º¬Ðß²ÝÉçÇø

If an employee breaks the law in the name of the company, does the company bear responsibility? Judicial practice has long centred on tracing the flow of benefit. Now the effectiveness of a company¡¯s compliance framework is becoming the benchmark for drawing the line between personal misconduct and corporate culpability.

Judicial recognition

While no explicit provisions define the rules for identifying corporate criminal liability under the Criminal Law and relevant judicial interpretations, the Supreme People¡¯s Court and the Supreme People¡¯s Procuratorate have elaborated on criteria for such identification through guidance in a series of symposium summaries, offering concrete direction for judicial practice.

The Minutes of the National Courts Symposium on the Trial of Financial Criminal Cases make clear that an offence is a corporate crime when committed in the name of the entity, and with illegal proceeds accruing to the entity. The Minutes of the Symposium on Issues Concerning the Handling of Internet Finance Criminal Cases also provide that criminal activity carried out by employees pursuant to a decision of the entity, with illicit proceeds accruing to the entity, constitute a corporate offence.

Under the Minutes of the Symposium on Issues Concerning the Handling of Environmental Pollution Criminal Cases, an environmental pollution offence constitutes a corporate crime if committed for the benefit of the entity by decision or with consent of its de facto controller, principal responsible person, or an authorised executive. It also constitutes a corporate crime where any such individual learning of an employee¡¯s criminal act fails to intervene or adopt timely measures and instead ratifies, condones or tacitly acquiesces in the conduct.

This suggests a decision by the entity¡¯s responsible officer or an authorised delegated executive is imputed as the corporate will.

In case law, this has been incrementally qualified. Courts look beyond the fact of authorisation, holistically examining factors to assess whether the conduct truly manifested corporate will, such as whether the decision was approved by the entity¡¯s governing body following decision-making procedures set out in the articles of association, and whether the decision remained within the entity¡¯s legitimate business remit.

Whether an act embodies the corporate will now stands as the boundary separating individual from entity conduct in judicial practice, constituting the pivotal contested issue in establishing corporate criminal liability. How the assessment criteria are refined and enhanced has a direct bearing on the rulings in corporate crime cases.

Compliance framework

Chinese jurisprudence on corporate crime has long focused on private companies. In these companies, governance arrangements are often underdeveloped, and ownership is commonly fused with operational control. The personal interests of the de facto controller, majority shareholder or senior management tend to overlap heavily with the company¡¯s own interests.

This configuration means that individual decisions by these figures are readily imputed as the entity¡¯s will, and it is realistically defensible for the judicial authorities to equate a personal decision with a corporate one.

However, when the entity concerned has a mature, modern governance framework and a robust compliance system ¨C and the employee¡¯s criminal conduct clearly contravenes the company¡¯s compliance policies ¨C how, then, should the line be drawn between individual and corporate acts?

This presents a genuine challenge in judicial practice. Experience suggests that judicial authorities scrutinise two key factors: how the compliance programme was devised and enforced; and the independence of the compliance function.

The adequacy of these two elements determines whether the compliance regime serves to exclude corporate criminal liability.

Case study

In a case concerning Nestl¨¦ employees infringing citizens¡¯ personal information, Zheng and Yang, managers of the infant nutrition division for northwest region at Nestl¨¦ (China), and other staff, were alleged to have illicitly acquired personal data from medical personnel at several hospitals for the purpose of promoting infant milk formula.

The court held that:

(1) Nestl¨¦ nutrition specialists¡¯ remit did not cover the acquisition of consumer personal information. The specialists¡¯ performance was reviewed via telephone calls by the nutrition advisory centre operated by the China Association of Health Promotion and Education;

(2) Nestl¨¦ maintained an internal ban on the illicit collection of consumer personal data by employees, and at no point supplied funds to employees or healthcare professionals for this purpose; and

(3) Nestl¨¦ required every nutrition specialist to complete compliance training and sign a letter of undertaking, and all defendants in this case had undergone the prescribed training and testing.

In its final ruling, the appellate court determined: ¡°Evidence such as Nestl¨¦¡¯s corporate policies and employee conduct standards proves that the company barred staff from the criminal infringement of citizens¡¯ personal information. The appellants acted in contravention of company management rules and committed the offences to boost their individual performance. The acts are thus deemed personal in nature.¡±

This case illustrates that, in determining whether a compliance framework truly reflects the entity¡¯s will, the court does not confine its review to the mere existence of compliant policies. Its scrutiny reaches further, encompassing the lawfulness of the underlying project, the extent to which the compliance system has been communicated and embedded, and the tangible results of its implementation.

Growing judicial experience is leading the courts to impose more exacting standards on compliance management systems when a company seeks to rely on them as an authentic reflection of the corporate will, such that employee violations are characterised as personal acts.

Central to this is the independence of compliance: whether the compliance department can perform its role autonomously; whether it remains free from undue interference by the entity¡¯s leadership; and whether it can constrain the leadership¡¯s irregular decision making.

The lesson for enterprises strengthening their compliance systems is to make independence of the compliance function, and of compliance officers, a key priority.

This involves clearly prescribing the compliance department¡¯s responsibilities and authority, guaranteeing that compliance staff can perform their roles autonomously, and instituting effective compliance monitoring and accountability structures.

Rigorous enforcement of the compliance system will then be secured, with the entity¡¯s criminal law risks effectively contained.

Li Kexuan is a partner at Starrise Law Firm