Liability for risk and compliance management in Japan

Liability

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

The Companies Act imposes an obligation on directors to exercise the duty of care of a prudent manager (also known as a ‘fiduciary duty’) in the management of their company, which requires that directors act with the level of care that is normally expected to be taken by a person in the same position and, if relevant, with the same expertise as the director - the duty is owed to the company. The duty of care could be interpreted to include a (compliance) duty to organise the managed business (including its controlled subsidiaries) in such a way so as to ensure adherence to all applicable laws so far as is reasonably possible. In order to comply with these duties, directors should familiarise themselves with background information, such as the company’s size and business type, and the occurrence of previous scandals, etc, and the occurrence of misconduct or violations by other companies in the same business.

The relationship between a company and its managers (persons other than directors exercising management functions and with authority to bind the company) is one of entrustment and employment, the managers therefore owing a duty of care to the company. The liability of officers is almost the same as that of directors (see above), though managers are usually appointed as the head of an office or branch office, and their powers and liability are limited to such office.

If a director, officer or manager suspects that an employee has engaged in an unlawful activity, he or she must take action to prevent the offence, and to prevent similar cases of non-compliance from occurring in the future by testing the effectiveness of the existing compliance programme, and adopt adequate improvement measures and controls if required. It is the responsibility of management to determine what constitutes an adequate and effective compliance programme. It was noted in a judgment that ‘what should be included in the development of a risk management system is a matter of business judgment, and it should be noted that directors are given broad discretion thereover for their expertise in company management.’ The board of directors must continuously review whether or not an existing internal control system is still appropriate and operating properly, and any deficiencies must be corrected in a timely manner. Establishment of an internal audit department, on-site audits and a whistle-blower system, and monitoring of reporting of unfair acts are some of the means to determine whether or not an internal control system is functioning properly.

Senior employees are also obligated to monitor internal control systems, but are not liable for any failure to develop appropriate internal control systems.

Although the Companies Act does not clearly specify the duties owed by directors of parent companies with respect to management of subsidiaries, there are provisions in the Banking Act based on the assumption that bank holding companies are authorised and obligated to manage and control their subsidiary banks.

Do undertakings face civil liability for risk and compliance management deficiencies?

An undertaking would only face civil liability for a risk or compliance management deficiency if the deficiency gave rise to a claim under another head, for example, tort.

A company may be liable under civil law for compliance violations resulting from torts committed by its employees or persons acting in its name. Essentially, a company is liable for the acts of its employees and directors while they are acting in the course of their employment or performance of their duties. A company is also liable for the acts of its agents when they are acting within the scope of their authority unless the company or its directors exercised reasonable care in appointing the agent or in supervising the business, or if the damages could not have been avoided even if the company or its directors had exercised such reasonable care.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Although Japan does not have a separate body of administrative law as is found in some civil law European jurisdictions, administrative actions may be taken pursuant to the specific law to which the breached compliance obligation relates.

Where an activity of a company is subject to regulatory oversight, and the applicable law provides regulators with enforcement powers, the relevant authority is often entitled to impose sanctions, including fines.

Where a company listed on the TSE has made false statements in securities reports or other sources, or where auditors, etc, of the company express, for example, an adverse opinion in audit reports and the TSE deems that ‘improvement of the internal management system, etc, of such listed company is highly necessary’, then the TSE may designate the listed stock as a security on alert. If the internal management system is not improved within the prescribed period, or the TSE deems that improvement is not expected (ie, no steps are taken for fact-finding, no policies considering preventative steps are disclosed, or the proposed policies lack practicability), then the company will be delisted.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Corporate criminal law does not exist in the Japanese legal system, as only natural persons may be subject to criminal prosecution under the Penal Code. A company can, however, be subject to criminal fines under a number of other statutes, for example, the Anti-monopoly Act, the Companies Act and the Labor Law.

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

The Companies Act stipulates that if a director, accounting advisor, company auditor, executive officer or accounting auditor of a company neglects their duties (such as their implied duty to develop and monitor internal compliance systems), they shall be liable to the company (but not its shareholders) for any resulting damages. And if a director knowingly breaches their duties, or is grossly negligent in performing them, they shall be liable to any third party (including shareholders in the company) suffering loss as a result. A director (but not the other officeholders mentioned above) may be released, in whole or in part, from their liability to the company (but not to third parties) for breach of duty on a case-by-case basis, the basis of this release depending on whether the director acted with wilful misconduct or was grossly negligent. If the director acted with wilful misconduct or was grossly negligent, shareholders’ unanimous approval is needed for such a release; otherwise, a partial limitation of liability may be available under the company’s articles and the Companies Act, though there is a minimum liability in some cases.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

No specific or ‘catch all’ administrative liability exists for directors, officers or managers of a company that fail to supervise a subordinate, or to put adequate supervisory processes in place. However, such failures may violate specific legislation, depending on the nature of the business and the act or failure in question, and could give rise to third-party claims.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Persons are criminally liable if they commit criminal offences themselves or if the criminal offence arises from their actions, for example, when they instruct others to commit a criminal act or otherwise contribute to it. A director’s breach of the duty of care owed to their company (see question 10) does not, in itself, give rise to any criminal liability. As there is no catch-all risk and compliance management obligation at law, there is no related criminal liability.

Specific legislation may impose criminal sanctions for certain acts that are compliance-related; for example, the Anti-monopoly Act imposes criminal fines on representatives of companies who have failed to take necessary measures to prevent certain acts (such as not complying with regulatory orders), despite their knowledge of an intention to commit such acts, or who have failed to take necessary measures to rectify such acts despite their knowledge of them.