FISG’s objective is to prevent Wirecard 2.0
What are the consequences for supervisory boards going forward?
In reaction to the Wirecard scandal, the German Act to Strengthen Financial Market Integrity (Finanzmarktintegritätsstärkungsgesetz (FISG)) will come into force on July 1, 2021. Following the Bundestag’s approval that was obtained on May 20, 2021, the Bundesrat also approved the government draft of the FISG as amended by the finance committee on May 28, 2021.
In addition to reforming balance sheet control procedure and BaFin’s supervisory structure, the FISG includes far-reaching amendments of the German Stock Corporation Act (Aktiengesetz (AktG)) to strengthen the corporate governance of undertakings:
What are the most important new regulations?
- Obligation to establish an internal control system and a risk management system: The executive board of listed stock companies will be required to “establish an appropriate and effective internal control system and risk management system in view of the scope of the company’s business activity and the risk situation” (Section 93 (3) AktG new version).
- Supervisory board expertise: The professional expertise of supervisory board members is to be strengthened in public interest entities as defined in Section 316a sentence 2 HGB (German Commercial Code) new version, i.e., capital market-oriented companies, specific credit institutions that are subject to the EU Capital Requirements Regulation (so-called CRR credit institutions) and insurance companies. In the future, at least one member should have experience in the field of accounting, and another should have experience in the field of audit (Section 100 (5) AktG new version). The current obligation requiring the supervisory board members to be familiar with the sector in which the company operates (Section 100 (5) 2nd half sentence AktG) will continue to apply. The new provision will be applicable to supervisory board members appointed after July 1, 2021 (Section 12 (6) EGAktG (Introductory Act of the Stock Corporation Act)). However, should a member resign prior to the end of his/her term of office (for example, due to reaching an age limit) and, as a result, a previously appointed substitute member now becomes a member of the supervisory board, the new provision would not be applicable according to the explanatory memorandum to the FISG.
- Obligation to establish an audit committee: It will become mandatory for public interest entities to establish an audit committee. It is meant to consolidate the expertise explained above, whereby the transitional arrangement described above will also apply to members of the audit committee appointed before July 1, 2021. If the supervisory board consists of only three members, it will also function as the audit committee. Every member of the audit committee will be able to “obtain information directly from the heads of those central departments of the company that are responsible for tasks relating to the audit committee pursuant to Section 107 (3) sentence 2 [AktG] via the committee chairman”. The chairman of the audit committee must inform every member of the audit committee about the information obtained. In addition, the executive board must be informed without delay when such information is obtained (Section 107 (4) AktG new version). The German legislator has granted the companies affected a transitional period for the establishment of an audit committee. Section 107 (4) sentences 1, 2, 4 to 6 AktG new version will be applicable as of January 1, 2022 (Section 26k (2) EGAktG new version).
- No participation by the executive board in supervisory board meetings with the annual auditor: After amendments by the finance committee, the version of the FISG adopted also provides that the executive board should no longer attend meetings of the supervisory board or its committees at which the annual auditor is called in as an expert. An exception can be made in the event that participation of the executive board is deemed necessary by the supervisory board or the relevant committee (Section 109 (1) sentence 3 AktG new version).
In accordance with Section 107 (3) sentence 2 AktG, the audit committee is responsible, in particular, for monitoring the effectiveness of the internal control system (ICS), the risk management system (RMS) and the internal audit system (IAS). However, whether the audit committee may question employees of the company as part of its monitoring activities, without the mediation of the executive board and without a concrete suspicion of irregularities, has been a matter of intense discussion.
For credit and financial services institutions, the provisions in Section 25d (8) sentence 7 and (9) sentence 4 KWG (German Banking Act) already allow the chairman of the audit committee or risk committee to request information directly from the managers responsible for internal auditing and risk controlling. With the provision in Section 107 (4) AktG new version, the legislator has now provided clarification by enabling the chairman of the audit committee of a public interest entity – irrespective of the sector – to pose questions directly to those concerned. Even though the obligation to establish an effective corporate governance system remains with the executive board, the executive board’s exclusive right to pass on relevant information to the supervisory board will be abolished. According to the prevailing view, the new information right of the audit committee shall apply not only to the heads of ICS, RMS and IAS, but also to a possible head of compliance (Chief Compliance Officer) and with regard to the compliance management system (CMS).
What needs to be done now?
With the upcoming changes brought about by the FISG, companies should take a critical look at their governance as well as their risk management and control systems:
- Assessment of the appropriateness and effectiveness of ICS/RMS/IAS/CMS through substantive engagement
The audit committee should assess the appropriateness and effectiveness of the systems (ICS, RMS, IAS, CMS) assigned to the central departments. Regular exchange and continuous monitoring should provide the basis for such an assessment. The audit committee should, therefore, evaluate the individual systems and their integration/interlinking both periodically and in the event of special occurrences (e.g., important personnel or structural changes). It should be clear (and documented) within the audit committee who is responsible for evaluating the information provided. At the same time, it must be ensured that the central units for ICS, RMS, IAS and CMS (irrespective of their name; here “central departments”) are positioned at the first management level below the executive board and that the respective tasks and responsibilities are delegated to the corresponding function holders in a secure, compliant and clearly defined manner.
- Reporting by the central departments to the audit committee
It is not uncommon to encounter the problem that risk-relevant interfaces and cross-references are not adequately presented by the managers of the central departments ICS, RMS, IAS and CMS because the reports are all made separately. Uncoordinated reports can, therefore, defeat the purpose of identifying significant weaknesses in the various control environments. The reporting done by the central departments forms the basis for the audit committee’s assessment of the appropriateness and effectiveness of the holistic risk management and control system. Therefore, the supervisory board should not only determine what content should be reported, but also require that the individual central departments exchange information and collaborate on content. The required content, as well as the underlying procedures, should be established formally in order to provide the audit committee with effective and direct insight from the start.
In addition, regular meetings between the managers of the central departments and the chairman of the audit committee – without the executive board’s presence – may help close potential gaps in coordination, understanding and information and prevent errors in reporting and evaluation thereof.
- Creation of information policies and provision of resources
It is recommended to implement an internal information policy which formally defines the audit committee’s right to information and specifies the resulting procedural details and, especially, the obligations of the central departments (e.g., when? How often? In what form?). This makes the expectations explicit and promotes the willingness to cooperate and the acceptance of all those involved. Such a policy will also make it possible to identify the resources required for reporting to the audit committee and make them available at an early stage. Rules on compliance with the audit committee’s obligation pursuant to Section 107 (4) sentence 6 AktG new version to inform the executive board about the obtaining of information should also be included in the policy.
- Establishment of a cross-functional body
In order to ensure the aforementioned coordination of the central departments, we recommend that, in addition to the information policy, a regular cross-functional body consisting of the managers of ICS, RMS, IAS and CMS be established. Under certain circumstances, it may also be useful to establish a “Chief Governance Officer” (CGO) function, who acts as a link between the managers of ICS, RMS, IAS and CMS and their areas of responsibility. Establishing regular coordination and information exchange between the central departments should assist in identifying risks at an early stage and mitigating them.
- Focus on the essentials
In order to ask the right questions and identify any potential weaknesses, a sound understanding of the company’s business model is essential. In the evaluation of the ICS, RMS, IAS and CMS, the audit committee should take into consideration both the business area and scope (in terms of content as well as regionally) and the company’s specific risk profile. This means, for example, that elements such as the international focus, the type of business model or the actual business processes, e.g., with regard to the use of “petty cash”, must be included in the assessment and should, therefore, also be specifically made the subject of reporting. Active requests for information and individual case-related queries by the audit committee are essential for a look “behind the scenes” and thus facilitate an adequate assessment. When formulating its requests for information, the audit committee should, therefore, also focus on specific operational issues. Experience has shown that the mere transmission of statistics or descriptions of incidents is insufficient for this purpose.
Equally important is the ability to scrutinize and critically evaluate the data and information provided by the managers of the central departments. For example, the audit committee should have adequate knowledge of how the risk matrix of the risk management system is established and which factors are taken into consideration when assigning the different risk levels in the risk assessment. Furthermore, knowledge of current developments in compliance legislation and their significance for the company should be taken into account.
In light of the imminent applicability of the FISG, we strongly recommend that companies review and re-assess their organizational and operational structures in light of the new legal requirements and, if necessary, adapt them accordingly. It is to be expected that the new requirements and obligations of the FISG will establish themselves as “best practices” of good and effective corporate governance even beyond the formal scope of application to public interest entities and, therefore, will be relevant for many other companies.
If you have any questions or require any assistance in this regard, we, as an internationally experienced sparring partner, are more than happy to support you from the very beginning. Feel free to contact us at any time!
Do you already know our Compliance Risk Monitor? With the help of the Compliance Risk Monitor, our clients can keep pace with rapidly changing legal requirements and monitor and manage their compliance activities worldwide. As a result, appropriate measures can be taken at an early stage to avoid compliance crises.