In many regards, Germany is following a global trend in favour of the introduction of corporate criminal liability, although it proposes to criminalise a wider range of offences than other European countries do and issue harsher penalties of up to 10% of global revenues. The German Government, however, scrapped the most severe measure, a corporate death penalty, which appeared in an earlier draft. It is incredible to think, then, that less than 20 years ago Germany businesses were complaining that the bribes and kickbacks they paid to foreigners would no longer be tax-deductible.

Although the law may not be ratified before 2021, companies with operations in Germany must act now to assess their risks and take steps to offset them, the better to shield themselves from criminal prosecution. The Bill's title is “Law for the Strengthening of the Integrity of the Economy” (Gesetzes zur Stärkung der Integrität in der Wirtschaft).

Why does Germany want to make corporations liable for crimes?

Germany is unusual in the Western world for not having a corporate criminal liability law, despite several attempts by previous governments to introduce one. Companies can only be fined for regulatory offences, with penalties capped at €10 million - a figure that nobody views as an effective deterrent for multinational corporations any more.

Some German lawyers have in the past argued that companies are not able to commit crimes and that responsibility for them must instead always lie with individuals. In recent years, however, the debate has shifted, with the public coming to believe that some wrongdoing is systematic rather than merely the result of the actions of individuals. High-profile scandals, such as diesel emissions fraud or the “cum-ex” tax fraud, have clearly contributed to this.

What crimes does the new law target?

The draft law has a wide reach and applies the criminal code to companies. However, in practice, enforcement of the law will likely focus on economic crimes. There are two ways in which an entity can be found liable:

First, the law considers acts committed by a senior manager to be made on behalf of the company. A senior manager can be a company director, a member of a board, an authorised representative or any other senior manager with responsibility for the running or operation of the company.

Second, the law proposes to hold a company liable for crimes committed by any employee if the act would have been prevented, or would have been significantly less likely to happen, had appropriate compliance steps been taken. The include measures related to organisation, governance and oversight.

The UK has laws that contain elements of corporate criminal liability such as the Bribery Act 2010 and the tax-focused Corporate Criminal Offences Act 2017, but plans to widen legislation in the UK have been delayed. The German proposal is more ambitious than anything yet proposed in the British Isles.

Might the law have any effect on operations outside Germany?

The Bill targets German legal entities with a commercial purpose, such as banks, but excludes charities. A foreign bank is only a target if it has a registered entity or branch in Germany. The scope of the law is therefore not as extraterritorial as the US Foreign Corrupt Practices Act 1977, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001 and other American laws.

However, the Bill does target crimes committed outside Germany and by people who are not German citizens. Indeed, any act committed on behalf of a German company falls into its purview if the act is punishable both in Germany and at the place of the crime. This is, in Anglo-Saxon legal parlance, the concept of dual criminality.

What penalties can be expected?

The Bill proposes to allow German courts to fine companies with average global revenues of more than €100 million up to 10% of their global revenues.

In cases where a significant amount of people have probably suffered damage as the result of a bank’s behaviour, the court might make a public announcements as part of its punishment. This measure aims to inform potential victims and help them to prepare their own (civil) claims against the bank - an alarming prospect that bedevils many banks that have to endure regulatory penalties as well.

The German legal system normally goes to great lengths to protect the identities of all parties involved in criminal litigation; this proposal to make public announcements introduces an element of “name and shame” to the proceedings. As a side effect, this is likely to damage many a company’s reputation.

What can a bank do to protect itself?

The legislation clearly concentrates liability on the actions or inactions of a firm’s senior managers. In doing so, it follows a trend seen in several industries and countries. One area in which such initiatives are most advanced is financial services, as evidenced by the Senior Managers and Certification Regime (SM&CR) in the UK, the manager-in-charge regime in Hong Kong and the Banking Executive Accountability Regime (BEAR) in Australia.

Although the German regime is less specific than these and includes "proportionality clauses," it is the clear intention of the legislator to create strong incentives for effective compliance. The Bill proposes to make senior managers responsible for it because it proposes to make their failure to oversee things properly, to set up compliance systems and controls and to provide clear leadership to their underlings lead to liability for their firms.

Conversely, the legislation is designed to ensure that a strong system of compliant measures that is based on a bespoke risk assessment will help a bank when various officials are deciding how severely to punish it. Indeed, it could make the difference between a hefty fine and a warning. In addition, the Bill calls on companies to open internal investigations, either manned by its own teams or with the help of external investigators.

Under certain circumstances, a parent company may also be liable for acts committed by one of its subsidiaries. This becomes particularly relevant in M&A (merger and acquisition) situations, where a new parent may assume liabilities for acts committed before an acquisition. In this sense, the corporate criminal liability law is likely to increase the importance of fact-checking in the run-up to a merger or acquisition.

In designing a compliant plan of action, a bank would be well-advised to take the following steps.

Assess risks

Once a bank has assessed the rules and regulations applicable to its business and operations, it should then assess the risks to which it is exposed. To take the example of Germany's recently-augmented anti-money-laundering law (The Anti-Money-Laundering Act/Geldwäschegesetz 2020), a German police union has been very vocal in expecting the police to prosecute more people in connection with the new law.

Establish and keep a record of controls

Once it has assessed risks, a firm should establish appropriate systems and controls. The legislators clearly want these to be commensurate with the risks and the size and complexity of the business in question. They ought to concern the following areas.

• The governance and overseeing of things. The firm should draw up a clear line of oversight and responsibility that travels upwards to the top. More complex, more risky organisations might want to set up committees and assign specific duties to senior managers. Smaller businesses might content themselves with regular reporting lines to their general managers.
• Lines of defence. As all compliance officers know, there are three. Various functions at every firm do different jobs in their attempts to control particular risks. In a three-line system, the business typically forms the first line, while a compliance and/or risk function oversees and tests the business from the line behind. Internal audit forms the third line of defence, reviewing both the first and second lines regularly. Again, smaller and less complex firms may be able to combine these functions and assign their responsibilities to two-hatted people such as a senior manager of operations who acts as a "second linesman" to the activities of sales and marketing teams. Many other businesses ought to review the ways in which they check the backgrounds and details of their partners and perform “extra due diligence” on customers who warrant it.
• Policies and procedures. If it does nothing else, every firm must set out its approach to compliance with all applicable laws and rules. It typically does this through a set of policies, often supported by a code of ethics with which all employees must swear that they comply. The Germans have written some 'guidance' to go with their Bill and this says that compliance systems (which may include IT systems) ought not to be compulsory for all firms. A set of manual procedures might therefore suffice.
• Training and awareness. Although policies and procedures are a prerequisite for effective compliance, so is the training of employees in the main rules in each area, with an emphasis on examples for the areas of the business that they inhabit.

Review and update your compliance efforts regularly

An established compliance regime at a bank can only be effective if that bank reviews it regularly and updates it to take account of changes in rules and regulations, the bank’s business model, the products that the bank provides and recommends, and the environment in which it operates. The frequency of reviews has to depend on the complexity of the bank and the risks who which it is already exposed. If it runs many risks it should carry out an annual review, although a bank with a lower risk profile might only need to review things once every three years. The bank should also be prepared to carry out an ad hoc review whenever a significant change to its business model, product range or business environment occurs.

* Florian Nitschke can be reached on +44 207 089 0860 or at florian.nitschke@duffandphelps.com