Mandatory, not voluntary: Compliance management systems at mid-sized enterprises.

The lack of an internal control system opens up liability risks, even at SMEs.


Managing directors are personally liable if they fail to implement adequate compliance measures and employees violate the law. A ruling from the Nuremberg Higher Regional Court clearly states that this applies to companies of any size. This also covers risks arising from M&A transactions.

An internal control system must ensure lawful action

Although the law does not prescribe an original legal duty for managing directors to implement a compliance management system (CMS), case law derives such a duty from the duty of due diligence of a prudent managing director: The management must create an organizational structure within the company which ensures that actions are both legal and efficient. The obligation includes ensuring that the managing director maintains a constant overview of the company’s economic and financial situation. This requires a monitoring system that documents and monitors the company’s continuing existence, as set forth in a ruling by the German Federal Court of Justice (BGH) dated February 20, 1995 – II ZR 9/94. Furthermore, an internal control system of this nature is also mandatory pursuant to Section 1 of the Act on the Stabilization and Restructuring Framework for Companies (StaRUG), which has been in force since 2021.

SMEs also need a compliance management system

A ruling by the Nuremberg Higher Regional Court dated March 30, 2022 also clearly states that the managing director of a GmbH must establish a CMS. The same applies to a mid-sized company with 13 employees. The managing director is personally liable if criminal acts or other misconduct by employees are made possible or even facilitated by inadequate organization, instruction or supervision. This arises out of the duty of legality pursuant to Section 43 (1) of the Act on Limited Liability Companies (GmbHG).

According to the judges in Nuremberg, the business activities must be monitored or supervised in such a way that, under normal circumstances, the management can assume that business is being conducted properly. The management must also intervene immediately if any indications of misconduct arise and must investigate any suspicions without delay. Furthermore, in its ruling dated October 8, 1984 (II ZR 175/83), the Federal Court of Justice ruled that the managing director is required to implement suitable organizational precautions which prevent any breaches of duty by company employees from the outset.

Implement clear structures and processes for supervisory activities

In the case before the Nuremberg Higher Regional Court, a GmbH & Co. KG claimed damages against the managing director of the general partner GmbH pursuant to Section 43 of the Act on Limited Liability Companies (GmbHG). The plaintiff distributed petroleum products and issued fuel cards to customers with a credit limit. The fuel cards authorized customers’ drivers to make cashless payments at the plaintiff’s fueling stations. The employee responsible for the customers and fuel cards was aware that a number of customers were unable to settle their invoices due to financial difficulties and had exhausted their credit limits. However, the employee did not block the cards but instead concealed the circumstances. The plaintiff justified its claim for damages by arguing that the defendant managing director had failed to adequately supervise the employee. In particular, he should have required compliance with the dual control principle. Moreover, the managing director is alleged to have neglected supervisory and monitoring measures within the company organization.

The control system must clearly state that violations will be punished

The Nuremberg Higher Regional Court confirmed the plaintiff’s argument and decided that the managing director had breached his duty of due diligence by neglecting to implement a functioning supervisory and monitoring system. For example, there was a lack of both a dual control principle and checks consisting of spot checks or surprise audits which would clearly show employees that violations would be discovered and punished. The judges stated that if the managing director can foresee that the measures will not be adequate to achieve the specified effect, the managing director must implement other appropriate supervisory measures. The limit here is determined by objective reasonableness, such as the dignity of the employees or the working atmosphere, which should not be characterized by an extensive level of mistrust.

Furthermore, the judges in Nuremberg also stated that a greater monitoring obligation with even more intensive supervisory measures arises if any irregularities have already occurred at a company.

Delegation does not release managing directors from overall supervision

If managing directors delegate their supervisory tasks, the obligation is reduced to monitoring the direct subordinates along with their management and supervisory conduct. In other words: supervising the supervisors or meta-supervision. Nevertheless, managing directors remain responsible for the overall supervision and they bear a particular responsibility for the organization and system of the internal delegation processes. As such, managing directors cannot escape their overall supervisory responsibilities.

Caution with M&A transactions

Given that breaching these duties can result in severe fines and personal liability for managing directors, the compliance structures of the target company require particular attention in the due diligence reviews during M&A transactions, because the buyer assumes responsibility for a functioning CMS as of the closing at the latest. The managing directors appointed by the buyer of the target company as of the closing also assume the liability risk from then on. Even if a Directors & Officers (D&O) insurance policy exists, the coverage depends on the specific circumstances. Insurance companies also closely examine whether the systems are correct and, ideally, whether an efficient CMS has been established. In the worst case, managing directors may be forced to foot the bill for the damages themselves.

A lack of compliance measures can lead to the personal liability of the managing director in the event of legal violations by employees. The case law in recent years leaves no doubt about the matter. This can even mean fines or imprisonment in areas such as social security or taxes. Not least of all, companies face the risk of fines pursuant to Section 30 of the German Act on Regulatory Offenses (OWiG) along with damage to their reputation, which often has a more serious impact. The ruling by the Nuremberg Higher Regional Court highlights the importance of clear structures and documented processes to minimize liability risks for companies of all sizes.