Corporate criminal liability has been transformed beyond all recognition from what it was just 15 years ago.
Not merely have fines increased very significantly, the expectations placed on corporates have changed fundamentally. Companies are now expected to behave responsibly.
That doesn’t just mean doing no wrong, it means preventing others from doing wrong.
And if they do not, they risk not merely reputational harm but criminal prosecution and highly punitive fines.
A key change has been the growth and development of the ‘regulatory’ approach.
Traditionally, the most serious offences were ‘mens rea’ offences. These offences require proof of the relevant mental state as well as the relevant act – for example, theft requires proof of dishonesty and not merely the appropriation of property belonging to someone else.
Regulatory offences, previously seen as less serious, are to the effect that if the proscribed thing happens, or the required thing does not, an offence is committed, and it doesn’t matter whether an organisation meant it or even knew about it.
Sometimes regulatory offences have a due diligence provision – so that it wouldn’t be an offence if the person did all they reasonably could, but the proscribed thing still happened.
But it is the nature of regulatory offences, even those with a due diligence defence, that they’re easy to commit and difficult to defend.
It’s hard for companies to commit mens rea offences because it typically requires a directing mind, usually a director, to commit the offence which is then attributed to the company.
Often directing minds aren’t involved with the relevant conduct – sometimes not provably so.
Legal scholars and practitioners used to query the justification for fining corporations, effectively the shareholders, for conduct they might not have approved or been aware of i.e. of which they were innocent.
It was also doubted that the shareholders would be moved (or be in a position) to take steps to address the offending. In any event, it was thought curious reasoning that an innocent person should be punished in order to compel him to do something which the law could do directly.
In more recent years the concern became that identification doctrine was shielding companies from criminal liability. The response has been the extension of the regulatory approach to mens rea offences.
Failure to prevent
In 2010, the UK introduced a failure to prevent bribery offence which makes commercial organisations criminally liable if a bribery offence is committed by an ‘associated person’ – a very broad term that could include sub-contractors or suppliers – so long as that person intended a business advantage for the organisation.
There is no minimum level of culpability – the draft bill required proof of negligence, but that requirement was removed during the legislative process.
It doesn’t matter whether anyone within the company knew about the offending or whether the organisation actually gained an advantage. The only defence for the company is to show that it had adequate procedures to prevent such conduct.
In other words, commercial organisations are made criminally liable if someone else commits an offence, subject to a defence which requires them to prove that they did all they reasonably could to prevent the offending.
In 2017, a failure to prevent the facilitation of tax evasion offence was introduced, in similar though not identical terms. There is currently an ongoing Law Commission review which is considering extending the offence to other economic crimes, such as fraud, false accounting and money laundering.
FCA-regulated persons are already subject to substantial ‘regulatory’ (i.e. non-criminal) penalties that are frequently higher than those imposed by the criminal courts, including for shortcomings in anti-money laundering controls and for failing properly to assess, monitor and mitigate the risk of financial crime.
Deferred Prosecution Agreements
Introduced in 2014, DPAs have dovetailed perfectly with the failure to prevent offence.
Under a DPA, a prosecutor will lay but not immediately proceed with criminal charges against an organisation, pending successful compliance with onerous conditions including a punitive financial penalty and measures to prevent future offending.
Applying to various financial crimes (which often do not have the self-reporting structures that exist in a number of regulatory contexts), it incentivises corporates to self-report early and unreservedly with a view to avoiding a criminal conviction and securing a quicker and more certain conclusion than a lengthy investigation and prosecution.
With failure to prevent offences very difficult to defend – and in any event for reasons of commercial certainty – a number of organisations have pursued the DPA route. Nine of the twelve DPAs agreed to date have concerned bribery offences.
Since their introduction, DPAs have collected £1.67 billion for the Treasury.
Size of fines
At the same time that the regulatory approach is being extended, punishments for regulatory offences have been significantly increased.
One factor in this increase is that fines now much better account for the financial circumstances of the organisation – large companies can now expect large fines.
But the more fundamental change is that regulatory offences are now treated much more seriously, even when failings are merely systemic.
There was a time when it was considered that the criminal law should not concern itself with companies trying to do the right thing – guidance and instruction were thought more appropriate.
The Robens Report, which underpins the UK’s health and safety law, includes:
“The fact is – and we believe this to be widely recognised – that the traditional concepts of the criminal law are not readily applicable to the majority of infringements which arise under this type of legislation. Relatively few offences are clear-cut, few arise from reckless indifference to the possibility of causing injury, few can be laid without qualification at the door of a particular individual. The typical infringement or combination of infringements arises rather through carelessness, oversight, lack of knowledge or means, inadequate supervision or sheer inefficiency. In such circumstances the process of prosecution and punishment by the criminal courts is largely an irrelevancy. The real need is for a constructive means of ensuring that practical improvements are made and preventative measures adopted. Whatever the value of the threat of prosecution, the actual process of prosecution makes little direct contribution towards this end…We recommend that criminal proceedings should, as a matter of policy, be instituted only for infringements of a type where the imposition of exemplary punishment would be generally expected and supported by the public. We mean by this offences of a flagrant, wilful or reckless nature which either have or could have resulted in serious injury…”. 
However, that approach has long since passed. When serious harm occurs, it is commonplace to see prosecutions of even the most conscientious organisations.
All else being equal, organisations which are much less culpable should pay much smaller fines – if prosecuted at all.
However, with criminal regulatory offences in place, if harm occurs, the first question is, Why didn’t the company prevent it?
We now know quite a lot about cognitive bias. Unfortunately, that understanding is rarely applied in the criminal justice system.
So, a system which failed to prevent harm is judged to be a bad system.
What might be viewed as a remote possibility before the event will afterwards be considered an accident or crime waiting to happen.
If people didn’t follow the required systems, the assumption is that this is because the company did not train them, or lead them, or monitor them properly.
Organisations are now expected to be able to overcome the everyday failings of people. If they do not, the organisation is not merely held responsible: it is judged to have committed a very serious crime.
The extension of the regulatory approach, therefore, will see more organisations pay highly punitive fines for harm or wrongdoing which they have limited ability to prevent.
Organisations have two main routes to address these risks.
The first, which is the principal legislative intent, is to properly fund, resource, audit and monitor preventative procedures.
Organisations should do this. It is unlikely however that organisations will ever be able to fully protect against human fallibility. They should also be wary of drafting procedures in such a way as to increase criminal risks for the organisation and senior individuals without necessarily making for better procedures.
The second applies when things go wrong: obtain expert advice. This will help avoid own goals, whether in relation to self-reporting, talking senior managers into being suspects as well as the organisation, or bringing into play more serious offences, e.g. corporate manslaughter.
Beyond that, it is necessary to understand what happened and what went wrong, engaging experts where required, and ultimately being well placed to persuasively explain the organisation’s position.
And the earlier the better. When investigators form a view about an organisation it can be very difficult to change.
But be warned, in serious cases defending against regulatory offences is usually a process and not an event.
 UBS & Deutsche Bank were fined £160 million and £227 million respectively by the FCA for manipulation of LIBOR; Barclays Bank was fined £284.4 million by the FCA for manipulation of the currency exchange market (FOREX). Standard Chartered Bank was fined £102.2m by the FCA in relation to shortcomings in the bank’s AML controls relating to customer due diligence and ongoing monitoring.
 Safety and Health at Work: Report of the Committee, 1970-72, Chairman Lord Robens, p.82.
 The author discussed cognitive bias here: https://www.hsmsearch.com/Cognitive-bias-health-safety-investigations.