The second UK corporate offence of failing to prevent a crime committed by an associated person has just been introduced by the Criminal Finances Act 2017, covering facilitation of tax evasion and following in the tracks of the similar UK Bribery Act 2010 offence.
Most corporates would agree that aiming to prevent associates from committing crimes within the business is the right thing to do, and that the defences of having adequate procedures (for the UKBA) or reasonable procedures in all the circumstances (for the CFA) appear sensible. So this approach could provide a sound solution to the problem of corporate criminal liability. It should, however, be used with caution.
This is because in practice the only enforcement information available is about what does not amount adequate procedures under the UKBA, not about what is adequate. The government guidance and deferred prosecution agreements (DPAs) are the only benchmarks we have.
Even the best guidance can’t set out what a particular business’s risks are or what their mitigations should be, and therefore what ‘adequate’ or ‘reasonable’ might look like. Nor have the UKBA DPAs so far helped identify this.
It is not the purpose of DPAs to say ‘what might have been’ if a business did something different – they can only look at what was actually done. The focus however is clearly on whether policies and procedures are effective in influencing actions and behaviour, not simply on whether a policy or training exists or has been read/taken by the relevant people. In the first DPA case, the bank had anti-corruption training and policies, but the judgment notes that ‘[t]he applicable policy was unclear’ and ‘In essence, an anti-corruption culture was not effectively demonstrated... as regards the transaction at issue’. In the agreed Statement of Facts, it says ‘Although [the bank] did have a relevant training system in place for its employees, the effectiveness of the training provided must be in doubt given that no [bank] deal team member raised any concern…’
This level of embedded effectiveness is much harder for a business both to achieve and to measure, and requires a cultural shift (for which methodologies are still evolving). It also begs the question of whether procedures can ever be ‘adequate’ if a bribe has occurred inadvertently, and whether this is really what the law intended.
Unfortunately, this seems unlikely ever to be tested properly in court. For that to happen, a contested criminal trial, followed by appeals, is needed - but there is little incentive for either prosecution or defence to risk a full trial. Based on evidence so far, DPAs will usually be offered unless failings go to the top of the organisation (and sometimes even if they do), and/or the company has not co-operated with the SFO – in which case it seems that the defence would probably not be arguable anyway.
If a DPA is offered, it is hard to see why an organisation would not accept. You must agree that the defence does not apply but it would be a brave business that would incur trial costs and risk even higher penalties with highly uncertain chances of success. For prosecutors, a contested trial is also more expensive and could weaken their ongoing position if the jury or appeal courts take a less firm view of what ‘adequate’ means.
This point is illustrated by examples from the US where the authorities have declined to prosecute corporates under the Foreign Corrupt Practices Act. Some heralded the Morgan Stanley and Noble cases as examples where business had done enough to satisfy the authorities, but expert commentators have pointed out that neither offered a sound basis for prosecution. In those circumstances, a wise enforcer would always step back and keep its advantage.
It has yet to be seen whether the CFA’s ‘reasonable procedures in all the circumstances’ is, as I believe, a lower bar than ‘adequate procedures’. Even if it is, the benefits of agreeing a DPA over going to trial would still apply and uncertainty would continue.
This combination of significant penalties, reputational risk and an untested high standard for a defence is a tool to be used only where the business impact and expense is proportionate to the harm caused. This is hard to judge, as the ‘failure to prevent’ approach does not have to go through any regulatory cost-benefit or impact analysis before enactment. This is because it doesn’t impose any compliance burden, as the procedures form part of a defence and are not a requirement.
It should in each case be justified as to why it is the best and most proportionate way forward. For bribery and corruption, the argument is easily made. It is internationally recognised as a cost to society as well as to business, and by its nature is often only brought into the open by whistleblowers or journalists. The UKBA has indisputably raised awareness and incentivised businesses to focus more sharply on their own responsibility for tackling corruption.
Moving forward, though, it should not become the default solution to corporate liability, as it risks that focus being diffused across too many issues, becoming less effective, and creating disproportionate burdens on those who make the most effort to comply. And, where it is appropriate, thought needs to be given as to how businesses can better identify whether or not they are doing enough.