Introduction

The fight against corruption has intensified in recent years and corporate compliance has thus become an increasingly important issue. As such, Austrian corporations have begun implementing compliance management systems to ensure compliant behaviour. As there is still a lack of Austrian case law regarding the legal sufficiency of compliance systems and their effective implementation, a recent landmark Munich District Court decision(1) in this regard is highly important. While the case was eventually settled out of court, it is likely that Austrian courts will refer to the German decision, as the legislation on directors' compliance obligations is essentially the same in Austria. Thus, the ruling is highly relevant for Austrian directors and management boards, regardless of whether they run a joint stock company or a limited liability company.

Facts

Since the 1980s, Siemens had a system of so-called 'black accounts' that later (around 2001) turned into a system of sham contracts for consulting services. The money was used to pay bribes in foreign countries. These bribes were paid over a long period, despite the fact that the company had an established compliance system. This unlawful situation was repeatedly pointed out to the management board, which led the board to reorganise the firm's compliance system in 2004. However, those measures were insufficient to stop the non-compliant behaviour.

The case against the company's former chief financial officer (CFO) was the only one that went to trial before settlement. Siemens claimed damages totalling €15 million as a partial claim. The Munich District Court agreed with Siemens and held that the former CFO was liable for breach of duty with regard to the organisation's inadequate compliance system.

Legal basis for management's liability

The court based its decision on the so-called 'duty of legality', according to which a director is on one hand not allowed to order an infringement of law and, on the other hand, must ensure that the corporation is organised and supervised in such a way that an infringement of law cannot occur. This duty of legality is generally accepted under Austrian law. It derives from the general duty of acting with the "diligence of a prudent and conscientious manager", which is codified in Article 84(1) of the Stock Corporation Act and Article 25(1) of the Limited Liability Companies Act.

The German court held that – irrespective of its actual legal foundation – the duty of legality is sufficiently met only if the management board complies with its organisational duty to implement a compliance system based on effective prevention and risk control. The scope of a compliance system depends on the company's:

  • activities;
  • size and organisation;
  • relevant regulations;
  • geographical presence; and
  • suspected cases of non-compliance in the past.

As Austrian criminal law has established the liability of guarantor status, this principle applies in Austrian criminal court cases (see Article 2 of the Criminal Code). Guarantors are obliged to protect the company from criminal offences and damages. A failure to meet this obligation is punishable under Austrian law.

Compliance measures

The decision establishes several key elements of an effective compliance management system that apply to Austrian corporations. Further, it highlights the management board's obligation to act with the "diligence of a prudent and conscientious manager".

With regard to recurring bribery suspicions, management boards must review the efficiency of their compliance systems and take steps to improve them in a sufficient manner. Further, they must establish clear rules about whose main responsibility it is to ensure compliant behaviour within the company. Considering the company's size and exposure to compliance breaches, a clear organisational allocation of compliance responsibility among the directors must be implemented. Further, management boards must ensure that the persons in charge of compliance have sufficient authority to take the necessary measures in case of violations.

Individuals may not rely on the argument that they have no right to instruct certain employees or departments, because this would contradict the overall responsibility of a management board in a functioning compliance system. Management boards must actively step in and establish an organisational structure to ensure that there is a direct reporting line and corresponding disciplinary competence.

Further, management boards must ensure that they are provided with the results of internal investigations, information about personnel misconduct and consequences of misconduct and, most importantly, how to fight the underlying system of continuing compliance breaches. Management boards have extensive investigation duties – they must not only consider the case at hand, but also ensure that there are no other similar cases.

Ultimately, according to the court, directors cannot rely on the fact that the term 'compliance' has not been fully defined. Although the term may be relatively new, the underlying principle – that is, that a management board must ensure that the company and its employees comply with legal requirements – is not.

The failure to implement an efficient compliance system and review its effectiveness is a breach of duty. The entire management board must review and verify that the implemented system is capable of preventing infringements of law.

Fortunately, there are now Austrian (ONR 192050) and international (ISO 19600) standards that provide guidance to reduce liability, although the circumstances of each case must always be considered.

Comment

It is important for businesses to ensure that their compliance management systems:

  • can identify, control and prevent compliance risks appropriate to the assessed risk of non-compliance;
  • keep the entire management board in the loop and provide the board with sufficient information and power to create, monitor and (if necessary) adjust the compliance system; and
  • provide clear reporting lines and sufficient power for the individuals in charge to take the necessary disciplinary and structural measures in case of compliance violations.

For further information on this topic please contact Heidemarie Paulitsch or Michail Fouzailov at Schoenherr by telephone (+43 1 53 43 70) or email (h.paulitsch@schoenherr.eu or m.fouzailov@schoenherr.eu).The Schoenherr website can be accessed at www.schoenherr.eu.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.