The increasing interest of governments and law enforcement authorities in the conduct of corporations is resulting in new compliance requirements for companies worldwide. There has been a global trend towards the expansion of "corporate criminal liability", i.e. the introduction of laws which make it easier for law enforcement to hold companies to account for crimes. Corporate liability for crimes such as bribery and corruption is common to multiple jurisdictions globally, but the recent trend has been to cast the net much wider than that to a broader range of criminal offences, or to cover any crime committed by senior personnel for the benefit of the organisation.
In this article, we look at recent developments in this space in the UK, Germany and Poland, but corporate entities and partnerships should take note of global developments and the extra-territorial reach of some of the recent legislation.
The UK Perspective – recent widening of corporate criminal liability
The UK Economic Crime and Corporate Transparency Act 2023 (the "2023 Act") (addressed in detail in this series) is designed to make it easier for law enforcement agencies to investigate and prosecute body corporates and partnerships for the acts of those associated with them, including for the conduct of senior managers and, in the case of large body corporates and partnerships, for a failure to prevent fraud.
These legislative changes have been driven by a wider strategy to address the threat that fraud poses to the UK economy if left unchecked, and the focus on corporate liability is part of a wider concern that bad actors can use and abuse corporate structures to disguise fraudulent practices and avoid accountability.
Previously, a corporate entity could only have criminal liability where a person who constituted the "directing mind and will" of an organisation had committed an offence in circumstances where their actions could properly be attributed to the organisation. The 2023 Act lowered that threshold for certain economic crimes, such that the conduct of a senior manager may be attributed to the organisation, making the organisation liable for a criminal offence. A senior manager is someone who plays a significant role in making decisions about the management or organisation of, or who actually manages or organises, a substantial part of the activities of any corporation or partnership.
The 2023 Act also introduced a new failure to prevent fraud offence, which will come into force on 1 September 2025. Large corporations and partnerships (i.e. those which satisfy at least two of three minimum criteria: 250 employees, £36 million in turnover or £18 million in assets) will be guilty of an offence if an associated person commits certain fraud offences while intending to benefit them or anyone to whom they provide services, such as clients or customers. The fraud offences include those under the Fraud Act 2006, cheating the public revenue, false accounting and fraudulent trading (among others). A defence is available where an organisation has reasonable procedures in place to prevent fraud, underscoring the importance of proactive preventative measures. Organisations should therefore revisit their commitment to fraud deterrence and detection, including by having robust and well-documented fraud detection processes covering risk-assessment, due diligence, monitoring and review, and by ensuring they have clear communication and whistleblowing policies, as well as adequate training.
International organisations should bear in mind that the 2023 Act may apply to conduct where a victim suffers loss in the UK, even if the company is not incorporated, or the conduct does not occur, in the UK. In practical terms, this means that non-UK based organisations should ensure that any proactive preventative measures extend to any UK-based subsidiaries and associated third parties (such as contractors or agents) operating in the UK on its behalf.
Developments in Germany
The UK is not the only jurisdiction which is seeking to strengthen the integrity of its economy through legislative change. In Germany, the introduction of corporate criminal law has been discussed for several years.
Currently, companies are not directly subject to criminal liability. Corporate sanctions are available under the "Act on Regulatory Offences" (Gesetz über Ordnungswidrigkeiten) ("OWiG") which provides for the imposition of fines on companies and other organisations if a leading person commits a criminal offence or an administrative offence, thereby violating the duties of the company (Section 30 OWiG). Corporate liability may also arise in cases of a breach of a duty of supervision (cf. Sec. 130 OWiG). However, the sanctions under the OWiG are limited to fines, which in practice are sometimes considered insufficient to effectively counter large companies.
As a result, there have been calls to strengthen the position. A draft bill was developed in 2019 and was presented as a legislative proposal in in 2021 which would extend the sanctions under OWiG. However, due to various disagreements between the responsible parties, the legislative proposal, that would have been a major milestone for German corporate criminal liability law, was not adopted, but that is not likely to be the end of the matter. The adoption of a specific corporate criminal law or supplementary standards in the OWiG is likely in the future and we would expect that to be in line with the previous legislative proposals. That would cover all forms of business that pursue an economic purpose and would see the adoption of a more prescriptive financial sanctions regime - if intentional corporate offences were committed, the company could be sanctioned with a corporate fine of between EUR 1,000 and EUR 10 million. Corporations with an average annual turnover of more than EUR 100 million could be fined a minimum of EUR 10,000 and a maximum of 10% of the average annual turnover. Negligent offences would be fined from EUR 500 up to EUR 5 million. In addition to financial sanctions, sanctions such as profit disgorgement or public notification of convictions were also provided for. Companies with an effective compliance management system in place would likely be subject to milder sanctions in the event of a conviction.
Despite the fact that direct corporate criminal liability has not yet been adopted in Germany, companies have been subject to increasing regulatory requirements in recent years. For example, companies are subject to the Supply Chain Due Diligence Act (LKSG), the Whistleblower Protection Act (HinSchG) and the General Data Protection Regulation (DSGVO). The Whistleblower Protection Act, for example, requires a company with usually at least 50 employees to set up and operate an internal reporting office that employees can turn to.
Poland: wide reaching liability for corporate entities
Corporate criminal liability has much broader scope in Poland. An extensive regime for enforcement of criminal liability of companies has been in place for a number of years, as the issue is regulated in the 2002 Act on the Liability of Collective Entities for Criminal Offences.
The Act has a broad scope of application. Criminal liability may be imposed not only on companies but also on entities such as foundations and associations. Liability of foreign entities (in particular branches of foreign companies) is also possible.
A catalogue of offences that a company can be held liable for comprises typical offences related to business operations (e.g. fraud, money laundering, false documentation, tax offences, breach of competition rules) and numerous less obvious offences, such as environmental offences and offences against sexual integrity of individuals.
The offence needs to have been committed by a natural person linked to the company. Importantly, the link is not limited to the natural person being the "directing mind and will" of the organisation. It may be a sufficient link that the company profitably cooperates with the perpetrator in the conduct of day-to-day business (so the company may be held liable for the acts of not only directors but also other persons, such as employees or B2B-contractors). As a rule, the commission of the offence should be confirmed through a final conviction of the perpetrator.
The offence needs to be at least potentially beneficial to the company. A non-pecuniary benefit (e.g., the offence solves an important organisational problem) is enough. Moreover, the company’s negligence needs to be proved. Depending on the relationship with the natural person, this may be the company’s fault in selection, fault in supervision or organisational fault (organising the business in such a way as not to prevent the offence). Thus, proper compliance procedures should be effectively implemented to limit the risk of liability.
If the company is held liable under the Act, the criminal court may in particular (a) impose a fine in the amount of up to approx. EUR 1,150,000, (b) order the financial gain from the offence to be confiscated and (c) impose bans on advertising, using state aid or bidding for public contracts.
In recent years, there have been numerous discussions on possible amendments to the Act on the criminal liability of companies in Poland. In particular, it was proposed that, in the case of large entities, there would be no requirement to first obtain a conviction of a natural person. However, no significant amendments have been adopted so far.
What next?
As corporate crime remains a major concern globally, the legal landscape of corporate criminal liability is likely to evolve further. The UK's expanding use of the "failure to prevent model", Germany's push for stronger corporate sanctions and Poland's ongoing discussions on tightening corporate criminal liability are just a few examples of a broader global trend towards corporate accountability. Compliance and risk management are therefore business critical issues, and it is essential for corporate entities to understand the regimes they are subject to globally in order to ensure their compliance programs adequately address the relevant risks. It is advisable to periodically conduct global risk assessments and compliance reviews to ensure that all global operations and risks have been considered and that compliance policies remain fit for purpose.
