Criminal Compliance

A roadmap for companies

In a constantly changing regulatory landscape, it is essential for companies to keep an eye on criminal law. It is not only a matter of counteracting current criminal offences, but above all of ensuring preventively that employees and managers do not cross criminal law boundaries at any time. In this context, the topic of Criminal Compliance is becoming increasingly important.

The definition of compliance in the legal context refers to adherence to legal provisions and internal guidelines by companies and public institutions in order to minimise legal risks. The basis for effective criminal compliance management is the creation of an awareness of criminal law risks and the resulting obligations. More than almost any other area of law, criminal law is subject to ongoing amendments and is constantly evolving. Compliance measures must therefore also be constantly adapted.

Compliance Management System

In order to set up a successful Compliance Management System (CMS), it is first necessary to identify the potential risk areas within the company. This involves analysing in which business areas, processes and practices there is an increased risk of criminal misconduct. Possible risk indicators for potential criminal offences include conflicts of interest, sham contracts and invoices as well as a lack of control structures. Typical criminal liability risks in Commercial Criminal Law and Corporate Criminal Law arise, for example, due to the criminal offences of fraud, breach of trust, embezzlement as well as bribery and corruption – to name just a few.

Many companies do not have an in-house criminal lawyer and draw on specialized external experts for preventive advice and optimisation of Criminal Compliance. Following the risk analysis, clear guidelines and procedures should be developed to minimise these risks. This can include the introduction of employee training, regular audits and the introduction of an internal whistleblower system. This allows problem areas and potential legal violations to be quickly recognised and reported.

Just as important as the introduction is the ongoing monitoring and adjustment of the aforementioned compliance measures. The compliance management system should therefore not be seen as a one-time task, but as an ongoing process.

The importance of training and education

An effective Compliance System is only as good as the employees who implement it. Training and external education are therefore of central importance. All employees – from management to entry-level workers – should be trained in the principles of compliance and the specific criminal offence risks in their respective areas of responsibility. When drafting and implementing compliance guidelines (Code of Conduct) and employee training, it may be advisable to consult a lawyer specialising in criminal law. This can ensure that all relevant legal aspects are taken into account and that the company is optimally protected against legal risks.

In addition to imparting knowledge about criminal law boundaries, corporate culture also plays a central role in employee training. According to the principle of Tone from the Top, company management should clearly communicate the company’s values and emphasise that integrity and legally impeccable behaviour are expected, with no room for negotiation. At the same time, there should be clear consequences for misbehaviour.

Internal whistleblower system

Whistleblower systems that allow employees to confidentially report possible misconduct are another key element of a robust Criminal Compliance System. By introducing a whistleblower system, the company not only demonstrates that it takes misconduct seriously, but also provides a protected channel through which information about possible violations of the law can be submitted. Since 2023, companies in Austria with 50 or more employees have been obliged to set up an internal whistleblower system under the Whistleblower Protection Act (HSchG). An efficient internal reporting channel also reduces the risk of a whistleblower submitting a report to a so-called external entity – such as the Federal Bureau of Anti-Corruption (BAK) or the Central Public Prosecution Office for Combatting Economic Crimes and Corruption (WKStA).

For a whistleblower system to be effective, the company must ensure that any information received is taken seriously and thoroughly investigated. At the same time, employees must be able to trust that they will not be penalised as a result of a tip and that their information will be treated confidentially. If whistleblowers wish, they should also be given the opportunity to submit an anonymous report. Reports received should be examined with great care and, in particular, checked for their relevance under criminal law. If necessary, an internal investigation should be initiated.


Criminal law pitfalls must be recognised at an early stage. If necessary, the company’s own Compliance Management System must be upgraded. A Compliance System oriented towards criminal law not only protects the company from legal consequences. It is also a signal to customers, business partners, and investors that the company takes compliance seriously in every respect. By continuously adapting to new legal framework conditions and focusing on regular employee training and compliance awareness, companies and public institutions can minimise criminal law risks and at the same time take their Compliance System to the next level.

If you have any questions about Criminal Compliance or need support from an experienced law firm, please feel free to contact us.

Dr. Elias Schönborn

