In its decision 8 ObA 109/20t, the Supreme Court addressed the legal consequences of a Fake President Fraud, in the context of which a company was defrauded of tens of millions of euros, and on this occasion specified the principles of managing director liability.
Fake President Fraud is a fraud method in which a sender using a false identity manipulates employees, mostly via email, into making money transfers. In the case at hand, one of the fraudsters pretended to the team leader of the company's financial accounting department to be the (defendant) managing director of the company and asked her to make money transfers for an alleged secret takeover of a company. The team leader ultimately complied with this request, bypassing the prescribed security mechanism of the four-eyes principle, and eventually transferred approximately EUR 54 million.
In the event of a breach of the duty to maintain an Internal Control System (ICS) pursuant to section 22 GmbHG, the managing director is liable pursuant to section 25 GmbHG.
Such liability of the managing director is a fault-based liability and not a strict liability. Fault on the part of an employee of the company is in general not attributable to the managing director, because employees are not vicarious agents of the managing director, but only of the company. A managing director is only liable for an employee if the managing director culpably violated his organisational and supervisory duties and if this adequately caused the damage.
Adequacy is a question of law. With regard to causality, the company has the burden of assertion and proof. The managing director, on the other hand, has to assert and prove that his conduct was not contrary to the required standard of diligence.
The shape of the Internal Control System is a discretionary decision. The standard of diligence of the managing director in this regard is based on the Business Judgment Rule. Decisions do not give rise to liability simply because they have turned out to be disadvantageous ex post. Only conduct that is in breach of duty ex ante is potentially grounds for liability.
The Internal Control System must aim at securing assets, ensuring the accuracy and reliability of accounting and supporting compliance with business policy. The Internal Control System is based on organisational or IT monitoring measures such as signature regulations, IT access restrictions or work instructions and control measures such as manual or automated plausibility checks in accounting software. In addition, guidelines and rules exist for the definition, documentation and internal revision of standard processes. The efficiency of an Internal Control System is monitored through recurring audits.
Such measures alone cannot prevent Fake President Fraud, which seeks to mislead employees into circumventing the control mechanisms. Nevertheless, the defendant managing director – who was not directly responsible for the Internal Control System – was under no obligation to check the department of his responsible fellow managing director without reason and merely out of mistrust. He had been duly informed about the Internal Control System by the managing director responsible for the respective department, and this method of fraud was at that time not yet known in German-speaking countries. However, the non-responsible managing director would have had to take action if the responsible managing director had not informed him or if there had been concrete doubts about the correctness and completeness of the information.
It will be interesting to see how the competent (foreign) courts will decide on the parallel proceedings against the former managing director who was responsible for bank transfers. Here, the courts will have to determine whether the measures taken ex ante were sufficient and justifiable and how the fact that Fake President Fraud was not yet known in German-speaking countries at that time has to be assessed.