Consequences of Wirecard Scandal: New Requirements for Corporate Governance and Audit of German Listed Companies

June 7, 2021

Click for PDF

As a reaction to the spectacular collapse of Wirecard, a then-DAX-listed financial service provider, in June 2020, an Act on Strengthening the Financial Market Integrity (Finanzmarktintegritätsstärkungsgesetz – FISG) has now been adopted following several months of intense discussions. It enters into effect on 1 July 2021 with a transitional period for certain provisions. The Act establishes new requirements for the corporate governance and the audit of listed companies as well as other public-interest entities.

Corporate Governance

  • Mandatory audit committee comprising at least two financial experts

Although German law already now addresses the composition, role and functions of audit committees in several regulations and the recommendations by the German Corporate Governance Code (see D.3 German Corporate Governance Code), it had been, until now, up to the discretion of the supervisory board whether to form an audit committee. The FISG now requires all listed companies and other public-interest entities (PIE), including in particular certain financial institutions and insurance companies as defined in the new § 316a German Commercial Code (Handelsgesetzbuch – HGB), to establish a mandatory audit committee no later than 1 January 2022 (§ 107 (4) Stock Corporation Act (Aktiengesetz -AktG) (new version), § 324 HGB (new version)). In order to ensure compliance with the obligation to form an audit committee, a (periodic) penalty payment of up to € 5,000 can be imposed on each individual member of the supervisory board (§ 407 AktG (new version)). Since the formation of audit committees is already best practice for listed companies, however, the implications of this for the vast majority of the listed companies will be limited.

The FISG further requires that the audit committee (or, if the supervisory board comprises only three members, the supervisory board itself) shall comprise at least two financial experts, with one member having expertise in the fields of accounting and another member in the fields of auditing (§ 100 (5) AktG (new version), 107 (4) AktG (new version)). Previously, the law required only that at least one supervisory board member (who, if an audit committee was formed, must have been also a member of the audit committee) must qualify as a financial expert with expertise in the fields of auditing or (alternatively) accounting. The new qualification requirements shall ensure that both kinds of expertise are represented, and with different board members. The consequences in case the new qualification requirements are not met are not further stipulated by the law and thus remain unclear. According to the prevailing view in legal literature, the election of a supervisory board member which results in a violation of this special requirement for the composition can be challenged in court within the usual one-month period after the election takes place; if no legal action is brought within this term, the election is finally valid.

The new qualification requirements must be met for elections taking place on or after 1 July 2021, but do not apply retroactively.

  • Extended information rights and functions for audit committee members

Each audit committee member shall have the right to request information from the heads of the company’s central services that fall within the audit committee’s responsibilities, e.g. the head of risk management, the head of internal audit or the head of the compliance department. Any such requests must be channeled via the chair of the audit committee, who must then provide the requested information to all other audit committee members and must also inform the management board of the information request without undue delay) (§ 107 (4) AktG (new version)). Furthermore, the Act now also explicitly stresses that the responsibilities of the audit committee in relation to the audit also include the quality of the audit (§ 107 (3) AktG (new version)). The new information rights and functions apply starting 1 January 2022.

  • Separate meetings with the auditor without the management board

In order to foster the confidentiality of communications between the auditor and the supervisory board or the audit committee, respectively, the law explicitly stipulates that if the auditor is consulted as an expert by the supervisory board or a supervisory board committee, from 1 July 2021 on, the management board shall only participate in such a meeting if the supervisory board or its committees deems its participation necessary (§ 109 (1) AktG (new version)).

  • Legal obligation to establish an internal control system and a risk management system

The new law explicitly requires the management board of a listed company to establish an effective internal control system and a risk management system which are appropriate for the size and the risk position of its business (§ 91 (3) AktG (new version)). The implications of this new statutory obligation, which will be applicable immediately starting 1 July 2021, will be limited since most listed companies already have such systems in place (see also principle 4 of the German Corporate Governance Code).


  • Mandatory external auditor rotation after ten (10) years and internal auditor rotation after five (5) years

The maximum duration for an audit engagement of public-interest entities shall be ten (10) years. The currently existing option to extend this period under the exemption of the Member State option of Regulation (EU) /No 537/2014 (hereinafter EU Regulation) will be abolished (elimination of § 318 (1a) HGB). Abolishing this exemption also re-synchronizes the maximum term for listed companies with the maximum ten-year term applicable to CRR institutes and insurance companies.

For a transition period audit engagements may still be renewed after expiry of the ten (10)-year term for the business year beginning after 30 June 2021 and the following business year, provided the requirements for a renewal of the engagement have been fulfilled prior to 30 June 2021. If the business year equals the calendar year this means that the auditor needs to be changed for the business year 2024 at the latest.

Furthermore, the maximum term for the internal rotation of the key audit partner will be reduced from currently seven (7) to five (5) years (§ 43 (6) Public Accountant Act (Wirtschaftsprüferordnung – WPO) (new version)). In the absence of any transitional period the shortened term will be immediately applicable starting 1 July 2021.

  • Tightening of the prohibition of non-audit services

In order to further strengthen the independence of auditors, the Member State option of the EU regulation to allow certain tax and valuation services when such services are immaterial or have no direct effect on the audited financial statements (see § 319a HGB) will be rescinded. As a consequence, all black-listed non-audit services of Article 5 (1) sub-paragraph 2 of the EU Regulation will now be prohibited. In addition, the exemption relating to the fee cap (§ 319a (1a) HGB) will also be abolished. In case of noncompliance with the prohibition of non-audit services, shareholders holding five percent (5%) per cent of the voting rights or share capital or shares with a stock market value of at least € 500,000 can request the court to replace the auditor (§ 318 (3) HGB (new version)). The new rules will apply to the audit of business years starting on or after 1 January 2022.

  • Increase of the liability caps for auditors and tightened criminal liability

Previously, the civil liability of auditors was capped at one (1) million Euro for listed companies to four (4) million Euro, respectively, for negligence (including gross negligence), and higher damages could only be recovered by the company or its group of companies in case of intent on the auditors’ part. In the future, the civil liability of auditors for negligence will be capped at sixteen (16) million Euro for the audit of listed and other capital market companies, at four (4) million Euro for other PIEs and at one point five (1.5) million Euro for all other companies. In addition, in case of intent or gross negligence no liability cap will apply for listed companies and other capital market-orientated companies. With regard to other PIEs and other companies, the cap for gross negligence will be thirty-two (32) million Euro or twelve (12) million Euro, respectively (§ 323 (2) HGB new version)). The new rules will be applicable for the audit of business years starting on or after 1 January 2022.

One should note, however, that under German law, shareholders, absent any tort, normally do not have liability claims against the statutory auditors of companies. Thus, absent exceptional circumstances, only the company can raise such claims. It remains to be seen whether this will change in the aftermath to the Wirecard accounting fraud.

Furthermore, the FISG also provides for a significant tightening of criminal liability for accounting and auditing offences.

  • Election of auditors of insurance companies by the shareholders

The auditors of insurance companies will now be elected by the shareholders and not by the supervisory board (cancellation of § 341k (2) HGB). This shall apply for business years starting on or after 1 January 2022.

Financial Reporting Enforcement

The current two-tier enforcement system will be fundamentally changed. With effects as of 1 January 2022, the private-law Financial Reporting Enforcement Panel (FREP) (Deutsche Prüfstelle für Rechnungslegung – DPR) will be abolished, and financial reporting enforcement will be bundled at the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) (§§ 106 et seq. Securities Trading Act (Wertpapierhandelsgesetz – WpHG) (new version)). In addition, the competences of BaFin will be extended, and will include, amongst others, a right of BaFin to search business and residential premises as well as to confiscate documents and other evidence. The competent court for issuing the required search warrant and confiscation order will be the local court of Frankfurt/Main.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. For further information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the team in Frankfurt or Munich, or the following authors:

Silke Beiter – Munich (+49 89 33371, [email protected])
Ferdinand Fromholzer – Munich (+ 49 89 33270, [email protected])
Johanna Hauser – Munich (+49 89 33272, [email protected])
Finn Zeidler – Frankfurt (+49 69 247411530, [email protected])

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.