Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

In principle, CEOs and executive directors have a duty to establish and maintain an adequate organisational structure for the company, including as regards compliance. Moreover, in many instances, CEOs may be indicted for crimes committed by officers further down the management chain because of the CEO’s position as top executive officer with a duty to be informed about and to supervise the management of the company. Only in specific cases can CEOs demonstrate that they have effectively delegated a function to a lower officer and so be exempt from responsibility. In no case will CEOs be exempted where they have been negligent or shown reckless disregard in supervising. Non-executive directors may similarly suffer severe consequences if they do not supervise the CEOs or do not intervene to eliminate or at least reduce compliance violations.

Although legal entities do not have a strict regulatory obligation to prepare and implement a 231 compliance shield (see question 7), pursuant to case law, directors have a fiduciary duty to minimise the risk of crimes being committed and so, effectively, they are bound to adopt and implement a 231 compliance shield as part of their fiduciary duties.

Do undertakings face civil liability for risk and compliance management deficiencies?

Companies are bound to compensate damages suffered by third parties as a direct result of illegal or illicit actions or omissions attributable to the company (or its directors, managers or employees) as a result of wilful misconduct or simple negligence. In certain cases (eg, data protection laws) a stricter liability regime applies. In any case, damages must have been suffered as a direct and immediate result of the compliance violation (that is, there must be an ordinary causal nexus between the violation and the production of the prejudice whose redress is requested) and the plaintiff has the burden of proof as to the existence and amount of the damage.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Legal entities are jointly liable for payment of fines levied against their representatives or employees for conduct or omissions related to their office or work.

On top of that, Legislative Decree 231 provides for the following administrative sanctions that can be levied directly against a legal entity:

  • pecuniary penalties;
  • disqualifications, such as disqualification from carrying on the whole business, suspension or revocation of authorisations, licences or concessions, prohibition on trading with public administrations, exclusion from grants, loans or subsidies, prohibition on advertising goods or services;
  • confiscations; and
  • publication of the court’s decision in one or more newspapers at the entity’s expense.

In broad terms, banks deemed liable for breaches of rules regarding internal control systems and governance (including those established by the Bank of Italy) are punished with an administrative pecuniary sanction from €30,000 to 10 per cent of their turnover.

Insurance companies deemed liable for breaches of rules regarding internal control systems and governance (including those established by IVASS) are punished with an administrative pecuniary sanction from €5,000 to €50,000.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Even if the adoption of a 231 compliance shield is not considered compulsory by the law (see question 10), failure to adopt a 231 compliance shield, or adoption of an ineffective one, prevents the legal entity from utilising the compliance defence. In that case, the legal entity cannot be exonerated from criminal responsibility, although it can still apply for a reduction of the sanction if it implements a solid 231 compliance shield before the first discussion hearing of the criminal trial commences.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Directors and general managers may be liable for breach of their duties towards their company, the company creditors, single shareholders or single third parties.

Responsibility towards creditors arises if compliance rules safeguarding the integrity of the company’s net assets have been breached and the net assets are consequently insufficient to satisfy the creditors (in practice, when the company has become insolvent). That can take place, for example, when directors illicitly distribute reserves or act in conflict with their company.

Responsibility to single shareholders and single third parties can arise only when they have been directly and specifically damaged (eg, damage that is personal to them and is not the mere implication of damage that affects the earnings of all the shareholders or the rights of all stakeholders).

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Legal entities that, in their capacity as joint obligors, have paid fines levied against their directors and employees generally have recourse against them.

Directors and senior management can receive fines for a broad variety of compliance crimes, including corporate compliance, breaches of data protection rules, insider trading and market abuse, environmental and health and safety violations.

In broad terms, members of administrative, direction and control bodies, as well as personnel of banks, are punished with an administrative pecuniary sanction from €5,000 to €5,000,000 for breaches of the rules regarding internal control systems and governance (including those established by the Bank of Italy) to the extent that their conduct has contributed to the relevant infringements.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

The Italian civil code and the legislation on insolvency and quasi-insolvency of companies provide for a wide range of corporate crimes, including false financial statements, illicit obstruction of mandatory audits and controls, illicit distribution of equity, illicit operations on treasury shares, extraordinary transactions to the prejudice of creditors, conflict of interest, corruption, insider trading and market abuse, and procuring or facilitating insolvency.