We aim to make this site as accessible as possible and therefore have provided the settings below to use if you are finding it difficult to view this website. See the SFO Accessibility Statement for more information.

Where it is appropriate to provide a Welsh translation, you can switch to Cymraeg. See the Welsh Language Commissioner website for more information.

Use the settings button in the bottom right corner of the page to access these settings again.

We would like to use Analytics Cookies on our website. 

Turn these on below if you are happy with us collecting information on how our site is used, in order for us to improve the overall experience of our website. 

All other cookies are necessary and therefore by continuing to browse this website, you are agreeing to the usage of these cookies.

 See the SFO Privacy Policy for more information. 

Analytics Cookies

Control Liability – Is it a good idea and does it work in practice?

6 September, 2016 | Speeches

Alun Milford, General Counsel, at the Cambridge Symposium on Economic Crime 2016, Jesus College, Cambridge.

We are invited in this panel session to consider control liability. In England and Wales a version of it has been used as a way of attributing criminal liability to corporates in bribery cases and, shortly, in cases involving the facilitation of tax evasion through the actions of those associated with it. The government also promised that it will consult on the question of corporate criminal liability more generally and I urge you all to participate in the consultation when it is run. In the interim, I will share some personal views on the issue.

Our traditional model of attributing criminal liability to corporates is through the words and actions of a small group of people who make up the controlling mind and will of the organisation. Who precisely is capable of doing so is a fact-specific question to be determined by taking into account both the structure of the company and the purpose of the criminal statute said to have been breached. At its narrowest, it attributes criminal liability to a corporation through the actions of its directors. At its most expansive, no-one really knows.

My contribution to this morning’s discussion is very simple. The identification principle is an inadequate model for attribution to a corporate of criminal liability. It is unfair in its application, unhelpful in its impact and it underpins a law of corporate liability that is unprincipled in scope. On the other hand, the control model of liability meets each of these criticisms. So my answers to the questions posed for the panel are, yes and yes.

Unfair in application

Let’s look at a recent, non-SFO case. In December last year, the CPS announced that because the controlling mind test was not met it could not prosecute News Group International for the phone hacking carried out by a number of its employees, including the then editor of one of its newspapers, in order to boost sales. Had the CPS had recourse to a failure to prevent offence, it would not have had this problem.

The CPS’ statement announcing its decision makes interesting reading, “The law on corporate liability in the United Kingdom makes it difficult to prove that a company is criminally liable if it benefits from the criminal activity of an employee, conducted during their employment. The company will only be liable if it can be proved that the individual involved is sufficiently senior, usually close to or at board level, to be the ‘controlling mind and will’ of the company. Unlike other countries, the principles of vicarious liability or poor corporate governance, which are matters that are easier to prove, play no part in establishing corporate criminal liability. The present state of the law means it is especially difficult to establish criminal liability against companies with complex or diffuse management structures.”

As a practical matter, it is far easier to fix an SME with corporate criminal liability than it is a multi-national. That is because the identification principle enjoins us to look for a person who is the directing mind and will, the very ego of the company. Well, there are only a few of those, and the practical reality is that in a multi-national company they do not involve themselves in the company’s operations in the same way as a director of, say, a small, family-run enterprise. It simply cannot be right that questions of corporate attribution should be determined by the vagaries of company size and structure in a way that favours bigger companies over smaller ones. And, of course, by focussing not on corporate structures but on the actions of those associated with companies, the control model is even-handed – and so fair – in its application.

Unhelpful in its impact

A model for fixing corporate liability by reference to corporate structures carries with it an obvious incentive for the board and its individual members to distance themselves from the company’s operations. That is no doubt one of the reasons why, when it passed the Bribery Act, Parliament created the failure to prevent offence based on the control theory of attribution. By fixing liability on the basis of the actions of persons associated with the company and then affording the company an adequate procedures defence, it incentivised companies – and in particular, those at the top of companies – to take ownership of what was done in the company’s name. All this was reinforced by the six principles set out in the Secretary of State’s guidance: proportionate procedures; top level commitment; risk assessment; due diligence; communications (including training); and monitoring. These are the sorts of good practices that any management school would teach. A benefit of the control model as applied here therefore is that fits seamlessly with established notions of good corporate governance, and incentivises them. The identification principle incentivises the exact opposite, and we see its effects in our casework: devolution of decision making, a “don’t raise that with me” attitude, a lack of record keeping and a generally arm’s length approach to the risks of crime taking place within the organization.

Unprincipled in Scope

At present we have a two tier law of corporate criminal liability in this country. The identification principle, with all its well-understood deficiencies, applies across the economic crime landscape and beyond, including of course to the substantive offences of bribery in the Bribery Act. Then, we have the failure to prevent bribery offence, soon to be joined on the statute book by the offence of failure to prevent the facilitation of tax evasion. Why are these two types of offending singled out for this better model of corporate liability? Is corporate fraud somehow less serious? What about corporates laundering the proceeds of crime? What about other crimes from which corporates profit?

Three years ago I argued at this symposium, as I do today, for the control theory test for corporate liability. I gave the example of a hypothetical bank with a rotten corporate culture whose employees were prepared to commit crime to boost profits. Imagine that on the same day one employee committed a bribery offence in order to secure a banking licence and a second, separate employee committed a fraud offence in selling a financial product to customer. Neither employee was a controlling mind of the bank, which nonetheless benefited financially from their crimes. Those crimes in turn reflected the bank’s culture and were committed in a working environment devoid of the sorts of measures covered in the Secretary of State’s guidance. But only one would attract criminal liability for a failure to prevent. I can see no principled rationale for that distinction. Can you?

Many of the arguments in favour of the status quo boil down to an assertion that reform of our law of corporate criminal liability by extending the scope of the attribution model would increase the regulatory burden on business and so be bad for the economy.

Those bald assertions need to be challenged. Certainly, the proposed reform might reinforce to some companies the scope of the criminal law to which they are already theoretically subject. But remember that the only change proposed is that an existing, unrealistic test for criminal liability should be supplemented by a second, realistic test. It sends the message that companies should be accountable in practice as well as in theory for crimes committed in the furtherance of their businesses, in the same way as employees or agents are. It is wrong to dismiss this as a regulatory burden. Rather, it is a question of rights and responsibilities, and it would be left to each company to judge what proportionate additional steps it needs to take, if any, to ensure that crime did not feature in its business dealings. If they haven’t already done them, those are things companies should be doing anyway. Indeed, it is worth recalling that a great deal of good work was undertaken by companies on their compliance policies generally when the Bribery Act was introduced. Many have made clear that those policies covered ethics generally, not just anti-corruption. So I really do not see the problem.

As to the harm to the economy argument, I recall that it featured heavily in the debates around the implementation of the Bribery Act. The economy has, of course, grown since the Bribery Act was brought into law. If you want to take a more long-term view of the impact of corporate criminal liability laws on an economy, let’s look at the USA. Their vicarious liability model, like the control theory model, is straightforward in its application, and it has been in place for about a hundred years. I’d say the United States has done quite well over that time.

So there you have it. The control theory is fair in its application, helpful in its operation and its extension would remove an unprincipled division in our law. Its operation in the Bribery Act has not hurt the economy, and there is no reason to think that its extension to other forms of offending in the course of business would either. We should all get behind it.