New laws specifically aimed at making it easier to prosecute businesses
One of the most notable trends in recent years is the expansion of corporate criminal liability. Many jurisdictions are introducing new offenses and expanding the scope of existing laws to hold companies accountable for a broader range of misconduct. In 2024 alone, for example:
- Australia introduced a 'failure to prevent bribery' offense, with strict liability for businesses that fail to prevent an associate from bribing a foreign public official, subject to an ‘adequate procedures’ defense.
- The UK has a new corporate criminal offense of ‘failure to prevent fraud’, coming into force in September 2025. The offense applies to large businesses that fail to prevent fraud by an associated party, with only one defense of having ‘reasonable procedures’ in place to prevent fraud.
- Also in the UK, a new ‘senior manager’ test for corporate criminal attribution has lowered the bar for whose acts can be considered those of the company for a wide range of economic crimes.
- In Belgium, there is a new offense of 'ecocide,' and enhanced provisions to combat ‘social dumping’ (the practice of employing cheaper overseas labor to undercut domestic wages).
- In Italy, a new offense within the public sector can trigger quasi-criminal corporate liability and there has been a raft of new corporate criminal offenses concerning cybercrime and excise duty evasion.
- France has introduced a new tax offense aimed at businesses that offer tools to conceal income or assets.
Looking ahead, harmonization of corruption standards across the EU is likely to lead to new corporate criminal offenses being introduced. The new Polish Presidency of the EU Council is expected to advance the proposed EU Directive on Anti-Corruption. In addition to measures to better prevent and combat corruption, the Directive proposes new minimum standards for defining punishable corruption offenses, including bribery in the public and private sectors, and stipulates far-reaching sanctions—for individuals and companies. It is proposed that legal entities should be held liable for corruption offenses committed by persons who have “a leading position”. In addition to liability for active corruption, a breach of supervisory duties on the part of the person who has the leading position would be sufficient for the company to be held liable. Member States would have to impose tough penalties, e.g., fines with a maximum limit of not less than 5% of a company’s total worldwide turnover. A good compliance program would be a mitigating factor. This would present a significant expansion for Member States which do not currently have a well-developed concept of corporate criminal liability.
Check that compliance programs are keeping up
Given the expanding scope of corporate liability, businesses need a robust compliance program:
- to reduce the risk of corporate crime occurring;
- to act as a potential defense should there be misconduct; and
- to be considered by an enforcement authority in deciding whether to prosecute and/or mitigate the level of fine.
In some sectors, authorities have been willing to prosecute businesses for failures in compliance programs even where there is no actual loss shown to customers and investors. For example, in the U.K. in the financial services sector, businesses have been prosecuted for deficient AML or sanctions systems and controls. In the U.S., banks have been fined for failing to keep adequate records owing to the use by employees of ‘off-channel’ communication tools such as WhatsApp. We may of course see enforcement priorities change in the U.S. under the new Trump administration, with a possible refocus on bringing cases where significant loss has occurred.
Updating corporate compliance programs is crucial for ensuring that organizations remain compliant with evolving legal and regulatory landscapes. Here are some top tips for corporate compliance officers:
- Conduct comprehensive risk assessments: Regularly perform thorough risk assessments to identify potential areas of vulnerability within the organization. This includes understanding how different types of misconduct could manifest in your specific business context. Use the risk assessment to inform and update policies and procedures, including training requirements.
- Stay informed of legislative changes: Keep abreast of new laws and regulations that impact your industry. In most of the jurisdictions surveyed for the A&O Shearman White-Collar Crime and Investigations Review there have been law reforms in the past year relevant to compliance programs. Compliance officers should ensure that their programs reflect these new requirements.
- Enhance data protection and cybersecurity measures: With the increasing focus on data protection and cybersecurity, compliance programs should include robust measures to protect sensitive information. There are even stricter rules in some countries for critical infrastructure providers, such as energy, IT, banking, transport, healthcare, and telecoms, with steep criminal fines for violations.
- Implement effective whistleblowing mechanisms: Ensure that there are clear, accessible, and confidential channels for whistleblowers to report misconduct. The ongoing implementation of the EU Whistleblowing Directive and the new enhanced whistleblower protections in the UAE demonstrate the continued importance of protecting whistleblowers. Compliance programs should include training for staff on how to manage whistleblower reports and protect whistleblowers from retaliation.
- Focus on ESG compliance: Environmental, Social, and Governance (ESG) issues are increasingly becoming a priority for regulators. Compliance officers should ensure that their programs include measures to address ESG risks and how these risks intersect with financial crime risks, e.g., ABAC risk. See our article on ESG enforcement risk.
- Strengthen internal investigation protocols: Develop clear protocols for conducting internal investigations to ensure they are thorough and legally compliant. The guidance from the Dutch bar association on internal investigations and the emphasis on maintaining privilege in Australia are examples of the importance of well-structured internal investigations. Ensure that investigations are documented properly and that there is proper consideration of how findings are recorded and communicated. See our article on considerations for internal investigations.
- Leverage technology for compliance monitoring: Consider using advanced technology and data analytics to monitor compliance and detect potential issues early. The U.S. DOJ signaled in its recently revised Evaluation of Corporate Compliance Programs (ECCP) that compliance functions are expected to be data-driven, and have access to relevant sources of data and data analytics tools to monitor for non-compliance. The FCA's investment in data analytics for market monitoring and the use of the Consolidated Audit Trail (CAT) by U.S. regulators to identify trading patterns are examples of how the authorities are already using data to identify misconduct.
- Ensure compliance keeps up with innovative technologies being used in the business: As well as using data analytics to monitor compliance, the compliance functions must also assess the potential impact of new technologies in the business, such as artificial intelligence, and implement governance structures to manage these risks. Again, from the U.S. DOJ’s ECCP, prosecutors will consider whether a company has considered and mitigated the risks of new and emerging technologies, including (but not limited to) AI. The compliance program should also monitor how the technologies used by the business are being described externally to ensure statements are accurate and not misleading.
- Regular training and awareness campaigns: Conduct regular training sessions and awareness campaigns to keep employees informed about evolving compliance requirements and the importance of adhering to them. Ensure that the risk assessment is used to inform who is trained on what, and how often. Gather data on training completion rates and follow up with appropriate sanctions if necessary.
- Engage with external experts: Consider engaging with external legal and compliance practitioners to gain insights into best practices. They can provide valuable perspectives on emerging risks, sector insight, and regulatory expectations.
A&O Shearman’s market-leading white-collar defense and global investigations practice is able to advise on all aspects of corporate liability and compliance programs. Please contact one of the authors of this article or your normal A&O Shearman contact.
This article is part of the A&O Shearman Cross-border White-Collar Crime and Investigations Review 2025.