is responsible for pharmacovigilance compliance. Section 4 of the HinSchG obliges companies with 50 or more employees to set up an internal reporting office, which is regularly attached to the compliance officer. Anyone who works in one of these industries has no choice: the appointment is mandatory, the appointment certificate from the compliance officer must be documented and verifiable to management. Violations are sanctioned not only with a fine, but also with a regulatory warning, a ban on activities and, in an emergency, a licence revocation. The Federal Financial Supervisory Authority regularly checks whether the function, resources and independence of the officers meet the minimum regulatory standards. A missing or incomplete appointment certificate is considered a non-established function from a regulatory perspective and triggers the full cascade of sanctions. The substitute rule is also being examined: Anyone who does not have a designated substitute during vacation or illness periods risks a complaint with the requirement to re-order within four weeks.

§ 130 OWiG: The de facto obligation for every management

Outside the special laws, the obligation to organise a compliance organisation actually arises from Section 130 OWiG. The standard sanctions the violation of supervisory obligations in companies and businesses. Anyone who, as an owner or managing director, fails to take supervisory measures that would have prevented or made a breach of obligations significantly more difficult is acting unlawfully. According to Section 30 OWiG in conjunction with Section 130 OWiG, the fine can amount to up to 10 million euros for intentional offenses and up to 5 million euros for negligent offenses. In the case of antitrust violations, corruption and violations of foreign trade law, special standards with significantly higher fines are added.

The case law of the BGH (judgment of May 9, 2017 - 1 StR 265/16, "Siemens-Neubürger") has made it clear: A proper compliance organisation can reduce fines and reduce the personal liability of management. What constitutes a “proper” organisation depends on size, industry, risk profile and international focus. When the complexity reaches a certain level, the appointment of a dedicated compliance officer is no longer recommended, but is de facto required. CIVAC maps this function in a structured workspace: the task catalogue, reporting line, audit templates, training certificates and the appointment certificate are in one system. The auditor calls, the evidence is ready. Management can provide evidence to supervisory authorities, insurers and auditors at any time about which supervisory measures have been taken and who is responsible for them. Without this documentation basis, the defence in OWi proceedings is reduced to verbal assurances, which rarely convinces the public prosecutor in practice. Audit-proof, documented, § 130 OWiG-proof. The fine authorities of the federal states, the public prosecutor's offices and the sector supervisory authorities (BaFin, BNetzA, BSI) require consistent proof over several years. Anyone who only reconstructs the documentation during the trial has effectively lost the burden of proof.

Thresholds: When an order becomes practically unavoidable

The question of “when” can only be answered using several parallel thresholds. In terms of whistleblower protection, Section 12 of the HinSchG applies to 50 or more employees, and in particularly sensitive sectors such as financial services, insurance and securities trading, from the first employee. In the Supply Chain Due Diligence Act (LkSG), the threshold for 2024 is 1,000 employees; the scope of application will be gradually expanded to smaller companies by the CSDDD from 2027. In money laundering law, the appointment of the money laundering officer is mandatory from the first person obliged to do so, regardless of size.

NIS-2 covers, according to Section 28 BSIG-new, "essential" institutions with at least 250 employees or 50 million euros in sales and "important" institutions with 50 employees or 10 million euros in sales in 18 sectors. Around 29,500 companies in Germany are affected. The management is personally liable; a delegation does not provide relief. For multinational operations, US FCPA requirements, the UK Bribery Act and, since 2023, the EU sanctions regime are added. Medium-sized companies with export business, banking relationships or supply chain risk regularly reach this cumulative threshold with between 50 and 250 employees. Above this size, the appointment of a dedicated compliance officer is rarely negotiable, but rather mandatory from a liability perspective. If you cannot represent the function internally, you can have it filled by an external representative and document the outsourcing in a written agreement with a clear distribution of tasks. CIVAC provides the corresponding audit template for each threshold and checks during onboarding which mandatory sources apply in the specific company. The risk heatmap from the workspace shows where the thresholds have been exceeded and which functions need to be filled accordingly. The deadline expires as soon as it is known, the system records each threshold violation with a time stamp and triggers the associated order request to the management. If you want to grow, you should not discover the next threshold in the annual report, but in a quarterly review with the compliance officer.

Responsibilities of the Compliance Officer: What the role entails

The tasks of a compliance officer can be divided into five core areas: risk identification, regulations, training, monitoring and reporting. When identifying risks, the representative maps business processes, third parties, markets and legal areas. The framework includes guidelines on corruption, antitrust law, data protection, sanctions, money laundering, gifts, conflicts of interest and whistleblowing. The training documents mandatory online modules with confirmation of participation, usually annually, in high-risk functions every six months. In regulated industries, additional special training on MaRisk, MaComp, MAR or pharmacovigilance is provided.

Monitoring is carried out via random checks, supplier due diligence, transaction monitoring, KYC/AML screening and IT-supported evaluations. Reporting requires a direct reporting line to management, and in corporations often also to the supervisory board or audit committee. Section 25c (5) of the KWG prescribes a direct reporting line to management for the AMLA function. The function must be equipped with sufficient resources, professional qualifications and independence from instructions. CIVAC provides audit templates for each of these five pillars, a total of 490 ready-to-use templates, from the risk heatmap to training compliance to the quarterly compliance report to management. Licence the workspace for your internal representatives or have our representatives order it. In both models, the catalogue of tasks remains identical, documented and compliant with Section 130 OWiG. The reporting line is stored in the system; every escalation, every quarterly report and every suspicious activity report is archived with a time stamp and recipient. Management can see in the dashboard which duties are open, which are completed and which are in the red zone, without the representative having to report daily. Ad hoc escalations are triggered via a predefined workflow that informs management, legal counsel and, if necessary, the supervisory board at the same time. This multi-recipient logic prevents the typical weak point that an escalation remains on the desk of a single addressee and no one has reacted in the event of damage.

Appointment certificate and reporting line: The two central documents

The appointment certificate is the central document of the compliance function. It contains the catalogue of tasks, the resources, the direct reporting line to management, the right to issue instructions in compliance-relevant areas, the dismissal protection regime and the period of validity. Without a signed appointment certificate, the function is considered not to have been established for regulatory purposes. In the procedure according to Section 30 OWiG, the missing appointment certificate is usually the point at which the defence against an accusation of breach of supervisory duty collapses. During the investigation, the public prosecutor's office first checks whether a written order with date and signature is available.

The reporting line is the second key document. It regulates to whom the representative reports, at what frequency, in what format and with what escalation path in the event of suspected cases. Section 25h KWG, Section 81 WpHG and Section 7 GwG expressly require a direct reporting line to the management. This must not be weakened via intermediate stages. The reporting line of the money laundering officer is a special case: it is addressed to the management and must be reflected in parallel to the supervisory authorities. CIVAC provides both documents as an audit template. The appointment certificate is stored in the workspace, provided with a qualified electronic signature and linked to the representative's personnel file. The reporting line is hard-coded in the task catalogue, and each quarterly report runs via a predefined workflow. The appointment certificate, signed, filed, verifiable. Audit-proof, documented, § 130 OWiG-proof. If the management changes, the appointment certificate is supplemented by a follow-up order, and the workspace documents the change in an audit-proof manner. The change in reporting line (e.g. from Managing Director A to Managing Director B) is also reflected in a connection certificate without the functionality becoming incomplete during a transitional period. In M&A cases, such as carve-outs or integration, both documents are the central handover artifacts for buyers, sellers and supervisors.

Internal or external: The two ordering models in comparison

Companies can appoint a compliance officer internally, for example as a staff position for the board of directors, or appoint an external representative. Both models are permissible under supervisory law as long as the requirements for qualifications, independence and resources are met. Internal ordering offers short routes, deep business understanding and immediate availability. However, it requires full personnel costs, continuous training and a replacement arrangement in the event of illness or vacation. If there is a vacancy, there is a risk of a regulatory gap, which in the worst case scenario will lead to a complaint in the next special audit.

The external order via a specialised service provider offers immediate availability, broad industry experience, a representative in the team and predictable costs. Section 25h Para. 7 KWG expressly allows outsourcing, provided that control and responsibility remain in-house. For medium-sized companies with 50 to 500 employees, the external solution is often more economical because the function must cover several disciplines (data protection, corruption, money laundering, sanctions) and does not justify a full-time position. CIVAC offers both models in one system. The internal variant licences the workspace, the external representative works in the same workspace, so the transition is smooth. The SLA for external orders is 2 working days, instead of the classic 2 to 6 weeks via law firms. The catalogue of tasks, appointment certificate, reporting line and audit templates are activated with the order. Management can see in the dashboard which tasks are open, which have been completed and which have been escalated. Licence the workspace for your internal representatives or have our representatives order it, the choice is yours, the system supports both models. If a company switches from the external model to the internal one, all documentation remains in the workspace and the transition takes place without data migration.

Liability of management: What threatens without a compliance officer

Any managing director who does not set up a compliance organisation is personally liable. § 43 GmbHG and § 93 AktG require the care of a prudent businessman. If the managing director breaches this duty, he may be liable to the company for damages. Section 130 OWiG applies to personal fines, Section 30 OWiG applies to association fines against the company. In the case of intentional crimes, the maximum limit is 10 million euros, and in special cases such as violations of EU sanctions regulations, it is significantly higher. In the case of antitrust violations, fines of up to 10 percent of group sales are added, which can quickly reach three-digit million amounts for larger companies.

Internal liability under civil law is increasingly being treated restrictively by D&O insurers. Anyone who cannot provide evidence of a documented compliance organisation risks denial of coverage in the event of a claim. In the event of insolvency, the managing director may also be liable to the insolvent estate if breaches of compliance obligations have led to fines or claims for damages. Under criminal law, Section 14 of the Criminal Code can justify the representative's responsibility for failure to take supervisory measures. Prison sentences are possible for corruption offenses, money laundering, tax evasion or violations of foreign trade law. The appointment of a compliance officer is therefore not only a regulatory obligation, but also personal risk protection for management. It shifts the supervisory responsibility to a dedicated function, documents the resources and demonstrates the diligence of management in the process. CIVAC structures this risk protection via the workspace, with an appointment certificate, reporting line and audit-proof documentation of all supervisory measures. The deadline expires as soon as it is known, the workspace records receipt, evaluation and reaction with a time stamp so that management can prove in the process when they knew what and how the reaction was. The auditor calls, the evidence is ready. This shift of oversight into a documented function is the core contribution of a proper compliance organisation.

Special industry rules: banks, insurers, health, industry

Banks and savings banks are subject to Section 25a KWG, MaRisk AT 9 and MaComp BT 1. They require a compliance function with a compliance officer and deputy compliance officer, as well as a money laundering officer and a WpHG compliance officer. BaFin checks the function in regular special audits. Investment service providers also fall under Section 80 of the WpHG and MiFID II. Insurance companies are subject to Section 29 of the VAG and MaGo; they require an independent compliance function as one of the four key functions under Solvency II. Pension funds and pension funds follow a regime based on Solvency II with their own reporting obligations.

In the healthcare sector, Section 11 of the MPDG requires medical device manufacturers to have a person with responsibility for regulatory compliance who reports directly to management reported. Section 14 AMG requires pharmaceutical companies to have a step-by-step plan officer who takes on compliance tasks in pharmacovigilance. In industry, the obligation often arises from export controls (Section 22 AWV), antitrust law (Section 81 GWB) and corruption prevention (Section 299 StGB). Anyone who does business as a mechanical engineer or chemical company in the USA, China or the Middle East is also subject to the FCPA, the UK Bribery Act and the EU sanctions regime. CIVAC maps these industry rules in specialised workspace configurations. Banks receive MaComp-compliant templates, insurers receive Solvency II-compliant templates, and pharmaceutical companies receive MPDG/AMG workflows. The Overview of all 25 representative roles shows which configuration is used per industry. Licence the workspace for your internal representatives or have our representatives order it. The industry configuration is activated in onboarding, the task catalogue and audit templates adapt automatically. Anyone who covers several industries at the same time, such as an insurance asset manager with a banking licence, combines the configurations in one workspace without having to separate task catalogues or reporting lines.

From reading to ordering: How to fill the role with CIVAC

The answer to “Who needs a compliance officer?” can be answered with “you” for most medium-sized and larger companies. Whether derived from Section 25a KWG, Section 80 WpHG, Section 7 GwG or Section 130 OWiG, the function can rarely be dispensed with in everyday supervisory law. The question is not whether, but rather how quickly and in which model the order will be placed. CIVAC offers two ways: the internal licence of the Compliance Workspace or the external order via Officer-as-a-Service. Both paths lead to the same result: a signed appointment certificate, a documented reporting line, an audit-proof audit archive.

The internal licence is aimed at companies that already have or hire a compliance officer in-house, but want to take over the system, the audit templates and the reporting structures from him. The workspace includes appointment certificate, reporting line, 490 audit templates, risk register, training module and audit-proof documentation. The external appointment is aimed at companies that need to fill the role immediately or do not have their own resources. CIVAC representatives take on the role with an SLA of 2 working days, the workspace remains in the company, the reporting line goes to the management. Both models run with EU data residency, ISO/IEC 27001:2022 certified ISMS and audit-proof archiving. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. The next step is a 30-minute initial consultation in which we determine the risk radius, the mandatory sources and the appropriate ordering model. The appointment certificate, signed, filed, verifiable. The signed document is available within two working days, the workspace is activated, and the representative is required to report. For more complex configurations, such as group-wide orders with subsidiaries in several sectors, we plan the setup in the initial consultation and set a fixed activation date.

FAQ

Is there a general legal obligation to appoint a compliance officer in Germany?

No, there is no cross-sector obligation. Special laws such as Section 25a KWG, Section 80 WpHG and Section 7 GwG prescribe the appointment for regulated industries. Outside these sectors, the obligation actually arises from Section 130 OWiG, which obliges management to supervise and sanctions violations with fines of up to 10 million euros. CIVAC documents the function in an audit-proof workspace with an appointment certificate and reporting line.

At what size company is a compliance officer mandatory?

There is no rigid threshold. In whistleblower protection, the obligation applies to 50 employees, in the LkSG to 1,000 employees, and in money laundering law from the first obligated person. Based on Section 130 OWiG, the appointment of medium-sized companies with around 50 to 250 employees is regularly required from a liability perspective. For multinational activities or regulated industries, the threshold is significantly lower and often begins at the time of founding.

Can a managing director take on the compliance function on a personal basis?

Theoretically yes, but in practice it is not recommended. The function requires independence from operational decisions. In regulated industries such as banking and securities trading, personal unions are not permitted under supervisory law. In all other sectors it weakens the defence in the OWi procedure because the supervisory function coincides with the function to be supervised. CIVAC recommends a separate function, licensed internally or ordered externally.

How much does an external compliance officer cost in a medium-sized company?

The costs depend on the industry, size and risk profile. An external compliance officer appointment costs between 1,200 and 4,500 euros per month for medium-sized companies, depending on the hourly quota and scope of the order. CIVAC offers flat-rate models with a defined scope of services and an order SLA of 2 working days. Audit templates, reporting lines and workspace are included in the flat rate; additional work is billed transparently.

What qualifications does a compliance officer have to have?

It is only required by law in regulated industries, such as MaComp and MaRisk. The qualification usually consists of legal or economic training, relevant professional experience and certified compliance training. CIVAC representatives are trained and continuously trained in accordance with DIN ISO 19600 and specific industry standards. The qualification is documented in the appointment certificate and verified to management.

How long does it take to appoint a compliance officer via CIVAC?

The SLA for an external order is 2 working days from the order to the signed appointment certificate and activation of the workspace. Classic orders via law firms usually take 2 to 6 weeks. Within 2 working days, the appointment certificate, catalogue of tasks and reporting line are available, the representative is required to report, and the system is activated.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles