Personal Liability for Inadequate Anti-Corruption Controls


By Geert Vermeulen
ECMC: Ethics & Compliance Management & Consulting

Ten years ago, the OECD launched its Anti-Bribery Recommendation, and the OECD Working Group on Bribery thought it was time to have it reviewed and updated. So, they asked for the views of major stakeholders in the fight against foreign bribery by launching a consultation document that contained just over 50 questions. And while the Recommendation is still a pretty good, concise and comprehensive document, there have indeed been a couple of new developments and we have gained some more insights. My company ECMC, therefore, responded to the consultation document. In this post, I highlight one of the recommendations that we made.

We propose to make it possible for a member of top management to be held personally liable in case the organization has not addressed the bribery and corruption risk properly. We use two examples from our practical experience to illustrate why this will help the fight against bribery and corruption.

In the first case, we tried to convince the CFO of a listed, European multinational that the company should invest in conducting third-party due diligence. When we were asked why the company should dedicate its scarce resources to that, we indicated that research has shown that in 75% of the corruption cases, the bribes were paid through intermediaries. Conducting third-party due diligence would, therefore, reduce the bribery and corruption risk and also reduce the risk of being prosecuted by the authorities or getting involved in lengthy settlement negotiations with a government, causing a lot of legal and investigative costs and valuable management time wasted on problems. We added that this was also the right thing to do and could prevent reputational damage to the company and to the CFO personally. The next question we received was how many CFOs had gone to jail in this European country for failing to invest in a due diligence program. We had to admit that no CFO ever went to jail for that. The conclusion of our discussion was that no investments were made in third-party due diligence.

In the second case, external counsel had convinced the CFO of a listed US multinational that the CFO could be held personally liable because she had signed the ‘in control’ statement under the Sarbanes-Oxley legislation. Investigations had revealed that suspicious payments had been made, so apparently the internal controls had not been working properly, and as the CFO had signed the ‘in control’ statement, the CFO could be held personally liable under the Sarbanes-Oxley legislation. The outcome of this discussion was that the CFO granted the compliance department unlimited budget to fix the problem. By the way: does anybody know why this scenario has never occurred in real life so far?

These two anecdotes illustrate that personal liability is a game-changer, and therefore ECMC recommended that the OECD countries introduce something like the senior managers’ regime in the UK financial services industry, where a senior manager is appointed who ‘owns’ a certain risk, in this case the bribery and corruption risk. This person can then be held personally liable in case bribery or corruption takes place and the senior manager had not taken sufficient measures (or adequate procedures, internal accounting controls or whatever you want to call it) to prevent this from happening. Under the French Loi Sapin II, directors can also be held personally liable for having an insufficient anti-corruption program. We are not entirely sure though whether the maximum penalty per person of EUR 200.000 under Sapin II is high enough.

In recent decades, we have seen plenty of cases where multinationals have agreed to pay multi-million dollar fines because the organization had paid substantial bribes in the past, while there were hardly any consequences for the top management under whose watch the corrupt practices took place. The average citizen does not understand why this should be the case; it generates a lot of public anger. It creates the impression that top managers receive the benefits of unethical behavior in the form of higher performance-related bonuses, while there is hardly any downside for them personally if the company gets caught.

So, our suggestion would be: create the obligation that a senior manager, preferably an executive board member, has to sign an annual statement confirming that the organization took adequate measures to combat bribery and corruption, and hold this individual personally liable in case this statement appears to be incorrect.

Should the Chief Ethics and Compliance Officer sign this statement? Well, normally I would prefer that it is the CEO or CFO of a company, somebody who determines the tone from the top and decides about the authority and the budget of the compliance function. But if you are going to be asked to sign this statement, you had better make sure that you have a seat at the table and that your authority and budget are well secured, or refuse to sign.

Are you curious about the other recommendations that ECMC made? Send an email to and we will send you the full report.