A compliance officer (CO) is liable for criminal conduct within the company if the CO can be charged with dereliction of duties and wilfully and knowingly took, or failed to take, action. Liability strongly depends, however, on the contractual arrangement of the CO’s position, which must be assessed on a case-by-case basis.

In respect of civil liabilities, the CO is liable for damages affecting the company or third parties for wilful dereliction of duties. Due to the employee privilege based on the Austrian Employee Liability Act, the CO is not liable for accidents or excusable poor performance.

Criminal liability of the CO

Dereliction of duty under administrative law

In Austria, the potential for a CO’s criminal liability begins at the point where his or her duties and responsibilities have been definitively standardised by law. This is the case in certain administrative regulations, such as in Sec. 18 of the Austrian Securities Supervision Act (Wertpapieraufsichtsgesetz; WAG) and Sec. 82, para 5 of the Austrian Stock Exchange Act (Börsegesetz; BörseG). The administrative law mandates that a company establish a permanent, independent compliance function to ensure compliance with certain WAG or BörseG regulations. The duties, responsibilities, and functions of the CO must therefore be circumscribed by the law. They specifically affect the protections afforded to investors and customers, the guidance and information to employees and executive management, quality assurance, and supervisory and reporting duties.

The CO thus assumes a guarantor position as defined in Sec. 2 of the Austrian Criminal Code (ACC). This means that, by virtue of the obligations affecting the CO as standardised in the legal system, he must conduct himself/ herself to avert the successful performance of a criminal act (eg, by a company employee) or to immediately notify executive management of the act. So, the CO may be culpable if, with full knowledge of an employee’s criminal act within the company, the CO does nothing. To avoid criminal liability, the CO must at a minimum report the criminal act to executive management.

Liability for violation of the anti-corruption and cartel law

If a CO is exclusively responsible for the areas of anticorruption and/or antitrust, then the guarantor role of the CO is debatable. Anti-corruption and antitrust are legal domains in which Austrian legislators have imposed no obligations on companies to take active measures for preventing criminal acts or cartel-related infringements. If the company assigns compliance duties and responsibilities to the CO for adherence to the anti-corruption and cartel law, then this is predicated on the voluntary discretion of the company, without a legal obligation existing to do so. At this time, Austria’s legal position merely intends to mitigate or dispense with the company’s penalty or liability if a CO within the company is able to demonstrate that suitable preventative measures against such types of legal infringements exist.

Still, the implementation of a compliance programme, together with the installation of a CO, is recommended,from both the legislature and the doctrine and jurisprudence.

Thus, the law does not govern whether the CO is accorded a guarantor role in the area of anti-corruption and anti-trust. As of yet, no Supreme Court ruling exists on this issue. From the doctrinal standpoint, the employment contract or description of duties may give an indication of the guarantor role, because these documents set forth the duties, responsibilities and authorities of the

CO. In this respect, it is essential that the CO has in fact assumed these assignments.

The following attributes are indicative of the CO’s guarantor role:

  • an express circumscription of any conduct subject to penalty, which the CO must counteract;
  • the authorities to issue directives and commands to company employees;
  • the authority to enforce disciplinary action against
  • employees;
  • inspection, access, and informational rights;
  • a contractually defined disclosure obligation towards a supervisory body or penal authority;
  • special reporting duties to executive management.

From a practical viewpoint, the CO’s guarantor role must be assumed if the general responsibilities are agreed as follows:

  • assess legal compliance risks and advise on compliance matters;
  • conduct internal compliance audits;
  • ensure proper reporting of violations;
  • act as an independent review and evaluation body, to ensure that compliance issues are being appropriately evaluated, investigated, and resolved;
  • respond to alleged violations of legal standards, regulations, and laws;
  • respond to queries, detected offenses, develop corrective action, and report findings;
  • decide together with other senior managers on consequences of accountability violations.

If a CO who is tasked with preventing corruption within the company, and who is assigned a guarantor role accordingly, intentionally fails to act, despite having knowledge of the practice of gift-giving to officeholders, then such failure could lead to a punishable accessory involvement through omission in the prevention of bribing officeholders (Secs. 12, 307 ACC). The same would apply to knowledge of arrangements in the granting of contracts that would impede competition (Secs. 12, 168b ACC). In this respect, it suffices that the CO seriously considered the realisation of a criminal act to be possible and yet accepted it.

As to the impunity of the CO, in general terms, it should be sufficient that the CO has met his or her reporting and notification duties towards the executive management bodies or another superior (provided that the CO has knowledge of a punishable incident at the company and the taking up of such matters would fall within his or her sphere of responsibility).

This matter should not be influenced by the question of whether the CO has effectively prevented the occurrence of an offence. Determinative is whether, depending on the CO’s training and prior knowledge of the matter, the CO bears any culpability because he or she misjudged an incident within the company and therefore did not meet the notification duty.

In sum, a CO’s liability largely hinges on the contractual arrangement between the employer and the CO. All contractual amendments or new arrangements of the CO’s activities and duties as CO should thus be assessed individually.

Civil liability of the CO

Compensatory damages by the CO to the employer or third party must be judged according to the general principles of the Austrian Employee Liability Act (Dienstnehmerhaftpflichtgesetz; DHG). Accordingly, the CO is not liable for excusable poor performance or for oversight (employee privilege). The employer may not, therefore, take recourse against the CO if a third party is asserting a claim against the employer.

The court may mitigate damages caused by minor or gross negligence by the CO.

A criminal conviction of the CO due to intentional accessory acts to a criminal action frequently serves as the basis for employer or third party damages claims. In the event of negligence, the above-described privilege does not benefit the CO under the DHG: the CO is fully liable.

In the event of liability towards third parties, it is also significant whether the CO has omitted or resorted to certain measures with the mutual agreement of superiors that ultimately led to third party damages.

The compliance officer may be culpable if, with full knowledge of an employee’s criminal act within the company, he or she does nothing. To avoid criminal liability, the compliance officer must at a minimum report the criminal act to executive management.