When is a company’s compliance management system (“CMS”) appropriate in Germany? This is a question to be raised by the purchaser of a company or its advisors when conducting a compliance due diligence on the target company in the context of a M&A-transaction. However, this question also concerns a managing director of a company who wants to or has to introduce a CMS in order to fulfil his/her duty of care and make the company fit for the future.

In both cases, the question is linked to the intention to minimise or even exclude the liability of the company and or the managing director as far as possible, in the event of a compliance violation within the company. The fact that this is possible is now widely recognised by case law, even if there is still no specific provision on this in Germany. Accordingly, in the end, it is the conviction of the court that matters in liability proceedings whether the CMS was appropriate at the company.

However, in the absence of general legal regulation, there are no easy answers. Instead, the question repeatedly refers to the fact that there is and may not be a one-size-fits-all solution for the introduction of compliance structures, since it always depends on the size and structure of the company and in which industry it operates.

In this respect, various standards and guidelines have been developed in recent years that provide companies with guidelines for the structure of a CMS.

DIN ISO 37301:2021

The DIN ISO 37301:2021 is an international ISO standard and describes requirements for a CMS. It is the successor to DIN ISO 19600:2016-12 and sets out requirements and provides guidance for the establishment, development, implementation, evaluation, maintenance and improvement of an effective compliance management system within an organisation (cf. DIN ISO 37301:2021, Sec. 1). To this end, the classic topics are included such as setting compliance goals, identifying compliance risks, compliance risk assessment, management responsibility, delegating responsibility, adapting the CMS if necessary, training employees, introducing a complaints system and conducting internal investigations as well as monitoring and improving the CMS are addressed. The ISO standard provides a framework for a compliance organisation within which companies can structure their CMS. In this respect, the ISO standard serves as the basis for the possibility of having a CMS certified in accordance with international standards, provided that all criteria mentioned in the ISO standard are fulfilled.

IDW PS 980

IDW PS 980 is an auditing standard developed by the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer) based on the principles of proper auditing of compliance management systems. The existing auditing standard dates from 2011 and is currently being revised. The Institute of Public Auditors in Germany (IDW) has already published a draft of a new version (“EPS 980 n.F.”), on which comments can be submitted until the end of May 2022. According to EPS 980 n.F., a new version is necessary because there have been further developments in the establishment and auditing of compliance management systems in corporate and auditing practice, which have been taken into account accordingly in the revision of the basic elements of a CMS and the audit procedure. EPS 980 n.F. describes the following basic elements of a CMS: The compliance culture as the basis for the appropriateness and effectiveness of the CMS, the definition of compliance objectives as the basis for the assessment of compliance risks, the identification of compliance risks, the introduction of a compliance programme based on the identified compliance risks, the compliance organisation as part of the corporate organisation, compliance communication to employees and third parties, and compliance monitoring and improvement. In this respect, specific compliance measures are addressed and the company receives concrete information on the requirements for a CMS. The auditors apply the auditing standard within the scope of a voluntary audit of compliance management systems. Accordingly, EPS 980 n.F. states that an audit of the effectiveness of these systems by an independent auditor in accordance with this IDW auditing standard can serve as objective proof that the executive board and the supervisory board have exercised their organisational and due diligence duties without any abuse of discretion.

DICO Standard Compliance Management Systems

The Compliance Management Systems Working Group of the German Institute for Compliance (Deutsches Institut für Compliance - DICO), together with the Viadrina Compliance Center under the leadership of Prof. Dr Bartosz Makowicz, published a DICO Standard in March 2021. According to the standard CMS it comprises general recommendations for the design of a CMS in a brief form. It is applicable to all types of companies, regardless of their size, structure and complexity. Under the headings of planning, prevention, recognition, reaction, as well as regular system evaluation and continuous optimisation, essential parts of a CMS are described. These include the role of management, a compliance risk analysis, compliance functions, code of conduct and compliance guidelines, communication and training, competence assurance, monitoring, whistleblowing system, sanctioning, reporting and crisis management. Compliance measures are dealt with very specifically, so that the standard can be a very good starting point for the introduction of a CMS, especially for small and medium-sized enterprises. In any case, it provides a clear overview of the individual possible measures, without listing a conclusive catalogue here.

German Corporate Governance Code

One of the first standards is the German Corporate Governance Code (“DCGK”). It “presents essential statutory regulations for the management and supervision of German listed companies and contains, in the form of recommendations and suggestions, internationally and nationally acknowledged standards for good and responsible corporate governance.” The current DCGK dates from 2019. On 21 January 2022, the Government Commission adopted the draft of the German Corporate Governance Code 2022, on which comments can be submitted until mid-March. The previous version only contains the requirement for a suitable and effective internal control and risk management system in the principles and then specifies in the recommendations on the principles that the executive board should ensure that the CMS is aligned with the risk situation of the company. This has now been significantly expanded in the draft of the new version. Accordingly, it is already stated in the principles that the internal control and risk management system also includes a CMS that is aligned with the risk situation of the company. The recommendations on these principles then state, among other things: “[…] Employees shall be given the opportunity to report, in a protected manner, suspected breaches of the law within the enterprise; third parties should also be given this opportunity. The management report shall describe the main characteristics of the internal control and risk management system, and provide comment upon the adequacy and effectiveness of these systems.” Even though the DCGK does not provide for specific compliance measures, it explicitly emphasises the need for a CMS, and will do so even more strongly in the future. The DCGK itself does not constitute mandatory law. However, it is closely linked to mandatory law through the regulation of the declaration of compliance in section 161 of the German Stock Corporation Act, so that section 161 of the German Stock Corporation Act is also referred to as the “transmission belt” of the DCGK. According to this regulation, the executive board and supervisory board of a listed company are obliged to declare annually that the recommendations of the Government Commission on the DCGK have been and are being complied with or which recommendations have not been or are not being applied and why not. However, this only applies to a limited group of companies, yet the DCGK has also gained a high status beyond these companies.

Statutory obligations

There is no general obligation to introduce a CMS. Only companies providing investment services as well as credit and financial services institutions have a legal obligation to establish a proper business organisation in order to comply with the legal provisions according to Section 80 German Securities Trading Act (WpHG) and Section 25a German Banking Act (KWG). Accordingly, a proper business organisation must also include appropriate and effective risk management, comprehensive documentation of business activities and a whistleblowing system. In addition, capital market-oriented “large” companies within the meaning of section 267 (3) sentence 1 of the German Commercial Code (HGB) with more than 500 employees on an annual average, are obliged to provide information on combatting corruption and bribery as part of their non-financial reporting obligations whereby the information may, for example, relate to the existing instruments for combatting corruption and bribery (cf. Section 289c para. 2 no. 5 HGB). In this respect, the laws address individual elements of a CMS to a very limited extent but the importance of these measures for a CMS is underlined.

The content of the guidelines on the early deletion of an entry from the competition register due to self-cleaning as well as the relevant practical information of the Bundeskartellamt go beyond this. These refer to Section 8 of the Competition Register Act, which provides for the early deletion of an entry from the competition register due to self-cleaning of the companies. In this context, reference is made, among other things, to Section 125 of the Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen), which states in Paragraph 1 No. 3 that self-cleaning also requires that the company has taken concrete technical, organisational and personnel measures that are suitable to prevent further criminal offences or further misconduct. In this respect, the guidelines and practical advice describe “compliance measures” as the necessary technical and organisational measures. This includes risk analysis, the adaptation of the organisational and supervisory culture, the commitment of the company management to legally compliant behaviour, the careful selection, training and control of company employees, the handling of whistle-blowers and whistle-blower systems, adequate resources and competences of the responsible persons as well as the evaluation and adaptation of compliance measures. The Bundeskartellamt thus describes the requirements for a CMS in great detail in order to provide companies with assistance for self-cleaning. However, the Bundeskartellamt also makes clear in the guidelines that the question of the appropriateness of the measures always depends on the individual case.

Foreign regulations

In addition to the German standards mentioned above, there are two important foreign guidelines that deal with the structure of a CMS. These are, on the one hand, the guidance on the UK Bribery Act 2010 (The Bribery Act 2010 - Guidance (MoJ)) and the guidance of the U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (as of June 2020)).

The UK Bribery Act 2010 guidance sets out six principles for organising companies to prevent corruption. These are: proportionate procedures, top-level commitment, risk assessment, due diligence, communication (including training), monitoring and review.

The U.S. Department of Justice’s guidance focuses on three questions: (i) Is the CMS well designed? (ii) Does the CMS have sufficient resources and authority to be effective? and (iii) Does the company’s compliance programme work in practice? For the first question, the topics of risk assessment, policies and procedures, training and communications, third party management, confidential reporting structure and investigation process are addressed. The second question deals with the commitment of management, the provision of resources as well as incentives and disciplinary measures. The third question then deals with the control of the CMS and the investigation and sanctioning of misconduct.

Even though they are not legal regulations, the guidelines are very important in the UK and the USA. For German companies, they indicate what the international standard looks like and which measures are important. It is interesting that both guidelines address compliance due diligence in M&A transactions as part of the CMS, which is still often of little importance in Germany. This shows once again how important compliance due diligence is, especially in an international comparison.

Lessons Learned

First the good news: Yes, they do exist - the standards, regulations, guidelines against which compliance management systems can be measured. This applies both in the context of a transaction when examining the CMS as part of the compliance due diligence as well as when introducing compliance management systems. When comparing the contents of the standards mentioned above, it becomes clear that they all describe the essential components of a CMS in a very similar way. It is undisputed that the basic elements of a compliance management system include a compliance risk analysis, a code of conduct, various compliance guidelines, tone from the top, a whistle-blowing system, the review of the CMS and the sanctioning of compliance violations.

Now for the bad news: The question of whether the corresponding CMS existing in a company is actually appropriate ultimately remains a case-by-case decision. None of the standards and guidelines are binding, so that even if the CMS is certified or audited, liability cannot automatically be ruled out. If a liability case arises, it is at the discretion of the court to decide whether a compliance management system is appropriate. In this context, not only the initial implementation, but also the implementation in practice of the CMS within the company is decisive.

Nevertheless, if you do not introduce a CMS, you have already lost, because you will never be able to claim release of liability on the basis of internal compliance structures. However, those who introduce a CMS and align it with the existing standards and guidelines have a good chance of at least minimising, if not excluding, liability.