Crime Law Soc Change (2008) 49:349364

DOI 10.1007/s10611-008-9116-6

Kai-D. Bussmann & Sebastian Matschke

Published online: 8 May 2008 # Springer Science + Business Media B.V. 2008

Abstract The spectacular business scandals in recent years have led both the legislative and business companies to rethink and redesign their strategies. This article analyzes the worldwide impact of reforms in economic crime legislation emanating from the USA. Empirical data are reported showing that the US regulations are generating a spillover effect spreading beyond its sphere of operation. It is particularly notable that international stock-exchange-listed companies are orienting themselves increasingly toward the legal standards of the USA.

Introduction

In the USA, criminal liability for economic crime has gained a reach that is unattained in other legal systems and is still being extended continuously. The empirical effects of these legal measures can be sought not only in terms of preventive impact but also in their legal dissemination worldwide. Both issues are an object of research at the Economy and Crime Research Center located at the Martin-Luther University of HalleWittenberg.1 This article focuses on how far these US regulations possess an impact that goes beyond the US economy and influences the prevention practice of companies throughout the world. Hence, the main premise is that, emanating from the USA, an international standard is gradually becoming established in the field of internal company measures of control and prevention. This would not be the first time that the US legislative has served as a vanguard for other

1On the impact of whistleblower systems, see [9]; on prevention through company ethics, [10]. Translated from the German by Jonathan Harrow, Bielefeld.

K.-D. Bussmann (*) : S. Matschke

Faculty of Law and Economics, Martin-Luther-University HalleWittenberg, Halle, Germany e-mail: [email protected]

S. Matschkee-mail: [email protected]

The impact of the US legislation on company measures of control and prevention

350 K.-D. Bussmann, S. Matschke

jurisdictions in the field of business law and economic crime law: The Foreign Corrupt Practices Act of 1977 served as the forerunner for much legislation outside the USA.

A comparison of company criminal liability across legal systems

The origins of criminal liability

Differences in the criminal liability of companies are particularly marked between Germany and the USA. Unlike most other countries in the world, criminal law in Germany does not recognize any true punishment of corporations. Only natural persons are viewed as criminally liable, and not, in contrast, corporate actors. The principal phrase is societas delinquere non potest. Liability for units greater than the individual is only possible for forfeiture as well as in the special case of transferring excess proceeds defined in Sections 8, 10 of the Economic Offences Act (WiStG). Existing law also recognizes a penalty for associations in the form of administrative fines according to Section 30 of the Regulatory Offences Act (OWiG).

In other countriesparticularly in the USAcompanies can themselves be made criminally liable. This criminal liability was derived from liability in civil law, the so-called respondeat superior doctrine [31]. Within the ruling on New York Central & Hudson River Railroad v. US, the US Supreme Court confirmed that liability for an employee's actions within the framework of his or her work can be assigned to the employer and serve as the starting point for punishing that employer. This is based on the notion that a company could otherwise gain advantages from the criminal behaviors of its employees while simultaneously evading criminal responsibility for them [26].

To evade this criminal liability or at least exert a positive influence on sentencing, a number of companies in the USA have introduced compliance programs whose mitigating influence is also codified in the US Sentencing Guidelines (USSG). These regulations based on the Sentencing Reform Act of 1984 are an attempt to deliver an algorithm for sentencing by including bonus and malus criteria2 through whichby referring to bonus criteria such as compliance programseconomic and thereby calculable incentives should be given for a company's own preventive activities [20, 11]. The eighth section of these guidelines addresses the interesting issue in the present context of apportioning punishments to companies. Put simply, it lays down the following steps: Depending on the corpus delicti, a base offence level should be calculated to which malus points have to be added for certain facts, circumstances, and consequences. The outcome is used to compute a base fine that has to be multiplied by a culpability score in order to attain the range of punishment to be appliedwithin which the concrete sentencing proceeds according to the usual criteria. One aspect taken into account in the culpability score is the existence of an

2 In its ruling on US v. Booker or US v. Fanfan in 2005, the US Supreme Court found the USSG to be incompatible with the US constitution, so that they no longer can claim direct validity. Nonetheless, they basically continue to provide an orientation for judges, making their impact undeniabledespite the rulings mentioned, cf. [11, 20, 22].

The impact of the US legislation on company measures 351

effective compliance program. Many US companies have probably introduced compliance programs merely because of these advantages in criminal law. However, even without the USSG, the presence of compliance programs has an impact. For example, the costs of defense can be reduced if the prosecutor restricts the charge or quashes proceedings. Moreover, several US-American insurance companies view a lack of compliance programs as a risk factor and raise the costs of insurance policies accordingly [26].

Stiffening of liability following the SarbanesOxley Act

Background

The most recent blow to economic crime in the USA occurred in the year 2002 when the SarbanesOxley Act became law in response to the major business scandals involving Enron and WorldCom,3 two companies that had to file bankruptcy following gross irregularities of their books. Since then, all stock-exchange-listed companies have had to implement numerous internal control and prevention measures. This reform of the Security Exchange Act of 1934, which, even today, forms the foundation of US-American capital market law, does not just reveal an attempt to regain trust in the fairness of companies and the capital market for investors. It is far more an instrument for crime prevention.

Balance sheet oath

A key element of the SarbanesOxley Act is Section 302 This section obliges both the principal executive officers and principal financial officers of a company to confirm in writing that they have gone through the business reports and that, to the best of their knowledge, these contain all relevant and no false or misleading information, thereby correctly reflecting the financial condition and results of operation of their company [16].

German business law has comparable requirements. For many years, Section 264 II of the Federal Commercial Code (HGB) has demanded that the annual balance sheet should convey a picture of the financial situation, the financial standing, and the earnings situation of a company that reflects the true state of affairs. Although all managers were long obliged to sign the annual balance sheet [34], the law implementing the EU Transparency Directive (TUG) additionally requires the legal representatives of a corporation to guarantee in writing that the annual balance conveys, to the best of their knowledge, a picture corresponding to the actual situation.

Section 302 of the SarbanesOxley Act goes further than this. It requires confirmation of the presence of internal controls within the signer's domain of responsibility [29]. Insofar, this norm indirectly establishes the obligation to set up, equip, and maintain a control system that, as a further object of certification, also has to be evaluated regularly in terms of its effectiveness [25, 16]. German law lacks a

3 For a detailed account, see [5, 18].

352 K.-D. Bussmann, S. Matschke

comparable norm. Section 91 II of the Federal Companies Act (AktG) [24] requires corporations under German law to implement monitoring systems for the early detection of incidents that threaten their existence, whereas the US-American type of control system need to be designed to detect all potential circumstances for which reporting is obligatory [25]. Nonetheless, legislators on the European side of the Atlantic are now catching up. The fourth and seventh EU directives have been reformed. By September 5, 2008, all EU member states are required to introduce national laws obliging companies to include a declaration on the management of the company in their annual report. This declaration must include a description of the most important features of the internal control and risk management system that a company uses to monitor the accounting process.

Finally, the SarbanesOxley Act also requires reporting to the auditors and the audit committee of any issues. This would include any design and application weaknesses that come to light in the evaluation of the internal control system, as well as cases of fraud committed by management and staff holding important posts

By signing the declaration required by Section 302 of the SarbanesOxley Act, management exposes itself to new risks of liability [25]. Although the norm does not establish any new probable grounds in civil lawthese had already been established in the Security Exchange Actit does lead to an increase in the degree of diligence that has to be applied [13, 16]. The problem of liability has also produced some echoes outside the USA. The directives for the reform to the fourth and seventh EU regulations also discuss the problem of the liability of company organs, including for the accuracy of the annual balance sheet and the annual report. These have left far-reaching liability issues to the discretion of the individual member states [25]. Moreover, Section 331 Nr. 3a HGB, which supplements Section 264 II HGB in German criminal law, should also be viewed as a protective legislative provision in the sense of the German civil code (BGB) [13].

The criminal offence matching Section 302 of the SarbanesOxley Act can be found in Section 906. This stipulates that the CEO and the CFO have to confirm in writing that the reports to be handed in to the SEC comply with legal requirements and provide an acceptable account of the business situation of the company and its operating profit or loss. The declarations according to Section 302 and Section 906 are not identical; they are interdependent [30]. Infringements of Section 906 can lead to fines of up to five million US dollars or up to 20 years imprisonment. The corresponding regulations in German criminal law and regulatory offences law are far more moderate [13, 25]. Section 331 Nr. 3a Federal Commercial Code (HGB) imposes fines or imprisonment up to 3 years for incorrectly completing the declaration according to Sections 264 II, 289 I, 297 II or Section 315 I HGB. Failure to provide this declaration is a regulatory offence according to Section 39 II Nr. 19i.V.m. Section 37v II Nr. 3 Securities Trading Act (WpHG) that can result in fines of up to 200,000 Euro.

Internal control systems

The second decisive regulation for companies is to be found in Section 404 of the SarbanesOxley Act. This lays down the obligation to accompany the annual balance sheet with an internal control report that has to be attested by the auditor and is

The impact of the US legislation on company measures 353

therefore not just subject to an assessment by management [24]. The idea behind this attestation ruling for internal control systems is nothing new. It is also recognized in the German Federal Commercial Code Section 317 IV HGB and applies to corporations quoted on the stock exchange; it stipulates a monitoring system under Section 91 II Federal Companies Act (AktG). However, its rangeas mentioned aboveis much more restricted than that of its US counterpart, because the US-American understanding of a control system is also more far-reaching. It considers the basis of any effective internal control system to be the presence of a control environment [29]. This is established particularly through the leadership style of the management; through its integrity, ethical values, and professional competence [15]. If management attitudes are unsatisfactory in this sense, lower ranking staff may feel encouraged to commit criminal acts [29].

The internal control report also has to contain an assessment of the risks to previously defined company goals. The countermeasures applied have to be tested for their effectiveness; this includes establishing sufficiently secure and fast-moving information and communication systems [15].

Empirically confirmed impact

Methods

The research findings presented here are based on the results of 536 interviews with companies in the USA, 1,512 interviews with companies in Germany,4 and a total of 5,521 interviews with companies in 34 countries in all continents of the world carried out as part of the Global Economic Crime Survey by PricewaterhouseCoopers International in 2005.5 The German sample distinguished between US subsidiaries in Germany (N=548)6 and German companies without majority foreign ownership (non-US companies; N=964). Interviews with respondents claiming responsibility for this topic within their company were carried out by phone in summer/fall 2005 using a computer-aided standardized questionnaire in the appropriate national language.

In order to also tap worldwide differences in trends, the comparison was not restricted to a simple Germany versus the USA research design. Instead, various comparison groups were formed to study the effects of US-American liability law. First, a distinction was made between whether the company headquarters is inside or outside the USA. Second, stock exchange listing was taken as a guide with a fine distinction being made between whether non-US companies are listed only in the

4 The comparison between the United States and Germany is drawn from the study Internal business innovation processes for crime prevention and sanctioning of economic crime funded by the Volkswagen Foundation.

5 For details, see [8, 9]. We wish to thank the international staff on the Editorial Board of PwC International, particularly Claudia Nestler, PwC Frankfurt; James Parker, PwC London; and Steffen Salvenmoser, PwC Frankfurt for their practical suggestions.

6 The sample of US companies in Germany was recruited using the address files of the GermanAmerican Chamber of Commerce.

354 K.-D. Bussmann, S. Matschke

country of origin or also in the USA. This distinction was based on the premise that the more companies relate to the legal framework in the USAeither through their location or through raising capital therethe more strongly they will be influenced by its legal reforms. Through being listed as so-called foreign private issuers, they subject themselves voluntarily to the jurisdiction of the SEC and US-American capital market law. As a result, this is also not an extraterritorial application of a jurisdiction that would be inadmissible under international law [15, 16].

Moreover, under some circumstances, the law is also applicable for subsidiaries of companies listed on US stock exchanges [24]. For example, Section 302(a)(4)(B) contains the legal obligation to implement internal control systems in consolidated subsidiaries [25, 16]. The same also applies in Section 404 [16]. As a result, according to a study by the auditing company Ernst & Young, a total of approximately 300 companies are subject to this law in Germany alone [12].

Alongside the direct effects on companies listed on US stock exchanges, we also anticipated spillover effects of US regulations and, in particular, the SarbanesOxley Act spreading far beyond their legal sphere of operation. The first sign of this is in legislation. In addition to Germany and the EU reaction to the SarbanesOxley Act, Japan has a draft Financial Instruments and Exchange Law, and Canada already passed similar regulations in 2002 as part of Bill 198. Australia has adopted some features in its Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, and laws to strengthen confidence in fiscal reporting have come into force with both the Irish Companies Act and the French Loi de Scurit Financire [24].

In addition to prompting such foreign legislation, the SarbanesOxley Act has impacted decisively on the culture of companies, because even companies that are not subject directly to its legal obligations cannot evade them [16]. The many scandals in their sector have made auditors particularly sensitive about being subject to special obligations due to the SarbanesOxley Act and the legislation it has inspired. Therefore, in daily business practice, they introduce the new standards even in companies that are not subject to the specific laws [15].

Finally, a motivating force to bring company cultures into alignment can also be discerned in globalization itself. Nonconsolidated subsidiaries that are not obliged to comply with the SarbanesOxley Act or its counterparts, when having a parent company that is so obliged, will take over the parent company's cultureeither voluntarily or through pressure from aboveand further disseminate the standards propagated by the SarbanesOxley Act.

Although there are any number of other reasons for companies to strengthen their control and prevention measures, additional analyses revealed that, from all possible alternatives, they named legal reasons as by far the most frequent trigger.7

To test these different premises, we formed the five subgroups presented in Table 1.8

7 Other reasons were damage to the company, bad experience with law enforcement, external consulting, external recommendation by trade or nongovernmental organizations, and public discussion/media [10].

8 Company size did not have any significant effect on the following findings.

The impact of the US legislation on company measures 355

Table 1 Sample distribution

Company nationality

Non-US companies (outside the USA)

US companies

Non-US companies (outside the USA)

Non-US companies

US companies

Stock exchange listing

Not listed Not listed Only in home country

In the USA In the USA

Sample size 2,436 215 921 705 269

Impact on compliance programs

To avoid criminal liability or at least exert a positive influence on sentencing, a number of US companies have introduced corporate compliance codes. German companies, in contrast, have had no comparable reason to do this. Even though it did not explicitly demand the introduction of compliance programs, the SarbanesOxley Act increased the pressure to do this indirectly by requiring ethical guidelines for senior financial officers (Section 406) and principal executive officers. The impact is well confirmed empirically in the study reported here. It showed that 83% of US companies in the USA and 75% of their subsidiaries in Germany possess a compliance program, whereas this is the case in only 54% of German companies (worldwide: 68% of the companies surveyed).

This discrepancy is also found in the international comparison. One can find positive effects of both a stock-exchange listing and a US location. In the present sample, it is only non-US companies, which may well have branches in several locations outside the USA but are not listed on any stock exchange, that reveal by far the lowest proportion of compliance programs (57%). The highest proportion of programs is found when both features merge positively: A total of 91% of US companies listed on a US stock exchange possess such a program. The second-highest proportion is in foreign companies listed on a US stock exchange (86%), and the third most frequent is US companies that are not listed on a stock exchange (74%).

Trends since 2000 can be seen in Table 2. The introduction of compliance programs has undergone a rapid expansion since the SarbanesOxley Act became

Table 2 Worldwide implementation of compliance programs

Company nationality Non-US companies (outside the USA)

US companies

Non-US companies (outside the USA)

Non-US companies

US companies

Stock exchange listing

Not listed Not listed Only in home country

In the USA In the USA

Compliance programs introduced

Up to 2000 37% 56% 37% 49% 63% 2001/2003 14% 12% 23% 25% 20% 2004/2005 6% 7% 11% 11% 8% Total in

2005a

57% 75% 71% 85% 91%

a Reports for 2005 give total numbers at the time of the survey in Fall 2005.

356 K.-D. Bussmann, S. Matschke

Table 3 Allocation of US and German companies to groups A and B

Control level USA (%) Germany: US subsidiary (%)

law. Nonetheless, it can be seen that the growth rate in nonlisted companies has been weaker (ca. 20%).

This comparison shows how strongly listed companies are oriented toward each other, even when their national laws do not always require the particular measure of preventionin this case, compliance programs. A total of 33% of non-US companies that are listed in their home countries only, introduced such programs after the year 2000, which brings them in line with US levels (over 70%).

Impact of control measures on the prevalence of fraud

Companies have long been applying a variety of measures to control and detect economic crime. The most widespread worldwide are internal and external audits (in more than 80% of companies). However, a number of further control measures have also been implemented in recent years. The criminal liability that US law and particularly the SarbanesOxley Act imposes on companies and their managers exerts a major pressureas shown abovemaking it no surprise that the search for irregularities and errors is particularly intensive in the USA. The comparison with Germany reveals that German companies possess fewer such measures. The control density of US subsidiaries takes an intermediate level. For ease of comparison, companies were divided into two levels of control. Group A contains companies with up to five control measures and Group B companies with more than five [10].

The relation between these two groups within each of the two countries is already very informative. The majority of companies in the USA (84%) belong to Group B. To a somewhat lesser extent, the same holds for US-American subsidiaries in Germany (57%). In contrast, the majority of German companies in the survey are in Group A (59%). Hence, the majority of US companies possess a greater variety of control measures, and, to a lesser extent, this also extends to US subsidiaries in Germany (Tables 3, 4, 5, 6 and 7).

In line with the empirically confirmed greater density of their control environments, US companies themselves provide more frequent reports of having been victims of economic crime, although there are no indications that the USA has a higher economic crime load.9 This is due to what is known as a control paradox.It would seem plausible for prevention measures such as increased controls to lead to a reduction in crime. That is also the intention of the SarbanesOxley Act. However, in the first years, the opposite seems to occur. The effects of controls and prevention on

9 Victimization rates for companies with more than 1,000 employees: United States 60%, Germany 55% [10].

Global (%)

Group A (low) 16 43 59 41 Group B (dense) 84 57 41 59

Germany: national company (%)

The impact of the US legislation on company measures 357

Table 4 Control level and victimization through fraud

Company nationality Non-US companies (outside the USA)

US companies

Non-US companies (outside the USA)

Non-US companies

US companies

In the USA In the USA

Stock exchange listing

Not listed Not listed Only in home country

Group B (dense control environment)

45% 71% 70% 85% 96%

Victimization rate for fraud

10% 15% 12% 13% 18%

Mean number of incidents per company

4 6 4 5 8

so-called control offences differ greatly and initially even take the opposite direction. This is because a better control environment leads to the detection of more offences without having an immediate crime-reducing impact. From a criminological perspective, this is a control paradox, because the probability of detection depends not only on the size of the so-called dark figure but also on the intensity of control. Hence, the frequency of offences correlates with the degree of control and detection activity.

Basically, our studies on economic crime have shown that the more sensitive companies become to the risks of economic crime the more these seem to increase [10]. The initial outcome of improving the control environment is therefore disturbing: More and more cases come to light. More offences are detected solely due to greater sensitivity and a better control environment, thereby casting more and more light on the dark figure. This paradox only gradually begins to weaken as time goes by. The light figure converges increasingly with the dark figure. This is because, as we know from decades of deterrence research on the impact of punishment, the highest deterrent effect is gained not so much from the threat of severe consequences and punishment, but far more from an increase in the subjectively perceived risk of being caught.

Table 5 International implementation of audit committees

Company nationality Non-US companies (outside the USA)

US companies

Non-US companies (outside the USA)

Non-US companies

US companies

Stock exchange listing

Not listed Not listed Only in home country

In the USA In the USA

Audit committee introduced

Up to 2000 26% 50% 40% 54% 81% 2001/2003 9% 10% 22% 14% 5% 2004/2005 3% 2% 7% 4% 4% Total in

2005a

39% 62% 69% 71% 90%

a Reports for 2005 give total numbers at the time of the survey in Fall 2005.

358 K.-D. Bussmann, S. Matschke

Table 6 International implementation of whistleblowing systems

Company nationality Non-US companies (outside the USA)

Stock exchange listing

Whistle

-blowing system introduced

For this reason, an examination of the worldwide effects of US-American law on the detection rate for cases of fraud reveals an impressive relationship.10 Since Enron and Worldcom, companies in the USA have become particularly sensitive to such offences in general, regardless of whether or not they are subject to the stiffer regulations of the SarbanesOxley Act. Most of them belong to the group of companies with a comparatively dense control environment (Group B). As a result, they most frequently reported incidents of fraud. The group of stock-exchange-listed US companies in the USA stood out particularly through a high number of individual incidents within the last 2 years (an average of 8 incidents per company).

Moreover, as anticipated, being listed on a US stock exchange also impacts on the level of control in non-US companies. Remarkably, there is a similar effect in companies that are listed only in their home country. This strengthens the above premise that stock-exchange-listed companies orient themselves toward the largest capital market in the world. Non-US companies that are not listed on any stock exchange, in contrast, gave the least frequent reports on such events (21%), because they also more frequently had a weaker control environment.

Here as well, there are no indications that the dark figure for fraud might be higher in the USA, perhaps because of the more frequent stock-exchange listings. Both non-listed US companies and non-US companies listed in their home countries have higher victimization rates. This supports the premise that these higher detection rates are due to more intensive efforts to detect fraud in recent years in the USA and in stock-exchange-listed companies in general.

Impact on the international implementation of audit committees

The demand for an audit committee and specifications on its organization result from Section 301 of the SarbanesOxley Act and the specially formulated SEC regulations. These stipulate the delisting of all issuers of securities who do not

10 The present study asked about victimization due to incidents of fraud during the last 2 years (2004/ 2005) and thereby within a time period relatively soon after the introduction of this legal reform. Statements on earlier trends are not possible due to a lack of time-series data.

US companies

Non-US companies (outside the USA)

Non-US companies

US companies

In the USA In the USA

Not listed Not listed Only in home country

Up to 2000 11% 29% 10% 22% 40% 2001/2003 8% 17% 21% 28% 37% 2004/2005 4% 10% 14% 20% 18% Total in

2005a

23% 56% 45% 70% 94%

a Reports for 2005 give total numbers at the time of the survey in Fall 2005.

The impact of the US legislation on company measures 359

Table 7 International implementation of ethics codes

Company nationality Non-US companies (outside the USA)

Not listed Not listed Only in home country

Up to 2000 45% 72% 47% 61% 73% 2001/2003 17% 10% 24% 24% 19% 2004/2005 7% 9% 10% 10% 6% Total in

2005*

possess an audit committee that performs its legally ordained tasks [2, 21, 25]. Such a committee should strengthen the role of the board of directors as a representative of the interests of stakeholders [4]. The legislation defines what is meant by an audit committee in Section 2(a)(3). It is an organ11 of the board of directors that monitors the company's bookkeeping and finance and controls its financial statements [2]. Beyond this, the audit committee is also responsible for approving any nonauditing activities by the auditors within a company in order to avoid conflicts of interest [16].

The German Corporate Governance Codex recognizes a comparable institution as a Prfungsausschuss (audit committee) in Subsection 5.3.2. This is also the intention of Art. 41 of the reformed 8th EU directive [2, 21]. The tasks of the Prfungsausschuss specified in the reformed EU directive correspond to their US-American model. The key tasks are to monitor the accounting, the final auditing, and the effectiveness of the internal control system. In Germany, comparable regulations can be found in Sections 319, 319a HGB.

According to these US-Regulations, it has to be suspected that all listed US companies must have possessed an audit committee already. Indeed, by far the highest introduction quota is to be found in stock-exchange-listed US companies (90%). Moreover, there is, once again, a spillover effect both in and outside the USA for listed companies. As to be expected, the most dynamic changes are to be found in stock-exchange-listed companies.12

Although the finding that not all US companies possess an audit committee may be due, in part, to the survey method13 it may also indicate a real proportion of norm deviation. With regard to the time of introduction, it can be seen that most companies already possessed an audit committee before the year 2000 and the great business scandals. While this may seem surprising at first glance, it is easy to explain, because the admission regulations of the New York Stock Exchange

11 If such an autonomous organ does not exist, the entire board of directors represents the audit committee.

12 76% of the US companies and 53% of their subsidiaries in Germany possess an audit committee compared with only 33% of German companies.

13 Surveys always have a degree of fuzziness, and a 100% quota cannot be expected in any study.

Non-US companies (outside theUSA)

Non-US companies

US companies

US companies

Stock exchange listing

Ethics codes introduced

In the USA In the USA

69% 91% 81% 96% 98%

a Reports for 2005 give total numbers at the time of the survey in Fall 2005.

360 K.-D. Bussmann, S. Matschke

(NYSE) have already required an audit committee since July 1, 1978, and it had also been recommended practice even before this [2].

Impact on the international implementation of whistleblowing systems

A further important task of the US-American audit committee is, according to Section 301, to serve as a receiver of information on questionable account-balancing and auditing procedures and to process such information appropriately. In other words, this is a call to provide the organizational prerequisites for an internal whistleblowing system [21, 32].

In such a system, the informant addresses a post within the organization internally, eliminating the need to fear damage to the organization's reputation through irregularities becoming public. Initially, this benefits a company: It not only avoids negative public reactions but also satisfies its vital interest in information about crimes that disadvantage it. Without such internal procedures, covert actions with criminal intent will continue, the company will be subject to further damage, and its competitiveness will suffer [6, 35].

The initial premise on the presence of whistleblowing systems was the same as that for the audit committee. It was confirmed: Stock-exchange-listed US companies attained the highest introduction quota at 94%. The second highest was in non-US companies listed on US stock exchanges (70%), whereas, in contrast, such systems tended to be the exception in nonlisted non-US companies (23%).14 In this group,

the rates of increase also tend to be marginal. They seem to be almost completely

unaffected by the US regulations or the discussion that has risen up around them.

Whistleblowing systems also benefit employees, motivating them to disclose abuses. Through fear of the negative implications of being purportedly disloyal, employees frequently do not disclose their knowledge of crimes committed by superiors or colleagues. A system designed to ensure anonymity can remedy this.15

The SarbanesOxley Act also provides a further, special protection for whistle-blowers in Section 806. This forbids reprisals against informants. Infringements of this ruling are open to redress through civil law [6]. Whistleblowers also enjoy the protection of criminal law through 18 USC 1513(e) [35]. Finally, whistleblowing systems are also advantageous because they eliminate doubts regarding the independence of those receiving the information. Instead of having to address a superior who may also be involved in the crime, whistleblowers can be certain that their information will receive the attention it deserves. In this sense, the system put forward by the SarbanesOxley Act benefits all parties. It presents a winwin situation for prevention.

Germany, like many other countries, has no legal obligation to introduce whistleblowing systems or to protect whistleblowers [17]. Frequently, if such a system has not been introduced to a company, charges brought by employees will even clash with the duty of nondisclosure embedded in employment contracts [27]. In view of the different legal requirements, it is not surprising that 63% of US

14 To provide a comparison: 17% of German companies possess whistleblowing systems.

15 For research on the risks facing whistleblowers, see [14, 33].

The impact of the US legislation on company measures 361

companies and only 32% of German companies report that they provide a reliable form of protection for whistleblowers. There is a clear need for the German legislature to also set up a legal framework for whistleblowing.

Impact on the international implementation of ethics codes

Finally, Section 406 of the SarbanesOxley Acts addresses ethical guidelines and is an expression of the principle of comply or explain to be found so frequently in the field of corporate governance. It obliges companies to declare whether they subject their senior financial officers to an ethics code, and if not, why not. The initial target group here was managers responsible for finance, accounting, and controlling, but it was extended to cover principal executive officers, because, as the superiors of the senior financial officers, they should be required to behave just as ethically. A more extensive obligation to cover other staff was rejected.

Which requirements written standards to prevent misdemeanor have to meet in order to be accepted as an ethics code is defined by the law itself and the corresponding Final Rule of the Section Decisive aspects are the specification of correct behavior in cases of conflict of interest, and the demand for complete, precise, and timely business reports. The target persons are held personally responsible for this and are obliged to report violations of the ethics code by others, should they occur.

The interplay with the Sentencing Guidelines mentioned above should not be ignored. These also focus on crime prevention through such programs. Regulations on the field of ethics and compliance programs can be found in USSG Sections 8C2.5(f), 8C2.8(a)(11), Section 8C4.10, and Section 8D1.1(a)(3). The prerequisite in each case is an effective ethics and compliance program, and this is given, roughly speaking, when a company exercises the necessary diligence in preventing or detecting criminal behavior and cultivates a company culture that promotes staff compliance with ethical principles and the law.

The comparison reveals essentially the same picture for ethics codes as that found in other fields. Most US companies already possessed ethics codes before the year 2000, and the remaining listed companies quickly followed. We can also see the strong impact of US law not only on non-US companies listed in the USA but also on companies listed elsewhere (81%).16

Conclusion: Worldwide legal reforms emanating from the USA

The comparison between US companies, their subsidiaries in Germany, and German companies reveals how much German companies lag behind in the realm of crime prevention. In contrast, the US legislature has been pursuing a very rigorous policy of zero tolerance for decades. It does not do this purely punitively, because it in no way just threatens criminal punishmentas German law doesbut demands the introduction of numerous control and prevention measures in order to minimize the risk of such offences occurring. Although the threat of sanctions serves to implement

16 In comparison, 52% of German companies have implemented ethical guidelines.

362 K.-D. Bussmann, S. Matschke

a comprehensive crime prevention strategy, incentives to internal company crime prevention are also given, as illustrated by the criminal liability criteria of the US Sentencing Guidelines.

Nonetheless, there is no denying that the US legislature is not following a liberal constitutional philosophy like Germany does, of sanctioning without getting involved in other aspects of business life. Hence, it is no surprise that criticisms are heard in the USA as well. Critics complain that the costs of implementing SarbanesOxley are much higher than the benefits [7, 15]. Furthermore, the law is seen to be a panic reaction leading to overregulation by the state [23, 32]. With SarbanesOxley, the state is becoming involved in corporate governance to an unprecedented degree [4]. All these criticisms are expressions of the realization that there is basically no synchronization between the expectations placed in a law and its actual effectiveness [19, 28].

Nonetheless, the preliminary results of our studies indicate that US regulations on the introduction of numerous prevention and control measures can justifiably claim to have a preventive effect on crime [10]. One can also counter the German critics of the dynamic growth in economic crime law by pointing out that the obligation to introduce ethics codes and compliance programs has encouraged companies to pay increased attention to economic crime norms. This should also not be undervalued in the sense of positive general prevention, even when it cannot be expected to lead to an absolute compliance with normssomething that will never be attained in any field of crime.

Hence, it is necessary to ask more generally whether the US-American approach is in many ways taking on the character of an ideal model. Compared with a German jurisprudence discourse still characterized by the concept of a competition between prevention and repression,17 the US legislature has developed a model that synthesizes both strategies. It does not restrict itself to simply communicating values and deterring through the threat of punishment,18 as is primarily the case in German criminal and regulatory offences law, but calls on companies to adopt an active role in the fight against economic crime. Interestingly, the US legislature does not just trust in the self-regulating powers of the market,19 but is intervening increasingly with controls and forcing companies to implement concrete control and prevention measures whose efficiency also has to be evaluated on a regular basis.

As a result of the dominant role of the US economy in world business, this is simultaneously setting worldwide standards in the fight against economic crime not only in legal terms (see US-listed and US-subsidiary companies) but also in practice (the spillover effect). As a result, European and German legislators are no longer able to ignore US-American reforms, but will at least have to carefully examine their suitability for European conditions. Although there is certainly a great deal of scope in the details, a synthesis of prevention and repression seems to be indicated more than ever in the fight to combat economic crime.

17 CF, for a discussion [1].

18 For a detailed account of modern economic crime law as a project, see [3].

19 A series of mechanisms could be considered here by which economic crises as a consequence of a loss of trust on the side of stakeholders, damages to reputation, and major financial losses could force smaller and medium-sized companies into bankruptcy.

The impact of the US legislation on company measures 363

References

1. Achenbach, H. (2004). Zur aktuellen Lage des Wirtschaftsstrafrechts in Deutschland. Goltdamme's Archiv, 559574.

2. Altmeppen, H. (2004). Der Prfungsausschuss: Arbeitsteilung im Aufsichtsrat. Zeitschrift fr Unternehmens- und Gesellschaftsrecht, 390415.

3. Alwart, H. (2007). Modernes Wirtschaftsstrafrecht als Projekt. In G. Dannecker, W. Langer, O. Ranft,R. Schmitz, & J. Brammsen (Eds.), Festschrift fr Harro Otto, zum 70. Geburtstag am 1. April 2007. Cologne, Germany: Heymanns.4. Atkins, P. (2003). Der US-SarbanesOxley Act: Zielsetzungen, Inhalt und Implementierungsstand. Der Konzern, 260264.

5. Benston, G., & Hartgraves, A. (2002). Enron: What happened and what we can learn from it. Journal of Accounting and Public Policy, 21, 105127 (Summer).

6. Berndt, T., & Hoppler, I. (2005). Whistleblowing: ein integraler Bestandteil effektiver Corporate Governance. Betriebsberater, 26232629.

7. Bswald, T., & Figlin, G. (2006). Rckzugsmglichkeit auslndischer Kapitalgesellschaften vom USamerikanischen Eigenkapitalmarkt. Die Aktiengesellschaft,6679.

8. Bussmann, K.-D., & Salvenmoser, S. (2006). Internationale Studie zur Wirtschaftskriminalitt. Neue Zeitschrift fr Strafrecht, 203209.

9. Bussmann, K.-D., & Werle, M. (2006). Addressing crime in companies. British Journal of Criminology, 46(6), 11281144.

10. Bussmann, K.-D. (2007). The control paradox and the impact of business ethics: A comparison of US and German companies. Monatsschrift fr Kriminologie und Strafrechtsreform, 260276.

11. Demleitner, N., Berman, D., Miller, M., & Wright, R. (2007). Sentencing law and policy. New York: Aspen.

12. Ernst & Young (2003). SarbanesOxley Act: Die Regelungen zur Section 404. Stuttgart: Ernst & Young.

13. Fleischer, H. (2007). Der deutsche Bilanzeid nach Section 264 Abs 2 S 3 HGB. Zeitschrift fr Wirtschaftsrecht und Insolvenzpraxis,97106.

14. Friedrichs, D. (2006). Trusted criminals. New York: Wadsworth.15. Glaum, M., Thomaschewski, T., & Weber, S. (2006). Auswirkungen des SarbanesOxley-Acts auf deutsche Unternehmen. Frankfurt am Main, Germany: Deutsches Aktieninstitut.

16. Gruson, M., & Kubicek, M. (2003). Der SarbanesOxley Act, Corporate Governance und das deutsche Aktienrecht. Die Aktiengesellschaft, 393406.

17. Hauschka, C. (2006). Die Voraussetzungen fr ein effektives Compliance System i.S. von Section 317 Abs.4 HGB. Der Betrieb, 11431146.

18. Healy, P., & Palepu, K. (2003). The fall of Enron. Journal of Economic Perspectives, 17,326 (Spring).19. Hefendehl, R. (2004). Enron, WorldCom, and the consequences: Business criminal law between doctrinal requirements and the hopes of crime policy. Buffalo Law Review, 8(1), 5188.

20. Hutchison, T., Hoffman, P., Young, D., & Popko, S. (2007). Federal sentencing law and practice. St. Paul, MI: West Group.

21. Kersting, C. (2003). Auswirkungen des SarbanesOxleyGesetzes in Deutschland: Knnen deutsche Unternehmen das Gesetz befolgen? Zeitschrift fr Wirtschaftsrecht und Insolvenzpraxis, 233242.

22. Klein, S. (2005). The return of federal judicial discretion in criminal sentencing. Valparaiso University Law Review, 39(3), 693740.

23. Kley, K.-L. (2003). Neue Corporate Governance Regeln in den USA und Europa: Mehr Probleme als Lsungen? Der Konzern, 264268.

24. Kretzler, C. (2005). Der SarbanesOxley Act und sein Einfluss auf europische Unternehmen. Zeitschrift fr Versicherungswesen, 716717.

25. Lanfermann, G., & Maul, S. (2002). Auswirkungen des SarbanesOxley Acts in Deutschland. Der Betrieb, 17251732.

26. Linklater, W., & McElyea, J. (1994). Die Auswirkungen von Corporate Compliance Codes auf die strafrechtliche Haftung eines Unternehmens unter den US-amerikanischen Federal Sentencing Lines. Recht der Internationalen Wirtschaft,117122.

27. Maschmann, F. (2007). Vermeidung von Korruptionsrisiken aus Unternehmenssicht. In D. Dlling (Ed.), Handbuch der Korruptionsprvention (pp. 93184). Munich, Germany: Beck.

28. McBarnet, D. (2006). After Enron will whiter than white-collar crime still wash? British Journal of Criminology, 46(6), 10911109.

364 K.-D. Bussmann, S. Matschke

29. Menzies, C. (2004). SarbanesOxley Act. Stuttgart, Germany: Schffer-Poeschel.30. Regelin, F. P., & Fisher, R. (2003). Zum Stand der Umsetzung des SarbanesOxley Act aus deutscher Sicht. Zeitschrift fr europische und internationale Steuer- und Wirtschaftsberatung, 276288.31. Ries, P. (1993). Strafrechtliche Verantwortlichkeit von Kapitalgesellschaften in den USA. Recht der Internationalen Wirtschaft, 544547.

32. Romano, A. (2005). SarbanesOxley Act and the making of quack corporate governance. Yale Law Journal, 114, 15211611.

33. Rothschild, J. Whistleblowing. In C. Bryant (Ed.), Encyclopedia of criminology and deviant behavior (Vol. 1, pp. 421423). Philadelphia, PA: Routledge.

34. Strieder, T. (2001). Sonderprobleme der kapitalmarktorientierten Zwischenberichterstattung: Unterzeichnung und Rumpfgeschftsjahr. Betriebsberater, 19981999.

35. Weber-Rey, D. (2006). Whistleblowing zwischen corporate governance und better regulation. Die Aktiengesellschaft, 406411.