Compliance

For Fresenius, compliance means more than acting in accordance with the law. As we see it, Compliance rather means doing the right thing. We aim to comply not only with all kinds of regulations, but also with ethical principles. With our compliance activities, we want to ensure that everyone can rely on us as a trustworthy partner of integrity.

We have set-up risk-based compliance management systems, which are aligned with the business of each of our business segments. It is our key ambition to prevent corruption and bribery in our business environment. Beyond that, prohibiting violations of antitrust law, data protection regulations, trade restrictions, anti-money-laundering laws as well as the prevention of potential human rights violations are key areas, which we address with dedicated compliance measures.

Our approach

GRI 205-3 and GRI 419

At Fresenius, we strongly believe that compliance protects what is most important to us: the well-being of the patients we care for. Compliance is firmly anchored in our corporate culture and guides us in our everyday work. Integrity, responsibility and reliability form the core of our understanding of compliance. Thereby, we design all our measures in such a way that they best prevent compliance violations.

As stated in our Fresenius Code of Conduct, we are fully committed not only to adhere to statutory regulations, internal guidelines, voluntary commitments, but also to act in accordance with ethical standards. Violations will not be tolerated. If a violation is detected, we perform an investigation, initiate the measures necessary to remediate the misconduct and impose sanctions if applicable. In addition, incidents prompt us to anchor ethical and compliant behavior even more firmly in our corporate culture as well as further sharpen our compliance programs and prevention mechanisms.

In all four business segments and at Fresenius SE & Co. KGaA, we have set up dedicated risk-oriented compliance management systems. These are based on three pillars: Prevention, detection and response. Our compliance measures are primarily aimed at using preventive measures to avoid compliance violations. Key preventive measures include comprehensive risk identification and risk assessment, appropriate and effective policies and processes, regular training, and ongoing consultation. We also carry out internal controls to identify possible compliance violations and ensure that we act in accordance with the rules.

The design of our compliance management systems is based on international regulations and guidelines, such as the ISO-norms on the set-up of compliance management systems and applicable audit standards of the IDW (PS 980). When implementing measures, we take into account the respective national or international legal frameworks.

Organization and responsibilities
Involvement of the Management Board

Responsibility for Compliance within the Fresenius Group lies with the Management Board and has been assigned to the board member responsible for Legal Affairs, Compliance, and Human Resources of Fresenius Management SE. The Management Board member assumes the function of Chief Compliance Officer of Fresenius SE & Co. KGaA.

In our four business segments, Chief Compliance Officers or Compliance Committees are responsible to develop and monitor the Compliance management system in their business segment They report to the respective management of the business segment.

The organizational structure

The business segments have established compliance organizations, which are based on the business organization. This includes respective Corporate Compliance departments, which develop global compliance initiatives for their business segment and support their respective compliance officers. More than 400 employees throughout the Group are responsible for compliance tasks and support Fresenius managers and employees in all compliance-related matters.

Corporate Compliance Department of Fresenius SE & Co. KGaA

The Corporate Compliance Department of Fresenius SE & Co. KGaA sets minimum standards for the Compliance management systems, especially for those Compliance risks that are relevant to all business segments. The department supports the work of the compliance officers of the four business segments with standardized management tools, processes and methods, and develops overarching compliance initiatives with them.

Compliance Steering Committee

The Compliance Steering Committee (CSC) is the central advisory body of Fresenius SE & Co. KGaA for Corporate Compliance matters. The CSC is composed of the Chief Compliance Officer, the Chief Financial Officer, and the heads of the Legal, Internal Audit and Corporate Compliance departments. If necessary, representatives of other governance departments attend the meetings of the CSC. The Compliance Steering Committee discusses the further development of the Corporate compliance management system as well as important compliance initiatives and relevant Compliance risk areas. The members of the committee also discuss severe Compliance cases and their remediation. All four business segments report annually to the CSC on the progress of their compliance management systems. The meetings of the CSC take place every six to eight weeks. In 2020, seven meetings took place - due to the COVID-19 pandemic, most of them virtual.

Best practice exchanges and compliance expert panels

To ensure ethical conduct, we continually review our business practices and exchange on best practices with our compliance colleagues worldwide. While in 2020 travel restrictions did not permit an in-person meeting, the regular exchange in cross-divisional expert panels continued. Areas of collaboration included antitrust and foreign trade law as well as cross-border investigations.

Reporting structures

The Chief Compliance Officer of Fresenius SE & Co. KGaA is informed on initiatives driven by the Corporate Compliance department on a weekly basis. Compliance case reports of medium severity for the segment Corporate are reported to the Chief Compliance Officer immediately. The Management Board of Fresenius Management SE receives reports on the status of the corporate compliance management system and selected initiatives regularly, at least twice a year. The Corporate Compliance Department also prepares an annual compliance report in text form. This report provides a comprehensive overview of all Corporate Compliance initiatives. The Supervisory Boards of both Fresenius SE & Co. KGaA and Fresenius Management SE are regularly informed about progress of Compliance measures, at least once a year, most recently in December 2020. The business segments have established individual reporting lines to their respective management. The management teams of the business segments receive regular reports on compliance by their Compliance Officers.

Despite the differences in business and risk profile in each business segment, we strive to evaluate the design of the compliance management systems using a uniform approach. In 2020, the Corporate Compliance department of Fresenius SE & Co. KGaA reviewed the maturity of the compliance measures of the business segments and Fresenius E & Co. KGaA for all compliance risk areas by using a uniform methodology (Compliance Management System Reporting). The results were presented to the Compliance Steering Committee as well as the Management Board and Supervisory Board. This assessment is expected to be continued on a regular basis.

Guidelines and regulations
GRI 102-16, -25

The Fresenius Code of Conduct forms the framework for all rules applicable at Fresenius Group. The Code of Conduct lays out the principles of conduct for all employees, including managers at all levels and members of the Management Board. The Code is aligned with international regulations (see Our Approach) and was adopted by the Management Board of Fresenius Management SE. In addition, the four business segments have implemented their own Codes of Conduct. These reflect the Fresenius Code of Conduct principles and cover the individual characteristics of each business segment. The Codes of Conduct are available to all employees at all management levels and are also available on the internet. Guidelines, organizational directives and process descriptions supplement and further define the rules of the Code of Conduct.

Our Principles:

  1. We intend to compete fairly and stipulate clearly that we do not engage in any practices that restrict competition. We do not exploit our position in the market to disadvantage others through unfair business practices. In addition to the Fresenius Code of Conduct, we have set out our commitment to compliance with worldwide antitrust regulations in a guideline for all business segments. These guidelines describe principles of antitrust compliance and important elements of the antitrust compliance program, such as training, dedicated checks, and monitoring concepts. Since 2019, all of the four business segments have implemented their own measures for the continuous implementation of the directive. They take into account the specifics of their business models, the respective risk profiles, and local legal requirements.

  2. We must not jeopardize the trust of our patients, business partners, or the public through unfair behavior. We do not tolerate any transactions initiated or carried out by unfair means and expressly oppose corruption and bribery. Our Fresenius Code of Conduct is very clear: "We do not offer undue advantages to business partners or third parties. Undue means: with the intention of influencing the recipient's actions or decisions. We avoid even the appearance of inappropriate behavior. We also do not grant any undue advantages over third parties". With this clear policy, we prohibit both advantages with the intention of obtaining an unreasonable advantage and advantages for e.g. routine process acceleration, so-called facilitation payments. Our Code of Conduct strictly forbids any form of manipulation through unfair behavior. Appropriate remuneration, transparent contracts and clear rules on granting gifts, donations, invitations and other benefits help us to act with integrity. We exclude political donations - with the exception of the U.S. market. We take special care to cooperate with health care professionals and organizations as well as patient organizations and public customers in a transparent way. For this reason, we set high standards worldwide in our dealings with these partners, which we have laid out in a number of guidelines in our business segments. We comply with anti-money laundering laws and trade restrictions at all times. Those business segments affected by these laws and regulations – such as Fresenius Medical Care and Fresenius Kabi – have implemented dedicated money laundering prevention policies.

  3. We represent our interests in a transparent manner. Private interests must not influence professional decisions. In our Code of Conduct, we have clearly defined how we deal with secondary employment, financial investments, political involvement, and family or personal relationships in order to avoid conflicts of interest. Each business segment also has supplementary guidelines and measures in place to identify and resolve conflicts of interest. At Fresenius Kabi, e.g., there is a specific conflict of interest guideline for purchasing, while Helios Germany regulates this in their corporate transparency policy.
Risk assessment

By using standardized methods, we regularly record, analyze and evaluate compliance risks in each business segment and at Fresenius SE & Co. KGaA. These risk assessments cover more than 20 risk groups depending on the business segment. Once a year, the Compliance responsibles exchange information on key findings from the respective risk assessments. In addition to core Compliance risks such as bribery and corruption, antitrust violations, money laundering, data protection violations, trade restrictions and human rights violations, the risk assessment also includes other significant business risks such as information security, environmental and occupational safety, quality assurance, and the protection of intellectual property, which can be in the responsibility of other functions.

Dealing with third parties

Our Code of Conduct and the related guidelines for Fresenius Group employees also regulate our relations to business partners and suppliers. We expect them to comply with applicable laws and standards as well as ethical standards of conduct in daily business and have specified this in our Fresenius Code of Conduct for Business Partners. Among other topics, the Code explicitly prohibits corruption and bribery and obliges our partners to comply with relevant national and international anti-corruption laws. We inform our business partners about these requirements before entering a business relationship. The business segments Fresenius Medical Care and Fresenius Kabi specify their requirements for suppliers in additional Codes of Conduct.

Our goals

With our compliance activities, we pursue our self-set goal of integrating our comprehensive understanding of compliance into our daily business and making compliance a matter of course. The aim is to prevent violations, continuously improve our compliance management systems, and to establish a "living compliance culture" throughout Fresenius. Exchange on best practices from our business segments plays a key role here. Each year, all business segments develop operational goals and measures to further strengthen their compliance management systems. These are coordinated by the compliance responsibles and presented to the Compliance Steering Committee.

Progress and measures in 2020

GRI 205-3
Risk assessment

In 2020, the business segments began to supplement their risk assessments with an assessment on single entity level. Fresenius Kabi has already introduced this bottom-up risk assessment in 2019. In this reporting year, Helios Spain integrated the content on compliance into the existing medical quality and risk management tool, thus implementing bottom-up risk assessment in the clinics. Implementation is to be continued in the other divisions in the coming year. With the introduction of a harmonized IT tool, we merged existing risk processes in 2020. In this way, we ensure improved Group-wide compliance risk reporting.

Training

Compliance training have a high priority for Fresenius. All employees are offered training on compliance issues. The training courses cover basic topics such as our Code of Conduct and corporate guidelines, but also specific aspects such as anti-corruption, antitrust law, money laundering, data protection, and information security. In 2020, Vamed focused on the prevention of money laundering and terrorist financing as well as antitrust, competition and public procurement law, while Fresenius Helios and Fresenius Kabi focused on the prevention of corruption. Fresenius Medical Care also conducted a general e-learning class on anti-bribery and anti-corruption as well as over 20 specialized training courses for specific target groups in 2020.

In order to convey the contents in a targeted manner, we rely on individual concepts tailored to the respective department and the respective target group of the employees. We also use various formats such as in-house training, live webinars, on-demand video training, and traditional online training. Participation in essential basic training, such as on the Code of Conduct, is mandatory.

Employees are prompted and reminded to participate in mandatory training courses. Depending on business segment and format, this is done in different ways: in some cases as a technical obligation with automatic registration, in others as manual registration by compliance departments, Human Resources, or managers. In addition, there is the possibility to link parts of the variable remuneration to participation in compliance training. To promote a risk-conscious and value-oriented corporate culture, we train managers using a dialog-based approach.

Review of business partners and investments

In all business segments and at Fresenius SE & Co. KGaA, risk-based due diligence reviews of business partners are carried out before entering a business relationship. Selection of business partners for due diligence is based on defined risk-based criteria in each business segment. A risk profile of the partner is created. On this basis, we initiate targeted measures. Thereby, contractual clauses are based on the risk profile of the partner. We also reserve the right to terminate the contract in case of misconduct. If we suspect misconduct on the part of a business partner, we take additional measures. Depending on the severity of the misconduct, these may include audits or certifications.

We also consider compliance risks in specific due diligence measures when deciding on possible acquisitions and investments. If necessary, we initiate safeguarding measures and include, e.g., compliance declarations and guarantees in the contracts. Following an acquisition, we integrate the new company into our compliance management systems as quickly as possible.

Trade restrictions

We also supply products to countries that are subject to trade restrictions. It is particularly important to us to comply with all currently applicable legal provisions, e.g., with regard to sanctions or export controls. To this end, we have introduced various measures in the business segments concerned, such as monitoring processes and special IT system checks for deliveries that are subject to import or export restrictions. The measures depend on the specific risk in the country concerned. We aim to ensure that we can comply with all applicable sanctions and requirements for export controls, even in the event of short-term changes in legislation.

Money laundering

Based on the risk profiles of our business segments, we have established measures to address money laundering risks in the Fresenius Group as part of the implementation of the requirements of the Money Laundering Act for traders in goods. These measures include anti-money laundering guidelines, specific topic-related risk analyses, internal controls such as the prohibition of certain cash payments, as well as auditing processes for relevant transactions. We have anchored the implemented controls in our guidelines and conduct training on them.

Financial transactions

We have implemented dedicated controls, such as the four eye principle, for cash transactions and banking transactions. We also monitor cash transactions that exceed a certain threshold. In this way, we ensure that all financial transactions are correctly accounted for, authorized and processed. Thanks to automated processes, we can identify compliance risks at an early stage. Evaluations of compliance with threshold values as well as other verification processes for supplier master data in affected business segments also provide valuable guidance.

Dealing with conflicts of interest
GRI 102-25

At Fresenius SE & Co. KGaA, we support our employees in dealing responsibly with conflicts of interest. We answer their "Frequently Asked Questions" (FAQs) on the intranet. Our Corporate Compliance Department is also available as a contact partner for all questions.

At Helios Germany, e.g., product decisions and price negotiations are strictly separated. Procurement decisions for products and services are made by the responsible medical specialist groups or departments. The purchasing department then negotiates the exact conditions with suppliers and service providers. In this way decisions about products and prices are strictly separated. In addition, all managers at Helios Germany must disclose investments and appointments via transparency declarations. In 2020, around 90% percent of the more than 1,000 medical specialist group members of Helios Germany have done so (see also Helios Germany Sustainability Report).

Transparency in health care
GRI 102-13, -43

Through our membership in various associations, we are actively committed to continuously improving transparency in the health care sector. For example, business segments are involved in Medicines for Europe and MedTech Europe. We are committed to respecting the codes and principles associated with these activities. In addition, we disclose all donations to health care professionals in our business segments, in accordance with the publication requirements applicable to us.

New measures, projects and processes

This year, we have continued to work on expanding our compliance management systems and strengthening existing measures.

At Fresenius Vamed, the focus was on the prevention of money laundering and terrorist financing. To this end, in addition to the establishment of dedicated responsibilities, a corresponding guideline was put into effect, which further defines the issues of risk analysis, due diligence and reporting of suspected money laundering.

Like Fresenius Vamed, Fresenius Kabi has focused on the further development of testing processes for business partners. While at Fresenius Vamed this concerned the revision of the Code of Conduct for business partners, Fresenius Kabi worked on the introduction of methodological improvements and the automation of the review processes. In addition, Fresenius Kabi has proceeded with the preparation of a global anti-corruption guideline which provides a framework for the various guidelines on individual aspects of the fight against corruption and extends these guidelines.

This year, Helios Spain revised and updated the Code of Conduct in order to further strengthen areas of increasing importance, such as the health of its own employees. In addition, the integration of the Latin American clinics into the compliance management system was continued.

The implementation of the new Group-wide regulations on cash and banking transactions was a major project across all business segments. In addition to additional controls for payments, the new regulations mainly relate to controls to prevent money laundering.

In the course of the reporting year, Fresenius Medical Care completed the review of their third-party due diligence concept and rolled out an updated process. As part of this roll-out, some 37,000 third parties were assessed for compliance risks. This process is currently being extended to cover additional measures in relation to selected external partners. Fresenius Medical Care is also building on existing local programs for selected third parties, such as distributors, to develop a globally consistent training approach in 2021.

Evaluation

GRI 205-3, GRI 406-1 and GRI 418-1
Audits and inspections

Our compliance measures are monitored by the responsible Internal Audit Department in independent audits. They review the implementation of policies and procedures as well as the effectiveness of the compliance measures in the business segments and group companies. If these audits reveal potential for improvement, the Internal Audit department, in consultation with the responsible managers, determines which remediations measures are to be taken by management. In 2020, Internal Audit departments worldwide conducted numerous compliance-related audits at Fresenius SE & Co. KGaA and in the business segments, which also included audit steps regarding relevant risk areas for Fresenius.

At Helios Germany, adherence to the business segment's transparency regulations is monitored on a spot check basis in regular transparency reviews.

With the Compliance Cockpit, Fresenius Kabi has a tool that provides managers of each subsidiary with an annual overview of compliance-relevant key parameters based on external and internal indicators. Fresenius Kabi reviews these key parameters annually and defines monitoring measures for those subsidiaries with an increased risk profile. Fresenius Kabi also conducts regular reviews of compliance initiatives in the form of workshops. Fresenius Kabi's compliance organization organized a total of 14 international workshops in 2020. Some of these were supported by the Corporate Compliance Department of Fresenius SE & Co. KGaA. The workshops not only served as intensive training for local employees, but also enabled Compliance Officers to review and, if necessary, improve their understanding of compliance, the effectiveness of local implementation of internal guidelines, and the development and, if necessary, the improvement of central compliance initiatives.

Reporting channels

If Fresenius employees suspect misconduct, e.g., violations of laws, regulations or internal guidelines, they can contact their supervisor or the responsible Compliance Officer and report the possible compliance incident. In addition, they can also report potential compliance incidents anonymously, e.g., by telephone or online via whistleblower systems, or designated e-mail addresses. All business segments have established appropriate mechanisms. The reporting systems of Fresenius SE & Co. KGaA, Fresenius Medical Care and Fresenius Kabi are available via the corporate websites not only to employees but also to third parties, e.g., customers, suppliers, and other partners, in more than 30 national languages.

In 2020, a total of 1,7291 Compliance reports were received via the reporting channels of the Fresenius business segments (status: full year 2020). The compliance reports received can be distributed by various input channels as the graph above shows.

The compliance reports could be allocated to the following reporting categories, e.g.: Business integrity including anti-corruption (110 reports), data protection (368 reports) and human resources/workplace (999 reports).

1 Fresenius Medical Care in North America, the hotline system was used for multiple reporting purposes: In addition to the reporting of compliance concerns, reports can also be made on patient care and safety. These patient-related cases were not included in the Group-wide number of compliance reports.

Dealing with possible compliance violations

We take all potential compliance violations seriously. In an initial assessment, we first focus on the plausibility and possible severity level of the potential violation. We take every indication of possible misconduct as an opportunity to review our corporate processes for improvements. The severity of the compliance violation determines who is responsible for further investigation. If necessary, a dedicated investigation team takes over the investigation, which may include internal professionals or external support. Measures are implemented by the responsible management in close cooperation with the responsible Compliance Officers, in a timely manner. Depending on the type and severity of the misconduct, disciplinary sanctions or remedies under civil or criminal law may be imposed. After completion of the investigation, we implement measures to prevent or impede similar misconduct in the future. Further information pursuant to § 289c (3) No. 6 HGB on the Non-Prosecution Agreement of Fresenius Medical Care can be found in the Notes to the Consolidated Financial Statements.

Diversity and equal opportunities

Data Protection