Hello and welcome back to the Pinsent Masons Podcast, where we keep you abreast of the most important developments in global business law, every second Tuesday.
I’m Matthew Magee and I’m a journalist here at Pinsent Masons, and this week we look at the radical changes making more companies than ever liable for UK corporate fraud, and get instructions on how in house lawyers in England and Wales can make sure they can keep documents from the hands of the other side in litigation.
But first, here is some business law news from around the world:
Cybersecurity laws passed by Australian parliament
UK financial services firms ‘still have a long way to go’ to close gender pay and
Saudi Arabia looks to ‘6G’ age with new regulations
Laws to address increased cyber threats have been passed by Australia’s parliament and now await Royal Assent to come into force. The measures are contained in three Bills which establish mandatory security standards for smart devices and clarify the legal framework for critical infrastructure protection. Cyber and data law expert Veronica Scott said: “A key aim of these Acts is to enhance the understanding of cyber incidents to better respond to cyber threats. These reforms mark the next step in the expanding regulatory obligations and expectations in relation to cybersecurity. Organisations must be ready not only for these immediate changes but also to continuously adapt and respond to evolving regulations.”
Many financial services firms in the UK have improved their hourly gender pay gap (GPG) by 1-2% since reporting requirements were introduced, but the sector still has a long way to go to address continuing discrepancies, experts have said. Analysis carried out by Pinsent Masons shows that the financial services sector continues to have one of the widest average GPGs compared to other sectors. However, firms across the sector are applying a data-driven approach to make effective change and close the gender pay gap. Many companies within financial services have identified a lack of equality in the number of men and women in senior positions as a contributing factor to the gender pay gap. Companies are targeting this directly by setting goals to increase the number of women in these positions. However, it has been reported that, for some companies, there are now more women than men in junior and lower paid roles.
New regulations aimed at encouraging businesses to invest in new networks that could enhance wireless connectivity, and innovative new telecoms services that could be delivered via those networks, have been approved in Saudi Arabia. The Communications, Space & Technology Commission (CST) in Saudi Arabia approved three sets of rules – regulations relating to the provision and operation of so-called ‘non-terrestrial networks’ (NTNs); regulations relating to the operation of telecoms services via those networks; and regulations regarding the registration of telecommunication space stations. Dubai-based technology law expert Zil Rehman said approval of the regulations is “a pivotal step towards a more connected, innovative, and economically diverse Saudi Arabia”, adding that the move aligns with the broader goals of the state’s Vision 2030, to transform the country into a global technology powerhouse.
A year ago the UK law governing corporate fraud underwent a radical transformation and companies are much more likely than ever before to be found criminally liable for fraud. Then last week announcements were made which will impose even more stringent controls on companies, which will from September next year be open to criminal sanctions if they fail to prevent their people or suppliers from committing fraud. Edinburgh based corporate crime and investigations expert Tom Stocker said the new laws have completely changed the corporate fraud landscape in the UK.
Tom Stocker: ECCTA is the Economic Crime Act for short, and it transforms the law as we understand it in relation to economic crime and particularly increases the liability of companies that fail to prevent fraud, that is to benefit the company. Policy aim is less fraud and to make businesses liable should there be frauds from which they benefit and effectively to put greater weight and emphasis on businesses investigating and eradicating frauds in a business context and if they don't do so, there are very significant consequences for the company and for senior managers. It's a very significant change Matthew, and the reason for that is twofold. So until ECCTA, companies were generally only criminally liable for fraud if the fraud was perpetrated by what was called their directing mind and will. For partnerships, that would be the senior partner for a company that would probably be an executive director, possibly only including the Chief Executive Officer. And as a result, very rarely do you see large companies being prosecuted and convicted for the offence of fraud. ECCTA has completely changed that test, so it's got rid of the directing mind and will test for attributing criminal liability and it substitutes it with a senior manager test and therefore companies and businesses are criminally liable for any frauds perpetrated by their senior managers and those are the people who make decisions or implement decisions about the whole or a substantial part of the business and broadly it captures a far wider group of individuals could now tribute liability for fraud and other economic crimes to a company and the Serious Fraud Office has said it will make it far easier for us to investigate and prosecute companies where there's been a fraud. So that's change one, and that's massive. That completely transforms corporate criminal law. And if that wasn't significant enough change two is to introduce a secondary offence so that companies commit a criminal offence of failing to prevent frauds that are perpetrated by their employees, by their subsidiaries and by other third parties who provide services to them.
Matthew Magee: It’s clear that this is a massive extension of liability for corporate fraud. But what kind of behaviour are we talking about? What kinds of fraud do companies commonly commit?
Tom: So a common scenario would be that a company lies to secure a contract and by securing that contract through dishonest means, it makes a lot of money, it causes other bidders a loss. A company could now be criminally liable for the fraudulent statements of those involved in the bid if they comprise senior management. Another quite common scenario would be that a company in a contractual relationship considers it's not making enough money from its contract and therefore it decides or a senior manager decides to submit false timesheets or false applications for payments and that now would lead to criminal liability for the company. You know, previously the CEO of the company would have needed to be aware of those false applications for payments. Now, you could have a project level Director who's aware of false invoicing and that would tribute criminal liability to the company. Thirdly, the other common one with non financially would be things like dishonest statements about a company's green credentials, so around ESG reporting until ECCTA, very little criminal risk attached with that now quite significant criminal risk for companies that dishonestly make false statements about their green credentials for business purposes.
Matthew: The law that expanded direct fraud liability beyond ‘a controlling mind’ came into force at the end of 2023. The next expansion – the ‘failure to prevent fraud’ – will come into force in September next year. There are six pillars of the guidance about how to comply with this expanded liability and they all stem from the content of the first demand - that companies conduct a thorough risk assessment. Tom says that’s where companies should start – and soon.
Tom: There are 6 pillars to a compliance programme. The first one being risk assessment and it says that if you don't have a documented fraud risk assessment, you're not getting off the starting line for a reasonable procedures defence. Sets out quite a lot of detail about the approach they expect companies to take to developing their fraud risk assessments. And then the other principles are based on this, what comes out of the fraud risk assessment. Get a working group together. If you've got a compliance team, then this will fit under them. If not, then a legal team or your financial controls team may be well placed to come up with a working plan. The first step after you've put your people together and allocate some resource to this is to develop your risk assessment methodology. Everything flows from the risk assessment that you conduct. So I would recommend that companies aim to get a risk assessment exercise up and running. Ideally, this side of Christmas, if that's not realistic, then early in the new year and aim to complete that risk assessment by the end of quarter one and then based on that risk assessment, companies should have time to develop their PCP, so their policies, procedures and controls and to issue communications and training to their staff and service providers. But the key is, I'm afraid to start now or as early as possible in the new year.
Matthew: The consequences of being found criminally liable are severe – unlimited penalties and fines of a multiple of the sum a company accrued through the fraud. And though technically it only applies to big companies – those with a turnover of over £18 million or more than 250 employees – Tom says that in effect it will hit most companies.
Tom: So, applies to these large organisations for criminal liability purposes, but bear in mind two points. Firstly, the direct liability for the actions of senior managers applies to all companies of all shapes and sizes, so that's not dependent on the large organisation test. For the failure to prevent fraud and the large organisation test, what we'll see happening inevitably is that large organisations will pass preventative obligations down their supply chain. They'll do that contractually and therefore this is mostly relevant to larger organisations, but it will apply effectively to all organisations through the contractual passed down.
Matthew: Laws that penalise a ‘failure to prevent’ a bad outcome by companies have become increasingly common. Tom says that the failure to prevent bribery offence has completely changed how companies deal with bribery risk, and he expects the same scale of change in relation to fraud. And he’s already changing the advice he gives to companies because of it.
Tom: So, it used to be the case that in 99.5% of internal investigations that we were involved in where fraud was alleged, we would conclude that it fell short of the attribution test that applied at the time. So there was no directing mind or will involved and therefore there was no corporate criminal liability, so it could be dealt with on a civil basis or a contractual basis. We've already had cases in which we've advised that senior managers have been involved in fraudulent acts and that that attributes criminal liability to the company and once that sort of conclusion is reached some fairly difficult things flow from that, so you have to give thought to such things as whether you need to make up proceeds of crime report. You'll need to give thought to do you need to make a disclosure to your auditors who normally ask you whether you're aware of any suspected frauds and what the impact of those frauds is? So, it has already led to a change in the approach companies are taking to investigating these matters and is having consequences.
Legal professional privileges are complicated and slightly elastic concept but it’s of crucial importance when a company gets caught up in litigation. UK regulators have now cleared up when and how privilege attaches to information produced by in-house rather than external lawyers.
Privilege allows a company to refuse to let the other side in a dispute see certain information, usually documents. In a process called discovery, each side must show the other all the relevant information they have. How you conduct discovery can give you a big tactical advantage in the case.
But there are some kinds of information you are allowed to exclude, such as legal advice relating to the litigation itself. This makes sense – it would be weird if one set of lawyers could see the advice the other set of lawyers was giving on how to deal with the first set of lawyers. It also extends to general legal advice, and allows you to keep information from regulators as well as litigation opponents. The information that’s protected is called ‘privileged’ information.
It's a tricky area and the boundaries often shift on what is and isn’t privileged. But at least it was fairly clear when it came to a company and the lawyers it hired from outside law firms. But it was always less clear in relation to lawyers that worked for that company, in-house lawyers. The body that regulates lawyers in England and Wales, the Solicitors’ Regulatory Authority or SRA, has published new guidance clearing that up.
London based litigation expert Emilie Jones says that such was the confusion, the guidance is a response to a request for clarification that came from in house lawyers.
Emilie Jones: So legal professional privilege in England and Wales is essentially a basis for withholding information from a third party so an opponent in a piece of litigation, a regulator on the basis that it is private information and fundamentally what underlies that, in the sense that people, organisations should be able to seek legal advice and keep that confidential ledge. There is also another form of privilege in English law, which is called litigation privilege, and that protects communications between a client and their lawyer and a third party to someone like a witness, for example, but only where that information is sort, those communications are taking place for the dominant purpose of conducting litigation. And the SRA has been doing some work for a while on in-house practise and has produced a suite of guidance on various topics specifically for in-house lawyers. It consulted on those earlier this year and one of the things that came out of that consultation process. was apparently that people wanted guidance on privilege specifically for in-house lawyers.
Matthew: Privilege has always been a slightly tricky concept to pin down, but Emily says that it's been especially difficult in an in-house context.
Emilie: We see a lot of case law in England on these concepts. The test for legal advice privilege, which is the form of privilege that applies to legal advice and I think you know really the form of privilege that is most relevant for most lawyers, in-house lawyers, day in, day out. The test for that form of privilege is that it applies to confidential communications between a lawyer on the one hand, and that can be an in house lawyer or an external lawyer and a client on the other hand. The client, in that context is defined narrowly by English law, so it's not necessarily the whole organisation. So from the perspective of an in-house lawyer, it's not necessarily everyone who works in the business which employs the in-house lawyer. It's only those who have been authorised to seek and receive legal advice on the matter in question. And that has been controversial, there's been quite a bit of case law about that narrow definition of the client for the purposes of legal advice privilege, and that can cause some challenges for lawyers and I think in particular in-house lawyers.
Matthew: The guidance helps clarify what will determine whether information provided by in-house lawyers is privileged or not.
Emilie: Focusing on legal advice privilege, the key challenge is, which are more difficult for in-house lawyers than lawyers in private practise, for example, can probably be summarised under 3 headings. The first is that privilege only applies to legal advice. Sounds obvious, but it doesn't apply to purely commercial advice, and in-house lawyers roles can sometimes involve elements of both. They can wear more than one hat within a business. That makes identifying whether advice is legal advice which can potentially attract privilege more difficult in an in-house context. The second point is related to that but it's that privilege only applies to communications which are for the purpose of seeking and receiving that legal advice. It doesn't work just to copy in a lawyer, that is not enough to make a communication attract privilege. And I think the third point to flag is that privilege only applies to communications between a lawyer and their client. English law defines that narrowly. It's not simply anyone in the business, it's only those authorised to seek and receive legal advice on behalf of the business on the matter in question.
Matthew: London is one of the world’s centres of commercial litigation, so these principles apply to companies from all over the world, if their court case is in England. But equally, says Emilie, laws elsewhere will apply if a company gets caught up in a case outside England.
Emilie: That if you are in a court in a particular country, it is that court, that countries privileged rules, which will generally apply regardless of where the communications have come from. So, international organisations, or those doing business cross-border need to also be aware that if they end up in a dispute in another jurisdiction it is that jurisdictions privilege rules which are likely to apply and that's important to remember, as an in-house lawyer because not all jurisdictions recognise that in-house lawyers communications can attract privilege in the same way that English law does.
Matthew: Well, that's all for this week. Thank you very much for listening, for joining us, for giving us your time. I hope if you find it useful, you're sharing it with colleagues and friends and peers and contacts. It would be really helpful if you did. Remember, you don't have to wait for the podcast every second Tuesday, you can read news every day about your specialist area from our team of world wide reporters at pinsentmasons.com or you can sign up for a personalised update of the news and analysis b going to pinsentmasons.com/newsletter. For now, thanks for joining us and goodbye.
The Pinsent Masons Podcast was produced by Matthew Magee for professional services firm Pinsent Masons.
