Compliance a legal obligation?


The debate about whether implementing and enforcing a compliance programme is a general legal obligation is nothing new. Compliance is a tool for managing an organisation’s operational processes, preventing wrongdoing, and mitigating liability. For this reason, it is an element of the duty to exercise due diligence, with penalties not only of a criminal nature.

Under current law, there is no overall, systemic obligation to introduce and enforce compliance programmes, although the origin of the debate on this topic could be the currently applicable Corporate “Criminal” Liability Act. Under this act, inappropriate organisation of a firm’s activities, due to failure to exercise due diligence required in the context in question, and a failure to exercise due diligence when selecting or monitoring persons acting on behalf of or for the company, is grounds for corporate liability.

Regardless of whether it is considered obligatory to introduce a structural compliance programme encompassing every area of the organisation’s activities, the law requires implementation and enforcement of the essential procedures ensuring regulatory obligations are duly complied with in particular areas of activity. In certain cases, these obligations may extend to other jurisdictions. With increasing frequency, compliance procedures are also an element of assessment of the prudence required when determining criminal liability.

New Corporate Liability Act

The Corporate Liability Act now being drafted retains the prerequisite for culpability both in selection, and in monitoring, and in the organisation. It also states at the same time the events in a corporate organisation that will be found to constitute wrongdoing, being grounds for culpability, and further, corporate liability.

The legislative proposal identifies the following as wrongdoing:

  • not having procedures in place in the event of an offence being committed or principles of prudence not being observed,
  • failure to properly define boundaries with regard to responsibilities and skills within an organisation, among the bodies of the organisation, particular organisational units, and personnel,
  • failure to appoint an officer or organisational unit responsible for monitoring legal compliance within the organisational and proper functioning of the organisation,
  • not having in place procedures for monitoring and responding effectively in cases of wrongdoing.

At the same time, these are examples, and do not constitute an exhaustive list. This places the burden of responsibility for correct measures to prevent wrongdoing on the corporate entity, and this includes in an anticipatory sense as well.

Meanwhile, the examples of wrongdoing defined in the proposal give rise to obligations of specific conduct for corporate entities. In the context of possible proceedings against a corporate entity, these could serve as defence against alleged liability and a penalty.

Another major obligation under the proposal concerns establishing a system for whistleblowers to report wrongdoing, and conducting inquiries. If inquiries are not conducted and wrongdoing not remedied, and the reported wrongdoing results in commission of an offence, these could be grounds for more severe penalties, potentially even leading to a penalty that is twice as severe.

The vague manner of formulation of the grounds for liability and the types of wrongdoing that can lead to liability if an organisation fails to prevent them, leave a hazy picture of the intended new laws. For this reason, the means of preventing wrongdoing in an organisation should be an all-embracing system of formal principles and rules applicable to all of the organisation’s areas of activity and aligned to its specific nature. This system has to be duly implemented and applied. This can be achieved precisely by putting in place a compliance programme.

Also, as a compliance programme is intended to prevent wrongdoing occurring and mitigate the risk of legal liability, perhaps the compliance programme should be the standard for the proper running of a business in the maze of legal requirements, often of a cross-border nature.

Current requirements

In current laws, obligations abound for businesses operating in particular sectors, and are usually formulated as a requirement to assess risk, anticipate possible breaches of law and of other parties’ rights, and to create response procedures.

Important examples are data protection regulations (GDPR), protection of IT infrastructure against cyberattacks that limit or prevent services being rendered that are essential to the public (the Cybersecurity Act), AML regulations, insider trading prevention requirements, and obligations to declare tax structures.

Laws in effect in other jurisdictions, which sometimes cross jurisdictions, are also important. This occurs even if a Polish business only conducts a portion of its operations in a country in which prevention obligations apply, or the business is part of a capital group in which the parent company is based in that country.

One example of regulations of this kind is anti-bribery laws, such as the UK Bribery Act, which defines the offence of failure to prevent bribery occurring, and the French Sapin II. The latter requires anti-bribery programmes to be implemented and enforced in firms with a headcount of 500 or more and annual turnover in excess of EUR 100 000 000, where administrative penalties apply for non-compliance (information about this act can be found here – article of June 2017 and here – article of January 2018).

Rules on compliance with laws and ethics concerning prevention of slavery, human rights, and human trafficking also extend across jurisdictions. Once again, UK law (the Modern Slavery Act) and French law (Loi sur le devoir de vigilence des sociétés mères et des sociétés donneuses d’ordre) are at the forefront.

Practice of law enforcement agencies

Law enforcement agencies are taking more and more interest in the proper organisation of decision-making processes and in the correct running of businesses. In abuse of trust cases, it is being stated more and more explicitly that failure on the part of management board members to monitor correctly (monitoring culpability) decision-making processes that have implications for a business’ assets is grounds for potential liability. In cases of fiscal offences, under guidelines on verification of business counterparties and prevention of involvement in carousel fraud, law enforcement agencies have stated clearly that an officer has to be appointed to monitor supply chains because this is an organisational element of prevention of fiscal offences.

In addition – despite possible variations in legal requirements – effective compliance is also assessed in multijurisdictional criminal cases. One recent case involved a Swiss bank and a subsidiary based in France, which faced charges in a French court of obtaining customers unlawfully and laundering funds gained through tax avoidance. One fact that led to the bank being convicted in the first instance, and a fine of a record EUR 3.7 m, was antiquated organisation and ineffective in-company procedures concerning marketing practices in France. In its assessment of the ineffective in-company procedures, the French court considered a failure to document provision of information about the adopted procedures, lack of disciplinary penalties for not complying with them, and a failure to monitor compliance.

Remedy – all-embracing compliance programme

Structural compliance, covering all areas of a business’ operations, may be considered in terms of the future, as the new Corporate Liability Act was still being drafted at the time this article was produced. Taking into account however Poland’s international commitments and objections raised for example by the OECD with respect to the current corporate criminal liability system in place, it is highly likely that the law will be passed and take effect.

It would therefore not be advisable to wait until measures are taken in direct response to prosecution. Even if all-embracing compliance programmes are not a legal requirement in themselves, they can be an important tool in managing an organisation’s operational processes, and enable due conformity to legal obligations. A compliance programme can be of additional help when demonstrating due diligence on the part of a company. This is often a factor determining civil, administrative, and criminal liability.

Aleksandra Stępniewska, adwokat, Business Crime practice, Wardyński & Partners