Compliance responsibilities of management bodies, directors and officers of domestic and foreign subsidiaries of German groups

By Dr. Robert Weber, Dr. Michael Müller and Darryl Lew, White & Case, Frankfurt, Washington, D.C.


After 10 years of discussion about the legal need for German companies to introduce compliance structures and how the content of such structures should be designed, “compliance” can now be said to have arrived. While there are—with a few industry-specific exceptions—no explicit legal obligations requiring the management of a German company to establish a compliance management system (CMS), there now appears to be a consensus that the organizational duties incumbent on the management of every company of a certain size include the duty to take organizational precautions to ensure that the company’s management bodies, directors, officers and employees conduct themselves in compliance with the many legal duties arising from the activities of the company. Compliance is a top priority for management. It has come to be seen as common sense that ultimate responsibility for setting up a CMS and making sure it works lies with a company’s management and that when management comprises several individuals one of them must be allocated that responsibility explicitly under the terms of a corresponding allocation of duties. When it comes to the decision on what to include in the CMS, no executive board in today’s world would choose to introduce anything less than the bare minimum of a code of conduct applying to all employees, an anticorruption policy, a whistleblower system and compliance training. Finally, the Institute of Public Auditors in Germany (IDW) has also created a formalized way of evaluating the functionality of a CMS and obtaining certification by introducing its IDW PS 980 auditing standard.

Recent compliance developments as a result of the Siemens/Neubürger judgment

The relative calm that had in recent years returned to discussion among members of the compliance community as to whether and how a CMS should be established has now been disturbed by the Munich Regional Court’s so-called Siemens/Neubürger judgment of Dec. 10, 2013. Over the years since 1999, a system of “slush funds” had been set up at Siemens AG, with the moneys parked in those funds being used to make corrupt payments. The members of the Siemens AG management board—among them Heinz-Joachim Neubürger who had1998—had been repeatedly informed about the large number of bribery cases occurring abroad and the poor organization of the compliance organization, yet failed to take adequate measures to clarify what happened and to review the system, at least according to the view expressed by the Munich Regional Court. Former CFO Neubürger was sued for the costs incurred by Siemens AG for the services of a U.S. law firm performed in connection with internal investigations. Because of a payment made to a recipient in Nigeria for an allegedly invalid consultancy contract, he was subsequently ordered by the court to pay damages to Siemens AG totaling €15 million. Although not yet final, the judgment has led to a controversial debate and a sharpened general awareness that the management of a company can be held liable for damages by that company if they fail to comply with their duties to set up a CMS or fail to do so sufficiently. In addition—as one of the many individual aspects of this decision—the Siemens/Neubürger judgment has focused attention on group-related issues. Both the system of “slush funds” established at Siemens AG and the corrupt payments themselves took place mainly at the level of the Siemens AG subsidiaries.

CMS requirements for group subsidiaries

Is the management of a German group parent company required to set up a CMS covering not only the parent company but also the group’s affiliated companies? Again, there are no legal provisions explicitly addressing this question. According to the prevailing opinion in Germany, however, the compliance duties incumbent on the management of a company also extend to that company’s (domestic and foreign) subsidiaries. This is also the premise assumed by the German Corporate Governance Code, which requires the management board of an exchange-listed stock corporation (Aktiengesellschaft, or AG) to work toward ensuring group companies’ compliance with the law and the company’s internal policies. There are some situations, however, where working toward achieving group companies’ compliance is not a simple matter. If there is a control agreement in place between parent and subsidiary, then the parent is at all times entitled to issue instructions to the management of the subsidiary and obtain information on the activities of the subsidiary regarding their management. The instruction and information rights enable the management board of the parent company to readily integrate the subsidiary into a group-wide CMS.

>> Company managers can be held liable for damages arising from compliance offenses if they had failed to set up a proper CMS <<

If there is no control agreement in place between parent and subsidiary, in other words if they form a so-called de facto group, then a distinction has to be made between a subsidiary organized as an AG and a subsidiary organized as a limited liability company (Gesellschaft mit beschränkter Haftung, or GmbH). In the case of a subsidiary GmbH, compliance measures can be effected by exercising the rights a shareholder has under the GmbH Act to issue instructions and be kept fully informed. In contrast to the management of a subsidiary GmbH, however, the management board of a subsidiary AG in a de facto group is not bound by instructions from the parent company. In that case the subsidiary’s management board is independently responsible for managing the subsidiary. This means that such a subsidiary AG cannot be compelled by its parent company to accept integration within a group-wide CMS. Similarly, according to the generally held opinion, the parent company does not have the right to obtain the information necessary for the purpose of enforcing compliance-related reporting by the subsidiary. The question of how to deal with the resulting compliance control deficits in a de facto group remains largely unresolved. Legally speaking, the parent company has to rely on the subsidiary AG’s management board deciding more or less voluntarily to agree to the company being included within the group-wide CMS. Although they are not obliged to implement parent company directives in the field of compliance, they do have the right to do so, provided that the measures proposed by the parent are in the company’s best interests. In this context, it is generally considered especially helpful if the persons appointed to the board of a subsidiary AG are also directors or managers in the parent company.
At the very least, the management board of the parent company should make sure it is represented on the supervisory board of the subsidiary AG so as to be able to use that position to persuade the management board of the subsidiary AG that acting in the best interests of the subsidiary AG entails giving favorable consideration to the option of integrating the subsidiary AG within the group’s CMS. Can the management of a subsidiary integrated into a group-wide CMS simply sit back and relax with regard to their compliance responsibilities? Definitely not. As group companies will always retain a degree of legal independence, it follows that the fundamental compliance obligation will also remain at the level of the group companies and not be substituted by a group-wide compliance organization set up at the parent company. This does not mean that each subsidiary must establish and maintain an independent compliance organization of its own. Rather, the management of a subsidiary is entitled to rely on the compliance organization of the parent company. However, they must first satisfy themselves that the group-wide compliance standards are appropriate and sufficient for the subsidiary company. For example, if a company is the only subsidiary in the group that exports sensitive goods (such as dual-use items) and if the group’s CMS does not include special export control mechanisms, then the management of the subsidiary must compensate for this deficit, for example, by implementing an export control policy and appointing an export control officer. As a result, the compliance responsibilities of the subsidiaries’ management bodies remain in place in principle, but are modified. The more decentralized the respective group is and the more fragmentary and incomplete the control of group-wide compliance by the top management, the greater the compliance duties incumbent on subsidiaries’ management bodies.
Even if the group does have an effective group-wide compliance system in place, the management of a subsidiary is nevertheless required to have a minimum level of compliance resources available at their own company, so as to be able to carry out compliance duties themselves if necessary.

Implementation of a CMS in foreign group subsidiaries

Do these principles also apply to the management of a foreign subsidiary affiliated with the group, for example, the directors of a U.S. corporation belonging to a German group? Can they be instructed to integrate their company into a group-wide CMS designed by the German group parent? And if so, which basic compliance duties must nevertheless be still fulfilled by the U.S. companies themselves? The extent to which a German parent can mandate the implementation of a group-wide CMS at its U.S. subsidiary largely depends on the contents of the subsidiary’s governing documents, such as its bylaws. Typically, a U.S. company’s board of directors or managers is responsible for adopting a compliance plan. If a German parent company has the right to appoint and/or replace members of its U.S. subsidiary’s board of directors and if the U.S. subsidiary’s board of directors has the authority to implement a compliance plan, then the German parent effectively can instruct the subsidiary’s directors to implement a group-wide CMS so long as the CMS complies with applicable U.S. federal and state law and does not interfere with the directors’ fiduciary duties to the shareholders. These general principles apply regardless of whether the U.S. subsidiary is a private or publicly listed company. If the U.S. subsidiary is a wholly owned subsidiary of a German parent, then the parent could appoint its own board members to the U.S. subsidiary’s board and in this way afford a high level of control over the implementation of a group-wide CMS. However, if the U.S. subsidiary is a publicly listed company in which the German parent owns a controlling interest, then the subsidiary’s board would generally need to comply with applicable listing rules (NYSE, NASDAQ) regarding independent directors.
According to NASDAQ Marketplace Rules 4000 et seqq., NASDAQ-listed companies have to establish certain mechanisms involving independent directors to provide transparency for their (potential) investors. While independent directors can also be replaced by the shareholders (including the German parent acting in its role as shareholder), these listing requirements limit, to some extent, the replacements who may be selected, because the parent company’s board members generally do not fulfill the requirements of an independent director according to the NASDAQ Rules. As for a U.S. subsidiary’s compliance-related obligations apart from any applicable to the German parent under German law, U.S. requirements and standards for a compliance program can arise from a variety of federal and state laws, including, for example, the 1934 Securities Exchange Act (applicable to publicly listed companies), the U.S. Sentencing Commission Guidelines Manual, the Sarbanes-Oxley Act, the Foreign Corrupt Practices Act and applicable state corporate law. In addition to requirements arising under U.S. law, a subsidiary’s governing documents could also mandate requirements for a compliance program.


Although no German law provisions obliging corporations to set up a CMS exist, the Siemens/Neubürger judgment has clarified that if they fail to do so, company managers can be held liable for damages in case of compliance offenses. The requirement to establish an effective CMS also extends to the affiliated subsidiaries in a company group. The approach to implementing an effective CMS in a company group depends on whether a control agreement between the parent company and its subsidiary is in place or whether the company group is a so-called de facto group. In the event that the affiliated companies are comprised of U.S. subsidiaries, the compliance situation is yet more complicated. In this case the subsidiaries’ management has not only to comply with the centralized CMS but also to obey specific U.S. legislation. As publicly listed U.S. subsidiaries have to appoint independent directors, it is more difficult for a German parent to enforce a CMS in the subsidiary. The parent company’s managers generally do not fulfill the criteria for becoming independent directors, which is why the possibility to maintain influence over the subsidiary by integrating the parent company’s own management personnel is more challenging.
