The Australian Law Reform Commission (the “ALRC”) has proposed a number of reforms to Australia’s federal corporate criminal liability regime. The entire document bears close examination. In this article, we focus on the ALRC’s key proposal to reform corporate criminal liability by the imposition of a form of vicarious criminal liability on the corporation, with a defence available if it can prove that it exercised due diligence to prevent the conduct.

By way of introduction to these reforms, we first look at the background to the ALRC’s proposal, before moving on to examine two other models of corporate criminal liability found in the US and the UK, together with some of the issues these models create.


 In April 2019 the Attorney General of Australia asked the ALRC to review Australia’s corporate criminal responsibility regime. As the ALRC’s Discussion Paper on Corporate Criminal Responsibility (the “Discussion Paper”) notes, this came “at a time of renewed focus on protecting Australian consumers from egregious conduct by corporations and increasing regulation in the area of corporate wrongdoing”. It also followed a number of related reviews that had taken place over the years, including the Final Report of the Australian Securities and Investments Commission (“ASIC”) Enforcement Review Taskforce in December 2017 and the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry in February 20191.

The current federal regime for attributing corporate criminal liability is set out in Part 2.5 of the Commonwealth Criminal Code (found in Schedule 1 of the Criminal Code Act 1995 (Cth)). Unsurprisingly, the prosecution must prove beyond reasonable doubt that the corporations committed the act of the offence and had the requisite state of mind. It is the requisite state of mind that is here addressed – s12.3 of the Criminal code provides that for any offence that requires the offender to have acted with intention, knowledge or recklessness, “that fault element must be attributed to a body corporate that expressly, tacitly or impliedly authorised or permitted the commission of the offence”.

S12.3(2) of the Criminal Code provides an inclusive list of the ways a corporation may have “authorised” or “permitted” the offence. The first two ways required the prosecution to prove that the corporation’s board of directors or a “high managerial agent”2 “intentionally, knowingly or recklessly carried out the relevant conduct, or expressly, tacitly or impliedly authorised or permitted the commission of the offence”. As the Discussion Paper states, this allows criminal responsibility to be attributed to a corporation through the acts of its agents3. However, ultimately it requires the prosecution to “make criminal liability contingent upon individual liability”4. S12.3(2) also included the “novel approach” (as the Discussion Paper accurately describes it) that a “corporate culture”5 existed within the corporation that directed, encouraged, tolerated, or led to non-compliance with the relevant provision. This approach focuses on the corporation as an entity in and of itself and accepts the proposition that a corporation can be held blameworthy through its own practices, policies and procedures.

The Discussion Paper notes, however, that Part 2.5 of the Criminal Code is often excluded from Commonwealth statutes. In fact, the ALRC has found that for the vast majority of offences that are likely to be committed by a corporation, criminal liability is based on the state of mind and conduct of a director, employee or agent6. The majority of statutes reviewed by the ALRC expressly exclude the operation of Part 2.5 of the Criminal Code7. It is also noteworthy that the ALRC states it is only aware of one case in which the corporate culture provisions have been relied upon8.

The lack of one method of corporate criminal attribution has created a level of uncertainty as to the circumstances in which a corporation will be criminally liable. Given that situation and with the opportunity to address the issue with a clean slate, it is unsurprising that the ALRC has looked to consolidate the various methods of corporate criminal attribution and create one approach.

Comparative Analysis

Other jurisdictions around the world have grappled with the problem about how, and whether, to hold corporations criminally liable (see BCLP’s previous article Corporate Criminal Liability – Perspectives from the US, UK and France). Looking at various methods that have been adopted, we can see that there are currently three main models of corporate criminal liability in common law jurisdictions (including the current Australian approach):

  • Vicarious liability
  • Identification / directing mind and will
  • Corporate culture (discussed above)9

Vicarious Liability

Vicarious liability is the attribution method used in South Africa and for federal offences in the USA (developed from the doctrine respondeat superior). For the purposes of this article, we will be focusing on the US approach10.

It ascribes, to the corporation, responsibility for the actions taken by its employees (and certain other individuals) in the course and scope of their employment, where one of the intentions of the individual’s conduct was to benefit the corporation to an extent. It is notable that a corporation can be held liable for the actions of individuals even if they are only acting with apparent authority or are acting counter to express instructions not to engage in the relevant conduct11. There is no requirement that the employee has a specific degree of responsibility or managerial rank. This model is differentiated from the identification model in that it does not ascribe direct liability to the corporation through its own actions.

The US approach is also bolstered by the doctrine of “collective knowledge”. Under this doctrine, the government does not have to demonstrate that a single individual had the knowledge to satisfy the mens rea element of the offence. It recognises the practical difficulties in identifying, in modern companies which often have a complex and disaggregated structure, one individual responsible for all aspects of wrongdoing.

Unlike the Australian proposals, the US has no “due diligence” defence. Instead, corporate compliance programs may be a mitigating factor at both the charging and sentencing stages. This approach has led to criticisms that corporations with effective compliance programs expose themselves to a higher risk of criminal prosecution than those corporations with ineffective or no such programs. It could also create a positive lack of incentive for corporations in notifying, internally and externally, discovery of wrongdoing given that the compliance program that uncovered it would act as no defence to the possibility of criminal liability.

The US approach also provides prosecutors with immense leverage when it comes to negotiations with the corporation. From the moment prosecutors have obtained evidence of wrongdoing by an employee, it becomes a question of when and for how much the corporation will settle, rather than a question of whether it will. While this might be acceptable in some cases, it rankles when the corporation is otherwise blameless. A corporation that has taken appropriate steps (or put in place adequate procedures, to borrow a UK focused phrase) to try to prevent the wrongdoing committed by the individual, should not then be punished just because an individual acted completely contrary to the corporate approach. Employees are not automatons, whose every action can be controlled by the corporation. There should be recognition of this in any approach to corporate criminal liability. As we discuss later in this article, we consider the proposed Australian approach works well in this respect.

Identification / Directing Mind and Will

The identification model has been adopted (with certain variations) by, among others, the UK, New Zealand and Canada. For the purposes of this article, we will be focusing on the UK approach12.

Under the identification model, prosecutors must prove that the most senior individuals of the corporation, who represent the “directing mind and will” had the elements of criminal intent that the relevant offence provides. Should this intent be established then the corporation has direct liability, i.e. the state of mind of those senior individuals is considered the state of mind of the corporation.

This identification model has been the subject of trenchant criticism from both commentators13 and prosecutor14.

From the prosecutor’s point of view, it is much harder to bring a successful prosecution under the identification model compared to the vicarious liability model. This is especially the case in the modern corporate environment in which large companies often have decentralised decision making structures and disaggregated corporate structures. Prosecutors are, therefore, finding it evidentially difficult to link any potential criminal act committed by an employee of the corporation to the directing mind and will.

The identification model also hinges on an outdated idea that corporations can be reduced to the actions and intentions of the directing mind and will – which will often be found on the board of the corporation. While there continues to be academic debate as to the nature of the corporation, arguably given the “reality of modern corporate decision making which is often the product of corporate policies and procedures rather than individual decisions15, a corporation must be seen as an entity whose decision making process cannot be readily reduced to easily identifiable directing individuals but is often the result of a much broader array of inputs.

We have discussed the struggles the identification model has with large corporations. Conversely, the identification principle makes it much easier to convict smaller companies of offences committed by employees, who either are the directing minds of the corporation or report directly to those directing minds. The result is that there is a wholly distorted corporate liability landscape for smaller companies compared to larger companies. As a matter of principle, such a landscape in this important area is entirely unjustifiable.

While the criticism outlined above has been acknowledged by the UK Government16, it has so far resisted reform to the identification model. However, as we have previously pointed out, there has been some “erosion of the identification principle for economic crimes17.

This erosion has come in the form of the Bribery Act 2010 and the Criminal Finances Act 2017. Both of these statutes created new corporate offences of “failing to prevent” bribery / tax evasion respectively. If any person associated (which has a broader meaning than employee) with the corporation (i) pays a bribe to obtain or retain either business or an advantage in the conduct of business, or (ii) facilitates tax evasion, the corporation can be held criminally liable. Crucially, the corporation has a defence in respect of both of these offences if it proves (on the balance of probabilities) it had adequate procedures in place or taken reasonable steps to prevent the offence. This can be seen as analogous to the Australian proposal for a due diligence defence.

We noted above the criticism the UK’s identification model has received from prosecutors, particularly the UK’s SFO. However, prosecutors will always want to make life easier for themselves. A wholesale shift to vicarious liability, which the SFO appears to seek, is undesirable. The very recently published SFO Internal Guidance “Evaluating a Compliance Programme”18, while stressing the obvious importance of proper compliance programs within corporations, appears to do little but repeat the Bribery Act Guidance published in 2011 and will have little or no utility in the corporate liability test under the UK’s present laws. The lessons learnt from the US suggest that the vicarious liability model without any accompanying defence places far too much power in the hands of prosecutors and can result in otherwise blameless corporations (together with their shareholders, employees and customers) being criminally penalised for the actions of a rogue employee acting outside the bounds of company policy and procedure.

The ALRC’s Proposed Changes to Corporate Criminal Liability

The ALRC proposes that:

 “there should be a single method for attributing criminal (and civil) liability to a corporation for the contravention of Commonwealth laws, pursuant to which:

a) the conduct and state of mind of persons (individual or corporate) acting on behalf of the corporation is attributable to the corporation; and 

b) a due diligence defence is available to the corporate”.

Given the uncertainty currently caused by the various different methods of attributing criminal liability (described in the Discussion Paper as a “smorgasbord”19) the ALRC considers that the single method of attribution will simplify and provide certainty for corporations, regulators and prosecutors20.

The Discussion Paper proposes that the conduct of “associates” be attributed to the corporation. Associate is defined as:

any person who performs services for or on behalf of the body corporate, including:

a) an officer, employee, agent or contractor; or

b) a subsidiary (within the meaning of the Corporations Act 2001) of the body corporate; or

c) a controlled body (within the meaning of the Corporations Act 2001) of the body corporate.”

The Discussion Paper states that the broad definition set out above is appropriate to prevent the corporate structure being used to avoid criminal responsibility. In this way it deals with one of the criticisms of the identification model discussed above. The definition is described as one of “substance over form21. When considering whether someone is an “associate” the question will be what is the nature of the relationship between the individual and the corporation rather than the role or title.

The obvious impact of the new approach is that it is going to be much easier to attribute criminal liability to the company irrespective of the culpability of the corporation. This potentially wide exposure to criminal conduct requires a proper counterbalance.

Given the expansive definition of “associate” the proposed defence of due diligence is critically important to the fairness of the new approach to corporate criminal attribution and ensure corporations are not held liable for the rogue actions of such a broad category of individuals connected to the corporation. What is “due diligence”? The Discussion Paper states that “Due diligence is an elastic concept that takes its meaning from the context in which it must be exercised22. Some commentators may suggest that corporations are provided with certainty in respect of the actions they are required to take in order to have performed due diligence. However, that would, in our view, seek to straight-jacket corporations to follow one uniform model and would not take account of the myriad of types of corporations. Just as the UK Bribery Act and the Guidance to the Act specifically does not seek to define “adequate procedures”, so too should due diligence be given an elastic meaning. After all, what is due diligence for a multinational financial institution is not going to be appropriate to a two-man construction company and vice versa.


The ALRC Discussion Paper provides some welcome common sense in an area where common sense has not always been apparent. While we will need to see how the proposals are taken forward, they appear to avoid the pitfalls of the vicarious liability model and the identification model respectively. When considered in the round the proposal is neither too broad in its approach, nor too narrow. It also recognises the important shift over the last few years on considering corporate culture as a meaningful driver in all areas of corporate compliance. Additionally, it carries the inestimable advantages of being understandable, straightforward and just. It represents a positive step forward. We hope that it finds favour with Australian legislators and that other jurisdictions will take note.