LONDON (FIRMS): An Introduction
A Question of Responsibility
The role of the corporate
What is the role of corporates in the fight against financial crime? Since the Bribery Act 2010 came into force, the UK government’s preferred answer to that question has become increasingly clear. Under the “failure to prevent” model, corporates are held accountable for the actions of their employees (and other “associated persons”), unless they can show that they had adequate (or reasonable) procedures in place to prevent such behaviour.
The Bribery Act (specifically Section 7, which created the corporate offence) brought about a sea change in corporates’ attitude towards bribery. The government has since sought to capitalise on that success, including by extending the principle from bribery –via tax evasion – to (and now in the Economic Crime and Corporate Transparency Act 2023 (ECCTA)) fraud, albeit at a slower pace than many would have liked.
The Serious Fraud Office (SFO) has principally made use of the Bribery Act in conjunction with its power, under the Crime and Courts Act 2013, to reach deferred prosecution agreements (DPAs) with corporates it believes are guilty of financial crime. The vast majority of DPAs so far have been agreed in bribery cases, while prosecutions under the Bribery Act (including under Section 7) have, until the guilty pleas of Glencore and Petrofac in 2021, been comparatively rare.
However, notably, these DPAs – in bribery cases like those involving Rolls-Royce, Airbus and others like Serco and Tesco – have invariably not been accompanied by convictions of individuals. This is striking because, under conventional rules of corporate liability as well as under the failure to prevent model, a corporate cannot be guilty of an offence unless an individual is also guilty. How has this come about?
Risks and mitigations
The obvious answer to this is that corporates value commercial certainty. They will factor in the costs and risks of prosecution (which will be substantial, even if the eventual result is a dismissal or an acquittal) before deciding whether to crystallise those risks into the financial penalties and other requirements (such as monitoring) that a DPA would involve.
As part of that process, they will also consider how best to deal with individual suspects, which will involve not only difficult decisions about suspensions and dismissals, but also complex considerations about individuals’ representation and the status of material subject to legal professional privilege (LPP). They will also consider issues regarding the preservation of and access to evidence, the relevance of other jurisdictions and any reporting obligations that may exist, including under the proceeds of crime laws.
For an individual, while similarly complex issues will also have to be considered, the potential impacts of a conviction – including the risk of imprisonment – will almost inevitably be weighed up rather differently. An individual may challenge the prosecution’s case in ways that a corporate would not, and a case that the SFO may have thought watertight when negotiating a DPA might nevertheless implode spectacularly at trial. While none of that impugns the rationality of the corporate’s decisions in negotiating a DPA, it might legitimately raise questions for the SFO and the courts.
The limits of law enforcement
The SFO’s own goals in litigation against ENRC, KBR and (most spectacularly) Unaoil have helped re-establish the limits of its powers and reinforce a long-standing impression, fuelled by what its former director called “vocal and ill-informed detractors”, that it is simply not fit for purpose. While neither Brexit nor COVID-19 have (as some feared) had significant effects on the abilities of law enforcement more generally, and the growth of private prosecutions has rendered the landscape more complex, the cynical corporate may still be forgiven for thinking that its real prospects of being convicted (or even prosecuted) in the UK are low.
It is worth adding three caveats to that approach, however. The first is that there are significant and increasing sectors of business in the UK where the risks are very different. Businesses in the financial sector, for instance, regularly face significant fines, and even prosecutions (notably NatWest), for breaching anti-money laundering (AML) rules, while an increasing range of offences – covering issues from sanctions to medical devices – are now subject to civil penalty regimes, for which convictions are unnecessary (and where, in the case of sanctions, a strict liability approach now applies). Civil powers to freeze and obtain forfeiture of funds in bank accounts under the proceeds of crime laws present an additional risk, particularly where banks become aware of suspicious activity. Businesses in some sectors – such as the extractive industries, public sector procurement in some jurisdictions, and medicinal cannabis – face these issues more often than others.
The second caveat is that failure to prevent is a conspicuously escalating agenda. Its extension from bribery – via tax evasion – to fraud has been slow, and the government’s reluctance to apply the new ECCTA offence to smaller companies demonstrates a pragmatic acceptance that imposing new risks and overheads on business comes at a price. However, the new offence, and the extension of corporate criminal liability to senior managers, will surely herald a shift in corporates’ approach towards an expanding range of crime types.
A responsible approach
The third caveat is that there are of course important – and, again, increasing – imperatives on corporates to adopt and enforce procedures against financial crime, beyond the basic risk of being prosecuted. Most major UK brands now consider the environmental, social and governance (ESG) agenda as a core ingredient of their business, and even newer and smaller corporates will have become familiar with their legal obligations in areas such as data protection, health and safety, and modern slavery. In due course, AML, anti-bribery, the CFA, the Economic Crime and Corporate Transparency Act (ECCTA) and sanctions obligations will perhaps be considered in the same way, as part of the basic framework of doing business as a corporate entity in the UK.
For the time being, however, the criminal-regulatory landscape for any corporate, whether large or small, that does business in the UK is complicated. Few can afford, or would want, to spend either unnecessary effort or expense on doing whatever government or law enforcement would prefer them to do, in ignorance of what the law technically requires. And yet, at the same time, to take the cynical approach of doing the minimum required, or to rely on inadequate enforcement, increasingly carries risks of its own. For a well-informed, responsible corporate, taking steps to tackle the myriad risks of financial crime must be (and if not, must become) an integral part of doing business.