Corporate culture and how to prevent bribery, fraud and other economic crimes

The Bribery Act 2010 transformed corporate criminal liability in the UK by introducing the so-called ‘failure to prevent’ (FTP) model. Initially for bribery, the FTP model has been extended to the facilitation of tax evasion offences and is now being extended to fraud offences for ‘large organisations’.

Very broadly, the approach is to make commercial organisations ‘strictly liable’ for the wrongdoing of persons providing services on their behalf, unless the organisation can prove that it had in place ‘reasonable procedures’ designed to prevent the offending. The FTP model effectively transfers from law enforcement authorities to commercial organisations a significant part of the responsibility for detecting and preventing economic crimes, where failure risks a criminal conviction and very considerable financial and reputational harm.

Should that not be sufficient encouragement, the ‘identification principle’ has been reformed so as to significantly expand the category of persons who could be ‘identified with’ an organisation for the purposes of attributing criminal liability in economic crimes from ‘directing minds’ (usually Board directors) to ‘senior managers’ (so broadly defined as potentially to include department heads, for example).

How should commercial organisations prevent criminal wrongdoing? And what are ‘reasonable procedures’ that would amount to a defence to an FTP offence?

The government guidance published to date is a bit thin. It sets out ‘guiding principles’ and a few practical examples. And while compliance professionals (and now generative artificial intelligence) have stepped up to fill the void, and collectively UK financial services organisations are reportedly spending £34 billion each year on financial crime compliance, it does not appear that anyone yet has discovered a reliable method for preventing individuals from behaving dishonestly (or improperly) for financial gain.

There is of course a limit to what any organisation can do to prevent individual wrongdoing and, in theory at least, the law only requires ‘reasonable’ procedures, not foolproof ones. In the event of serious offending, however, particularly if relevant conduct has continued for more than a short period of time, it will be difficult for organisations to persuade law enforcement and ultimately the courts that their procedures were ‘reasonable’.

With the benefit of hindsight, there will almost inevitably be red flags that were missed, controls that proved ineffective, measures that could have been implemented but were not. The reason for such failures will involve interesting questions about how humans think and make decisions, about group behaviours and the role of leadership. The criminal justice system, however, is neither equipped to answer nor interested in answering these questions. Instead, in all but the most exceptional cases, you can expect principles of ‘strict liability’ to be applied alongside largely unexamined notions of corporate ‘culture’.

Take Sir Brian Leveson’s deferred prosecution agreement judgment in Tesco Stores Limited: “It is important to underline that a company is a structure which can only operate through its directors, employees and agents. Stripping out the human beings, a company itself can have no will or ability to decide how it should behave. Thus, as I made clear in SFO v Rolls-Royce and another (U20170036) at [48], it is ‘of real significance’ whether or not those who were implicated in or should have been aware of illegal behaviour, or of a culture which permitted illegality to thrive, remain members of the senior management.” [emphasis added]

What did Leveson mean by a ‘culture which permitted illegality to thrive’? How could the wrongdoing have been prevented? Why was Leveson so sure that senior managers ‘should have been aware’ (and therefore needed to be replaced)? As it happens, despite Tesco agreeing to pay a £129 million fine and £3 million in costs as part of a Deferred Prosecution Agreement (DPA), no individuals have ever been convicted in relation to that alleged offending (famously, the three individuals prosecuted were acquitted of all charges without troubling a jury) and so it is perhaps unfair to examine why Tesco did not prevent something which may well not have happened.

Let us take another well-known judgment, the Airbus DPA, where Dame Victoria Sharp expressed similar sentiments: “As I have identified, Airbus did have bribery prevention policies and procedures in place at the material time. However, prior to September 2014, those policies and procedures were easily bypassed or breached and there existed a corporate culture which permitted bribery by Airbus business partners and/or employees to be committed throughout the world.” [emphasis added]

In fact, notwithstanding that Airbus was penalised with a fine of €991 million in the UK as part of a €3.6 billion global resolution, no individuals have ever been convicted in relation to that alleged offending either. However, for these purposes, let us take the judgment at face value.

The alleged FTP bribery took place between July 2011 and June 2015. Most of the conduct involved the use of third parties (i.e., intermediaries or agents) to assist in winning sales contracts in five jurisdictions. In 2012, Airbus commissioned an external consultant to review its compliance programme and Airbus received an award for the design of its anti-bribery compliance programme. Throughout, Airbus had written policies governing payments and contractual relationships with third parties, including policies specifically aimed at ensuring that third parties were used appropriately and only after sufficient due diligence. Airbus operated a series of committees with responsibility for reviewing the use of and payments to third parties. In 2014, Airbus found significant breaches of compliance policies, the systems were reviewed and updated, and payments frozen. (Airbus eventually self-reported in 2016, following enquiries by UK Export Finance.)

In short, Airbus had extensive anti-bribery procedures, and these procedures were to some degree effective. What did Sharp mean by a corporate culture that permitted bribery?

Sharp noted that some committee members were aware of and/or involved in the material wrongdoing. The information provided to the committees was incomplete, misleading or inaccurate, such that the committees were not able to provide effective or properly informed oversight in the manner intended. And the conduct by some included the creation of false invoices, false payments and other compliance material.

In other words, dishonest individuals used sophisticated methods, including the creation of false documentation, to deliberately circumvent procedures. Some might have turned a blind eye. After a period, the company spotted issues, stopped payments and strengthened its systems. The outcome was that the company was penalised €991 million in the UK alone because their systems ‘were easily bypassed’ (while the allegedly guilty individuals walked away scot-free).

The lesson here is that company’s systems will be judged on their outcomes. A system which does not prevent serious wrongdoing will likely be judged a poor system. Wise judges will identify the corporate culture as being permissive of illegality. And if organisations wish to be sure of avoiding enormous fines and reputational harm for someone else’s wrongdoing, they’d better find ways to prevent that wrongdoing in the first place.

On that last point, organisations could learn from the professionals, like the US Securities and Exchange Commission (SEC) (a powerful US agency which enforces the law against market manipulation). Between June 1992 and December 2008, when Bernie Madoff confessed, the SEC received six substantive complaints that raised significant red flags concerning Madoff’s hedge fund operations and should have led to questions about whether Madoff was actually engaged in trading. The SEC never properly examined or investigated Madoff’s trading and never took the necessary, but basic, steps to determine if Madoff was operating a Ponzi scheme. Had these efforts been made with appropriate follow-up at any time beginning in June of 1992 until December 2008, the SEC could have uncovered the Ponzi scheme well before Madoff confessed (findings from the SEC’s ‘Investigation of Failure of the SEC to Uncover Bernard Madoff’s Ponzi Scheme’).

It turns out that no one in the SEC could believe that Bernie Madoff – the Bernie Madoff – would have done anything so outrageous as run a $65 billion Ponzi fraud, until afterwards when it turned out to be blindingly obvious. This, indeed, is why fraud is such a prolifically successful strategy, and so difficult to prevent. People are social animals with a tendency to believe one another, particularly those who look and sound the part. They are subject to countless cognitive shortcuts, biases, blind spots and failures of foresight (not to mention off-days and lapses of judgment). In short, people are so notoriously fallible that it’s a wonder that anyone is able to pronounce confidently on any complex topic, let alone something as untouched by scientific study as the ability of commercial organisations to prevent individuals from committing dishonesty offences. (So great is our fallibility that even when recognised, it doesn’t diminish our confidence to prescribe solutions, or analyse what went wrong in the past.)

Where does all this leave commercial organisations that wish to minimise the risk of being prosecuted for someone else’s wrongdoing?

To engender a corporate culture that does not permit illegality, somehow commercial organisations will have to find a way to control for the fallibility of those who design, implement and deliberately circumvent their systems. That would mean understanding and controlling for how humans think and make decisions, group behaviours and the role of leadership. There is much that can and should be done, but it must be recognised that often it will involve countering people’s natural instincts. Learning to be sceptical, mistrustful, not relying on the assurances of long-standing colleagues, being coldly analytical. Having well-resourced and imaginative compliance personnel. People who understand the business and with the ability to challenge what does not make sense. Having processes that spot risks and ultimately say ‘no’.

Should an organisation’s efforts at detecting and preventing economic crimes not greatly exceed the SEC’s (or if they do not spot red flags and instruct independent lawyers to investigate thoroughly) and if wrongdoing is subsequently identified, they risk criminal prosecution.

In those circumstances, all is not necessarily lost. When commercial pressures do not dictate otherwise, some organisations may have a shot at defending themselves. As the Serious Fraud Office has discovered repeatedly, correctly identifying and proving wrongdoing by associated persons is not always straightforward. There is also scope to argue that individual failings by particular workers do not necessarily illustrate systemic failures. It will be an exceptional case, however, where notwithstanding serious offending an organisation has scope to argue that its procedures were reasonable.