Corporate Crime & Investigations: An Overview

A Question of Responsibility 

The role of the corporate 

What is the role of corporates in the fight against crime? The last 15 years have seen UK governments of different stripes provide increasingly expansive answers to that question, with “failure to prevent” as the flagship of the trend.

Under that model, corporates are held accountable for the actions of their employees (and other “associated persons”), unless they can show that they had adequate (or reasonable) procedures in place to prevent such behaviour. The Bribery Act 2010 (specifically, Section 7, which created the corporate offence) brought about a sea change in corporates’ attitude towards bribery. The government has since sought to capitalise on that success, including by extending the principle from bribery, via tax evasion, to (through the Economic Crime and Corporate Transparency Act 2023 (ECCTA)) fraud.

The Serious Fraud Office (SFO) has principally made use of the Bribery Act in conjunction with its power, under the Crime and Courts Act 2013, to reach Deferred Prosecution Agreements (DPAs) with corporates it believes are guilty of financial crimes. The vast majority of DPAs so far have been agreed in bribery cases, while prosecutions under the Bribery Act (including under Section 7) have, until the guilty pleas of Glencore and Petrofac in 2021, been comparatively rare.

But, notably, these DPAs – in bribery cases like Rolls-Royce and Airbus, and others like Serco and Tesco – have generally not been accompanied by convictions of individuals. This is striking because, under conventional rules of corporate liability as well as under the “failure to prevent” model, a corporate cannot be guilty of an offence unless an individual is also guilty. So how has this come about?

Risks and mitigations 

The obvious answer to this is that corporates value commercial certainty. They will factor in the costs and risks of prosecution (which will be substantial, even if the eventual result is a dismissal or an acquittal) before deciding whether to crystallise those risks into the financial penalties and other requirements (such as monitoring) that a DPA would involve.

As part of that process, they will also consider how best to deal with individual suspects, which will involve not only difficult decisions about suspensions and dismissals, but also complex considerations about individuals’ representation and the status of material subject to legal professional privilege (LPP). They will also consider issues about preservation and access to evidence, the relevance of other jurisdictions, and any reporting obligations that may exist, including under proceeds of crime laws.

For an individual, while similarly complex issues will also have to be considered, the potential impacts of a conviction – including the risk of imprisonment – will almost inevitably be weighed up rather differently. An individual may challenge the prosecution’s case in ways that a corporate would not, and a case that the SFO may have thought watertight when negotiating a DPA might nevertheless implode spectacularly at trial. While none of that impugns the rationality of the corporate’s decisions in negotiating a DPA, it might legitimately raise questions for the SFO and the courts.

The limits of law enforcement 

The SFO’s own goals in litigation against ENRC, KBR, and (most spectacularly) Unaoil have helped re-establish the limits on its powers and reinforce a long-standing impression that it is not fit for purpose. While the growth of private prosecutions has rendered the landscape more complex, the cynical corporate may still be forgiven for thinking that its real prospects of being convicted (or even prosecuted) in the UK are low.

It is worth adding three caveats to that approach, however. The first is that there are significant and increasing sectors of business in the UK where the risks are very different. Businesses in the financial sector, for instance, regularly face significant fines and even prosecutions (notably NatWest) for breaching anti-money laundering (AML) rules, while an increasing range of offences – covering issues from sanctions to medical devices – are now subject to civil penalty regimes, for which convictions are unnecessary (and, in the case of sanctions, a strict liability approach now applies). Civil powers to freeze and obtain forfeiture of funds in bank accounts under proceeds of crime laws present an additional risk, particularly where banks become aware of suspicious activity. Businesses in some sectors – from AI via CBD, crypto, fintech and gaming apps to health and wellness products – face these issues more often than others.

The second caveat is that “failure to prevent” is a conspicuously escalating agenda. Its extension from bribery via tax evasion to fraud has been slow until now, and the government’s reluctance to apply the new ECCTA offence to smaller companies demonstrates a pragmatic acceptance that imposing new risks and overheads on business comes at a price. But the new offence, and the extension of corporate criminal liability to senior managers, will surely herald a shift in corporates’ approach towards an expanding range of crime types.

A responsible approach 

The third caveat is that there remain important imperatives on corporates to adopt and enforce procedures against financial crime, beyond the basic risk of being prosecuted. Most major UK brands continue to see environmental, social, and governance (ESG) factors as key to their business, and even newer and smaller corporates will have become familiar with their legal obligations in areas such as data protection, health and safety, and modern slavery. In due course, perhaps, AML, anti-bribery, the CFA, ECCTA, and sanctions obligations will be considered in the same way, as part of the basic framework of doing business as a corporate entity in the UK.

For the time being, however, the criminal-regulatory landscape for any corporate, whether large or small, that does business in the UK is complicated. Few can afford, or would want, either to spend unnecessary effort or expense on doing whatever government or law enforcement would prefer them to do, in ignorance of what the law technically requires. And yet, at the same time, to take the cynical approach of doing the minimum required, or to rely on inadequate enforcement, increasingly carries risks of its own. For a well-informed, responsible corporate, taking steps to tackle the myriad risks applicable to them must be (and, if not, it must become) an integral part of doing business.