Fri, May 22, 2020

Steps Businesses Should Take to Prepare for The German Corporate Criminal Liability Act

After internal stakeholder consultations within ministries, the German government published a draft law introducing the concept of corporate criminal liability which will have far-reaching implications for German businesses and international companies operating there. The proposed legislation is titled “Law for the Strengthening of the Integrity of the Economy” (Gesetzes zur Stärkung der Integrität in der Wirtschaft), hinting at the dual purpose of increasing accountability for businesses whilst also creating incentives to enhance compliance programs. Here we provide an overview of the key requirements and present our views on how firms might prepare.

What Are the Key Implications of the Law?

In many regards, Germany is following a global trend of introducing corporate criminal liability. However, in contrast to some other European countries, Germany proposes to criminalize a wider range of offences and issue harsher penalties of up to 10% of global revenues. That said, the most severe measure from an earlier draft, a corporate death penalty, has been scrapped. The ambitious law shows the steep progress made in Germany’s compliance efforts, where less than 20 years ago businesses protested that their foreign bribes and kickbacks would no longer be tax-deductible.

While the law may not be ratified before 2021, companies with a footprint in Germany must act now to assess their risks and create appropriate compliance measures to shield themselves from criminal prosecution. 

Why is Germany Introducing Corporate Criminal Liability?

Germany has been an outlier for not having a corporate criminal liability code, despite several attempts by previous governments to introduce such a law. Currently, companies can only be fined for regulatory offences, with penalties capped at EUR 10 million, which is no longer viewed as an effective deterrent for multinational corporations.

Some in the German legal community previously questioned whether companies are even able to commit crimes, or if responsibility must instead always lie with individuals. However, in recent years the debate has shifted, with the public increasingly believing that some wrongdoing is systematic rather than merely the result of the actions of individuals. High-profile scandals, such as diesel emissions cheating or the “cum-ex” tax fraud, have clearly contributed to this.

What Crimes Are Targeted by the New Law?

The draft law has a wide scope and applies the criminal code to companies. However, in practice, enforcement of the law will likely focus on economic crimes. There are two ways in which an entity can be found liable:

  • First, the law considers acts committed by a senior manager to be made on behalf of the company. A senior manager can be a company director, member of a board, an authorised representative or any other senior manager with responsibility for the running or operation of the company.
  • Second, a company will be held liable for crimes committed by any employee if the act would have been prevented or significantly less likely to happen had appropriate compliance measures been implemented. This includes, for example, organisational, governance and oversight measures.

Overall, the German law is more ambitious in its scope than many comparable European regimes. For example, the UK introduced the tax-focused Corporate Criminal Offences Act in 2017 and has elements of corporate liability in other economic crime-related laws, such as the UK Bribery Act. But plans to widen legislation in the UK have been delayed.

Does the Law Have Any Impact on Operations Outside of Germany?

The proposed law targets German legal entities with a commercial purpose, but excludes charities. Foreign companies are only targeted if they have a registered entity or branch in Germany. Therefore, the scope of the law is more restricted than the extraterritorial approach taken by other countries, such as the U.S. Foreign Corrupt Practices Act (FCPA).

However, a crime does not need to be committed within Germany or by a German national to be considered. Instead, any act committed on behalf of a German company falls under the legislation if the act is punishable both in Germany and the place of the crime. 

What Penalties Can Be Expected?

If companies are found to be committing a criminal offence, they can be fined or issued a warning. In the most recent legal draft, corporate capital punishment (i.e. the forced liquidation of a firm) is no longer planned to be included in the law.

A declared goal of the new law is to reduce the perceived injustice posed by the current regime in which regulatory offences can be fined by up to EUR 10 million; this is now only viewed as an effective punishment for smaller and medium-sized businesses. Under the proposed corporate criminal liability law, companies with average global revenues of over EUR 100 million can be issued penalties of up to 10% of their global revenues.

In cases where a significant number of people are likely to have been damaged by a company’s behaviour, public announcements can also be part of a punishment. This measure aims to inform potential victims and help them prepare their own (civil) claims against a company.

The public announcements introduce an element of “name and shame” to the German legal system that normally goes to great lengths to protect the identity of all parties involved in criminal litigation. As a side effect, this has the potential to significantly damage a company’s reputation.

What Can Companies Do to Protect Themselves?

The legislation clearly focuses liability on the actions or inactions of a firm’s senior management. In doing so, it follows a trend seen in a number of industries and across a number of countries whereby the lack of accountability for past misconduct by firms has resulted in tougher rules for the senior managers overseeing them, such as the U.S. FCPA and the UK Bribery Act. An area where such initiatives are most advanced is financial services, e.g. the Senior Managers and Certification Regime (SM&CR) in the UK or the Banking Executive Accountability Regime (BEAR) in Australia.

While the German regime is less specific and includes proportionality clauses, it is the clear intention of the legislator to create strong incentives for effective compliance programs. Senior managers are responsible for implementing such a program as their failure to carry out proper oversight, set up compliance systems and controls and provide clear guidance to lower-ranking employees will trigger liability of the firm.

Conversely, a strong system of compliance measures that is based on a bespoke risk assessment will be a mitigating factor for authorities to consider when determining the appropriate penalty and could be the difference between a substantial fine and a warning. In addition, companies will be expected to launch internal investigations, either through an in-house team or with the help of external investigators.

Under certain circumstances, a parent company may also be liable for acts committed by a subsidiary. This becomes particularly relevant in M&A situations, where a new parent may assume liabilities for acts committed before an acquisition. Therefore, the corporate criminal liability law increases the importance of due diligence ahead of corporate transactions.

In designing a compliance program, firms would be well-advised to take the following steps:

Carry Out a Risk Assessment

Once the rules and regulations applicable to its business and operations have been established, a firm should carry out an assessment of the risks it is exposed to. To take the example of the newly increased anti-money laundering requirements (2020 German Anti-Money Laundering Act/Geldwäschegesetz 2020), a firm taking regular cash payments or operating with clients or suppliers from certain jurisdictions is likely to be exposed to higher levels of risk. We also note that a police union has already singled out money laundering as an area where it expects increased enforcement under the proposed law.

Establish and Document Controls in Place

Based on the risk assessment, a firm should then establish appropriate systems and controls. The legislation clearly envisages these to be proportionate both to the risks and the size and complexity of the business. They will typically be focused on the following areas:

  • Governance and Oversight: Establish a clear line of oversight and responsibility going up to the top. For more complex, higher risk organisations, this might mean establishing committees and assigning specific duties to senior managers. For smaller businesses, it might be sufficient to put in place regular reporting to the general manager.
  • Lines of Defence: The concept of lines of defence means that various functions within a firm have different tasks in controlling a particular risk. In a three-line system, the business typically forms the first line, while a compliance and/or risk function will oversee and test the business from a second line. Internal audit forms the third line, providing regular reviews on both the first and second lines of defence. Again, smaller and less complex firms may be able to combine these functions and assign their responsibilities to individuals with dual roles, e.g. a senior manager of operations may act as a second line to the activities of sales and marketing teams. For many other businesses, it means they should review how they fulfil their duty to conduct ongoing due diligence on business partners and implement enhanced “know your customer” provisions.
  • Policies and Procedures: At a minimum, every firm must set out its approach to compliance with all applicable laws and rules. This is typically done through a set of policies, often supported by a code of ethics or similar which all employees must certify their compliance with. The guidance developed in relation to the German draft law explicitly mentions that compliance systems (which may include IT systems allowing the administration of certain policies) are not compulsory for all firms. Therefore, where proportionate, a set of relatively manual procedures might suffice to meet the legislator’s expectations.
  • Training and Awareness: While policies and procedures are a prerequisite to effective compliance, employees must also be trained on the key requirements for each area to understand how the risks highlighted might actually impact the area of the business they are in.

Review and Update the Compliance Program Regularly

An established compliance program can only be effective where it is reviewed regularly and updated to reflect changes in rules and regulations, a firm’s business model and products, and the environment it operates in. The frequency of review will depend on the complexity of the firm and the risks it is already exposed to. Firms exposed to high levels of risk should carry out an annual review while others might only need to review once every three years. Firms should also be prepared to carry out an ad-hoc review whenever a material change to their business model, product range or business environment occurs.

Contact Kroll Compliance Risk and Diligence and Duff & Phelps Compliance and Regulatory Consulting to learn more about how our services can assist you.
