[Return To Selected Articles]
November/december 2006 - By Francesca Chiara Bevilacqua
Corporate Compliance Programs Under Italian Law
Because of a law passed in Italy in 2001—modeled in part after the U.S. Sentencing Guidelines for Organizations—corporate compliance programs are increasingly becoming an important
feature in Italian companies as well as the focus of decisions in Italian courts. This article will review Italian law and business practices relating to compliance programs.
While in the U.S. corporate criminal liability has existed for almost a century, Italian law adopted a system establishing responsibility of corporations for the crimes perpetrated by their employees only in 2001.
The main reason for this late adoption was the difficulty posed by Italian law in finding in
a corporation the intent element required for criminal liability, due to the fact that the Italian Constitution states that “Criminal liability is personal” and that punishments must be imposed in order to re-educate the sentenced.
However, corporate criminal liability became the law in Italy with Legislative Decree No. 231 (June, 8, 2001), which sought to avoid any conflict with the Constitution by focusing on the corporation’s organizational culpability—using an approach that,
as we will see, draws heavily from the U.S. Sentencing Guidelines.
The legislative decree was passed, in part, to meet the requirements of various treaties, such as the Convention on the protection of the European Communities’ Financial Interests (Brussels, 1995); the Convention on the Fight Against Corruption Involving Officials of the European Communities or Officials of Member States of the European Union (Brussels, 1997); and the OECD Convention on Combating Bribery of Foreign
Public Officials in International Business Transactions (Paris, 1997).
Corporations are responsible
Under the 2001 law, corporations (and other organizations) are responsible for the offenses of their directors and other high ranking officials as well as that of their subordinate employees. But a corporation can avoid liability, in part, by showing that it had taken appropriate steps to prevent and monitor the commission of
It is easier to avoid liability when the crime was perpetrated by low-echelon employees than by managers/directors because the legislature believes that the actions of these managers and directors usually represent and embody the corporation’s policy and ethos. However, under the law, it is still possible to avoid corporate liability for crimes by high-level persons—where such individuals commit crimes against their company after having disrupted or avoided controls in a
The proof of the corporation’s innocence is harder to establish in these latter cases because the corporation must demonstrate not only the existence of good compliance programs, but also that the high-level persons fraudulently eluded them even though the compliance-related work of the “controlling body” (discussed below) was proper. More specifically, to avoid liability in these cases, the corporation needs to show that:
- The managing
body adopted and established a model of organization and management able to prevent crimes (i.e., a compliance program);
The duty to supervise the functioning and observance of the compliance program was given to an appropriate “controlling body”;
- The offender avoided the compliance program using fraudulent means; and
The controlling body effectively performed its duties.
The law further explains that the compliance programs must:
- Identify activities where crimes could be perpetrated (something like a risk assessment);
- Provide for specific procedures to prevent the commission of crimes;
- Identify a means to manage financial resources so as to be able to avoid the perpetration of crimes—meaning that since the use of the corporation’s
money is a delicate activity there should be a way to ensure that people do not use corporate funds inappropriately, e.g., they do not hide funds in order to bribe someone, etc.;
- Provide for reporting to the controlling body;
- Implement a disciplinary system to apply sanctions when the measures set by the organizational model (compliance program) are not observed.
cases concerning lower level employees—where the identification with the corporation is less clear—the legislature shifted burden of proof. The onus is on the prosecutor to show the existence of a general and structural organizational culpability in the prevention and protection of the corporation from the risk of crime, meaning, for example, that the compliance program was defective.
Additionally, the law provides that a compliance program must be tailored to the company’s
specific business circumstances, such as the nature and the size of the organization, and the kind of activity in which it is engaged. Also, a company must re-examine and modify its compliance program whenever significant violations are detected or whenever the nature of the organization or its activity changes.
The task of supervising the compliance program and updating it must be entrusted to a body provided with autonomous powers of initiative and control. The composition and
characteristics of this body have been debated, since the decree does not say much about what is required. The majority view is that the function cannot be externalized. The body cannot be the board of auditors (‘collegio sindacale’), because it does not have the continuity of action necessary for really effective control. Some scholars think the most appropriate choice would be to use the internal audit function.
Alternatively, some suggest the creation of a mixed composition body,
consisting of members of the legal division, of the human resources unit, or also of auditors and independent directors or internal auditors.
The compliance program can be structured on the basis of what is stated in codes established by trade associations. These codes provide general guidelines designed to help the individual corporation to build its own model. These programs, however, must always be adapted to the specific organization and therefore cannot simply reproduce others’
Five years have now passed, since the adoption of the decree, and there have been some interesting judicial decisions, although it is probably too early to say that there is a complete and clear body of case law. Initially, prosecutors and judges seemed reluctant to use the new tools set by the No. 231 decree. But that is beginning to change.
Concerning the core of the decree—the compliance
programs—the first decisions seem to stress the importance of building effective programs that are tailored to a company’s needs. “Make-up” models that simply utilize the guidelines provided by some trade associations and do not make any effort to adapt them to the specific company will not be positively evaluated by the judge.
For example, a 2004 decision by the Milan Trial Court stated that “the models”—that is, compliance programs—“as instruments of the corporation’s life, must have
a concrete and specific effectiveness and dynamism, and they must come out of a realistic and economic vision of the business activity, not just a formal juridical one.”
Moreover, the models must have some important characteristics: “a deep analysis of the corporation; the ability to find the risky areas for the different types of crimes and ways to hinder illegal acts, keeping in mind the history [re judiciary] of the company and the characteristics of other companies that operate in
the same sector. The model has to determine what moments in the company’s life are exposed to the risk of crimes, study specific procedures to use in those moments that allow for effective control, and use preventive controls and specific protocols to plan the company’s decision making. The [program] must guarantee the autonomy, independence and professionalism of the controlling body; adopt tools to make accountability transparent; and ensure that managers and employees know, understand and
apply the model. It must create a disciplinary system that is able to sanction violations of the model. It must follow the corporation’s changes updating the model as soon as the risk structure evolves.” (Trib. Milano, Uff GIP, ord 9-20-2004, Guide Secchi, IVRI holding-COGEFI).
In another decision, also from 2004, the Court of Milan affirmed that “Effectiveness, specificity and dynamism are structural characteristics of compliance programs. The effectiveness of a model depends on its
concrete fitness to create decision mechanisms able to eliminate or at least to diminish significantly the risky areas, to punish offenses, but also to identify the risk areas and the wrongdoing areas. Absolutely necessary is the total transparency of the balance sheets; without it the model would be ineffective and would be only a conventional recommendation to respect the ethical code of conduct.” (Trib. Milano, sez. XI Giud. Riesame, Pres. Rel. Mannocci, ord. 10-28-2004, Siemens AG).
A model found ‘unfit’
In this case the Court found the company’s model unfit, because there were “reserved” (i.e., hidden) accounts, because the corporation used a foreign intermediary as a screen of the origin of payments and of their periodicity, and finally because the corporation did not co-operate and had not controlled its employees nor sanctioned them.
In 2003 the Rome Trial Court listed some necessary requirements
of the organizational models. It stated that “The compliance program cannot be considered able to prevent crimes when: It doesn’t specifically address the corporation’s area where the crime for which the corporation is currently prosecuted was perpetrated; it doesn’t ensure effective autonomy and independence of the controlling body; and, it doesn’t state that only a qualified majority of the board of directors can modify it.” (Trib. Roma, Uff. GIP, ord. 4-14-2003, Giud. Finiti, Soc. Finspa).
Structure of the supervising body
Another critical aspect of the construction of the models seems to be the structure and the composition of the supervising body. The same decision by the Rome Court stated that: “The controlling body must not have management functions because otherwise, being part of the decision-making process, it would lose the neutrality necessary to perform effective controls. It is better that the body
is not composed of members of other bodies of the corporation. It is possible to put in the controlling body external consultants. If the corporation has large dimensions, the body must be collegial. It is necessary that the body assures a continuity of action and that it focuses only on the surveillance of the concrete enforcement of the model.”
Finally, in a decision that was criticized by some academic scholars, a court stated that the new body of law can be applied also to foreign
companies (German-based Siemens AG, in that case): “Decree no. 231/2001 applies to foreign juridical entities operating in Italy too. It doesn’t matter whether the foreign country has a similar corporate liability system or not.” (Trib. Milano, Uff. GIP., ord. 4-27-2004, n. 950, Est. Salvini, Siemens AG).
Moreover, the re-examination of the decision (Giud. Mannocci, quoted earlier) concluded: “Whoever operates in Italy—individual or corporate entity—has to respect Italian law. Here an
administrative offense is imputed to a foreign corporation connected to a crime made in Italy. The jurisdiction is Italian, even if the corporation adopted a compliance program in a foreign context. If a corporation does not adopt a compliance program, it is not per se illegal. Its relevance is on the corporation’s culpability.”
Understanding the impact of No. 231
To understand the impact of Legislative Decree No. 231 it is
important also to take a look at some empirical data. The first survey on the adoption and realization by Italian corporations of the organizational models regulated by 231 was conducted by the “Auditing e Controllo Interno” Master of Pisa University, together with the “231 Area Committee” of the Associazione Italiana Internal Auditor. The sample considers 97 listed companies that were interviewed and submitted a written form at the end of 2004.
The survey showed that 59 percent of the
97 companies adopted a compliance program, that 25 percent were currently adopting one, and only 16 percent had no program or current plans to adopt one. The large majority of the companies that operate in the financial and utilities sectors had adopted a model. It is worth noting that all of the companies said they followed the guidelines prepared by trade associations.
The most frequent element in the models is the risk analysis of the areas most exposed to the commission of crimes.
Ninety five percent of the companies follow these steps:
- •Identifying the business activities potentially exposed to the “231 risk.”
- •Surveying and analyzing existing controls in these areas.
- •Identifying possible gaps.
- •Defining the actions necessary to fill the identified gaps.
characteristic of the compliance program is the ethical code. In conforming to the rules of Decree No. 231 many companies have reviewed their ethical codes and codes of conduct, often adding specific rules about the relationship with the public administration (meaning anti-corruption issues).
Seventy percent of the companies’ models have specific information and reporting flows towards the controlling body. Only about a half of the sample has started a specific informative
activity—meaning training—to explain the 231 rules and the corporate compliance program to employees.
Surprisingly—given the importance of this characteristic—only 38 percent of the sample has created a specific disciplinary system.
Regarding the type and composition of the supervising body, 68 percent of companies chose a collective body. Thirty-two percent preferred a body composed of representatives of only one function (which is—in 7 percent of the cases—the responsibility
of the internal audit function). Of the collective bodies, the composition most typically involves Internal Audit (75 percent of companies), members of the Committee for the Internal Control (40 percent), and the board of auditors (‘collegio sindacale’) (18 percent).
Less frequently members of the Legal Division and of the Human Resources Division are involved (19 percent and 7 percent of the cases, respectively). External consultants appear only in the collective bodies, and there
only in 12 percent of the cases. Usually these consultants are legal experts or persons who have or had institutional roles in the company.
It is also clear that the drafting of the compliance program requires multidisciplinary skills. Internal Audit is the function most frequently involved (69 percent), followed by the Legal Department (56 percent) and Human Resources (37 percent). But it is also quite common to utilize external consultants (57 percent) because the internal structures
can lack the necessary competencies and it’s often necessary to have an independent and professional evaluation of the program and of its adoption process.
A study of 72 companies
A more recent study, conducted again by the 231 Area Committee of the Italian Internal Auditor Association (together this time with Ernst & Young) and released April 12, 2006, showed some other interesting data. Seventy-two companies, both
listed and not listed, from a variety of economic sectors were involved. Twenty-five of them were lending institutions or financial intermediaries, eleven were insurance companies, sixteen were industrial companies, sixteen utilities and four were in the media/telecommunications sector.
Eighty-two percent of the sample had adopted a compliance program, and 91 percent of these companies has or is developing a specific ‘231’ supervision activities program. Regarding the composition of
the controlling body, the results of the previous survey seem to be substantially confirmed, with a majority of collective bodies including a high presence of the Internal Audit function.
What is probably the most interesting finding in this study is that companies have adopted a compliance program mostly to prevent crimes with regard to the Public Administration (corruption, first of all), and only afterwards have some of them extended the programs to “corporate crimes.” This is
perhaps due to the fact that corruption prosecutions can lead to a complete suspension of business activity.
For other types of offenses (e.g. “corporate crimes”) the maximum penalty is a fine of 1.5 million Euros, not a large sum for a major corporation.
It is not yet clear how companies feel about the compliance program requirement of Legislative Decree No. 231. On one hand, the potential liability is alarming for a company because of the seriousness of the potential
sanctions and the harm to its reputation. The compliance program can help avoid or mitigate a conviction, so it is seen as a useful tool.
On the other hand, such programs are also seen as an invasion of the freedom of organization, and an intrusion by the criminal law system. One must keep in mind that the liberty of private economic initiative is protected by Article 41 of the Italian Constitution. Also, the movement towards ethics that arose out of the recent corporate scandals—that
spurred companies to develop ethical codes, compliance programs, and corporate social responsibility initiatives—is sometimes viewed by the public and investors simply as corporate advertising. It doesn’t reflect a serious commitment to ethics and compliance, in this view. It is still too early to say whether this “carrot and stick” approach will prove an effective deterrent to business crimes.
That said, Italian corporations are today more conscious about the risk involved in the
commission of crimes, and this—together with fall-out from the recent corporate scandals—is hopefully shining a new light on the importance of ethics in business.
Francesca Chiara Bevilacqua is a Ph. D. candidate in Law of Business and Commerce at Bocconi University in Milan, Italy (firstname.lastname@example.org).
Reprinted from the November/December 2006 issue of ethikos
© 2006 Ethikos, Inc. All rights reserved.
[Return To Selected Articles]