Fri, May 22, 2020
After internal stakeholder consultations within ministries, the German government published a draft law introducing the concept of corporate criminal liability which will have far-reaching implications for German businesses and international companies operating there. The proposed legislation is titled “Law for the Strengthening of the Integrity of the Economy” (Gesetzes zur Stärkung der Integrität in der Wirtschaft), hinting at the dual purpose of increasing accountability for businesses whilst also creating incentives to enhance compliance programs. Here we provide an overview of the key requirements and present our views on how firms might prepare.
In many regards, Germany is following a global trend of introducing corporate criminal liability. However, in contrast to some other European countries, Germany proposes to criminalize a wider range of offences and issue harsher penalties of up to 10% of global revenues. However, the most severe measure, a corporate death penalty, has been scrapped from an earlier draft. The ambitious law shows the steep progress made in Germany’s compliance efforts, where less than 20 years ago businesses protested that their foreign bribes and kickbacks would no longer be tax-deductible.
While the law may not be ratified before 2021, companies with a footprint in Germany must act now to assess their risks and create appropriate compliance measures to shield themselves from criminal prosecution.
Germany has been an outlier for not having a corporate criminal liability code, despite several attempts by previous governments to introduce such a law. Currently, companies can only be fined for regulatory offences, with penalties capped at EUR 10 million, which is no longer viewed as an effective deterrent for multinational corporations.
Some in the German legal community previously questioned whether companies are even able to commit crimes, or if responsibility must instead always lie with individuals. However, in recent years the debate has shifted, with the public increasingly believing that some wrongdoing is systematic rather than merely the result of the actions of individuals. High profile scandals have clearly contributed to this, such as diesel emissions cheating or the “cum-ex” tax fraud.
The draft law has a wide scope and applies the criminal code to companies. However, in practice, enforcement of the law will likely focus on economic crimes. There are two ways in which an entity can be found liable:
First, the law considers acts committed by a senior manager to be made on behalf of the company. A senior manager can be a company director, member of a board, an authorised representative or any other senior manager with responsibility for the running or operation of the company.
Second, a company will be held liable for crimes committed by any employee if the act would have been prevented or significantly less likely to happen had appropriate compliance measures been implemented . This includes, for example, organisational, governance and oversight measures.
Overall, the German law is more ambitious in its scope than many comparable European regimes. For example, the UK introduced the tax-focused Corporate Criminal Offences Act in 2017 and has elements of corporate liability in other economic crime-related laws, such as the UK Bribery Act. But plans to widen legislation in the UK have been delayed.
The proposed law targets German legal entities with a commercial purpose, but excludes charities. Foreign companies are only targeted if they have a registered entity or branch in Germany. Therefore, the scope of the law is more restricted than the extraterritorial approach taken by other countries, such as the U.S. Foreign Corrupt Practices Act (FCPA).
However, a crime does not need to be committed within Germany or by a German national to be considered. Instead, any act committed on behalf of a German company falls under the legislation if the act is punishable both in Germany and the place of the crime.
If companies are found to be committing a criminal offence, they can be fined or issued a warning. In the most recent legal draft, corporate capital punishment (i.e. the forced liquidation of a firm) is no longer planned to be included in the law.
A declared goal of the new law is to reduce the perceived injustice posed by the current regime in which regulatory offences can be fined by up to EUR 10 million; this is now only viewed as an effective punishment for smaller and medium-sized businesses. Under the proposed corporate criminal liability law, companies with average global revenues of over EUR 100 million can be issued penalties of up to 10% of their global revenues.
In cases where a significant amount of people are likely to have been damaged by a company’s behaviour, public announcements can also be part of a punishment. This measure aims to inform potential victims and help them prepare their own (civil) claims against a company.
The public announcements introduce an element of “name and shame” to the German legal system that normally goes to great lengths to protect the identity of all parties involved in criminal litigation. As a side effect, this has the potential to significantly damage a company’s reputation.
The legislation clearly focuses liability on the actions or inactions of a firm’s senior management. In doing so, it follows a trend seen in a number of industries and across a number of countries whereby the lack of accountability for past misconduct by firms has resulted in tougher rules for the senior managers overseeing them, such as the U.S. FCPA and the UK Bribery Act. An area where such initiatives are most advanced is financial services, e.g. the Senior Managers and Certification Regime (SM&CR) in the UK or the Banking Executive Accountability Regime (BEAR) in Australia.
While the German regime is less specific and includes proportionality clauses, it is the clear intention of the legislator to create strong incentives for effective compliance programs. Senior managers are responsible for implementing such a program as their failure to carry out proper oversight, set up compliance systems and controls and provide clear guidance to lower-ranking employees will trigger liability of the firm.
Conversely, a strong system of compliance measures that is based on a bespoke risk assessment will be a mitigating factor for authorities to consider when determining the appropriate penalty and could be the difference between a substantial fine and a warning. In addition, companies will be expected to launch internal investigations, either through an in-house team or with the help of external investigators.
Under certain circumstances, a parent company may also be liable for acts committed by a subsidiary. This becomes particularly relevant in M&A situations, where a new parent may assume liabilities for acts committed before an acquisition. Therefore, the corporate criminal liability law increases the importance of due diligence ahead of corporate transactions.
In designing a compliance program, firms would be well-advised to take the following steps:
Carry Out a Risk Assessment
Once the rules and regulations applicable to its business and operations have been established, a firm should carry out an assessment of the risks it is exposed to. To take the example of the newly increased anti-money laundering requirements (2020 German Anti-Money Laundering Act/Geldwäschegesetz 2020), a firm taking regular cash payments or operating with clients or suppliers from certain jurisdictions is likely to be exposed to higher levels of risk. We also note that a police union has already singled out money laundering as an area where it expects increased enforcement under the proposed law.
Establish and Document Controls in Place
Based on the risk assessment, a firm should then establish appropriate systems and controls. The legislation clearly envisages these to be proportionate both to the risks and the size and complexity of the business. They will typically be focused on the following areas:
Review and Update the Compliance Program Regularly
An established compliance program can only be effective where it is reviewed regularly and updated to reflect changes in rules and regulations, a firm’s business model and products, and the environment it operates in. The frequency of review will depend on the complexity of the firm and the risks it is already exposed to. Firms exposed to high levels of risk should carry out an annual review while others might only need to review once every three years. Firms should also be prepared to carry out an ad-hoc review whenever a material change to its business model, product range or business environment occurs.
Contact Kroll Compliance Risk and Diligence and Duff & Phelps Compliance and Regulatory Consulting to learn more about how our services can assist you.
Complying with anti-money laundering and anti-bribery and corruption regulations.
Comprehensive spectrum of background checks, screening and due diligence services.