The innovation of compliance insurance covering costly corporate investigations


Financier Worldwide Magazine

March 2018 Issue

Corporate criminal investigations can take years and sometimes cost hundreds of millions of dollars. There are lawyers, auditors, forensic accountants and others who need to be paid as they conduct the probe. The numbers, in some cases, are eye-popping.

Walmart Stores, which is still under investigation, has spent $865m since 2013. Avon Products spent about $350m on investigation-related costs before agreeing to pay US authorities $135m to settle its foreign-bribery probe. Siemens reported spending more than $1bn on legal costs before its Foreign Corrupt Practices Act (FCPA) resolution in 2008.

Over the years, internal investigations have turned out to be a wonderful billing experience for the appointed law firms. According to German news reports, the law firm Jones Day charged €140m for 18 months investigating the Volkswagen Dieselgate emissions scandal. And this is not the final bill for Volkswagen. VW also has to pay for the fees of former deputy US attorney general Larry Thompson who was named independent corporate monitor overseeing compliance reforms at Volkswagen AG by the US government. Many shareholders raise the question: at what point does a company reach the point of ‘boiling the ocean’ when conducting an internal investigation?

In Germany, executive and supervisory board members are in the unfortunate position of having to appoint outside investigators to conduct an internal investigation as part of the overall Compliance Management System (CMS) once there is reasonable suspicion of corporate or individual misconduct. Oftentimes, the flashpoint of such investigations is non-compliance conduct reported anonymously by employees on the corporate whistleblower hotline or to a trusted ombudsman.

Legal fees for corporate investigations are not covered by the D&O-insurance policy unless they are subject to damages suffered by the company which may be recovered by means of recourse litigation against executive board members acting in breach of their duties. Executive board members and supervisory board members can become targets of recourse litigation by the company for an insufficient CMS leading to administrative penalties and fees for an internal investigation. However, such litigation takes place subsequent to the closure of the investigation. Recovery of losses from the D&O insurer may not be available for non-compliance and misconduct conducted by employees below the executive board level.

The insurance markets are in the process of responding to the phenomenon of costly internal investigations. The legal fees for internal investigations are covered by a compliance insurance policy triggered (insured event) once the board takes the decision to appoint outside firms to conduct an internal investigation. Such a corporate entity cover directly ties in with an audit report from a certified public accountant reviewing the appropriateness and the efficiency of the policyholder’s CMS. In Germany, such CMS audits are conducted on the basis of the so-called standard IDW 980 issued by the Institute of Public Auditors in Germany (IDW).

IDW Standards contain requirements relevant to services provided by German public auditors other than in respect of audit engagements and accounting matters. The IDW Standard 980 has been issued by the relevant technical committee dealing with the particular subject of compliance. The IDW Standard PS 980 reflects the opinions of the committee and is based on applicable German legal foundations.

On the basis of the IDW standard PS 980, the auditor reviews the CMS to establish if is suitable to detect significant non-compliance events and to prevent such non-compliance conduct from happening (assessment of appropriateness), as well as if the CMS has been effective over the course of a specified period of time (effectiveness review). The IDW Standard PS 980 contains directions for an appropriate CMS but also states that other appropriate guidelines such as the ISO-Standard 19600 can be utilised.

The IDW PS 980 is in full harmony with the recommendations made by the German Corporate Governance Code. Section 4.1.3 of the German Corporate Governance Code stipulates: “The management board ensures that all provisions of law and the company’s internal policies are complied with, and endeavours to achieve their compliance by the group entities (compliance). It shall also institute appropriate measures reflecting the company’s risk situation and disclose the main features of those measures. Employees shall be given the opportunity to report, in a protected manner, suspected breaches of the law within the company, third parties should also be given this opportunity.”

In section 5.1.1 the German Corporate Governance Code stipulates: “The task of the supervisory board is to regularly advise and supervise the management board in its management of the company. It must be involved in all decisions of fundamental importance to the company.”

The German Federal Supreme Court assesses the adequacy of a CMS on a case-by-case basis (ex-ante approach) and adherence with the IDW or ISO standards is no ‘carte blanche’ for executive board members’ defence in litigation. However, the observance of the IDW standard can contribute significantly, in particular with regard to the required documentation.

Rolf Raum, presiding judge of the first criminal senate of the German Federal Supreme Court, has summarised the requirements of the German Supreme Court for an adequate CMS. First, pursuant to the principle ‘tone from the top’, employees should really feel the organisation’s general ethical climate, as established by its board of directors, audit committee and senior management. Having a ‘tone at the top’ helps prevent fraud and other unethical practices. Second, a whistleblowing system or ombudsman is an indispensable component of a CMS. Employees and third parties should be able to report misconduct anonymously and away from the traditional corporate reporting line. Finally, misconduct and non-compliance should be penalised.

In the landmark Siemens/Neubürger judgement, the District Court Munich as the first German court addressed in detail the requirements for a compliance organisation as well as the related obligations of the management board. The management board’s responsibility in the event of suspected cases coming to light can be described as a ‘three-fold obligation’. First, the obligation to clarify the case (detect). Second, the obligation to put an end to unlawful behaviour. Third, the obligation to impose appropriate sanctions in response to violations that have been discovered.

The European Banking Authority (EBA) has published guidelines on internal governance – which enter into force on 30 June 2018 – which expressly specify requirements aimed at ensuring the sound management of risks across all three lines of defence and, in particular, set out detailed requirements for the second line of defence (the independent risk management and compliance function) and the third line of defence (the internal audit function).

The CMS audit report is taken as an appendix to the compliance insurance policy. Such policies are bespoke and subject to negotiations relating to particular fields of compliance covered by the audit report subject of the auditor’s engagement letter, e.g., anti-bribery, cartel or anti-money laundering (AML) compliance. In addition, the geographical scope needs to be defined. With regard to cross-border investigations, it is of utmost importance whether or not foreign subsidiary companies have been subject to the compliance audit. Comparable to a warranty spreadsheet in a warranty & indemnity insurance policy, the compliance policy contains a ‘compliance spreadsheet’ exactly defining the compliance areas covered or not covered by the insurance policy. The pricing of such a compliance insurance policy and the rate on line (ROL) as a percentage derived by dividing reinsurance premium by reinsurance limit is of course subject to the insurer’s risk evaluation and market competition. With regard to the complexity, the underwriting process may in many cases involve outside expert counsel.

Within the agreed sum insured the legal fees for an internal investigation are covered by the compliance policy. Only fees charged by outside counsel and investigators are covered. The German Federal Supreme Court ruled in the context of legal advice that only renowned outside counsel can ensure credibility and an independent investigation report without prejudging the outcome towards the authorities and the stakeholders. The policyholder has access to a top-notch panel of law firms and auditors for the internal investigation, whereas the insurer accepts the hourly rates of such panel law firms. According to a survey conducted by the German legal publisher JUVE in 2016, the average hourly rate of a partner in the area of compliance was €395 and for associates €277. Executive and supervisory board members are ‘acting under compulsion’. Hence, their own existence is at stake, so the legal fees are oftentimes of secondary importance.

A compliance insurance policy covers all expenses across the wide repertoire of an internal investigation, such as document review, email screening, interrogation of employees, etc. In addition, the costs related to the implementation of an amnesty programme are covered. Subsequent to the investigation the insurer bears, within a sublimit, the costs for optimising the CMS, so that similar non-compliance events are significantly hampered in the future.

So far, mainly listed blue chip companies and large private corporations in Germany have appointed auditors to review the effectiveness and efficiency of their CMS. An innovative compliance insurance covering the legal expenses of corporate investigations by outside investigators can complement the overall CMS. It remains to be seen if the insurance markets respond to actual corporate demand with competitive pricing and skilful underwriting evaluating the underlying compliance risks. Most certainly, many more costly corporate investigations can be expected in the future.


Dr Frank Huelsberg is a senior partner at Warth & Klein Grant Thornton AG and Dr Burkhard Fassbach is a member of the Hendricks D&O-Lawyer Network. Dr Huelsberg can be contacted on +49 (211) 9524 8527 or by email: Dr Fassbach can be contacted on +49 (152) 5438 6727 or by email:

© Financier Worldwide

©2001-2019 Financier Worldwide Ltd. All rights reserved.