Governance & Compliance 4: Risks escalate for corporate criminal liability

Will Chalk:

Welcome to the fourth in our series of AGC Ashurst Governance and Compliance Podcasts, where we focus on the latest developments in the world of governance, compliance, and reporting. I'm Will Chalk, a partner in Ashurst's London corporate team focused on corporate governance.

In this edition, we're going to focus on corporate criminal liability, and in particular, what companies should be doing in response. The landscape in this area has moved on significantly in the past 18 months with more to come. In certain respects, companies which are yet to act, need to do so in short order. So I'm delighted to be joined by Ruby Hamid, a partner in our corporate crime and investigations practise, and Neil Donovan, also a partner in that team. Thanks both very much for joining me.

Ruby, can I turn to you first? Can you just remind everybody of the headline changes to the corporate criminal compliance risk landscape in the last 18 months?

Ruby Hamid:

Yes, absolutely Will. As you say, the last 18 months has been a period of significant change, and there've been some really notable changes at the enforcement authorities in the UK, a change of leadership at the Serious Fraud Office and at the FCA in its enforcement division. And interestingly, in both agencies, former senior police officers have been brought in to run the investigation and enforcement functions, bringing with it a much greater familiarity and comfort around financial crime and a much more outcomes-focused approach when it comes to taking criminal action. So what we are expecting to see already, but also as it develops, is a much braver approach to tackling corporate criminal activity. And for companies that means greater risk of conduct being identified, investigated, and then enforced.

There have been some changes in terms of guidance too. I think we're going to talk a little bit more in this edition about the updated guidance from the Serious Fraud Office on companies who wish to self-report and cooperate with investigations, that we've also seen UK government guidance on transparency in supply chains. This is an area which is really subject to change across the EU as well as in the UK. And I think we'll talk a little bit about the expectations for companies who now need to detail their efforts to prevent modern slavery, both within their own operations, but also within their supply chains. And of course, the impact of the Economic Crime and Corporate Transparency Act, which brings in both a new criminal offence of failing to prevent fraud, which comes into force on the 1st of September; we're in the last 100 days leading up to that now. And also a change in who can create criminal liability for companies. That used to be just a relatively small cohort at the most senior level of the company. It's now been expanded to a company's senior management. So plenty that's been in flux.

Will Chalk:

Yeah. So ECCTA, who could possibly forget ECCTA, the gift that keeps on giving, eh? So Neil, turning to you, turning in that SFO revised guidance, just briefly outline what its purpose is, first of all, if you wouldn't mind?

Neil Donovan:

Yes. Hi Will. Good to be with you. So as Ruby mentioned, the purpose of the guidance is to encourage companies to self-disclose suspected criminal activity and sets out the SFO's expectations in relation to how a company is then expected to cooperate with a subsequent SFO investigation. And whether to make a self-report and cooperate is a voluntary decision for companies. And this means it's a highly strategic decision which needs to be made at the point at which suspected criminality is identified. And the reasons companies may take this approach is to obtain what's known as cooperation credit and a proactive timely self-report is a feature of that.

So the benefits of obtaining cooperation credit is that then at the end of the SFO investigation, the company may be invited to negotiate what's known as a Deferred Prosecution Agreement, this is a form of negotiated settlement with the SFO, which is an alternative to facing criminal prosecution and potential conviction. So it can be an attractive outcome for the corporate.

Will Chalk:

So how do you think the updated guidance is going to change how company's respond to potential criminal issues within their business? Or rather, how should it in any event?

Neil Donovan:

Yeah, so the first thing to note, the headline points noted in the guidance Will, is that there's been a slight change in the SFO's position and that companies that now make a prompt self-report and cooperate fully with the investigation will effectively be guaranteed an invitation to negotiate a DPA, so there's more certainty around the outcomes of self-reporting and cooperating. And so as a practical matter then, companies will need to decide early on in relation to any internal investigation, whether they're going to engage with Serious Fraud Office and how they're going to do that. And what this may lead to changes within companies is because it will really underscore the importance of proactive escalation of suspected criminality within the business, so that those decision-makers who are tasked with deciding whether to self-report or not, are aware of the conduct at an early stage and can take advice on the suspected criminality and can weigh up those factors as to whether they should self-report or not.

So having really clear escalation and communication channels in place for employees to report concerns, really underlines the importance of robust whistleblowing procedures and just avoiding that risk, that problematic conduct isn't sitting somewhere in the business and being ignored so that at the point at which it is detected it's too late to make that self-report and too late to obtain that corporation credit from the SFO.

Will Chalk:

Thanks, Neil, that's helpful. And Ruby, so we've touched on this already, that SFO guidance has been published at a time when companies are preparing for the new corporate criminal offence of failing to prevent fraud. And again, as you've said, the clock is ticking very loudly on that now. So just outline what the key considerations for legal and compliance teams are ahead of that implementation deadline.

Ruby Hamid:

Will, yes, and interestingly, you mentioned the clock is ticking:when we've had these failure to prevent offences in the past, the government has sanctioned a slow start, a ramp up and has explicitly said they would be comfortable with a program being in place by the date of implementation, even if the procedures are not yet in place. But they haven't given that comfort this time round. They gave a longer period for implementation than we all thought might be the case, with the assumption that that allowed the appropriate time to get things in order. So as I say, less than 100 days out for an implementation now. The offences, I'm sure many of our listeners will know, mirrors the language in the Bribery Act. It's a strict liability offence if an employee or a subsidiary or someone associated with the company commits a fraud either for the benefit of the company or for the benefit of one of its clients.

And the only defence for that offence is that the company demonstrates it had reasonable procedures in place at the time the fraud took place. So not at the time the enforcement authority comes asking, which may be some years after the event, it's a look back to what were the procedures at that moment in time. And that means, doesn't it, that enforcement authorities will be looking at this with hindsight, and that's never a helpful thing for a company. So what it does mean is: documentation. That's really essential. Knowing today that you've got a range of things in place that you think are probably adequate, but not recording that all of that is in place, I think is a misstep that lots of companies are trying to avoid at the moment.

So what should people be doing? Well, mapping fraud risks to current compliance frameworks to work out what is already in place. And then there can be a gap analysis looking at the new aspects of the offence and comparing them to what's already in place, where might those gaps be in existing coverage. It's really important that that is documented so that a reader of that knows why certain decisions were taken and why priorities were applied in the way they were. This is a risk-based proportionate set of responses,so there needs to be some justification for why a company decides to focus on one high-risk area, but to declare another area much lower risk. And that rationale has got to be part of the thinking.

Training and raising awareness throughout the organisation is important, documenting that that training has been given. And that's important because any employee might be the person who creates liability for the business. So they all need to know what it is that might create a risk and the controls the business has in place to prevent it.

Will Chalk:

So there's a real cultural aspect to this. These procedures have really got to live and breathe, they can't just be nice shiny documents that sit in a drawer.

Ruby Hamid:

Absolutely, because these are conduct offences: bribery, fraud, failure to prevent the facilitation of tax evasion. These are all criminal offences, which means they bring with them the requirement for dishonesty and dishonest conduct is a human question. So this is about your people and the culture in which they operate, what they are allowed to get away with, what they are confident they're going to be prevented from doing, and the way the business exercises those controls. And we mustn't forget that it's really important to test the controls, that the government guidance makes plain that it's not just a roll call of things that are in place, this is, are the controls designed effectively? Are they operating effectively? Have they been tested?

So there's a lot to do in the next 100 days, but there's some prioritisation that can be undertaken to make sure that the real high points are being hit the ahead of the 1st of September.

Will Chalk:

When we were expecting that 'failure to prevent' guidance, we expected it to be very, very similar to that which was produced in relation to the failure to prevent bribery offence. The full guidance has actually turned out to be more detailed, more prescriptive, arguably more useful. Does that mean that companies should be thinking about doing anything in relation to their bribery systems and procedures?

Ruby Hamid:

It's a really interesting testimony to the development of compliance in the intervening period. So much has changed in the 15 years since the Bribery Act came into force. The very concept of assessing risk is a much more developed concept than it was at that time. And so the Bribery Act guidance was really a creature of the period in which it was written. We now deal with a risk assessment in a much more robust and detailed way. And an entire industry, as our listeners will know, is built around the identification and management of risk. So the procedures that are expected to now be in place are more detailed, they're more sophisticated, they're more robust, they require more energy and resource of businesses. And that's why the procedures talk about demonstrating that appropriate resource has been allocated to this exercise and demonstrating that that resource has been deployed is part of the reasonable procedures.

So to your question of does this mean a different approach for other failure to prevent offences? Yes, I think it does. I don't think that companies need to go back and refresh their Bribery Act procedures right now, but the next time they come up for their periodic cadence of review, that's the time to get out the 'failure to prevent fraud' guidance and look to see whether you are conducting your Bribery Act risk assessment in this more up-to-date way because it seems to me that that's very much the test that enforcement authorities will use across the piece.

Will Chalk:

Thanks Ruby. Neil, finally, supply chains, modern slavery. Just remind us briefly, in case people haven't been following the media over the last two or three years, what's driving the focus on tackling transparency in supply chains, and again, fundamentally what companies should be doing in response to the latest developments here?

Neil Donovan:

Thanks Will. Yes. So compliance risk in supply chains is an area that's increasingly under the spotlight by authorities and this is driven really by a perception that certain compliance risks are higher or greater in a supply chain context, notably modern slavery risk and the risk of human rights abuses. And this is against the backdrop of very strong public and political appetite to tackle these risks. So what we've seen is the EU, for example, enacting really ambitious supply change due diligence legislation, which is currently subject to some modification, but that that will be coming into force. In England, we've seen the courts showing a willingness to hear supply chain liability claims arising from allegations of harm overseas. And we've also seen the courts in England holding enforcement bodies to account where they fail to investigate alleged human rights abuses within their sphere of responsibility, that that was the NCA and World Uyghur Congress case last year.

So there's this real emphasis on supply chain, and so the guidance that has been published by the government is very helpful. It's detailed, it's very instructive for companies in terms of what they should be doing in response to this risk. And the guidance is helpful for those companies that already have established compliance frameworks in relation to their supply chains, but also for those companies that have identified this as an emerging risk and are now looking to build out a compliance framework.
Practically, in terms of what companies should be doing, there's a focus on understanding the supply chain structure, so identifying how workers are recruited into the supply chain, mapping the sources and transit of goods within supply chain, and the use of intermediaries, to understand the risks associated with those parties. Similar to the guidance that we've seen for the financial crime risks such as fraud, there's a recommendation that companies have a clear policy suite that demonstrates a real commitment to preventing modern slavery and these types of risks. And also conducting the risk assessment, which is something that Ruby mentioned.

And consideration should be given by companies as to those parts of the supply chain where they have the greatest leverage to influence partners within the supply chain. So there's a recognition that in larger supply chains, it may be more difficult to influence those partners with whom there's an indirect or more distant relationship. So the risk assessment has to be proportionate to those partners with whom you have a direct relationship.

There's a real focus on due diligence in the guidance and the importance of understanding / protecting workers within the supply chain through your due diligence measures and training as well as an essential way just to raise awareness and equip staff with the necessary knowledge to identify red flags and modern slavery risks. So they're the real key takeaways for companies, Will.

Will Chalk:

Ruby, Neil, thank you so much for joining me and providing those really helpful and practical insights. And thank you for listening to our podcast. You can find links to relevant publications on the subject matter we've just discussed in the show notes, and there's more podcasts to come, many of which will develop the issues in our Board Priorities for 2025, which you can find on our website. Please do share the podcast with interested colleagues and let us know what you think we can do to improve them in the future. And don't forget, we cover all these issues in our AGC - Ashurst Governance and Compliance updates. So let us know if you'd like to be added to the distribution list. Bye for now.