Role & tasks of a Compliance Officer
A Compliance Officer is the advisory, preparatory and executive body in the company for all compliance issues. The appointment of a Compliance Officer is legally required only in exceptional cases. Therefore, either a member of the company management also handles the company’s compliance tasks, or other explicitly selected employees are responsible for fulfilling these tasks.
Depending on the size, structure, sector and internationality of the areas of activity, it is common practice in larger companies or groups to appoint one or more central Compliance Officers (Chief Compliance Officer) and at least one decentralized Compliance Officer.
Relationship between Company Management & Compliance Officer
The primary responsibility for compliance lies with the company’s management. It makes key decisions, e.g. on the arrangement of the compliance management system. The management also decides whether an explicit Compliance Officer is appointed and what tasks are associated with this position.
If the company management consists of several people (several board members or managing directors), one of these members is usually responsible for compliance. The remaining decision-makers in the company then only have a supervisory function. Consequently, this also results in a graduated liability of these members. As a rule, they are only liable if they neglect their supervisory duties.
Where such an officer has been appointed, the Chief Compliance Officer often reports directly to the company’s management and is in turn the immediate superior of the local Compliance Officer. In smaller companies, the Compliance Officer is often directly subordinate to the company management due to the lack of a Chief Compliance Officer.
Civil liability
In the event of compliance violations, the Compliance Officer and the company management may be liable under civil law both internally and externally.
Internal liability
Internal liability refers to liability towards the company. The subject of this liability is often claims for damages by the company against the Compliance Officer or the company management.
Liability of the company management in the internal relationship
By law, managing directors of limited liability companies (Gesellschaften mit beschränkter Haftung) and members of the management board of stock companies (Aktiengesellschaften) must exercise the diligence of a prudent businessman in the performance of their duties. In any case, a managing director or a member of the Management Board acts in accordance with the diligence of a prudent businessman if he is not guided by extraneous interests when making a business decision and may assume, on the basis of appropriate information, that he is acting for the benefit of the company (Sec 25 para 1a of the Austrian Act on Limited Liability Companies (GmbHG) and Sec 84 para 1a of the Austrian Stock Corporation Act (AktG), “Business Judgement Rule”).
In this context, the obligation to set up an internal control system is also essential (Sec 22 para 1 GmbHG, Sec 82 AktG). Internal control systems represent an accumulation of measures whose purpose is to safeguard the company’s assets. This can also include compliance measures and the obligation to conduct internal investigations in the event of suspicious matters.
In certain cases, compliance with the Business Judgement Rule may even require the company management to set up a compliance management system (if this is not already required by law). In addition, organizational precautions must be established to prevent violations of the law by the company or its employees. Following on from this, the management is obliged to take immediate action if there are indications of misconduct. This obligation may also include the initiation of internal investigations.
Obligation to initiate an internal investigation?
In practice, the question often arises as to whether the company management is obliged to initiate an internal investigation in the event of suspicions of possible violations of the law. To answer this question, a distinction must be made as to whether the suspicions relate to violations of criminal law (such as the Austrian Criminal Code) or civil and administrative law (such as the Austrian Civil Code or administrative offenses under the Austrian Administrative Offenses Act).
In the event of suspicion of a criminal offense within a company, the management is obliged to conduct an internal investigation. In this case, it is also irrelevant whether the company itself has suffered damage as a result of the offense or whether it has profited from the criminal acts. In cases of suspected non-compliance in the area of criminal compliance, there is therefore always an obligation to initiate an internal investigation.
A distinction must be made between administrative violations and violations of civil law: A violation of civil law that is (economically) ‘useful’ to the company, such as an accepted and limited violation of the Austrian Working Hours Act (Arbeitszeitgesetz) in order to complete an important contract on time, does not generally need to be investigated – it is known to the company anyway and has been accepted by the management in the overall assessment as part of weighing up the advantages and disadvantages of this approach. However, apart from such “minor” violations of the law that do not entail any significant risks for the company, the management is generally obliged to investigate. In such situations, serious consequences such as high fines or claims for damages are possible. If necessary, legal advice should be sought in advance.
Liability of Compliance Officers in the internal relationship
In the case of Compliance Officers, potential liability towards the company arises from the employment relationship and the agreed scope of duties. Compliance officers are liable for culpable breaches of their duty of care in connection with their duties arising from the employment relationship and for breaches of general duties.
However, Sec 2 para 3 of the Austrian Employee Liability Act (DHG) must be observed here, according to which employees are not liable for excusable mistakes. An excusable mistake is a minor oversight which, when taking into account the overall work performance, can easily occur in the course of business and with regard to its difficulties and can only be averted with extraordinary attention (“It can happen to anyone”). In the case of slight negligence, the damage can be reduced or completely waived by the court, in the case of gross negligence at least reduced (Sec 2 para 1 DHG).
External liability
The liability of the Compliance Officer and the company management towards third parties constitutes external liability. Personal liability of the managing director may arise from special statutory provisions. For example, the managing director has subsidiary liability for taxes (Sec 9, 80 of the Austrian Federal Tax Code (BAO)) and for social security contributions (Sec 67 para 10 of the Austrian General Law on Social Insurance (ASVG)). Corresponding compliance violations can therefore lead to a direct liability on the part of the managing director. In addition, a direct civil liability of managing directors and Compliance Officers can also result from a violation of protective laws. Examples of protective statutory provisions are the creditor protection offenses, which protect the interests of creditors in the event of imminent or actual insolvency (such as fraudulent insolvency in accordance with Sec 156 of the Austrian Criminal Code). The criminal offense of fraud (Sec 146 StGB) also falls into the category of protective statutory provisions (Section 1311 Austrian Civil Code).
Criminal liability
General information
Criminal law distinguishes between genuine and non-genuine offenses of omission. When assessing the potential criminal liability of the Compliance Officer as a contributory offender, it is primarily non-genuine offenses of omission (Sec 2 StGB) that come into consideration.
In the case of a so-called ‘unechtes Unterlassungsdelikt’, the offender is required to take action to ensure that a certain outcome does not occur. The prerequisite for this is usually that the offender has a so-called ‘guarantor obligation’, i.e. the legal system requires the offender to take certain action in a particular situation to avert a criminal outcome. This duty of guarantee may arise from a statutory or contractual obligation or from conduct that gives rise to a risk (interference); interference plays only a negligible secondary role in the activities of a compliance officer.
Requirements for criminal liability of the Compliance Officer
In most cases, the Compliance Officer (member of the management or explicit Compliance Officer) is a guarantor on the basis of a contractual agreement between the company and the Compliance Officer.
For any criminal liability, it is relevant whether the Compliance Officer has voluntarily assumed the contractually agreed duties. The more specific the duties and powers are defined in the employment contract, the easier it is to clarify any liability issues. The Compliance Officer must have actually assumed the duties assigned.
In order for the Compliance Officer’s criminal liability to be affirmed, the omission must also be equivalent to an active act. This means that the wrongfulness of the omission must be comparable to that of an active act. If this is not the case, the Compliance Officer or other employees who have contractually assumed special duties are not liable to prosecution.
The Compliance Officer must also have acted with intent or at least with negligence. Negligence by omission means that a Compliance Officer, through a lack of due diligence, fails to act in a situation that constitutes a criminal offence or fails to recognize it as such. However, a Compliance Officer can only be held liable for negligent failure to act under the Austrian Criminal Code if the law expressly (also) criminalizes negligent actions (Sec 7 para 1 StGB).
Examples
- A Compliance Officer who acts carelessly and in breach of due diligence and fails to recognize the imminent occurrence of damage caused by an employee acting fraudulently (and thus acts negligently) cannot be held criminally liable, especially as the offense of fraud under Sec 146 StGB is an intentional offense. However, negligent conduct may result in civil liability.
- In the area of environmental offenses, which also criminalize negligent conduct, participation through negligence by omission is also possible, for example if the Compliance Officer remains inactive despite knowledge of the risk and thereby fails to prevent the discharge of pollutants into a river (Sec 181 StGB).
Finally, as with any criminal liability assessment based on an omission, it must be questioned whether the omitted action of the Compliance Officer was also causal for the occurrence of the event and whether the Compliance Officer had the opportunity to take the required action at all.
Involvement of a specialized lawyer in the event of a crisis
In principle, a company is free to decide whether the internal investigation should be carried out by its own employees, by external consultants or in cooperation with both groups of people. In practice, external specialists such as IT experts, lawyers or auditors are often consulted, at least for important detailed questions or in the case of particularly serious allegations.
The involvement of a lawyer ensures that the questionable actions are examined with regard to all legal aspects. Even if the criminal prosecution authorities are already investigating the company in parallel, it is advisable to consult a lawyer as soon as possible.