Assessment of compliance management systems (CMS) has become an important aspect of acquisition due diligence, and fixing deficiencies a key component of an investor’s post-acquisition action plan. For some types of compliance risk – including bribery, competition law, and health and safety – there are tried and tested models that can be adapted to fit most companies’ needs, while in more emergent areas of perceived risk, such as human rights and tax evasion, those existing approaches can usually be adapted. Private equity investors – because they tend to diligence and acquire companies often, and have significant economies of scale – are generally focused on getting a CMS in place: after all, they have a lot to lose if a scandal blows up at a company they own.
The main purpose of a CMS is, of course, to prevent wrongdoing, or at least to detect it quickly so that it can be dealt with decisively. But it can also help in another way. If the worst happens, but a company can demonstrate that it has a robust CMS – which usually includes a regular audit of compliance and the use of “early-warning systems” to identify cultural deficiencies – a prosecutor, regulator or court may be willing to take that into account in determining liability or setting the level of fines. In some fields – most prominently European competition law – leniency programmes may give those who detect wrongdoing, “blow the whistle”, and then co-operate with the authorities, some very significant concessions.
For some types of wrongdoing, the UK and the US have gone so far as to issue fairly detailed guidance on the types of CMS that may give rise to mitigation, or even a complete defence (see, for example, guidance issued in the UK this week on a new corporate offence). But, until now, it has not been clear whether the German courts would even allow a CMS to be taken into account in determining the level of fines applicable to a company that found itself on the wrong end of a prosecution.
That changed earlier this year when the German Federal Court of Justice – in a landmark decision – ruled that an effective CMS, and any remedial action taken by a company, should count in a company’s favour when setting the amount of a fine (or disgorgement of profits) against the company. Consideration may also be given to any changes to the CMS made after the event that are designed to prevent similar compliance breaches or criminal offences in the future.
Providing companies with a clear economic incentive to put procedures in place is a step in the right direction. However, the German authorities would do well to take the next logical step and issue more detailed guidance on the features that a CMS ought to include in order to qualify for consideration by the courts. Companies find such guidance very helpful where it exists elsewhere, and it helps to spread best practices more widely in the corporate sector.
Most private equity firms and their advisers already have a pretty good idea how to develop a robust CMS, but more guidance – and increased confidence that they will mitigate liability – will probably lead to an increase in their adoption. In light of this recent case, portfolio companies in Germany should also review any existing compliance management systems to ensure that they are sufficiently effective to have the desired mitigating effect in a potential prosecution.