Listed companies in Germany and other participants in the German securities market are subject to strict monitoring and control by the relevant supervisory authorities. In view of possible sanctions against listed companies and market intermediaries, in particular sales-related fines and confiscation orders, it is important for companies to comply with regulatory requirements. This is all the more true in light of plans to reform the German Federal Financial Supervisory Authority (BaFin) in the wake of the balance sheet fraud at German former fintech star and DAX 30 company Wirecard, which collapsed in 2020. State supervision is to be made more flexible and more effective. Furthermore, the area of balance sheet control will be expanded. The authority will also be given additional powers to strengthen financial supervision. For example, a unit is to be created where all relevant information on a listed company is collected centrally and can be made available at a glance.
This chapter is therefore intended to provide a brief overview of the most important issues affecting listed companies and securities market intermediaries in connection with the enforcement of securities law.
What are the relevant statutes and which government authorities are responsible for investigating and enforcing them?
The German securities market is highly regulated with a number of relevant laws in place. The most important laws are as follows.
- German Securities Trading Act: this Act lays down the key regulations governing national and international trading in various securities. It imposes obligations on both issuers of financial instruments and market intermediaries (such as brokers and dealers). At the same time, the authorities (outlined below) have extensive powers to enforce the law. Further, the law provides for special rules for the protection of investors. Finally, this Act covers criminal and regulatory offences.
- Regulation (EU) No. 596/2014 (the EU Market Abuse Regulation): this Regulation aims to combat insider trading and market manipulation. Together with Directive 2014/57/EU (the Market Abuse Directive), it forms the European legal framework against market abuse. The three main subject areas of the Regulation are the prohibition of insider trading, the timely disclosure of insider information by issuers, and the prevention and combating of market manipulation.
- German Securities Institutions Act: this Act is the cornerstone of the prudential regulation of market intermediaries such as brokers, dealers, investment advisers and portfolio managers (collectively referred to as securities institutions). The law mainly imposes requirements – proportionate to the size and importance of the security institution – regarding regulatory capital, liquidity, proper business organisation and certain notification obligations. The Act vests the competent supervisory authorities with considerable supervisory powers (in particular with regard to the solvency of securities institutions, as well as capital and liquidity requirements). Further, the Act regulates the internal governance of securities institutions (notably with respect to directors, who must have the required skills and expertise and must oversee all of the institution’s operations) and contains detailed rules on directors’ and employees’ compensation.
- German Regulatory Offences Act: this Act establishes general supervisory duties for management and enables fines to be imposed on companies. These can amount to up to €10 million or – in some cases according to the Securities Trading Act – up to 15 per cent of the company’s total annual revenues. In addition, tainted benefits can be fully confiscated without any upper limit (see the subsection ‘Remedies and sanctions applicable to all companies (issuers and other market participants)’ below).
- German Criminal Code: depending on the specific case, the Criminal Code may apply and prison sentences of several years may be imposed on the relevant individuals.
BaFin oversees the securities markets, issuers and intermediaries. The central tasks of securities supervision include (1) combating insider trading and market manipulation, (2) reviewing the publication of ad hoc disclosures, (3) monitoring directors’ dealings and significant voting rights announcements and (4) monitoring corporate takeovers and financial reporting by issuers. Therefore, BaFin is, inter alia, responsible for enforcing the Securities Trading Act, the Securities Institutions Act and the EU Market Abuse Regulation and investigating potential infringements and other misconduct. BaFin may impose regulatory fines and other sanctions for acts that constitute regulatory offences.
If BaFin sees evidence that a criminal offence might have been committed, it must transfer the matter to the public prosecutor’s office, which subsequently initiates criminal proceedings. The public prosecutor then takes the lead in the investigations and enforcement of the law. If the suspicion of the criminal offence proves to be unfounded, the original regulatory offence proceedings are continued. For this purpose, the public prosecutor’s office hands the case back to BaFin. Against the background of this division of responsibilities between the public prosecutor’s office and BaFin, there is generally no double sanctioning by both authorities at the same time.
At federal state level, stock exchange supervisory authorities, which are semi-official bodies, oversee the individual stock exchanges (e.g., the Frankfurt Stock Exchange, the Stuttgart Stock Exchange and the Munich Stock Exchange). These federal state authorities supervise the proper conduct of trading on the individual exchanges in accordance with the provisions of the Stock Exchange Act. In particular, these bodies supervise the price formation processes in cooperation with the trading surveillance offices. They are also responsible for supervising multilateral trading systems or organised trading systems operated on a stock exchange. Federal state stock exchange supervisory authorities may also investigate and fine acts that constitute regulatory offences.
Finally, the public prosecutor’s office is responsible for prosecuting criminal offences under the Securities Trading Act (in particular market manipulation and insider trading), the Securities Institutions Act and the Stock Exchange Act. Furthermore, the public prosecutor’s office is exclusively responsible for prosecuting other criminal offences (e.g., according to the Criminal Code). The jurisdiction of the public prosecutor’s office generally extends to acts committed in Germany (i.e., carried out or having ‘effects’ in Germany). In this context, it can be sufficient for a German company to benefit (financially) from the act. German criminal law may also be applicable if a German citizen has committed a crime abroad. The aforementioned authorities responsible for the investigation of regulatory offences do not have any jurisdiction in the case of criminal offences.
Issuers of securities are the most likely targets of investigations and enforcement. In the case of shares, these are listed companies; in the case of bonds, they may be listed and unlisted companies, public corporations, the state and other institutions that have issued bonds. Regulated market participants (e.g., brokers, custodians, underwriters and investment advisers) are also often targets of investigatory and enforcement actions as they deal directly with investors and are subject to strict business conduct rules.
The management boards and supervisory boards of issuers and regulated entities are also likely to become the targets of an investigation. The same applies to executive employees (e.g., heads of department) and compliance officers, among others.
In most cases, the authorities first initiate proceedings against members of the management board. However, the proceedings are often subsequently expanded to cover the company as a whole (see examples in the section below). In addition, other employees of an issuer or a regulated entity may be the subject of an investigation, in particular if the employee is charged with a criminal or regulatory offence.
What conduct is most commonly the subject of securities enforcement?
The most common subject of securities enforcement is market manipulation as prohibited by the Securities Trading Act in conjunction with the EU Market Abuse Regulation. If the manipulating conduct has an actual impact on prices, it is classified as a criminal offence punishable with imprisonment of up to five years or a fine. Otherwise, market manipulation is a regulatory offence.
Another common subject is insider trading pursuant to the Securities Trading Act in conjunction with the EU Market Abuse Regulation. Insider trading or the unlawful disclosure of insider information is punishable with imprisonment of up to five years or a fine. If committed negligently, insider trading is classified as a regulatory offence.
Furthermore, the violation of duties to publish insider information by issuers can be the subject of securities enforcement. If an issuer does not publish insider information as required under the ad hoc disclosure obligation, or publishes it late, incorrectly or incompletely, this constitutes a regulatory offence.
In Germany, the following cases, among others, have been investigated in this context in recent years.
- Both the public prosecutor’s office and BaFin conducted investigations against the former chief executive officer (CEO) of a German financial company in connection with insider trading. The case followed the purchase of €4.5 million of the company’s shares in December 2015 as part of an executive compensation programme. This purchase was approved at the time by the company’s supervisory board. Approximately two months later, it became public that the company and a foreign company were discussing a potential merger. The discussions were subsequently abandoned but, at the time, increased the company’s share price. The allegation by the public prosecutor’s office was that the former CEO knew of the possibility of merger discussions before he purchased the shares, which could have constituted insider trading. The proceedings against the former CEO were discontinued on the condition that he pays approximately €5 million. In addition, the company had to pay a fine of €10.5 million for violation of insider trading laws and failure to inform the market early enough about the planned merger with the London financial undertaking.
- In another case, BaFin initiated proceedings against the former chairman of the supervisory board of an industrial company because he purchased shares in the company, and two months later it was announced that the company was negotiating a merger with a US competitor. BaFin investigated a possible violation of insider trading laws by the chairman of the supervisory board as well as a possible violation of ad hoc obligations by the company. However, after BaFin sent a status report to the public prosecutor’s office, the latter decided not to initiate proceedings.
These cases show that the supervisory authorities critically review share purchases by members of the management board or supervisory board. BaFin, in particular, tends to initiate proceedings even where suspicions are not especially strong. Even if proceedings end up being discontinued, payments are often levied on the defendants. Therefore, issuers, directors and market participants should be particularly cautious when insider information could be involved in a transaction.
Moreover, the cases show that CEOs and other board members are particularly exposed to investigations by the authorities.
When it comes to regulated market participants, alleged violations of business conduct rules and fiduciary duties towards investors are often the subject of securities enforcement. Such violations include failing to provide adequate information to clients before they engage in securities transactions or recommending financial instruments to clients that do not meet their objectives or ability to bear risk. Further, advising a client in spite of material conflicts of interest (triggered, for example, by instructions from third parties) is a clear infringement of business conduct rules. Such cases are investigated and sanctioned by the authorities, especially if they are due to organisational weaknesses (e.g., poor compliance policies and procedures) or are otherwise systemic in nature. In these cases, directors and senior management are obvious subjects of investigation (and potential culprits).
What legal issues commonly arise in enforcement investigations?
German case law is inconsistent on when a company can claim legal privilege. In principle, protection against seizure depends on whether:
- the company is already under official investigation or is at least objectively likely to be officially investigated; and
- the relevant documents have been drafted for defence purposes.
This applies in principle only to defence-related communication with external counsel. Protection from seizure can also cover the work product of foreign lawyers drafted in their capacity as defence counsel.
To protect potentially privileged material, companies may adopt the following measures:
- enter into an attorney–client relationship with the company affected by an investigation (and not, for example, its holding company) and document that the purpose of the mandate is (at least) to defend the company;
- take organisational steps to separate documents that are expected to be seizable from documents that are expected to be privileged; and
- label correspondence and documents as ‘privileged’ or similar.
The question as to the extent to which assistance should also be included in protection against seizure has not yet been conclusively clarified by case law. As a rule, the further documents are from the sphere of an external counsel, the weaker their protection.
The disclosure of privileged documents is generally regarded as a cooperative step by national authorities. However, there is no general concept of waiving privilege under German law. Waiving privilege in another country has no direct legal effect on privilege claims in Germany. However, it is possible that the waived documents may be seized from the third party abroad if it does not enjoy protection against seizure under German law.
These principles apply to both investigative actions of BaFin and the public prosecutor’s office. When it comes to regulatory offence proceedings, BaFin has similar powers of intervention as the public prosecutor’s office in criminal proceedings. Therefore, the Criminal Procedure Code essentially applies in both cases.
In December 2019, Directive (EU) 2019/1937 (the EU Whistleblowing Directive) came into force. The Directive is not directly binding on companies; instead, Member States must pass specific regulations on whistleblower protection. Member States have two years to implement laws aimed at strengthening whistleblower protection in line with the Directive. In principle, EU directives only become effective when they are transposed into national law.
There is currently no general legal framework for whistleblowing in Germany or any other Member State.
The EU Whistleblowing Directive requires legal entities of a certain size in the private and public sectors to establish specific internal reporting functions. This means that companies with more than 50 employees will have a duty to implement a whistleblowing system. It has not been conclusively clarified whether the requirement of 50 employees relates to the individual companies or to the group as a whole. The term ‘legal entity’ suggests that it is the individual companies that matter, since the group is not a legal entity.
In addition, EU Member States are to designate competent authorities that must establish external channels for reporting potential breaches; thus, there may be competition between the internal and external reporting channels.
Whistleblowers who act in good faith will be protected from any retaliation if they report misconduct to the company or the competent authority.
In practice, it is (already) the case that a large number of the cases investigated have their beginning in an (anonymous) whistleblowing report or criminal complaint. We assume that this trend will continue to increase due to the legal innovations described.
With the implementation of whistleblowing laws on a national level, it is also likely that we will see a positive change in corporate culture in the European Union; whistleblowing is still largely associated with negative sentiments and is not seen as a vital element of a speak-up culture in European companies.
Cooperation with authorities
When it comes to securities enforcement, German law does not provide guidelines as to how cooperation by the defendant will be considered by the investigating authority in its decision (as is the case, for example, in antitrust law). Thus, the extent to which cooperation is rewarded when setting the amount of a fine is a matter for the discretion of the investigating body, or, at a later stage, the deciding court.
In practice, when determining the amount of a regulatory fine or issuing an order for confiscation, German public prosecutors usually take into account a company’s cooperation with the authorities in the form of an internal investigation of the facts and subsequent disclosure of the findings. For companies that cooperate, the sanction is usually significantly lower. In its guidelines on the imposition of fines in connection with the Securities Trading Act, BaFin explicitly mentions cooperation in the investigation of the facts as a mitigating circumstance. Furthermore, according to a recent Federal Court of Justice judgment, the authorities have to consider the efficiency of the compliance management system in place in the company and its efforts to optimise this and remedy existing shortcomings in the aftermath of a compliance violation as mitigating factors when calculating a fine.
Challenging and curbing investigatory powers of regulatory authorities
Regulatory authorities, such as BaFin, often carry out informal investigations through requests for information. Although these requests are not binding, regulated market participants tend to comply with them (for the sake of a good relationship with the regulator) unless potential misconduct on the part of the company itself is involved or the requests conflict with crucial interests of clients.
If informal requests are not sufficient to obtain all the required information, regulatory authorities may issue formal orders to disclose information or produce pertinent documentation. Authorities may also order on-site inspections or special audits.
These orders may be challenged in administrative courts; however, such legal action does not prevent authorities from enforcing the disputed orders. If the addressee of an order wants to suspend enforcement, it must file for injunctive relief. Courts, however, often reject such motions as they consider that the authorities’ interest in investigating outweighs the applicant’s interest in protecting sensitive information. In any event, petitions for injunctive relief must be carefully prepared to have a reasonable chance of success.
If the company does not comply with informal requests for information, the authority may turn to the public prosecutor’s office. The latter can then seize the required documents (often as part of a search). It is only possible to seek subsequent legal protection against these measures of the public prosecutor’s office (i.e., they cannot be prevented in advance). Depending on the individual case, it may, therefore, make sense for companies to comply with informal requests for information, as this gives the company a certain degree of control. The company can decide for itself what information it wants to make available to the authorities or, under certain circumstances, withhold for the time being. On the other hand, in the case of search and seizure, the public prosecutor’s office will take all the documents and information it needs.
Duties to disclose insider information
As part of its duty to disclose insider information, a company can be required to disseminate information about ongoing securities enforcement investigations by the authorities. The ad hoc obligation applies to new circumstances directly affecting a company but unknown to the public if they are likely to have a significant effect on the price of the financial instruments or the price of related derivative financial instruments. In such cases, the company must publish the relevant information without delay.
In some cases, it is assumed that major incidents in connection with breaches of the law or unethical behaviour and the resulting loss of reputation may constitute insider information. Even the initiation of internal investigations by the company’s directors can constitute insider information. In this context, guidance issued by BaFin states that the suspicion of accounting fraud, the announcement of the auditor’s refusal to issue an audit opinion or an unexpected change of auditor may qualify as potential insider information.
Criminal acts by one or more members of the issuer’s management board or by third parties who have been incited to commit such acts by members of the issuer’s management board may also qualify as insider information and obligate the issuer to disclose such information to the public. This applies in particular if the company can be held liable for the breach of law or other non-compliance.
What remedies and sanctions are available to government authorities?
Remedies and sanctions applicable to all companies (issuers and other market participants)
To date, German law does not provide for corporate liability under criminal or regulatory law. The German government’s draft bill on the Act to Strengthen Integrity in Business of 16 June 2020 provided for ‘corporate sanctioning’, which would have introduced such corporate liability for breaches of criminal law to a certain extent. To date, the draft bill has not been adopted. However, it is possible that the draft or its ideas will be picked up in the coming legislative period.
Under the current German law governing regulatory offences, a company can be held liable for a previous act of misconduct on the part of a company employee.
For a company to be liable, a manager of the company must have committed a criminal or regulatory offence, and thereby violated company-related duties or enriched the company. ‘Management’ includes members of the company’s executive bodies (in particular the board of directors) and managing personnel, heads of business units, general counsel and the chief compliance officer.
If such an act has been committed, a fine may be imposed on the company and any profits made may be subject to a confiscation order. Fines are generally capped at €10 million but may amount to up to 15 per cent of the company’s total annual revenues in case of certain infringements of securities laws. However, the fine will exceed the economic benefit derived by the offender from the regulatory offence. Therefore, if the maximum fine for an offence as provided for by law is not sufficient for this purpose, it may be exceeded. In such a case, the law does not prescribe an upper limit for the fine.
Further, profits obtained from a criminal or regulatory offence may be subject to a confiscation order against the company, whereby tainted profits can be fully confiscated without any upper limit.
The measures (fine or confiscation, or both) ultimately used by the competent authorities are at their discretion. In practice, companies are rarely fined and subjected to confiscation.
Regulatory authorities, such as BaFin, may also issue orders requiring the perpetrator to cease the unlawful conduct and to desist from repeating infringements of securities laws. Furthermore, regulatory authorities may order that trading of the securities issued by a company be suspended if the company has violated applicable securities laws (e.g., regarding prospectus or disclosure requirements). In extremely serious cases, the securities issued by the company may be permanently removed from trading on stock exchanges.
All the aforementioned orders and any regulatory fines or other sanctions that have been imposed may be published on BaFin’s website (naming and shaming).
Remedies and sanctions unique to regulated entities
Regulated entities (such as brokers, custodians, underwriters and investment advisers) are subject to a special regime. Therefore, BaFin has certain unique regulatory remedies at its disposal to rectify or sanction regulatory misconduct. For serious or repeated infringements, BaFin may suspend or even withdraw the authorisation or licence granted to the regulated entity that is in breach of securities laws. For less serious misconduct, the regulated entity may be barred from participating in trading on a stock exchange or other trading venue.
As many infringements are the result of organisational deficiencies and a lack of adequate oversight, directors are often targets of remedial measures. Regulatory authorities may, for example, order the removal of directors or appoint special commissioners to monitor the business conduct of the regulated entity. Directors who are removed may be subject to a temporary ban on exercising management functions in regulated entities for up to two years.
Finally, regulatory authorities have the right to freeze or seize assets of the regulated entity or prohibit them from making or receiving payments.
When it comes to individuals, criminal liability pursuant to the Securities Trading Act (e.g., insider trading and market manipulation), the Securities Institutions Act (e.g., provision of securities services without a licence) and the Stock Exchange Act (e.g., inducement to engage in speculative transactions on the stock exchange or to participate in such transactions) is possible. These criminal offences are punishable with severe fines and imprisonment (of up to five years in some cases).
In addition, liability pursuant to the Regulatory Offences Act is possible if a company’s directors or senior management failed to adequately supervise the company’s operations. Representative bodies of a legal entity or its members, as well as representative shareholders, may be subject to liability. Corresponding fines may amount to up to €1 million.
As a further legal consequence, profits obtained from the offence may be subject to a confiscation order against the individual.
Finally, the individual may be prohibited from exercising management functions in regulated entities.
1 Eike Bicker and Marcus Reischl are partners, Christoph Skoupil is an associated partner and Timo Bühler is a counsel at Gleiss Lutz.