Corporate Crime and the Regulatory Approach
Corporate criminal liability has been transformed beyond all recognition, with companies now having to behave ‘responsibly’ or face not merely reputational damage but criminal prosecution and highly punitive fines. Tom McNeill, senior associate at BCL Solicitors, analyses the current position and identifies the corporate risks.
Corporate criminal liability has been transformed beyond all recognition in the past 15 years. Not only have fines increased significantly, but the expectations placed on corporates have also changed fundamentally.
Companies are now expected to behave responsibly. That does not only mean doing no wrong; it means preventing others from doing wrong as well. And if they do not, they risk not merely reputational harm but criminal prosecution and highly punitive fines.
A key change has been the growth and development of the “regulatory” approach. Traditionally, the most serious offences have been “mens rea” offences. These offences require proof of the relevant mental element (e.g. knowledge or intention) as well as the relevant act. Regulatory offences, previously seen as less serious, work differently: if the proscribed thing happens, or the required thing does not, an offence is committed, and it does not matter whether an organisation meant it or even knew about it.
Sometimes, regulatory offences have a due diligence provision – so that it would not be an offence if the person in question did all they reasonably could, but the proscribed thing still happened despite their efforts. However, it is the nature of regulatory offences to be easy to commit and difficult to defend.
It is hard for companies to commit mens rea offences because it typically requires a directing mind (usually a director) to commit the offence which is then attributed to the company. Often, directing minds are not involved with the relevant conduct – or at least not provably so.
Legal scholars used to query the justification for fining corporations, effectively the shareholders, for conduct they might not have approved or been aware of, i.e. of which they were innocent. It was also doubted that the shareholders would be moved (or be in a position) to take steps to address the offending. In any event, it was thought to be curious reasoning that an innocent person should be punished in order to compel them to do something which the law could do directly.
In more recent years the concern became that the identification doctrine was shielding companies from criminal liability. The response has been the extension of the regulatory approach to mens rea offences.
Failure to prevent
In 2010, the UK introduced a “failure to prevent bribery” offence which makes commercial organisations criminally liable if a bribery offence is committed by an “associated person” – a very broad term that could include sub-contractors or suppliers – so long as that person intended a business advantage for the organisation.
There is no minimum level of culpability; the draft bill required proof of negligence, but that requirement was dropped. The only defence for the company is to show that it had adequate procedures to prevent such conduct. In other words, commercial organisations are made criminally liable if someone else commits an offence, subject to a defence which requires them to prove that they did all they reasonably could to prevent the offending.
In 2017, a “failure to prevent the facilitation of tax evasion” offence was introduced, in similar though not identical terms. There is currently an ongoing Law Commission review which is considering extending the offence to other economic crimes, such as fraud, false accounting and money laundering.
Deferred Prosecution Agreements
Introduced in 2014, DPAs have dovetailed perfectly with the failure to prevent offence. Under a DPA, a prosecutor will lay but not proceed with criminal charges against an organisation, pending compliance with onerous conditions including a punitive financial penalty and measures to prevent future offending. Applying to various economic crimes, they incentivise corporates to self-report early and unreservedly, with a view to avoiding a criminal conviction and securing a quicker and more certain conclusion than a lengthy investigation and prosecution.
With failure to prevent offences very difficult to defend – and in any event for reasons of commercial certainty – a number of organisations have pursued the DPA route. Nine of the 12 DPAs agreed to date have concerned bribery offences.
Size of fines
At the same time that the regulatory approach is being extended, punishments for regulatory offences have been significantly increased. One factor in these increases is that fines now much better account for the financial circumstances of the organisation – large companies can now expect large fines.
The more fundamental change is that regulatory offences are now treated much more seriously, even when failings are merely systemic. There was a time when it was considered that the criminal law should not be concerned with companies trying to do the right thing. The Robens Report, which underpins the UK’s health and safety law, set out the reasoning:
“The fact is – and we believe this to be widely recognised – that the traditional concepts of the criminal law are not readily applicable to the majority of infringements which arise under this type of legislation. Relatively few offences are clear-cut, few arise from reckless indifference to the possibility of causing injury, few can be laid without qualification at the door of a particular individual. The typical infringement or combination of infringements arises rather through carelessness, oversight, lack of knowledge or means, inadequate supervision or sheer inefficiency. In such circumstances the process of prosecution and punishment by the criminal courts is largely an irrelevancy.
“The real need is for a constructive means of ensuring that practical improvements are made and preventative measures adopted. Whatever the value of the threat of prosecution, the actual process of prosecution makes little direct contribution towards this end … We recommend that criminal proceedings should, as a matter of policy, be instituted only for infringements of a type where the imposition of exemplary punishment would be generally expected and supported by the public. We mean by this offences of a flagrant, wilful or reckless nature which either have or could have resulted in serious injury…” 
However, that approach has long since passed. When serious harm occurs, it is commonplace to see prosecutions of even the most conscientious organisations.
All else being equal, organisations which are much less culpable should pay much smaller fines – if prosecuted at all. However, with criminal regulatory offences in place, if harm occurs, the first question is: Why did the company not prevent it?
Cognitive bias is now well understood. Unfortunately, that understanding is rarely applied in the criminal justice system. So, a system which failed to prevent harm risks being judged a bad system. What might be viewed as a remote possibility before the event will afterwards be considered an incident or crime waiting to happen. If people did not follow the required systems, it is assumed to be because the company did not train them, or lead them, or monitor them properly.
Organisations are expected to be able to overcome the everyday failings of people. If they do not, the organisation is not merely held responsible: it is judged to have committed a very serious crime.
Airbus – a case study?
In 2020, Airbus entered a DPA with the SFO in relation to bribery offences, covering serious criminality across five jurisdictions between 2011 and 2015. Based on the agreed statement of facts, Dame Sharp noted in her judgment that:
- most of the conduct was by business partners (i.e. intermediaries or agents), but also involved employees, some very senior;
- Airbus had in place externally certified bribery prevention policies;
- individuals deliberately circumvented the systems, including by the creation of false invoices, payments and other compliance material;
- when Airbus identified weaknesses, the systems were reviewed and updated, and payments frozen; and
- Airbus was slow to self-report, but thereafter cooperated with the prosecuting authorities to the fullest extent possible.
Under the DPA, Airbus agreed to pay €991 million in the UK as part of a €3.6 billion global resolution, involving authorities in France and the United States. It has been reported that the SFO has decided not to prosecute any individual suspects. It remains possible that an overseas prosecutor will.
The extension of the regulatory approach will see more organisations pay highly punitive fines for harm or wrongdoing which they have limited ability to prevent. By one route or another, it may also mean that fewer culpable individuals are prosecuted.
For the criminal law to be fair and robust it should ensure that culpable persons are prosecuted, whether organisations or individuals, and that any punishment imposed is proportionate to that culpability.
Tom McNeill, Senior Associate
Address: 51 Lincoln’s Inn Fields, London WC2A 3LZ
Telephone: +44 020 7430 2277
 Safety and Health at Work: Report of the Committee, 1970-72, Chairman Lord Robens, p.82.
 The author discussed cognitive bias here: https://www.hsmsearch.com/Cognitive-bias-health-safety-investigations.