09 January 2024
With the UK set to introduce the most significant changes to corporate criminal liability laws for a generation, how can companies prepare?
Fraud is a hot topic currently. New technologies and an economic downturn have triggered a huge uptick in these criminal offences worldwide. With new UK legislation in the pipeline to bolster efforts to prevent (and prosecute) corporate fraud, companies are scrambling to prepare.
In this podcast episode, we look at the elevated responsibilities, liabilities, and risks for organisations – spanning controls, governance, frameworks, and more. Along the way, we highlight the issues that should be top of mind for various company leaders, including board chairs and directors, senior managers, chief risk officers, audit committees, and general counsels.
To tackle these issues, Ashurst’s Ruby Hamid is joined by an expert panel of colleagues including Nisha Sanghani, Neil Donovan, Matt Russell and Tom Mercer. This is the first episode in a continuing mini-series about corporate crime and investigations. To make sure you don’t miss future episodes, subscribe to Ashurst Legal Outlook on Apple Podcasts, Spotify or wherever you get your podcasts.
Hello, and welcome to Ashurst Legal Outlook. This is a podcast for the corporate crime and investigations mini-series. A series in which we explore a range of topics related to investigations and bring you some of the insights we gain from carrying out investigations with our clients across a range of sectors. My name is Ruby Hamid. I co-lead Ashurst Global Corporate Crime team from our offices in London. And today I'm delighted to be joined by a fantastic panel of my Ashurst colleagues in this content about fraud, Tom Mercer, Matt Russell, Nisha Sanghani, and Neil Donovan who will be focusing with me today on the new legislation in the UK failing to prevent fraud and also what our clients should be doing to get ready for it. I'm going to start Tom with you if I may. In the time that you spend with boards and senior management, what shift are you seeing in their view of fraud and the management of the risk of fraud?
It's interesting how fraud has moved on and I think this new legislation is going to result in a step change in the way in which boards have to deal with fraud. It used to be said probably by lawyers on the basis that you couldn't exclude liability for fraud, that it wasn't something you could legislate for. And ironically now it has been legislated for, and boards need to be very careful in relation to how they're monitoring potential fraud in businesses. And without stealing Neil's thunder, because I know he's going to talk about it in a minute, one of the particular features of the new legislation is that we're not talking about fraud on the company. We're talking about effectively vicarious fraud by the company and a failure of boards and senior management to prevent that fraud. And I do think that requires boards to think very carefully about a company's purpose and culture. And in particular focus on whether there are actually any potentially perverse incentivizations or pressures on people within a business which can incentivize people effectively to cheat, to game the system in a way which could amount to fraud.
And that does involve slightly more focused thinking around a company's values and its culture. And also the outward representation of the company to consumers and people who could be affected by any fraud by the company, which touches on some other hot topics like for example, greenwashing. So this is something which is fairly all encompassing for boards to think about. The good news, I think particularly for large organisations and public companies is that this ought to be a build on their existing systems and controls, but nonetheless it will test them and it will sometimes require boards to think and to look at things, reading between the lines as well as the more traditional financial reporting lines and audit controls they have in place.
Tom, thank you. That's a really great way to set the scene. Neil, do you mind just giving us a little bit of an introduction on what this new legislation is?
Yes, of course. Thanks, Ruby. So the new failure to prevent fraud offence creates a standalone criminal offence by which an organisation can be liable for failing to prevent fraud committed for its benefit by an associated person. So if we just unpack some of those key elements, firstly, the offence only applies to large organisations. Those are organisations which satisfy two of the following criteria, more than 250 employees, more than 36 million pounds in turnover or managing over 18 million pounds in assets. And that's a difference to the failure to prevent offences we've seen under the Bribery Act and the Criminal Finances Act where there is no carve-out for small and medium-sized companies.
The predicate conduct for the offence, so the underlying fraud captures a very broad range of fraud offences. It covers the principal offences under the Fraud Act. So that's your fraud by false representation, failing to disclose, abuse of position. But it also covers offences like false accounting, fraudulent trading, and significantly cheating the public revenue. So you'll be seeing statements for HMRC or tax evasion that's for the benefit of the company could potentially lead to liability under this new offence. The associated person test is the same as that for previous failure to prevent offences, that's persons who perform services on behalf of the company.
And the jurisdictional scope is quite interesting under the new offence because whilst the act is silent on extraterritoriality, in contrast to the Bribery Act for example, which applies to overseas conduct, for the new offence jurisdiction will be determined by the underlying fraud offence. And what that means in broad terms is that an element of the offence of the fraud must have occurred in the UK. So that might be that that associated person commits a part of the fraud in the UK or that the intended gain or loss occurs in the UK. It's strict liability so previously, if the company doesn't have knowledge of the conduct, that's not a defence, it's a strict liability offence. And there is a defence that we've seen previously that Tom mentioned that if the company can prove it had reasonable prevention procedures in place at the relevant time, so that's a continued focus on compliance controls. The penalty is a fine, an unlimited fine. We've obviously seen some very significant fines imposed for failure to prevent conduct in recent years.
And then in terms of next steps, the offence, we're expecting it to come into force over the next six to 12 months. The government will first need to issue some guidance on reasonable procedures, and the offence should come into force shortly thereafter.
Thanks, Neil. Matt, this sounds like a big change. Can you give our clients some reassurance that the systems and structures and controls they already have in place are going to get them some way towards where they need to be?
Yes. The first point is those reasonable procedures that Neil described, which obviously inform the controls, we are anticipating are going to be consistent with what we've got in place, what organisations should have in place in terms of either the Bribery Act or the Criminal Finances Act as it relates to the facilitation of tax evasion. So we're anticipating those six pillars of risk assessment, risk sensitive or risk-based policies and procedures, the senior management commitments, due diligence, communications and training, and then finally monitoring and testing.
So on one level, we would hope that organisations have already got that framework and are able to think about their controls through that lens. And similarly to Tom's point, from a fraud perspective, you'd expect particularly those large organisations to already have controls in place, particularly around financial misstatements. So in part we would hope this is an element of calibration of what they've got in place and maybe identifying where some of the gaps are that they need addressing.
It's probably worth just reinforcing though that we are talking about fraud controls, which means we are focused perhaps more on some of those softer controls around things like conduct, which may not have been such an area of focus in relation to those other two offences that I've just described. And also some of the specific controls may warrant a bit more attention. So particularly things like whistleblowing or speak up. So again, how does the organisation get comfortable that perhaps the controls that they do have in place are perhaps now still fit for purpose in the context of the greater emphasis that this offence is wanting to get organisations to focus on.
Matt, thank you. That's a great point you make about focus on conduct rather than focus on financial management. Nisha, I know that's one of the challenges that you see with the offence from a governance perspective, but there are others aren't there? What would you see as the challenges companies need to tackle as they get ready for the new offence?
Thank you, Ruby. Look, I think Tom and Matt have just articulated really well that actually organisations generally will have controls in place at a ground level in terms of fraud, and they'll have an idea of exactly how they manage this risk from a day-to-day business perspective. I think one of the biggest challenges I see comes back to if you think about what the objective of the act is. And the objective of the act is really for organisations to think about the fact that actually it's not a defence to say that you didn't know. And that approach and that attitude really has to be driven from the boardroom. And in light of what Tom was talking about earlier, that really the act is all about thinking about culture and conduct and around how the values of an organisation stem through to all the processes and controls on the ground.
And I think one of the biggest challenges I can see from a governance perspective is if you think about some of the principles behind the act, they talk about this concept of senior managers and decision-making. And what that is really trying to get to is really two things. One, accountability starts at the boardroom. And number two, how do you build that connection between enterprise risk management when it comes to fraud control from a boardroom perspective, versus all of those processes and controls that are running on the ground. What's the framework that brings all of that together to make sure that A, the board is ensuring that its values and the culture that it sets from the top permeates through the organisation. But it's more than that. How does the board then oversee that all the processes and controls are working accurately?
Coming back to what I said at the beginning, it's not a defence to say that you didn't know. You've got to have reasonable steps in place. You've got to build a framework to make sure that actually your oversight mechanisms are working. And for me, I think that's probably the single biggest challenge in all of this.
Can I ask you, Nisha about the challenge around senior managers? What we know from the new act is that there is an additional change as well as the failure to prevent fraud offence in that the way that corporates become criminally liable is being expanded beyond the very senior directing mind and will test we've been used to, to the actions of a much larger group of people who are described as senior managers. How is a company going to understand what that population is and how they manage the risk within it?
It's a really good question, Ruby. Broadly, if you think about the concept that accountability starts at the boardroom, in order to define your list of senior managers, you almost need to look at how that delegation of authority and that chain of command works in the boardroom down to the ground floor. And that's really important when it comes to something like fraud control because actually if I'm sitting on the board of a large organisation and I'm responsible, I'm obviously, I've got accountability for making sure that my organisation has the right controls and framework in place for managing these risks.
I don't do all of that work myself. I'm reliant on my peers, the functional heads that work with me, they also have people working for them. I have people working for me. And each of those will own various elements of the risk profile if you like. They will be running controls to help me manage that risk. So this is about building a real understanding of those delegation chains. And from that is really how you get your population of senior managers, because there'll be different levels of accountability depending on their day-to-day roles and responsibilities. But you really need to map out and look at it from this lens.
Neil, can I move back to talking about investigations, which is the focus of our series. Do we think there's going to be an increase in investigations now we have these two new routes to liability for fraud?
Yes. It's a short answer, Ruby. I think we are expecting quite a significant uptick in investigations. Obviously over the course of the past 13 years since the Bribery Act was introduced and the subsequent offence under the Criminal Finances Act, we have seen corporates become increasingly sophisticated at conducting investigations into economic crimes. And we do expect an uptick on the back of the new offence coming into force. I think in many ways investigations, whether internal or externally led, are going to be very much the starting point for boards and very instructive to them in terms of understanding what their level of exposure might be and whether a failure to prevent offence may have occurred here.
So a robust, tightly scoped, timely investigation is going to be a very important step to take where potential issues have been identified. There is a broader point as well, which is that boards may have to grapple more regularly with self-reporting considerations. So understanding the nature of the conduct and whether there is an exposure at corporate level such that a self-report may be required to the authorities. They're very important strategic considerations and boards will only be in a position to take those decisions if they are informed as to the full set of facts. So conducting that proportionate fact finding exercise, understanding what's happened and doing that as efficiently as possible is going to be a very important step.
And Matt, if those investigations are going to increase, are they themselves part of the reasonable procedures that a company has in place? Is it, I suppose, reasonable to investigate a fraud?
I think yes. But probably yes on a couple of levels, Ruby. So I suppose the first one is, and this comes back to the point that Nisha was making around senior manager and being able to demonstrate that they are on top of these issues and responding to the information and the insights that they're receiving, the investigation or investigations, I think, become an important tool in that context. So I think you'd expect to see senior management being able to have visibility over not just the outcome of the investigation as it relates to the facts of the case, but also the extent to which the investigation is able to conclude on the effectiveness of the controls that are in place and the extent to which those reasonable procedures are working.
And also thinking about the evidence that the organisation is responding to some of those weaknesses. And also asking the question of to what extent are some of those weaknesses systemic. And I think reassuringly, that's part of the journey that investigations functions have already been on over the last five to 10 years moving away just from determining facts to being able to start to assess that control environment. I think probably this furthest step is thinking about what it means in the context of a potential failure in the context of those overarching reasonable procedures.
I think the other point I would make though is that I think those investigations functions probably need to be upskilled in relation to how they navigate and understand how those reasonable procedures are framed in the context of the particular activity or the particular allegations that they're investigating. Because again, we come back to this idea that it's a risk-based approach in the context of what we anticipate the reasonable procedures to be or the principles to be framed. So how does the investigator get comfortable or does it ask the right questions in terms of was it a failure of the control operation or was it a failure of the control design? And if it was a failure of the control design, actually was the organisation pointing their resources in the right areas. So I think what it does do, because I think it becomes an important tool in the context of reasonable procedures. It also potentially means that maybe the investigation's capability may need to be uplifted accordingly.
Interesting. I'm going to ask each of you so you've got a moment to prepare what your priorities would be if you were a corporate here trying to tackle this increase in fraud legislation. Tom, can I come back to you with your board advisory hat on? If you were on the other side of that fence, what would your priorities be if you were a board member or a chairman?
Thanks, Ruby. Whenever we talk to boards of directors about their duties to the company generally, one of the pieces of advice we try and impart, which in fairness is a bit of a truism, is that to discharge their duties, directors of companies need to have an inquiring mind and a natural curiosity about the operations of the business. And whilst that is a bit of a truism and is applicable to most of the decision-making that the boards have to undertake, it's particularly relevant and comes to the fore when we're talking about prevention of fraud.
There is a need for non-executives and chairs in particular and those who sit on audit committees to challenge the received wisdom, to ask potentially the stupid question about how does that work? How is it done in practice? And for organisations which are either public companies or private, but with a large interface with the public, there is a real need to ensure that the outward representation of the company and its values to people who may be affected by the company's behaviour accords with what is actually happening in the business and that there's no dislocation between the two.
And one of the reasons that's so important is because of the importance in the modern economy of corporates and what they say and what they do. And that means that things like cynicism and hypocrisy are real red flags here in relation to the possibility of fraud. Because if there are people within the business who say this is the company's outward position, but it doesn't really work like that in practice, that should be a flashing red light.
Tom, thank you. Matt, if you were the chief risk officer of one of our clients, what would you be doing now?
So Ruby, you won't be surprised to learn that I'd be saying, "You've got to focus on the risk assessment." And I think that's important in the context of this offence for a couple of reasons. I think firstly, I think as we've touched on a couple of times in this conversation, we are talking about a subset of fraud within an organisation and specifically fraud where the organisation may benefit whether directly or indirectly. So the risk assessment I think becomes critical in being able to identify those higher risk parts of the organisation where the sorts of opportunities that Tom described right at the start, particularly around incentivization, whether in the context of staff or third parties, could crystallise this particular risk. So almost using that risk assessment as a little bit of a scalpel to be able to really get to the heart of where the risk is and more particularly then where the controls are.
And I suppose that the follow on from that would be getting particularly an organisation that may already have a focus around fraud, and I'm thinking about financial services that may have insider risk on the one hand, but also fraud against its customers on the other. It's quite possible that this will be an area that wouldn't necessarily have had the focus within the organisation. So being able to really identify that potential blind spot and be comfortable that, again, as we talked about, ideally existing controls can be recalibrated to focus on that. But it's really, I think, be able to focus on that where the risk is and then get comfortable that you've got the right controls in place.
Interesting. Nisha, tell me what you would be doing if you were the chairman of an audit committee.
Thank you, Ruby. So really interestingly, I had a conversation with the chief executive officer last week and actually the chair of his audit committee. And there were two particular things that they said they were really interested in thinking about when it comes to this act, and I tended to agree with them. So one of the things that they said was high on their agenda is looking at their assurance framework. And by assurance framework, they didn't mean looking at what their external auditors are doing. So whilst obviously the external audit is a big part of the assurance framework, they were very clear around the fact that actually there are limitations when it comes to external audit. Ultimately, if there are significant issues with the design of their systems and controls, they were very clear about the fact that they understood the firm would still be accountable. And that's absolutely right and that's the right way to be thinking about it.
And when it comes to their assurance processes, and this comes back to what Tom was talking about earlier, they were really focused on what does that assurance process actually do? What value does it give them from a boardroom perspective? How much comfort can they get over the processes and controls that are operating within their organisation and some of those risk assessment outcomes that Matt talked about. And the conversation was really interesting because in particular they talked about things like... Actually from a board perspective, they don't really ever question, for example, the limitations of their internal audit papers. And of course that's a really important thing for boards to be questioning, to have an open inquiring mind as Tom said. Because the limitations of the internal audit actually will be able to give you great insight in terms of how much reliance you can place on that internal audit.
And where we got to with this conversation which I thought was really interesting, is they really honed in on the fact that the assurance process that you have is not just about identifying issues when they happen and forensically analysing what the root cause was. It's more than that. It's around what positive assurance can you get over your control environment. And that's what it comes down to as a board and as senior managers, that's what you want. You want a framework that tells you where the issues are, but also gives you positive assurance so that you don't become complacent. These things don't catch you out.
The second thing, which is really important, again going back to some of what Tom and Matt were talking about, is around this idea of having an open culture that permeates from the boardroom all the way to the ground. And for them that was particularly important because what they explained was that they want to build a culture of self-policing. Though actually throughout the organisation, you get this idea of people being accountable and responsible for the controls that they are responsible for delivering. However, they said it's a really fine balance because you want to have this open and self-policing culture, but equally, this is not about building a framework that is zero risk. Zero risk doesn't work because you get decision paralysis and operations can't continue as they should to keep the business going. So there's this real balance that you've got to have in place. And their view was, this is where boards really need to focus. It's these soft things. It's around these controls around culture and conduct that are really important to get this right.
Thanks, Nisha. Plenty to think about there. And Neil, what would you be doing if you were the general counsel of a corporate readying yourself for the failure to prevent fraud offence?
Thanks, Ruby. In addition to the failure to prevent fraud offence, as you mentioned, the act has brought in an expanded version of the identification doctrine such that acts of senior managers will now be attributable to the corporate for economic crimes. And I think that's a really significant change. And I think something that companies could start doing now is trying to map out and identify and understand who are those senior managers within the business whose conduct could potentially expose the corporate to criminal liability. And that will not be a straightforward exercise because it requires some judgement around who's performing a significant role and whether they're performing that in relation to a substantial part of the business. But these are quite important concepts, which will take some time to work out who the individuals are. So I think that's an exercise which could very sensibly start now while firms are waiting for the new offence to come into force.
Well, that's all we've got time for. Thank you very much to Tom Mercer, Matt Russell, Nisha Sanghani, and Neil Donovan for joining me on this episode. If any of our listeners would like to get in touch with us, then you'll find our details on the Ashurst website. And if you'd like to learn more, then look out for the next podcast in the corporate crime and investigation series. Nisha mentioned audit, we're going to be talking about changes to the audit risk framework in response to fraud and fraud risk management.
If you don't want to miss future episodes, do subscribe now on your favourite podcast platform, looking for Ashurst Legal Outlook. And if you'd like to keep the conversation going, do leave us a review or a rating and let us know if there are any other topics you'd like to hear us talk about. Until next time, thank you for listening and goodbye.