Nicole Willms (nwillms@pohlmann-company.com) is a partner at Pohlmann & Company in Frankfurt/Main, Germany.
Compared to other jurisdictions, first and foremost the United States, compliance management is a fairly new corporate governance topic among German companies. For decades the concept of compliance was a “legal transplant” mainly recognized and taken seriously by large global companies having to comply with foreign standards. Lately, however, more and more increasingly complex compliance requirements are finding their way into German law, becoming applicable for medium-sized and even smaller German companies. Maintaining an adequate compliance program is evolving from a best practice fiduciary measure of self-control and protection of a company’s assets and reputation to a legally promoted instrument of prevention and relief from regulatory, if not even criminal, liability.
No regulatory roots for compliance programs
Germany has been approaching the concept of compliance management in a rather reactive manner. The demand for implementing comprehensive compliance programs clearly came from abroad. In the 2000s, German globally active companies became subject to US governmental investigations and settlements for systematic corruption and, as a matter of remediation, needed to demonstrate mature compliance programs.
At the same time, no such request or relevant standards were reflected in German legislation. There was no mention of compliance, compliance measures, or compliance management systems in any German law. A formal legal obligation to maintain a compliance program did not exist. Due to the immaturity of German corporate criminal law, no compliance program expectations or standards had been formed in this legal area either.
US enforcement sets the tone
In 2008, the Siemens corruption scandal marked a beginning. Siemens reached a settlement with the US Department of Justice and Securities and Exchange Commission, agreeing to pay a $450 million fine conditioned upon implementing and maintaining a solid compliance program worldwide.[1] The US compliance measures and standards required under the settlements did not, at the time, correspond to any German requirement or regulation. The evident regulatory vacuum quickly led to the legal question, and to controversial discussion in practice and academia, as to whether a German corporation’s management must implement a compliance program at all.
In the wake of its remediation efforts, Siemens then was the first to sue its former managers and board members for a breach of their organizational and supervisory duties by not having taken care of an adequate compliance program.[2] While 11 out of 12 defendants entered out-of-court settlements with Siemens, the remaining case of former managing director Heinz-Joachim Neubürger was finally decided by the Munich District Court in 2013. After a lengthy lawsuit, the court found Neubürger liable for compensation of damages in the amount of €15 million. His liability was based on the argument that as part of his fiduciary duty vis-à-vis the company, he should have initiated sufficient measures to clarify and investigate violations, to put a stop to them, and to take actions against the employees involved.[3] Yet, Neubürger failed to do so even though repeated violations of the law and shortcomings in the control system had been brought to his attention, the court ruled.
Germany’s acceptance of a general compliance management duty
The Siemens/Neubürger judgment is considered a landmark decision and sets a milestone for compliance management in Germany. Today, as part of its fiduciary duties, management is considered obliged to thoroughly evaluate the company’s need for a compliance program. According to the Munich District Court’s ruling, the question of whether and to what extent a compliance program must be implemented is, however, a discretionary management decision to be taken based on the size and structure of the company, the sector in which it operates, and the individual compliance risks to which it is exposed.
And it does not go further. No German law or regulatory guidance actively takes up the judgment on the compliance management duty, and no details or regulatory expectations are determined regarding its scope or extent—at least not in a general manner. While the concept of compliance management is being introduced on the basis of European law for banks and the overall finance and insurance sectors, the wider German industry is left with a general discretionary obligation not further specified.
Also, with management’s fiduciary duty being the only legal gateway for discussing compliance programs, assessments were mainly made reactively and retrospectively (i.e., in the context of deciding on alleged management failures). Consequently, the rare related case law provides only the rather self-evident observation that certain compliance measures taken by management in individual cases were not sufficient, without setting out what specific measures would have been necessary or expected.
Even though, of course, a great deal of specialist legal literature on the components and requirements of a compliance program evolved, neither German standards nor legislative requests were set that would have served German companies as a reliable guideline or encouragement to take a more proactive approach. In fact, many German companies considered preventive compliance programs to be relevant for huge global corporations like Siemens and Deutsche Bank only, but certainly not for themselves.
Compliance programs might be needed
In 2015, a new scandal shook the corporate landscape and German politics: the internationally known Volkswagen emissions scandal. The initiation of various international criminal proceedings on suspicion of systematic fraud fueled the discussion in Germany as to whether a more rigorous corporate criminal law would be needed in Germany and how preventive compliance measures could and should have been in place to prevent Volkswagen’s systematic wrongdoing.
As a direct consequence, at the start of 2018, the newly formed coalition finally took up the topic and promised in its coalition agreement to strengthen German corporate criminal liability and to create legal incentives for clarification assistance through internal investigations as part of an adequate compliance program.[4] The legal development thus initiated was undoubtedly also influenced by an important decision of the Federal Court of Justice (BGH) in May 2017: In an obiter dictum, the court recognized the fine-reducing effect of an effective compliance program designed to prevent violations.[5] Though the court did not define any further requirements on the design or implementation of compliance programs, the decision was quite a development, since until that time the concept of a “compliance defense” had not been recognized in Germany, neither in statutes nor in jurisprudence.
And related development continued: Following its former bribery scandal that led to US investigations, a deferred prosecution agreement, and a five-year compliance monitorship, in 2018, Bilfinger filed claims for damages amounting to €111 million against 12 of its former management board members. Even broader than in the early Siemens/Neubürger case, claims for breach of fiduciary duties were based on the argument that the managers had failed to implement a reasonable compliance program that would have helped avoid the noncompliant transactions resulting in the US proceedings.[6] A verdict was not attained, as the parties reached an out-of-court settlement with the managers finally paying a total of €18.2 million to the company.[7]
Only recently, the Wirecard scandal has made calls for corporate liability, compliance programs, and their continuous and independent monitoring louder again. In view of the massive intentional fraud that came to light, the virulent question in German politics and society is whether and, if so, what measures could have prevented or at least unmasked it earlier. Should Wirecard’s supervisory board, the external auditor, and governmental supervisor have taken a closer look at the company’s compliance culture and processes? And if so, against which benchmarks? In response to the scandal, balance sheet control procedures are now reformed, and far-reaching amendments are made with respect to supervisory boards’ and external auditors’ composition and duties. But this is a whole different story.
Compliance programs should be incentivized
In the wake of these scandals, discussions, and continuing international legislative developments, the German legislator finally showed a changed approach with a view to requesting and even incentivizing compliance measures and programs. This new approach became particularly evident in the latest (however, ultimately unsuccessful) attempt to introduce a “new criminal sanctions law for companies” in Germany.
Following the coalition promise, a draft Corporate Sanctioning Act (Draft CSA) was developed mid-2019. While it was to introduce a specific criminal law for corporations, it simultaneously expressed the aim of promoting and rewarding companies’ preventive compliance management efforts. It, therefore, provided for detailed regulation on corporate crimes and their potential sanctioning in addition to several compliance incentives well-known in the international landscape:
- Compliance defense: The existence and state of a company’s compliance program was to be considered when assessing whether a corporate crime existed and was to be prosecuted but also with regard to the amount of a potential fine. A company’s mere efforts to comply were to have a potential mitigating effect. Criminal proceedings were to be stopped or suspended and sanctions to be reduced if a compliance program was in place.
- Prosecution agreements: Nonprosecution and deferred prosecution agreement concepts were foreseen to be used for the first time, inter alia, in case companies were able to demonstrate the misconduct to be an outlier and that they otherwise had a sound compliance program, had improved it after the misconduct, and/or showed willingness to further remediate.
- Compliance instructions and monitorship: As part of the sanctioning, courts and prosecutors could impose specific compliance instructions meant to prevent similar misconduct in the future. If deemed necessary, the actual implementation of such compliance instructions should also be subject to review and certification by a competent body selected by the company and approved by the court.
- Investigation and collaboration bonus: Lastly, the Draft CSA included an unambiguous call to companies to conduct internal investigations and make all their results available to the governmental proceedings. Any fine to be imposed was foreseen to be reduced by half in case of a company’s unrestricted transparent disclosure and cooperation with the authorities. To be recognized by the state and to qualify for this extensive fine reduction, the internal investigations were to meet certain legal requirements.
Although the Draft CSA had already passed most of the legislative process, there had been intensive discussions, including during periods of high COVID-19 infection rates. One of the main disagreements obviously was on how to deal with internal investigations. In particular, the planned separation between criminal defense on the one hand and legal advice and support for internal investigations on the other, and the associated limited prohibition on the confiscation of any investigation results, proved to be obviously incapable of consensus.[8]
Even though the legislative project for a new German corporate criminal law finally failed—at least for the previous legislative period—the Draft CSA clearly demonstrated a change in thinking about compliance programs and outlined in detail where developments in Germany are headed. It remains to be seen whether and to which extent a new attempt will be made to introduce corporate criminal law after the German parliamentary elections. At least some election programs suggest that corporate criminal law will be on the agenda again in the next legislative period, and it seems likely that the earlier compliance-related mechanisms will be further pursued therein.
Setting the scene: Parallel, like-minded legislative developments
This forecast seems very realistic also because more and more regulations on taking preventive compliance measures and the relevance of compliance programs in official investigations and proceedings are nowadays finding their ways into German law.
Since 2017, the German Anti-Money Laundering Act, for example, explicitly requires companies to conduct dedicated group-wide risk analyses and to implement special business partner management and incoming payment oversight procedures. Failure to comply constitutes a misdemeanor and may result in notable fines.
The same is true for the German Supply Chain Due Diligence Act, which has just been enacted in June 2021. As of 2023/2024, companies of a certain size will have to identify and address the human rights and environmental risks in their direct supply chains, set up grievance mechanisms, and report on their related activities. German authorities will be empowered to initiate administrative action or impose fines in case such obligations are not fulfilled.
With the latest amendment of the German Act Against Restraints of Competition earlier this year, the legislator also introduced the concept of “compliance defense” into written law. According to an entirely new provision, a company’s compliance measures aimed at preventing future antitrust violations are to be considered when assessing an antitrust fine. In the amendment’s reasoning it was explicitly acknowledged that anti-competitive behavior is often discovered and reported only due to effective preventive compliance programs.[9] Following the same logic, it is envisaged that companies that are listed in the newly established Competition Register for Public Procurement due to antitrust violations may apply for premature deletion from the register by taking self-cleaning measures. The competent authority has already announced that the introduction or adaptation of a compliance program can be considered an appropriate measure in this context.[10]
Germany’s promising future in compliance legislation
Though Germany is taking its time to come closer to the idea of explicitly requiring, promoting, or even incentivizing compliance programs, recent developments have shown that Germany is in the middle of a cultural change and that the concepts last expressed in the Draft CSA will most likely prevail, sooner or later. Preventive compliance management has meanwhile gained a different status and is attracting more attention nowadays—from the law but also, just as effectively, from supervisory boards, investors, employees, and the international public.
With this tailwind Germany has started to make up for opportunities missed in the past and has demonstrated its determination to promote; oversee; and, if necessary, enforce solid compliance programs more consistently in the future. Slowly but surely, it will get there.
About the author
Nicole Willms has extensive experience in the field of international preventive and investigative compliance and was, among other things, a senior member of the US independent compliance monitor team for the Department of Justice and Securities and Exchange Commission for VEON (former VimpelCom), as well as the German counsel to the compliance monitor for Volkswagen AG, Larry Thompson. Recently named a “Best Lawyer” in corporate governance and compliance practice (Germany Edition 2022), Nicole currently serves as a leadership team member on the compliance monitorship for Ericsson.
Takeaways
- Compliance programs in Germany had a slow start initially around management duty and liability.
- For a long time, there were only academic discussions and few regulations on compliance programs.
- In the wake of noticeable scandals, there has been an increase in case-by-case decisions and the demand for compliance programs.
- Lately, the German legislator’s attempt for a new corporate criminal law included notable incentivization regulations for compliance programs.
- Other new legislation indicates a cultural change toward clear compliance requirements and promotion of preventive compliance programs.