Corporate criminal liability has been transformed beyond all recognition, with companies now having to behave ‘responsibly’ or face not merely reputational damage but criminal prosecution and punitive fines.
Tom McNeill, senior associate at BCL Solicitors, analyses the current position and identifies the corporate risks.
Corporate criminal liability has been transformed beyond all recognition from what it was just 15 years ago. Not only have fines increased very significantly, the expectations placed on corporates have changed fundamentally.
Companies are now expected to behave responsibly. That doesn’t just mean doing no wrong, it means preventing others from doing wrong. And if they do not, they risk not merely reputational harm but criminal prosecution and highly punitive fines.
A key change has been the growth and development of the ‘regulatory’ approach.
Traditionally, the most serious offences were ‘mens rea’ offences. These offences require proof of the relevant mental element (e.g. knowledge or intention) as well as the relevant act.
Regulatory offences, previously seen as less serious, are to the effect that if the proscribed thing happens, or the required thing does not, an offence is committed, and it doesn’t matter whether an organisation meant it or even knew about it.
Sometimes regulatory offences have a due diligence provision – so that it wouldn’t be an offence if the person did all they reasonably could, but the proscribed thing still happened.
However, it is the nature of regulatory offences, even those with a due diligence defence, that they’re easy to commit and difficult to defend.
It’s hard for companies to commit mens rea offences because it typically requires a directing mind, usually a director, to commit the offence which is then attributed to the company.
Often directing minds aren’t involved with the relevant conduct – sometimes not provably so.
Legal scholars used to query the justification for fining corporations, effectively the shareholders, for conduct they might not have approved or been aware of, i.e. of which they were innocent.
It was also doubted that the shareholders would be moved (or be in a position) to take steps to address the offending. In any event, it was thought curious reasoning that an innocent person should be punished in order to compel him to do something which the law could do directly.
In more recent years the concern became that identification doctrine was shielding companies from criminal liability. The response has been the extension of the regulatory approach to mens rea offences.
Failure to prevent
In 2010, the UK introduced a failure to prevent bribery offence which makes commercial organisations criminally liable if a bribery offence is committed by an ‘associated person’ – a very broad term that could include sub-contractors or suppliers – so long as that person intended a business advantage for the organisation.
There is no minimum level of culpability – the draft bill required proof of negligence, but that requirement was removed during the legislative process.
It doesn’t matter if no one within the company knew about the offending, or whether the organisation actually gained an advantage. The only defence for the company is to show that it had adequate procedures to prevent such conduct.
In other words, commercial organisations are made criminally liable if someone else commits an offence, subject to a defence which requires them to prove that they did all they reasonably could to prevent the offending.
In 2017, a failure to prevent the facilitation of tax evasion offence was introduced, in similar though not identical terms. There is currently an ongoing Law Commission review which is considering extending the offence to other economic crimes, such as fraud, false accounting and money laundering.
FCA-regulated persons are already subject to substantial ‘regulatory’ (i.e. non-criminal) penalties that are frequently higher than those imposed by the criminal courts, including for shortcomings in anti-money laundering controls and for failing properly to assess, monitor and mitigate the risk of financial crime.
Deferred Prosecution Agreements
Introduced in 2014, DPAs have dovetailed perfectly with the failure to prevent offence.
Under a DPA, a prosecutor will lay but not immediately proceed with criminal charges against an organisation, pending successful compliance with onerous conditions including a punitive financial penalty and measures to prevent future offending.
Applying to various financial crimes (which often do not have the self-reporting structures that exist in a number of regulatory contexts), it incentivises corporates to self-report early and unreservedly with a view to avoiding a criminal conviction and securing a quicker and more certain conclusion than a lengthy investigation and prosecution.
With failure to prevent offences very difficult to defend – and in any event for reasons of commercial certainty – a number of organisations have pursued the DPA route. Nine of the twelve DPAs agreed to date have concerned bribery offences.
Since their introduction, DPAs have collected £1.67 billion for the Treasury.
Size of fines
At the same time that the regulatory approach is being extended, punishments for regulatory offences have been significantly increased.
One factor in this increase is that fines now much better account for the financial circumstances of the organisation – large companies can now expect large fines.
But the more fundamental change is that regulatory offences are now treated much more seriously, even when failings are merely systemic.
There was a time when it was considered that the criminal law should not concern itself with companies trying to do the right thing – guidance and instruction were thought more appropriate.
The Robens Report, which underpins the UK’s health and safety law, set out the reasoning:
“The fact is – and we believe this to be widely recognised – that the traditional concepts of the criminal law are not readily applicable to the majority of infringements which arise under this type of legislation. Relatively few offences are clear-cut, few arise from reckless indifference to the possibility of causing injury, few can be laid without qualification at the door of a particular individual. The typical infringement or combination of infringements arises rather through carelessness, oversight, lack of knowledge or means, inadequate supervision or sheer inefficiency. In such circumstances the process of prosecution and punishment by the criminal courts is largely an irrelevancy. The real need is for a constructive means of ensuring that practical improvements are made and preventative measures adopted. Whatever the value of the threat of prosecution, the actual process of prosecution makes little direct contribution towards this end…We recommend that criminal proceedings should, as a matter of policy, be instituted only for infringements of a type where the imposition of exemplary punishment would be generally expected and supported by the public. We mean by this offences of a flagrant, wilful or reckless nature which either have or could have resulted in serious injury…”. 
However, that approach has long since passed. When serious harm occurs, it is commonplace to see prosecutions of even the most conscientious organisations.
All else being equal, organisations which are much less culpable should pay much smaller fines – if prosecuted at all.
However, with criminal regulatory offences in place, if harm occurs, the first question is, Why didn’t the company prevent it?
Cognitive bias is now well understood. Unfortunately, that understanding is rarely applied in the criminal justice system.
So, a system which failed to prevent harm risks being judged a bad system.
What might be viewed as a remote possibility before the event will afterwards be considered an incident or crime waiting to happen.
If people didn’t follow the required systems, it is assumed that this is because the company did not train them, or lead them, or monitor them properly.
Organisations are expected to be able to overcome the everyday failings of people. If they do not, the organisation is not merely held responsible: it is judged to have committed a very serious crime.
Organisations have two main routes to address these risks.
The first, which is the principal legislative intent, is to properly fund, resource, audit and monitor preventative procedures.
Organisations should do this. It is unlikely however that organisations will ever be able to fully protect against human error.
The second is when things go wrong. Expert advice will help avoid own goals, such as in relation to self-reporting and disclosure.
Beyond that, it will be necessary to properly investigate what happened and what went wrong, engaging experts where required, and to persuasively explain the organisation’s position.
With regulatory offences, however, damage limitation will sometimes be the best possible outcome, even for well-run organisations.
For the criminal law to be fair and robust it should ensure that culpable persons are prosecuted, whether organisations and/or individuals, and that any punishment imposed is proportionate to that culpability.
The extension of the regulatory approach, however, will see more organisations pay highly punitive fines for harm or wrongdoing which they have limited ability to prevent. By one route or another, it may also result in fewer culpable individuals being prosecuted.
A preoccupation with ‘holding corporates to account’ is not necessarily the best way to deter or punish
UBS & Deutsche Bank were fined £160 million and £227 million respectively by the FCA for manipulation of LIBOR; Barclays Bank was fined £284.4 million by the FCA for manipulation of the currency exchange market (FOREX). Standard Chartered Bank was fined £102.2m by the FCA in relation to shortcomings in the bank’s AML controls relating to customer due diligence and ongoing monitoring.
Safety and Health at Work: Report of the Committee, 1970-72, Chairman Lord Robens, p.82.
The author discussed cognitive bias here: https://www.hsmsearch.com/Cognitive-bias-health-safety-investigations.