For many businesses, a year since the start of the first lockdown has been a year of operating either entirely or partially remotely. This has accelerated a shift towards permanent remote/hybrid working. However, businesses need to understand that, whilst remote working may be here to stay in some form, compliance is anything but remote. The shifting and increasing compliance risks associated with a new way of working must be tackled if businesses want to limit exposure to potential criminal liability and reputational risk.
A year has passed since the announcement of the first UK lockdown, and many businesses are continuing to operate on a remote working only basis. Along with the challenges, businesses have realised the benefits this can bring and the pandemic appears to have been a catalyst for the hybrid working that many felt workplaces would eventually adopt. Bank of England Governor Andrew Bailey recently acknowledged this shift, suggesting that "there will be more of a hybrid model of working from home and working in a place of work".
Employers looking to find a balance by offering employees the flexibility to choose when they work in the office, from home or in a third location face shifting compliance risks, particularly those arising out of the increased digitalisation of work and communication and reduced oversight of employees. As businesses consider their working policy going forward, they should be mindful of the changes to their risk profile and the effect this will have on their compliance framework, particularly in relation to the Bribery Act 2010 (the "Bribery Act") and Criminal Finances Act 2017, (the "Criminal Finances Act"), which create strict liability offences for corporates.
What are the risks?
Whilst some employees find they are more productive working remotely, we have learned that others may struggle with feeling disconnected. Reduced engagement of the workforce may lead to a risk of employees becoming involved in unethical conduct. This can be exacerbated when the compliance culture is not reinforced in the "usual" way. Employees often look to the behaviour of colleagues and supervisors to understand what is expected of them and how they should act. Compliance cues can therefore be more difficult to gauge when working remotely, where contact with team members may be limited to digital communication and scheduled video conferences. Coupled with reduced oversight of employees, this could lead to an increased risk of employee misconduct.
Removal from the office context may also lead some employees to deprioritise compliance and fail to follow business policy and procedure. There is a risk that employees feel that the policies and procedures do not apply to remote working, or they are simply forgotten.
There is also greater scope for conflicts of interest to arise when working remotely. For example, such conflicts may arise in the form of employees’ "side hustles". This may not be problematic itself but, without clear policies and procedures in place, as well as enforcement, compliance issues can arise and businesses may face reputational damage.
The Bribery Act and the Criminal Finances Act created strict liability offences for businesses within their scope. A business will have a defence to these if it can prove it has adequate procedures to prevent associated persons from bribing, or reasonable procedures to prevent the criminal facilitation of tax evasion. The guidance on adequate and reasonable procedures (the "Guidance") makes it clear that these will be proportionate to risk, and may change over time.1 Aside from the risk that policies and procedures are not followed, a move to hybrid or remote working may mean that a business’ existing compliance program is no longer fit for its purpose. The risk profile of businesses will have shifted as a result of moving to a new way of working. It is important to carry out a thorough risk assessment of the changed working landscape, which can then inform changes to policies and procedures.
For many organisations, the move to remote working will result in significant changes, and perhaps some challenges, in workplace communication. Careful consideration should be given to how compliance training can be effectively communicated. Whereas levels of engagement can be monitored in face-to-face training, sessions may have to be adapted to a virtual format to ensure attendees remain engaged and understand compliance issues and company policy.
External bad actors may also exploit gaps in communication by impersonating customers, suppliers or senior executives with the aim of stealing money, data or accessing systems. In particular, instances of "whaling," or CEO fraud, have become more common over the last few years, and remote working may amplify vulnerabilities by making it more difficult to verify the identity of third parties. Organisations without robust verification processes in place may be exposed to the risk of being defrauded.
Where potential issues do arise, organisations will need to be able to satisfy themselves that they have been investigated promptly and effectively and that appropriate remedial actions have been taken. Conducting internal investigations remotely raises additional considerations, particularly in relation to the collection of relevant materials and interviews of personnel who have information relevant to the investigation.
Remote working is likely to result in employees using alternative forms of communication. In an investigation context, issues may be exacerbated by the blurring of lines between personal and business devices. Businesses will need to ensure they have carefully considered where relevant materials may be stored and document the steps taken to preserve and collect such material. The potential reliance on employees to do this, some of whom may be suspected of the alleged misconduct, will require a careful and considered approach.
Ensuring that a compliance framework is fit for purpose
The Bribery Act and Criminal Finances Act create strict liability offences for corporates. The defence of having adequate or reasonable procedures will require organisations to consider their risks. Given the significant changes to working practices, businesses may wish to take this opportunity to review their risk assessments in relation to bribery and tax evasion risks in particular.
Following this assessment, it is likely that policies and procedures drafted in a different context may require amendment. Organisations should check that their compliance program corresponds to their new risk profile and seek expert advice where necessary. Additional policies might be required, such as a new fraud policy to cover additional risks, or an investigation policy to ensure any investigation of issues can withstand scrutiny.
1 E.g. paragraph 6.1, Bribery Act 2010 Guidance, Ministry of Justice, March 2011 ("Bribery Act Guidance"); and paragraph 1.4, Tackling tax evasion: Government guidance for the corporate offences of failure to prevent the criminal facilitation of tax evasion, HM Revenue & Customs, 1 September 2017, ("Criminal Facilitation of Tax Evasion Guidance").
Lucy Rogers (Associate, White & Case, London) contributed to the development of this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP