Since their introduction in the Crime and Courts Act 2013 (CCA), the Serious Fraud Office (SFO) has concluded four deferred prosecution agreements (DPAs), seemingly all in different circumstances (the details of one remaining confidential). Opinion is divided: some commentators believe they provide an effective means of compelling businesses to behave ethically, lawfully and transparently; others (including the Executive Director of Transparency International UK) feel they represent “a soft option for companies that should be prosecuted for serious crimes”.
While it is still undeniably early days for DPAs, informative trends do begin to emerge from the DPAs concluded with Standard Bank, the company known as ‘XYZ’, and Rolls-Royce.
Fairness is the overriding principle at the core of all DPAs. In particular, the judiciary is keen to ensure that the rights, lives and careers of innocent employees are actively protected or, at least, handled in such a way that minimises disruption to them.
Take the first English DPA - that between the SFO and Standard Bank. Paragraph 65 of the preliminary judgment makes clear that only those named in the indictment and specified other individuals should be identified in the publicly available statement of facts (case number U20150854). Other parties in this case are referred to in the statement of facts initially by a description, and subsequently by a defined term. This prevents any of the individuals concerned in the relevant facts, but who were not necessarily involved in the commission of the underlying alleged offences, from being tainted by association.
An even clearer example of this fairness in action can be seen in the very structure of the XYZ DPA, which was designed to allow the survival of a corporate that would have become insolvent if punished using more conventional mechanisms. In the preliminary judgment, Lord Justice Leveson, at paragraphs 3 and 4, notes how he adjourned the preliminary hearing to allow both parties to put more evidence before the court to enable him to conclude that approving a DPA (as opposed to prosecution) would be in the public interest (case number U20150856).
His reasoning in allowing the DPA was set out at paragraph 32: “Quite apart from the fact that prosecuting and convicting XYZ would invariably lead to significant legal costs and financial penalty at an unfavourable time in the global steel industry, counsel for XYZ explained that, even without the potentially detrimental effect of a prosecution, the company is currently operating on an ‘economic knife-edge’, In addition, conviction would mean that XYZ would be debarred from participating in [public procurement contracts]…Taken together, XYZ would risk becoming insolvent (even assuming that such an outcome was not inevitable), harming the interest of workers, suppliers and the wider community”.
DPAs therefore provide a mechanism for the punishment of corporate wrongdoing which seeks to minimise any collateral harm to employees with no involvement in or factual nexus with the wrongdoing. Indeed, they may be specifically designed to protect the interests of those same individuals, and the corporate’s wider community.
Although DPAs are presented to court for approval on an agreed basis, it is clear that the court views its role under paragraph 8, schedule 17 CCA as one of providing rigorous scrutiny, rather than mere approval.
The adjournment in XYZ detailed above illustrates this. Similarly, the Rolls-Royce DPA (case number U20170036) demonstrates the thoroughness with which the court will interrogate the proposed agreements. While Leveson LJ’s “initial reaction…was that if Rolls-Royce were not to be prosecuted in the context of such egregious criminality over decades…around the world…making truly vast corrupt payments and, consequentially, even greater profits, then …it was difficult to see when any company would be” (paragraphs 61/62).
However, having studied the matter in detail, he accepted that Rolls-Royce was “no longer the company that once it was”, that its new management had “embraced the need to make essential change…deliberately” seeking “to clear out all the disreputable practices that [had] gone before, creating new policies, practices and cultures”. This, combined with the company’s “full co-operation and willingness to expose every potential criminal act that it uncover[ed]” that went “a long way to address[ing] the obvious concerns as to the past”. The lesson is clear: the in-depth consideration of the company’s concerted attempts to remediate (in the context of what came before) allowed the court to grant a DPA, in the interests of justice.
Given that all DPAs concluded in this jurisdiction to date have been approved by the same judge, it may be too early to say that such exacting judicial scrutiny is a hallmark of the English DPA but it seems that is the practice which will prevail. This stands in stark contrast to the situation in the US, where the Harvard Law Review has characterised judicial scrutiny of DPAs as ‘essentially non-existent’ (130 Harvard Law Review 1048). Despite recent attempts by sections of the judiciary to challenge this (United States v Fokker Services BV 818 F3d 733 (DC Cir 2016)), the authority and decision to enter into DPAs remain within the sole remit of the Department of Justice with the courts’ role generally reduced to that of a symbolic ‘rubber stamp’.
Another key tenet which has emerged from these DPAs is the high threshold required to evidence the requisite level of co-operation to enter DPA negotiations. In securing a DPA, Standard Bank, XYZ and Rolls-Royce all: provided summaries of first accounts of interviewees (or, in a limited waiver of privilege, the interviews themselves (Rolls-Royce)); assisted in facilitating interviews; and disclosed internal investigations and/or material and information in response to the prosecutor’s requests.
Standard Bank and XYZ both saw corporates self-report their wrongdoing, with the judgments in those cases almost suggesting that such behaviour was a pre-requisite to concluding a DPA. Rolls-Royce dissuaded commentators of that notion however, with the SFO stating publicly that in reaching the decision to negotiate a DPA, they ‘judge[d] the company’s co-operation in the round’. That this co-operation included granting a limited waiver of privilege, and alerting the prosecutor to wrongdoing ‘wholly unconnected with those business areas’ they had initially been investigating, was deemed sufficient to overcome the lack of a self-report, according to Alun Milford, General Counsel, in a speech given at the Cambridge Symposium on Economic Crime in 2017. Lord Justice Leveson deemed this level of ‘proactive’ assistance ‘extraordinary’ and sufficient in all the circumstances to make the approval of a DPA in the interests of justice. While this is useful guidance, it should be kept in perspective: waiver of privilege, as with self-reporting, is not a precondition of agreeing a DPA.
While agreeing a DPA may seem like a victory, it comes at a cost, financial and otherwise. A corporate’s own costs of instructing external counsel to conduct internal investigations, and provide advice and representation can be huge (Rolls-Royce spent over £123 million). That is without considering the distraction to business operations and time lost caused by staff assisting with resolving matters. This is also before payment of the SFO’s costs, as well as the disgorgement of profits gained from, and payment of compensation to the victims of, any relevant wrongdoing (the latter of which has only featured in the Standard Bank DPA so far because the disadvantaged party was clearly identifiable in that case).
In respect of the financial penalty, Standard Bank, XYZ, and Rolls-Royce all secured discounts akin to those granted for an early guilty plea in normal criminal proceedings. While Standard Bank received ‘a full reduction of one third’, XYZ secured what amounted to a greater discount, in their particular financial circumstances. Its ‘extraordinary’ co-operation secured Rolls-Royce a 50% reduction.
Finally, under all DPAs concluded thus far, each corporate has agreed to conduct reviews of compliance policies and procedures, implement recommendations, and report to the SFO. This process involves instructing an independent third party, requiring the payment of significant fees, as well as engaging resources which might otherwise be used elsewhere in the business.
This is to mention nothing of the reputational effect a DPA might have on a corporate, which remains a matter of some debate. DPAs cannot really be considered to be a soft option. They require strong will and huge time and financial investment from a corporate to conclude.
While DPAs were initially reserved for use in relation to Bribery Act 2010 wrongdoing, they may now be used in corporate offences of failure to prevent facilitation of tax evasion under the Criminal Finances Act 2017 (CFA 2017). Public calls for corporate anti-tax evasion measures were numerous and the CFA 2017 was a cornerstone of David Cameron’s plans to combat business crime. It will be interesting to see how DPAs work in this context. It is harder to envisage a corporate co-operating with tax evasion investigations in the same way as they might a bribery and corruption investigation.
There will be widespread dissatisfaction if the inclusion of DPAs within the new legislative framework gives rise to the type of ‘cosy deals’ Lord Rooker spoke about in the House of Lords debates around its introduction. That said, the principle of fairness should carry across – it seems unjust to take action that would indirectly punish innocent employees for the actions of a small cabal of rogue actors, simply because the context was one of tax evasion, rather than bribery. Regardless, the fact that DPAs were deployed in the CFA 2017 suggests they are becoming a fixture of the English legal landscape.
With that in mind, and given that data is the average individual’s most prized non-cash asset, it is somewhat surprising that provision was not made for DPAs to be used under the Data Protection Act 2018. The 2018 act introduces new offences in relation to what are colloquially known as ‘data breaches’ – the loss of personal data either by accident or as the result of deliberate acts perpetrated against the organisation holding the data. Data breaches are often suffered by large corporates, where the breach is the result of failures of policies and procedures, and where the corporate only admits to the breach once it has otherwise been made public. The DPAs concluded to date indicate that the remediation agreed incentivises self-reporting, imposes meaningful penalties and, most importantly, requires independent third party review of policies and procedures, and the imposition of the recommendations of that review. DPAs would therefore have been a perfect fit within the data protection context, and their non-inclusion (in some form or other) is a missed opportunity.
In spite of continued public support for widening corporate criminal liability, it seems unlikely that DPAs will proliferate throughout the English legal system as a readily available means of disposing of wrongdoing. Their use may well however grow in certain areas of serious criminal conduct. This is because, although they are meaningful punishments for serious criminality, they are on comparatively favourable terms that seek to achieve true justice having regard to the interests of innocent parties. They are also only offered to those corporates which recognise their failings, and prostrate themselves to achieve change. If, in 10 years, this regime succeeds in encouraging corporates operating in the UK to become more transparent, and robustly ethical in their dealings then it must be judged a success.
This article was published in New Law Journal in June 2018.