The potential corporate criminal liability of gaming operators/suppliers is a hot topic at the moment in Italy for both Italian and foreign gambling entities.

The Italian corporate criminal liability regime

Italian law provides a regime of corporate criminal liability and sanctions in the event that the directors/managers/employees commit certain types of crimes in the interest of, and or to the advantage of, their companies (or group companies). In this context, the activity of gaming operators that

  • offer their games under a public gaming license;
  • are monitored by the Italian gaming authority, AAMS, and
  • communicate the data relating to gaming transactions through the protocols of communication to AAMS’ servers

creates the risk of commission of, among others, the crimes of

  1. corruption and bribery,
  2. misappropriation to the detriment of the State,
  3. informatics fraud (e.g. in case of notification of erroneous data to AAMS through the protocols of communication or installation of malware on the player’s pc) which includes also liabilities for a cybercrime,
  4. money laundering (also because Italian licensed operators shall comply with Italian AML law even if they are foreign entities) and
  5. breach of intellectual property rights.

Therefore, in the scenarios above, the personal criminal liability of the individuals that commit the crimes is in addition to the corporate criminal liability of the company itself.

Cybercrime liability after the EU Data Protection Regulation

I have already discussed about the massive fines that will be soon provided by the EU Data Protection Regulation. But, in addition to such fines, in case of data breach due to a cyber attack (i.e. unauthorized access to information systems), gaming operators will

  • have to notify the data breach to both the privacy regulator and the individuals whose personal data is affected by the data breach/cyber attack who in turn can bring a claim for damages; and
  • risk potential corporate criminal liabilities which not only triggers fines up to € 1,500,000, but also the termination/suspension of public licenses, including gaming licenses.

It is an issue also for foreign gaming operators/suppliers

These corporate criminal liability risks are relevant also for foreign online and land-based operators holding an Italian gaming license as well as suppliers. Italian law applies to crimes committed in Italy and such circumstance is met if

  • either the action or the omission that constitutes the crime is entirely or even partially committed in Italy;
  • or if the event or action occurs in Italy.

Therefore even if the action/omission (or part of it) is performed abroad such conduct can trigger the applicability of the Italian criminal liability regime if it triggers an event occurring in Italy.

How to limit such liability risk?

The sole available defence against potential corporate criminal liabilities is to adopt an internal corporate model of organisation and management of the company (or of the group if more companies are involved) aimed at preventing the commission of crimes:

  • identifying the potential risky areas/persons and their modalities of operation;
  • implementing an appropriate internal monitoring system to exclude/limit the potential risks; and
  • appointing an Audit Entity that shall monitor the proper adoption of the model.

The implementation of a corporate model of organisation and management places the company in a stronger position. The company will be able to prove to have adopted any possible defence against liabilities and that the criminal conduct is just the result of the misconduct of a few individuals who by-passed the internal controls.