The adopted German Supply Chain Duty of Care Act ('the Act') has attracted a lot of attention from the legal and business worlds. What has received less attention is how the Act affects the set up and design of German corporates’ compliance management systems (CMSs).

Three issues to highlight

1. From 'risk-based' to 'standardised'

To date, it is central to corporate compliance in Germany that the design of a CMS rests at the discretion of a company’s management ('Business Judgment Rule') – apart from where there are specific regulated industry requirements. Setting up a compliance department, appointing compliance officers (with particular expertise in different compliance areas), the appropriate cycle for risk analyses and reporting to management – all of this is key to management’s responsibility. Pursuant to German corporate law, management is responsible for ensuring that not only the company but also its staff comply with laws and regulations when acting on the company’s behalf or with regard to the company’s operations. 

With the new Act, the legislator now imposes specific duties on companies to act with regard to human rights and environmental protection. But the legislator even goes beyond this and reaches into the inner design of corporate CMSs by requiring (among other things) an annual risk analysis, as well as an annual assessment of the effectiveness of applied means. Although, some compliance measures mentioned in the Act are already required with regard to money laundering prevention (by companies falling under the scope of the German Anti-Money Laundering Act), the planned Act even specifies the regular cycle of such measures, and in doing so strips the company’s management of its discretion to assess the measures’ adequateness on an individual risk basis.

2. CMSs in the courtroom

Another important point to highlight in this respect is the significance of CMSs in court. German jurisprudence took a long time before confirming that well-established CMSs can have an effect with respect to sanctioning at all. Prior to the first German Supreme Court decision in this regard in 2017, there was no meaningful hint by the court whether a CMS can be useful for companies in proceedings. Yet it was always common sense that a CMS is key to a company’s business, especially when operating globally.

The Act now explicitly includes the consideration of preventative and reactive measures taken by a corporation with regard to sanctioning. The provision is twofold: on the one hand, an effective CMS can be considered as a mitigating factor; on the other, the lack of such a system could also be regarded as an aggravating circumstance. The explicit reference in a German piece of legislation will certainly boost the establishment and extension of CMSs in general. It is aligned with this year’s novel sentencing guidelines incorporated into the German Competition Act. The same rules were found in the formerly planned German Corporate Sanctioning Act that – for political reasons in the aftermath of the COVID-19 pandemic – was not pursued anymore by the now outgoing Federal Government.

3. Liability and enforcement risks

These additional compliance duties – which includes the extension of third-party due diligence – will expand management’s liability exposure. For example, it might become easier to prove that management has breached its duty (to prevent the company from suffering any losses) since respective compliance duties are clearly laid down in the Act. And potential fines imposed due to the breach of a duty of care might be considered as loss to the company, which should be compensated by its management.

Additionally, due to broadened reporting duties under the new Act – as well as under the European Commission’s proposal for a Corporate Sustainability Reporting Directive, amending and expanding the current Non-Financial Reporting Directive from 2014 – evidence gathering in preparation for legal action will be facilitated in practice.

Moreover, the Act grants the Federal Office for Economic Affairs and Export Control (BAFA), as the competent supervisory authority, extensive powers, including to:

  • summon people to testify;
  • request the handover of relevant documents (including information of and by suppliers);
  • order a company to develop a detailed strategy and schedule to remedy grievances; and
  • impose specific measures on a company to meet its duty-of-care obligations. 

Conclusion

It’s probably too early to speculate about the extent to which the BAFA as the competent authority will enforce the Act. However, the Act might give other agencies new ways to gather evidence for their own enforcement agendas. For example, it could help anti-money laundering authorities, given how money laundering and human rights violations are often linked. The same holds true for the offence of corruption.

It is our forecast that the new Act is only the beginning of further regulation in Germany regarding compliance systems, and that this Act may well serve as a blueprint for further ESG legislation (eg on CO2 reduction and climate change mitigation), which is sure to come.