After I had already examined the so-called “Know Your Customer” (KYC) audit some time ago, at least roughly, from the point of view of receivables management (here), it is now necessary to take another look at this area at the interface between risk management and compliance. The reasons are the coming German Supply Chain Compliance Act (“Lieferkettensorgfaltspflichtengesetz, LkSG”), which will be in force from 2023, the constantly tightened regulations on money laundering (cf. here, in German) and the extensive sanctions now also imposed on Russia (previously already on Iran, for example).
Legal background
Although German law does not provide for an explicit obligation to audit business partners, § 91 (2) of the German Stock Corporation Act (AktG) requires the management board of a stock corporation to “take appropriate measures, in particular to set up a monitoring system, to ensure that developments jeopardizing the continued existence of the company are identified at an early stage.” Part of the obligation to maintain a risk management system resulting from these provisions is the obligation to audit business partners. In addition, the Munich Regional Court I (“Landgericht München I”), in its so-called “Neubürger” decision (see below for the ruling, in German) from 2013, in connection with the conviction of bribery payments by the Siemens Group, states in its guiding principles that “companies must be organized and supervised in such a way that no violations of the law, such as bribery payments to public officials of a foreign state or to foreign private individuals, take place. In the event of a corresponding risk situation, a member of the Executive Board only fulfills his organizational obligation if he sets up a compliance organization based on loss prevention and risk control. Decisive for the scope in detail are the type, size and organization of the company, the regulations to be observed, the geographical presence as well as suspicious cases from the past.” In addition (para. 108 of the decision), the court points out that “a functioning control system must also ensure that every payment transaction can be traced at any time.”
The concrete obligation to check business partners can be derived from § 5 LkSG for supply chain matters, from §§ 4 and 5 of the German Money Laundering Act (“Geldwäschegesetz, GWG”) for issues relevant to money laundering, and at least from § 4 (2) of the German Foreign Trade and Payments Act (“Aussenwirtschaftsgesetz, AWG”) in the context of sanctions audits. In addition, the anti-corruption laws of the USA (Foreign Corrupt Practices Act, FCPA) and the UK (Bribery Act), for example, demand compliance beyond their own jurisdictions.
Practical implementation
While the well-disposed reader from the compliance department of a large corporation will return to his daily business after this “raised forefinger” – because the preceding explanations simply represent the current standard in risk management and compliance – the managing director of a medium-sized company will probably ask himself, rather uneasily, how he is supposed to tame the (further) “bureaucracy monster” that these requirements create in his company. Before discussing the practical implementation of the obligations, we therefore refer once again to the comments referred to at the beginning of this article on the benefits of checking business partners as part of receivables management (again here). After all, auditing a business partner can also help the company to avoid bad debt losses before they occur. This is perhaps also a hint for the management of overambitious sales departments.
When designing the KYC processes, the above-mentioned statements of the LG München I should also be taken into account, according to which “the type, size and organization of the company, the regulations to be observed, the geographical presence and also suspicious cases from the past are decisive for the scope in detail […]”. Consequently, the specific design of the audit process depends on the size of the respective company and the type and scope of the intended business relationship. Accordingly, the review process will be different for the sale of a bicycle to a consumer than for the sale of notorious turbines or centrifuges to countries on sanctions lists.
Against this background, a “one-size-fits-all” approach to setting up the relevant processes is of course out of the question; instead, an analysis of existing and intended business relationships should be the starting point. Based on this analysis, the process then deemed necessary (possibly with gradations of audit intensity) should not only be standardized to increase efficiency, but also integrated into existing business processes to ensure and, if possible, facilitate “compliance” (i.e., adherence) with these rules by the executing employees. To prevent “paralysis by compliance”, reporting obligations should also be structured in such a way that not every business partner audit ultimately ends up with the management. In any case, increasing “awareness” among individual employees is more important than a strict set of rules, because it is not uncommon for problems with business partners to become known through attentive employees who simply pass on their own “accidental findings”.
If one does not want to carry out the entire process within the company, e.g., evaluate sanctions lists oneself (see only the (incomplete) list here), there is now an unmanageable number of service providers who offer to carry out the necessary checks. But here too, of course, the following applies: anyone who wants to commit to one of these service providers should check it first.
Conclusion
Even if the recently publicized case of an intentional boycott breaker (here, in German) is probably the exception rather than the rule, it is a drastic reminder of the potential consequences of sanctions violations. One may lament the fact that the obligation to check business partners is now becoming more and more concrete – but it will not disappear again. That much is certain. And in addition to simple compliance with government and supranational regulations, it also serves to safeguard the company’s own liquidity and profitability.
Against this backdrop, every business manager – especially in view of the LkSG coming into force on January 1, 2023 – should start thinking about their business partner screening processes now at the latest. Conversely, potential service providers or suppliers should not be surprised, let alone view it negatively, if they themselves are subjected to a business partner audit as part of the initiation of business relationships (see, for example, the corresponding comments of Rheinmetall (here)). Rather, it should be seen as a sign of professionalism and the seriousness of the negotiations.