Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
Corporate risk and compliance management is gaining ever more importance in Germany. The trend started in the late 1990s, when corruption of foreign officials became a criminal offence, fuelled by cases where the European Commission imposed massive antitrust fines and by the German Federal Court ruling that supervisory boards are obliged to assert and claim damage compensation from management board members if damage for the company results from an infringement of their duty of care.
Compliance management was believed to have reached its peak in Germany following the Siemens corruption scandal of 2006. In reality, as recent cases show, a peak has not yet been reached (see question 18). Nowadays, the main drivers are as follows. Firstly, financial industry regulation, which develops risk and compliance management concepts that are also implemented in other industries and in the public sector. Secondly, the commitment of tax and law enforcement authorities, high-volume damage claims as well as civil and criminal court rulings give reason to introduce and improve corporate risk and compliance management systems.
As fines and claims for damages have been causing losses of billions of euros in several cases because of violations of antitrust laws, capital market obligations or anti-corruption laws, this has attracted not only the attention of investors and the media in Germany but also of large companies and led to the introduction of comprehensive risk management and compliance structures. Today, the trend towards introducing systematic corporate risk and compliance management systems is also extending into German Mittelstand (medium-sized companies), particularly as the legal requirements are not predominantly differentiated according to company size.
It is important to note that corporate risk and compliance management is also of fundamental personal importance to management and supervisory board members and responsible employees, since they may personally be held liable - not only for violations of the laws (eg, anti-corruption legislation) but also for infringements of duty of care regarding proper risk and compliance management (eg, insufficient measures to prevent infringement of laws and failure to react when evidence for weaknesses in the systems arises). This in turn may result in damage claims, criminal prosecution and administrative fines against them.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
The following legal provisions may be regarded as important rules addressing corporate risk and compliance management:
- Each member of the board of directors of a stock corporation is subject to the duty of legality, according to which due care includes both personal compliance with laws and taking care of the company’s compliance with laws and internal directives (common understanding based on sections 76 and 93 German Stock Corporation Act). Managers of companies of other legal forms, for example, limited liability companies, are also legally responsible for ensuring that the represented company complies with laws.
- Risk management is a specific duty for the management board of a stock corporation pursuant to section 91 paragraph 2 German Stock Corporation Act: the board must take appropriate measures - in particular, setting up a monitoring system so that developments that threaten the company’s existence are detected at an early stage.
- Inadequate supervision by the board of directors or company owner to prevent legal violations by employees of the company can be punished with massive fines against both the responsible manager and the company (sections 30 and 130 German Act on Regulatory Offences).
- Entities in the banking, financial services and insurance sectors are required to set up and maintain risk management and compliance functions in accordance with specific legal requirements.
- The German Corporate Governance Code (DCGK) contains certain recommendations regarding compliance governance for listed companies (see question 8).
Apart from the financial industry for which specific legal requirements exist, corporate law deliberately leaves open the organisational measures necessary to fulfil the compliance obligation. Each individual company is left to decide on the concrete structure governing all its compliance processes and systems and, subject to due examination and preparation, this decision lies within the entrepreneurial discretion of the board of directors.
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
Regulated financial institutions (including insurance companies), certain corporate entities such as stock corporations and limited liability companies, as well as listed companies, are within the focus of authorities that enforce risk management and compliance violations. In general, however, management board members and company owners, irrespective of company legal form, are obliged to take reasonable steps to avoid legal violations from their companies.
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
The Federal Financial Supervisory Authority (BaFin) is authorised to enforce measures with regard to credit institutions and regulated financial firms (including insurance companies). Risk and compliance management deficiencies of banks or other regulated financial institutions may have various consequences, for example, administrative fines, dismissal of the responsible members of the management board and, ultimately, withdrawal of the licence.
Independently from the industry sector, the public prosecutors are responsible for the prosecution of administrative offences, for example, failure to comply with the obligation to take appropriate measures against legal infringements (section 130 German Act on Regulatory Offences).
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
In Germany, there are no general legal definitions for ‘risk management’ and ‘compliance management’.
The DCGK addresses listed companies and provides a definition of compliance in clause 4.1.3 DCGK: The board of directors must ensure compliance with legal requirements and internal corporate guidelines and ensure that compliance is observed by subsidiaries. The provisions of the Code are not mandatory law, but as a general rule, the requirements are implemented by listed companies.
For credit institutions, a definition of risk management is provided by the BaFin (clause AT1 of the Minimum Requirements for Risk Management): risk management includes the establishment of appropriate strategies and the establishment of appropriate internal control procedures. The internal control procedures consist of the internal control system and internal auditing. The internal control system shall include in particular:
- rules on the organisational and operational structure;
- processes for identifying, assessing, managing, monitoring and reporting risks (risk management and risk control processes); and
- a risk control function and a compliance function.
Are risk and compliance management processes set out in laws and regulations?
For financial institutions, specific processes and rules are set out by BaFin in the Minimum Requirements for Risk Management (MaRisk). This framework includes specific regulations for risk management processes that BaFin regards as standards to be obeyed. Pursuant to MaRisk, each institution must have a compliance function to counter the risks that may arise from non-compliance with legal rules and regulations.
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes.
The Institute of Public Auditors in Germany has published an audit standard for voluntary audits of compliance systems (IDW PS 980). It serves as a non-governmental benchmark for examining compliance management processes. This auditing standard serves to orient responsible persons regarding the proper structure of a compliance management system and its examination. An audit will provide additional assurance as to the adequacy and effectiveness of the principles and measures introduced in the company for the purpose of preventively ensuring proper compliance with laws. At the same time, a corporate body documents that it has had the compliance system checked in accordance with its responsibilities.
One must note that the guidelines are non-binding and that the board of directors has rather broad discretion in weighing the specific risks of the entity they represent and how to address them.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
Generally, German law does not provide for specific rules as regards risk and compliance governance. Most larger undertakings implement a risk and compliance structure that reflects adequate governance obligations. However, which rules will be implemented depends on the specific case. Save the individual situation, best practice comprises the following (see also question 9):
- Typically, German companies have a management board and a separate supervisory board. Such two-board structure is mandatory for a German stock corporation, and most European companies also provide a two-board structure. A limited liability company must have a supervisory board if it has more than 500 employees. It is advisable to design a risk and compliance management system in such a way that there is direct access to the supervisory board for the heads of risk and compliance management. This will improve the effectiveness of such a system, in particular because of the possibility of prompt and uninfluenced reporting to the supervisory board, namely, the persons that control the management.
- The independence of the risk and compliance management system is also a decisive factor for a sound corporate compliance defence (see also question 17). This independence can be ensured, for example, by agreeing on longer employer-side notice periods with regard to the head of risk or compliance. Also, a fixed remuneration of the compliance officer, which is not dependent on the prosperity of the respective monitored area, contributes to the integrity of the system.
- Finally, a compliance system must always be equipped with sufficient effective powers and resources to effectively prevent violations. Examples include random and unannounced business process reviews, document controls, email checks (save the data protection and privacy rules), or the introduction of regular reporting obligations to the supervisory board. Last but not least, monitoring by documenting the implementation of measures also plays an important role.
German companies listed on the regulated stock market are subject to risk and compliance ‘governance’ obligations pursuant to the DCGK. Such listed companies are required to provide a declaration of (non-)conformity with the recommendations of the Code. If a recommendation is not being applied, the company needs to disclose and explain this in the annual declaration of conformity (‘comply or explain’). The largest listed companies in Germany typically follow all recommendations as they represent best practice. The Code states that compliance is a task of the management board and defines it as compliance with legal and internal provisions (section 4.1.3 DCGK). The Code further states that the management board should submit information on risk management and compliance to the supervisory board (section 3.4 DCGK). In addition, the Code recommends a regular exchange between the chairman of the supervisory board and the chairman of the board of directors on matters relating to risk assessment, risk management and compliance (section 5.2 DCGK), and that the supervisory board establishes an audit committee to supervise the effectiveness of the risk management and compliance systems (section 5.3.2 DCGK).
Regulated financial institutions
Financial institutions and other regulated undertakings in the financial industry are subject to specific risk and compliance governance obligations (see question 9, as regards regulated financial institutions).
What are the key risk and compliance management obligations of undertakings?
There is no standard set of obligations that must be implemented. Therefore, the implementation of a risk and compliance management system is a business decision of the board of directors. After due diligence, acting within the scope of a careful decision and without any conflict of interests, the board is free to decide on adequate measures without having to fear damage claims (‘business judgment rule’, section 93 German Stock Corporation Act). This general concept is also applicable to undertakings of other legal forms.
As a general practical approach, save an individual analysis and a set-up of customised rules, a risk and compliance management system is typically characterised by three core attributes:
- Assessment of the key risk areas in the company, addressing the risks through internal rules and living an integrity culture - including the board of directors and the supervisory board (‘tone from the top’) and also the employees - as well as adequate training and counselling. Thus, systematic misbehaviour can be ruled out.
- Immediate reaction by the responsible manager or board member or members as soon as there is evidence for individual misconduct or non-functioning of the systems; adequate reactions against lawbreakers and responsible supervisors.
- Proportionality: the system must be appropriate for the particular company and its risks (ie, individually tailored in scope, breadth and depth of regulation). It must not lead to risk-aversion or excessive, inappropriate formality.
As regards certain types of risks, typically the following areas are being addressed (alphabetical list): anti-corruption, anti-money laundering, antitrust, capital market issuer obligations (eg, ad hoc notices), data protection, employment, environmental protection, IT, product safety, tax, third parties and work protection.
Regulated financial institutions
Financial institutions and other regulated undertakings in the financial industry are subject to detailed risk and compliance management obligations set forth by BaFin in the Circular MaRisk. Even though this framework is legally not binding, undertakings de facto are obliged to adopt the rules as key risk and compliance management obligations. Pursuant to MaRisk, each institution shall have a risk control function in place that is responsible for independently monitoring and reporting risks. The risk control function shall be segregated organisationally, up to and including the management board level, from the organisational units that are responsible for initiating or concluding transactions. In particular, the risk control function shall meet the following requirements:
- support the management board in all risk policy issues, in deciding and implementing the risk strategy and evolving a risk limitation system;
- carry out the risk inventory and draw up the overall risk profile;
- support the management board in developing and improving the risk management and risk control processes;
- develop and improve a system of risk ratios and a procedure for the early detection of risks;
- monitor the institution’s risk situation and internal capital adequacy as well as compliance with the risk limits in place on an ongoing basis;
- draw up the regular risk reports for the management board; and
- assume responsibility for the processes for passing on material risk-related ad hoc information promptly to the management board, the responsible officers and, where applicable, the internal audit function.
Further key requirements are that the staff of the risk control function shall be granted independence and all necessary means to perform their tasks. The head of the risk control function shall be involved in important risk policy decisions of the management board. Certain powers and independence are required for the head of risk control.
In particular, the compliance function should meet the following requirements:
- Each institution should have a compliance function in place in order to counteract the risks that may arise from non-compliance with legal rules and regulations. The compliance function should ensure the implementation of effective procedures for complying with the legal rules and regulations that are material to the institution, and of corresponding controls. The compliance function should additionally support and advise the management board with regard to complying with these legal rules and regulations.
- The compliance function should regularly identify the material legal rules and regulations, non-compliance with which might jeopardise the institution’s assets, in the light of risk factors. The compliance function should be, in general, directly subordinate to and report to the management board. It may also be linked to other control units. It may also be assisted by other functions and units in the performance of its duties.
- The institution shall appoint a compliance officer who is responsible for carrying out the compliance function tasks. Depending on the nature, scale, complexity and riskiness of the business activities, as well as on the institution’s size, the compliance officer may in exceptional cases be a member of the management board. Compliance function staff shall be granted sufficient powers and unrestricted access to all information needed to perform their tasks. They shall be notified of instructions and decisions of the management board that are material to the compliance function. The compliance function staff shall be notified in due time of material amendments of the rules that are intended to ensure compliance with the material legal rules and regulations. The compliance function shall report to the management board on its activities at least once a year and on an ad hoc basis. Such reports shall address the appropriateness and effectiveness of the rules that are intended to ensure compliance with the material legal rules and regulations. The reports shall also cover information on potential deficits and on remedial measures. In addition, these reports shall be passed on to the supervisory board and the internal audit function.
The supervisory board shall be notified if the compliance officer or the head of the risk control function is replaced.
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
The members of the board of directors are each personally responsible and liable for a proper risk and compliance management. The members of the management board of a group of companies are also responsible for appropriate measures of the subordinated entities fulfilling risk and compliance obligations.
The responsibilities may be delegated to a certain member of the board, and sub-delegation to a member of the senior management is possible and advisable. However, the ultimate responsibility remains with all members of the board of directors, meaning they have to supervise the person to whom the task has been conferred.
The supervisory board is responsible for supervising the board of directors. This includes checking and monitoring whether the board of directors has established a proper risk and compliance management system.
Risk and compliance management obligations exist only for those senior managers who have been assigned these tasks (eg, chief compliance officer). Their tasks cannot be described abstractly. It depends on the results of the analysis of the company’s risks, which determine the individual tasks and the focus of the compliance measures to be taken.
Do undertakings face civil liability for risk and compliance management deficiencies?
Yes. If there are legal violations owing to inadequate risk and compliance management, customers may file damage claims, for example in cases such as antitrust violations (see truck cartel case, question 18) or bribery of public officials.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
Yes. The Act on Regulatory Offences is applicable to any entity irrespective of the industry sector. Pursuant to this legislation, the management board or owner of an operation or undertaking shall be deemed to have committed a regulatory offence if they intentionally or negligently omit to take the supervisory measures required to prevent contraventions of laws within the operation or undertaking and such contraventions occur. A regulatory fine may be imposed on both the person and the entity. The fine to be imposed on the entity may generally amount to a maximum of €10 million. However, the regulatory fine shall exceed the financial benefit that the perpetrator has obtained from commission of the regulatory offence; the statutory maximum may therefore be exceeded if it does not suffice for this purpose.
There are specific rules for the financial industry: risk and compliance management deficiencies of banks or other regulated financial institutions may have various consequences, for example administrative fines, dismissal of the responsible members of the management board and, ultimately, withdrawal of the licence.
Do undertakings face criminal liability for risk and compliance management deficiencies?
No. In Germany, only natural persons may be subject to criminal fines; undertakings may not. There is an ongoing discussion to introduce a criminal liability for undertakings. A major reason against introducing such liability is that administrative fines (see question 12) are considered sufficient.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
Each member of the board of directors of a stock corporation is responsible for ensuring that his or her company operates within the framework of the laws and internal directives and that any legal violations are avoided as much as possible. This obligation also applies to managers of companies of other legal forms.
If the management board violates these obligations, each individual member may face damage claims arising from this breach of duty by the company if the company suffered damage because of the breach. If tasks are delegated to a certain board member, the others may be held personally responsible for damages if they do not properly supervise the delegated member and the compliance officer repeatedly reported on compliance failures (eg, the Siemens corruption case). In accordance with the jurisprudence of the Federal Court of Justice (BGH), the supervisory board is obliged to analyse and enforce the company’s claims against members of the board of directors. Additionally, if the board of directors does not take actions against compliance failures and, in particular, systematic violations, the supervisory board knowing of such failure must take actions against the board of directors in order to restore proper risk and compliance management. If the supervisory board fails to do so and if damages occur or increase, the members of the supervisory board may be held liable for such damages.
Members of senior management - below the corporate board - may also be held liable by their company for damages resulting from the violation of risk and compliance management obligations. However, according to German judicial jurisprudence, being employees they bear a graduated liability. Liability therefore comes into practical consideration only when employees have deliberately violated their obligations. According to some court rulings, a special responsibility is assumed by the head of compliance.
According to section 93 paragraph 1 German Stock Corporation Act, no breach of duty exists if the member of the board of directors makes an entrepreneurial decision, assuming that he or she could act on the basis of appropriate information for the good of the company.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
Inadequate supervision by the management or the owner of a company may be sanctioned with massive fines against the responsible person as well as the company (section 130 Act on Regulatory Offences).
Members of senior management also face administrative consequences, if the owner of a business or someone otherwise so authorised had commissioned this senior executive to manage a business or expressly commissioned a person to perform on his or her own responsibility duties that are incumbent on the owner of the business (section 9 German Act on Regulatory Offences).
As regards regulatory consequences, specific rules have to be observed, for example, for managers working in the banking sector (see above).
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
If the members of the management board of a stock corporation violate their duty of diligent care and damages arise therefrom, according to the jurisprudence of the German Federal Court, this may be regarded as a criminal offence pursuant to section 267 German Criminal Code (‘infidelity’). Even if this has not been ruled in the respective Court judgment, the failure to establish an appropriate compliance system or to react promptly on evidence for infringements of law may also be deemed a violation of duty in this regard.
Members of governing bodies may be subject to criminal proceedings because they did not prevent (further) infringements out of their corporate entity. This criminal liability may also apply to senior managers (below the board of directors) and to members of the supervisory board if and to the extent that they are responsible for the supervision or the functioning of the compliance system. If, for example, a foreign official has been bribed by a company representative and if the responsible board member has evidence for such bribery but does not react appropriately, this omission to react may be regarded as a criminal offence by the responsible board member. As a result, the board member may be punished for bribery because of an inappropriate compliance practice. As such, in a 2012 court trial the long-term former head of the MAN commercial vehicle division ultimately admitted that he had not done enough to prevent bribery payments in Slovenia in 2004-2005, and was convicted for accessory to corruption by omission.
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
In Germany, there is no general statutory corporate compliance defence enabling a company, for example, to avoid vicarious liability for a violation of an anti-bribery provision by its management, employees or agents when implementing certain rules. Nor do compliance and risk management regulations applicable to financial institutions provide for corporate compliance defence. Hence, a financial institution may face civil liability claims even if it has obeyed all administrative legal compliance requirements.
However, a public prosecutor or court would consider whether an appropriate corporate compliance system was in place to prevent and detect violations of laws by employees and agents when determining the responsibility of the management for the infringement and the level of the financial penalty. Furthermore, they will also credit the firm for correcting the deficiencies in its compliance and risk management framework as part of a remediation programme. This could lead to a lower fine being imposed against the firm.
In the given context, one should recall that each individual company is left to decide on the concrete structure governing all its compliance processes and systems and, subject to due examination and preparation, the decisions on the actual setup of a risk and compliance management system lie within the discretion of the members of the board of directors (see questions 2 and 14). If the board members act within the limits of due care, they cannot be held liable for infringements of laws and resulting losses for the company. This, in a wider sense, may also be regarded as a corporate compliance defence.
Discuss the most recent leading cases regarding corporate risk and compliance management failures.
Volkswagen (VW) emissions scandal (‘Dieselgate’)
Public enforcement authorities and private plaintiffs worldwide are holding VW responsible in particular for illegal defeat devices in the engine control, false emission reports as a consequence therefrom and for delayed capital market information. VW CEO Martin Winterkorn has resigned over the scandal. German prosecutors launched an investigation into him and 36 other individuals. VW dismissed several top managers. Stock price damage claims in excess of €1 billion against VW are pending at German courts for violating its duty to publish ad hoc notices. Even if the scandal has not been settled yet, it has become clear that there has been a massive failure in the compliance system and culture at VW, resulting in damages in excess of €25 billion (as of December 2017).
Four European manufacturers of trucks, DAF, Daimler, Iveco/Fiat and Volvo/Renault, were fined by the European Commission in the summer of 2016 for unlawful collusion on prices and had to pay nearly €3 billion, most of them by Daimler (nearly €1 billion). Regarding other truck manufacturers, Scania has not accepted its fine and MAN remained unpunished as crown witness. First civil lawsuits have been filed by customers for damage compensation in excess of €120 million. The manufacturers had unlawfully agreed on prices for more than a decade, which can be regarded as an example of inappropriate risk preventive measures and a serious lack in compliance culture.
Corruptibility of a public official
One example of how severe personal consequences of violations of anti-corruption laws may be in Germany is a criminal ruling of February 2017 in Düsseldorf: the former head of the North-Rhine Westphalia state-owned BLB construction service company used his official powers to artificially increase prices for the construction of public buildings in order to enrich himself. He was sentenced to seven and a half years’ imprisonment for corruptibility and infidelity. Even if the conviction might be lowered by a higher court, the ruling demonstrates the willingness of the courts to answer non-compliance with high penalties.
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
Typically, the laws regarding risk management and compliance (including those imposing obligations that lead to the de facto obligation to implement such risk management tools) do not distinguish between private or governmental owned enterprises. For example, the key legal provision regarding the violation of obligatory supervision in operations and enterprises, section 130(1) German Act on Regulatory Offences, expressly states that ‘an operation or undertaking within the meaning of section 130(1) shall include a public enterprise.’
Framework covering digital transformation
What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?
The range of sanctions for criminal offences committed by public officials is slightly increased, for instance in the area of bribery.
Another difference is that rather specific rules exist at federal, state and municipal level regarding the prevention of corruption and the reaction to violations of anti-corruption laws by public officials. For example, the federal government published its ‘Directive concerning the Prevention of Corruption in the Federal Administration’. It addresses the key aspects of a preventive strategy, such as identifying administrative activities especially vulnerable to corruption, raising awareness among officials and creating principles for awarding contracts. Pursuant to a respective circular, rewards or gifts must not be accepted. There may be an exception for gifts of a maximum value of €25. However, in this case the recipient is obliged to notify the employer. Another regulation addresses sponsoring and donations.
Update and trends
Deficient compliance system causes risk for directors’ and officers’ (D&O) insurance coverage
The trend continues that companies hold liable members (or former members) of governing bodies for damages resulting from a violation of duty of care. We see many cases where such members are facing multi-million euro claims. Whereas the members tend to rely on insurance coverage, reality teaches unpleasant lessons: insurance companies increasingly try to refuse to make D&O insurance payments because a proper compliance management system had not been set up. The (higher) courts have yet to decide on such exclusions for insurance payments. However, it is advisable to regularly check and improve the risk and compliance management system as well as the performance and standing of the chosen insurance partner.