July 02, 2026

Part I: Management's Responsibility to Conduct Internal Investigations

This first part of our Briefing Series concludes in clear terms: German companies must initiate and steer internal investigations promptly and proportionately once specific, objective indications of material misconduct arise. This mandate flows from general corporate legality and organizational duties of management and is concretized across specialized regimes, notably the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG), the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, LkSG), the EU Market Abuse Regulation (MAR), the German Securities Trading Act (Wertpapierhandelsgesetz, WpHG), and the German Anti-Money Laundering Act (Geldwäschegesetz, GwG). In this first part, we review the legal bases, allocate responsibilities, clarify trigger thresholds and timing, and outline a practicable compliance-led plausibility screening with escalation and notification mechanics.

1. Legal Bases and Scope of the Duty to Investigate

1.1 Corporate legality and organizational duties of management

Management’s core investigation duty is anchored in the general obligation to ensure lawful operations and adequate organization. For stock corporations, the German Stock Corporation Act (Aktiengesetz, AktG) imposes a duty of care on the management board, and requires a system for early risk detection. For listed stock corporations, the AktG additionally requires the establishment of an appropriate and effective internal control system and risk management system, which extends beyond the early risk detection requirement. For limited liability companies, the German Limited Liability Act (GmbH-Gesetz, GmbHG) imposes analogous duties. These statutory obligations are operationalized by the expectation that credible indications of significant non-compliance are promptly clarified, documented, and remediated.

1.2 Administrative offenses and corporate fines

Failure to implement necessary supervisory measures can constitute an offense where corporate violations are not prevented or detected. A documented, risk-based internal investigation framework and timely responses to indications of wrongdoing are relevant to mitigation and, in some cases, to avoiding supervisory-failure findings. (For details on consequences and mitigation strategies, see Part VII of our Briefing Series.)

1.3 Whistleblowing: Follow-up duties and timelines

The HinSchG, which came into effect on 2 July 2023, requires organizations with at least 50 employees to maintain internal reporting channels and to follow up on reports within statutory timelines. The internal reporting unit must acknowledge receipt within seven days and provide outcome-oriented feedback within three months. The law emphasizes strict confidentiality, protection against reprisals, and an impartial, knowledgeable case handler.

1.4 Supply chains: Risk-based and occasion-based investigations

The LkSG requires in-scope companies to operate a risk management system, perform periodic and ad hoc risk analyses, implement preventive and remedial measures, and maintain a complaints mechanism. Within the company’s own operations and those of direct suppliers, duties are proactive. For indirect suppliers, an occasion-based duty to investigate arises upon “substantiated knowledge” of potential human-rights or environment-related breaches.

1.5 Market abuse: Insider Dealing and Suspicious Transactions

The EU Market Abuse Regulation (Regulation (EU) No 596/2014, MAR) imposes obligations on issuers to disclose inside information without undue delay and sets prohibitions against insider dealing and unlawful disclosure. For investment firms and trading venues, MAR requires Suspicious Transaction and Order Reports (STOR) to be submitted to the competent authority without undue delay once there are reasonable grounds to suspect insider dealing, market manipulation, or attempts thereof. The requirement to investigate internally and contemporaneously is inherent: firms must swiftly assess the suspicion, maintain confidentiality, manage insider lists, and, for issuers, weigh ad hoc disclosure or justified delay with duly documented conditions.

1.6 Anti-money laundering: Prompt suspicious activity reporting

Obliged entities under the GwG must implement risk-based preventive systems and submit suspicious activity reports (SARs) to the Financial Intelligence Unit (FIU) without undue delay if facts support suspicion of money laundering or terrorist financing. Recent guidelines clarify timing and documentation. As a baseline, the SAR should be filed the same working day or the next working day where the threshold is met; where more time is objectively necessary to assemble essential background so the FIU can analyze the report, a brief extension is tolerated.

2. Who Owns the Process: Roles and Responsibilities

2.1 Management’s ultimate accountability

The management board or managing directors hold ultimate responsibility for lawful operations, an effective compliance organization, and an adequate response to indications of wrongdoing. Even with delegation to compliance or internal audit, management must ensure resourcing, independence, clear mandates, and regular reporting. (For structuring the compliance organization, see Part II.)

2.2 Compliance, internal audit, and specialist functions

The compliance function is typically charged with intake, pre-selection, plausibility checks, and day-to-day coordination of investigations. Internal audit provides independent assurance and may lead fact-finding for systemic control issues. Legal, HR, IT forensics, and data protection are involved as needed. Specialized officers (e.g., the anti-money laundering officer under the GwG) fulfill regime-specific analysis and reporting responsibilities.

2.3 Specialized officers

The internal reporting unit under the HinSchG must be independent, impartial, and adequately skilled; it runs the intake, ensures confidentiality, requests clarifications, and proposes follow-up measures. The LkSG requires named responsibility for the risk management system and complaints handling. For groups, centralization is permitted if unimpeded access is guaranteed.

2.4 Supervisory board oversight

Where material compliance matters arise, the management board must inform the supervisory board without undue delay. The audit committee typically receives periodic reporting on investigations, metrics, and remediation.

3. Triggers, Thresholds, and Timing

3.1 What level of suspicion is required

The threshold is regime-specific but converges on objective, concrete indications that justify further inquiry. Under the HinSchG, any report that is not manifestly unfounded triggers follow-up. Under the LkSG, “substantiated knowledge” regarding indirect suppliers activates ad hoc risk analysis. Under the MAR, “reasonable grounds for suspicion” trigger immediate internal inquiry and a STOR. Under the GwG, “facts supporting suspicion” require a prompt SAR.

3.2 Regulatory timelines and documentation burdens

Under the HinSchG, the internal unit must acknowledge within seven days and provide case-status feedback within three months. Under the GwG, prompt SARs are expected, often within the same or next working day. Under the MAR, immediate action includes a STOR as soon as grounds exist and, for issuers, ad hoc disclosure without undue delay unless documented delay conditions are met. (For labor-law timelines affecting disciplinary measures, see Part III of our Briefing Series.)

Selected triggers and timelines for investigations and reports

| Regime | Trigger/Threshold | Timeline | Core expectation |
|---|---|---|---|
| HinSchG (Whistleblowing) | Report appears plausible and within scope | Acknowledge within 7 days; feedback within 3 months | Confidential handling, impartial follow-up, anti-retaliation, documented measures |
| LkSG (Supply chains) | Substantiated knowledge at indirect supplier; ongoing duty for own operations/direct suppliers | "Without undue delay" for ad hoc risk analysis and measures | Risk analysis, prevention, remediation; effective complaints handling |
| MAR/WpHG (Market abuse, issuers and firms) | Reasonable grounds to suspect insider dealing/manipulation; possession of inside information | STOR without undue delay; ad hoc disclosure without undue delay or justified delay with documentation | Immediate internal review, STOR submission, manage insider lists; issuer disclosure governance |
| GwG (AML) | Facts supporting suspicion | SAR without undue delay (often same or next working day) | Prompt SAR, standstill up to 3 working days unless risk dictates otherwise; enhanced due diligence follow-up |

4. Plausibility Screening and Pre-Selection by Compliance

4.1 Intake, registration and evidence preservation

A robust plausibility check begins with immediate registration of the report or signal, secured storage, and preservation of relevant evidence. Legal holds should protect email, messaging, and file repositories. Early IT-forensic scoping avoids chain-of-custody issues. Where SARs or STORs could be triggered quickly, compliance should prioritize collecting the minimum facts necessary to meet external-reporting requirements. (For detailed forensic protocols and data screening, see Part IV of our Briefing Series.)

4.2 Independence and conflicts management

The screening team must be independent and free of conflicts. Allegations implicating senior leadership or systemic control breakdowns often warrant internal audit leadership and external support. Specialized officers (e.g., the anti-money laundering officer) must be engaged at intake to ensure prompt regulator-facing actions.

4.3 Data minimization, confidentiality and communication discipline

Processing must be necessary and proportionate, with access limited to the core case team. The identities of reporters and affected individuals are subject to strict confidentiality. The HinSchG requires status feedback to reporting persons within certain deadlines. Tipping-off prohibitions under the GwG and the MAR restrict broader internal communications. (For data minimization principles and employee data processing, see Part V of our Briefing Series.)

4.4 Close, monitor or escalate?

After plausibility screening, the company should decide whether to close the matter with rationale, place it into monitoring, or open a formal investigation with scoped objectives and methods. Decision criteria include severity, likelihood, and potential harm. The rationale and supporting data must be captured for auditability.

5. Notification and Escalation Pathways

5.1 Informing the responsible executive function

Once plausibility screening confirms a relevant suspicion or a specialized regime requires immediate action, the designated management sponsor must be informed to authorize resources and take protective steps. In listed companies, issuer compliance and responsible board members should be engaged immediately to evaluate ad hoc disclosure and insider-list obligations.

5.2 Supervisory board engagement

Material matters (e.g., financially significant misconduct, systemic control failings, senior-leadership involvement) require supervisory board updates without undue delay. The audit committee is the natural forum for periodic oversight of the investigation and remediation tracking.

5.3 External notifications, regulators and law enforcement

Under the MAR, STORs must be filed without undue delay. Under the GwG, SARs must be lodged with the FIU promptly. Under both LkSG and HinSchG, there is no routine obligation to notify authorities of individual internal cases; however, supervisory inquiries can draw scrutiny to complaints-handling. Public communications should be tightly controlled; ad hoc announcements follow MAR’s prescriptive rules.

5.4 Closure, documentation and remediation

A formal closing memorandum should state the facts found, the standards applied, conclusions on responsibility, and the remedial actions taken. Remediation may include disciplinary measures, control redesign, training enhancements, and recovery actions. (For details on disciplinary consequences and amnesty programs, see Part VII of our Briefing Series.)

Conclusion

Management’s responsibility to initiate and direct internal investigations in Germany rests on a layered legal foundation. General corporate duties require prompt clarification of compliance concerns. Specialized regimes add concrete obligations: the HinSchG mandates structured follow-up with fixed acknowledgment and feedback timelines; the LkSG imposes risk-based and occasion-based investigations triggered by substantiated knowledge; the MAR demands immediate internal inquiry and swift STORs upon reasonable suspicion; and the GwG requires prompt SARs to the FIU.

Responsibility lies with the management board, supported by compliance, internal audit, and specialized officers. Plausibility screening by compliance must be fast, impartial, and well documented, with immediate evidence preservation. Escalation to management and, where material, to the supervisory board must follow clear pathways. Throughout, confidentiality and tipping-off prohibitions must be observed.

In the following parts of this Briefing Series, we will examine how to structure the compliance organization (Part II), conduct employee interviews (Part III), screen employee data and documents (Part IV), navigate data processing rules (Part V), involve works councils (Part VI), and manage the risks and opportunities of internal investigations (Part VII).
