Commission Implementing Decision (EU) 2022/1297 of 22 July 2022 on the adequacy o... (32022D1297)
EU - Rechtsakte: 17 Law relating to undertakings

COMMISSION IMPLEMENTING DECISION (EU) 2022/1297

of 22 July 2022

on the adequacy of the competent authorities of the United States of America pursuant to Directive 2006/43/EC of the European Parliament and of the Council

(notified under document C(2022) 5113)

(Text with EEA relevance)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (1), and in particular Article 47(3), first subparagraph, thereof,
Whereas:
(1) By Commission Implementing Decision (EU) 2016/1156 (2), the Commission considered that the competent authorities of the United States of America, namely the Public Company Accounting Oversight Board and the Securities and Exchange Commission, meet requirements that are adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC. That Implementing Decision will cease to apply on 31 July 2022. Therefore, it is necessary to determine whether the competent authorities of the United States continue to meet requirements that are adequate for the transfer to them of audit working papers or other documents held by statutory auditors or audit firms and inspection or investigation reports.
(2) When inspections or investigations are carried out, statutory auditors and audit firms should not be allowed to grant access to or to transmit their audit working papers or other documents to the competent authorities of the United States under any other conditions than those set out in Article 47 of Directive 2006/43/EC.
(3) Member States are to ensure that the working arrangements required by Article 47(1), point (d), of Directive 2006/43/EC to transfer audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports between their competent authorities and the competent authorities of the United States are agreed on the basis of reciprocity and include protection of any professional secrets and sensitive commercial information contained in such papers relating to the entities audited, including their industrial and intellectual property, or to the statutory auditors and audit firms that audited those entities.
(4) Where a transfer of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports to the competent authorities of the United States involves the transfer of personal data, such a transfer is lawful only if it also complies with the requirements for international data transfers laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council (3). Article 47(1), point (e), of Directive 2006/43/EC therefore requires Member States to ensure that the transfer of personal data between their competent authorities and the competent authorities of the United States complies with any applicable data protection principles and rules and, in particular, with the provisions of Chapter V of Regulation (EU) 2016/679. Member States should ensure that appropriate safeguards for the transfer of personal data are provided for, in accordance with Article 46 of that Regulation. In addition, Member States should ensure that the competent authorities of United States will not further disclose personal data contained in the documents transferred without the prior agreement of the competent authorities of the Member States concerned.
(5) Member States may accept that inspections by their competent authorities are carried out jointly with the competent authorities of the United States where this is necessary to ensure effective supervision. Member States may allow that cooperation with the competent authorities of the United States takes place under the form of joint inspections or through observers without inspection or investigation powers and without access to the confidential audit working papers, to other documents held by statutory auditors or audit firms, or to inspection or investigation reports. It is necessary that such cooperation always takes place under the conditions set out in Article 47(2) of Directive 2006/43/EC, in particular as regards the need to respect sovereignty, confidentiality and reciprocity. Any joint inspections carried out in the Union by their competent authorities and the competent authorities of the United States under Article 47 of Directive 2006/43/EC will be under the leadership of the competent authority of the Member State concerned.
(6) Pursuant to the Sarbanes-Oxley Act of 2002 (4), in the United States of America, the Public Company Accounting Oversight Board has competence in the public oversight, external quality assurance, investigation and sanctions of auditors and audit firms. The Public Company Accounting Oversight Board implements adequate safeguards prohibiting and sanctioning disclosure by its current and former employees of confidential information to any third person or authority. Under the laws and regulations of the United States, the Public Company Accounting Oversight Board may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Public Company Accounting Oversight Board continues to meet requirements which should be declared adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC.
(7) Pursuant to the Sarbanes-Oxley Act of 2002, in the United States of America, the Securities and Exchange Commission has oversight and enforcement authority over the Public Company Accounting Oversight Board. The Securities and Exchange Commission has competence in investigating auditors and audit firms; this Decision should therefore only cover the competences of the Securities and Exchange Commission of the United States to investigate auditors and audit firms. The Securities and Exchange Commission implements adequate safeguards prohibiting and sanctioning disclosure by its current and former employees of confidential information to any third person or authority. Under the laws and regulations of the United States, the Securities and Exchange Commission may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC, which relate to investigations it may perform on such auditors and audit firms. On that basis, the Securities and Exchange Commission continues to meet requirements which should be declared adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC.
(8) The Committee of European Auditing Oversight Bodies has reassessed the legal framework in the United States, based on the Sarbanes-Oxley Act, which has not fundamentally changed since the adoption of Implementing Decision (EU) 2016/1156. Taking into account the technical assessment of the Committee of European Audit Oversight Bodies referred to in Article 30(7), point (c), of Regulation (EU) No 537/2014 of the European Parliament and of the Council (5), the Securities and Exchange Commission and the Public Company Accounting Oversight Board continue to meet requirements that should be declared adequate for the purposes of Article 47(1), point (c), of Directive 2006/43/EC.
(9) This Decision should not affect the cooperation arrangements referred to in Article 25(4) of Directive 2004/109/EC of the European Parliament and of the Council (6).
(10) Any conclusion on the adequacy of the requirements met by the competent authorities of a third country pursuant to Article 47(3), first subparagraph, of Directive 2006/43/EC does not pre-empt any decision that the Commission may adopt on the equivalence of the public oversight, quality assurance, investigation and penalty systems for auditors and audit entities of that third country pursuant to Article 46(2) of that Directive.
(11) Several Member States’ competent authorities have working arrangements with the Public Company Accounting Oversight Board, as referred to in Article 47(1) of Directive 2006/43/EC. In most cases, there is also a Data Protection Agreement under Regulation (EU) 2016/679 or under national law based on Directive 95/46/EC of the European Parliament and of the Council (7), which was repealed by that Regulation.
(12) The ultimate objective of cooperation on audit oversight between Member States’ competent authorities and the competent authorities of the United States is to reach mutual reliance on each other’s oversight systems. In that way, transfers of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports should become the exception. Mutual reliance would be based on the equivalence of auditor oversight systems of the Union and of the United States.
(13) Following Implementing Decision (EU) 2016/1156, several Member States’ competent authorities and the competent authorities of the United States have organised joint inspections. Some competent authorities of the Member States have implemented partial reliance, including by performing quality control inspections on which the Public Company Accounting Oversight Board has placed some reliance, and by dividing some focus areas of file inspections between them. For the functioning of capital markets, it is important that the competent authorities of the Member States and the competent authorities of the United States are able to continue the good cooperation after 31 July 2022 with the objective of reaching mutual reliance on each other’s oversight systems. However, in absence of full reliance, considering that the derogation provided for in Article 46 of Directive 2006/43/EC is based on the principle of reciprocity, this Decision should be applicable for a limited period.
(14) Notwithstanding the time limitation, the Commission, assisted by the Committee of European Audit Oversight Bodies, will monitor on a regular basis the market developments, evolution of the supervisory and regulatory frameworks and the effectiveness and experience of supervisory cooperation. In particular, the Commission may undertake a specific review of this Decision at any time before the end of its period of application where relevant developments make it necessary to re-assess the declaration of adequacy granted by this Decision. Such re-assessment may lead to the repeal of this Decision.
(15) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (8) and delivered an opinion on 13 May 2022.
(16) The measures provided for in this Decision are in accordance with the opinion of the Committee established by Article 48(1) of Directive 2006/43/EC,
HAS ADOPTED THIS DECISION:

Article 1

The Public Company Accounting Oversight Board of the United States of America and the Securities and Exchange Commission of the United States of America meet requirements which shall be considered adequate within the meaning of Article 47(1), point (c), of Directive 2006/43/EC for the purpose of transfers of audit working papers or other documents held by statutory auditors or audit firms and of inspection and investigation reports under Article 47(1) of that Directive.

Article 2

1.   Where audit working papers or other documents held by statutory auditors or audit firms are exclusively held by a statutory auditor or audit firm registered in a Member State other than the Member State where the group auditor is registered and whose competent authority has received a request from any of the authorities referred to in Article 1, such papers or documents shall be transferred to the requesting competent authority only if the competent authority of the first Member State has given its express agreement to the transfer.
2.   Any bilateral working arrangements between the competent authorities of the Member States and the competent authorities of the United States of America shall comply with the conditions laid down in Article 47 of Directive 2006/43/EC.

Article 3

This Decision shall apply from 1 August 2022 to 31 July 2028.

Article 4

This Decision is addressed to the Member States.
Done at Brussels, 22 July 2022.
For the Commission
Mairead MCGUINNESS
Member of the Commission
(1)  
OJ L 157, 9.6.2006, p. 87
.
(2)  Commission Implementing Decision (EU) 2016/1156 of 14 July 2016 on the adequacy of the competent authorities of the United States of America pursuant to Directive 2006/43/EC of the European Parliament and of the Council (
OJ L 190, 15.7.2016, p. 83
).
(3)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).
(4)  Public Law 107–204, 30 July 2002, 116 Stat 745.
(5)  Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC (
OJ L 158, 27.5.2014, p. 77
).
(6)  Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC (
OJ L 390, 31.12.2004, p. 38
).
(7)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (
OJ L 281, 23.11.1995, p. 31
).
(8)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
Markierungen
Leseansicht