Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

Members of governing bodies and senior management have several responsibilities regarding risk and compliance. First, governing board members have responsibility for compliance programme oversight. This means that board members must ensure that the compliance programme is effective, designed to mitigate compliance risks and that it has sufficient resources to prevent, detect and respond to potential misconduct. Second, board members must hold both senior management and those responsible for the compliance programme accountable for implementing the programme. Board members also must establish a ‘tone at the top’ that demonstrates to employees and external parties that the organisation expects all who are associated with it to act properly and in accordance with applicable laws and regulations as well as organisation policies.

With regard to senior management, the expectation is similar to that of members of the governing body. Senior management should ensure that the compliance programme has the resources and capabilities to implement a programme that prevents, detects, and responds to potential misconduct. Senior management also has an obligation to demonstrate support for compliance through tone at the top. This requires management to show by their words and their actions that they require all employees to act in a compliant way and that misconduct will not be tolerated. This tone can be demonstrated through written and oral communications including at meetings, by email, and through one-on-one interactions where employees are encouraged to conduct business ethically and in accordance with applicable laws and organisation policies.

Additionally, certain specific laws may set forth compliance obligations for members of senior management, such as certifications of accountability or certifications of the accuracy of required government filings. Case law in certain areas, such as pharmaceutical and medical device regulation, suggests that senior managers can be held vicariously accountable for regulatory violations committed through acts or omissions of junior employees or the corporation as a whole.

Do undertakings face civil liability for risk and compliance management deficiencies?

Organisations that breach compliance obligations under law face potential civil liability through government enforcement actions. This liability could include fines, disgorgement of gains, restitution, and debarment from participating in government programmes. Liability of this nature typically would result from a violation of applicable law or regulation, as opposed to a violation of a purely internal compliance programme requirement.

In addition, organisations may face the risk of civil liability from private litigants who may claim that the organisation failed to fulfil a contractual or other obligation to manage risk through a compliance programme. For example, an investor may claim a loss of value that would not have been experienced if the programme had been managed effectively. These private legal actions may result in added defence costs as well as judgments or settlements, depending on the facts of the underlying matter.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Administrative or regulatory action may result in being debarred from conducting business with government entities, restrictions on or suspension of a licence, or fines associated with the underlying conduct. The nature of the action that could be taken is a function of the requirements of the underlying administrative provisions or regulations that specify the consequences of the violation. If an organisation has settled an enforcement action, compliance obligations may be required to be undertaken as part of the settlement agreements. Failure to meet the settlement obligations relating to compliance may result in fines or penalties. For example, an organisation may have committed as part of a settlement to conduct annual training on compliance topics. Failure to complete that training obligation may result in administrative or regulatory action, including fines or penalties. In some heavily regulated industries, courts have interpreted certain laws as authorising sanctions if senior management fails to prevent violations, since the senior managers are presumed to have known about them by virtue of their position in an organisation. US public health laws, such as the Federal Food, Drug and Cosmetic Act, and environmental laws, such as the Clean Water Act, are examples of laws that have been applied broadly in such circumstances.

Do undertakings face criminal liability for risk and compliance management deficiencies?

As a general matter, a company can be held criminally liable for the illegal acts of its directors, officers, employees, and agents. Various laws also specifically provide for corporate criminal liability. Examples of such laws include the Foreign Corrupt Practices Act, which prohibits the payment of bribes to non-US government officials to obtain an improper advantage, and the Anti-Kickback Statute, which prohibits domestic bribery in the healthcare sector where federal healthcare programme dollars are involved. Organisations face criminal liability based on the underlying law rather than a general failure to maintain an effective compliance programme.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Those who participate in the underlying misconduct run the risk of civil liability. As a general matter, the more active the involvement of the individual in the misconduct, the greater the risk of personal liability. However, the relevant standards for civil liability can vary, depending on the law in question. Members of the governing bodies and management of publicly traded companies are often indemnified pursuant to the corporation’s bylaws, but that indemnity is not unlimited, and it is possible that officers and directors could face liability from private litigants under securities laws, for example. Personal liability also may flow from a government-negotiated settlement, if management’s conduct is considered egregious or if management makes representations that were known to be false at the time they were made. 

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

In general, members of governing bodies and senior management do not face the risk of administrative or regulatory consequences for compliance programme management issues. However, such members are at risk if they participate in the underlying misconduct or undertake specific obligations regarding compliance as part of a government settlement and fail to fulfil those obligations.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Liability may result if members of governing bodies and senior management participate in the underlying criminal misconduct. Absent such activity, the risk of criminal liability to board members and senior management for failing to implement compliance programme obligations is low, unless it can be proved that such failure was part of a deliberate plan to engage in criminal activity. However, knowingly false statements about the existence or efficacy of the compliance programme may result in liability.

Law stated date

Correct on

Give the date on which the information above is accurate.

11 February 2022.