Criminal Compliance and Enterprise Governance
Lawyer Lifei Jiang
In March 2020, the Supreme People’s Procuratorate initiated the pilot reform on compliance for the first batch of enterprises involved in criminal cases, in which 6 grassroots people’s procuratorates in Nanshan (Shenzhen), Bao’an (Shenzhen), Pudong (Shanghai), Jinshan (Shanghai), etc. participated.
In May 2021, the State-owned Assets Supervision and Administration Commission (SASAC) announced that each central state-owned enterprise shall set up a compliance committee.
The pilot reform on compliance for enterprises involved in criminal cases is carried out by the procuratorial organs against enterprises which have incurred “criminal risks” and are subject to “review and prosecution”. Once the involved enterprises have passed the compliance inspection, the procuratorial organs may propose not to arrest, prosecute against or apply actual punishment tosuch enterprises.
I. Criminal compliance and enterprise compliance
Different from the compliance of enterprises subject to “review and prosecution”, “criminal compliance” in this article mainly focuses on the prevention of potential criminal risks in daily operation of enterprises at the time of not incurring any real criminal risks.
Therefore, the criminal compliance here refers to a series of measures taken to identify, assess, prevent and control any potential criminal risks in the operation and administration of enterprises based on criminal laws, norms and other standards.
In 2018, the SASAC provided in the Guidelines on Compliance Management for Central State-owned Enterprises (for Trial Implementation) the definition of enterprise compliance that the operation and management of the central state-owned enterprises and their employees comply with laws and regulations, regulatory provisions, industrial codes, Articles of Association and policies of enterprises, international treaties and rules and other requirements.
In conclusion, enterprise compliance includes traditional compliance and criminal compliance. Criminal compliance, as a constituent part of enterprise compliance, is different from and will by no means replace traditional compliance, but supplements it in a targeted manner. Moreover, criminal compliance does not cover all aspects of enterprise compliance and is a special compliance focusing on prevention of criminal risks.
II. The necessity of criminal compliance
According to the preliminary statistics by the author’s team, there are approximately 149 crimes relating to enterprises in the PRC Criminal Law. In other words, the 149 crimes are like 149 red lines encircling the enterprises during business operation, whose existence or boundaries are invisible and imperceptible to many until being crossed. However at that moment, it is too late for such enterprises to take remedial measures.
According to the classification in the Guidelines on Compliance Management for Central State-owned Enterprises, 29 crimes are related to “market transactions”, 33 related to “finance and taxation”, 7 related to “intellectual property rights”, and 46 fall into “other fields” including data security, network security, privacy, etc. According to the statistics of stages at which the crimes were committed in 2018 in the Analysis Report on Crimes Committed by Chinese Entrepreneurs issued by Chinese Entrepreneurs Crime Prevention Research Center (CECPC) of Beijing Normal University, 36.03% crimes were committed at the “daily operational stage”, 24.81% at the “financing stage”, and 8.84% at the “financial management stage”.
Obviously, criminal risks are more likely to be triggered in the fields of market transactions, finance and taxation and intellectual property rights during the daily operation, financing and financial management of the enterprise, to which enterprises shall pay special attention. It is urgent to raise the enterprises’ awareness of criminal risk prevention at the above stages and in the above fields, particularly in the practice of the law-based governance.
III. The application of criminal compliance in enterprise governance
Take the following case as an example.
From 2011 to 2013, Zheng and 5 other employees of Nestle, with the purpose of promoting milk powder, have obtained more than 120,000 pieces of information including names and mobile phone numbers of pregnant moms from medical workers of multiple Lanzhou-based hospitals by paying gratuities and other means.
In October 2016, Chengguan District People’s Court, Lanzhou ruled that Zheng and others constituted the crime of infringing citizens’ personal information. Afterwards, Zheng and others filed an appeal, claiming that their acts shall be deemed to have constituted a crime committed by a unit.
During the appeal trial, Nestle provided Articles of Association, letters of undertaking signed by the employees and other evidence to prove that its employees were strictly prohibited from conducting the criminal act of infringing citizens’ personal information. The criminal offenses by such appellants shall be deemed their individual behavior to improve performance in violation of the company’s administrative rules.
In May 2017, Lanzhou Intermediate People’s Court made the final decision, dismissing the appellants’ claim for the crime committed by a unit, and upheld the judgement of first instance. [Source: (2016) Gan 0102 Xing Chu No.605, (2017) Gan 01 Xing Zhong No.89]
This case was tried between 2016 and 2017. Although criminal compliance was not applied to the trial, it is recognized in the legal circle as the “first case of enterprise compliance defense of not guilty”. The court in this case identified the criminal acts of the accused employees as their individual behavior based on the establishment and effective implementation of relevant regulations of Nestle, thus building a “firewall” that effectively distinguishes the staff’s personal responsibility from enterprise responsibility.
The above analysis is only superficial. Assuming that Nestle did not give compliance training to its employees or Nestle failed to retain the complete records of the compliance training due to poor management, Nestle was highly likely to be found guilty because it was unable to provide relevant evidence as a defense.
This is why it is worthwhile to conduct criminal compliance to prevent potential criminal risks in enterprise governance.
IV. The prevention of criminal risks in enterprise governance
The author has been long engaged in writing legal articles and is adept at digging deeper into the situation to analyze each aspect. In the discussion of “enterprise criminal risks”, the author will dwell on each element before giving a summary.
When it comes to the prevention of criminal risks of enterprise, “who” has conducted the illegal act liable to result in criminal risks shall be firstly determined. If we say an enterprise committed a crime, did the enterprise conduct the illegal act on its own? Of course not, since the enterprise is only a platform gathering personnel which cannot commit any illegal acts by itself. However, acts conducted by persons or groups representing the will of the enterprise are often deemed to be the acts of the enterprise itself. Therefore, it is important to identify the real actor of the illegal act triggering criminal risks when dealing with the prevention of criminal risks of enterprise.
In general, the managers of an enterprise include the real controller, shareholders, directors, supervisors and senior management.
Given the identities of the managers, people tend to associate/identify their acts during business operation with/as the intention of the enterprise, thus confusing personal intentions/acts with the enterprise’s. Therefore if the manager conducted criminal acts which gain profits for the enterprise, it is necessary to distinguish the personal intention from the will of the enterprise, meaning that the enterprise has a heavier burden of proof on “non-enterprise will”.
The acts of employees during business operation can be either the acts of duty under instructions of the company or individual behavior for their own good. For example, the 6 salesmen of Nestle in the “citizens’ personal information infringement case against Nestle employees” as mentioned in the previous article “Criminal Compliance and Enterprise Governance (II)” claimed during the trial that they “collected and provided the company with the citizens’ personal information as instructed by the company to fulfill the KPI requirement on infant formula milk powder, which shall be deemed an act of duty”. However, the court accepted the claims and evidence of Nestle (company instructions, materials of telephone interviews, training and test materials as well as letters of undertaking signed by the salesmen, etc.), ruling that the salesmen’s acts shall be deemed individual acts and a crime to improve personal performance in violation of Nestle’s administrative rules.
3) Parties outside the company
Parties outside the company such as outside suppliers/business partners, although often unnoticed, are also very important. During business operation, enterprises will cooperate or transact with relevant personnel outside the company, enterprises and public institutions, social organizations and other entities. Once the suppliers or partners conduct illegal acts to reach any cooperation or deals with the enterprise, such enterprise without adequate risk prevention/isolation measures is very likely to commit criminal offense due to the criminal risks triggered by such outside parties. For example, if the enterprise engages a non-local third-party intermediary institution to bid for a project, such institution may trigger criminal risks by collusive bidding or commercial bribery in order to win the bidding. Therefore, it is necessary for the authorities handling the case to investigate whether the enterprise has also participated in the collusive bidding or commercial bribery.
In this article, the above managers, employees and parties outside the company hereinafter are collectively referred to as “Actors”.
2. Legal interests
Any acts conducted by actors during the business operation will be positively evaluated as “legal” or negatively as “illegal”. If an act infringes any interests protected by the Criminal Law, it will be evaluated negatively, and such “interests protected by law” are legal interests.
In general, most enterprises are aware that issuance of false invoices and tax evasion are illegal acts. Since such acts have aroused enterprises’ awareness and precaution, the legal interests arising therefrom are referred to as “known legal interests” in this article, meaning that enterprises have the knowledge of such legal interests through popularization of laws and internal training in relation to compliance. On the other hand, there is another type of legal interests expressly protected by the Criminal Law while unknown to the enterprises, which the author calls “unknown legal interests”, meaning that enterprises do not know the existence of such legal interests but may unintentionally infringe upon them during business operation. Being vulnerable to criminal operational risks, unknown legal interests are a primarily significant aspect of the prevention of enterprise criminal risks.
Why are “unknown legal interests” ubiquitous? On one hand, with the economic development, more legal interests arise. For example, China has strengthened its protection of data security, network security, personal information and other interests, while many enterprises have not timely established corresponding regulations or organized systematic training. On the other hand, without realizing the importance of criminal risk prevention, enterprises, small and medium sized private enterprises in particular, are reluctant to enhance their criminal compliance construction and make relevant investments.
3. The subjects carrying out criminal compliance
As mentioned above, unknown legal interests are important for enterprises when preventing potential criminal risks. In order to turn unknown legal interests into known ones, in addition to constantly improving its business capability to overcome any limitations, the legal team of the enterprise shall also retain the criminal compliance service of outside legal counsels.
Establishing corresponding regulations within the enterprise via outside legal counsels and organizing systematic training for actors can transform unknown legal interests into known ones, building a “firewall” that effectively distinguishes the staff’s personal responsibility from enterprise responsibility.
V. “Compliance” remedies for enterprises involved in criminal cases during “review and prosecution stage”
In March 2020, the Supreme People’s Procuratorate initiated the pilot compliance regulation against the enterprises involved in criminal cases which are not arrested, prosecuted against or sentenced to actual crime according to the law.
On April 2, 2022, the Supreme People’s Procuratorate held a meeting with All-China Federation of Industry and Commerce to push forward the all-round pilot reform on compliance of enterprises involved in criminal cases, emphasizing that “the third-party mechanism will be applied as long as the enterprises involved in criminal cases, whether private or state-owned, micro-, small and medium-sized or listed, plead guilty and accept punishment, operate business normally, undertake to establish or improve their compliance systems and have both the ability and the intention to initiate such third-party mechanism”.
The compliance mechanism for enterprises involved in criminal cases is illustrated by the table below:
Firstly, the compliance of the enterprise involved in the case takes place at the stage of “review and prosecution” of procuratorial organ when criminal risks have been incurred by the enterprise, the crime investigation procedures have been initiated and the case has been transferred to the procuratorial organ. Therefore, the compliance of the enterprise involved in criminal case only applies to the “review and prosecution” of procuratorial organ against such enterprise.
Secondly, if the procuratorial organ decides to apply “compliance” to the involved enterprise meeting relevant conditions, such enterprise shall sign “the statement of repentance to plead guilty and accept punishment” and “the letter of undertaking on acceptance of inspection”. Since the application of “compliance” is a two-way selection, the involved enterprise may either agree or disagree. However, it shall be noted that if it agrees to apply the “compliance” procedures, it shall also agree to “plead guilty and accept punishment” and “accept inspection”.
Thirdly, after the enterprise involved in the case has signed “the statement of repentance to plead guilty and accept punishment” and “the letter of undertaking on acceptance of inspection”, the procuratorial organ shall organize third-party professionals to draw up/implement a compliance plan for such enterprise in response to the suspected crime, which figures out all problems and loopholes in the internal governance structure, Articles of Association, personnel training and other issues of the enterprise causing the crime, establishes comprehensive compliance management regulations as well as an effective compliance system, and improves the compliance risk precaution and response mechanism to effectively prevent the re-occurrence of the crime. The third-party professionals include industry experts, scholars, lawyers, accountants and other personnel assisting the involved enterprise in working out the compliance plan.
Fourthly, after working out the compliance plan, the enterprise involved in criminal case shall implement the plan and make rectification accordingly. Afterwards, the procuratorial organ will inspect the implementation and rectification by the enterprise to determine whether the goals set by the “compliance plan” have been fulfilled.
Lastly, the procuratorial organ will propose not to arrest, prosecute against or apply actual punishment to the enterprise involved in criminal case based on the inspection results.
Therefore, the compliance of enterprises involved in criminal cases neither provides antidotes and patches to the problems and loopholes, nor denies and completely re-constructs the existing compliance systems of the enterprises. Instead, it supplements and enhances the enterprises’ existing compliance mechanisms through targeted identification of loopholes in compliance management underlying illegal acts and establishment of new standards for compliance inspection.
VI. Common misunderstandings in relation to criminal risk prevention
Misunderstanding 1: Collective decision is the “safe lock” exempting the enterprise from any liabilities.
It is widely recognized that the collective decision is one of the important internal control systems of the enterprise, which may nevertheless mislead some into believing that decisions made collectively without being affected by individual intention will not bring about any legal risks to them. Even if the decision is eventually proved wrong, the law won’t be enforced when everyone is an offender. However, in judicial practice, if a decision made collectively is wrong and has triggered certain criminal risk, in addition to pursuing the criminal liabilities of the enterprise, the leading legal representative and the person in charge may also face the risk of being held accountable for the crime.
Misunderstanding 2: Examination and approval level by level offers a “safety net” to the enterprise.
An examination and approval system with clear duty boundary is common in enterprise governance. However, due to the fixed and rigid procedures, many responsible persons usually examine and approve the item/application through checking the signature on the signature page rather than the legitimacy of such item. Regardless of all the complexity of the relevant procedures for internal control in the form, examiners may only go through the whole process as a routine devoid of any risk control consciousness. In case of any material violation of laws and regulations by the approved item, the enterprise may be mired in criminal risk events.
Therefore, enterprises shall conduct substantial examination on the items during the examination and approval procedures as well as the corresponding criminal compliance validity analysis on a regular basis.
Misunderstanding 3: The third-party assessment is the “firewall” isolating the enterprise from any risks.
For third-party assessment, the third party issues professional assessment opinions on major issues based on its professional knowledge as well as objective and neutral social status, and the enterprise will rely on such opinions to make its final operational decision. Most state-owned enterprises will initiate the third-party assessment procedures before making major transactions or decisions. However, in case of any losses of state-owned properties due to irregular assessment or due diligence which are not rectified by decision makers of the enterprises, the crime of malpractice by employees of state-owned enterprises or companies may be established. In recent years, events of loss of state-owned properties take place from time to time during enterprise restructuring, particularly in the third-party assessment procedures. Therefore, the enterprises shall use their best efforts to act as “goalkeepers” in market transactions through conducting substantial examination on the process, method and conclusion of the “third-party assessment”.
VII. Most vulnerable sectors to criminal risks in business operation
In 2021, Watson & Band set up the criminal compliance department. The author, as the department head, has led the team to conduct various systematic researches on the features and regularities of criminal risks incurred by enterprises in different industries, business fields and development stages.
With the thriving digital economy and Internet technologies as well as the wide use of personal information, it is evitable for enterprises to access personal information, take advantage of the Big Data and transmit data information through the Internet. In face with this new development, China has strengthened the protection of digital security, network security and personal information through legislation.
On June 1, 2017, the Cybersecurity Law of the People’s Republic of China came into effect; On January 1, 2020, the Cryptography Law of the People’s Republic of China took effect; On September 1, 2021, the Data Security Law of the People’s Republic of China was enacted; On November 1, 2021, the Personal Information Protection Law of the People’s Republic of China became effective. With the promulgation of the aforesaid laws, nine crimes have come into the spotlight including the crime of infringing citizens’ personal information, the crime of unlawful acquisition of data from computer information systems, or unlawful control of computer information systems and the crime of illegally using the information network. Therefore, potential criminal risks are liable to be triggered during the enterprises’ use of data, protection of personal information and network security.
Moreover, the Criminal Law of the People’s Republic of China sets up a “special” crime, which is called the crime of illegal operations. Although it is only a name of crime, more and more illegal acts may fall under this crime. So it is also referred to as the “pocket crime”.
As collated and summarized by the author, a total of 59 “illegal acts in business operation” are regulated under the crime of illegal operations, including 6 acts as stipulated in Article 225 of the Criminal Law, 25 as identified by judicial interpretations/documents and 28 as regulated by industry laws and regulations. The above plethora of illegal acts in business operation falling under “the crime of illegal operations” is likely to bring about criminal risks, which calls for the enterprises’ attention and vigilance.
The Watson & Band website is intended for informational purposes only. Nothing in this site is to be construed as creating an attorney-client relationship between the reader and Watson & Band or as offering legal advice on any specific matter. Since we are not providing legal advice through this website, you should not act upon any information that you might receive here without first seeking professional counsel. No client or other reader should act or refrain from acting on the basis of any information contained in the Watson & Band website without seeking appropriate legal or other professional advice based on the particular facts and circumstances at issue.