In each jurisdiction, we have observed a trend of increased focus on holding individuals criminally responsible for corporate misconduct.
In part I of this two-part series, we provided a brief overview of the state of play of the criminal enforcement risks for compliance officers as well as some of the implications—both practical and legal—for companies and their compliance departments in the United States, France and the the Netherlands. We discussed that these three jurisdictions have no specific regime for holding compliance officers criminally liable for offenses committed on their watch. In part II, which will focus on recent trends in the United Kingdom, Germany and Ukraine, it will become clear that compliance officers are more and more likely to find themselves in the front line—if not as a suspect, then as key witnesses to assessing the company's compliance program as well as in relation to the (potential) criminal conduct. We will finish off with takeaways based on the developments discussed in relation to all six jurisdictions.
Germany: considerable criminal and regulatory exposure
Compliance officers are exposed to considerable criminal law risks in Germany.
Firstly, under German criminal law, a compliance officer can be held personally criminally liable for offenses committed by company employees, provided that the compliance officer at least suspected a crime was ongoing and deliberately looked the other way.
More frequent, however, are cases where the compliance officer has no knowledge of an ongoing crime within the organization. In such cases, German prosecutors "only" accuse the compliance officer of a breach of supervisory duties—a regulatory offense that carries a personal fine against the compliance officer of up to EUR 1 million.
This is where a particular feature of German white-collar crime law comes into play: As of today, German law does not hold corporations criminally liable (note that in June 2020, the federal government adopted a draft corporate criminal law, which will likely become effective around 2023). For now, only a steep regulatory fine can be imposed on a corporation for employee misconduct. Since not every offense committed by a lower-level employee suffices for this purpose, prosecutors, in search of an infringement of a high-ranking manager, sometimes take a close look at the chief compliance officer and whether they can base a corporate fine on an alleged breach of supervisory duties.
Thus, in recent years, in a typical German white-collar crime investigation, the prosecution will initiate two proceedings. In criminal proceedings, the prosecutor will investigate the actual crime, such as a corruption offense. In addition, he or she then initiates regulatory fine proceedings against management, often against the chief compliance officer or other high-ranking legal/compliance managers, such as an anti-money laundering officer, because through a breach of his or her supervisory duties the manager failed to prevent the crime. On the back of this management misconduct, the prosecution can then impose a regulatory fine on the company (in some cases in the hundreds of millions of euros).
Not only has the number of such proceedings increased of late, but they are also conducted more forcefully. For some German prosecutions, the gloves are off when investigating white-collar cases. For example, investigators are increasingly targeting the compliance and legal departments directly during searches to find out how suspected employee misconduct was handled internally.
Overall, these developments mean that compliance officers in Germany are exposed to significant criminal law risks and are well-advised to perform their duties very carefully and conscientiously.
U.K.: increased spotlight on compliance officers
In December 2019, the U.K. Financial Conduct Authority's (FCA) Approved Person Regime was replaced for all FCA regulated firms with the Senior Managers and Certification Regime (SMCR). The new regime focuses on individual accountability; senior managers of a regulated business (which include compliance officers) have a statutory duty of responsibility. In the event of a breach, the senior manager responsible for that area could be held personally liable in regulatory proceedings if he or she did not take reasonable steps to prevent the breach. The FCA has a history of taking regulatory enforcement action against compliance officers including for failing to implement or monitor systems. With the SMCR focus on individual accountability, there is likely to be an increase in such proceedings.
Outside of the regulated sector, one of the central difficulties to prosecuting companies for fraud in England and Wales is the "identification" doctrine, i.e. the prosecution must prove that the alleged criminal behavior was committed with the knowledge of the directing mind and will of the company (i.e., senior management). Whilst the issue of corporate criminal liability looks set to be the subject of a government review, progress in dealing with this problem has been made by the introduction of the corporate offenses of "failing to prevent" bribery and the facilitation of tax evasion, through the Bribery Act of 2010 and the Criminal Finances Act of 2017, respectively. The only defense to such offenses is for the company to be able to demonstrate the adequacy (Bribery Act) or reasonableness (Criminal Finances Act) of the procedures in place to prevent such activity. This has only increased the need for companies to ensure their compliance programs are robust.
The net effect of this is that compliance officers are likely to find themselves at the front and center of any such investigation by U.K. authorities: not necessarily because of any individual criminal liability (although such a possibility cannot be ruled out), but because they will be a key witness for the authorities in both assessing the company's approach to compliance and the adequacy of any compliance program.
Ukraine: do compliance officers have a higher degree of liability than "simple" employees?
The concepts of compliance and the compliance officer function are still new to the Ukrainian market. Ukrainian law does not foresee any specific regulatory obligations or criminal liability for compliance officers.
In practice, a compliance officer located in Ukraine can be held criminally liable on the following bases:
- criminal misconduct as a "simple" employee
- criminal offense based on complicity in a crime committed by a third party and/or
- failure to report a crime to enforcement authorities.
A compliance officer, like any other individual, can face criminal liability based, for example, on the following:
- violation of personal privacy
- causing loss by deceit or breach of confidence
- forgery of documents, stamps, seals or letterheads and sale or use of forged documents and/or
- passive/active bribery of a public official/company officer
- the penalties for a criminal offense committed as an employee range from a small fine of UAH 850 (app. USD 32) up to 12 years' imprisonment.
A compliance officer could also be criminally liable as an accessory, which, under Ukrainian law, requires at least a promise to assist with the principal's criminal conduct. Such assistance can be by both act and omission. The penalties for accessory liability can by law be the same as those for principal liability.
Criminal liability is further possible if the compliance officer acts (at least) negligently when failing to report a serious or particularly serious crime (e.g., bribe of public officials and money laundering activities) to the competent authorities. The penalty for such misconduct ranges from an arrest (a short-term imprisonment) of one month, up to three years' imprisonment.
From a practical perspective, the case law of the last two years reflects only very few cases where individuals have been convicted under this non-reporting criminal offense. However, criminal courts often qualify instances of non-reporting as acts of accessory (e.g., concealment of a crime). This suggests an even higher risk for non-reporting compliance officers.
Moreover, the criminal act of a compliance officer can also lead to criminal liability for the company he or she works for. This corporate criminal liability is limited to a group of criminal offenses, including, money laundering, terrorism or bribery committed on behalf and in the interests of the company.
First of all, in only one of the six jurisdictions canvassed (Germany) in part I and II is there a specific regime for holding compliance officers criminally liable for offenses committed on their watch. Furthermore, outside of the regulated sector, in all jurisdictions holding a compliance officer liable for (corporate) wrongdoing would require his or her knowing involvement in the offending. Except for cases in which compliance officers had active and knowing involvement in violations, we are aware of no attempts to seek criminal convictions of compliance officers for anti-bribery and anti-corruption-related misconduct. However, in each jurisdiction, we have observed a more or less recent trend of increased focus on holding individuals criminally responsible for corporate misconduct. And when companies face proceedings, or have to conduct internal investigations into suspected misconduct, compliance officers are more and more likely to find themselves in the front line—if not as a suspect, then as key witnesses to assessing the company's compliance program as well as in relation to the (potential) criminal conduct. As discussed in part II, in Germany, for example, investigators are increasingly targeting compliance departments directly during searches to find out how suspected employee misconduct was handled. The role of the compliance function in relation to any suspected wrongdoing is therefore the subject of intensifying scrutiny.
In this respect, it is worth noting that the recent New York City Bar Association's report on chief compliance officer's liability in the U.S. financial sector signals that the increase in investigations of and enforcement actions against compliance officers may deter individuals from seeking or maintaining compliance positions for fear of bearing liability for the misconduct of others. The report further mentions that "these increases have not necessarily grown out of legislative action, but rather, by regulators deciding that they will use their considerable enforcement discretion to bring enforcement actions against compliance officers more frequently than in the past." Given the recent developments in the non-regulated sectors of the jurisdictions mentioned in this article, this trend could soon apply more broadly.
As discussed in part I, U.S. and French authorities have issued limited guidance on circumstances in which chief compliance officers would generally be the subject of enforcement action. Clear(er) guidance from authorities in more jurisdictions would certainly be a welcome development, if only to allay any unnecessary concerns within the compliance community.
Originally published August 12, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.