Limits to compliance officers’ criminal liability in Brazil: the role of compliance in the society of risk

Wednesday 14 September 2022

Vinícius Cim

LeFosse, Sao Paulo



Modern society is a society of risk. This phenomenon was first described by Ulrich Beck as a consequence of modern society. According to Beck, risk is omnipresent because society is increasingly occupied with debating, preventing and managing risks that it has itself produced.[1] One of the consequences of the risk society phenomenon is the development of new criminal doctrines which seek to maximise prevention in the face of new criminal threats (‘criminal law for risks’). One of these threats is the increase in transnational financial crimes, including corruption. The response to the new threats has been to increase global anti-corruption enforcement.

In the context of international efforts to prevent and fight against corruption, some jurisdictions are enacting laws and regulations which encourage companies to adopt compliance programmes to manage their own risks and prevent misdeeds in their activities. Compliance is a state intervention into corporate risk management that entrusts the detection and prevention of crime to private companies. These companies are now responsible for overseeing, detecting and preventing their own criminal risks, in a system called regulated self-regulation. From a criminal standpoint, compliance failures may lead to criminal consequences for the company’s management body. In this sense, under certain circumstances, directors, managers and employees may face criminal liability for offences related to the business, even if not committed by them directly.

In Brazil, the Brazilian Criminal Code (BCC) and other related criminal laws[2] impose criminal liability on individuals for wrongdoings.[3] When a misdeed is committed by individuals, such as directors, managers or employees, within their legitimate occupations and for their employing organisation’s benefit or interest, the conduct is classified as a corporate crime. Corporate crimes may be detected and prevented by means of an effective compliance programme.

Under criminal law, compliance is a criminal liability anticipation model. It gives rise to a criminal liability chain and enables the correct identification of criminal conduct within business.[4] Those who intervene in the criminal causal chain through unlawful behaviour may face criminal liability.[5]

Considering the compliance officer’s position as the ‘last stand’ against criminal acts in a business, is the officer a guarantor with respect to criminal practices? If so, could such an officer be held liable for criminal acts committed by third parties, such as employees, for the company’s benefit?

Bearing in mind their role as the officer in charge of the compliance programme, this article delineates some required aspects of the compliance officer’s criminal liability and its position in the criminal liability chain under Brazilian criminal law.

The guarantor position in corporate structures

As described above, modern society brings new threats and calls for a proper response to such risks. Companies take on permitted risks to carry out their activities. From a risk standpoint, the company turns into a ‘source of danger’ regarding permitted risks arising from its activities. The BCC provides special duties of watchfulness and protection for individuals who take control over the source of danger in corporate structures.[6] These individuals are called guarantors. Under Brazilian criminal law, the guarantor position arises from: (1) a legal provision; (2) an assumption of the responsibility to avoid the misdeed; or (3) the individual having knowingly created a criminal risk. For the purpose of this article, the analysis is based on the hypothesis of an assumption of the responsibility to avoid the misdeed in a corporate context.

In corporate structures, the guarantor must manage all criminal risk arising from the company’s activities under their oversight. This includes those risks arising from employee and third-party conduct relating to the business. The guarantor may comply with their role by means of a certain authority and position of oversight over other individuals – such as employees and third parties – whose conduct may give rise to criminal risks.

The roles and authority attached to a corporate position determine its holder’s status as guarantor. Above all, it is mandatory that the source of danger is under their supervision. In this sense, the company’s shareholders are the main guarantors of misdeeds committed in the interest of the company.[7] This is an obvious conclusion since they have broad control over the business.[8]

However, it is natural and expected that the shareholders entrust the company’s management to other individuals: its officers and managers. If the company’s management may be entrusted to officers, then consequently so must the control of the source of danger. Therefore, the guarantor position may be entrusted to other individuals by reason of the strict separation of spheres principle. When corporate roles are separated into different departments (horizontal segregation of labour),[9] each department is responsible for managing its own risks (such as the compliance area and the company’s corruption risks). By virtue of its roles and duties, the company’s management body becomes a secondary guarantor. In this case, the management body assumes responsibility for the same duties as the primary guarantor with respect to those risks under its supervision.

The authorship by guarantor’s position doctrine

Brazil does not have strict criminal liability. Removing the limits of criminal liability in the context of corporate crimes is challenging because of its complexity. Several doctrines have been studied and developed to establish conditions for the liability of individuals regarding corporate crimes, such as direct and indirect conduct, assistance, omission and risk-taking.

One of the criminal doctrines adopted in the BCC to impose criminal liability on those individuals who are in a leadership position and are involved in corporate crimes is the authorship by guarantor’s position doctrine. This doctrine was inspired by German law, which combines elements of conduct and omission. It turns different offences into special management crimes.[10] The doctrine is covered in Article 13, s2(b) of the BCC[11] and imposes criminal liability for nonfeasance of a duty of which the guarantor was previously aware and which the guarantor formally assumed.[12]

Under Brazilian criminal law, the guarantor must have the ability and opportunity to act and, at the same time, must choose to commit a nonfeasance on purpose. The nonfeasance must be related to a situation that the guarantor should oversee. For this reason, a link is required between the third party’s conduct, the misdeed and the guarantor’s nonfeasance. The law highlights that it is not necessary for the guarantor to commit a misdeed directly. Criminal liability must fall on those individuals in a guarantor position who have failed to behave in the necessary and required way to avoid a harmful result.

The compliance officer’s criminal liability

As described above, some directors, managers and employees are guarantors because they have a special duty of oversight and protection related to certain criminal risks in the business. In certain conditions, the compliance officer – as a guarantor – may bear criminal liability under the authorship by guarantor’s position doctrine.

When taking on the compliance role, the compliance officer voluntarily takes on the legal duty concerning certain criminal risks in the business by means of an employment agreement. The shareholders, on behalf of the company, entrust to the company’s management the duty of oversight over all business risks. When management implements a compliance programme in the company, it entrusts to the compliance officer the duty of oversight over certain criminal risks, as well as other risks that fall under compliance area management. Thus, the compliance officer may be a guarantor of certain criminal risks in the company and, consequently, may bear criminal liability in the case of failures in the compliance role.

To assess the compliance officer’s criminal liability, the company must meet certain conditions. First, the company must have implemented a structured and effective compliance programme based on three main concepts: detection, prevention and response. The compliance programme must also meet the minimum standards foreseen in the Brazilian anti-corruption laws and regulations, such as the requisites foreseen in the new Decree No 11,129/2022. One of the main requisites is that the compliance area has independence, autonomy and adequate resources to comply properly with its roles. Thus, the compliance officer must also have broad powers to act in their position.

Simultaneously, the compliance officer must be aware of all risks under their oversight. This means that the company must have its criminal risks properly assessed and classified into severity/probability criteria.

A detailed analysis concerning the effectiveness of the compliance programme is thus mandatory. Failures in its structure or the lack of top support limit the liability of the compliance officer.[13] In this case, the compliance officer is not able to oversee or to avoid misdeeds. The ability to act and due control over the source of danger are required for criminal liability under the authorship by guarantor’s position doctrine.

Under Brazilian criminal law, as a condition of the compliance programme’s effectiveness, it is expected that the compliance officer adopts all possible, required and expected measures to prevent and avoid misdeeds related to the business. Therefore, if the compliance officer knowingly commits a nonfeasance, they may face criminal liability due to violations of their duty as guarantor.



[1] Ulrich Beck, ‘Living in the world risk society’ (2006) 35 (3) Economy and Society 329.

[2] Such as: Law No 9,613/1998 (anti-money laundering), Law No 8,137/1990 (tax crimes) and Law No 7,492/1996 (financial crimes).

[3] In Brazil, only individuals may be held criminally liable for wrongdoings, with very few exceptions specifically provided by law. Legal entities may still face criminal liability only for environmental crimes.

[4] Thomas Rotsch, ‘Criminal compliance’, Revista para el análisis del derecho, Barcelona, n 5, p 619, Jan/2012.

[5] Heloisa Estellita, ‘Responsabilidade penal de dirigentes de empresas por omissão’, São Paulo: Marcial Pons, 2017, pp 54-55.

[6] Joana Siqueira, ‘Limites da responsabilidade penal por omissão imprópria’, www.jota.info/opiniao-e-analise/colunas/penal-em-foco/limites-da-responsabilidade-penal-por-omissao-impropria-03032022, accessed 31 August 2022.

[7] Andrei Zenkner Schmidt, ‘Direito Penal Econômico: Parte Geral’, Porto Alegre: Livraria do Advogado, 2015, p 177.

[8] Renato De Mello Jorge Silveira and Eduardo Saad Diniz, ‘Compliance, direito penal e lei anticorrupção’, 1st edn, São Paulo: Saraiva, 2015, pp 129–130.

[9] Jesús-Maria Silva Sanchez, ‘Deberes de Vigilancia y Compliance empresarial’, in Lothar Kuhlen, Juan Pablo Montiel and Íñigo Ortiz de Urbina Gimeno (org), Compliance y teoría del derecho penal, 1st edn, Madrid: Marcial Pons, 2013.

[10] Heloisa Estellita, ‘Responsabilidade penal de dirigentes de empresas por omissão’, São Paulo: Marcial Pons, 2017, p 62.

[11] Art 13: ‘The result, on which the existence of the crime depends, can only be attributed to those who caused it. The cause is considered to be the action or omission without which the result would not have occurred.’ s2: ‘The omission is criminally relevant when the agent should and could have acted to avoid the result. […]’.

[12] Gustavo Britta Scandelari, ‘As posições de garante na empresa e o criminal compliance no Brasil: primeira abordagem’, in Décio Franco David (org), Compliance e Direito Penal, São Paulo: Atlas, 2015.

[13] Luís Greco, et al, ‘Autoria como domínio do fato: estudos introdutórios sobre o concurso de pessoas no direito penal brasileiro’, São Paulo: Marcial Pons, 2014, p 150.