Germany: Pressing Enforcement Issues Affecting Listed Companies and Securities Market Intermediaries

This is an Insight article, written by a selected partner as part of GIR's co-published content.


Issuers, as well as other German securities market participants, are subject to the requirements imposed by EU and German securities laws. Compliance with these requirements is supervised by the German Federal Financial Supervisory Authority (BaFin). With respect to possible sanctions against listed companies and market intermediaries, in particular sales-related fines and confiscation orders, it is important for those entities to comply with the requirements. Since Wirecard AG’s fraudulent activities and insolvency in 2020, the Financial Market Integrity Strengthening Act (FISG) was introduced to increase the integrity of the German financial market by expanding, in particular, BaFin’s supervisory powers.

This chapter provides a brief overview of the most important issues affecting listed companies and securities market intermediaries in connection with the enforcement of securities laws in Germany.

What are the relevant statutes?

The German securities market is highly regulated with a number of relevant laws in place. The most important laws are as follows.

  • The German Securities Trading Act (WpHG): this Act lays down the key regulations governing national and international trading in various securities. The WpHG imposes obligations on issuers of financial instruments and market intermediaries. At the same time, BaFin has extensive powers to enforce the WpHG. It provides for special rules designed to protect investors and stipulates various criminal and regulatory offences.
  • Regulation (EU) No. 596/2014 (the Market Abuse Regulation): this Regulation aims to combat insider trading and market manipulation. Together with Directive 2014/57/EU (the Market Abuse Directive), which sets out criminal sanctions for market abuse, it forms the European legal framework against market abuse. The three main subject areas of the Market Abuse Regulation are the prohibition of insider trading, the timely disclosure of inside information by issuers, and the prevention and combating of market manipulation.
  • The German Securities Institutions Act (WpIG): the WpIG imposes key requirements of prudential regulation for market intermediaries such as broker-dealers and investment advisers (collectively referred to as investment firms). The WpIG mainly imposes requirements – proportionate to the size and importance of the relevant investment firm – regarding regulatory capital, liquidity and internal business organisation as well as certain notification obligations. BaFin is the competent authority for supervising compliance with the requirements imposed by the WpIG. Further, the WpIG regulates the internal governance of investment firms (e.g., by introducing fit and proper requirements for board members, must-have internal functions, rules on risk management, outsourcing, etc.).
  • The German Regulatory Offences Act (OWiG): this Act establishes general supervisory duties for management and enables fines to be imposed on companies. These can amount to up to €10 million or – in some cases, according to the WpHG – up to 15 per cent of the company’s total annual revenues. In addition, tainted benefits can be fully confiscated without any upper limit (see ‘Remedies and sanctions applicable to all companies (issuers and other market participants)’, below).
  • The German Criminal Code (StGB): depending on the specific case, the Criminal Code may apply and prison sentences of several years may be imposed on the relevant individuals.

Which government authorities are responsible for investigating and enforcing these statutes?

BaFin oversees the securities markets, issuers and intermediaries. The central tasks of securities supervision include (1) combating insider trading and market manipulation, (2) reviewing the publication of ad hoc disclosures, (3) monitoring directors’ dealings and significant voting rights announcements, (4) overseeing corporate takeovers and (5) monitoring financial reporting by issuers. In this respect, BaFin is particularly responsible for enforcing the WpHG, the WpIG and the Market Abuse Regulation, as well as investigating potential infringements and other misconduct. BaFin may impose regulatory fines and other sanctions for actions that constitute regulatory offences. Within the framework of the FISG, BaFin has now been given extensive auditing and enforcement rights. For example, it can summon and interrogate members of executive bodies, employees and auditors of an audited company under certain circumstances. BaFin now also has the right to search and seize documents.

If BaFin becomes aware of evidence that a criminal offence might have been committed, it has to transfer the matter to the public prosecutor’s office, which subsequently initiates criminal proceedings. The public prosecutor then takes the lead in the investigations and enforcement of the law. If the suspicion of the criminal offence proves to be unfounded, the original regulatory offence proceedings are continued. For this purpose, the public prosecutor’s office hands the case back to BaFin. Against the background of this division of responsibilities between the public prosecutor’s office and BaFin, there is generally no double sanctioning by both authorities at the same time.

At federal state level, stock exchange supervisory authorities oversee the individual stock exchanges (e.g., the Frankfurt Stock Exchange, the Stuttgart Stock Exchange and the Munich Stock Exchange), which are semi-official bodies. These federal state authorities supervise the proper conduct of trading on the individual exchanges in accordance with the provisions of the Stock Exchange Act. In particular, these bodies supervise the price formation processes in cooperation with the trading surveillance offices. They are also responsible for supervising alternative trading platforms, such as multilateral trading facilities (MTFs) or organised trading facilities (OTFs). Federal state stock exchange supervisory authorities may also investigate and fine acts that constitute regulatory offences.

Finally, the public prosecutor’s office is responsible for prosecuting criminal offences under the WpHG (in particular, market manipulation and insider trading), the WpIG and the German Stock Exchange Act. Furthermore, the public prosecutor’s office is exclusively responsible for prosecuting other criminal offences (e.g., investment fraud, according to the StGB). The jurisdiction of the public prosecutor’s office generally extends to acts committed in Germany (i.e., carried out or having effects in Germany). In this context, it can be sufficient for a German company to benefit (financially) from the act. German criminal law may also be applicable if a German citizen has committed a crime abroad. The aforementioned authorities responsible for the investigation of regulatory offences do not have any jurisdiction in criminal offences.

Which parties are most likely to be the targets of investigations and enforcement?

Issuers of securities (shares and bonds) are the most likely to become targets of investigations and enforcement. Regulated market participants (e.g., brokers, custodians, underwriters and investment advisers) may also become subject to audits and enforcement actions as they deal directly with investors and are subject to the strict business conduct rules imposed by the WpHG.

The management boards and supervisory boards of issuers and regulated market participants are also likely to become the subject of an investigation. The same applies to executive employees (e.g., department heads) and, inter alia, compliance officers.

Usually, the authorities first initiate proceedings against members of the management board. However, proceedings are often subsequently expanded to cover the whole company (see examples in the following section). In addition, other employees of an issuer or a regulated market participant may be the subject of an investigation, in particular if the employee is charged with a criminal or regulatory offence.

What conduct is most commonly the subject of securities enforcement?

The most common subject of securities enforcement is market manipulation as prohibited by the Securities Trading Act in conjunction with the Market Abuse Regulation. If the manipulating conduct has an actual impact on prices, it is classified as a criminal offence punishable with imprisonment of up to five years or a monetary fine. Otherwise, market manipulation is a regulatory offence.

Another common subject is insider trading pursuant to the WpHG in conjunction with the Market Abuse Regulation. Insider trading or the unlawful disclosure of inside information is punishable with imprisonment of up to five years or a monetary fine. If committed negligently, insider trading is classified as a regulatory offence.

Furthermore, the violation of duties to publish inside information by issuers can be the subject of securities enforcement. If an issuer does not inform the public as soon as possible of inside information that directly concerns the issuer, or publishes inside information late, incorrectly or incompletely, this constitutes a regulatory offence.

In recent years, in particular, the following cases have been investigated in this context.

  • Both the public prosecutor’s office and BaFin conducted investigations against the former chief executive officer (CEO) of a German financial institution in connection with insider trading. The case followed the purchase of company shares worth €4.5 million in December 2015 as part of an executive compensation programme. This purchase was approved at the time by the company’s supervisory board. Approximately two months later, it became public that the company and a foreign company were discussing a potential merger. The discussions were subsequently abandoned but, at the time, increased the company’s share price. The allegation by the public prosecutor’s office was that the former CEO knew of the possibility of merger discussions before he purchased the shares, which could have constituted insider trading. The proceedings against the former CEO were discontinued on condition that he pay approximately €5 million. In addition, the company had to pay a fine of €10.5 million for violation of insider trading laws and failure to inform the market early enough about the planned merger with the foreign financial undertaking.
  • In another case, BaFin initiated proceedings against the former chairman of the supervisory board of a company because he purchased shares in the company two months before it was announced that the company was negotiating a merger with a US competitor. BaFin investigated a possible violation of insider trading laws by the chairman of the supervisory board as well as a possible violation of ad hoc obligations by the company. However, after BaFin sent a status report to the public prosecutor’s office, the latter decided not to initiate proceedings.

These cases show that the supervisory authorities critically review director dealings by members of the management board or supervisory board. BaFin, in particular, tends to initiate proceedings even where suspicions are not particularly strong.

Even if proceedings end up being discontinued, payments are often levied on the defendants. Therefore, issuers, directors and market participants should be particularly cautious when inside information could be involved in a transaction. Moreover, the cases show that CEOs and other board members are particularly exposed to investigations by the authorities.

When it comes to regulated market participants, alleged violations of business conduct rules and fiduciary duties towards investors are often the subject of securities enforcement. These violations include failure to provide adequate information as required under the WpHG to clients before they engage in securities transactions or recommending financial instruments to clients that are not in line with the clients’ risk objectives or do not comply with the clients’ customer classification. Further, advising a client in spite of conflicts of interest (triggered, for example, by instructions from third parties) is an infringement of business conduct rules. These cases are investigated and sanctioned by the authorities, particularly if they are due to organisational weaknesses (for example, poor compliance policies and procedures) or are otherwise systemic in nature. In these cases, directors and senior management are subjects of investigation.

What legal issues commonly arise in enforcement investigations?

Legal privilege

German case law is inconsistent on when a company can claim legal privilege. In principle, protection against seizure depends on whether:

  • the company is already under official investigation or is at least objectively likely to be officially investigated; and
  • the relevant documents have been drafted for defence purposes.

This applies in principle only to defence-related communication with external counsel. Protection from seizure can also cover the work product of foreign lawyers drafted in their capacity as defence counsel.

To protect potentially privileged material, companies may adopt the following measures:

  • enter into an attorney–client relationship with the company affected by an investigation (and not, for example, its holding company) and document that the purpose of the mandate is (at least) to defend the company;
  • take organisational steps to separate documents that are expected to be seizable from documents that are expected to be privileged; and
  • label correspondence and documents as ‘privileged’ or similar.

The question as to the extent to which assistance should also be included in protection against seizure has not yet been conclusively clarified by case law. As a rule, the further documents are from the sphere of an external counsel, the weaker their protection.

The disclosure of privileged documents is generally regarded as a cooperative step by national authorities. However, there is no general concept of waiving privilege under German law. Waiving privilege in another country has no direct legal effect on privilege claims in Germany. However, it is possible that the waived documents may be seized from the third party abroad if that party does not enjoy protection against seizure under German law.

These principles apply to both BaFin and public prosecutor’s office investigations. When it comes to regulatory offence proceedings, BaFin has powers of intervention similar to those of the public prosecutor’s office in criminal proceedings. Therefore, the German Criminal Procedure Code essentially applies in both cases.


In December 2019, the EU Whistleblowing Directive came into force (the Directive).[2] The Directive is not directly binding on companies; instead, Member States must pass specific regulations on whistleblower protection. The EU Member States had two years to implement laws aimed at strengthening whistleblower protection in line with the Directive by 17 December 2021. In principle, EU directives only become effective when they are transposed into national law. As several Member States had not transposed the Directive in time, the EU took action at the end of January 2022. The European Commission initiated formal infringement proceedings against Germany and 22 other Member States on 27 January 2022. At the time of writing, all but two Member States have adopted laws to implement the Directive. In Poland and Estonia, corresponding drafts are in the legislative process. In Germany, the Whistleblower Protection Act (HinSchG) entered into force on 2 July 2023.

The Directive requires legal entities of a certain size in the private and public sectors to establish specific internal reporting functions. This means that companies with more than 50 employees will have a duty to implement a whistleblowing system. It has not been conclusively clarified whether the requirement of 50 employees relates to the individual companies or to the group as a whole. The wording ‘legal entity’ suggests that it is the individual companies that matter, as the group is not a legal entity.

In addition, Member States must designate competent authorities to establish external channels for reporting potential breaches; therefore, there may be competition between the internal and external reporting channels as whistleblowers may choose to directly report through external reporting channels.

Basically, whistleblowers who had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that the information fell within the scope of the Directive will be protected from any retaliation if they report misconduct through the internal or external reporting channels. In practice, a large number of the cases investigated have their beginnings in (anonymous) whistleblowing reports or criminal complaints. We assume that this trend will continue to increase due to the legal innovations described, particularly if legal entities enable anonymous reporting.

With the implementation of whistleblowing laws on a national level, it is also likely that we will see a positive change in corporate culture in the EU; whistleblowing is still largely associated with negative sentiments and is not seen as a vital element of a speak-up culture in European companies.

Cooperation with authorities

When it comes to securities enforcement, German law does not provide guidelines as to how cooperation by the defendant will be considered by the investigating authority in its decision (as is the case, for example, in antitrust law). Thus, the extent to which cooperation is rewarded when setting the amount of a fine is a matter for the discretion of the investigating body – or, later on, the deciding court.

In practice, when determining the amount of a regulatory fine or issuing an order for confiscation, German public prosecutors usually take into account a company’s cooperation with the authorities in the form of an internal investigation of the facts and subsequent disclosure of the findings. For companies that cooperate, the sanction is usually significantly lower. In its guidelines on the imposition of fines in connection with the WpHG, BaFin explicitly mentions cooperation in the investigation of the facts as a mitigating factor. Furthermore, according to a recent judgment of the German Federal Court of Justice, the authorities have to consider the efficiency of the compliance management system in place in the company and its efforts to optimise this and remedy existing shortcomings in the aftermath of a compliance violation as mitigating factors when calculating a fine.

Challenging and curbing investigatory powers of regulatory authorities

Regulatory authorities, such as BaFin, often carry out informal investigations by requesting specific information. Even where these requests have been presented to the market participant in a non-binding way, regulated market participants tend to comply with them to ensure a good and transparent relationship with BaFin, unless potential misconduct on the part of the company itself is involved or the requests conflict with crucial interests of clients. If non-binding, informal requests are not sufficient to obtain all required information, BaFin may issue a formal administrative order to request information or produce pertinent documentation. BaFin may also order on-site inspections such as special audits.

These orders may be challenged in administrative courts. However, this legal action does not prevent authorities from enforcing the disputed orders. If the addressee of an order wants to suspend enforcement, it must file for injunctive relief. Courts, however, often reject these motions as they consider that the authorities’ interest in investigating outweighs the applicant’s interest in protecting sensitive information. Petitions for injunctive relief must be carefully prepared to have a reasonable chance of success.

If the addressee does not comply with informal requests for information, BaFin may turn to the public prosecutor’s office. The latter can then seize the required documents (often as part of a search). It is only possible to seek subsequent legal redress with respect to the public prosecutor’s office’s measures (i.e., they basically cannot be prevented in advance). Depending on the individual case, it may therefore make sense for companies to comply with informal requests for information, as this gives the company a certain degree of control. The company can decide for itself what information it wants to make available to the authorities or, under certain circumstances, withhold for the time being. On the other hand, in the case of a search or seizure, the public prosecutor’s office will take all the documents and information it needs.

Duties to disclose inside information

As part of its duty to disclose inside information, a company can be required to disseminate information about ongoing securities enforcement investigations by the authorities. The ad hoc obligation applies to new circumstances directly affecting a company but unknown to the public if they are likely to have a significant effect on the price of the financial instruments issued by the company or the price of related derivative financial instruments. In these cases, the company must publish the relevant information without delay.

In some cases, it is assumed that major incidents in connection with breaches of the law or unethical behaviour and the resulting loss of reputation may constitute inside information. Even the initiation of internal investigations by the company’s directors can constitute inside information. According to BaFin’s Issuer Guidelines, the suspicion of accounting fraud, the announcement of the auditor’s refusal to issue an audit opinion or an unexpected change of auditor may qualify as potential inside information.

Criminal acts by one or more members of the issuer’s management board or by third parties who have been incited to commit these acts by members of the issuer’s management board may also qualify as inside information and obligate the issuer to disclose the information to the public. This particularly applies if the company can be held liable for the breach of law or other non-compliance.

What remedies and sanctions are available to government authorities?

Remedies and sanctions applicable to all companies (issuers and other market participants)

Under the current German law governing regulatory offences, a company can be held liable for a previous act of misconduct on the part of a company employee.

For a company to be liable, (1) a manager of the company must have committed a criminal or regulatory offence and (2) thereby violated company-related duties or enriched the company. Management includes members of the company’s executive bodies (in particular, the board of directors) and managing personnel, heads of business units, general counsel and the chief compliance officer.

If such an act has been committed, a fine may also be imposed on the company, and any profits made may be subject to a confiscation order. Fines are generally capped at €10 million but may amount to up to 15 per cent of the company’s total annual revenues in certain infringements of securities laws. However, the fine will exceed the economic benefit derived by the offender from the regulatory offence. Therefore, if the maximum fine for an offence as provided for by law is not sufficient for this purpose, it may be exceeded. In this case, the law does not prescribe an upper limit for the fine.

Further, profits obtained from a criminal or regulatory offence may be subject to a confiscation order against the company, whereby tainted profits can be fully confiscated without any upper limit.

The measures (fine or confiscation, or both) ultimately imposed by the competent authorities are at their discretion. In practice, it is fair to say that companies are rarely fined and subjected to confiscation in parallel.

Regulatory authorities, such as BaFin, may also issue orders requiring the perpetrator to cease the unlawful conduct and to desist from repeating infringements of securities laws. Furthermore, the authorities may order that trading of the securities issued by a company be suspended if the company has violated applicable securities laws (e.g., regarding prospectus or disclosure requirements). In serious cases, the securities issued by the company may be permanently removed from trading on stock exchanges.

All the aforementioned orders, as well as the fact that regulatory fines or other sanctions have been imposed, may be published on BaFin’s website (naming and shaming).

Remedies and sanctions unique to regulated market participants

Regulated market participants (such as brokers, custodians, underwriters and investment advisers) have been licensed and are supervised by BaFin. In this respect, BaFin has certain regulatory remedies at its disposal to rectify or sanction regulatory misconduct. BaFin may, for instance, withdraw the licence or order the dismissal of directors from their positions, or prohibit the extension of the regulated entity’s business activities to new customers or business areas. In addition, the regulated entity may be banned from participating in trading on a stock exchange or other trading venue.

Many infringements are the result of organisational deficiencies and a lack of adequate oversight by the management board. In this respect, directors are often subject to BaFin measures. BaFin may, for example, appoint special commissioners to monitor the business conduct of the regulated entity. Directors who are dismissed may be subject to a temporary ban on exercising management functions in regulated entities for up to two years.


When it comes to individuals, criminal liability pursuant to the WpHG (e.g., insider trading and market manipulation), the WpIG (e.g., providing investment services without the required licence) and the Stock Exchange Act (e.g., inducement to engage in speculative transactions on the stock exchange or to participate in these types of transactions) is possible. These criminal offences are punishable by severe fines and imprisonment (of up to five years in some cases).

In addition, liability pursuant to the OWiG is possible if a company’s directors or senior management failed to adequately supervise the company’s operations; representative bodies of a legal entity or its members as well as representative shareholders may be subject to liability. Corresponding fines may amount to up to €1 million.

As a further legal consequence, profits obtained from the offence may be subject to a confiscation order against the individual.

Finally, the individual may be prohibited from exercising management functions in regulated entities as any sanctions imposed on the individual due to failing to comply with applicable requirements may count in future fit and proper assessments by authorities inside and outside Germany.


[1] Eike Bicker, Marcus Reischl, Christoph Skoupil and Christian Hissnauer are partners at Gleiss Lutz.

[2] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
