The Bribery Act Template
The story so far
The Law Commission devotes surprisingly little of its discussion paper to what most would expect to be the government’s next step – one or more new ‘failure to prevent’ offences, based on the template created in the Bribery Act 2010, and followed in the Criminal Finances Act 2017 (the CFA). The offence of paying a bribe, often committed in order to win a contract or other advantage for the benefit of a business, was and is well suited to this model, whereby the organization becomes liable for the act of an ‘associated person’, unless it can show it had ‘adequate procedures’ to prevent that happening. The main effect of its creation has not been in convictions but in Deferred Prosecution Agreements (DPAs) under the Crime and Courts Act 2013 between the Serious Fraud Office (SFO) and companies, invariably not accompanied by convictions of ‘associated persons’. The offences of facilitating tax evasion (domestic or foreign) are perhaps less well suited to this model, and we have not yet had time to see whether and how companies will be held liable for the acts of ‘associated persons’ under the CFA, or how they might use the defence (subtly different from that in the Bribery Act) that they had ‘reasonable procedures’, or that it was reasonable for them not to have any. When considering further such offences, there are several points to bear in mind.
First, it is undoubtedly difficult to conceptualise, let alone consider the merits of, a ‘failure to prevent’ offence in general terms, even if narrowed down to a subset of ‘economic crime’, or the (reasonably lengthy) list of offences in the 2013 Act for which DPAs are available. Companies (and other organizations covered by such offences) may find it difficult to assess their risks for such a broad range of offences that may be committed by ‘associated persons’, and guidance will necessarily be complicated. The fact that different companies will start from different points is also a complicating factor: while some may ‘bolt on’ procedures to prevent (say) false accounting, forgery, fraud, market abuse, money laundering, price-fixing, sanctions-busting, tax evasion and others, alongside those they have already, others will be presented with a very steep learning curve indeed. The challenge, both in terms of formulating the offence and of winning the argument for it in Parliament, would undoubtedly be difficult, and the government may prefer to proceed incrementally.
Second, for those offences that are typically committed by way of acts (rather than omissions) of individuals, with a ‘fault’ element (such as dishonesty, or an intention to mislead), the requirement for an individual to have committed that act, and to have been at fault, remains important. Bribery and facilitating tax evasion are examples of this type of offence, as is fraud (perhaps the most obvious single candidate for the next ‘failure to prevent’ offence).
The existence of the DPA system has helped to confound the question of whether an offence has actually been committed with the question of how easy or difficult it is to prove it, by enabling companies and prosecutors to agree between themselves that a particular individual has committed an offence (most often bribery). As we have seen with literally all the DPAs reached so far, that agreement may well be ruinous to the individual/s concerned, despite not being borne out by a single individual conviction.
Money laundering (etc)
Third, some of the offences under consideration for this treatment arguably fall into a different category, in that they are typically committed not by act but by omission, and with little or no ‘fault’ element involved. Under the Proceeds of Crime Act 2002 (POCA), for instance, offences of money laundering can be committed by dealing with, or even merely possessing, property that represents the proceeds of criminal conduct, while having no more than a suspicion that this is so, and failing to obtain a defence by making a report to (and, usually, seeking consent from) the National Crime Agency. In practice, companies will often adopt a ‘safety first’ approach to this question, and readily opt to make reports based on (for instance) suspicions held by their compliance or legal staff, rather than a ‘directing mind and will’.
Separate offences under POCA of failing to report another person’s money laundering may only be committed by people working in the regulated sector or by a Money Laundering Reporting Officer, which a firm in that sector is obliged to appoint under money laundering regulations (MLRs). As with offences under sanctions regulations (typically committed in a business context) and the Terrorism Act 2000, their ‘fault’ element is the objective one of having reasonable grounds/cause to know or suspect (which, of course, may be held by companies as well as individuals).
Regulated-sector firms also have various other duties under the MLRs, and reporting obligations under sanctions regulations and the Terrorism Act, all with criminal penalties for breach. The distance between these existing corporate liabilities and a hypothetical corporate offence of ‘failure to prevent’ money laundering or sanctions offences is relatively short, though not straightforward.
What might a corporate offence of money laundering look like? Thanks to the UK’s opt-out from the EU’s most recent money-laundering directive, which requires such an offence to be created by member states, we have not had the obligation to find out. But in the context of the existing laws under POCA and the MLRs, it surely makes little sense to look to the Bribery Act as a template, rather than build on what already exists. Notably, a corporate obligation (in effect) to report money laundering should also capture (in theory at least) any economic crime where a benefit had been obtained by a corporate (subject only to the equivalent of a due diligence offence).
It is also long established that an offence of money laundering may be proved without specifics about the predicate offence (including who committed it), and a failure to report money laundering could also be established without having to identify a particular launderer, so that some of the problems arising from the need to identify ‘associated persons’ would fall away. For similar reasons, the creation of corporate offences of sanctions-busting or terrorist financing based on the Bribery Act template would seem to make very little sense.
Fourth, the position with respect to tax evasion is also complicated – and has been made more so by the existence of the corporate offences under the CFA. Is a new corporate offence of failure to prevent tax evasion needed, on top of the existing ones of failure to prevent the facilitation of tax evasion?
Perhaps the best starting point is to ask whose taxes are being evaded: a corporate offence would surely capture the evasion of taxes due from the company, while the CFA offences seem targeted at evasion by its clients or customers (as facilitated by persons associated with it). There are alternative ways to tackle this issue, which would not have to rely on identifying individuals – such as a presumption of fault by a company where its taxes are not properly paid (subject to a due diligence defence).
Fifth, insofar as the drive for more ‘failure to prevent’ offences is allied (as it has been for bribery) with the facility to agree DPAs with companies, it should be noted that many economic crimes committed in a corporate context can already be tackled without the need for criminal convictions.
There would seem little sense in creating new risks for companies in the regulated sector to face DPAs for breaching the MLRs, for example, or for companies in general to face DPAs for breaching financial sanctions, evading taxes, or committing market abuse, insofar as they already face risks of civil penalties from their supervisors (in the case of the MLRs), from the Office for Financial Sanctions Implementation (in the case of financial sanctions), from HMRC (for non-payment of tax – noting that penalties can be imposed for deliberate, reckless or even negligent behaviour), or from the Financial Conduct Authority (for civil offences of market abuse).
Insofar as there is a perceived need for greater civil penalties against companies (regulated or otherwise) for conduct by them that is not presently criminal, there may be ways in which this could be achieved, without following the Bribery Act template (that is, having to identify criminal conduct by ‘associated persons’, and then making corporates liable for that conduct).
The Risks of Expanding ‘Failure to Prevent’
Any new ‘failure to prevent’ offence, in a similar but (probably) smaller way to any change to the identification principle, would come at a cost to companies. The risk to individuals should also not be ignored, particularly where companies face commercial pressures to reach DPAs with prosecutors, as many have already with the SFO, that unfairly implicate individuals, in a process that affords them no right to be heard. Ten years into the operation of the Bribery Act, with multiple DPAs and no convictions of individuals, the evidence is striking that this is a pervasive problem. Any creation of a new offence following the same template clearly risks exacerbating it.