The likelihood of the assessment of a company’s compliance management system (CMS) by a court is high once criminal conduct within a company is subject to investigation. To prevent management’s civil and criminal liability, a CMS shall be efficient and able to identify risks as well as to control and prevent compliance-related transgressions.

The fight against corruption has intensified over the past few years in Austria, highlighting the importance of corporate compliance. In line with this development, Austrian corporations are increasingly implementing compliance management systems (“CMS“) to ensure compliant behaviour. Since there is still a lack of case-law in Austria regarding what qualifies as being legally sufficient for such CMS, and for their effective implementation, a German landmark decision ruled by the District Court of Munich (No. 5 HK O 1387/10; the “Court“) is all the more important. The case was settled out of court, so the Court’s decision will never become legally effective. However, it is still likely that Austrian courts will refer to the German decision, as the legislation on director’s compliance obligations is essentially the same in Austria. Thus, the ruling is also highly relevant for Austrian directors and management bodies of corporations, regardless of whether they run a joint stock company, or a limited liability company.

The Court’s case in a nutshell

Since the 1980’s, Siemens had a system of so-called “black accounts” that around 2001, turned into a system of sham contracts for consulting services. The money running outside of bookkeeping was used to conduct bribes in foreign countries. These bribes were made over a long period of time, despite the fact that the company had an established CMS. This unlawful situation was repeatedly pointed out to the management board, which, consequently, reorganised the firm’s CMS in 2004. Still, those measures did not suffice to stop the non-compliant behavior.

In 2008, Siemens was penalised in terms of court rulings in Germany and the United States, as well as by the US Securities and Exchange Commission. Siemens was ordered to pay fines and penalties in the aggregate amount of approximately EUR 1.2 billion, as well as a further EUR 13 million in legal fees. Siemens sued numerous members of their management board for damages, but ultimately settled all cases. The case against the firm’s former CFO is the only one that went to trial before settlement, with Siemens claiming damages in the amount of EUR 15 million as a partial claim. The Court held the former CFO liable for breach of duty with regard to an inadequate CMS.

Legal basis for management’s liability

The Court based its decision on the so-called duty of legality (Legalitätspflicht), according to which a director is on the one hand not allowed to order a legal infringement, and on the other hand, has to ensure that the corporation is organised and supervised in such a way that a legal infringement may not occur. This duty of legality is also generally accepted under Austrian law. It is derived from the general duty of acting with the “diligence of a prudent and conscientious manager” (Sorgfalt eines ordentlichen und gewissenhaften Geschäftsleiters), which is codified in Article 84 para 1 of the Austrian Stock Corporation Act, and Article 25 para 1 of the Austrian Limited Liability Companies Act.

The Court held that – irrespective of its actual legal foundation – the duty of legality is only sufficiently met if the management board complies with its organisational duty (Organisationspflicht) to implement a CMS based on effective prevention and risk control. The scope of such CMS depends on the type of activity, the company’s size and organization, the relevant regulations, the geographical presence, and the (suspected) cases of non-compliance in the past.

By recognising these factors, the Court acknowledged that the specific form of what would constitute an effective and adequate CMS, is in fact at the management board’s discretion. Therefore, it would be wrong to assume that every legal infringement constitutes a breach of a director’s duty of legality. Such an assumption would imply a strict liability (Erfolgshaftung) for directors, which is not established in Austria.

Based on an objective standard of due care, the responsible CFO should have been aware that these measures were not sufficient to prevent further legal infringements – especially since further cases of suspected bribery came to his attention afterwards. As Austrian criminal law has established the liability of guarantor status (Garantenhaftung), it can be understood that this principle would be applicable in a criminal court case in Austria (see Article 2 of the Austrian Criminal Code). It is a guarantor’s obligation to protect the company from criminal offences and damages. An omission of such obligation is punishable by Austrian law.

Specific compliance measures arising from the Court’s decision

The Court’s decision established several key elements for an effective CMS which are transferable and applicable for Austrian corporations. It gives a glimpse into the requirements to be met by management when acting with the objective standard of “diligence of a prudent and conscientious manager”.

With regard to recurring bribery suspicions, the management board should review the efficiency of the existing CMS and take the steps necessary to improve it in a sufficient manner. The management board has the obligation to create clear rules about whose main responsibility it is to ensure compliant behavior within the company. In light of the firm’s size and its existing exposure to compliance breaches, a clear allocation of organisational compliance responsibility amongst the directors should be implemented. Furthermore, the management should ensure that the persons in charge of compliance have sufficient authority to draw the necessary consequences for violations.

Individuals may not rely on the argument that they have no right to instruct certain employees or departments, because this would contradict the overall responsibility of the management board for a functional compliance system. The management board should actively step in and create an organisational structure to ensure a direct reporting line with a corresponding disciplinary competence.

Further, the management board should make sure that it is being provided with the results of internal investigations, as well as information about consequences for personnel, and especially about how to avoid continued compliance breaches. Management’s investigation duties are quite extensive: it is not sufficient for them to take care only of a case at hand, but rather they must also make sure there are no other similar cases in existence.

Ultimately, the Court held that a director cannot rely on the fact that the term “compliance” had not yet been fully established during the time period in question: though the term itself may be quite new, the underlying principle, namely that the management board has to take care that the company and its employees comply with legal requirements, is not.

One cannot stress enough that the omission of implementing an efficient CMS, and reviewing its effectiveness is a breach of duty. It is the obligation of the entire management board to constantly review, and verify that the implemented system is suited to prevent infringements of mandatory laws.

Fortunately, both the Austrian (ONR 192050), and international (ISO 19600) standards now provide guidance to reduce liability, though it always depends on the individual case.

Challenge yourself

  • Is the CMS established within your corporation able to identify, control, and prevent compliance risks and transgressions?
  • Is the entire management board being kept in the loop, and do they have sufficient information and power to create, monitor, and – if necessary – adjust a functioning CMS?
  • Does the CMS provide clear reporting lines, and sufficient power for the person in charge to draw the necessary personnel and structural consequences for compliance violations?

The knowledge that measures are not sufficient to prevent legal infringements may lead to civil and criminal liability of the management.