In facing anti-bribery and anti-corruption (ABC) challenges, with new layers of ABC legislation being introduced globally, compliance teams—especially those working with international companies—are dealing with ever-increasing regulatory complexity and diversification. Intensifying enforcement focus on corporate wrongdoing in a growing number of jurisdictions means that compliance officers are facing increased levels of scrutiny from regulators and criminal enforcement authorities. In light of this new environment, as well as recent enforcement actions against senior compliance officers, part I of this article provides a brief overview of the state of play of the criminal enforcement risks for compliance officers as well as some of the implications—both practical and legal—for companies and their compliance departments in the U.S., France and the Netherlands. Part II will follow up with the UK, Germany and Ukraine, finishing off with takeaways based on the developments discussed in relation to all six jurisdictions.

U.S.: Continued Action Against Compliance Officers, Particularly in the Financial Sector

There have been no resolved Foreign Corrupt Practices Act-related enforcement actions against compliance officers to date, although the U.S. Department of Justice and Securities and Exchange Commission, the enforcement agencies tasked with enforcing the FCPA, began official proceedings in February 2019 against Steven Schwartz, former executive vice president, chief legal and corporate affairs officer of Cognizant, who was "responsible for overseeing and managing Cognizant's compliance functions." Schwartz was indicted for bribery, books and records, and internal controls violations. Other enforcement agencies, such as the Financial Industry Regulatory Authority and the Financial Crimes Enforcement Network, also known as FinCEN, have taken civil action against compliance officers in money laundering and other financial crimes-related cases as well.

The DOJ and SEC have provided some limited guidance on enforcement against compliance officers. The DOJ's 2015 Individual Accountability for Corporate Wrongdoing memorandum, also known as the Yates Memorandum, identified holding individuals accountable for their wrongdoing as a key priority for both criminal and civil DOJ attorneys. In the memorandum, the DOJ made no distinction as to compliance officers, but later in 2015, then-SEC director of the Division of Enforcement Andrew Ceresney outlined three circumstances in which the SEC had generally brought actions against chief compliance officers:

1. When a chief compliance officer is "affirmatively involved in misconduct unrelated to their compliance function";
2. When a chief compliance officer "engage[s] in efforts to obstruct or mislead the [SEC] staff"; and,
3. When the chief compliance officer has "exhibited a wholesale failure to carry out his or her responsibilities."

The SEC has broadly adopted this position, stating that, although liability determinations are situation-specific, there are situations where liability is clear: "when a CCO engages in wrongdoing, attempts to cover up wrongdoing, crosses a clearly established line, or fails meaningfully to implement compliance programs, policies, and procedures for which he or she has direct responsibility." At the same time, the SEC has also emphasized that enforcement actions against chief compliance officers "generally should not be based on an isolated circumstance where a CCO, using good faith judgment makes a decision, after reasonable inquiry, that with hindsight, proves to be problematic."

Particularly in the financial sector, U.S. authorities have prosecuted a number of compliance officers in the last decade, and, in February, the New York City Bar Association released a report entitled "Chief Compliance Officer Liability in the Financial Sector." The report recommended more guidance on enforcement discretion and argued that the increase in investigations of and enforcement actions against compliance officers can "discourage appropriate activity by compliance officers, isolate compliance officers from other business processes, or, at the extreme, lead individuals to leave compliance roles for fear of bearing liability for the misconduct of others."

As enforcement agencies in the U.S. continue to focus on the prosecution of individuals, compliance officers at U.S. companies or international companies with a U.S. nexus should ensure that they personally and the compliance processes they oversee are living up to enforcement authorities' expectations.

France: Increasingly Exposed, if not Criminally

The absence of a specific regime in French law for holding compliance officers criminally liable for offenses committed on their watch does not stop members of the compliance community from feeling exposed. This widespread concern likely led the French anti-corruption agency (l'Agence Française Anticorruption, or AFA)—which is, albeit, not a prosecuting authority—to issue guidance clarifying that "the sole failure by a compliance officer to discharge his professional obligations" will not lead to criminal liability for corruption which is "in practice … highly unlikely if he limited himself to acting (or omitted to act) within his area of responsibility."

This clarification in reality merely applies the principle in the French penal code that criminal liability, principal as well as accessory, generally presupposes active and knowing involvement in offending. The AFA was nevertheless wise not to exclude completely the possibility of a compliance officer being criminally liable for failings on the job. There are a few examples of successful prosecutions of company directors as accessories for failing to stop offenses of which they were aware and had the power (and responsibility) to prevent. It is not unthinkable that senior compliance officers could be prosecuted on this basis, although no such a case has yet been brought.

Another principle of general French criminal law is worth highlighting because it emphasizes the importance of the institutional independence of the compliance function: Employer instructions are not a defense to a criminal charge. So, for instance, a compliance officer could not escape criminal liability on the grounds that (s)he acted under management instructions.

Prosecutions of compliance officers in relation to offenses by those they supervise will likely remain rare. However, as a recent judgment in an employment matter from the Paris Court of Appeal confirms, incompetence by a compliance officer leading to significant risk exposure for their company is grounds for termination. This is noteworthy because regardless of the low risk of criminal exposure, compliance officers and how they carried out their responsibilities will almost inevitably be a main focus in most corporate criminal investigations. Moreover, although compliance officers do not fall within the AFA's personal regulatory remit, the AFA's regular audits of companies' anti-corruption compliance frameworks subject their work to intense scrutiny. In addition, the AFA is obliged to report suspected criminal activity that it becomes aware of to prosecutors.

So, as French corporate criminal enforcement and regulatory oversight intensify, the likelihood of compliance failings coming to light increases, and those failings are increasingly likely to have consequences, even if not often criminal.

The Netherlands: Increased Focus on Individual Accountability for Corporate Crime

To date, there have not been any criminal convictions of compliance officers for their involvement in misconduct within their company. However, during recent years there has been an increased focus on prosecuting individuals presumed responsible for misconduct in the Netherlands. Under Dutch law, whether or not criminal liability can be attributed to a legal entity depends upon whether the offense can "reasonably" be imputed to the legal entity. This may be the case if the criminal conduct took place within the scope of the legal entity (e.g., if the criminal conduct was committed by an employee or if the conduct fits within the normal business operations of the company).

If criminal liability is attributable to a company, any person who can be considered to have "directed" the criminal conduct as a de facto manager may be held criminally liable as well. Prosecution of the company concerned is not required for the prosecution of such individuals.

To be held criminally liable for a criminal offense attributable to a company, the de facto manager must have had a certain level of knowledge and responsibility to act as well as an awareness of the relevant misconduct, or an appreciation that this conduct could occur without taking appropriate measures to prevent such an occurrence. Given the nature of a compliance officer's activities and responsibilities, it is fair to say that she or he seems particularly exposed to being held liable in the event of allegations against a company.

In 2018, following controversy over a settlement with a major Dutch bank in which it was agreed that individuals involved in the facts concerning the settlement would not be prosecuted, the Dutch Public Prosecution Service announced that such guarantees would not feature in future settlements. In 2019, a legislative amendment was announced (which is likely to be implemented) that would introduce judicial oversight of major (multimillion euro) settlements. In response, the DPPS announced that settlements will in principle only be offered to companies and no longer to natural persons against whom a prosecution will be launched or a penalty order will be issued in case of sufficient proof of misconduct.

As a result, in the near future, it seems unlikely that members of the management board or individuals employed by a company will be able to settle charges against them. Compliance officers operating within the Netherlands will therefore likely be even more exposed to prosecution or receiving a penalty order for their alleged involvement in corporate misconduct.

Preliminary Takeaways

None of the jurisdictions canvassed in part I of this article have a specific regime for holding compliance officers criminally liable for offenses committed on their watch. In part II of this article, which will focus on recent trends in the UK, Germany and Ukraine, it will become clear that compliance officers are more and more likely to find themselves in the front line—if not as a suspect, then as key witnesses to assessing the company's compliance program as well as in relation to the (potential) criminal conduct.

Ann Sultan is a member at Miller & Chevalier in Washington, D.C.; Shula de Jersey is a partner at BCL Solicitors in London; Daniel Travers is a counsel at Freshfields Bruckhaus Deringer in Düsseldorf, Germany; Robin Lööf is an international counsel at Debevoise & Plimpton in London and Paris; Ariane Fleuriot is an associate at Debevoise & Plimpton in Paris; Ario Dehghani is a counsel at Sayenko Kharenko in Kyiv, Ukraine; and Maarten 't Sas is a managing associate and Georgianna Verhage is an associate at Simmons & Simmons in Amsterdam.