Effective compliance is a precondition for lasting entrepreneurial success. Beyond avoiding risk, it is above all about gaining and maintaining the trust of shareholders, customers and business partners. The aim is therefore to reduce risks effectively through compliance management systems that also cover tax compliance. We explain which standards can be used to design future-proof compliance management systems.

1. Basics of Compliance

1.1. No specific legal basis for compliance

Apart from the financial services industry, the legislature has not given companies any specific requirements for the design of compliance. Section 91 (3) AktG merely obliges the management board of a listed stock corporation to set up an internal control and risk management system that is appropriate to the scope of the company's business activities and its risk situation. This includes compliance. A compliance management system (CMS) is thus also part of the company's corporate governance.

Beyond that, the design of compliance is the responsibility of the company's management. If standards for fulfilling due diligence and organizational duties are sought, it is advisable to draw on transferable structures from other areas that are already more heavily regulated. It is therefore helpful to look at the financial services industry.

1.2. Benefits of Effective Compliance

1.2.1. Advantages under criminal tax law

With regard to tax compliance, the tax administration has recognized that an internal control system can have an exculpatory effect under criminal tax law and under the law on tax-related administrative offences. According to the Application Decree on § 153 AO (AEAO zu § 153), an internal control system that the taxpayer has set up to comply with tax obligations can, depending on the circumstances, constitute an indication against the existence of intent or gross negligence (Leichtfertigkeit).

1.2.2. Advantages under administrative offence law

Through a functioning compliance management system, the company's management can also exculpate itself from the accusation of organizational fault and thus from an administrative offence within the meaning of § 130 OWiG. Under § 130 (1) sentence 1 OWiG, an administrative offence is committed by anyone who, as the owner of a company or operation, intentionally or negligently fails to take the supervisory measures necessary to prevent breaches of duty by employees. The supervisory duty can be delegated to a compliance officer. However, as follows from § 130 (1) sentence 2 OWiG, the required supervisory measures include the appointment, careful selection and monitoring of supervisory persons, so the company's management always retains a monitoring obligation of its own.

2. Compliance: The Three Lines of Defense Model

2.1. Design of the model

One model for organizing compliance is the so-called three lines of defense model. It rests on the idea that a mature organization avoids liability risks through process-oriented thinking and process-oriented procedures, not through the case-by-case resolution of individual legal issues. To this end, the first two lines of defense together form the internal control system (ICS). The ICS is in turn reviewed in a process-independent manner by the internal audit function, which constitutes the third line.

2.2. First line of defense

The first line of defense consists of all organizational units of a company that are responsible for the processes running in the company. They therefore also bear the risks that can arise from these processes, and as the first line of defense they are primarily responsible for monitoring and reducing those risks.

The respective responsibilities of the lines of defense must be described in detail and coordinated with one another. Only then can duplication of tasks and the emergence of risk-relevant gaps be avoided. Risk-specific training of the staff in the responsible units is an essential basis for this.

2.3. Typical errors

In practice, it is often apparent that the organizational units of the first line of defense are not aware of tax risks. They consequently neglect to reduce these risks, which exposes the company to the accusation of organizational fault. The interfaces upstream of the accounting system, such as cash registers, enterprise resource planning (ERP) systems or digital VAT tools, are typically the error-prone points.

In today's largely digitalized business processes, a business unit triggers a transaction, which is automatically posted in the ERP system using tax codes. The automatically generated customer invoice is then transferred to the accounting system. If the tax code assigned at the point where the transaction is triggered is wrong, the error propagates into the accounts without any further check.

The same applies to purchases (input transactions), where it is the responsibility of the recipient of the supply to process correctly the VAT-relevant data on which an input VAT deduction depends. A further problem arises where errors in the tax treatment of recurring situations identified during a tax audit do not lead to a change in the erroneous practice, but are found again as errors in a subsequent audit. Since the incorrect treatment of the facts has been known since the earlier audit, the accusation of intentional action or omission will be difficult to rebut in such cases.

2.4. Second line of defense

The second line of defense consists of the risk management and compliance functions. The two differ in the risks they address: risk management focuses on financial risks, whereas compliance deals with non-financial risks. Both functions advise and monitor the risk-bearing organizational units in the first line of defense with a view to reducing the potential risks arising from the business model. In particular, the compliance function must perform so-called second-level controls on the existing controls of the first line of defense, i.e. it examines the existence, adequacy and effectiveness of the relevant controls.

3. Compliance in the Financial Services Industry

Certain requirements for compliance systems have developed in the financial services industry. In recent years, these industry-specific principles have increasingly come to be regarded as universal principles. A compliance function must be set up independently, permanently and effectively.

3.1. Independent compliance function

The compliance function must perform its tasks independently of the other business units and its monitoring tasks independently of the management. Other business units must therefore have no authority to issue instructions to the employees of the compliance function and must not be able to influence their activities in any other way.

Any overriding of material assessments and recommendations of the compliance officer must be documented and included in the compliance report. An example of such a material recommendation is the compliance officer's recommendation not to include a particular product in distribution. An escalation process to the management must also be set up for such cases.

In order to safeguard independence, it is recommended in the banking industry that the compliance officer be appointed for a term of at least 24 months. A suitable means of strengthening the position of the compliance officer is also to agree a twelve-month notice period on the part of the employer. The banking industry further recommends aligning the position, powers and remuneration of the compliance officer with those of the head of internal audit, risk controlling and the legal department of the company.

3.2. Permanent compliance

The compliance function must also be set up on a permanent basis. The compliance officer must therefore be assigned a sufficiently qualified deputy.

3.3. Effective compliance

In assessing whether the compliance function is effective, the following criteria in particular must be taken into account: the nature and interaction of the products, services and other business activities offered, and their range and volume both in absolute terms and relative to the other business activities; the balance sheet total and the income from commissions, fees and other sources related to the offering of products and services; and the type of products and services offered and the customers addressed.