The text of a speech given to the 34th Cambridge Symposium on Economic Crime at Jesus College, Cambridge by David Bacon, Senior Editor at Practical Law Business Crime and Investigations.
I would like to start by thinking about the title of the 34th Symposium – Economic Crime – where does the buck stop. I suspect there will be a number of different answers given during the course of the week, but one clear trend will emerge: the change in responsibility for the policing of economic crime.
Twenty years ago, corporate criminal liability, as opposed to the liabilities of individuals involved in criminal activity, was possible but rarely enforced. For example, the Serious Fraud Office came into existence in 1987, yet secured the first conviction of a corporate entity, Smith and Ouzman Ltd, a printing company based in Eastbourne, after trial in 2014.
There are many reasons for the lack of corporate prosecutions. However, it is important to note that Smith and Ouzman were not prosecuted under a new law, but under the Prevention of Corruption Act 1906 and the current principles of corporate criminal liability. I know earlier this week the Director of the SFO, David Green, discussed the limitations of the current law and championed a “failure to prevent” offence covering fraud, but it is worth noting that the current laws can be used to successfully prosecute companies.
Since 1997, there have been four important pieces of legislation in England and Wales that have addressed some of the issues concerning corporate criminal liability:
- The Proceeds of Crime Act 2002 (POCA), which although not expressly creating a corporate offence, did require companies to appoint a nominated officer, with a specific statutory role and responsibilities towards the prevention and reporting of money laundering.
- The Corporate Manslaughter and Corporate Homicide Act 2007, which sets the threshold for corporate criminal liability substantially lower than director level and does not require the prosecution to prove specific failings on the part of individual senior managers.
- The Bribery Act 2010, which created the corporate offence of failure to prevent bribery.
- The Modern Slavery Act 2015, which created the modern offences of slavery and human trafficking and required companies to take specific measures to ensure supply chains are slavery free.
In addition to the four existing pieces of legislation, a consultation seeking to put in place similar measures in respect of cybercrime is ongoing.
With the increase in both criminal liability, and the need for companies to both take and demonstrate they have taken active steps to prevent the commission of criminal offences, a number of factors become important. One of the key factors is due diligence.
Due diligence is of course not a new term. It was first described in the US Securities Act of 1933, as:
- [a person had], after reasonable investigation, reasonable ground to believe and did believe, at the time such part of the registration statement became effective, that the statements therein were true
The basic idea emerged that, rather than being held strictly liable, any liability would flow from the failure to conduct “reasonable investigation”. (Indeed, in relation to many criminal offences, due diligence, the taking of every reasonable step to prevent the criminal act happening, is the only available defence.)
Returning to economic crime, the wording “due diligence” is becoming more and more commonly inserted into various statutes.
In respect of Money Laundering, Regulation 7 of the Money Laundering Regulations 2007 requires a person who is subject to the regulations to apply due diligence measures whenever he:
- Establishes a business relationship.
- Carries out an occasional transaction.
- Suspects money laundering or terrorist financing.
- Doubts the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification.
- Considers appropriate at other times to existing customers on a risk-sensitive basis (for example if an existing customer has attracted new investment).
Due diligence is not defined in the regulations. A person is required to do two things:
- Determine the extent of customer due diligence measures on a risk-sensitive basis depending on the type of customer, business relationship, product or transaction.
- Be able to demonstrate to his supervisory authority that the extent of the measures is appropriate in view of the risks of money laundering and terrorist financing.
And part of my role while working for a supervisory authority, the Solicitors Regulation Authority, was to determine the appropriateness of the anti-money laundering and counter terrorist financing measures of various law firms.
In addition to due diligence being a regulatory standard, a failure to comply with a requirement under regulation 7 is a criminal offence.
The Bribery Act 2010 is another area where due diligence has become a compulsory measure for companies. I have no doubt most of you are familiar with the offence under section 7 of the Bribery Act 2010, the offence of failing to prevent bribery connected to a commercial organisation. For the purposes of today, there are two important elements:
- Commercial organisations can be guilty of an offence without any evidence of knowledge of that offence.
- The only defence available is the statutory “adequate procedures”.
There are six separate adequate procedures: procedure 4 concerns due diligence.
Principle 4, set down in guidance from the Ministry of Justice, states:
The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.
The guidance states that due diligence is firmly established as an element of corporate good governance and it is envisaged that due diligence related to bribery prevention will often form part of a wider due diligence framework. Due diligence procedures are consequently both a form of bribery risk assessment (in parallel with principle 3) and a means of mitigating a risk.
So what is the purpose of the principle?
The purpose of this principle is to encourage commercial organisations to put in place due diligence procedures that “adequately inform the application of proportionate measures designed to prevent persons associated with them from bribing on their behalf”.
Due diligence procedures have to be proportionate to the identified risk. The appropriate level of due diligence to prevent bribery will vary enormously depending on the risks arising from the particular relationship. By way of example, the appropriate level of due diligence required by a commercial organisation when contracting for the performance of information technology services may be low, to reflect low risks of bribery on its behalf. In contrast, an organisation that is selecting an intermediary to assist in establishing a business in foreign markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.
The nature of a business relationship is also important – one that carries particularly important due diligence implications is a merger of commercial organisations or an acquisition of one by another.
How should due diligence be conducted?
The guidance is clear that using a risk-based approach is appropriate. In lower risk situations, commercial organisations may decide that there is no need to conduct significant due diligence. In higher risk situations, due diligence may include conducting direct interrogative enquiries, indirect investigations, or general research on proposed associated persons. Appraisal and continued monitoring of recruited or engaged ‘associated’ persons may also be required, proportionate to the identified risks.
The guidance is, however, simply guidance and will not provide firms with any “safe harbour”.
Generally, more information is likely to be required from companies than from individuals. However, individuals are also important. Due diligence may involve direct requests for details on the background, expertise and business experience, of relevant individuals. This information can then be verified through research and the following up of references, etc.
The guidance also recommends companies incorporate into its recruitment and human resources procedures an appropriate level of due diligence to mitigate the risks of bribery being undertaken by employees which is proportionate to the risk associated with the post in question. Due diligence is unlikely to be needed in relation to lower risk posts, but….
The practical side:
In practice, there are few problems.
First, commercial reality. The Bribery Act, while still a hot topic in economic crime circles, is perhaps seen as less of an issue by businesses five years after the wide publicity surrounding enactment. This is partly due to point two.
Secondly, there has been limited enforcement. Notwithstanding the number of high profile organisations under investigation by the SFO, the facts are one company (Sweett Group) has entered a plea of guilty to an offence under section 7 and two have entered into deferred prosecution agreements.
Sweett Group: The indictment reads that “Between 1 December 2012 and 1 December 2015 Sweett Group plc, being a relevant commercial organisation, failed to prevent the bribing of Khaled Al Badie by its subsidiary company, Cyril Sweett International Ltd, which was intended to obtain or retain business, and/or an advantage in the conduct of business, for Sweett Group plc, namely, by securing and retaining a contract with Al Ain Ahlia Insurance Company for project management and cost consulting services in relation to the building of a hotel in Abu Dhabi, contrary to Section 7(1) of the Bribery Act 2010″.
Sweett was unable to show that it had procedures for requiring documentation of the fact that due diligence had been undertaken on whether subcontracted consultancy contracts signed by subsidiary companies were justified, and failed to act on internal reports by KPMG dating from 2011 indicating inadequate systems and controls.
Standard Bank: The indictment “sets out a count of bribery under section 7 Bribery Act 2010 (BA 2010) which related to a US$6 million payment by a former sister company of Standard Bank, Stanbic Bank Tanzania, in March 2013 to a local partner in Tanzania, Enterprise Growth Market Advisors (EGMA). The SFO alleges that the payment was intended to induce members of the Government of Tanzania, to show favour to Stanbic Tanzania and Standard Bank’s proposal for a US$600 million private placement to be carried out on behalf of the Government of Tanzania. The placement generated transaction fees of US$8.4 million, shared by Stanbic Tanzania and Standard Bank. The allegation is that the bribe was organised and paid by two employees of Stanbic Bank. These employees were associated people for the purposes of section 7 Bribery Act 2010. The offending arises out of the inadequacy of the bank’s compliance procedures and its own failure to recognise the risks inherent in the lending proposal”.
Section 7(2) of BA 2010 provides a defence for a commercial organisation to have had in place adequate procedures designed to prevent persons associated with the commercial organisation from undertaking the bribery. In this case the bank was unlikely to be able to raise the adequate procedures defence.
Notwithstanding these landmark cases, two companies have been fined and nobody has gone to prison. The Bribery Act has been in force for five years.
Thirdly, as we have yet to see a contested case, we do not know whether such procedures are “adequate” and have no judicial guidance as to the extent to which due diligence should be carried out.
Fourthly, unlike money laundering, there is no direct requirement for supervision. The FCA, SRA and no doubt other regulators will be interested to hear about the anti-bribery policies of firms within their sphere, but there is no defined law or standard.
Fifthly, different jurisdictions have different standards of “due diligence”. A really good example is the recent judgment in the High Court in respect of Leigh Day and what tragically happened to the Trafigura settlement monies. It was a claim in negligence brought by one of the defrauded claimants but the principle (know your jurisdiction) applies equally in economic crime cases.
Finally, the other issue of concern is of course Brexit. It is far too early to know what the effect of Brexit might be on due diligence, and I will not speculate. However, we can reasonably conclude that policies suitable for the beginning of 2016 may have to be amended.