BCL Senior Associate Tom McNeill and partner John Binns explore the reasons why organisations are not defending failure to prevent offences.
‘Failure to prevent’ (FTP) offences have changed the landscape of corporate criminal liability.[i]
For bribery and facilitation of tax evasion offences, and potentially more economic crimes on the way,[ii] investigating authorities have a route to prosecute commercial organisations that side-steps the requirement to prove wrongdoing by a ‘directing mind’.
Commercial organisations can now be held criminally liable if an ‘associated person’ commits certain types of offence,[iii] subject to a defence which requires them to prove (broadly speaking) that they did all they reasonably could to prevent the offending. [iv]
The question is: why aren’t more organisations defending themselves?
Failure to defend
To date all FTP prosecutions have concerned bribery, and the almost universal preference has been to resolve the prosecution by deferred prosecution agreement (DPA).
While DPAs avoid a criminal conviction, organisations must in practice admit serious wrongdoing, pay a financial penalty comparable to a fine following conviction, and comply with onerous measures to prevent future offending.
For some organisations, commercial certainty and risks in relation to disbarment from public procurement may make these prices worth paying in all circumstances. [v] Other organisations, however, will weigh the chances of proving themselves innocent before accepting the certainty of reputational and financial harm.
That only one organisation has sought to defend an FTP prosecution to date inevitably reflects a view that such offences are difficult to defend. Few lessons however can be drawn from the conviction of Skansen Interiors Limited. One of its directors pleaded guilty to bribery, and the company did not have any anti-bribery and corruption policy in place at the time that the offending commenced, making it hard to argue a defence of ‘adequate procedures’.
The defence in theory
Without contested prosecutions and a body of interpretive case law we cannot be sure how the defence will operate in practice. The guidance issued to date is not particularly helpful.
One key area of uncertainty is the extent to which organisations could rely on the defence in circumstances where individuals did not follow, or deliberately circumvented, the measures in place. With the considerable efforts and costs that many organisations have invested in developing systems, often this will be the question that determines the organisation’s guilt or innocence.
When drafting the failing to prevent bribery offence, however, we know that the Law Commission had in mind specific ‘regulatory’ due diligence defences, which assist with this precise question. These include section 21(1) of the Food Safety Act 1990 and section 24 of the Trade Descriptions Act 1968.[vi] That the reasonable procedures defence was intended to operate similarly, notwithstanding changes to the draft bill during the legislative process, was recognised by the House of Lords Select Committee on the Bribery Act in 2019.[vii]
While FTP offences will differ in important ways, there is therefore a body of ‘regulatory’ caselaw that provides a reasoned basis to analyse how their defences are intended to operate.
Individual failings – a defence?
The common feature of the due diligence defences identified by the Law Commission is that they allow organisations a defence if they can show that (1) the offence was due to the act or default of ‘another person’, and (2) the organisation had taken all reasonable precautions, and exercised all due diligence, to avoid the commission of the offence.
In a broad range of circumstances, organisations have been able to establish that they complied with their duty to take appropriate measures to prevent offending, notwithstanding failings, including supervisory failings, by individual workers at a senior or junior level. For example, in a case concerning the Food Safety Act 1990, a hotel chain was able to rely on the defence, notwithstanding supervisory failings by their head of health and safety, in addition to failings by kitchen hands, to maintain a kitchen adequately.[viii] A further case is Tesco Supermarkets v Nattrass,[ix] which, as well as being the leading case on section 24 of the Trade Descriptions Act 1968, remains one of the UK’s leading cases on corporate criminal liability.
In that case, Tesco sold washing powder at more than the advertised price, an offence under section 11 of the 1968 Act. Relying on the section 24 defence, Tesco argued that the store manager was at fault for failing to spot that a shop assistant had put out non-discounted stock, and that the company had taken all reasonable precautions and exercised all due diligence. Endorsing the ‘directing mind’ principle, the House of Lords held that the store manager did not fit that description, and accordingly that his failings could not be attributed to the company. Further, it held that Tesco had complied with its duty by providing appropriate instruction, ensuring that the store was adequately staffed and equipped, and ensuring a chain of supervision including by branch and area inspectors.
Lord Diplock stated: ‘Where Parliament in creating an offence of “strict liability” has also provided that it shall be a defence if the person upon whom the duty is imposed proves that he exercised all due diligence to avoid a breach of the duty, the clear intention of Parliament is to mitigate the injustice, which may be involved in an offence of strict liability, of subjecting to punishment a careful and conscientious person who is in no way morally to blame.’
And further: ‘To exercise due diligence to prevent something being done is to take all reasonable steps to prevent it. It may be a reasonable step for an employer to instruct a superior servant to supervise the activities of inferior servants whose physical acts may in the absence of supervision result in that being done which it is sought to prevent. This is not to delegate the employer’s duty to exercise all due diligence; it is to perform it. To treat the duty of an employer to exercise due diligence as unperformed unless due diligence was also exercised by all his servants to whom he had reasonably given an proper instructions and upon whom he could reasonably rely to carry them out, would be to render the defence of due diligence nugatory and so thwart the clear intention of Parliament in providing it.’
Failure to prevent
In its ‘Reforming Bribery’ paper in 2008, the Law Commission gave an example of how this approach might apply to the ’adequate procedures’ defence: ‘An English company, C, wishes to do business in Blueland. C employs an agent (X) living in Blueland to establish business contacts on C’s behalf with Government officials in Blueland. X bribes those officials to place contracts with C. C can show that it gave Y, their regional manager, the task of ensuring that all foreign agents complied with the company’s anti-bribery policy. Y had failed in her task, as she was busy looking for a job with a rival company.’
The Law Commission explained that C would have a good defence if it could show that its systems were adequate: ‘individual failings of particular members of staff do not necessarily illustrate systematic failures in the way that it is sought to prevent the commission of bribery.’ [x]
This approach, and the approach in the cases summarised above, provides far greater scope for organisations to defend themselves than some other regulatory defences which the ‘adequate procedures’ defence was not modelled on. The best known is the so-called ‘reasonably practicable’ defence in the health and safety sphere.
Here, the reasoning in Tesco has been expressly rejected by the courts on the basis that it applies to ‘quite different’ provisions, with the consequence that organisations are likely to be criminally liable for any failings by employees which expose persons to health and safety risks. It is not vicarious liability but, in most circumstances, there is little practical difference.
So there is, at least in principle, a reasoned basis by which organisations may be able to defend themselves where they have devised appropriate measures, but these measures have not been followed. But would such a defence work in practice? What about failings over longer periods? Or failings by more than one individual? Or, bearing in mind the expectation in the guidance of top-level commitment, failings by ‘senior officers’? [xi]
Ultimately, the unsatisfactory answer is that such factors would make it more difficult to defend a prosecution, but they would not necessarily be prohibitive. Careful consideration would have to be given to the particular facts and circumstances of the case. It is important however to recognise a key difference between the defences to FTP offences, and the regulatory defences they are modelled on.
The regulatory due diligence defences on which the FTP defences are modelled effectively require organisations to have procedures to prevent what are usually non-deliberate harms – products being sold at more than the advertised price, unsafe food, knives being sold to persons under the age of 18.
FTP offences are concerned with something different. Organisations are effectively required to have procedures to prevent dishonest individuals from committing serious criminal offences. Such individuals may be determined to commit offences no matter what procedures an organisation puts in place. The individuals may use sophisticated methods to circumvent them, by, for example, creating false invoices, false payments and other compliance material that conceals their tracks.
The more sophisticated the offending, the more difficult it will be to prevent, and the more likely it will be able to persist over long periods without being detected, notwithstanding reasonable procedures to prevent it. And, while to a degree the harms that FTP offences are seeking to prevent will require anticipation of dishonest methods and appropriate levels of scrutiny, commercial organisations are not law enforcement agencies, and cannot be expected to act as such in the ordinary course of their business.
The clear intention is for organisations to be able to rely on these defences even in circumstances where through carelessness etc. an individual has failed to implement the preventative measures. Where dishonest individuals have deliberately circumvented those measures, and used sophisticated methods to conceal their wrongdoing from the organisation, that is not, as some DPA judgments seem to suggest, an aggravation of the organisation’s failings, but its defence.[xii]
[i] Section 7 of the Bribery Act 2010 makes commercial organisations criminally liable for bribery offences committed by ‘associated persons’. The Criminal Finances Act 2017 introduced a failure to prevent the facilitation of tax evasion offence in similar though not identical terms. The only defence for the organisation is to show that it had ‘adequate procedures’ (or, for the 2017 Act, ‘reasonable procedures’) to prevent such conduct.
[ii] There is currently an ongoing Law Commission review which is considering extending the offence to other economic crimes, such as fraud, false accounting and money laundering.
[iii] The failure to prevent bribery offence requires the associated person to intend a business advantage for the organisation. The failure to prevent the facilitation of tax evasion offence does not include this requirement.
[iv] The failure to prevent bribery defence refers to ‘adequate procedures’ while the failure to prevent the facilitation of tax evasion defence refers to procedures ‘reasonable in all the circumstances’. It is highly unlikely that there is any difference in meaning between the two. See House of Lords report ‘The Bribery Act 2010: post legislative scrutiny’, paras 196-211.
[v] A conviction may constitute grounds for discretionary disbarment from EU public sector contracts.
[vi] Law Commission, ‘Reforming Bribery: A Consultation Paper’ (2008), paras 6.96-6.99. Other due diligence defences mentioned were section 34 of the Weights and Measures Act 1985 and section 141A of the Criminal Justice Act 1998.
[vii] See the House of Lords Select Committee on the Bribery Act 2010 report ‘The Bribery Act 2010: post-legislative scrutiny’ (2019), paras 172-175.
[viii] Kilhey Court Hotels Ltd v Wigan MBC  ACD 66.
[ix] Tesco Supermarkets Ltd v Nattrass  2 WLR 1166.
[x] The Law Commission: Reforming Bribery (2008), paras 6.106 to 6.108.
[xi] The draft bribery bill included a requirement to prove negligence by a person responsible for preventing bribery, and a clause saying that the defence would not apply where a ‘senior officer’ was negligent in performing their role as a ‘responsible person’. The requirement to prove negligence was dropped (for being ‘too complex and narrow’), as was the related clause in relation to negligence by a senior officer. The role played by senior officers is instead to be determined as part of the defence. See the Joint Committee Report on Draft Bribery Bill, paras 94-103.
[xii] See for example the Airbus DPA judgment, para 65. Note that the Sentencing Council’s Fraud, Bribery and Money Laundering Offences Definitive Guideline includes a section in relation to corporate offenders, which identifies characteristics that may indicate high culpability, including: ‘Wilful obstruction of detection (for example destruction of evidence, misleading investigators, suborning employees’; and ‘Culture of wilful disregard of commission of offences by employees or agents with no effort to put effective systems in place (section 7 Bribery Act only).’