Compliance & Internal Investigations02.07.2021 Newsletter
Sometimes less is more - requirements for an "appropriate and effective" compliance system
It looks like the prayers of compliance officers, legal departments and managing directors have finally been heard: Within the scope of this year's amendment of German antitrust law (Gesetz gegen Wettbewerbsbeschränkungen - GWB), the legislator has expressly stipulated for the first time in the new § 81d (1) No. 4 GWB that already existing compliance systems can be taken into consideration when determining fines with the effect of reducing sanctions. Outside of antitrust law, however, legal offenders are denied the consideration of preventive compliance measures (for the time being), now that the Coalition buried the German Corporate Sanctions Act (Verbandssanktionengesetz - VerSanG) this summer.
No assistance from the legislator
A first glance at the new provisions and our anticipation rises. There, we read that "appropriate and effective precautions that were taken prior to the infringement to prevent and detect infringements" are to be given favourable consideration.
“Appropriate and effective" compliance measures - that sounds feasible! After all, there is a multitude of providers of professional compliance management systems ("CMS") that are having themselves certified to the latest ISO standard 37301. Various CMS providers even advertise that a certified system serves as “proof” of compliance with corporate due diligence obligations. That should mean you’re on the safe side, shouldn’t it?
However, a glance at the explanatory memorandum quickly brings the euphoric reader back down to earth. For the legislator has chosen to remain silent about the specific characteristics of "appropriate and effective" measures. Moreover, it does not want to accept the purchase of a compliance programme or certifications as a hard benchmark and in case of doubt even considers them unnecessary. Rather, the "appropriateness" of compliance measures depends on the respective "individual case", whereby the "type, size and organisation of a company, the dangerous nature of the corporate purpose, the number of employees, the regulations to be observed as well as the risk of their violation" must be taken into account. Furthermore, if the company’s management personnel is involved in the infringement, then the compliance measures are not "effective” any way.
So what are "appropriate and effective" measures? The purchase or certification of a CMS is obviously not enough.
Assistance from the German Federal Cartel Office (FCO)
The legislator may not wish to enlighten us, but perhaps the authority in whose area of competence the new § 81d GWB falls can. What we are looking for can be found after a little browsing on the website of the FCO (Bundeskartellamt - BKA): In early June, the FCO published draft guidelines and practical recommendations on premature deletion from the Competition Register (here). In the practical recommendations, the authority publicly comments for the first time on the requirements for an effective compliance standard - unprecedented! The two papers, which are currently still going through the consultation process, do not refer directly to the new § 81d GWB. However, the FCO’s “sailing instructions”, which are actually intended as a guide to the rapid self-cleaning process within the meaning of the Competition Register, provide valuable assistance in setting up effective compliance measures.
The Federal Cartel Office’s catalogue of requirements
In summary, the FCO deems the following measures necessary for effective compliance:
- Risk analysis: Companies need to identify and address the circumstances, risks and reasons that led to past breaches of the law. Was the organisational or supervisory structure to blame? Was it perhaps the business model or corporate guidelines that were responsible?
- Adjustment of the organisational and supervisory structure: After conducting its risk analysis, the company has to make the necessary adjustments to its organisational and supervisory structure. For example, do procedural and decision-making processes need to be changed (e.g. introduction of a dual-control principle or staff rotation)? Are adjustments to the IT system necessary?
- Commitment of the company’s management to acting in accordance with the law: The company's management (including middle management) must unequivocally commit to acting in accordance with the law. This commitment should not only be documented, but also clearly communicated to the workforce. It should also include clarification to the effect that the maxim of acting in accordance with the law always takes precedence over other corporate objectives (such as increasing turnover).
- Careful selection, training and monitoring of company employees: The company must carefully select, train and monitor employees who work in identified risk areas and have decision-making authority. The employees should be adequately informed about the rules that have to be observed (e.g. through individual instruction, the issue of guidelines or training measures). These information measures should be designed in a comprehensible and practical manner and tailored to the company’s individual risk situation. Employees should regularly participate in training sessions and receive clear instructions on how to act in the event of suspicious circumstances. Specific contact persons are to be named for this purpose.
- Whistleblower system: The company must ensure that internal and external reports of possible misconduct are effectively followed up. The FCO recommends setting up a confidential whistleblower system. It should be clearly communicated which consequences whistleblowers do not have to fear and from which consequences they cannot be protected. Companies should also establish clear rules on how to respond to reports.
- Adequate resources and competences of the responsible persons: The persons responsible for compliance measures must be provided with adequate resources and competences. Persons in charge must be able to perform their functions independently and assertively (position in the company, expertise, competencies granted, financial resources). They should always directly report to the company management.
- Incentives for observing the compliance requirements and penalties for violations: The company should actively demand legally compliant behaviour from its employees. To this end, incentives should be provided for observing the compliance requirements. In contrast, violations must be consistently punished. The obligation to observe legal requirements should already be anchored in the employment contracts.
- Evaluation and adjustment of compliance measures: The necessary compliance measures may change over time. For this reason, the company should now already establish rules for evaluating and adapting its compliance measures.
In case of doubt, an "off-the-shelf" CMS is not enough
The Federal Cartel Office's catalogue appears very comprehensive at first glance. However, the FCO also emphasises in its practical recommendations that effective compliance does not consist of schematically implementing as many measures as possible. It even considers the establishment or adaptation of a formal CMS to entail the risk that, in the face of an overzealous regulation frenzy, the measures that would actually be appropriate are not even implemented. CMS - also according to the new ISO standard 37301 - can be helpful. However, they are not a "cure-all" and certainly not a "safe bet" against fines or sanctions. In case of doubt, the FCO will not recognise an "off-the-shelf" CMS that has not been specifically adapted to the respective company as an "appropriate and effective" compliance system.
For this reason, all companies should undergo an evaluation process that takes into account their individual situation and risk exposure. Such an individualised risk analysis and implementation of compliance measures requires not only sufficient legal knowledge, but also a good understanding of the processes and structures in the respective company. The end of this process does not always have to be the implementation of the usual ISO standards, as long as it is ensured that the compliance measures are implemented seriously, continuously and in consideration of the company’s individual risk position.
Sometimes less is indeed more.