A new corporate liability law is emerging in Germany: the last federal government had already drafted a law on sanctioning companies, the adoption of which only failed at the end of the legislative period and the election of a new German Bundestag. The German Administrative Offenses Act (OWiG) has long been criticized for not being suitable for sanctioning companies and for lagging behind international developments in legal standards and compliance requirements. In September 2020, the German Federal Ministry of Justice presented a "Draft Law to Strengthen Integrity in Business," the centerpiece of which was the draft Corporate Liability Act (VerSanG-E). The current German government is also working on a timely reform of corporate liability law. Other laws at European level, such as the whistleblower directive to be implemented or the draft of a new directive on supply chain due diligence, place new compliance requirements on companies. That is why anyone who has not yet done so should take a detailed look at the main contents and changes.
Why do we need new rules to sanction companies?
In its coalition agreement from December 2021, the current German government promises to revise "the regulations on corporate liability, including the level of sanctions," "in order to improve the legal certainty of companies with regard to compliance obligations and to create a precise legal framework for internal investigations." The last coalition government had already paved the way for a new legal framework with the draft bill "Act to Strengthen the Integrity of Business", ("Gesetz zur Stärkung der Integrität in der Wirtschaft") which will have far-reaching consequences for all business enterprises. But why is this necessary?
Currently, companies are still sanctioned under the German Administrative Offenses Act (OWiG). However, there are various loopholes in this law that make it very difficult to impose proper sanctions. It lacks both proper assessment rules for association fines and any approach to promoting compliance measures in business. In addition, it sets a maximum sanction of EUR 10 million. This puts small and medium-sized companies in particular at a severe disadvantage, as large corporations can usually easily cope with the maximum sanction. As a result, the fine hardly contributes as a deterrent to reducing violations of the law. Another problem with the OWiG is that prosecution is at the discretion of the responsible authorities (opportunity principle). This means that the respective authority can decide for itself whether to further investigate a committed association offense - or the suspicion thereof. All this will change very soon. The coming corporate liability law will both remedy the abuses of the OWiG and create a new basis for sanctions, but it will also recognize measures to comply with rules, such as effective compliance management systems.
Who does it affect and what needs to be considered?
The legislator intends to introduce a general corporate liability law that will in principle cover all business enterprises regardless of their size. The draft Corporate Liability Act ("VerSanG-E") of 2021 serves as an important reference point here and offers a preview of what is to come. Specifically, the VerSanG-E provided for new and more stringent sanction measures for associations whose business purpose is geared toward commercial business operations. Associations with a non-profit purpose were to remain subject to the OWiG. An "association" ("Verbände") is defined as legal entities under public or private law, associations without legal capacity and partnerships with legal capacity. Thus, small and medium-sized enterprises should also be covered by the term "association", which means that they, too, will have to prepare for new and more severe sanction measures if an association offense is committed. But what exactly is hidden behind the term "association offense" ("Verbandstat")?
Up to now, the legislator has described as an association offense all "criminal offenses by which the association's duties have been violated or by which the association has been or was intended to be enriched. Association sanctions should apply if a management person of the association has committed an association offense or could have prevented or aggravated it through a lack of precautions in the area of organization, selection, guidance or supervision. It should be noted here that it should be sufficient for an association offense to be established that it has occurred in the company. It is not necessary for a specific perpetrator to be known in order for a Verbandstat to be prosecuted. The VerSanG-E included the following cases as association offenses, among others:
- Tax offenses (e.g., tax evasion, illegal employment);
- Environmental offenses (e.g., violations of the Immission Control Act, Chemicals Act);
- Compliance offenses (e.g. violations of Securities Trading Act, Banking Act, Money Laundering Act);
- Property offenses (e.g. theft, property damage, fraud);
- Competition offenses (e.g. price fixing, industrial espionage, corruption);
- Occupational health and safety offenses (e.g., industrial accidents caused by negligent behavior).
It is likely that the forthcoming corporate liability law will also fully encompass the direct actions of management personnel. In principle, any person who holds a managerial role counts as a management person. This includes:
- Members of a governing body of a legal entity with power of representation;
- Members of the board of directors of an unincorporated association;
- general representatives and, to the extent that they hold a managerial position, authorized signatories and authorized agents of an association;
- any other person acting responsibly for the management of the business or enterprise of an association (including supervision of the management or other exercise of controlling powers in a managerial position).
This would include, for example, members of the management board of an AG or members of the supervisory board, managing directors of a GmbH or a Komplementär GmbH & Co. KG, general partner of a limited partnership, shareholder of an oHG and compliance or money laundering officers would be potential perpetrators of a Verbandstat. In addition, the VerSanG-E also provided that companies could also be sanctioned for the actions of ordinary employees if the company management failed to have established sufficient company-wide preventive measures. Such a provision, which will most likely also be included in the new corporate liability law and is in line with the international trend in legal development, de facto means the extension of liability under sanctions law to the actions of all employees, depending on the compliance processes established in the company.
What do companies have to be prepared for?
The German government is not expected to adopt the Corporate Liability Act in its current form, but will either draft a new law based on the content of the VerSanG-E or integrate its core content into the existing legal framework. These core contents include the creation of a proper legal basis to sanction corporate offenses more severely, legally secure assessment rules for association fines, and greater incentives to invest in compliance systems.
Monetary sanction ("Verbandsgeldsanktion")
The current upper limit for fines of EUR 10 million in the OWiG does not represent an appropriate instrument for punishment and deterrence. The VerSanG-E provided for an increase in the level of sanctions here to 10% of the Ø annual turnover. It is likely that the upcoming new regulation will also aim for this level; the same sanction level is already anchored for serious violations in the Money Laundering Act or in the neighboring Dutch corporate criminal law. In the case of negligent association offenses, companies must expect a financial sanction of up to 5% of the average annual turnover under the VerSanG-E. This puts large companies in particular, which may have hardly been harmed by the current maximum, at financial risk. 10% of the average annual turnover is no longer a negligible fine, but can lead to a considerable economic burden and even to insolvency in serious cases.
The legality principle ("Legalitätsprinzip")
The discretion of the authorities to prosecute, which has been based on the opportunity principle, is no longer considered to be up-to-date and will probably be replaced by a duty to prosecute - the principle of legality. This would mean that the responsible authorities would no longer be free to decide for themselves whether to pursue a crime or suspicion of a crime, but would be obliged to initiate investigations.
New sanction instruments/measures
In addition to the fine, other sanction options are likely to be used: the VerSanG-E provided for the warning with sanction provision and the possible publication of a conviction in this regard. The former allows a company to be warned by a court determining but not yet imposing an association fine. The warning may be subject to conditions and/or instructions. Publication in an accessible association sanctions register is intended to act as an instrument of "naming and shaming" as an additional sanction.
Sanction mitigation measures
A central, international development in corporate liability law is the move toward greater emphasis on established preventive measures in companies. Although sanction mitigation measures have already been recognized by the highest courts in Germany, too, if effective measures are proven, these have never been laid down in law to date. In the coalition agreement, the German government explicitly mentions compliance obligations and internal investigations as targets. The VerSanG-E also already provided that effective compliance measures and internal investigations that make a comprehensive contribution to clarifying the association offense should have a sanction-reducing effect. Companies should be able to achieve a reduction of the fine by up to 50% and the non-disclosure of the conviction as a result. Although some specific points - for example, the role of the defense and the conduct of the internal investigation - are still the subject of open discussion, a comparable regulation is foreseeable.
Overall, the upcoming corporate liability law will include significantly tougher and more comprehensive instruments than the OWiG. To date, companies have partially accepted certain compliance risks and ignored them on the basis of the current legislation or, in extreme cases, have even considered it more economically advantageous to consider criminal offenses. This can therefore not only result in far-reaching financial damage for companies in the future, but also cause lasting damage to their reputation. Companies can already respond to these developments by setting up and implementing compliance management systems with foresight.
How can sanctions be prevented or mitigated?
Measures to mitigate sanctions will be an integral part of the law in the future. As already covered by the VerSanG-E, these will include both effective compliance measures and investigations that make a comprehensive contribution to clarifying the association's offense.
It is already common practice for authorities to take into account the precautions taken to prevent and detect criminal acts, as well as the efforts made by management to uncover and redress them, when determining sanction levels. The foreseeable (due diligence) obligation of the company management to take appropriate precautions to prevent criminal acts by ordinary employees also represents a gateway for the sanction-law significance of compliance measures. The compliance measures required for this purpose should depend on the type, size and organization, the dangerousness of the company's object, the number of employees, the regulations to be observed and the risk of their violation. In other words, only an effective compliance management system (CMS) adapted to the individual compliance requirements of the association can lead to the hoped-for reduction in sanctions. In line with these legal developments, the new international CMS certification standard ISO 37301 has been available since April 2021. This has replaced the old ISO 19600, includes more concrete descriptions of how to develop, implement and maintain a CMS within an organization, and is certifiable as a Type A standard. This enables companies to have the effectiveness of their compliance management systems certified by independent third parties, which can be recognized as a mitigating circumstance or appropriate preventive measure in the event of sanctions.
In addition to compliance measures, internal investigations will take on a second, central role. Here, too, it is foreseeable that circumstances mitigating sanctions may be recognized, provided that the internal investigation makes a significant contribution to clarification. The VerSanG-E also provided that the authority may refrain from prosecution until an investigation has been completed. However, qualitative requirements must be met for this, which have yet to be specified by the legislator in the new corporate sanctions law. It is also conceivable here that the content of the VerSanG-E will be adopted, such as that of the materiality of the clarification contribution - the concrete significance of which, however, only practice will be able to show - or that the principles of a fair trial have been complied with and the entire process has been comprehensively documented. Until recently, major points of contention such as the separation of defense and management of the internal investigation or the management of the latter by independent third parties are once again open as a result of the non-adoption of the VerSanG and its possible revision. For companies, this poses the challenge of establishing forward-looking compliance management systems at an early stage that are flexible enough to adapt to any legal changes.
What other legal requirements are coming?
The new corporate liability law is the centerpiece of the upcoming compliance regulation, but it is already not the only legislative initiative. Germany should have implemented the European Whistleblower Directive as early as December 2021. This provides for the obligation to set up internal reporting systems and to issue protective measures for persons who report legal violations. Here, too, companies will face further liability risks and compliance requirements with the imminent transposition into German law.
Of even greater importance are the forthcoming regulations on the prevention of human rights violations in supply chains: Starting next year, the Supply Chain Due Diligence Act, enacted in July 2021, will take effect, imposing comprehensive new requirements for due diligence, risk management and analysis, and preventive and remedial measures. Here, too, non-compliance is subject to penalties of up to 2% of global annual sales. In 2024, the law will be extended to a wider group of companies with a size of 1000 employees or more. In parallel, the EU Commission published a draft of its own directive on supply chain due diligence in February 2022, which will, among other things, expand the circle of affected parties, require the alignment of corporate strategy with the Paris climate targets, and, in particular, enable civil lawsuits by affected parties.
In general, these developments show that ESG (environmental, social, governance) issues are becoming increasingly embedded in legal regulation and thus more relevant for compliance departments. Until now, ensuring respect for human rights in supplier countries and climate protection were largely voluntary commitments. This is about to change. Also, the disclosure rules on non-financial reporting, which the upcoming European CSR Directive will transform into globally mandatory, uniform accounting standards for the first time from 2023, and the Commission's "Green Finance" legislative packages show that today's ESG issues are tomorrow's regulation. It will therefore be all the more important for companies to act with foresight, establish flexible compliance management systems and integrate these with the other corporate functions in a meaningful way.
How can we support you?
New, modernized and stricter corporate liability law is just around the corner. You should therefore take a close look at your compliance-relevant processes and systems - not only to protect yourself from heavy fines and avoid damage to your image, but also to identify, assess and actively manage your individual risks. Effective compliance management makes an essential contribution to an economically sustainable business model.
It has never been more important to be properly positioned in compliance. Processes and systems need to be analyzed for compliance risks and compliance due diligence needs to be given significant importance - ideally before new legislation comes into force.
We support you in analyzing your current compliance risks as well as in designing and implementing preventive measures, such as setting up and developing compliance management systems. Based on our expertise and many years of experience in the implementation of Risk & Compliance projects, we know how to effectively identify compliance risks and at the same time define measures to prevent these risks in a targeted and successful manner.