Compliance
Management approach and targets
At DB Group, compliance is an integral element of our corporate culture and guides our actions in all our business activities. We are constantly refining our compliance management system (CMS) in order to remain at the cutting edge and ensure compliance in the long term. Compliance is embedded in the Strong Rail strategy.
Our CMS is based on national and international legal requirements and established standards such as the German Institute of Public Auditors (Institut der Wirtschaftsprüfer; IDW) auditing standard IDW PS 980. DB Group accordingly applies the Federal Governmentʼs directive on corruption prevention in the Federal administration. The CMS is designed to ensure that compliance risks are identified at an early stage and appropriate countermeasures are implemented. We continually monitor the effectiveness of our CMS and make any necessary adjustments. Compliance is a component of the internal control system (ICS). As a result, intra-Group auditors examine, among other things, the CMS within DB Group as part of the ICS audits under the German Accounting Law Modernization Act (Bilanzrechtsmodernisierungsgesetz; BilMoG).
After the Group-wide independent investigation into the effectiveness of DB Group’s CMS with regard to corruption and white-collar crime in the form of fraud and embezzlement was completed in 2022/2023 by an auditing and consulting firm in all business entities with an unqualified audit opinion, a follow-up process accompanied by the auditing and consulting firm was conducted to monitor the implementation of the recommendations made, which was completed at the beginning of 2025. In terms of structure and process organization, compliance management at DB Group is characterized by a combination of centralized and decentralized elements. The Chief Compliance Officer (CCO) manages the further development of our CMS and reports directly to the Chief Executive Officer (CEO). The CCO is assisted in his/her duties by more than 250 employees responsible for compliance issues (full-time or part-time). Group management focuses its compliance work on centralized governance activities in particular. In the business units and service units, operational responsibility is assumed while implementing the CMS minimum requirements by Group management. The intensive exchange of information between centralized and decentralized compliance officers is ensured through various formats such as a specialist conference, compliance officer meetings that are generally held on a monthly basis, the use of a compliance cockpit as a working platform and virtual information events for compliance officers and managers that are held at least quarterly.
DB Group is committed to compliance issues in the national and international environment. Corruption, in particular, may harm the confidence of the people in the functioning of the state and its institutions, among other things, and can also lead to financial damage to the state. DB Group is involved in the development of corruption prevention strategies through its cooperation with the German Institute for Compliance and as an active member of Transparency International. A communication campaign was launched together with Transparency International Deutschland e.V. on the occasion of International Corruption Day. DB Group also contributes its compliance expertise in regular exchanges of experience and benchmark rounds with other national and international companies.
Compliance instruments
Targeted compliance instruments have been developed to protect DB Group, its employees and executives. These include, for example, binding compliance regulations, risk and process analyses, a compliance reporting system, communication and training measures as well as a whistle-blower system.
The code of conduct of DB Group is the cornerstone of our CMS. It defines standards and expectations for the day-to-day actions of our executive bodies, executives and employees and is provided to the employees via the Group regulations database and relevant pages on the intranet. The compliance regulations are also included in an app that is installed on all centrally managed business mobile devices at DB Group. The DB Code of Conduct has also been part of the employment contracts of DB Group employees since 2018. The DB Code of Conduct is also published on DB Group’s website in German and English. The DB Code of Conduct was expanded by resolution of the Management Board in compliance with the German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz; LkSG). The new version came into force on January 1, 2024. The DB Code of Conduct is supplemented by binding directives that specify the applicable legal provisions governing international and national business and contact with customers.
Compliance risk analyses are a key component of DB Group risk management and are conducted by the business units and service units. A Group-wide inventory of compliance risks is conducted in accordance with the governance requirements set by Group management. The binding framework concept sets out minimum requirements for planning, implementation, reporting and follow-ups. Within a three-year cycle, all Group companies with operational activities must be audited for risks of corruption. At the business unit level, reports on the relevant compliance risks are to be published annually in a predefined format.
Compliance risk analyses carried out show that the business units are affected by corruption risks in different ways. Some of our companies operate in foreign markets that are highly susceptible to corruption. In addition to DB Schenker and DB E.C.O. Group, this also applies to DB Cargo. For business units in the Infrastructure Board division, there are risks that corruption or fraud will be committed by suppliers or subcontractors at the expense of DB Group due to high procurement volumes. Proper handling of grants is also the subject of compliance work. This applies to various business units. The Management Board is informed about compliance risks in a compact annual compliance report. The report separately sets out the risk exposure of business units, service units and Group management functions and highlights existing risk-reducing factors and countermeasures.
During the year, the Management Board is also regularly informed about the further expansion of the compliance program and significant compliance cases and briefed on risks and new legal developments. The CCO also reports on compliance issues, including Group-relevant and critical issues, once a quarter in the Audit and Compliance Committee formed by the Supervisory Board. Independently of this, the intra-Group auditors report the key findings of the respective financial year – including the key findings of the audit areas and the status of the execution of the audit program – to the Audit and Compliance Committee in March and present the audit planning for the Group audit for the coming financial year in the December meeting. The General Counsel of DB Group reports on significant legal cases in the March meeting. Depending on the circumstances, the various committees are also informed directly about Group-relevant/critical matters in individual cases.
To achieve our compliance objectives in the long term, we seek to continually improve our instruments and provide advice on compliance issues. This requires compliance specialists to be informed of current technical developments. The Compliance Academy, a learning area implemented within DB’s own learning platform, is available as a central knowledge transfer tool for regular training. The completion of defined courses is mandatory.
Executives have a particular role to play in shaping our corporate culture. Various programs have been implemented to train them in compliant conduct to protect DB Group and themselves from compliance risks. The mandatory training program for top management executives was expanded to include a new module in 2024. This supplements the established compliance coaching provided by the heads of DB Groupʼs compliance, internal audit and legal functions. As part of the personnel selection procedure, pre-employment applicant checks were also carried out for executives below the level of top management in 2024.
The compliance awareness plan follows a risk and needs-based approach that specifies the intervals at which all executives and employees are to be trained. By holding in-person events or conducting e-learning sessions, it is possible to train almost all executives and employees who either need to be trained or are exposed to medium and high risk, over a period of two to two and a half years. About 36,000 executives and employees took part in events with instructors on the topic of corruption prevention in 2024 alone. E-learning modules were also extensively used. Together with the e-learning modules developed specifically for DB Schenker, more than 108,000 e-learning units on preventing corruption were completed in 2024.
The further intensification of sanctions against Russia and Belarus in 2024, as well as against Iran, meant that ongoing consulting, the adaptation of processes and contractual clauses and raising awareness of foreign trade law issues were once again a focus of compliance work. The growing requirements in the area of foreign trade law, which also result from the occasionally divergent requirements of different legal systems, were also reflected in the involvement of the central compliance function in numerous contract negotiations and discussions with insurance companies and banks. In this context, the business partners of DB Group were continually reviewed using DB Groupʼs sanctions list tool.
There is a Group-wide whistle-blower system to obtain information about potential violations of laws or internal regulations. The way in which submitted tip-offs are handled is regulated in detail. The processes implemented are intended to protect whistle-blowers. Clearly defined requirements regarding the rigor and relevance of whistle-blowing tip-offs serve to take account of the interests of the persons concerned.
There are various ways of submitting a tip-off. In addition to the compliance teams in Group management and in the business units and service units, this also includes three trusted legal practitioners who are legally bound to secrecy. There is also a Group-wide electronic whistle-blower system, which makes it possible to submit tip-offs anonymously. It can be used in 22 languages and is available not just to employees, but also to customers, suppliers and other stakeholders.
In 2024, tip-offs about cases of corruption in the lower double-digit range were received centrally via the whistle-blower system. These reports concerned acts of corruption or attempted corruption by business partners towards DB Group or its employees. They are processed internally in accordance with the established processes and, if sufficiently incriminatory, also in conjunction with the responsible investigating authorities. In 2024, there were no confirmations of allegations of corruption originating from DB Group. Accordingly, no labor law measures were taken against employees in this respect. There were also no ongoing court proceedings in 2024 for such corruption incidents.
In view of the German and European implementation laws for the EU Directive for better protection of whistle-blowers, further adjustments were made to processes and communication in the existing reporting system. Among other things, new reporting points were set up within DB Group at the beginning of 2024 to expand the options for reporting violations to include further issues, such as from the areas of Group security, procurement or information security. They complement the existing reporting points for corruption and white-collar crime as well as for data protection and environmental violations as well as violations of labor law protection regulations and LkSG complaints.
Executives and employees are advised by the compliance organization on questions relating to compliance issues. To this end, DB Group has been operating a compliance helpdesk for more than ten years.
In 2024, compliance activities workflows were analyzed in various projects to determine the extent to which workflows can be digitalized. In collaboration with the German Institute for Compliance, this resulted in a software program that can be used to automatically compare the codes of conduct of different companies. Furthermore, a Governance, Risk and Compliance (GRC) tool, i.e. a software application for managing measures and assessing risks, among other things, was procured and adapted to DB Groupʼs needs. The aim is to establish the platform as a central solution for compliance management and contribute to minimizing risk and increasing efficiency throughout the company.
Business partner compliance
Selecting business partners and suppliers carefully and informing them about the values and minimum requirements of DB Group are also necessary to ensure successful and sustainable business operations. DB Group has developed various formats to raise awareness among its business partners and establish sustainable action more firmly in the supply chain.
The e-learning module on the DB Code of Conduct for Business Partners, updated in 2023, is freely accessible online. It provides information about the topic of integrity, binding legal standards to be observed and ethical issues, and sets out clear compliance requirements as defined in our DB Code of Conduct for Business Partners. Real-world examples demonstrate how our principles should be applied. The DB Code of Conduct for Business Partners was amended in 2023 in compliance with the implementation of the German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) and adopted by the Management Board. The new version came into force on February 1, 2024.
Contracts and contractual partners are audited for compliance risks. The integrity clauses contained in the General Terms and Conditions of Purchase are used to counteract potential compliance risks. Other compliance regulations are agreed based on risks. This applies to the appointment of intermediaries, for example. If serious misconduct occurs, the group of decision makers for exclusions from tender procedures (Entscheiderkreis Vergabesperre; EKV) shall decide to suspend the awarding of tenders on the basis of clear criteria that stipulate how to deal with the contractor or supplier. In case of a suspension, the earliest that a business partnership can be reestablished or continued is after the suspension period expires or after the company takes action to clean up its practices, which the client body deems to be sufficient and which can often take many years to complete. In 2024, five companies were subject to an exclusion from tender procedures, along with one individual. None of the exclusions from tender procedures was due to corruption violations. In addition, an exclusion from tender procedures was imposed on one other sanctioned creditor.
The newly developed concept for Group-wide, standardized and IT supported compliance checks of business partners was further developed following the proof of concept carried out in 2022. The process is to be implemented as part of DB procurement processes as soon as the technical requirements for this have been met following completion of the ongoing SAP-related Group projects. Until then, an interim procedure for compliance business partner checks is to be used from the end of 2024 by way of incorporating an external service provider. In terms of quality, this largely corresponds to the newly developed concept for the final process.
Compliance with antitrust laws and preventing antitrust
damages
Virtual and face-to-face training courses ensure that executives and employees are kept aware of antitrust legislation. The formats of the training courses are individually tailored to the requirements of the business units and the central functions. The target group includes all executives and employees who are in contact with competitors or have other roles that are critical with regard to competition. The training courses are supplemented, in particular, by regulations specific to business units and close (antitrust) legal advice.
Measures to prevent antitrust damage are an important component of antitrust compliance. To this end, we operate a comprehensive antitrust damage prevention system. An important part of this system is to use contractual conditions in markets where antitrust violations are most likely, which obligate suppliers to introduce or maintain antitrust compliance programs.