Pan-European compliance programmes?

In brief

• European countries are introducing tougher laws regarding corporate criminal liability, placing the focus on corporate failings in compliance policies and procedures.

• 2017 is likely to see new laws in France and the UK that will impact upon compliance programs, but other jurisdictions may also act in this area.

• International businesses need to consider cross-border compliance. Common policies across jurisdictions are more efficient and likely to be more effective, but local differences may not allow for a completely harmonised approach.

The compliance agenda

Across Europe, the ever-widening net of corporate criminal liability provides a strong incentive for corporate entities to enact and continually update compliance policies. Such policies, if adequate, may enable them to avoid prosecution, provide a defence to liability, or (at worst) mitigate any ultimate sentence should criminal wrongdoing be discovered.

In the UK, corporate criminal liability used to be rare - requiring culpability by the “directing mind and will” of the corporate entity - until section 7 of the Bribery Act 2010 introduced the strict liability offence of failing to prevent bribery. The only protection is the defence (as yet untested) of establishing that the company had “adequate procedures” in place to prevent persons associated with it from bribing. This type of criminal offence is soon to be transplanted to [tax evasion]https://www.simmons-simmons.com/publications/ck0a393e5chkr0b59garnl54l/21-criminal-finances-bill) (with a defence of reasonable prevention measures) and may be applied to economic crime more generally (see our related article). Such broad offences will place the spotlight of UK prosecutors on the adequacy and/or reasonableness of corporate systems and controls.

Continental consistency

It is not only UK legislation that is increasingly focused on failures in systems and controls as the determinant of corporate criminal liability. In many European countries, compliance efforts have become critical to decisions about prosecution or penalty. For instance:

• In Spain, following reforms to the Criminal Code in July 2015, companies that have adopted specific internal control procedures are exempt from criminal liability in respect of offending committed for their benefit by employees or in the exercise of corporate activities.

• In Italy, companies will be liable for specific offences committed by senior management unless they establish that the relevant employee(s) acted in breach of systems and controls that had been implemented and were adequate for preventing the commission of the offence.

• Companies in the Netherlands can argue against the attribution of an individual’s offending to them on the basis that they took reasonable care - in other words, implemented a robust compliance system - to prevent the misconduct.

• Finally, in France, Sapin II will introduce in 2017 a positive obligation to prevent corruption on companies (and their presidents, managing directors, managers and Board members) with either (a) at least 500 employees and turnover of over €100m in France; or (b) groups headquartered in France, with at least 500 employees worldwide and consolidated turnover of over €100m. To avoid administrative penalties, company representatives must implement numerous internal policies - including a corporate code of conduct, procedures for investigating whistleblower complaints and assessments to identify corruption risk - within a six-month window from 09 December 2016, the date the Act was published.

We anticipate that recent and forthcoming changes in the UK and European legislation may prompt many in-house counsel and compliance officers to consider developing a harmonised pan-European compliance framework that reflects best practices in control procedures. Certainly, common policies across Europe (and, indeed, globally) have the advantages of simplicity and consistency for any company. Nonetheless there is considerable variation in the European regimes. The Dutch regime offers a general defence that leaves it for the company to show that it took reasonable care, while the Spanish regime is highly prescriptive. Moreover, to be effective, internal procedures will necessarily have to take into account the particular challenges of operating in each country.

As well as Sapin II in France and the proposed extension of the failure to prevent offence in the UK, it is likely that other European nations will continue to develop the law relating to corporate compliance. When making any changes to compliance programmes in response to these new laws, it will be sensible to set common standards across borders wherever possible, but always to consider country-specific risks carefully and tailor policies according to risk assessments.