Compliance & Ethics Programmes: Criminal liability of organisations – How can US sentencing guidelines help us?
Article by Oana Piticas, Senior Associate, Coordinator White Collar Crime Practice Bucharest, Noerr
Although Romanian law established criminal liability of organisations in 2006, thus adopting a liability model very similar to that of France, Belgium and Portugal, there is still a lot of confusion when it comes to determining when an organisation is to be held criminally liable. From what we see in our day-to-day activity, the courts are still struggling to determine when offences committed by the management of an organisation can also trigger the criminal liability of the organisation itself[1].
Therefore, as we do every time our legal provisions prove to be insufficient and unclear or case law remains confusing and inconsistent, we lawyers look at similar legislative systems or liability models that have often been the “inspiration” for our laws to best learn how they are intended to function and be implemented.
With this in mind, we believe that our legislative system will prove the wisdom of Dr Martin Luther King Jr.’s famous quote “We are not makers of history. We are made by history.” and Romania will not implement an entirely new liability model for organisations, but will rather reflect on existing ones and adapt them to its own social and economic context.
For this purpose, we decided to take a closer look at the liability model implemented by the US, since we all know that they are the Motherland of compliance”. The US Sentencing Guidelines[2] soon came to mind, especially since they dedicate an entire section (Chapter VIII) to sentencing organisations. We found the following core principles to be extremely helpful for Romanian organisations (in the light of Romanian case law):
The existence of an effective compliance and ethics programme is a mitigating factor.
In other words, the existence of such a programme will not, in itself, determine whether an organisation should be held criminally liable or not, but will function as a mitigating factor in sentencing those organisations found to be guilty.
So why did we consider this to be a core principle for Romanian organisations, especially since there is absolutely no express legal obligation for organisations to implement such a compliance programme? The following quotes, extracted from Romanian case law involving the acquittal of an organisation[3], are particularly enlightening:
“In order to consider the criminal liability of an organisation, there must have been deficiencies and failures to act on its part and particularly on the part of its board of administrators, shareholders and legal representatives that created the context for such behaviour” and
“Moreover, the organisation has implemented an organized supervision and control system, a complex mechanism for reporting and verification, on every decisional level, but also between such”.
Compliance and ethics programmes are to be tailored specifically to each organisation
This means that (i) general and “alibi” programmes, i.e. “template programmes”, are not considered efficient and (ii) every compliance and ethics programme must be specifically designed for each organisation, taking into consideration its size and applicable industry practices or standards.
The “made to fit” core principle also includes recommendations with regard to the resources an organisation is supposed to allocate to implement effective compliance and ethics programmes: while both large and small organisations are supposed to promote the same compliance culture, large organisations are expected to devote more formal operations and greater resources to meeting the requirements of compliance standards.
The existence of compliance and ethics programmes is not enough
US sentencing guidelines specifically state that the effectiveness of such programmes is what counts in the end. In order to ensure effectiveness, an organisation should consider at least the following:
- The organisation’s governing authority, i.e. its board of directors, should exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics programmes;
- Individuals within the high level personnel should be assigned overall responsibility for compliance and ethics programmes;
- The organisation’s standards and procedures should be communicated periodically through effective training programmes or similar means;
- Periodical evaluation of the programme’s effectiveness is essential; and
- Whistleblowing mechanisms, i.e. anonymous and confidential reporting systems designed for employees and business partners who suspect or detect criminal conduct, are mandatory and should encourage anyone to report such conduct without fear of retaliation.
Therefore, organisations should remember that showing a degree of interest in the effectiveness of a compliance and ethics programme determines how prosecutors and courts of law view actual criminal conduct within the organisation. However, the failure of the organisation to prevent or detect individual offenses does not necessarily mean that the programme is not generally effective in preventing criminal conduct.
The organisation’s response to criminal conduct
Last but not least, organisations should remember that the effectiveness of a compliance and ethics programme also refers to an organisation’s response to actual criminal conduct.
While it is clear that recurrent misconduct raises doubts with regard to an organisation’s commitment to compliance and with regard to the oversight (or rather, the lack of it) exercised by its board of directors, several other factors should also be taken into consideration. The bottom line is this: ignoring and tolerating criminal conduct reflects the absence of an appropriate compliance culture and can lead to severe penalties for the organisation itself, its management or employees.
Of course, one may wonder why principles of common law should be considered by Romanian companies, regardless of their shareholder structure. The answer lies in the remarks of the Romanian courts cited above which prove that effective compliance programmes, although not specifically required by applicable legal provisions, are what prosecutors and judges turn to in order to determine the degree of an organisation’s culpability and, ultimately, its criminal liability.
This is not an easy task: whenever an offence is committed by someone acting in the name, in the interest or on behalf of an organisation, especially if that someone is a manager or director vested with the power to represent the organisation, authorities will and should try to determine whether this criminal conduct represents an isolated breach of the organisation’s compliance programmes which does not fit into its overall compliance culture or tolerated behaviour encouraged, at least indirectly, by the organisation’s governing instance.
[1] Note to the reader: This article does not analyse the criminal liability of organisations found to have a criminal purpose, i.e. founded solely for criminal purposes. The vast majority of these companies are convicted by the Romanian courts and dissolved as a result of the conviction.
[2] Published by the US Sentencing Commission and available at https://www.ussc.gov/guidelines.
[3] Decision no. 1294/2016, issued by the Bacau Court of Appeal.