The Italian Supreme Court recently stated that the director’s criminal liability cannot automatically trigger the recognition of corporate criminal liability, as company’s organizational fault must be specifically demonstrated by the Public Prosecutor.[1] Now, the Court of Milan[2] specifically clarifies how an appropriate and effective Organization, Management and Control Model (Model 231) pursuant to Italian Legislative Decree 231/01 (Decree 231) can shield the company from corporate criminal liability.
On January 25, 2024, the Court of Milan convicted the senior managers of an Italian joint-stock company (owned by a foreign-based multinational company) for false corporate communications, pursuant to Article 2621 of the Italian Civil Code (ICC), which provides the criminal liability of directors, general managers, managers in charge of preparing corporate accounting documents, auditors and liquidators when they represent false material facts or they omit material facts whose disclosure is required by law concerning the economic or financial situation of the company or the group.
The Court’s Overview of the Preconditions for Corporate Liability for Criminal Violations
In addition to the analysis of the liability of natural persons, the Court of Milan examined the legal requirements for the company to be deemed liable for crimes committed by its directors.
In this respect, the Court first specified that, pursuant to the Article 5 of Decree 231, company criminal liability is triggered when a senior manager or an employee commits an offence in the interest or to the advantage of the company, while the company shall not be liable if a natural person commits the crime in its own interest or in the interest of third parties.
In the event of an offence is committed by a senior manager, the company can avoid responsibility providing evidence of the following:
- The company’s board of directors adopted and efficiently implemented – before the offence was committed – a Model 231 aimed at preventing the perpetration of the offences provided by the Decree 231;
- The company appointed an internal control body (Supervisory Body) to oversee the function of Model 231 and its compliance and to manage the update of the Model 231;
- The Supervisory Body operated in compliance with its function;
- The perpetrator acted in ‘fraudulent breach’ of corporate compliance controls (Article 6 of Decree 231).
In the event the offence is committed by an employee, the company can avoid liability if the Public Prosecutor doesn’t provide sufficient evidence that the company failed in implementing effective compliance programs designed to prevent the commission of the offence (Article 7 of Decree 231).
That being said, in the case decided by the Court of Milan, the offence was committed by fraudulently evading the Model 231 and its policies (management override). The Court was satisfied by evidence that the so-called “management override” occurred even though the Model 231 appeared to be adequately implemented.
The Court of Milan provided an overview of the Model 231, which is usually made of a General Section and a Special Section: the former aimed at identifying the structural features of the Model whilst the latter at (i) analyzing the companies’ activities which are more subject to the risk of crime and (ii) at preventing the risk of offence through operational protocols.
According to the Court of Milan, the General Section of an effective Model 231 should provide the following elements:
- A Code of Ethics establishing (i) the rules of professional conduct to be applied to all company’s members; (ii) the disciplinary sanctions for its violation;
- General guidelines on how to develop intensive and ongoing information and training activities with the aim to provide a better understanding of the Model 231, internal procedures and of the Code of Ethics;
- A Disciplinary System aimed at ensuring the proper functioning of the organization and the regular conduct of business activities. The Disciplinary System must provide the criteria to identify: a) the persons to which disciplinary sanctions must be applied; b) a system of sanctions diversified on the basis of the role of each person subject to sanctions; c) the criteria to assess the severity of disciplinary sanctions; d) the relevant behaviors subject to the application of disciplinary sanctions, distinguishing between formal breaches and breaches which may have detrimental consequences for the entity; e) the procedures to be followed for imposing sanctions, specifying the holder of the disciplinary action, the guarantees for the protection of the accused and the function competent to apply the sanction;
- A whistleblowing system enabling all company’s members to report an offence, even if merely potential;
- The appointment of the Supervisory Board, responsible for (i) monitoring the effectiveness and the updating of the Model 231 by the relevant parties; (ii) managing and supervising all training and information initiatives for the implementation of the Model 231; and for (iii) handling the flow of information to and from internal corporate bodies.
As far as Special Section is concerned, an effective Model 231 shall identify the activities in the context of which certain criminal offences (predicate offences) listed in Decree 231 may be committed, i.e. the so-called sensitive activities. In this regard, the Special Section must contain:
- A list of the main criminal offences that may be committed within the company, depending on the type of activity specifically carried out. Risk assessment consists of a phase functional to the perception of the offence-risk and to the assessment of its degree of intensity. The assessment phase involves a) the identification of areas potentially at risk of offence; b) the identification of sensitive processes from which potential offence may arise; c) the identification and assessment of the degree of effectiveness of existing operational and control systems; d) the description of the possible ways in which offences may be committed;
- Behavioral protocols indicating the necessary measures to minimise the risk of a criminal offence. The main tool for achieving this is the preparation of an operating system characterized by precise, concrete, and risk-oriented precautions.
One of the fundamental principles that must inspire the content of the protocols is that the “segregation of duties”, according to which the persons involved in one phase cannot play any role in the other phases of the decision-making process, in order to prevent the process (or a significant part of it) from remaining in the hands of a single function, with the risk of generating conflicts of interest that could accentuate the risk of criminal offence.
The Analysis of the 231 Model: The Essential Role of Internal Policies and Procedures to Avoid Liability
In the case at stake, the Public Prosecutor appointed a technical expert to analyze the Model 231 adopted by the company in 2011. The expert considered the Model 231 unsuitable to prevent the risk of the offence specified in the indictment.
According to the appointed technical expert, the inadequacy of the Model 231 was mainly due to (i) the absence of the Special Section described above, (ii) the absence of a risk-crime analysis, and (iii) the lack of behavioral protocols.
However, the appointed technical expert considered the Model adopted in 2016 to be fully adequate.
Despite the Model 231 adopted by the company in 2011 did not include the Special Section, the Court in any case considered the risk assessment activity was certainly carried out by the company.
For this reason, despite the fact that the version of the Model 231 adopted in 2011 did not formally contemplate a Special Section, the Court noted that the company adopted a series of Group policies characterized by the presence of specific procedures for the prevention of offences (e.g. Delegation of Authority; Reserved Powers; Group Trading Policy; The way we work; Anticorruption & Bribery; Gift and Hospitality Policy, Charitable Donations and Sponsorship; Market Developments and Sales Incentives). The Court considered the adoption of the above-mentioned policies to be suitable to prevent the risk of the offence of false accounting being committed.
Finally, the Court of Milan, despite the conviction of a number of persons for false corporate communications and after ascertaining the fraudulent circumvention Model 231, excluded the Company’s liability pursuant to Article 25-ter of Decree 231, on the grounds that the Model 231 has been adopted and effectively implemented.
Key Takeaways
The judgment, which is the most recent development concerning the adequacy profiles of Model 231, is a clear and effective reminder of the elements that every company should take into consideration when adopting the Model 231, including:
- The importance of internal policies and procedures aimed at preventing offences;
- The implementation of a whistleblowing system as a tool to identify potential breaches;
- The importance of employee training, which must be “intensive and continuous;”
- The relevance of the controls carried out by the Supervisory Board.
*Trainee Arcangela Gerbino also contributed to this article.
[1] Court of Cassation, January 31, 2024, no 4210.
[2] Court of Milan, January 25, 2024 (excerpt of the judgment, https://www.giurisprudenzapenale.com/wp-content/uploads/2024/05/milano-ii-sez-231.pdf last seen on May 20, 2024).
