FINANCIAL CRIME: CORPORATES: An Introduction
Limitations, Risks, and Mitigation
The role of the corporate
What is the role of corporates in the fight against financial crime? Since the Bribery Act 2010 came into force, the UK government’s preferred answer to that question has become increasingly clear. Under the “failure to prevent” model, corporates are held accountable for the actions of their employees (and other “associated persons”), unless they can show that they had adequate (or reasonable) procedures in place to prevent such behaviour. The Bribery Act (specifically, Section 7, which created the corporate offence) brought about a sea change in corporates’ attitude towards bribery. The government has since sought to capitalise on that success, including by extending the principle from bribery via tax evasion to fraud, albeit at a slower pace than many would have liked.
The Serious Fraud Office (SFO) has principally made use of Section 7 in conjunction with its power, under the Crime and Courts Act 2013, to reach Deferred Prosecution Agreements (DPAs) with corporates it believes are guilty of financial crime. The vast majority of DPAs so far have been agreed in bribery cases, while prosecutions under the Bribery Act (including under Section 7) have, until the guilty pleas of Glencore and Petrofac in 2021, been comparatively rare. But, notably, these DPAs – in bribery cases like Rolls-Royce and Airbus, and others like Serco and Tesco – have invariably not been accompanied by convictions of individuals. This is striking because, under conventional rules of corporate liability as well as under the “failure to prevent” model, a corporate cannot be guilty of an offence unless an individual is also guilty. So how has this come about?
A question of risk
The obvious answer to this is that corporates value commercial certainty. They will factor in the costs and risks of prosecution (which will be substantial, even if the eventual result is a dismissal or an acquittal) before deciding whether to crystallise those risks into the financial penalties and other requirements (such as monitoring) that a DPA would involve. As part of that process, they will also consider how best to deal with individual suspects, which will involve not only difficult decisions about suspensions and dismissals, but also complex considerations about individuals’ representation and the status of material subject to Legal Professional Privilege (LPP). They will also consider issues about preservation and access to evidence, the relevance of other jurisdictions, and any reporting obligations that may exist, including under proceeds of crime laws.
For an individual, while similarly complex issues will also have to be considered, the potential impacts of a conviction – including the risk of imprisonment – will almost inevitably be weighed up rather differently. An individual may challenge the prosecution’s case in ways that a corporate would not, and a case that the SFO may have thought watertight when negotiating a DPA might nevertheless implode spectacularly at trial. While none of that impugns the rationality of the corporate’s decisions in negotiating a DPA, it might legitimately raise questions for the SFO and the courts.
The limits of law enforcement
The SFO’s own goals in litigation against ENRC, KBR, and (most spectacularly) Unaoil have helped re-establish the limits on its powers and reinforce a long-standing impression, fuelled by what its former director called “vocal and ill-informed detractors”, that it is simply not fit for purpose. While neither Brexit nor COVID-19 have (as some feared) had significant effects on the abilities of law enforcement more generally, and the growth of private prosecutions has rendered the landscape more complex, the cynical corporate may still be forgiven for thinking that its real prospects of being convicted (or even prosecuted) in the UK are low.
It is worth adding three caveats to that approach, however. The first is that there are significant and increasing sectors of business in the UK where the risks are very different. Businesses in the financial sector, for instance, regularly face significant fines and even prosecutions (notably NatWest) for breaching anti-money laundering (AML) rules, while an increasing range of offences – covering issues from financial sanctions to medical devices – are now subject to civil penalty regimes, for which convictions are unnecessary (and, in the case of financial sanctions, a strict liability approach now applies). Civil powers to freeze and obtain forfeiture of funds in bank accounts under proceeds of crime laws present an additional risk, particularly where banks become aware of suspicious activity. Businesses in some sectors – such as the extractive industries, public sector procurement in some jurisdictions, and medicinal cannabis – face these issues more often than others.
The second caveat is that “failure to prevent” is a conspicuously escalating agenda. Its extension from bribery via tax evasion to fraud has been slow, and the government’s reluctance to apply the fraud offence to smaller companies demonstrates a pragmatic acceptance that imposing new risks and overheads on business comes at a price. But the new offence, and the extension of corporate criminal liability to senior managers in economic crime cases, will, in time, surely herald a shift in corporates’ approach towards an expanding range of crime types.
A responsible approach
The third caveat is that there are of course important – and, again, increasing – imperatives on corporates to adopt and enforce procedures against financial crime, beyond the basic risk of being prosecuted. Most major UK brands now consider the environmental, social, and governance (ESG) agenda as a core ingredient of their business, and even newer and smaller corporates will have become familiar with their legal obligations in areas such as data protection, health and safety, and modern slavery. In due course, perhaps, AML, anti-bribery, the CFA, and sanctions obligations will be considered in the same way, as part of the basic framework of doing business as a corporate entity in the UK.
For the time being, however, the criminal-regulatory landscape for any corporate, whether large or small, that does business in the UK is complicated. Few can afford, or would want, either to spend unnecessary effort or expense on doing whatever government or law enforcement would prefer them to do, in ignorance of what the law technically requires. And yet, at the same time, to take the cynical approach of doing the minimum required, or to rely on inadequate enforcement, increasingly carries risks of its own. For a well-informed, responsible corporate, taking steps to tackle the myriad of risks of financial crime must be (and, if not, it must become) an integral part of doing business.