Rivista Corporate Governance ISSN 2724-1068 / EISSN 2784-8647
G. Giappichelli Editore



Payment Management and Siphoning Prevention as Directors' duties of care - A study on fake president fraud (di Chris Thomale, Professor of International Corporate and Business Law at the University of Vienna and Professor of Comparative Law at the Università degli Studi Roma Tre)

Companies have to protect their assets, especially liquid assets like bank deposits, from unauthorized transfers of any kind. This requires a set of procedural safeguards, conveniently summarized by the term “good payment governance”, comprising, notably, a payment authorization scheme, IT security, staff training and insurance protection. The article explores directors’ duty of care with regard to good payment governance. In doing so, it takes into consideration numerous jurisdictions but with a focus on Europe, notably recent developments in Germany and Austria.


Payment Management and Fraud Prevention as Directors' Duty of Care - A Study on "Fake CEO" Fraud

Companies must protect their own assets, especially liquid ones such as bank deposits, from unauthorized transfers of any kind. This requires a set of procedural safeguards, conveniently summarized by the term good payment governance, which comprise, in particular, a payment authorization scheme, IT security, staff training and insurance protection. The article analyses the directors' duty of care with regard to good payment governance. In doing so, it takes into consideration numerous jurisdictions, but focuses on Europe, in particular on recent developments in Germany and Austria.

Keywords: fake president fraud – internal control system – payment governance – payment manual – duty of care – business judgment rule.


1. Introduction
1.1. Companies as Targets for Criminals
1.2. Fake President Fraud – a closer look
1.3. Impact on Companies as well as Practical and Academic Relevance
1.4. Legal Implications and the Prosecution Issue
1.5. Role of corporate management
2. Good payment governance – preventing damages efficiently
2.1. Payment clearance system
2.2. IT-Security
2.3. Employee awareness training
2.4. Insurance Coverage
3. Payment Governance Obligations and Liability of a Sole Managing Director
3.1. The Managing Director's Responsibility to establish an Internal Control System
3.1.1. ICS as Substantiation of General Managerial Duties consisting of accounting, insolvency prevention and comprehensive asset protection
  - Conceptual Origin
  - The "ICS" as a cipher for asset protection
  - Payment systems and ICS
3.1.2. Protective Measures outside of the ICS: Employee awareness training and insurance
3.2. Management's general duty of care
3.2.1. Duty of Care Standard and Liability of Board Members – Business Judgment Rule
3.2.2. Employee Awareness Training
3.2.3. Insurance
4. Conclusion
NOTE

1. Introduction

1.1. Companies as Targets for Criminals

Reliable and secure incoming and outgoing payment flows (henceforth: payment governance) are one of the essential responsibilities of good corporate management. With the introduction of electronic banking and digital authentication systems, the essential procedural steps of payment transactions have reverted to the account-holding company. [1] This makes payment transactions vulnerable to fraud and breaches of trust that originate in the sphere of the company itself. The range of potential cases extends from the accountant who authorizes salary payments to her fictitiously employed partner, [2] to a deputy accountant who exploits her electronic authentication to simply “reach into the till,” [3] down to a financial manager who finances private luxury expenses from the company’s funds. Further problems emanate from a growing field of organized crime: criminal syndicates identify internal organizational weaknesses and exploit them by means of social engineering schemes in order to induce unauthorized money transfers to their own foreign accounts. [4] A particularly frequently encountered version of such social engineering fraud schemes is the so-called fake president fraud: [5] here, forged or tampered digital communication, typically under the name of a business manager (“president”), is used by means of e-mail spoofing, [6] e-mail hacking, [7] or even a simple telephone call using a technically imitated voice, [8] in order to entice personnel with de facto access to the authentication codes to effectuate payments believed to be authorized, but which are in fact unauthorized by the competent management. [9] Generally speaking, the strategy is not to collude with corporate personnel, but to trick that very personnel into believing that they are simply following superiors’ orders, hence acting in accordance with organizational requirements. [10]
In other cases, fraudsters pose as permanent business partners and try to redirect recurring payments to a new clearing account [11] or deliveries of goods to new shipping addresses. [12] Similarly, fraudsters have claimed to be the partner of an asset manager and withdrawn the invested capital. [13] Since such social engineering attacks systematically exploit control gaps in corporate management in order to induce human failure, they require considerable [continua ..]

1.2. Fake President Fraud – a closer look

Fake President Fraud, also known as CEO Fraud, denotes a scheme in which fraudsters, posing as a member of the management board, approach an employee of the finance or accounting team, usually by long-distance communication like a phone call or an e-mail. They typically demand a large money transfer to a foreign account. The matter is said to be enormously important, strictly confidential, and extremely urgent. The pretext for the transfer may be, e.g., some alleged merger or acquisition. The typical incident can be described as follows: [18] Firstly, a lawyer of a well-known law firm introduces himself and explains that he is representing the management in a strictly confidential company acquisition. [19] Often, it is first emphasized that the called employee was chosen because of their longstanding loyalty to the company and their integrity in this highly confidential matter. In addition, the employee’s competence in finding solutions is charmingly alleged. Under this pretext, the employee is asked to complete a short-notice money transfer and to maintain strict confidentiality, for a breach of that confidentiality would constitute a violation of some made-up legal obligation, like insider trading, breach of trust or the like. To conclude the first step, the caller typically names another person involved, who will contact the employee later, as the CEO and the caller himself will be tied up in negotiations or other tasks. Secondly, the employee of the company receives an e-mail with specific information for the transfer. In this context, questions are often raised about the fastest way to execute this exceptional transfer and what the maximum instantaneously transferable amount is. In many cases, the attack technique of e-mail spoofing is also used, which means that the recipient is misled into believing that the sender’s address is trustworthy. 
Usually, an employee expresses concerns at various points in the communication, given the extraordinary nature of the request. Therefore, attackers almost always address those concerns proactively. For example, a confirming text message from the CEO acknowledging the request for payment is common. Often, it is claimed that the CEO is tied up in negotiations and therefore cannot be reached. The attacker (e.g., the alleged “lawyer” involved) confirms the instruction via fax, e-mail or the like and typically also shows the CEO’s scanned signature as proof of [continua ..]

1.3. Impact on Companies as well as Practical and Academic Relevance

The incidence of fake president fraud has increased sharply since 2015. [22] US companies seem to be particularly frequently affected. [23] Due to over 23,000 complaints about email fraud to the FBI Crime Complaint Centre and billions of losses, the FBI named CEO fraud one of the most relevant topics of 2019. [24] CEO fraud has already caused great damage in Europe as well: Among others, German police reported CEO fraud cases more than doubled between 2016 and 2017 in the German state of North Rhine-Westphalia alone. [25] Smaller, high-revenue companies have been particularly targeted since mid-2017. Those often suffer from insufficient professional governance and protection mechanisms. The Austrian Federal Criminal Police Office (Bundeskriminalamt) also warned Austrian companies of the threats posed by CEO fraud back in 2017. In Austria alone, CEO fraud had resulted in the loss of tens of millions of euros in recent years. Moreover, such fraud causes immense uncertainty among affected employees and investors, thus exceeding the actual damage done by successful attacks. [26] Companies that fall victim to such scams not only suffer huge financial losses, but are also damaged in their reputation. Even the disruption of their entire operation is plausible. In addition to the direct costs of the scam, expenses are also incurred during the recovery process, e.g. the costs of hiring forensic investigators or implementing new security measures. Due to numerous social engineering attacks, the phenomenon has been covered so far by media such as daily newspapers as well as academic publications from numerous countries. [27] Moreover, several court rulings already deal with the issue from a private law perspective.

1.4. Legal Implications and the Prosecution Issue

Fake president fraud, like other forms of fraudulent behaviour, is generally illegal. The specific penalties for fraud and other crimes vary by jurisdiction. In Austria, [28] for example, fraud is defined as “deception of facts into an act, acquiescence or omission” that leads to damage to the assets of the deceived or a third party. [29] CEO fraud in particular is grouped under the umbrella term “prepayment fraud (Vorauszahlungsbetrug).” Depending on the amount stolen, potential consequences are prison sentences of up to ten years [30] or monetary fines. [31] A victim company, however, typically encounters severe enforcement problems in going after the perpetrators themselves, for those are often located in far-away offshore jurisdictions, and stolen funds, too, are quickly transferred beyond the immediate reach of the victim company or its home jurisdiction. Moreover, perpetrators are typically hard to trace, insolvent or difficult to prosecute due to the many confines of international civil and criminal procedure and jurisdiction. [32] Effective criminal or civil prosecution regularly has little chance of success. [33] Therefore, the focus of injured companies shifts to their managing directors [34] and employees, [35] as well as to the insurance companies [36] and banks [37] involved in the transaction. In other cases, employees who were dismissed as a result of a successful fake president fraud have sued their former employers for severance payments. [38] Of all these many litigational variations, this article primarily deals with the internal liability of managers towards their company.

1.5. Role of corporate management

Because of the above-mentioned issues, it appears straightforward for the damaged company to claim compensation from those employees who “allowed” the scam to happen in the first place through deliberate or negligent breaches of due diligence. In this regard, however, many jurisdictions protect ordinary employees, viewing them as vulnerable parties deserving legal privileges. For example, according to Section 2 I of the Austrian Employee Liability Act (Dienstnehmerhaftpflichtgesetz), the court may, for equitable reasons, reduce the company’s claim for compensation in the event of simple negligent conduct on the part of the employee, or even waive it in its entirety in the event of only slight negligence. For this reason, in many cases it is not promising to seek compensation from the company’s frontline employees, and certainly not for an amount that even remotely approximates the millions of damage caused by the attack. [39] However, according to rulings, e.g., of the Austrian Supreme Court, the above-mentioned employee liability privilege typically does not apply to managing directors, who can thus be held fully liable for damages incurred by the company as a result of their lack of diligence and precaution. [40] This, and the fact that managing directors have a broader liability fund and insurance coverage than ordinary employees, would typically prompt the injured company to claim damages from the (former) managing director. Therefore, managing directors of corporations rightfully wonder which requirements exactly they must fulfil in terms of good payment governance in order to protect their company from social engineering attacks and siphoning in general. In addition, legal certainty and clarity is needed as to how these requirements translate into individual behavioural obligations of the competent Chief Financial Officer (CFO) and of other, non-competent managers when a management board is departmentalized. 
In the following, these questions will be dealt with from a doctrinal point of view. The starting point is to determine the existing practice and the general view of the market with regard to good payment governance (II.). Based on this, a clearly defined programme of organizational duties can be formulated for individual directors and officers (III.). This warrants a brief conclusion (IV.).

2. Good payment governance – preventing damages efficiently

The general understanding of good payment governance can neither be derived from statutes nor from corporate governance codes or any available guidelines. Rather, it is the result of an overall consideration of the payment governance practised. That practice provides the factual basis for normative reflection, be it in court decisions, [41] official guidelines [42] or other legal communication, including business management [43] and jurisprudential studies. The central principle for the doctrinal development of concrete requirements is the principle of economic efficiency: [44] prima facie, good payment governance could be defined by a comparison, namely that the control costs incurred must be lower than the expected value of potential future harm. [45] Thus, good payment governance appears to be an optimisation problem between control costs and security gains. However, taking into account the constant increase of fraudulent social engineering activities as well as the hardly limited damage potential, [46] the security gain is so overwhelmingly more valuable than any reasonable control measures could possibly cost that [47] – leaving aside completely disproportionate control paranoia – the main focus can be on the effectiveness of certain protective measures in relation to others: the optimisation problem, by approximation, can be treated as a problem of effectiveness. [48] Consequently, the prevalent question is this: what measures constitute good payment governance, so that compliance with them protects as effectively as possible against social engineering attacks including fake president fraud? The answer is a clearly structured payment approval system, flanked by measures for (IT) security as well as awareness training and supervision of staff and, if necessary, insurance coverage.

2.1. Payment clearance system

It is a primary task of the management to organize and secure the clearance of payments by implementing a payment clearance system. [49] In such a payment clearance system, internal responsibilities have to be clearly assigned in a manner that leaves no doubt whose authorization is required, in what form, and for which payments. [50] Since social engineering attacks typically start with the psycho-manipulative isolation of individual employees, it is important to set down this payment clearance system in a written payment manual [51] and to make and keep it available internally, so that employees can ascertain the required authorization procedure and any exceptions at any time. [52] To ensure this, the payment manual should be distributed by the managers to all employees involved in the payment processes. [53] It is not sufficient to leave the implementation of the payment clearance system to the departments and employees who are internally involved in the payment process, especially not in the form of self-determined “best-practice” manuals, because this could give rise to the wrongful impression that it is also the departments’ or employees’ decision to deviate from said system in certain situations. Indeed, the written manual for the payment clearance system has to provide not only the procedural rules, but also comprehensive rules on exceptions from them. This need arises from the nature of exceptional situations, in which organizational safeguards fall short if they do not clearly state their applicability in such situations. Specific and ex ante formulated exceptions to the payment clearance system strengthen the compelling conclusion that there is no room for further deviations, even in exceptional situations, and thereby strengthen the binding nature of the payment clearance system. Regarding the content and scope of payment clearance systems and their respective manuals, a certain practice has developed. 
This practice mainly rests on two principles, which aim to simultaneously reduce the risk of negligence and embezzlement: the principle of thrift and the four-eyes principle. [54] Combined, they lead to a payment clearance structure in which the power to authorize payments is limited to the smallest possible group of people [55] and each payment in principle requires two separate formal authorizations, given by two employees. Usually these systems also add devolutive [continua ..]

2.2. IT-Security

Modern social engineering attacks exploit vulnerabilities of the information technology systems used by companies. Therefore, the technical implementation of the payment clearance system has to be protected and secured by state-of-the-art measures. [61] Especially the adequate protection and secure storage of payment-related authentication codes, in particular passwords, PINs, TANs etc., is of fundamental importance. Evident safety measures to achieve this are sufficient encryption, digital storage without any connection to the internet, and the secure physical storage of devices used for the authentication of payment authorizations. Needless to say, the payment manual has to stipulate rules for the storage and management of the codes, and these rules have to be compatible with the authorization requirements stated in the payment manual. [62] Under no circumstances should it be possible to interpret or construe the rules for the management and storage of the authentication codes and devices in a manner that could undermine the authorization requirements: if, for example, a certain threshold is surpassed and hence a personal authorization by superior management personnel via an internal system is required, it must be ensured that a payment without the required personal authorization is impossible. In no case may the authentication codes of several members of the management be stored in a manner that would allow their simultaneous accessibility by any single executive. Such storage would enable the single executive to authorize the payment unsupervised and would therefore violate the four-eyes principle. In addition, good payment governance depends on the protection of internal, nowadays mostly digital, communication channels. With the appropriate software, the risk of successful hacking attacks and of the infiltration of the internal system by Trojan viruses or phishing can at least be significantly mitigated or even substantially reduced. [63] For example, the deceptive element of e-mails sent under false digital identities can be eliminated by “identity spoof recognition” systems. [64]
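The clearance rules of section 2.1 (smallest possible group of authorizers, two separate authorizations from two distinct employees, amount-based escalation) and the requirement of section 2.2 that a payment above a threshold is impossible without personal authorization via the internal system can be expressed as a mechanical policy check. The following is an added example written for this page, not code from the article or from any payment product; the tier amounts, role names, the rule that only authorizations recorded in the internal system count, and the rule that an unregistered beneficiary account needs board-level authorization are assumptions chosen for illustration.

```python
"""Policy checker for a written payment clearance manual (constructed example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Rank of each role; "board-level" means rank 2. Role names are assumptions.
ROLE_RANK = {"clerk": 0, "head_of_accounting": 1, "cfo": 2, "ceo": 2}

# Staggered (devolutive) tiers, assumed values:
# (amount up to and including, distinct authorizations required, minimum rank
#  that must be among the authorizers).
TIERS: Tuple[Tuple[float, int, int], ...] = (
    (10_000, 2, 0),          # small payments: two clerks suffice
    (100_000, 2, 1),         # mid-range: head of accounting must co-sign
    (float("inf"), 3, 2),    # large: three persons incl. board level
)

# Only authorizations recorded in the internal system count. An instruction
# received by e-mail, phone or fax is information, never an authorization.
ACCEPTED_CHANNEL = "internal_system"


@dataclass(frozen=True)
class Approval:
    approver_id: str
    role: str
    channel: str  # "internal_system", "email", "phone", ...


@dataclass(frozen=True)
class Payment:
    amount_eur: float
    beneficiary_iban: str
    approvals: Tuple[Approval, ...]


def tier_for(amount: float) -> Tuple[int, int]:
    """Return (required distinct authorizations, minimum rank) for an amount."""
    for limit, required_n, min_rank in TIERS:
        if amount <= limit:
            return required_n, min_rank
    raise ValueError("amount outside all tiers")  # unreachable with inf tier


def evaluate(payment: Payment, known_beneficiaries: Iterable[str]) -> List[str]:
    """Return all violations of the manual; an empty list means the payment clears."""
    violations: List[str] = []
    required_n, min_rank = tier_for(payment.amount_eur)

    valid = [a for a in payment.approvals if a.channel == ACCEPTED_CHANNEL]
    if len(valid) < len(payment.approvals):
        violations.append("authorization given outside the internal system")

    # Four-eyes principle: count distinct persons, not authorization records,
    # so one executive holding several codes cannot authorize alone.
    distinct = {a.approver_id for a in valid}
    if len(distinct) < len(valid):
        violations.append("same person supplied more than one authorization")
    if len(distinct) < required_n:
        violations.append(
            f"{required_n} distinct authorizations required, {len(distinct)} given")

    # Threshold escalation: a superior must personally authorize above the tier limit.
    top_rank = max((ROLE_RANK[a.role] for a in valid), default=-1)
    if top_rank < min_rank:
        violations.append(f"authorization of rank {min_rank} or higher required")

    # Beneficiary change control: redirecting a payment to an unregistered account
    # needs board-level authorization regardless of amount (assumed rule).
    if payment.beneficiary_iban not in set(known_beneficiaries):
        if not any(ROLE_RANK[a.role] >= 2 for a in valid):
            violations.append("unregistered beneficiary account: board-level authorization required")
    return violations


# Constructed sample data; the IBAN-like strings are placeholders, not real accounts.
KNOWN_BENEFICIARIES = {"XX00KNOWNSUPPLIER0001", "XX00KNOWNSUPPLIER0002"}
SYS = ACCEPTED_CHANNEL

ROUTINE = Payment(5_000, "XX00KNOWNSUPPLIER0001",
                  (Approval("emp-1", "clerk", SYS), Approval("emp-2", "clerk", SYS)))

# A fake-president scenario: one clerk approves in the system, the "CEO" only by e-mail,
# large amount, unknown foreign account.
FAKE_PRESIDENT = Payment(250_000, "YY00UNKNOWNACCOUNT0009",
                         (Approval("emp-1", "clerk", SYS),
                          Approval("ceo", "ceo", "email")))

# One person supplying both authorizations (e.g. holding two sets of codes).
SINGLE_EXECUTIVE = Payment(5_000, "XX00KNOWNSUPPLIER0001",
                           (Approval("emp-1", "clerk", SYS), Approval("emp-1", "clerk", SYS)))

if __name__ == "__main__":
    for name, p in (("routine", ROUTINE), ("fake president", FAKE_PRESIDENT),
                    ("single executive", SINGLE_EXECUTIVE)):
        print(name, "->", evaluate(p, KNOWN_BENEFICIARIES) or ["cleared"])
```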

2.3. Employee awareness training

The ultimate weak point of any company is the conditio humana. [65] The deterrent effect of criminal law (see above), a careful selection of employees and the implementation of barriers like the four-eyes principle are usually the only available protection from theft, embezzlement and criminal actions. Against social engineering attacks, additional measures are available to companies: regular training sessions for employees involved in payment processes, simulations of social engineering scenarios in role-playing exercises, and guides to identifying the hallmarks of forged or copied e-mails, signatures and letterheads [66] are suitable measures to enhance the resilience and vigilance of employees against attacks. [67] A number of specialized consultancies already offer to draft security concepts and even simulate [68] fraud attacks on behalf of the company, in order to identify weak points and revise existing security systems. Typical social engineering attacks depend on the isolation of the targeted individual within the company. [69] To this end, scammers try to create the impression that the target is not allowed to talk with anyone about the payment, for legal or other reasons, and that the addressed employee is only included because of his or her proven trustworthiness. [70] In the case of fake president fraud, the attackers must even prevent employees from contacting their superiors outside of communication channels controlled by the scammers. A trained and vigilant employee will immediately become suspicious and report the incident without further ado.

2.4. Insurance Coverage

Some degree of residual risk of social engineering attacks being successful cannot be eliminated. For this reason, appropriate insurance against such attacks is an obvious complementary measure to good payment governance. [71] Fidelity guarantees (Vertrauensschadensversicherung) could cover intentional damages caused by employees, [72] while negligent damages could be covered by other types of insurance. [73] The details of adequate insurance coverage must of course be assessed individually, on a case-by-case basis. In general, however, it is doubtful whether good payment governance without any complementary insurance coverage could actually offer sufficient protection. On the other hand, no company should rely exclusively on insurance coverage, since the lack of good payment governance may trigger exclusions from the coverage.

3. Payment Governance Obligations and Liability of a Sole Managing Director

3.1. The Managing Director’s Responsibility to establish an Internal Control System

The responsibility for the operational compliance with any good payment governance or payment clearance system lies with the management of the company. Especially in smaller and medium-sized companies there might exist only a single managing director, in which case this single individual is responsible for the protection of the company against unauthorized transfers of wealth. [74] Accordingly, the director has to implement and monitor internal payment procedures in a manner which reduces the risk of unauthorized transfers. Additionally, protective measures have to be taken against specific threats arising from the organizational structure. If the organizational structure grows more detailed and complex, a single managing director will not be able to fulfil all these responsibilities by himself. [75] Rather, his duty of care evolves into an organizational duty to ensure good payment governance. [76] While simple enough in concept, the details of this evolution of obligations, as well as their legal basis and scope, remain open: it is unsettled whether these obligations result from specific legal norms, like the obligation to set up an internal control system (hereinafter: ICS), [77] or whether they are to be derived from the general duty of care of managing directors. [78]

3.1.1. ICS as Substantiation of General Managerial Duties consisting of accounting, insolvency prevention and comprehensive asset protection

Conceptual Origin

Some jurisdictions stipulate specific obligations for managing directors, which have direct influence on the directors’ responsibilities and substantiate them in regard to good payment governance and payment clearance systems. Examples of such provisions are Sec. 22 I of the Austrian Limited Liability Corporation Code (GmbHG) or Sec. 82 of the Austrian Stock Corporation Code (AktG), which oblige the director to implement an internal control system. The concept of the ICS was legally introduced in Austria in 1997 [79] and was meant to substantiate the rather broadly defined managerial duty of care by stipulating a minimum of organisational responsibility. [80] The ICS is described by the legislator in the explanatory notes as “all coordinated methods and measures in a company which serve to safeguard assets, ensure the accuracy and reliability of accounting data and support compliance with the prescribed business policy. (see WP Handbook 1996 I11 pg. 43)”. [81] This description can be traced back to a 1949 report of the AICPA [82] and a work on internal control cited therein. [83] The AICPA report describes internal control as follows: “Internal control comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies”. This definition illuminates that the ICS is not only intended to prevent insolvency in the narrower, event-related sense or to strengthen accounting, but also to “safeguard assets”, i.e. to ensure comprehensive protection of the company’s assets. [84] In total, any ICS has to fulfil three elementary requirements simultaneously, with each of these requirements possessing an accounting, an insolvency prevention and a general asset protection dimension.

The “ICS” as a cipher for asset protection

In Austria, the vague definition of the ICS by the legislator and the literally translated reference to the AICPA report in the explanatory notes suggest that the ICS was originally not a legal concept, [85] and that its transformation into a legal term has not been entirely successful. [86] In fact, the term originates from business administration. [87] The reference to the Handbook of Certified Public Accountants [88] leaves no doubt about its conceptual origin. [89] In business administration, the term ICS comprises first and foremost all governance measures which ensure the safety and economic efficiency of the company. [90] This gave rise to a similar and common description of the ICS as a package of measures to ensure the safety, regularity and economic efficiency of the company. [91] Safety in this regard is understood as the requirement to establish an economically reasonable package of measures that minimizes the risk of damages to the company. [92] The requirement of regularity comprises the material and formal correctness, completeness and timely execution of internal processes, their documentation and traceability, as well as compliance with statutory regulations. [93] The requirement of economic efficiency addresses the company’s need to act profitably and its charged relationship with the aforementioned safety requirement. [94] The ICS is therefore also concerned with the repressive correction and prevention of risks which, individually or in accumulation, [95] could endanger the continued existence of the company. [96] In total, the understanding of the term ICS in its original context of business administration at least illuminates that the ICS indeed includes all measures that strive to protect the company’s assets. This understanding can be supported by a comparative analysis of similar rules in Germany. 
In contrast to Austria, the German legislator constitutes, at the corresponding systematic point in the German Stock Corporation Act (AktG), a “monitoring system”, which is intended to “identify developments endangering the continued existence of the company at an early stage”. [97] Thereby the German legislator intended to clarify that the management board is obliged to set up systems that allow entrepreneurial risks to be identified in good time, so that suitable countermeasures can be taken to ensure the company’s continued [continua ..]

Payment systems and ICS

The specific requirements for an ICS depend on the size of the company and the industry or fields of business in which it operates. [109] As outlined above, the ICS pursues a tripartite purpose of insolvency prevention, accounting and clearing security, as well as general asset protection in regard to neuralgic business processes. It is questionable whether measures of good payment governance are just another part of the ICS or are rather a manifestation of the general duty of care of the management board. [110] If a measure of good payment governance is a requirement for achieving one of the objectives of the ICS, it seems reasonable to see it as part of the ICS. Measures of good payment governance do not only affect neuralgic points of the company, but concern all regulatory objectives of the ICS, insofar as the system generally aims to prevent irregularities and misappropriations in payment transactions. Because of the particular fungibility of liquid assets, these are particularly at risk. [111] However, intentional misappropriations as well as honest incorrect transfers do not only threaten liquid assets. [112] Due to their theoretically unlimited damage volume, [113] malversations may cause insolvency or over-indebtedness of the company. Measures of general malversation and error prevention in payment transactions therefore also serve as an insolvency prevention tool. [114] An unauthorised transfer of liquid assets also affects the company’s accounting, so good payment governance also includes a certain accounting dimension. The absence of any measures of general malversation and error prevention in payment transactions therefore violates the obligation to establish an ICS. In respect of the individual substantive requirements, a distinction needs to be made: the payment clearance system is part of the ICS because it regulates the rights to access the company’s liquid funds and to authorize transfers and payments from them. 
In this manner, it is an important part of the company’s general prevention system against malversation, specifically embezzlement, and against honest mistakes in processing payments: [115] by interposing authorization and monitoring procedures, the protection of the company’s liquid funds can be enhanced. [116] Because of the low cost and high efficiency, every company is obliged to record the responsibilities and competences to authorize payments and the applicable [continua ..]

3.1.2. Protective Measures outside of the ICS: Employee awareness training and insurance

Employee training, while useful for preventing social engineering attacks from succeeding, and insurance cover for damages from potential attacks are not part of the ICS. First of all, insurance solutions are not strictly measures to prevent the misappropriation of funds, but rather instruments for damage control. Employee training and other awareness-raising measures against specific threats have a complementary protective function. If payment transactions are protected abstractly against internal and external misappropriations to a minimum extent (payment manual, four-eyes principle, staggering of amounts), this already significantly reduces the risk posed by social engineering attacks. Only this minimum standard is covered by the ICS; more extensive payment governance obligations arise from the management’s general duty of care. [126]

3.2. Management’s general duty of care

3.2.1. Duty of Care Standard and Liability of Board Members – Business Judgment Rule

The obligations and corresponding liability of Management Directors are not harmonized in Europe, as the European directive on company law [127] includes specifications for the liability of board members in neither stock corporations nor closed corporations. [128] Even for the supranational European Company Societas Europaea, different liability schemes exist, as the SE-Regulation [129] refers to the national provisions of the Member State in which the SE’s registered office is situated (Article 51 SE-Regulation). Both in Austria and Germany, members of the Management Board have to act in matters of the company with the due care of a responsible and conscientious manager. This general duty of care includes an organizational duty, which becomes more distinct when the company expands, the division of labour increases and the organizational structure grows more complex. [130] As soon as the company increases its size, the organizational structure has to be further developed to avert harm. [131] Besides the rules regarding the establishment of a sufficient ICS, there are few specific norms which substantiate this general duty of care. Rather, the members of the management board are entitled to a margin of discretion in entrepreneurial decisions, even more so if they act within the limits of the Business Judgment Rule. In both jurisdictions a member of the management board acts with sufficient care in an entrepreneurial decision if he or she could reasonably believe to be acting in the best interest of the Company on the basis of appropriate information (Business Judgment Rule). [132] This form of the Business Judgment Rule is similar to and derived from, but not identical with, the common law principle of the same name. 
Rather, the Austrian and German versions of the Business Judgment Rule intend to create a safe harbour, giving a company’s management sufficient discretion to make entrepreneurial decisions. In contrast to the Anglo-American model, the liability exemption is only applicable to entrepreneurial decisions, and explicitly not where certain provisions constitute a specific legal obligation. [133] The standard of an objectively diligent management director stipulates that members of the management body must implement economic measures to protect the assets of the company against risks. The duties subsumed above [continua ..]

3.2.2. Employee Awareness Training

As already outlined above, employee awareness training and sensitization are crucial to avoid payment malversations, because employees pose a weakness insofar as they could potentially be deceived by psychosocial as well as technical means. From the company’s point of view, this risk can be efficiently reduced by increasing employees’ awareness and vigilance. In addition to specific information campaigns, trainings are suitable for this purpose. [136] The choice of a specific approach lies within the margin of discretion enjoyed by managing directors in their entrepreneurial decisions. The minimal protection offered by the implementation of an ICS alone is, however, not sufficient, as it only creates a minimum level of protection that is neutral to attacks. A diligent business director would therefore supplement the general measures of loss prevention with specific employee training measures to ward off social engineering activities. [137]

3.2.3. Insurance

As a supplementary measure, insurance can mitigate or completely compensate for the consequences of a successful social engineering attack. Whether the general duty of care can give rise to an obligation to enter into an insurance contract depends on the individual case. The available insurance conditions, in particular the premium amount, deductible and scope of coverage, [138] as well as the specific needs of the company must be weighed up carefully.

Outlook. Unfortunately, the next generation of social engineering attacks is already rapidly evolving in the form of “deep fake technology,” i.e., voice and video falsification by artificial intelligence. [139] In Europe, one recent case received particular attention. The mayors of Vienna, Berlin and Madrid were under the impression that they were in video conferences with the mayor of Kiev, Vitali Klitschko. [140] Later it turned out that it was an imposter using deep fake technology. Because of the rapid spread of video-conferencing in business and board meetings due to the COVID-19 pandemic, there already is a need for additional security measures to combat deep fake enabled frauds in companies. New and more detailed procedures will be needed to shield companies from this variation of fraud, which exploits the conditio humana extremely effectively.

4. Conclusion

The analysis above has shown that the components of good payment governance have to be differentiated from each other: Payment clearance system and general security, especially IT security, are parts of the ICS. Employee awareness trainings as well as the insurance coverage against social engineering attacks are additional protective measures. The obligation to establish them arises from the general managerial duty of care. The specific requirements for a sufficient ICS and the fulfilment of the general duty of care vary according to the industry and size of the company. As a minimum standard, firstly, a written payment manual must be drafted which establishes at least a four-eyes principle for outgoing payments and sets thresholds with a corresponding devolutive effect up to and including mandatory authorisation by the CEO. Secondly, from the point of view of (IT) security, an up-to-date Information Security Management System (ISMS) is required. The type and extent of, thirdly, employee awareness training and sensitisation and, fourthly, insurance coverage are difficult to formulate in general terms. However, it seems certain that the complete lack of any awareness-raising measures and an absence of insurance against social-engineering attacks have to be considered a breach of managers’ duty of care.
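The minimum standard just described (four-eyes principle plus amount thresholds that escalate the required sign-off up to the CEO) can be expressed as an automated clearance check, as in this added illustration, which is not part of the article and assumes a hypothetical role ladder and constructed threshold amounts:

```python
"""Payment-clearance check: four-eyes rule plus amount thresholds with
escalation up to mandatory CEO sign-off. Added illustration, not the
article's own material; role names and amounts are constructed."""
from dataclasses import dataclass

# Role ranks; a higher rank may sign for anything a lower one may.
RANK = {"clerk": 1, "head": 2, "cfo": 3, "ceo": 4}

# Escalation ladder: (inclusive upper bound in EUR, lowest role that at
# least one approver must hold). The amounts are hypothetical placeholders.
LADDER = [(10_000, "clerk"), (100_000, "head"), (500_000, "cfo"),
          (float("inf"), "ceo")]


@dataclass(frozen=True)
class PaymentRequest:
    payment_id: str
    amount: float
    initiator: str
    # (user id, role) pairs recorded by the approval workflow
    approvals: tuple


def required_role(amount: float) -> str:
    """Lowest role that must appear among the approvers for this amount."""
    for limit, role in LADDER:
        if amount <= limit:
            return role
    return "ceo"  # unreachable because of the last rung; kept for clarity


def check_payment(req: PaymentRequest) -> list:
    """Return the list of control violations; an empty list means cleared."""
    problems = []
    if req.amount <= 0:
        problems.append("amount must be positive")
    users = [u for u, _ in req.approvals]
    if len(set(users)) != len(users):
        problems.append("duplicate approver")
    if len(set(users)) < 2:
        problems.append("four-eyes rule: two distinct approvers required")
    if req.initiator in users:
        problems.append("initiator may not approve own payment")
    unknown = [r for _, r in req.approvals if r not in RANK]
    if unknown:
        problems.append("unknown approver role: " + ", ".join(unknown))
        return problems
    need = required_role(req.amount)
    if not any(RANK[r] >= RANK[need] for _, r in req.approvals):
        problems.append("amount requires sign-off by at least a " + need)
    return problems
```

A real payment manual would also fix who may hold each role and how approvals are recorded; the check above only enforces the arithmetic of the ladder and the separation of duties.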