Criminal law in the European Union is an area that still falls within the remit of each Member State. Hence, the rules on whether or not a corporate can be criminally liable and on the criminal sanctions in the event of liability vary according to the relevant Member State, including in areas that concern the transposition of EU Directives (for instance on financial services and banking) that require Member States to establish sanctions.

Having said that, there is a variety of EU authorities and regulators that, albeit strictly speaking active in the regulatory and administrative field, have far-reaching investigative and sanctioning powers as well. These powers often do not differ significantly from those of criminal authorities. Because of the nature and effects of the measures taken and sanctions imposed by regulators on the corporates and individuals (e.g., senior management) affected by them, these persons often benefit from the same fundamental rights and guarantees under EU and national law that apply to purely criminal sanctions.

Well-known examples of such regulatory authorities are the EU competition authorities (which wield powers across all sectors and areas of economic activity) and the EU financial and banking regulators (which supervise, investigate and sanction the conduct and activities of financial services providers, including banks).


i EU competition law: the example of leniency

Undertakings are not obliged to self-report when they discover an internal wrongdoing that could constitute a competition law infringement. They may, however, voluntarily opt to do so in competition cases to benefit from a leniency programme.

Under EU competition law, the conditions and benefits of leniency applications are enumerated in the Commission Notice on immunity from fines and reduction of fines in cartel cases (Commission Leniency Notice).2 Undertakings that are part of a cartel can apply for leniency. By contrast, abuses of dominant position, vertical agreements and horizontal agreements that are not cartels within the meaning of the Commission Leniency Notice cannot benefit from the leniency programme.

Leniency is granted on a first-come, first-served basis. If an undertaking or association of undertakings wants to obtain full immunity from fines, it must be the first to submit information and evidence that enables the European Commission to carry out a targeted inspection or to establish an infringement. A company that does not qualify for full immunity can apply for a reduction of the fine if it provides evidence that represents significant added value to the evidence already in the possession of the European Commission. In all cases, the leniency applicant must also end its involvement in the alleged cartel (except when the European Commission decides otherwise to preserve the integrity of the inspections), cooperate fully and expeditiously with the European Commission throughout its investigation, and provide all evidence in its possession. The applicant may not destroy, falsify or conceal any evidence relating to the alleged cartel, either prior to the submission of the application or during the investigation.

In assessing whether the conditions for leniency are satisfied, the European Commission enjoys a margin of discretion.

A company cannot be certain whether the competition authorities will consider the information provided to be sufficient to qualify for immunity or fine reduction. Also, leniency applications, under European competition law, provide no protection against private law claims for damages from customers or competitors.

Under the Antitrust Damages Directive,3 final decisions by the competition authorities constitute irrefutable proof of fault in private damage claims. The Antitrust Damages Directive also facilitates disclosure of evidence. However, leniency statements are shielded from requests from disclosure. Other documents in the investigation file may be disclosed, albeit that the court must balance the interests of the victims with the interest of effective public enforcement of competition law (i.e., keeping the leniency programme attractive for undertakings).

ii EU financial services and banking: the example of whistle-blowing

At the EU level, various pieces of legislation in the areas of financial services generally and banking specifically contain rules on the establishment of mechanisms for the reporting of infringements, commonly known as whistle-blowing. These mechanisms typically have an internal dimension (i.e., procedures for the reporting by employees to their employer of possible infringements) and an external dimension (i.e., procedures with the regulators for the reporting by employees or other persons that deal with financial services firms or banks of possible infringements to the regulators).

Thus, for instance, Article 32 of the EU Market Abuse Regulation4 requires Member States to ensure that the respective national administrative authority that is competent for market abuse infringements establishes effective mechanisms to enable reporting of actual or potential infringements of this Regulation. These mechanisms must include at least:

  1. specific procedures for the receipt of reports of infringements and their follow-up, including the establishment of secure communication channels for such reports;
  2. within their employment, appropriate protection for persons working under a contract of employment, who report infringements or are accused of infringements, against retaliation, discrimination or other types of unfair treatment at a minimum; and
  3. protection of personal data both of the person who reports the infringement and the natural person who allegedly committed the infringement, including protection in relation to preserving the confidentiality of their identity, at all stages of the procedure without prejudice to disclosure of information being required by national law in the context of investigations or subsequent judicial proceedings.

In the same context, the Market Abuse Regulation also obliges Member States to require employers who carry out regulated activities to have in place appropriate internal procedures for their employees to report infringements of the Regulation.

Finally, the Market Abuse Regulation allows Member States to provide for financial incentives to persons who offer relevant information about potential infringements of the Regulation to be granted in accordance with national law where those persons do not have other pre-existing legal or contractual duties to report the information. The conditions for the provision of these incentives are that (1) the information is new, and (2) it results in the imposition of an administrative or criminal sanction, or the taking of another administrative measure, for an infringement of the Regulation.

A similar requirement to establish internal and external whistle-blowing mechanisms is also provided for in other EU legislation, such as, for instance, in relation to MiFID II,5 undertakings for collective investment in transferable securities (UCITS),6 insurance distribution7 and packaged retail and insurance-based investment products (PRIIPs).8

Finally, the same requirement exists in relation to the activities and supervision of credit institutions. The details of this requirement are laid down in Article 71 of the 2013 EU Banking Directive.9 The whistle-blowing mechanism to be established thereunder is to encourage the reporting of potential or actual breaches of both the national provisions implementing the 2013 EU Banking Directive and the 2013 EU Banking Regulation.10

As regards credit institutions in the eurozone, the European Central Bank (ECB) obviously has an essential supervisory role to play, being at the helm of the Single Supervisory Mechanism (SSM). As the competent authority within the meaning of the aforementioned Article 71, the ECB has set up a 'breach-reporting mechanism'. The rules and procedures governing this mechanism are laid down in Articles 36 to 38 of the SSM Framework Regulation.11 They set forth that any person may, in good faith, submit a report directly to the ECB if that person has reasonable grounds for believing that the report will show breaches of the 'relevant EU law' by the institutions supervised by the ECB or by the supervisors themselves (both the ECB and the national competent authorities for banking supervision).12 Where a breach relates to other areas of activity by a bank that do not fall under the ECB's supervisory competences (e.g., consumer protection or the implementation of anti-money laundering rules), it is outside the ECB's mandate to follow up on the breach. Instead, the breach should be reported to the national authorities that are competent for these areas. All personal data concerning both the person who does the reporting and the person who is allegedly responsible for the breach shall be protected in compliance with the EU data protection framework. Also, the ECB shall not reveal the identity of a person who has made such a report without first obtaining that person's explicit consent, unless disclosure is required by a court order in the context of further investigations or subsequent judicial proceedings.

With regard to significant supervised entities, that is to say, those entities that are directly supervised by the ECB, the ECB itself assesses the report. By contrast, with regard to less significant supervised entities, the ECB only assesses reports for breaches of ECB regulations or decisions. The ECB forwards reports concerning less significant supervised entities to the relevant national competent authority, without communicating the identity of the person who made the report, unless that person provides his or her explicit consent.

While everybody that has knowledge of a potential breach may report this to the ECB, the ECB has indicated that compliance officers, auditors and other employees of a bank are the groups that are more likely to have knowledge of possible wrongdoing. The breaches that are most commonly reported to the ECB concern the inadequate calculation of own funds and capital requirements as well as governance issues within credit institutions.


i EU competition law

Under EU competition law, the European Commission may impose fines on corporates of up to 10 per cent of the annual consolidated worldwide turnover of the undertaking. In setting the fine, the European Commission takes into account the gravity and duration of the infringement. The Fining Guidelines provide more guidance on how the European Commission will exactly calculate the fines.13 These Guidelines are not binding on the European courts, which exercise full jurisdiction and can review the fine. However, the instances when the European courts have adjusted fines in competition cases remain exceptional. A 10 per cent reduction of the fine can be granted under EU competition law if an undertaking agrees to enter into a settlement with the competition authority. In doing so, the undertaking concerned must admit its involvement in the infringement.

ii EU financial services and banking

The SSM started in November 2014 and is one of the four pillars of the EU Banking Union. It is particularly relevant for the supervision of credit institutions in the eurozone. It is composed of the ECB and the national authorities that are competent for the supervision of credit institutions in their respective EU Member State. The ECB has a key role in the SSM, as it is responsible for its effective and consistent functioning. In addition, it has, among the thousands of credit institutions that are established in the eurozone, full and direct supervisory authority over 'significant institutions'. To ensure compliance with the supervisory rules and its regulations and decisions in this area, the ECB has significant supervisory,14 investigative and sanctioning powers.

The ECB's investigative powers are similar to those that have been granted to other EU financial supervisory authorities, such as the European Securities and Markets Authority in the areas of supervision of over-the-counter derivatives, central counterparties and trade repositories,15 and of credit rating agencies.16 Thus, the ECB has the right to require legal and natural persons to provide all information that is necessary to carry out its supervisory tasks. It also has the right to require the submission and examination of documents, books and records, to obtain written or oral explanations from the representatives or staff of such persons, and to conduct all necessary on-site inspections at the business premises of the institutions under its supervision, including without prior announcement.

If an institution supervised by the ECB breaches, intentionally or negligently, a requirement under directly applicable EU law for which administrative sanctions are made available, then the ECB has the right to start a sanctioning procedure and impose administrative pecuniary sanctions.17 The same right exists in case of breaches of regulations or decisions adopted by the ECB in exercising its supervisory tasks.18 The ECB also has the right to publish the imposition of such sanctions, irrespective of whether or not a decision has been appealed.

In other cases – for instance, breaches of national legislation that transposes EU Directives – the ECB can only require the national supervisory authorities to open a sanctioning procedure with a view to taking action in order to ensure that appropriate sanctions are imposed by the national authorities.

The ECB imposes its sanctions in accordance with the ECB Sanctioning Regulation.19 This Regulation, among others, sets forth the procedural rules and time limits for the imposition of sanctions and for judicial reviews.


1 Stefaan Loosveld is a partner at Linklaters LLP. The information in this chapter was accurate as at June 2018.

2 Commission Notice on immunity from fines and reduction of fines in cartel cases (OJ C 298, 8 December 2006, p. 17).

3 In full, Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union (OJ 349, 5 December 2014, p. 1).

4 In full, Regulation (EU) No. 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ L 12 June 2014, 173/1).

5 See Article 73 of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12 June 2014, p. 349).

6 See Article 99 quinquies of Directive 2014/91/EU of the European Parliament and of the Council of 23 July 2014 amending Directive 2009/65/EC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) as regards depositary functions, remuneration policies and sanctions (OJ L 257, 28 August 2014, p. 186).

7 See Article 35 of Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2 February 2016, p. 19).

8 See Article 28 of Regulation (EU) No. 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs) (OJ L 352, 9 December 2014, p. 1).

9 In full, Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27 June 2013, p. 338).

10 In full, Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 648/2012 (OJ L 176, 27 June 2013, p. 1).

11 In full, Regulation (EU) No. 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (ECB/2014/17) (OJ L 141, 14 May 2014, p. 1).

12 The term 'relevant EU law' covers the substantive rules relating to the prudential supervision of credit institutions that the ECB applies when carrying out the tasks conferred on it by the SSM Regulation. These rules are composed of directly applicable EU Regulations such as the Capital Requirements Regulation. When EU Directives are considered relevant Union law, the national implementations of these Directives are also considered to be relevant Union law, e.g., national implementations of the Capital Requirements Directive IV (CRD IV). Furthermore, where directly applicable EU Regulations grant options to Member States, the national legislation exercising those options is considered to be relevant Union law. ECB regulations, such as the SSM Framework Regulation, and ECB decisions, are also considered to be relevant Union law.

13 Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No. 1/2003 (OJ C 210, 1 September 2006, p. 2).

14 E.g., requiring a credit institution to hold own funds in excess of the EU law capital requirements or to use its net profits to strengthen its own funds, requesting the divestment of activities that pose excessive risks to the soundness of an institution, limiting variable remuneration when it is inconsistent with the maintenance of a sound capital base, or removing members from the management of a credit institution.

15 Regulation (EU) No. 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ 2012 L 201/1).

16 Regulation (EC) No. 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies (OJ 2009 L282/23), as among others amended by Regulation (EU) No. 513/2011.

17 The sanctions that the ECB can impose in this case consist of a maximum of twice the amount of the profits gained or losses avoided because of the breach where those can be determined, or a maximum of 10 per cent of the total annual turnover of that institution in the preceding business year. If the institution is a subsidiary, then the relevant total annual turnover is calculated on a consolidated basis.

18 The sanctions that the ECB can impose in this case consist of (1) fines of a maximum of twice the amount of the profits gained or losses avoided because of the infringement where these can be determined, or 10 per cent of the total annual turnover of the undertaking, and (2) periodic penalty payments of a maximum of 5 per cent of the average daily turnover per day of infringement. Periodic penalty payments may be imposed in respect of a maximum period of six months from the date stipulated in the decision imposing the periodic penalty payment.

19 In full: Council Regulation (EC) No. 2532/98 of 23 November 1998 concerning the powers of the European Central Bank to impose sanctions (OJ 1998 L318/4). In order to adapt it to the supervisory tasks exercised by the ECB under the SSM, the ECB Sanctioning Regulation has been amended by Council Regulation (EU) 2015/159 of 27 January 2015 amending Regulation (EC) No 2532/98 concerning the powers of the European Central Bank to impose sanctions (OJ L 27, 3 February 2015, p. 1).