ARTICLE
20 September 2024

How To Prevent Bribery, Fraud And Other Economic Crime: Corporate Culture, Innit?

BS
BCL Solicitors LLP

Contributor

BCL Solicitors is a law firm with a single-minded ambition – to achieve the best possible outcome for each and every client. We specialise in corporate and financial crime, regulatory enforcement and serious and general crime. We offer discreet, effective and expert advice to corporations, senior executives, public bodies and high-profile individuals.
The UK's 'failure to prevent' model in corporate liability, extended to bribery, tax evasion, and now fraud, mandates strict liability for commercial entities unless they prove "reasonable procedures." However, ensuring foolproof internal controls to prevent misconduct remains challenging.
United Kingdom Corporate/Commercial Law

The Bribery Act 2010 transformed corporate criminal liability in the UK by introducing the so-called 'failure to prevent' model. Initially for bribery, the FTP model has been extended to facilitation of tax evasion offences, and is now being extended to fraud offences for 'large organisations'.

Very broadly, the approach is to make commercial organisations 'strictly liable' for the wrongdoing of persons providing services on their behalf, unless the organisation can prove that it had in place 'reasonable procedures' designed to prevent the offending. The FTP model effectively transfers from law enforcement authorities to commercial organisations a significant part of the responsibility for detecting and preventing economic crimes, where failure risks a criminal conviction and very considerable financial and reputational harm.

Should that not be sufficient encouragement, the 'identification principle' has been reformed so as to significantly expand the category of persons who could be 'identified with' an organisation for the purposes of attributing criminal liability in economic crimes from 'directing minds' (usually Board directors) to 'senior managers' (so broadly defined as potentially to include department heads, for example).

So, how should commercial organisations prevent criminal wrongdoing? And what are 'reasonable procedures' that would amount to a defence to a FTP offence?

Government guidance published to date is a bit thin. It sets out 'guiding principles' and a few practical examples. And while compliance professionals (and now GenAI) have stepped up to fill the void, and collectively UK financial services organisations are reportedly spending £34 billion each year on financial crime compliance, it does not appear that anyone yet has discovered a reliable method for preventing individuals from behaving dishonestly (or improperly) for financial gain.

There is of course a limit to what any organisation can do to prevent individual wrongdoing and, in theory at least, the law only requires 'reasonable' procedures, not foolproof ones. In the event of serious offending, however, particularly if relevant conduct has continued for more than a short period of time, it will be difficult for organisations to persuade law enforcement and ultimately the courts that their procedures were 'reasonable'.

With the benefit of hindsight, there will almost inevitably be red flags that were missed, controls that proved ineffective, measures that could have been implemented but were not. The reason for such failures will involve interesting questions about how humans think and make decisions, about group behaviours, and about the role of leadership. The criminal justice system however is neither equipped to nor interested in answering these questions. Instead, in all but the most exceptional cases, you can expect principles of 'strict liability' to be applied alongside largely unexamined notions of corporate 'culture'.

Take Sir Brian Leveson's deferred prosecution agreement judgment in Tesco Stores Limited: 'It is important to underline that a company is a structure which can only operate through its directors, employees and agents. Stripping out the human beings, a company itself can have no will or ability to decide how it should behave. Thus, as I made clear in SFO v Rolls-Royce and another (U20170036) at [48], it is "of real significance" whether or not those who were implicated in or should have been aware of illegal behaviour, or of a culture which permitted illegality to thrive, remain members of the senior management.'

What did Leveson mean by a 'culture which permitted illegality to thrive'? How could the wrongdoing have been prevented? Why was Leveson so sure that senior managers 'should have been aware' (and therefore needed to be replaced)? As it happens, despite Tesco agreeing to pay a £129m fine and £3m in costs as part of the DPA, no individuals have ever been convicted in relation to that alleged offending (famously, the three individuals prosecuted were acquitted of all charges without troubling a jury) and so it is perhaps unfair to examine why Tesco did not prevent something which may well not have happened.

Let us take another well-known judgment, the Airbus DPA, where Dame Victoria Sharp expressed similar sentiments: 'As I have identified, Airbus did have bribery prevention policies and procedures in place at the material time. However, prior to September 2014, those policies and procedures were easily bypassed or breached and there existed a corporate culture which permitted bribery by Airbus business partners and/or employees to be committed throughout the world.'

In fact, notwithstanding that Airbus was penalised €991 million in the UK as part of a €3.6 billion global resolution, no individuals have ever been convicted in relation to that alleged offending either. However, for these purposes, let us take the judgment at face value.

The alleged FTP bribery took place between July 2011 and June 2015. Most of the conduct involved the use of third parties (i.e. intermediaries or agents) to assist in winning sales contracts in five jurisdictions. In 2012, Airbus commissioned an external consultant to review its compliance programme and Airbus received an award for the design of its anti-bribery compliance programme. Throughout, Airbus had written policies governing payments and contractual relationships with third parties, including policies specifically aimed at ensuring that third parties were used appropriately and only after sufficient due diligence. Airbus operated a series of committees with responsibility for reviewing the use of and payments to third parties. In 2014, Airbus found significant breaches of compliance policies, the systems were reviewed and updated, and payments frozen. (Airbus eventually self-reported in 2016, following enquiries by UK Export Finance.)

In short, Airbus had extensive anti-bribery procedures, and these procedures were to some degree effective. What did Sharp mean by a corporate culture that permitted bribery?

Sharp noted that some committee members were aware of and/or involved in the material wrongdoing. The information provided to the committees was incomplete, misleading or inaccurate such that the committees were not able to provide effective or properly informed oversight in the manner intended. And the conduct by some included the creation of false invoices, false payments and other compliance material.

In other words, dishonest individuals used sophisticated methods including the creation of false documentation to deliberately circumvent procedures. Some might have turned a blind eye. After a period, the company spotted issues, stopped payments, and strengthened the systems. The outcome was that the company was penalised €991 million in the UK alone because their systems 'were easily bypassed' (while the allegedly guilty individuals walked away scot-free).

The lesson here is that company's systems will be judged on their outcomes. A system which does not prevent serious wrongdoing will be judged a poor system. Wise judges will identify the corporate culture as being permissive of illegality. And if organisations wish to be sure of avoiding enormous fines and reputational harm for someone else's wrongdoing, they'd better find ways to prevent that wrongdoing in the first place.

On that last point, organisations could learn from the professionals, like the US Securities and Exchange Commission (a powerful US agency which enforces the law against market manipulation): Between June 1992 and December 2008, when Bernie Madoff confessed, the SEC received six substantive complaints that raised significant red flags concerning Madoff's hedge fund operations and should have led to questions about whether Madoff was actually engaged in trading. The SEC never properly examined or investigated Madoff's trading and never took the necessary, but basic, steps to determine if Madoff was operating a Ponzi scheme. Had these efforts been made with appropriate follow-up at any time beginning in June of 1992 until December 2008, the SEC could have uncovered the Ponzi scheme well before Madoff confessed (findings from the SEC's 'Investigation of Failure of the SEC to Uncover Bernie Madoff's Ponzi Scheme').

It turns out that no one in the SEC could believe that Bernie Madoff – the Bernie Madoff – would have done anything so outrageous as run a $65 billion Ponzi fraud, until afterwards when it turned out to be blindingly obvious. This indeed is why fraud is such a prolifically successful strategy, and so difficult to prevent. People are social animals with a tendency to believe one another, particularly those who look and sound the part. They are subject to countless cognitive shortcuts, biases, blind spots, and failures of foresight (not to mention off-days and lapses of judgment). In short, people are so notoriously fallible, that it's a wonder that anyone is able to pronounce confidently on any complex topic, let alone something as unproven as the ability of commercial organisations to prevent individuals from committing dishonesty offences. Which organisation in history has succeeded?

So, where does all this leave commercial organisations which wish to minimise the risk of being prosecuted for someone else's wrongdoing?

To engender a corporate culture that does not permit illegality, commercial organisations will somehow have to find a way to control for the fallibility of those who design, implement, and deliberately circumvent their systems. That means understanding and controlling for how humans think and make decisions, group behaviours, and the role of leadership.

There is in fact much that can and should be done. Often, however, that will involve countering people's natural instincts. Learning to be sceptical, mistrustful even. Not relying on the assurances of long-standing colleagues. Being coldly analytical. Having well-resourced and imaginative compliance personnel. Employing people who understand the business and with the ability to challenge what does not make sense. Having processes that spot risks and ultimately say 'no'. There may be downsides to all this, of course, but that is what happens when organisations are given the responsibilities of law enforcement, and exponentially greater risks.

Should an organisation's efforts at detecting and preventing economic crimes not greatly exceed the SEC's (or if they do not spot red flags and instruct independent lawyers to investigate thoroughly), and if wrongdoing is subsequently identified, they risk criminal prosecution, enormous fines and reputational harm.

All is not necessarily lost. When commercial pressures do not dictate otherwise, some organisations may have a shot at defending themselves. As the SFO has discovered repeatedly, correctly identifying and proving wrongdoing by associated persons is not always straightforward. There may also be scope to argue that individual failings by particular workers do not necessarily illustrate systemic failures. It will be an exceptional case, however, where an organisation succeeds with a reasonable procedures defence in the face of serious offending.

Corporate culture, innit?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More