How will changes to corporate criminal liability impact the banking sector

The Economic Crime and Corporate Transparency Act was passed by Parliament on 26 October. The Act makes significant changes to the law of corporate criminal liability.

• First, it materially expands the scope of persons whose criminal conduct can be attributed to a company, under the ‘identification doctrine’, for economic crime.
• Second, it introduces a new offence of failing to prevent fraud. The new offence, which only applies to ‘large organisations’ (as defined)^[1], is made out where a person ‘associated’ with the defendant company has committed a fraud offence, intending to directly or indirectly benefit the company. In order to raise a valid defence, the company must show that it had reasonable procedures in place to prevent fraud. By operating in that way, the law effectively places a compliance burden on firms.

How will these provisions affect banks, and other financial services firms in the regulated sector? Two questions might immediately be posed:

• One, to what extent will these changes significantly increase the risk that banks may face criminal investigation and prosecution in the future?
• Two, to what extent are the obligations to implement adequate procedures to prevent fraud already captured by the duty on regulated firms to establish and maintain effective systems and controls to combat financial crime?

Corporate liability - the current position

Under common law, the identification doctrine is very limited. Companies can only be criminally liable for offences committed by persons considered to be their ‘controlling mind and will’, a status primarily determined by analysing the allocation of power under the articles of association. Typically, the persons who fall within scope are the board, the managing director and other superior officers, although power can be formally delegated to others. The narrow scope of the doctrine has prompted calls for reform^[2]. Critics have argued that it is not appropriate for, and does not reflect, the reality of complex corporate structures, where responsibility is not centralised.  To date, the legislative response to those concerns has been the introduction of offences which hold companies liable for ‘failing to prevent’ specific crimes: first bribery and then tax evasion. The new Bill both widens the identification principle in relation to economic crimes and introduces an offence of failing to prevent fraud. 

Changes to the identification principle

In respect of the former, under the new Act companies will be criminally liable for ‘economic crimes’^[3]committed by ‘senior managers’ “acting within the actual or apparent scope of their authority”. ‘Senior managers’ are defined as individuals who play a significant role in either decision-making about how the whole or a substantial part of the activities of the company is to be managed or organised, or the actual managing or organising of a substantial part of those activities^[4]. In the context of a financial institution, it is important to stress that the term has no relationship to or connection with Senior Manager Function (SMF) holders.

Whilst certainly broader than the ‘controlling mind and will’ standard, the scope of the definition for a ‘senior manager’ is far from clear.  The definition would certainly cover all board and executive committee members. It may also cover managers of certain parts of the business, depending on the size and importance of that part to the company as a whole. Business heads or regional managers will fall within the definition of ‘senior manager’ where their respective area / region is a substantial part of the company’s activities. Similarly, middle managers who report to those heads could be in scope where they also play a significant role in the management of that area.  Descending the hierarchy the position will become far more opaque Could the definition be applied to a senior executive of a subsidiary company in order to render criminally liable the holding parent?  

Given the definition hinges on a person’s actual role in the decision-making of, or actual involvement in, the management and organisation of a company’s activities, instead of being rooted in an assessment of the company’s formal governance structure, the lives of investigators and prosecutors will be made easier.  Building a case against a firm by gathering facts about how the principal offender was operating in the company at the time of the offence is a more straight forward exercise.

The introduction of failing to prevent fraud

In respect of the offence of failing to prevent fraud, companies will be liable where a person ‘associated’ with it commits a fraud offence^[5]intending to benefit either the company itself, or someone to whom they are providing services on the company’s behalf. In order to raise a valid defence, the company must demonstrate (on the balance of probabilities) that it had, at the relevant time, implemented reasonable procedures to prevent fraud.  What amounts to ‘reasonable procedures’ is not defined under the Act itself, but the Government is required to publish guidance once the legislation is passed.

The failure to prevent fraud offence could change the criminal risk landscape for banks more dramatically than the proposed changes to the identification principle. The first step to proving liability rests on showing that fraudulent conduct was committed by an ‘associated person’, the definition of which extends beyond employees and agents, to persons performing services for the company^[6]. Many of the major banking scandals that emerged following the financial crisis involved conduct that was investigated as fraud, for example the alleged manipulation of benchmark rates and the foreign exchange market.  If the new failure to prevent fraud offence had been at the disposal of prosecutors at the time, the banks involved would likely have been under criminal investigation and, at any subsequent trial, would have had the burden of proving that they had reasonable procedures to prevent such fraud. Where the underlying conduct, alleged as criminal, occurred systematically and over an extended period, successfully discharging that burden would probably have been very difficult for a defendant institution.

How does the requirement to have reasonable procedures overlap with existing regulatory obligations?

Under the Act, the Government is required to publish guidance on how organisations can meet their obligation to have reasonable procedures.  The guidance is likely to be materially similar to that published in relation to equivalent offences of failing to prevent bribery and tax evasion, which comprise six guiding principles, namely that:

1. the procedures are proportionate to the risk of the criminal conduct and to the nature, scale and complexity of the commercial organisation’s activities;
2. there is top-level commitment; 
3. the company undertakes, documents and periodically refreshes a risk assessment across its business;
4. the company conducts due diligence on persons who perform services on its behalf;
5. the corresponding policies and procedures are embedded, communicated and understood;
6. the procedures are monitored and reviewed.

These principles significantly overlap with the existing regulatory obligation on firms to take reasonable care in establishing and maintaining effective systems and controls to counter the risk that they are used to further financial crime^[7]. The Financial Crime Guide (“FCG”) provides assistance as to what amounts to effective systems and controls. For the most part the recommendations in the FCG seem to cover the areas that the guiding principles address.  There is no specific reference to conducting due diligence on persons who perform services for a firm, although this could be one aspect of how firms are likely to assess their risks posed by their business.

In any event, on publication of the guidance, firms will still need to turn their minds to whether their existing compliance framework and governance would amount to ‘reasonable procedures’ under the new law. That analysis should of course be documented, even if it concludes that nothing additional needs to be done.

Looking ahead - the appetite of regulators

Whilst the above changes to corporate criminal liability may be considered by some to be modest, especially when compared to the position in the US, they are significant.  How significant will depend, to a large degree, on prosecutors’ appetite and interest in using them, as well as (in time) how they are interpreted by the judiciary.  The Serious Fraud Office had little success in prosecuting financial institutions for the various large banking scandals that were exposed in the wake of the financial crisis. It would have been far better positioned to pursue similar cases if the failure to prevent fraud offence was available to it. And what of the FCA? Might it be interested to use the failure to prevent fraud offence as an alternative to a regulatory action? The former Head of Enforcement made good on his commitment to prosecute firms under the Money Laundering Regulations, in preference to taking regulatory action. Moreover, the exercise of assessing the reasonableness of firms’ procedures - i.e. the systems, controls and governance- to prevent against fraud sits firmly in the FCA’s wheelhouse. If the Regulator is minded to use it, the new failure to prevent offence could lead the FCA to be being a far more active prosecutor.

This article was published one day before the Act was passed by Parliament and has since been updated to reflect this.