Germany's Criminal Corporate Liability Bill - some tips for compliance officers
Florian Nitschke and Martin Fischer, Duff & Phelps, Directors, London, 10 June 2020
The German government has published a Bill to make corporations criminally liable and this is likely to have far-reaching implications for wealth managers based in Germany if, as expected, it becomes law in 2021. This article looks at its main points and asks how private banks and others might prepare for it.
However, the Bill does target crimes committed outside Germany and by people who are not German citizens. Indeed, any act committed on behalf of a German company falls into its purview if the act is punishable both in Germany and at the place of the crime. This is, in Anglo-Saxon legal parlance, the concept of dual criminality.
What penalties can be expected?
The Bill proposes to allow German courts to fine companies with average global revenues of more than €100 million up to 10% of their global revenues.
In cases where a significant number of people have probably suffered damage as the result of a bank’s behaviour, the court might make a public announcement as part of its punishment. This measure aims to inform potential victims and help them to prepare their own (civil) claims against the bank - an alarming prospect that bedevils many banks that have to endure regulatory penalties as well.
The German legal system normally goes to great lengths to protect the identities of all parties involved in criminal litigation; this proposal to make public announcements introduces an element of “name and shame” to the proceedings. As a side effect, this is likely to damage many a company’s reputation.
What can a bank do to protect itself?
The legislation clearly concentrates liability on the actions or inactions of a firm’s senior managers. In doing so, it follows a trend seen in several industries and countries. One area in which such initiatives are most advanced is financial services, as evidenced by the Senior Managers and Certification Regime (SM&CR) in the UK, the manager-in-charge regime in Hong Kong and the Banking Executive Accountability Regime (BEAR) in Australia.
Although the German regime is less specific than these and includes "proportionality clauses," it is the clear intention of the legislator to create strong incentives for effective compliance. The Bill proposes to make senior managers responsible for it: under the proposal, their failure to oversee things properly, to set up compliance systems and controls and to provide clear leadership to their underlings would lead to liability for their firms.
Conversely, the legislation is designed to ensure that a strong system of compliance measures that is based on a bespoke risk assessment will help a bank when various officials are deciding how severely to punish it. Indeed, it could make the difference between a hefty fine and a warning. In addition, the Bill calls on companies to open internal investigations, either manned by their own teams or with the help of external investigators.
Under certain circumstances, a parent company may also be liable for acts committed by one of its subsidiaries. This becomes particularly relevant in M&A (merger and acquisition) situations, where a new parent may assume liabilities for acts committed before an acquisition. In this sense, the corporate criminal liability law is likely to increase the importance of fact-checking in the run-up to a merger or acquisition.
In designing a compliant plan of action, a bank would be well-advised to take the following steps.
Assess risks
Once a bank has assessed the rules and regulations applicable to its business and operations, it should then assess the risks to which it is exposed. To take the example of Germany's recently-augmented anti-money-laundering law (The Anti-Money-Laundering Act/Geldwäschegesetz 2020), a German police union has been very vocal in expecting the police to prosecute more people in connection with the new law.
Establish and keep a record of controls
Once it has assessed risks, a firm should establish appropriate systems and controls. The legislators clearly want these to be commensurate with the risks and the size and complexity of the business in question. They ought to concern the following areas.
- The governance and overseeing of things. The firm should draw up a clear line of oversight and responsibility that travels upwards to the top. More complex, more risky organisations might want to set up committees and assign specific duties to senior managers. Smaller businesses might content themselves with regular reporting lines to their general managers.
- Lines of defence. As all compliance officers know, there are three. Various functions at every firm do different jobs in their attempts to control particular risks. In a three-line system, the business typically forms the first line, while a compliance and/or risk function oversees and tests the business from the line behind. Internal audit forms the third line of defence, reviewing both the first and second lines regularly. Again, smaller and less complex firms may be able to combine these functions and assign their responsibilities to two-hatted people such as a senior manager of operations who acts as a "second linesman" to the activities of sales and marketing teams. Many other businesses ought to review the ways in which they check the backgrounds and details of their partners and perform “extra due diligence” on customers who warrant it.
- Policies and procedures. If it does nothing else, every firm must set out its approach to compliance with all applicable laws and rules. It typically does this through a set of policies, often supported by a code of ethics with which all employees must swear that they comply. The Germans have written some 'guidance' to go with their Bill and this says that compliance systems (which may include IT systems) ought not to be compulsory for all firms. A set of manual procedures might therefore suffice.
- Training and awareness. Although policies and procedures are a prerequisite for effective compliance, so is the training of employees in the main rules in each area, with an emphasis on examples for the areas of the business that they inhabit.
Review and update your compliance efforts regularly
An established compliance regime at a bank can only be effective if that bank reviews it regularly and updates it to take account of changes in rules and regulations, the bank’s business model, the products that the bank provides and recommends, and the environment in which it operates. The frequency of reviews has to depend on the complexity of the bank and the risks to which it is already exposed. If it runs many risks it should carry out an annual review, although a bank with a lower risk profile might only need to review things once every three years. The bank should also be prepared to carry out an ad hoc review whenever a significant change to its business model, product range or business environment occurs.
* Florian Nitschke can be reached on +44 207 089 0860 or at florian.nitschke@duffandphelps.com