Preventive criminal compliance refers to strengthening proactive measures within a company to prevent corporate crime, thereby establishing systems and strategies that effectively mitigate criminal risks. At its core, corporate criminal compliance aligns with the overarching goal of managing and controlling legal risks related to criminal law. By taking a proactive approach to criminal compliance, companies can leverage their own initiative and autonomy—making it the most effective strategy for safeguarding against criminal legal risks, particularly those originating from within the organization itself.

1. Criminal compliance objectives: Clearly define the basic and extended functions of legal services

(1) Core Objective: Reducing Corporate Criminal Risk

Promoting and implementing a corporate criminal compliance system plays a crucial role in preventing corporate crime, strengthening corporate governance, and building and refining modern enterprise frameworks. By ensuring that criminal compliance leads to more detailed, rational, and robust internal management practices, companies can effectively close loopholes that criminals might exploit. Currently, however, corporate legal risk management tends to focus primarily on civil, commercial, and economic risks—leaving criminal legal risks underprioritized. Even when corporate compliance departments identify and recognize the presence of criminal risks, insufficient or ineffective review and management measures often allow these risks to escalate unchecked. Yet once a criminal legal risk materializes, the resulting losses for the company can far outweigh those incurred from other types of legal risks. In the criminal arena, overlooking just 1% of potential issues can lead to a complete 100% failure for the organization.

(2) Expanded Objective: Encourage businesses to responsibly fulfill their social responsibilities

From the perspective of social responsibility, enterprises—as key participants in societal activities—primarily bear two major types of obligations. First, they are tasked with producing goods, delivering services, and managing business operations, thereby generating social wealth and economic value. Second, they are responsible for overseeing social management within their workforce and operational scope, ensuring the overall stability of societal order. Importantly, criminal compliance plays a clear and positive role in helping companies fulfill both of these critical social responsibilities in a responsible and effective manner.

First, criminal compliance aims to prevent the harm caused by the risk of criminal offenses. A robust criminal compliance framework not only helps maintain a company’s long-term stability but also reinforces its intrinsic value. By simultaneously focusing on "business operations" and "risk management," companies can maximize their benefits while minimizing potential risks. In today’s complex business environment, the demand for effective risk control is greater than ever—much like how the healthcare industry has evolved from routine check-ups to comprehensive diagnostic and treatment services. Just as medical check-ups enable early detection of suboptimal health conditions and underlying illnesses, allowing for timely intervention and treatment, a well-established criminal compliance system acts as a tailored "health screening package" customized for each organization. Through thorough reviews, it identifies emerging criminal legal risks before they escalate, enabling proactive prevention and control measures. Ultimately, this approach safeguards a company’s operational activities, fostering a positive cycle that maximizes profits while keeping risks to a minimum.

Secondly, by establishing compliance systems, companies can strengthen their sense of responsibility in crime prevention, enhancing their ability to proactively address potential criminal risks within their workforce and operations. This, in turn, enables businesses to actively share social responsibility and help make up for the limitations of the state’s crime-prevention efforts. In fact, Article 5 of China’s Company Law already includes a similar provision regarding corporate obligations: "Companies engaged in business activities must comply with laws—including criminal laws—and administrative regulations, uphold public ethics and business ethics, act with honesty and integrity, accept supervision from the government and the public, and fulfill their social responsibilities." Corporate criminal compliance is precisely one of the key, concrete measures through which companies can embrace their social accountability.

2. Guidance and Recommendations for Pre-emptive Compliance Advisors Engaging in Criminal Compliance Activities

(1) Written Review of Corporate Risks

To understand the criminal legal risks facing a business, lawyers must conduct thorough due diligence strictly according to the work plan. First, based on the client’s specific circumstances, they should prepare a detailed list of criminal compliance documents. Typically, this list includes essential company information, governance systems, organizational structure, corporate business management policies, and details about the company’s actual operations.

Notably, when dealing with internal corporate policies and other materials, it’s important not to simply aim for quantity—instead, focus strategically by identifying key priorities. Tailor your approach to align with the company’s specific needs, particularly in light of anticipated criminal risks. For instance, for e-commerce platforms, given their industry characteristics and previous assessments of potential criminal risks, the list of criminal compliance documents should emphasize systems related to finance, human resources, sales, product quality control, after-sales services, customer information management, and employee incentives and disciplinary measures. Among these, the sales standardization system should be highlighted as a critical component.

Second, based on the criminal compliance materials checklist, carefully review all written documents provided by the company to identify any omissions or missing information, and promptly organize the team’s lawyers to conduct a cross-check of the client’s submitted criminal compliance materials. This will enable a comprehensive understanding of the company’s business decision-making processes, implementation practices, and oversight mechanisms, with a particular focus on identifying potential criminal legal risks the client may face. Additionally, during the review of the criminal compliance materials, make sure to also assess any related civil or administrative legal risks that could arise.

(2) Findings from the Legal Risk Interview

After conducting a thorough and cross-referenced review of the criminal compliance materials provided by the client, criminal compliance lawyers assess the potential criminal risks involved. To gain a comprehensive understanding of the company’s actual operations, they engage in interviews with senior management, department heads responsible for relevant areas, and key personnel directly tied to critical business activities—ultimately aiming to identify and address any emerging corporate criminal legal risks.

During the on-site interview session with criminal compliance lawyers, the process involves three key steps: 1. First, draft an interview plan that outlines the list of employees to be interviewed, pre-prepare an interview outline, and identify the critical questions to focus on. 2. Next, conduct individual interviews—starting from company leadership down to department heads and even frontline staff—according to the pre-determined employee list. This step is crucial for gaining a deep understanding of the company’s current operations and identifying any existing challenges or issues. 3. Finally, document each interview in real-time by creating an interview record on the spot. Afterward, print out these records for the interviewees to review, verify their accuracy, and sign off. Once all interviews are completed, lawyers will conduct a second round of review to meticulously assess whether the records uncover any potential criminal legal risks or other compliance-related concerns. The most important aspects of this phase include clearly defining the rationale behind interviewing employees, carefully designing the interview outline, and mastering effective interviewing techniques. It’s essential to approach the interviews thoughtfully, ensuring the process doesn’t inadvertently create negative perceptions or backlash within the organization. Additionally, beyond what company leadership has specifically authorized, it’s critical to determine whether the interviews are being conducted under the guise of "compliance initiatives" or "financing due diligence"—or directly under the banner of "criminal compliance." The exact terminology should be decided by senior management to prevent unnecessary anxiety among employees who might mistakenly perceive the initiative as overly aggressive or punitive. In practice, some companies prioritize enhancing employee awareness by framing the effort explicitly as "criminal compliance," while others opt for more cautious approaches aimed at minimizing disruption.

When designing the interview outline, it’s essential to closely align it with the interviewee’s role and the specific responsibilities they oversee. Based on the risk areas identified during the preliminary review of the company’s criminal compliance materials—particularly those relevant to their department—craft a targeted interview plan that highlights key issues and notes down critical questions. During the actual interview process, pay close attention to your interviewing strategies and techniques, ensuring you avoid directly posing sensitive or pivotal questions right from the start. For instance, when speaking with employees, steer clear of straightforward inquiries like, "Have you encountered any non-compliant, unusual, or controversial situations at work?" Instead, introduce such topics more subtly by asking broader, less intimidating questions first, such as, "Does the company organize team-building activities? And how would you describe your overall sense of well-being at work?" This approach helps prevent the interviewee from immediately sensing the true purpose of the conversation. Once the atmosphere feels more relaxed, you can gently transition into discussing more sensitive or risk-related topics, encouraging open and honest responses. For questions involving specific risks, it may be helpful to invite the interviewee to provide detailed explanations, fostering a deeper understanding of their perspective.

(3) On-site Investigation of Legal Risks

Criminal compliance lawyers can conduct timely on-site inspections of companies in accordance with the law, identifying and addressing legal risks that arise during clients' day-to-day operations. During these on-site assessments, criminal compliance attorneys may visit the client’s office premises to thoroughly examine and document various aspects, including the workplace environment, organizational structure, and the company’s internal compliance awareness programs and training initiatives. Alternatively, lawyers may review the client’s external promotional materials beforehand—such as marketing brochures, website content, or other public-facing resources—to verify whether the information aligns with the company’s actual business activities. For instance, in a specialized criminal compliance review for an online education institution, the legal team would meticulously compare the advertised course offerings, pricing details, and faculty qualifications against the institution’s real-world practices, while also assessing how closely its promotional efforts match its actual operational scope and outreach strategies. Similarly, in a criminal compliance project involving commercial banks, the legal team would carefully scrutinize the bank’s official website to ensure that the services listed—ranging from personal banking to corporate solutions and credit card offerings—are accurately represented. This analysis would then be cross-referenced with insights gathered during preliminary document reviews and on-site interviews, enabling the identification of any potential criminal risks. In addition to these formal assessments, criminal compliance lawyers may also engage directly with the company’s customer base, gathering feedback and opinions to gain a more comprehensive understanding of the business’s performance and reputation from an external perspective.

(4) Compliance Risk Assessment

Drawing on the results of preliminary document reviews, on-site interviews, and field inspections, a criminal compliance lawyer thoroughly assesses the client company’s specific circumstances to identify and evaluate potential risks. The lawyer then analyzes the root causes of identified criminal, civil, and administrative legal risks, estimates the likelihood of these risks materializing, and determines their potential impact—ultimately crafting a comprehensive written legal opinion.

At this stage, a criminal compliance lawyer can assess a company’s specific criminal risks in three key steps. First, determine whether any criminal risks exist—specifically, whether there are suspected criminal activities. This assessment is based on a thorough review of preliminary written documents, as well as firsthand insights gained from on-site interviews and inspections, focusing on employees’ actual behaviors and their potential implications for criminal liability. Second, if the initial assessment confirms the presence of criminal risks, the next step is to distinguish whether these risks stem solely from individual employee actions or reflect broader organizational issues. It’s crucial to identify whether directly responsible executives and other accountable personnel should bear responsibility, and whether the company itself faces significant criminal legal risks as a result. To do this effectively, lawyers typically examine three critical areas: 1) The decision-making process—whether the company’s choices regarding financing, operations, sales, trade secret protection, intellectual property management, and other activities were conducted lawfully; 2) The implementation phase—whether the company successfully put these decisions into practice, addressing any discrepancies between stated policies and actual execution; 3) The oversight mechanism—whether the company actively monitored employee conduct, promptly addressing, penalizing, or reporting any identified illegal or unethical behavior—or, conversely, whether the company overlooked, tolerated, or even encouraged such actions because they aligned with its own interests. Finally, beyond evaluating potential criminal risks, it’s equally important to assess whether the company may also face other types of risks, such as civil or administrative legal liabilities.

(5) Compliance Report Writing

A criminal compliance lawyer prepares a draft written report on criminal legal risk compliance, ensuring it accurately reflects the objective situation while offering lawful and reasonable recommendations. The primary purposes of this legal risk compliance report are: first, to minimize costs and effectively mitigate existing criminal risk factors for the client’s business and its involved personnel; and second, to provide strategic advice on how company executives can legally and properly manage their enterprises in the future, proactively preventing criminal and other legal risks, and ultimately enhancing the company’s governance structure.

A criminal legal risk compliance report typically consists of five key sections. First, it outlines the specific context of the company’s criminal compliance efforts. Second, it provides an overview of the company’s basic operational and structural details. Third, it summarizes the key findings from the due diligence process. Fourth, it identifies the company’s existing criminal legal risks as well as other potential legal risks. Finally, it offers strategic recommendations and actionable measures to mitigate these risks effectively. Among these sections, the fourth and fifth parts are particularly critical. At this stage, it is recommended that the lead attorney involved in the project draft the initial version of the company’s criminal compliance special report. This draft should then undergo a second round of review and revision by a partner attorney, followed by a thorough group discussion among the legal team. This collaborative approach ensures that the report is both legally sound and scientifically grounded, tailored to the company’s unique circumstances, highly relevant, and fully feasible for implementation. Once the comprehensive report is finalized, it should be promptly and efficiently submitted to the company’s leadership. After receiving feedback from senior management, the report can be further refined and adjusted accordingly. Importantly, any sensitive information related to the company’s executives or leadership should be carefully redacted before sharing the full report with employees. Instead, a simplified version of the criminal compliance report should be provided to staff—allowing them to easily access, understand, and align their actions with the company’s compliance standards, ultimately enhancing their awareness and commitment to maintaining high ethical and legal practices.

(6) Compliance Results Feedback and Implementation

Even after a company has conducted criminal compliance due diligence, identified and assessed potential criminal compliance risks, it may still face criminal risks—whether due to risk appetite, inadequate implementation of established policies, or employees deliberately circumventing company regulations. Therefore, following the issuance of the criminal legal risk compliance report, the specialized legal team not only presents and provides feedback on the firm’s criminal compliance findings to corporate leadership but also meticulously analyzes each existing legal risk with the management team. Additionally, the team engages in open discussions with leadership to propose tailored strategies and recommendations for mitigating these risks, helping the company prioritize future compliance efforts and supporting the development and refinement of its comprehensive criminal compliance governance framework.

The primary function of a robust criminal compliance governance system should lie in identifying and controlling criminal legal risks. To address the current challenges faced by businesses, during the period when a law firm specializing in criminal law serves as the company’s legal advisor, it should assist the organization in developing tailored compliance strategies and ensuring their effective implementation. This can be achieved by refining the company’s relevant systems and procedural documents, conducting comprehensive legal awareness training, and providing expert guidance on complex legal queries. Such measures will further strengthen the company’s compliance framework, safeguarding its lawful and compliant operations while enabling risk identification and mitigation at the earliest stages. Moreover, the specialized criminal law firm plans to undertake targeted restructuring and revision of departmental systems within areas identified as high-risk for criminal legal issues. This initiative aims to ensure that each department’s regulatory framework is fully optimized, while also enhancing the criminal compliance awareness among senior executives and employees. By doing so, the firm will help the company clearly define responsibilities and, when necessary, facilitate the appropriate allocation of accountability—empowering the organization to manage risks effectively and maintain operational integrity.

Currently in practice, when appointing compliance supervisors, procuratorial authorities may delegate this role to lawyers, accountants, auditors, tax advisors, engineering technicians, and even administrative regulators. Among these professionals, lawyers are arguably best positioned to offer the most comprehensive expertise—especially those who have long been engaged in criminal compliance work. Of course, as independent supervisors, lawyers must avoid any conflicts of interest with the companies under investigation or their affiliated entities. Moreover, they have a legal obligation to report any related misconduct committed by the companies involved. Failure to fulfill this duty could even lead to liability as an accomplice through omission.

Based on the pilot programs conducted in our country, the fees for third-party independent supervisors are currently not high—and in some cases, even basic safeguards are lacking. For instance, in certain regions, procuratorates arrange funding to hire professionals, while in others, companies cover the associated costs. However, for lawyers, participating in this emerging field may yield greater value in terms of experience than financial compensation. This includes gaining valuable insights that can later be leveraged as defense counsel for other companies involved in similar cases, helping them pursue compliance-based non-prosecution strategies. Specifically, the responsibilities of lawyers serving as third-party independent supervisors primarily encompass the following key areas:

1. Identifying Criminal Risk Areas

Identifying criminal risk areas is the essential starting point for building a corporate criminal compliance system. All criminal risks faced by businesses can be categorized into two main types: general risks and specific risks. General risks are those that typically arise as inherent challenges for companies operating in the market—such as the risk of commercial bribery, which is an area every enterprise must address. In contrast, specific risks stem from the unique characteristics of a company’s business operations—for instance, whether a firm has overseas activities directly influences whether it needs to focus on international criminal risks. In other words, pinpointing criminal risk areas requires balancing both universal concerns and industry-specific factors, making criminal law provisions the "measuring tool" for this risk assessment process.

2. Criminal Legal Risk Assessment

After completing the identification of corporate criminal risks, the process moves into the formal phase of criminal compliance. This stage requires systematically organizing previously fragmented risk areas, conducting qualitative and quantitative analyses of the identified legal risks, and carefully examining the root causes behind these risks, as well as assessing both the likelihood of their occurrence and their potential consequences. Additionally, factors influencing the probability of risk events and the severity of their outcomes must be evaluated. Ultimately, the results of this risk assessment will serve as a roadmap for developing an effective criminal compliance program.

3. Provide guidance on developing a criminal compliance program

Currently, society is undergoing an economic transformation, making corporate management increasingly complex and heightening criminal legal risks for both businesses and their employees. Therefore, developing a specialized criminal compliance program—and effectively guiding its implementation within the company—is a critical prerequisite for mitigating these risks.

Specifically, a criminal compliance program should balance the following three-level objectives.

The first level focuses on macro-level objectives, which primarily include: a) How to prevent criminal risks—both internal and external—to the enterprise. b) How to promptly identify and effectively address these risks once they arise within the company, minimizing the damage to the organization’s interests should those risks escalate into actual criminal activities.

The second level focuses on value objectives, which primarily include: a) How to provide a formal, standardized document that establishes an internal corporate mechanism, ensuring criminal compliance is widely understood and effectively implemented across the organization; b) How to integrate criminal compliance as a critical component of business management, thereby enhancing awareness of criminal compliance among senior executives, in-house legal professionals, and all employees; c) How to align with evolving external criminal legal standards, ensuring that criminal compliance reflects the latest legislative updates, helps the company fulfill its statutory criminal obligations, and, when exploring new business areas, first identifies and clarifies the relevant legal responsibilities associated with those emerging fields.

The third level focuses on functional objectives, which primarily include: a) Providing enterprises with an independent and convenient channel to continuously assess and receive feedback on criminal risk factors associated with their business operations and management practices, while also enabling access to expert legal advice and guidance; b) Aligning with the company’s growth by leveraging diverse assessment entities and external service providers to deliver real-time, up-to-date alerts about criminal risk threats, thereby integrating criminal compliance efforts with the company’s business expansion and ongoing updates in external legal frameworks; c) Gathering internal and external insights—such as feedback and expectations—regarding the organization’s criminal compliance initiatives, allowing for timely identification of mistakes, addressing shortcomings, and ultimately enhancing the effectiveness of criminal risk prevention and control within the enterprise; d) Evaluating the actual impact of the company’s criminal compliance measures, ensuring a clear understanding of its performance, while maintaining the assessment process as authentic, consistent, and sustainable over time; e) Establishing structured procedures and protocols for engaging criminal compliance teams in response to significant, urgent, or unexpected events, guaranteeing prompt and effective intervention when needed.

4. Monitoring the Implementation of the Criminal Compliance Program

The key to criminal compliance lies in enforcement. While most companies initially establish some risk-control mechanisms at the outset, these often get overlooked—or even deliberately abandoned—as the business grows and operates. Therefore, enforcing criminal compliance is at the heart of the entire compliance framework. Weak enforcement of criminal compliance practices directly leads to heightened legal risks, which in turn can inflict significant damage on the company itself. If these risks escalate into severe outcomes—such as corporate bankruptcy or forced equity transfers—the resulting losses can be far more devastating, affecting not only employees and internal stakeholders but also the broader industry ecosystem. To reinforce a company’s commitment to effective criminal compliance enforcement, it is essential to strengthen both review processes and accountability mechanisms. Additionally, businesses should increase their investment in criminal compliance initiatives, making it an integral part of their operational costs. Furthermore, the implementation of robust criminal compliance programs should ideally incorporate external oversight mechanisms. Currently, China is developing a comprehensive legal framework for corporate regulation, with certain government agencies already tasked with monitoring compliance efforts at specific enterprises. In the future, it will be crucial to expand this legal system further, bolstering external regulatory oversight. Meanwhile, drawing inspiration from successful models abroad—such as industry associations that actively promote self-regulation and oversight—we should thoughtfully integrate similar structures into China’s approach. By doing so, we can create a layered system of governance: internal management within the company, peer oversight by industry bodies, and external supervision from government authorities. This multi-tiered framework will ensure that criminal compliance strategies move beyond theoretical frameworks and are effectively put into practice.

5. Ongoing Monitoring and Evaluation

The criminal compliance system is a dynamic framework that cannot afford to stand still. Continuous, proactive monitoring and review are essential components of criminal compliance, enabling companies to stay agile in the face of evolving risks. Therefore, monitoring and assessing criminal compliance should become an integral part of a company’s internal management practices. To maximize the effectiveness of criminal compliance efforts, organizations might consider introducing external, professional assessment mechanisms into their compliance programs.

Specifically, the evaluation of criminal compliance effectiveness should be examined from the following aspects:

a) The number and scale of criminal compliance initiatives implemented within the company, as well as the alignment of these initiatives with the company’s overall business operations and management practices;

b) The position and function of corporate criminal compliance in business management, and whether corporate management practices have undergone a criminal compliance review.

c) The number and types of criminal risks prevented, detected, and mitigated through criminal compliance;

d) The involvement of corporate executives in the company’s criminal compliance efforts, including both proactive and reactive scenarios;

e) The actual actions taken by the company in response to feedback from criminal compliance recommendations.