Client Alert

Protecting Companies in a Challenging Environment: Compliance Programs Under Italian Law—the New 2014 Guidelines of Confindustria

December 23, 2014



In July 2014 the Italian Ministry of Justice approved a revised version of the guidelines on the adoption and implementation of compliance programs, issued by the Italian Confindustria[1] in March 2014 (hereinafter the “2014 Guidelines” or the “new Guidelines”).

Under Italian Legislative Decree No. 231 of 2001 on corporate liability (hereinafter the “Law 231”), a corporation shall be considered liable for the commission of crimes listed in Law 231 by one of its managers or employees, if prior to the commission of the crime it did not adopt and efficiently implement an adequate compliance program (the so-called Law 231 model) to prevent the execution of those crimes.

The further element required for there to have been a breach of Law 231 is that such potential crime was committed for the benefit for the company potentially deriving from the criminal behaviour, but regardless to its material exploitation.[2]

Corporate compliance programs have been increasing in importance, because Law 231 exempts a company from liability if it can be demonstrated that the compliance model in question was correctly adopted and implemented.

Following the entry into force of Law 231, the knowledge of the matters and of how these affect the company’s operating on a domestic or a transnational level, has undergone major developments. Judges, prosecutors, and legal experts have worked to bring the significant elements of the revised guidelines to wider attention.

Since the principles of Law 231 do not include a fixed applicable program for all companies, but make specific reference to the industries model approved by the Ministry of Justice, the 2014 Guidelines give operators a useful instrument to achieve compliance with the law and therefore the conditions for exemption from liabilities under Law 231.

I. The 2014 Guidelines: The Main New Features

The 2014 Guidelines highlight the importance of a clear and consistent system of delegation of functions[3], examine the responsibility thresholds (distinguishing between whether the crime was committed with fraud or negligence), stress the key role of the disciplinary sanctions, and explain the different levels of liability in the context of groups of companies.

The 2014 Guidelines also describe in detail the new crimes that have been introduced in Law 231 following the previous version of the guidelines (which dated back in March 2008) including computer crimes, transactional organized crimes, environmental crimes and the exploitation of illegal immigrants.

Finally, in accordance with the Italian Courts, which ruled that the program has a self-normative value on the basis of which it is possible to weight the company’s liability,[4] the new guidelines stress that effectiveness, specificity and dynamism are structural characteristics of compliance programs.[5]

The 2014 Guidelines are extremely innovative in introducing a specific section regarding the corporate liability and the compliance programs of groups of companies, which have been totally revised in light of the recent positions assumed by Italian and international Courts and doctrine.

II. Groups of Companies and Compliance Programs

A number of Law 231 cases have regarded groups of companies. Where more than one company of the group are involved, Italian case law considered relevant the parties in whose interest the crime was committed, in order to identify which company (of the group) was liable pursuant to Law 231.[6]

The new Guidelines ratify Italian case law and stress that in connection with corporate liability the main issue is to identify the conditions under which each corporation of the group (including holding companies and subsidiaries) may be considered liable under Law 231, and then give recommendations regarding the characteristic of the compliance programs to be implemented by each company of the group.

The 2014 Guidelines underline that a holding company is not always responsible for the crimes committed by its subsidiary, and it can be considered liable for a crime committed by an individual of its subsidiary, only if the holding company itself has received a direct or indirect benefit.[7]

The conditions under which a holding company may be considered liable under Law 231 are as follows:

  • A crime listed in Law 231 has been committed by a top individual/employee of a subsidiary in the interest or to the advantage of its holding company; and

  • Individuals connected to a holding company took part in the commission of the crime, for example when: (i) the crime is the consequence of the illegal instructions issued by the top individuals of the holding company, or (ii) the top individuals of the holding company and of the subsidiary are the same people (so-called “interlocking directorates”).

The 2014 Guidelines recommend that a group of companies adopt compliance programs balancing the independence of each entity of the group with the opportunity to implement a common ethical style and shared standards of compliance.

In accordance with such framework, each company of the group, being an independent entity and therefore a subject of Law 231’s requirements, should be required to implement a specific organizational model, as well as to appoint its own supervisory body.

On the other hand, a holding company could implement general compliance guidelines applying to the group, but without limiting the power of each subsidiary to implement its tailored organizational model. In addition, such holding company could lay down the structure of the code of ethics, the general principles for the disciplinary system and the protocols to be applied and implemented by each company of the group.

Moreover, the organizational model of the holding company should take into consideration the procedures implemented by its subsidiaries as well as the activities that are carried out on a shared level. On the basis of the specific characteristic of the group, it could be useful to implement certain policies and protocols at the group level (e.g. in the field of cash pooling).

The 2014 Guidelines recommend that the supervisory bodies of the companies of a group develop a system that enables them to share promptly key information (e.g. the activities planned, the actions concretely implemented, any issue which has emerged, etc.), through, for example, periodic reports or meetings.

III. International Groups of Companies

The 2014 Guidelines highlight that international groups present a specific Law 231 risk profile, due to the geographic dispersion of their business, the decentralization of the decisions, the complexity of the operations involved, the possibility that the crimes involve farther-reaching areas, and greater difficulties in pursuing claims.

In particular, the new Guidelines specify that in such international contexts:

  • The code of ethics should include ethical standards that take into consideration the characteristics of the business;

  • The top individuals and the employees who have contacts with foreign countries in conducting their corporate duties should receive effective training that covers the relevant applicable law of foreign countries; and

  • The protocols should take into considerations the specific international profiles of the group.

Transnational groups should implement compliance programs in compliance with all national and international laws applicable to the business of the group.


The 2014 Guidelines represent a key instrument for corporations conducting their business in Italy, because they contain an important set of recommendations which aim to tailor best practice 231 compliance programs to all companies.

Group companies are required to implement both policies of general principles at a group level and specific policies of practical protocols at the level of each company of the group.

International groups have a specific Law 231 risk exposure and are strongly required to include in their compliance programs a reference to the foreign laws that are applicable to their international business.

As illustrated in this article, a compliance program is a strategic tool that a company could adopt to prevent crime as well as to avoid being pursued under Law 231, and the 2014 Guidelines supply corporations with flexible instruments capable of being quickly and efficiently adopted by all companies.


[1]   The National Confederation of Italian Industries.

[2]  In particular, if the offences are committed by the top management of the company, corporations will not be held liable if they prove that: (i) before the offence was committed, the company adopted and effectively implemented an appropriate compliance program capable of preventing the commission of unlawful acts; (ii) they charged a supervisory body, having independent powers of initiative and control, with the task of supervising the implementation and updating of the compliance program so as to bring the business activities performed by the legal entity in line with the law; (iii) the persons who committed the offences acted fraudulently by evading the compliance program; and (iv) the supervisory body was not negligent to its duties.

If the offences are committed by employees, corporations are liable if such offences were committed due to a non-compliance with management and control obligations.

The corporation can be exonerated from liability even where the individual offenders acted solely in their own interest or on behalf of third parties and not in the interest of the corporation.

[3]  The 2014 Guidelines highlight the importance of a system of delegated functions implemented in compliance with certain key standards specifying that some powers may be delegated to other individuals, provided that the instrument of proxy defines in advance the specific business areas for which the risk management of potential crimes is attributed. It is appropriate that the instrument of proxy is prepared in accordance with legal requirements; clearly identifies the delegates, their functions, powers and competences; sets the spending limits for each area of risk management; provides solutions aimed at control of delegates; provides sanctions in case of regulation infringement; respects the principle of segregation; and respects the internal regulations of the company. The 2014 Guidelines also stress that it might be advisable to constantly update the system of delegation of functions and periodically check their compliance to the company structure. Particular issues arise in regard to the delegation of the risk management inherent to environmental matters, which unlike the general delegation of functions, does not have a specific regulation. For this reason, a sort of status may be settled by judgments’ indications. With reference to the rulings of the Courts, the environmental delegation is valid under the following conditions: (i) precise indication of the delegated powers; (ii) dimensions of the company; (iii) technical skills of the delegate; (iv) financial and managerial autonomy of the delegate; and (v) express acceptance of the delegate. Despite the peculiarities of the environmental delegation, the general principles supplied by the judgments concerning the delegation of functions are applicable. This means that in case of organizational deficiencies, the leaders of companies are to give support to the inferior structures, even though this does not involve their automatic liability for failure to control.

[4]   Court of Milan, December 28, 2011.

[5]    Court of Milan, order of October 28, 2004 (Siemens AG); Court of Naples (Judge for Preliminary Investigations, order of June 26, 2006), according to which the program shall be based on: (i) the establishment of specific procedures that give rules in connection with the so-called risk areas; (ii) a specific control system to verify the use of implementation of such procedures; and (iii) appropriate and specific sanctions to prevent the violation of the procedures.

[6]   Italian Supreme Court, January 18, 2011, No. 24583 (Tosinvest).

[7] Italian Supreme Court, December 20, 2013, No. 2658 (Ilva).

Paul Hastings LLP
StayCurrent is published solely for the interests of friends and clients of Paul Hastings LLP and should in no way be relied upon or construed as legal advice. The views expressed in this publication reflect those of the authors and not necessarily the views of Paul Hastings. For specific information on recent developments or particular factual situations, the opinion of legal counsel should be sought. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions. Paul Hastings is a limited liability partnership. Copyright © 2014 Paul Hastings LLP.

Click here for a PDF of the full text

Practice Areas


Get In Touch With Us

Contact Us