
Ensure compliance programs keep up with new corporate criminal offenses

The goal of recent law reforms in many jurisdictions is to make it easier to hold businesses to account for offenses committed by their directors, employees, agents and other associated parties, a corporate criminal liability risk that has been developing over several years.

This means that any analysis of corporate exposure following allegations of misconduct should factor in the jurisdictions involved, and the risk of corporate (and individual) liability. Businesses should reduce their financial crime risk and maximize their chance of successfully mounting a “reasonable procedures” defense, where applicable, by implementing an effective compliance program.

New laws specifically aimed at making it easier to prosecute businesses

A continuing trend in recent years is the expansion of corporate criminal liability. Many jurisdictions are introducing new offenses and expanding the scope of existing laws to hold companies accountable for a broader range of misconduct. For example, in the past 12 months:

  • The UK’s new corporate criminal offense of “failure to prevent fraud” came into force on September 1, 2025. The offense applies to large UK and non-UK businesses that fail to prevent fraud by an associated party, with only one defense of having “reasonable procedures” in place to prevent fraud. The offense has broad extra-territorial reach.
  • In China, there has been reform to anti-bribery legislation and new predicate offenses under China’s anti-money laundering regime, with implications for corporate and individual liability, particularly when dealing with state-owned companies.
  • In Hong Kong there are new corporate criminal offenses relating to cybersecurity that are relevant to providers of critical infrastructure, including energy, IT, banking and financial services, transport, healthcare and telecoms, as well as major sports and performance venues.
  • Significant reform of the UAE’s AML laws was enacted in October 2025, including new predicates and substantive offenses for corporates and individuals.
  • The Australian corporate offense of failing to prevent an associate from bribing a foreign public official has been bolstered by a new multidisciplinary taskforce aimed at investigating foreign bribery.
  • In Italy, legislative reforms expanded the exposure of corporations to criminal investigation through new environmental predicate offenses and AI-related aggravating circumstances across several criminal offenses, including market manipulation and insider trading committed using AI systems. There are also plans to reform the concept of organizational fault, how compliance programs are assessed, parent company liability for offenses committed by a subsidiary, supply chain compliance certification, and sanctions offenses.
  • A new Belgian Criminal Code effective April 2026 is expected to increase corporate liability.
  • France has introduced a new tax offense aimed at businesses that offer tools to conceal income or assets.
  • Across the EU, Member States are implementing the EU Sanctions Crime Directive (Directive (EU) 2024/1226), which widens corporate criminal liability and director liability for breaches of EU sanctions. Read more about how EU sanctions enforcement is on the rise.

Note that in the U.S. the trend has been the opposite, with a move away from so-called ‘general corporate malfeasance’ and a focus instead on individual accountability. However, U.S. multinational businesses should be aware that corporate criminal liability risk remains in other jurisdictions.

Looking ahead:

  • Harmonization of corruption standards across the EU will lead to new corporate criminal offenses being introduced. The text of a new EU Directive on Anti-Corruption was agreed at the end of 2025. It contains new minimum standards for defining punishable corruption offenses, including bribery in the public and private sectors, and stipulates far-reaching sanctions for individuals and companies. Legal entities will be held liable for corruption offenses committed by persons who have “a leading position.” In addition to liability for active corruption, a breach of supervisory duties on the part of the person who has the leading position would be sufficient for the company to be held liable. Member States will have to impose tough penalties, e.g., fines with a maximum limit of not less than 5% of a company’s total worldwide turnover. A good compliance program will be a mitigating factor. The Directive will present a significant expansion in Member States which do not currently have a well-developed concept of corporate criminal liability. Many of the features of the Directive will be familiar to multinationals that have aligned their ABAC compliance programs with jurisdictions that have more developed corporate criminal liability regimes, such as the U.S., the UK, and France.
  • The EU’s AML Package is expected to establish more stringent standards for sanctions and AML compliance, becoming directly applicable in the EU from mid-2027.
  • In the UK, there is a proposed expansion of the “senior manager” test for corporate criminal attribution, which, since the end of 2023, has applied a lowered threshold for determining whose acts can be attributed to the company for liability purposes, but only for economic crimes. Draft legislation currently before the UK Parliament proposes to extend the test to all crimes. Read about the potential impact of this proposed change, and what businesses would need to do to be ready for it.
  • In Germany, the legislature plans to increase the statutory maximum for corporate administrative fines from EUR10 million to EUR40 million for intentional criminal offenses, and from EUR5 million to EUR20 million for negligent criminal offenses.

Check that compliance programs are keeping up

A robust and effective compliance program will:

  • reduce the risk of corporate crime occurring;
  • detect misconduct and act as a potential defense should misconduct occur; and
  • be considered by an enforcement authority in deciding whether to prosecute and/or mitigate the penalty imposed.

In some sectors, authorities have been willing to prosecute businesses for failures in compliance programs, even where there is no actual loss shown to customers or investors. For example, in the UK in the financial services sector, businesses have been prosecuted for deficient AML or sanctions systems and controls. In the U.S., banks have been fined for failing to keep adequate records due to the use by employees of “off-channel” communication tools such as WhatsApp. There has also been an increase in aiding-and-abetting claims against banks for fraud committed by customers due to purportedly lax compliance controls.

“Updating corporate compliance programs is crucial for ensuring that organizations remain compliant with evolving legal and regulatory landscapes.”

Here are some top tips for corporate compliance officers:

  1. Conduct comprehensive risk assessments: Regularly perform thorough risk assessments to identify potential areas of vulnerability within the organization. This includes understanding how different types of misconduct could manifest in your specific business context. Use the risk assessment to inform and update policies and procedures, including training requirements.
  2. Stay informed of legislative changes: Keep abreast of new laws and regulations that impact your industry. In most of the jurisdictions surveyed for the A&O Shearman white collar crime and investigations review, there have been law reforms in the past year relevant to compliance programs. Compliance officers should ensure that their programs reflect these new requirements.
  3. Enhance data protection and cybersecurity measures: With the increasing focus on data protection and cybersecurity, compliance programs should include robust measures to protect sensitive information. There are even stricter rules in some countries for critical infrastructure providers, with steep criminal fines for violations.
  4. Implement effective whistleblowing mechanisms: Ensure that there are clear, accessible, and confidential channels for whistleblowers to report misconduct. Compliance programs should include training for staff on how to manage whistleblower reports and protect whistleblowers from retaliation.
  5. Strengthen internal investigation protocols: Develop clear protocols for conducting internal investigations to ensure they are thorough and legally compliant. Ensure that investigations are documented properly and that there is proper consideration of how findings are recorded and communicated. See our articles on internal investigations and the use of AI to find facts.
  6. Leverage technology for compliance monitoring: Consider using advanced technology and data analytics to monitor compliance and detect potential issues early. Early detection will enable a company to decide to self-report promptly, which is a key factor for obtaining a declination under the U.S. DOJ’s Corporate Enforcement Policy. Additionally, the U.S. DOJ signaled in its Evaluation of Corporate Compliance Programs (ECCP) that compliance functions are expected to be data-driven and have access to relevant sources of data and data analytics tools to monitor for non-compliance. The UK FCA’s investment in data analytics for market monitoring and the use of the Consolidated Audit Trail (CAT) by U.S. regulators to identify trading patterns are examples of how the authorities are already using data to identify misconduct.
  7. Ensure compliance keeps up with innovative technologies being used in the business: As well as using data analytics to monitor compliance, the compliance functions must also assess the potential impact of new technologies on the business, such as AI, and implement governance structures to manage these risks. Again, from the U.S. DOJ’s ECCP, prosecutors will consider whether a company has considered and mitigated the risks of new and emerging technologies, including (but not limited to) AI. The compliance program should also monitor how the technologies used by the business are being described externally to ensure statements are accurate and not misleading.
  8. Regular training and awareness campaigns: Conduct regular training sessions and awareness campaigns to keep employees informed about evolving compliance requirements and the importance of adhering to them. Ensure that the risk assessment is used to inform who is trained on what, and how often. Gather data on training completion rates and follow up with appropriate sanctions if necessary.
  9. Engage with external experts: Consider engaging with external legal and compliance practitioners to gain insights into best practices. They can provide valuable perspectives on emerging risks, sector insight, and regulatory expectations.

A&O Shearman’s market-leading white collar defense and global investigations practice is able to advise on all aspects of corporate liability and compliance programs. Please contact one of the authors of this article or your normal A&O Shearman contact. 

This article is part of the A&O Shearman cross-border white-collar crime and investigations review 2026.
