Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

Members of governing bodies and senior management have several responsibilities regarding risk and compliance. First, governing board members have responsibility for compliance programme oversight. This means that board members must ensure that the compliance programme is effective, designed to mitigate compliance risks and that it has sufficient resources to prevent, detect and respond to potential misconduct. Second, board members must hold both senior management and those responsible for the compliance programme accountable to implement the programme. Board members also must establish a ‘tone at the top’ that demonstrates to employees and external parties that the organisation expects all who are associated with it to act properly and in accordance with applicable laws and regulations as well as organisation policies.

With regard to senior management, the expectation is similar to that of members of the governing body. Senior management should ensure that the compliance programme has the resources and capabilities to implement a programme that prevents, detects and responds to potential misconduct. Senior management also has an obligation to demonstrate support for compliance through tone at the top. This requires management to show by verbal communication and their actions that they require all employees to act in a compliant way and that misconduct will not be tolerated. This tone can be demonstrated through written and verbal communication to employees by email, in other written communication, through presentations at meetings and through one-on-one interactions where employees are encouraged to only conduct business ethically and in accordance with applicable laws and organisation policies.

Additionally, certain sector-specific laws may set forth compliance obligations for members of senior management, such as certifications of accountability or certifications of the accuracy of required government filings. Case law in certain areas, such as pharmaceutical and medical device regulation, suggests that senior managers can be held vicariously accountable for regulatory violations committed through acts or omissions of junior employees or the corporation as a whole.

Do undertakings face civil liability for risk and compliance management deficiencies?

Organisations that engage in misconduct involving compliance obligations under law face potential civil liability, which could include fines, disgorgement of gains, restitution and debarment from participating in government programmes. Liability occurs from a violation of applicable law, or regulation, as opposed to a violation of a compliance programme requirement. For example, civil liability could occur if an organisation fails to obtain a required permit, but civil liability would not occur if an organisation’s employee failed to follow a policy requiring a permit to be obtained.

In addition, organisations may face the risk of civil liability from private litigants who may claim that the organisation failed to fulfil its obligation to manage risk through a compliance programme, resulting in a loss of value to an investor who would not have experienced the loss if the programme had been managed effectively. These private legal actions may result in added defence costs as well as judgments or settlements, depending on the facts of the underlying matter.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Administrative or regulatory action may result in being debarred from conducting business with government entities, restrictions or suspension of a license, or fines associated with the underlying conduct. The nature of the action that could be taken is a function of the requirements of the underlying administrative provisions or regulations that specify the consequences of the violation. If an organisation has settled an enforcement action, compliance obligations may be required to be undertaken as part of the settlement agreements. Failure to meet the settlement obligations relating to compliance may result in fines or penalties. For example, an organisation may have committed as part of a settlement to conduct annual training on compliance topics. Failure to complete that training obligation may result in administrative or regulatory action, including fines or penalties. In some heavily regulated industries, courts have interpreted certain laws as authorising sanctions if senior management fails to prevent violations, they are presumed to have known about by virtue of their position in an organisation. US public health laws, such as the Federal Food, Drug and Cosmetic Act, and environmental laws, such as the Clean Water Act, are examples of laws that have been applied broadly in such circumstances.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Criminal liability may occur for violations of applicable law. This liability may occur, for example, if the conduct violates a law such as the Foreign Corrupt Practices Act, which prohibits the payment of bribes to non-US government officials to obtain an improper advantage, and the Anti-Kickback Statute, which prohibits domestic bribery in the healthcare sector where federal healthcare programme dollars are involved. Payment of a bribe would result in criminal liability for the payer under both laws. Organisations that face criminal liability, however, do so based on the underlying law rather than the failure to maintain an effective compliance programme.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Those who participate in the underlying misconduct run the risk of civil liability. Generally, however, without the active involvement of governing body members or management in the misconduct, the risk of personal liability is low. Liability could occur, however, if private litigants establish that management failed in its oversight duties in a securities law action or if, as part of a government-negotiated settlement, management makes representations about the compliance programme that are later determined to be incorrect.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

In general, members do not face the risk of administrative or regulatory consequences for compliance programme management issues. Risk could occur, however, if members participate in the underlying misconduct or undertake specific obligations regarding compliance as part of a government settlement and fail to fulfil those obligations.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

If members of governing bodies and senior management participate in the underlying criminal misconduct, there may be liability. If there had not been active involvement in criminal misconduct, the risk of criminal liability to board members and senior management for failing to implement compliance programme obligations is low.

Law stated date

Correct on

Give the date on which the information above is accurate.

12 February 2021.