The Government Commission has decided on amendments to the DCGK that lead to higher demands on Compliance Management Systems.
On February 7, 2017, the Government Commission German Corporate Governance Code (the ‘Commission’) decided on several modifications of the Code (hereinafter ‘GCGC’ or the ‘Code’). For the first time, the Code explicitly requires the establishment of a Compliance Management System (CMS) and amends subsection 4.1.3 GCGC significantly by recommending:
Even prior to the revision, sec. 4.1.3 sentence 1 GCGC referred to the obligation of the Executive Board to ensure compliance with statutory regulations and company guidelines. This shows that the Commission undoubtedly recognizes compliance duties resulting from the principle of legality (‘Legalitätsprinzip’).
The new sec. 4.1.3 sentence 2 GCGC provides that the Executive Board should take appropriate measures based on the risk situation of the company (Compliance Management System) and disclose the main features of such system.
The wording ‘should’ shows that the establishment of a CMS is not required by law but is only a recommendation by the Commission. However, on the basis of the “Comply-or-Explain” principle under sec. 161 subsection 1 sentence 1 AktG, companies have to explain any deviation from a recommendation of the Commission and publish that explanation on the company’s website (sec. 161 subsection 2 AktG). This explanation requirement might lead to a ‘de facto’ obligation to implement such a CMS, as it can be expected that management boards do not want to explain why they have decided not to comply with the CMS recommendation.
It remains unclear whether such “obligation” comprises the whole group of companies (‘Konzern’). However, in view of the wording of subsection 4.1.3 sentence 1 GCGC that refers to the whole group of companies, this may be assumed when reading both sentences together.
With respect to the structure of the CMS, the Code remains vague – the CMS should be appropriate and based on the company’s legal risks. This abstract approach is in accordance with the common view that there is no “one-size-fits-all” CMS. Rather, every CMS must be preceded by a detailed risk assessment. Such a risk assessment is a precondition for identifying ‘red flags’ (especially legal risks) and subsequently addressing and controlling them by means of tailored compliance measures.
Furthermore, the Code stipulates that the main features of the CMS shall be disclosed. In this regard, the Code intentionally leaves the choice of media to the Executive Board. Disclosure on the company’s website and disclosure in the Corporate Governance Report (according to subsection 3.10 GCGC) are two of the conceivable options.
Para. 4.1.3 sentence 3 GCGC stipulates the establishment of a whistleblower system:
‘Employees shall be granted the opportunity to report statutory violations in a secure and proper way.’
For the first time, this provision includes the recommendation to set up a protected information system (whistleblower system) for employees. Most companies already have a more or less substantial CMS. However, numerous companies have so far forgone establishing a whistleblower system (also known as a ‘Whistle-Blower-Hotline’), as it has further data protection, labor law and organizational implications (e.g. IT infrastructure). Moreover, anonymous tips need to be investigated, which in turn entails further effort. Even though the recommendation for a whistleblower system may be very surprising for some, it is worth its weight in gold, because only a living compliance organization (this includes a whistleblower system) can result in avoidance of liability (monetary fines due to compliance violations are in most cases based on sec. 30, 130 OWiG or sec. 81 GWB).
Further, the Commission suggests the establishment of a whistleblower system for third parties. According to the Code’s expectation, third parties shall also be granted the opportunity to report irregular practices or suspected cases. As this is only a suggestion (‘should’), there is no need to execute a compliance or non-conformance statement according to sec. 161 subsection 1 AktG if such system is not introduced.
The Code is regarded as a commitment to good corporate governance and primarily addresses German listed companies and companies with access to capital markets according to sec. 161 subsection 1 sent. 2 AktG. However, practice shows that market standards – also for other legal entities – have been created due to the Code’s guidelines and their implementation. The development of market standards can also be expected for the implementation, content and range of influence of a CMS.
We are pleased to provide you with more detailed information on the implications of the Code’s revision and to assist you in case of questions concerning your own CMS.
www.deloitte-tax-news.de
This client information exclusively contains general information not suitable for addressing the particular circumstances of any individual case. Its purpose is not to be used as a basis for commercial decisions or decisions of any other kind. This client information constitutes neither advice nor any legally binding information or offer and shall not be deemed suitable for substituting personal advice under any circumstances. Should you base decisions of any kind on the contents of this client information or extracts therefrom, you act solely at your own risk. Deloitte GmbH will not assume any guarantee or warranty and will not be liable in any other form for the content of this client information. Therefore, we always recommend obtaining personal advice.