Third-party certification of compliance management systems—a route to limit the liability of the management board?
By Dr. Benno Schwarz and Dr. Sebastian Lenze
Gibson, Dunn & Crutcher LLP, Munich
The temperature has dropped in German corporate boardrooms and an atmosphere of uncertainty and sometimes “angst” can be sensed when discussing personal liability of management and supervisory board members in light of the myriad of compliance violations that can arise in the daily life of a globally operating company. No consulting business that is worth its name would let the opportunity pass to fill this void with excellent, good, and—sometimes—bad advice, providing guidance and support, and promising a safety net for businesses and their management. One fairly recent and important facet of this trend is the emergence of “compliance certificates” that come in various shapes and forms. The following article assesses the liability exposure that such certificates may address under German law and discusses the limits of these new products.
Sources of exposure for companies and management
While the specific source of exposure can be quite complex, it will always stem from a few fundamental violations. In the case of individual liability of a member of management or the supervisory board, liability can arise from criminal conduct, violation of administrative laws and regulations (including a lack of due organization of the business and due oversight), or civil liability for a negligent (or intentional) violation of the individual manager’s duty of office. In the case of corporate liability, under German law, a company cannot be subject to criminal liability: criminal acts committed by individuals on behalf of or for the benefit of the business expose the business to administrative fines (including the disgorgement of illicitly gained benefits). Additionally, the business may be exposed to civil liability, such as damage claims from contract partners. When assessing the effectiveness of “compliance certificates” to limit the exposure of a business or its management, each of the key sources of liability needs to be analyzed in more detail against the background of the specific review activities planned or undertaken by the issuer of the certificate.
Types of compliance certificates
An initial, high-level analysis shows two different approaches offered on the German market (and globally): (a) compliance certificates in accordance with precisely described review standards, such as IDW AssS 980 (IDW AssS 980: Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems), certificates rendered against the background of Compliance Management System Guidelines under ISO 19600, or under TR CMS 101:2011 (TR CMS 101:2011 – Standard for Compliance Management Systems (CMS) of TÜV Rheinland); and (b) tailored certifications and review reports prepared in an individualized fashion by law firms or expert consultants, whether in the context of a regulatory proceeding (such as an FCPA compliance monitorship) or upon special request by the company’s management or by the supervisory board.
Criminal exposure for an individual member of management is typically centered around a limited number of criminal offences: (a) criminal conduct qualified as fraud or breach of trust [Betrug und Untreue, Chapter 22 of the German Criminal Code (StGB – Strafgesetzbuch), with § 266 StGB (Untreue) being the central criminal provision in the context of criminal offences committed by management], (b) criminal books and records violations [§ 283b StGB – violation of book-keeping duties (Verletzung der Buchführungspflicht), § 400 Stock Corporation Act (AktG – Aktiengesetz) Misrepresentation (Falsche Darstellung)], and (c) criminal conduct for a violation of duties to prevent certain crimes (such as corruption crimes) as a guarantor (§ 13 StGB in conjunction with the respective criminal offence). Further, German criminal law punishes not only an individual who violates criminal laws by an act but, under certain circumstances, also an individual who does so by an omission to act (§ 13 para 1 StGB).
Exposure for administrative law violations
Individual exposure for management or personnel in managerial roles
The German Administrative Offences Act (OWiG – Ordnungswidrigkeitengesetz) states that the failure to take adequate supervisory measures to prevent crimes or administrative and regulatory offences from being committed in connection with the respective business constitutes an administrative offence (§ 130 para 1 OWiG). The offence is committed if a representative of the business or a person with managerial responsibilities (Leitungsperson) fails to exercise due supervision and thereby enables the offence to be committed by the business or from within the business in the interest of the business (§ 130 para 1 OWiG in conjunction with § 30 OWiG). In such a scenario, a recent certification from an independent expert confirming that the compliance management system established in the business was well designed, duly implemented, and effective, and—in the normal course of business—would have prevented the offence from occurring in an undetected manner, can be a powerful tool to build a better defense for the individual manager.
Under the OWiG, a company is punishable if its managerial personnel (Leitungspersonen) failed to establish an organization that in the normal course of business would prevent crimes or offences from occurring from within the company or in the interest (or for the benefit) of the company (§ 130 in conjunction with § 30 OWiG), or if crimes or offences have been committed by representatives of the company or business (Unternehmensvertreter, § 30 para 1 OWiG).
While an effective compliance system is not a defense expressly stipulated under German law, a well-designed and carefully implemented and executed compliance management system may be a strong argument for obtaining a declination of the charges against the business or for lowering the fines under the OWiG for the company. Whether or not fines will be imposed, and the amount of the fines, is within the reasonable discretion of the deciding court. It should be noted, however, that in cartel matters, the fact that a company has a vigorous antitrust compliance management system is generally not considered a defense under German law (Activity report of the Federal Cartel Office, documented in the parliament’s papers, BT-Drs. 17/13675, para 46).
Civil law exposure to damage claims
Individual exposure for management
Even without a criminal or corporate offence being established, members of management (and supervisory boards) may be subject to damage claims raised by the company if the company has incurred damage due to a violation of the manager’s duty of office (objektive Pflichtwidrigkeit). In these cases, a compliance certificate covering the design, implementation and effectiveness of the compliance management system of a company that has been established to prevent and detect the specific type of violation that has occurred can be an extremely important piece of evidence to support the defense of the board member. The possible protection that might be provided by the certificate, however, will heavily depend on the scope and level of detail of the compliance review.
Corporations can be subject to civil claims stemming from a large array of violations and offenses. In corruption matters, for example, typical claims could stem from third parties that were co-bidders in a procurement procedure where they lost against the bidder that paid bribes. A compliance certificate will be of no help in this case if the corrupt activity has already been established as a fact. It should be noted that a compliance certificate that may help an individual board member in a civil law claim brought against him or her by the company for failure to fulfill a duty of office does not necessarily add value for the corporate defendant in the typical civil law claims that stem from compliance violations. This can be attributed to the fact that, by law, the employee’s or officer’s corrupt misconduct is attributed to the company according to § 31 or § 278 German Civil Code (BGB – Bürgerliches Gesetzbuch).
First experience with compliance certificates—lessons learned
Compliance certificates are aggressively sold in today’s corporate world. Some service providers suggest that an “anticipated expert report” will “eliminate the liability of management and supervisory board members in case of mistakes” (“Entlastung der Unternehmensleitung im Falle eines Fehlers durch unabhängige Bescheinigung der Konformität”, see TÜV Rheinland, http://www.tuv.com/de/deutschland/gk/managementsysteme/nachhaltigkeit_csr/compliance_management/compliance_management.html). Other marketing materials suggest that the review under a certain standard (IDW AssS 980, for example) itself is a guarantee for quality and protection. All these statements should be considered with the necessary caution. As is true for so many things, when it comes to assessing compliance certificates, one has to consider the substance of the review rather than the form or name of the certificate.
WYPIWYG and GIGO
Review activities for obtaining compliance certificates range from a mere “check-the-box approach” and desktop review of a company’s documentation of the compliance program to a sophisticated review of the design, implementation and effectiveness of a compliance management system, including a risk-based real-life review and testing of the effectiveness on-site in markets that are considered critical. For certificates that require only a very superficial desktop review of a company’s compliance system, in our view, the GIGO principle (Garbage-in-Garbage-out) is probably the best benchmark to assess the effectiveness. Corporate life is too colorful to provide protection by only checking boxes in an itemized list. The more sophisticated the design and the more detailed the review becomes, the more protection the respective compliance certificate can provide. In short, the WYPIWYG principle applies here, namely, What You Pay Is What You Get. However, it is not the absolute number of review activities that makes the difference in quality, but rather the thoughtful and balanced scoping of the review, the risk-based selection of the review areas, and the approach to the analysis and testing methodology. In this respect, intellectual firepower will likely prevail over pure quantity of data crunching. An important aspect frequently goes unheard in noisy sales pitches given by professional service companies and consultants: the mere standard for the process of conducting the review (such as IDW AssS 980) does not create a defined level of quality or protection by itself.
While these standards are extremely helpful guidelines for the professional to plan and approach the review, the question whether or not the specific review provides more or less protection to the management board is fully contingent upon the respective scope, methodology and level of detail of the review.
Assessment of compliance certificates by German courts
The jury is still out on the extent to which compliance certificates protect individual members of the management board or the corporate defendant. There are no decisions of the higher courts specifically addressing the question of certificates. The one decision that may provide some guidance on how courts may assess compliance certificates in future is the “Ision-Decision” rendered by the BGH in 2009 (BGH, Decision of 20. 9. 2011 – II ZR 234/09). The key question that had to be decided by the court in this case was when and to what extent members of the management board may rely on the opinion of experts in areas where the individual member (or the board collectively) lacks the necessary experience or expertise to ensure that their decision is correct and does not lead to a violation of their duties of care towards the company. The court stated that to the extent a management decision requires expertise outside of the core expertise of management, it is reasonable and necessary to seek outside advice and expertise that management can generally rely upon. Further, the court developed a four-step test that needs to be satisfied before management can rely on outside expertise.
Firstly, the expert rendering the advice must be sufficiently qualified in the respective field of expertise. While this sounds trivial at first glance, it is important for the management to objectively establish the qualification of the expert (for example, by reviewing the track record of the expert, seeking testimony from other experts and documenting the results).
Independence is critical
Secondly, the expert should be independent. Again, at first sight a no-brainer, but in the context of the review of a compliance management system, some tricky situations may arise if the expert has designed the system it is reviewing, or if the expert handles other significant matters for the client that might lead to conflicts.
Company cooperation is crucial
Thirdly, the expert must be provided with all necessary information and support to carry out its work and to come to a fully unbiased opinion. In more complex matters, such as a compliance review of a globally operating company, this aspect puts a significant burden upon the management and the company seeking advice to establish a process that allows the expert to carry out its work with the required level of detail and based on all necessary information.
Management oversight remains front and center of the review
Lastly, management cannot simply take advice and implement recommendations without first critically reviewing the advice given and the basis underlying the expert’s conclusions. The final plausibility check is the essential step for management in exercising the required diligence and care. Management has to convince itself that the expert has come to a conclusion based on a reasonable process, a diligent review of the facts, and that the result appears to be reasonable and workable.
Where do we go from here?
While the Ision matter is certainly not the final word expressed by German courts on the viability of compliance certificates to limit liability, it should remind us that compliance certificates of whatever name or nature will never be a “carefree-certificate” providing blanket insurance against the personal liability of a company’s management or the company itself. However, when planned, designed and implemented thoughtfully with adequate resources and with the full support and cooperation of the company and its management, they can be powerful tools to limit the liability of both management and companies themselves stemming from charges of negligence in criminal matters and administrative offences, as well as to limit the personal liability of members of management and the supervisory board from civil damage claims.