The fight against corruption has intensified over the past few years, causing the issue of corporate compliance to become ever more important. In step with this development, corporations are increasingly implementing compliance management systems to ensure compliant behavior. However, there is still a lack of case-law in Austria as to the legal sufficiency of such systems and their effective implementation. For this reason, a recent decision on this issue by the District Court of Munich No I (Landgericht München I; the "Court") is all the more important.
In its landmark decision of 10 December 2013 (Case No. 5 HK O 1387/10), the Court ordered a former Siemens CFO to pay EUR 15 million in damages for breach of duty with regard to an inadequate compliance organization. It is now known that the case was settled out of court, so the Court's decision will never become legally effective. Nevertheless, the ruling is highly relevant for both German and Austrian directors, regardless of whether they run a joint stock company or a limited liability company. It is likely that Austrian courts will refer to the German decision, as the legislation on directors' compliance obligations is essentially the same in Germany and in Austria and there is not yet any Austrian case-law in this regard.
Facts of the case
Since the 1980s, Siemens had maintained a system of so-called "black accounts" that later, around 2001, turned into a system of sham contracts for consulting services. The money kept outside the bookkeeping was used to pay bribes in foreign countries. These bribes were paid over a long period of time, despite the fact that the company had an established compliance system.
This unlawful situation was repeatedly pointed out to the management board, which is why the board reorganized the firm's compliance system in 2004. Amongst other measures, Siemens introduced a Chief Compliance Officer and restricted the amount of cash withdrawals from the company's bank accounts. Still, those measures did not suffice to stop the non-compliant behavior.
In 2008, court rulings in Germany and the United States as well as penalties by the U.S. Securities and Exchange Commission forced Siemens to pay fines and penalties in the aggregate amount of approximately EUR 1.2 billion, as well as a further EUR 13 million in legal fees. Siemens sued numerous members of its management board for damages, but ultimately settled all cases. The case against the firm's former CFO is the only one that went to trial before settlement, with Siemens claiming damages in the amount of EUR 15 million as a partial claim. The Court fully agreed with Siemens and held the former CFO liable for breach of duty.
The Court's decision
The Court based its decision on the so-called duty of legality (Legalitätspflicht), according to which a director is, on the one hand, not allowed to order an infringement of the law and, on the other hand, has to make sure that the corporation is organized and supervised in such a way that an infringement of the law may not occur. This duty is not codified, but generally accepted. The duty of legality is only sufficiently met if the management board complies with its organizational duty (Organisationspflicht) to implement a compliance system based on effective prevention and risk control. The scope of such compliance systems depends on the type of activity, the company's size and organization, the relevant regulations, the geographical presence, and the (suspected) cases of non-compliance in the past.
By recognizing these factors, the Court acknowledged that the specific form of an effective and adequate compliance system is at the management board's discretion. Therefore, it would be wrong to assume that every law infringement constitutes a breach of a director's duty of legality. Such an assumption would imply a strict liability for directors, which is not established in Germany and Austria.
With regard to recurring compliance breaches in the past, the Court held that the implementation of an inadequate compliance system and the insufficient supervision thereof establish a breach of duty. Especially since it was informed about bribery suspicions time and again, Siemens' management board should have reviewed the efficiency of the existing compliance system and taken the steps necessary to improve upon it.
It is the obligation of the management board to constantly review and verify that the implemented system is suited to prevent infringements of mandatory laws. Such obligation can neither be delegated to divisional directors, since they are not directors in the meaning of corporate law, nor can a director invoke that another board member had the responsibility to ensure a functioning compliance system, especially if the system is clearly not functioning. In such a case, it is part of each board member's monitoring obligation to work towards a board resolution on the implementation of a functioning compliance system. If an individual board member fails to persuade the other members of the board, they cannot even invoke that the management board was not able to agree on such a board resolution. Instead, the outvoted director may need to notify the supervisory board about the situation and thereby trigger an escalation process.
Finally, the Court established that the former CFO cannot rely on the fact that the term "compliance" had not been fully established yet during the time period in question: though the term itself may be quite new, the underlying principle, namely that the management board has to take care that the company and its employees comply with legal requirements, is not.
Since simple negligence is sufficient for a breach of duty according to Article 93 para 1 of the German Stock Corporation Act (identical to Article 84 para 1 of the Austrian Stock Corporation Act), the Court held that the former CFO culpably breached the duty of acting with the diligence of a prudent and conscientious manager (Sorgfalt eines ordentlichen und gewissenhaften Geschäftsleiters). The same standard applies to directors of limited liability companies (Article 25 para 1 of the Austrian Limited Liability Companies Act).
Though the Court recognized that the former CFO had made some efforts to improve upon the implemented compliance system, it ruled that those measures were insufficient. Based on an objective standard of due care, the former CFO should have known that these measures were not sufficient to prevent further law infringements – especially since further cases of suspected bribery came to his attention afterwards.
- The establishment of a functioning compliance system and the review of its suitability is the obligation of the management board as a whole. This obligation cannot be delegated to a specific board director or to an employee.
- A functioning compliance system has to be based on and enable effective prevention and risk control. The specific form of such a compliance system is at the management board's discretion.
- In case the management board either fails to establish a functioning compliance system or adapts a non-functioning compliance system, its members may be individually (and collectively) liable for damages.