1. General remarks
Pursuant to Italian decree 231/2001 (“Law 231”), the commission of certain offenses may entail corporate criminal liability when the offenses are committed by persons representing or managing the company or employees who are subjects to their management and control and the offenses are perpetrated either in the interest of the company or for its benefit.
To avoid corporate criminal liability, companies must (a) establish and effectively implement a specific compliance program suitable to prevent crimes of the same nature as those that occurred prior to their commission (“Model 231”); (b) assign a supervisory board to supervise effectiveness of and compliance with such Models 231 and keep them updated. Additionally, (c) the persons who committed the crime must have done so by fraudulently evading a Model 231 and (d) the supervisory board must have performed adequate oversight of the Model 231.
This means that (i) an effective Model 231 should constitute an obstacle to criminal conduct and individuals may commit offenses by circumventing the precautionary safeguards contained in it, known as “Fraudulent Evasion of Model 231,” and (ii) an entity may be considered liable when the offense is attributable to a flaw in the organization, management, or oversight of compliance programs intended to prevent the commission of such crimes; this type of flaw or defect is known as an “Organizational Fault” (ITA: “Colpa d’Organizzazione”).
Organizational Fault and its meaning have long been a subject of heated debate in the legal community, particularly in relation to:
- the nature of corporate liability, as Law 231 expressly establishes that an entity may not be considered liable if it proves the absence of Organizational Fault. The burden of proof is then transferred from the prosecution to the entity, contravening one of the basic principles of criminal law: the presumption of innocence of the investigated parties.
- the actual exemptive value of an effective Model 231, as it is important to understand whether the adoption and effective implementation of a Model 231 is in and of itself capable of exempting the entity from corporate criminal liability.
Several previous court rulings touch on this subject; below, we analyze two recent judgements of the Italian Supreme Court dealing with the nature of Organizational Fault in the context of criminal compliance programs.
2. Organizational Fault as an element of corporate criminal liability
a) Italian Supreme Court, decision No. 18413/2022
This case concerned alleged corporate criminal liability for failing to prevent personal injury to an employee assigned to a folding and gluing machine, aggravated by violation of workplace safety standards. The court of first instance found the company liable under Law 231 and the Court of Appeals of Venice upheld the conviction. According to the prosecution, the company’s legal representative committed the crime in the interest of the corporate entity, which lacked a Model 231 and a supervisory board dealing specifically with workplace safety. The company filed an application for review before the Italian Supreme Court.
The Italian Supreme Court clarified that the liability of legal entities for predicate crimes consists of the following elements:
- principal-agent relationship between the entity and the person who committed the predicate crime;
- commission of the predicate crime in the interest or to the advantage of the entity;
- Organizational Fault;
- chain of causation linking the predicate crime to Organizational Fault.
Given the requirement of it being in the interest or to the advantage of the entity, corporate liability cannot be construed as liability for the acts of others. It also cannot be construed as strict liability, because an entity can only be held liable on the grounds of Organizational Fault, i.e., for failing to adopt adequate preventive measures. Organizational Fault thus becomes a standard of culpability that cannot coincide with the mens rea of the person who committed the predicate crime. As such, the burden of proof lies with the prosecution, which has to prove all of the above-listed elements in order to establish liability.
On these grounds, the Italian Supreme Court annulled the appellate judgement because it did not sufficiently address the corporate negligence of the company, nor its causal link to the predicate crime. Notably, the court stated that failure to adopt a Model 231 does not, per se, prove Organizational Fault and is therefore insufficient to establish a finding of liability.
b) Italian Supreme Court, decision No. 23401/2022: the Impregilo case
This case referred to the suitability of the Impregilo Model 231 to prevent the commission of market rigging. Impregilo Model 231 provided a specific procedure pursuant to which the preparation of press releases for price-sensitive information was the responsibility of an internal body that reported directly to the chairman of the board and the CEO.
According to the court of first instance, as well as to the Italian Court of Appeals, the failure of top management to comply with this procedure and the subsequent dissemination of false news did not automatically indicate that the Model 231 adopted by the entity was unsuitable to prevent market rigging, since it had been fraudulently evaded by the defendants.
The Italian Supreme Court upheld the decision of the lower courts and established that:
- Organizational Fault may be considered a necessary element for the commission of the offense, and, therefore, the burden of proof lies with the prosecution;
- the commission of a predicate offense does not mean that the Model 231 has not been effectively implemented: in this respect, the risk of the commission of the offense is deemed acceptable when the prevention system cannot be circumvented unless it is evaded by means of fraud. The company may be exempted from corporate criminal liability when the conduct of top management represents a departure from company policy and the crime is the product of a party’s personal and autonomous choice made not as a result of organizational inefficiencies, but despite adequate organization;
- in assessing the suitability of a Model 231, the judge should ideally place themself at the time when the crime was committed and determine its foreseeability and how it might have been avoided;
- judicial evaluation of the effective implementation of a Model 231 should not refer to the whole compliance program, but should simply assess impact of violation of that protective measure along with the risk of a similar type of crime being committed again.
To sum up, the Italian Supreme Court acquitted the entities involved in the two cases because the prosecution alleged Organizational Fault but did not prove it beyond a reasonable doubt. Absent proof of Organizational Fault, a corporate entity cannot be held liable for the commission of a predicate crime by its agents or subordinates.
3. Civil liability of company directors: Oversight failure and failure to adopt Models 231
a) Can companies, shareholders, and creditors claim compensation from directors who should have adopted an adequate Model 231?
Italian case law states that they can.
Specifically, with a decision of February 13, 2008, the Court of Milan established the civil liability of a chairman of the board and managing director of a company because his failure to adopt a Model 231 led to a finding of liability for the company. The court observed that although corporate entities are not, strictly speaking, under an obligation to adopt a Model 231, the decision to do so is part of the overall corporate governance structure and, therefore, is one of the duties of a company director.
While deciding that there is no need to adopt and implement a Model 231 might (and should), to a certain extent, be covered by the business judgement rule, the failure to evaluate such a need is solid proof of mismanagement. The latter is not, however, sufficient grounds to hold a director (or a statutory auditor) liable for harm to the company deriving from failure to adopt adequate preventive measures. To warrant an award of damages, the company (or a qualified number of shareholders, single shareholders, or creditors) would have to plead and prove the following elements:
- misconduct of one or more directors (or statutory auditors);
- harm suffered by the company or a third party (creditor or shareholder) as a result of said misconduct;
- chain of causation linking the harm to the misconduct;
- finally, to establish a finding of liability against the statutory auditors, the parties would also have to plead and prove the auditors’ oversight failure and its causal relationship to the misconduct and the harm.
b) How can the new obligation set forth by Section 2086 of the Italian Civil Code be combined with the adoption of an effective Model 231?
New corporate governance requirements are increasingly common under Italian law; one of the major ones is established by Section 2086, paragraph 2 of the Italian Civil Code, which requires company directors to (i) establish “organizational, management, and accounting structures” appropriate to the type and size of their specific companies that can detect potential business crises and the loss of status as a going concern in a timely manner; and (ii) adopt and implement the relevant tools provided by law to overcome such crises and restore company business so that it again achieves the status of a going concern.
Effectively organizing a company pursuant to section 2086 of the Italian Civil Code, as well as for Model 231 compliance purposes, means implementing a set of corporate oversight and information channels for preventing all possible risks that may be related to both insolvency and criminal liability. Indeed, if insolvency does occur, top management may be considered civilly liable for not having adopted the structure provided by section 2086 of the Italian Civil Code, but the company may also be considered criminally liable should it turn out that a predicate offense indirectly connected to insolvency (e.g., tax crimes, false accounting) was committed by its associates.
This means that assessment of the effectiveness of organizational, management, and accounting structures, as established by section 2086, second paragraph of the Italian Civil Code, should also consider (i) the features of the Model 231 effectively implemented by the company and (ii) cooperation, in terms of exchange of information concerning business crisis red flags, between the supervisory board and internal and external auditors and corporate bodies.
 Corporate Criminal Liability is set forth by Legislative Decree No. 231/2001 (“Law 231”).
 Court of Milan, February 13, 2008, No. 1774.
 New corporate governance requirements are increasingly common in Italian law. For more information on the corporate governance requirements introduced by the New Insolvency Code, see our article on The new provisions of Section 2086 of the Italian Civil Code and Directors’ liability in establishing a company’s organizational, administrative and accounting structure.
 For more information on the intersection of the obligation provided in Section 2086 of the Italian Civil Code and Model 231 compliance programs, please see our article on Risk prevention-based regulation: the importance of compliance programs in the context of the new insolvency code.