Managing corporate criminal liability risks arising out of the acts of ‘associated persons’
March 2022 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2022 Issue
July 2021 marked the 10-year anniversary of the entry into force of the UK Bribery Act and the introduction of corporate criminal liability – which applies across sectors and borders – based on a company’s ‘failure to prevent’ the payment of a bribe or bribes by an ‘associated person’.
Since 2011, liability based on the acts of associated persons has gained traction as a model for reform of corporate criminal liability in the UK. In 2017, legislation was enacted which made a commercial organisation criminally liable for a failure to prevent the facilitation of tax evasion by an associated person of the organisation. A new offence of ‘failure to prevent economic crime’, imposing criminal liability on companies for any failure to prevent their associated persons committing economic crimes, is likely to be proposed by the Law Commission in the coming weeks.
The risks arising out of the actions of a company’s associated persons have therefore increased markedly and may yet increase further. This increase in risks, and the potential liabilities it creates, will be of concern to those investing in and acquiring companies which carry on business in the UK, as well as those in management and compliance roles.
This article considers the definition and scope of ‘associated persons’, the growing criminal liability risks arising out of the acts of this broad class of persons and offers some practical steps that can be taken to assess and manage those risks.
The Bribery Act 2010 – the advent of the ‘associated person’ criminal liability risk
The introduction – through section 7 of the Bribery Act – of corporate liability on the basis of the acts of associated persons represented a very significant expansion of corporate criminal liability risk for companies doing business in the UK. It also gave rise to (as intended) powerful imperatives toward managing the new criminal liability risks that might arise out of the acts of associated persons, over whom companies might previously have exercised only minimal or notional control or oversight.
The introduction of the ‘failure to prevent’ model of corporate criminal liability moved the criminal risk and enforcement landscape in the UK closer to the American model of vicarious corporate criminal liability – respondeat superior – and put on a criminal liability footing a category of risk (namely, the risk of a corporate liability based on the actions of an employee or agent) which has hitherto been subject to only civil or regulatory sanction.
An ‘associated person’ is defined broadly in section 8 of the Bribery Act as any person (human or corporate) who “performs services for or on behalf of” a company. This definition will include employees, agents and subsidiaries of a company. Guidance issued by the UK Ministry of Justice indicates that the definition will also capture certain suppliers, joint ventures and entities in a supply chain, each of which might be capable of paying a bribe on a company’s behalf.
The concept of ‘associated person’ is made broader still by section 8(2), which provides that the capacity in which an associated person provides services to a company “does not matter”. The effect of section 7 of the Bribery Act is to create liability based on the acts of an associated person (i.e., bribery, for the benefit of the company) rather than the capacity in which those acts are performed. The position is different under the Criminal Finances Act 2017.
It is a defence to the section 7 offence for a company to show that it had in place (at the time of the payment of a bribe by an associated person) “adequate procedures designed to prevent persons associated with [the company] from undertaking such conduct”. Managing the risk arising out of section 7, and the risks posed by associated persons, by creating and deploying “adequate procedures”, is an exercise made considerably more difficult by the breadth of the definition of ‘associated person’ and the potentially wide range of individuals and corporate entities over which a degree of oversight and control must be exercised.
Criminal Finances Act 2017 – facilitation of tax evasion offences by associated persons
The Criminal Finances Act 2017 created two new corporate criminal offences, modelled on section 7 of the Bribery Act: the “failure to prevent facilitation of UK tax evasion offence” and the “failure to prevent facilitation of foreign tax evasion offence”. A company commits an offence if it fails to prevent the facilitation of tax evasion by an ‘associated person’.
Under the 2017 Act, ‘associated person’ is defined in similarly broad terms as under section 8 of the Bribery Act. In contrast to the position under the Bribery Act, the associated person’s actions need not have been for the company’s benefit for the company to be liable. Instead, it must be established that the associated person committed the act of facilitation of tax evasion, “when acting in the capacity of a person associated with (the company)”. The scope of corporate liability is thus again broad, albeit on a different basis to the corporate liability created by section 7 of the Bribery Act.
As under the Bribery Act, a corporate has a defence to the 2017 Act offences if it can show that it had “reasonable prevention procedures” in place to prevent the facilitation of tax evasion by an associated person.
The extent of the risk – liabilities arising from the acts of associated persons
The potential risks and liabilities presented by the “failure to prevent” offences are not academic but real and significant. Since 2011, the UK Serious Fraud Office (SFO) has entered into deferred prosecution agreements (DPAs) with 12 corporates. Nine of those 12 were subject to indictments alleging at least one count of failure to prevent bribery contrary to section 7 of the Bribery Act. The total financial penalties and orders made against those nine corporates totalled more than £1.4bn. Less tangible but perhaps not less significant is the publicity and reputational harm caused to those companies, having been accused of and publicly settling allegations of Bribery Act offences.
The costs of a failure to manage the risks posed by associated persons are therefore significant. Creating ‘adequate procedures’ or ‘reasonable procedures’ to manage these risks requires an assessment of the particular risks presented by or arising out of a particular business. However, a few general considerations as to managing the risks are set out below.
Managing the risks – practical steps
Although every step that might be taken to manage the risk arising out of the actions of associated persons cannot be fully considered here, there are a small number of important, practical steps, which will be key to any risk management exercise of this nature.
Identify your associated persons and assess the risks they pose. UK government guidance on both the section 7 Bribery Act offence (published in March 2011) and on the corporate criminal offences of failure to prevent the facilitation of tax evasion (published in September 2017) indicate that an assessment of risk is a critical first step in meeting the risks posed by associated persons.
In practice, it will first be necessary to consider the relevant statutory definitions of ‘associated person’, and to compose a full list of all individual and corporate persons which perform services for or on behalf of the company. This list will include persons who perform services directly or indirectly, on a full-time or occasional basis and persons providing services both in the UK and overseas.
Establish, review and update appropriate control frameworks. The control framework which is created will need to be demonstrably proportionate to the risks arising out of the company’s business activities. Some activities will obviously present a higher risk: appointing unvetted agents in high risk-jurisdictions to win contracts or to obtain government permits would typically give rise to a high risk of bribery. This form of risk is exceptional. It does not follow that purely domestic business activities will present no bribery risk whatsoever. Some demonstrable measure of control of bribery risk will almost always be appropriate and necessary.
Control frameworks for anti-bribery (or anti-facilitation of tax evasion) purposes cannot be generic and must be tailored to risk. However, the foundations of any control framework will typically be effective policies and procedures that are communicated to associated persons, including by way of training, tailored contractual terms, for instance prohibiting acts of criminality, appropriate due diligence on associated persons and potential associated persons and effective oversight of their activities.
Apply adequate and ongoing oversight, scrutiny and audit. The mere fact of having told associated persons, in a policy, email or training, not to pay bribes or facilitate tax evasion will rarely, if ever, be sufficient to establish a statutory defence to a ‘failure to prevent’ offence. In most cases, demonstrating ‘reasonable’ or ‘adequate’ prevention procedures will require evidence of effective oversight of the activities of associated persons.
In higher risk relationships, creating a contractual right of audit over the associated persons’ books and records might be a proportionate. Where contractual services are subcontracted, it will be essential for the company procuring the services to demonstrate sufficient control and oversight of each associated person in the supply chain.
The future – a new corporate criminal offence of failure to prevent economic crimes
In early 2022, the Law Commission is due to publish a formal paper on the options for the reform of the corporate criminal liability. A new corporate offence of “failure to prevent economic crime”, imposing criminal liability on companies for failing to prevent their associated persons committing economic crimes (likely to include, most obviously, fraud) has been championed by prosecutors in the UK (including the director of the SFO) and is likely to be among the options put forward.
If the Law Commission recommends, and the government adopts, a new corporate criminal offence of failure to prevent economic crime, the vista of corporate criminal liability, based on the acts of associated persons, will become significantly broader, creating an even greater impetus than exists at present for those owning, investing in or managing companies to ensure that associated person risk is managed appropriately and in line with relevant government guidance.
Sean Jeffrey is a partner and Alan Ward is a senior associate at Stephenson Harwood LLP. Mr Jeffrey can be contacted on +44 (0)20 7809 2034 or by email: sean.jeffrey@shlegal.com. Mr Ward can be contacted on +44 (0)20 7809 2295 or by email: alan.ward@shlegal.com.
© Financier Worldwide
BY
Sean Jeffrey and Alan Ward
Stephenson Harwood LLP
Q&A: ESG and climate risk management
Keys to a sound and sustainable regulatory reporting programme
Servant leaders, boards and resilience: the management issue of the 2020s
Fraud risk lessons from the pandemic
Managing corporate criminal liability risks arising out of the acts of ‘associated persons’
Cyber insurance and the need for standardisation
Captive insurance grows in importance as a hard market continues