The obligation to secure your opponent's data in the age of hacking
Hacking, corporate espionage and data breaches are on the rise around the globe.
On 19 March 2018, the Singapore Parliament passed the Criminal Justice Reform Bill (the Criminal Justice Bill),1 which introduced sweeping changes to Singapore’s criminal justice framework. One key change is a formal legislative framework for the Public Prosecutor to enter into deferred prosecution agreements (DPAs) with corporate offenders to resolve misconduct.
The introduction of DPAs as a formal prosecutorial tool represents a significant shift in Singapore’s approach towards corporate wrongdoing – one that aligns Singapore more closely with global trends.
As discussed in more detail below, DPAs are used in various jurisdictions. Although they have unique characteristics, certain features are common among them:
Under the “Speedy Trial Act” (18 U.S.C. §§ 3161-3174), U.S. federal courts are generally required to set a date for trial within 70 days of a criminal indictment or information (i.e., the charging document which sets forth the allegations against the defendant) being filed. However, under § 3161(h)(2), this period can be extended as a result of “[a]ny period of delay during which prosecution is deferred by the attorney for the Government pursuant to written agreement with the defendant, with the approval of the court, for the purpose of allowing the defendant to demonstrate his good conduct.” The U.S. Department of Justice (DOJ) began to use DPAs increasingly after the criminal conviction of the public accounting firm of Arthur Anderson arising from its work for Enron which resulted in the firm shutting down. On appeal, the conviction was eventually overturned; however, the damage was already done. The victims included workers left unemployed, affected investors, and markets. DPAs also appeal to defendant corporations because they provide a complete resolution to allegations of wrongdoing without causing the company to suffer the potentially devastating consequences of criminal liability, such as loss of licensing or debarment. Recently, the U.S. Securities and Exchange Commission (SEC) began to use DPAs to resolve civil cases within its jurisdiction.
In the United States, the use of DPAs in a corporate criminal case is completely within the discretion of federal prosecutors. As instructed in the U.S. Attorneys’ Manual, when determining whether to charge a corporation, prosecutors should consider:
the corporation’s history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it;
In the U.S. model, most of the process occurs between the putative defendant and the prosecutors in an extra-judicial way. Although the final agreement requires judicial approval, judges have little leeway to deny such approval. In a recent case, an appeal was filed after a district court judge denied approval of a DPA following his criticism of the lack of individual prosecutions in the case and the leniency shown to the defendant. The D.C. Circuit, however, vacated the lower court’s decision noting that the determination as to whether to enter into a DPA and the terms of such a DPA are squarely within the ambit of the federal prosecutors. United States v. Fokker Services B.V., 818 F.3d 733, 742-45 (D.C. Cir. 2016) (stating that the approval requirement in the Speedy Trial Act does not enable a court to reject a DPA for being too lenient but rather “enables courts to assure that a DPA does not exist merely to allow evasion of speedy trial time limits, but instead serves the bona fide purpose of confirming a defendant’s good conduct and compliance with law”); see also United States v. HSBC Bank USA, N.A., 863 F.3d 125 (2d Cir. 2017) (limiting the court’s ability to supervise and oversee the implementation of a DPA). As a result, some commentators have criticized the use of DPAs in the United States as largely bypassing the formal legal system, raising a number of constitutional and public policy considerations. In particular, there are also fears that prosecutors hold an undue advantage throughout the process because the emphasis on co-operation and negotiation masks disproportionate prosecutorial leverage.
The increased use of DPAs has also led to a limited judicial review and oversight of the prosecution of certain laws, such as the U.S. Foreign Corrupt Practices Act (FCPA). Additionally, the facts set forth in a DPA are negotiated by the parties and do not necessarily provide the full extent of the conduct at issue. As a result, key issues, such as the extent of the law’s extraterritorial jurisdiction, remain open.
In February 2014, the UK introduced a DPA framework in response to perceived deficiencies in the existing prosecution framework involving economic crime, including:2
Under a DPA in the UK, a prosecutor charges a company with a criminal offence but proceedings are automatically suspended if the DPA is approved by the judge. Under UK Serious Fraud Office policy, a company would only be invited to enter DPA negotiations if there was full cooperation with the SFO’s investigations. Under such agreements, penalties could include: (1) a financial penalty; (2) compensation to aggrieved parties; and (3) continuing cooperation with respect to prosecutions of individuals.
To date, the SFO has entered into four DPAs, totaling over £667 million.
In recent years, we have observed an emerging trend of jurisdictions introducing DPAs, drawing upon the largely positive experience the U.S and UK authorities have had thus far with DPAs as a prosecutorial tool.
In December 2016, France introduced conventions judiciaire d’intérêt public (CJIPs), which are similar to DPAs, under Sapin II Law and in November 2017, French prosecutors entered into their first CJIP. CJIPs share similar characteristics but also have some differences compared to the U.S. and UK DPAs:
In December 2017, Australia announced that it will introduce new laws to establish DPAs as part of a raft of new reforms to Australia’s anti-bribery and corruption regime.3 The Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2017 aims to:
In addition, Argentina recently implemented a DPA scheme and Canada announced on 22 February 2018 that it would be introducing legislation for deferred prosecution agreements to be implemented through judicial remediation orders, following a public consultation on DPAs that took place between September and December 2017.
Until the recent introduction of DPAs as a formal prosecutorial tool, Singapore’s approach towards corporate crime had been to focus on individual conduct and personal criminal liability.
This position was most recently stated in a 2015 opinion-editorial on financial crime authored by then Attorney-General V.K. Rajah, who stated:4
In Singapore, both individuals and corporate entities can expect to face prompt enforcement action for financial misconduct. The emphasis, if there is one, is placed on holding accountable the individuals who perpetrated the misconduct. Persons involved in financial misconduct should expect that they would be subject to enforcement action. The threat of personal criminal liability for misconduct in Singapore is real. There is no certainty of escape from liability by hiding corporate structures or the corporate veil.
In this regard, it is unsurprising that Singapore’s emphasis on individual conduct and personal criminal liability is also reflective of its historical approach towards corporate criminal liability for bribery and corruption.
In Singapore, the Prevention of Corruption Act (PCA), Singapore’s primary anti-bribery legislation, criminalises bribery of domestic and public officials, which may be committed by ‘persons’. The term ‘person’ has been defined in the Singapore Interpretation Act to include ‘any company or association of body of persons, corporate or unincorporated’. Hence, the offences under the PCA can theoretically be committed by a corporation. In addition, case law in Singapore indicates that corporate liability can be imposed on companies for crimes committed by their employees or agents.
In this regard, the test for whether a company can be found liable for bribery and corruption depends on whether the individual who committed the crime can be regarded as the ‘embodiment of the company’ or whose acts ‘are within the scope of the function of management properly delegated to him’. This test, known as the ‘identification doctrine’, was derived from English common law.5
However, the ‘identification doctrine’ sets a relatively high bar for corporate criminal liability to be established. Only a very select few individuals in a company can be said to be an ‘embodiment of the company’, and with large multinationals comprising complex corporate structures, it would be difficult to identify such persons. It would also be difficult to show that an individual’s acts of bribery or corruption on behalf of or for a company are ‘acts within the scope of the function of management properly delegated to him’ in light of the complex decision-making structure of large multinationals.
Therefore, under the ‘identification doctrine’, companies, in particular large multinationals, could avoid criminal responsibility for acts of bribery and corruption committed for and on its behalf, even if the company had clearly benefitted from such conduct. This poses further difficulty in the recovery of the illegal revenue generated by corrupt conduct. Consequently, even though in theory there is a concept of corporate criminal liability, prosecutions against corporations for bribery offences are rare in Singapore.
In light of Singapore’s approach to corporate criminal liability for bribery and corruption, the use of the ‘conditional warning’ by the Singapore authorities in a recent global resolution involving the U.S. and Brazil was a novel development.
Under the terms of the global resolution, the Singapore Corrupt Practices Investigation Bureau (CPIB) issued a ‘conditional warning’, including an undertaking by the Singapore corporation to make payment of a stipulated sum, for corruption offences under section 5(1)(b)(i) of the PCA, as part of the total criminal penalties imposed pursuant to the global resolution.
A ‘conditional warning’ is a variant of a ‘stern warning’, which is an exercise of prosecutorial discretion granted to the Attorney-General as the Public Prosecutor and is not governed by written law. Neither ‘stern warning’ nor ‘conditional warning’ result in a conviction; the accused person will not have any criminal record for the infraction. The difference between a ‘stern warning’ and a ‘conditional warning’ lies in the stipulation that the public prosecutor’s exercise of his discretion not to prosecute is contingent on the recipient’s fulfilment of certain conditions, typically to stay crime-free for a period of between 12-24 months and/or to pay a sum of money as compensation or restitution to the victim. Traditionally, ‘conditional warnings’ were used in minor criminal offences involving youths or in a community/domestic context as a means of diverting such cases from the criminal justice system.
In a recent Singapore High Court decision, PP v Wham Kwok Han Jolovan  1 SLR 1370, the legal effect of a ‘stern warning’ was considered. In that case, the High Court held that a ‘stern warning’ was not binding on its recipient such that it affected his/her legal rights, interests or liabilities, and that it is ‘no more than an expression of the relevant authority that the recipient has committed an offence… [i]t does not and cannot amount to a legally binding pronouncement of guilt or finding of fact.’
In this regard, the use of the ‘conditional warning’ mechanism by Singapore authorities to resolve the criminal violations as part of the global resolution was a novel development.
First, as ‘conditional warnings’ are not governed by written law, such resolutions are opaque and lack transparency. It is not common for the terms of a ‘conditional warning’ to be made public; the exact terms of such warnings are typically known only to the offender and the authorities.6 While it may be argued that opacity and lack of transparency of a ‘conditional warning’ may not be a cause for major concern in cases involving minor offences because the stakeholders involved are few and the impact of the conduct is likely to be localised, this may not be the case for serious corporate criminal conduct, which has the potential of impacting a greater number of stakeholders, such as shareholders, employees and other third parties across multiple jurisdictions. To this end, it should be noted that in jurisdictions such as the United States and UK, DPA resolutions are often accompanied with statements of facts that detail the misconduct of the corporate entity, which serve to inform the public about the degree of wrongdoing and provide a level of transparency to the process of achieving the resolution.
Second, under the terms of the global resolution, the payment made to the Singapore authorities far exceeded the maximum fine of S$100,000 per charge under the PCA. While being able to extract a penalty far in excess of what is provided for under written law may be desirable from an enforcement perspective, it is nevertheless dissonant and suggests that the current state of the law may require amendment.
Third, as warnings in general are not legally binding pronouncements of guilt or findings of fact, it is likely that in the event the recipient breaches any of the terms of the ‘conditional warning’ and a decision is made to prosecute the company, authorities in Singapore will need to embark on the usual criminal justice process against the company, without the benefit of relying on documents such as a statement by the company setting out the company’s formal admission of the misconduct to aid in the prosecution. In such a case, as prosecution would have possibly been delayed by a few years, the prosecution would find further challenges in collating evidence.
Fourth, this resolution potentially marks a shift in focus for Singapore authorities, who have traditionally focused on personal criminal liability (see above), to one that focuses on ensuring both corporates and individuals remain accountable for criminal misconduct.
In light of the issues raised, the use of the ‘conditional warning’ to participate in a global resolution is certainly unprecedented. While it allowed Singapore to achieve a robust outcome, the ‘conditional warning’ approach may not necessarily be the most appropriate tool to be employed in future similar cases in light of the concerns raised above.
Therefore, the introduction of DPAs to Singapore is a positive step and reflects Singapore authorities’ awareness of the value of DPAs and the need to formalise the process by which such corporate resolutions are arrived at, as opposed to the use of ‘conditional warnings’ to achieve such outcomes.
The DPA regime introduced by the Criminal Justice Bill is broadly similar to the UK approach in that:
However, one significant difference between the Singapore and UK approach is that under the UK framework, the Director of Public Prosecutions and the Director of the Serious Fraud Office are required to jointly issue a Code on DPAs to provide guidance on various issues. Such guidance includes the general principles to be applied in determining whether a DPA is likely to be appropriate in a given case (including the benefits of self-disclosure and conditions for leniency), whereas the Singapore approach does not impose such a requirement. This divergence in approach is likely due to the fact that Singapore has taken the position that it is not desirable to publish prosecutorial guidelines.7 It is possible, however, that the factors considered by the UK authorities will also be relevant factors in Singapore.
Thus far, reception towards the proposal to introduce DPAs in Singapore has been largely positive in Singapore. In this regard, the approach to DPAs adopted by Singapore addresses many of the concerns with the informal ‘conditional warning’ approach highlighted above. Nevertheless, there have been concerns that DPAs may embolden companies to behave irresponsibly or that prosecutors may, in the future shy away from fearlessly prosecuting companies for egregious corporate misconduct. Such criticism, however, is unfounded and largely represents a misunderstanding of what DPAs stand for.
Contrary to concerns that DPAs may encourage reckless corporate behaviour, DPAs are likely to encourage companies to put in place sound governance procedures and compliance programs. In order to avail itself of a DPA, a company must first show that it is a worthy candidate for the exercise of such prosecutorial discretion. Factors such as self-reporting, the existence of a working compliance program, and a commitment to reform are among the factors to be considered when authorities consider whether to grant a DPA. Duplicitous conduct, such as acting irresponsibly and appearing contrite when caught is unlikely to be seen favourably by the authorities. Furthermore, under DPAs, the benefits of misconduct are often disgorged, providing little incentive for a company to act irresponsibly. As for prosecutors shying away from prosecuting companies, experience has shown that Singapore’s prosecutors do not avoid taking on ‘difficult’ cases. Finally, it must also be noted that DPAs also benefit the public, in that it provides a company genuinely seeking to rehabilitate with an opportunity to do so, and minimizes the potential fallout from the collapse of major public companies caught up in corporate wrongdoing (such as insolvency and lay-offs to innocent rank and file employees).
The introduction of a DPA regime, however, is only one piece of the puzzle if Singapore wants to make good on its commitment to ensure that Singapore companies comply with the laws of Singapore and the laws of the jurisdictions in which they operate.
In order to achieve such aims, the government will need to ensure that its anti-bribery laws keep pace with international developments and the international business reality. In this regard, we note that a review of Singapore’s PCA has been ongoing since January 2015. Areas of potential reform include:
An abridged version of this article was published in The Business Times on 6 February 2018.
The relevant amendments introduced by the Criminal Justice Bill would be implemented in Singapore’s Criminal Procedure Code.
http://www.nortonrosefulbright.com/knowledge/publications/158656/deferred-prosecution-agreement-scheme-and-failure-to-prevent-bribery-offence-for-australia. See also https://www.ag.gov.au/Consultations/Documents/Deferred-prosecution-agreements/Norton-Rose-Fulbright.PDF for Norton Rose Fulbright Australia’s response to the Australia’s public consultation on deferred prosecution agreements in May 2016.https://www.ag.gov.au/Consultations/Documents/Deferred-prosecution-agreements/Norton-Rose-Fulbright.PDF
Financial crime: Leaders can instil spirit of compliance”, VK Rajah, Business Times (4 November 2015).
Tesco Supermarkets Ltd v Nattrass  2 All ER 127. The identification doctrine was subsequently broadened in the Privy Council case of Meridian Global Funds Management Asia Ltd v Securities Commission  2 AC 500, which held that the test for attributing mental intent should depend on the purpose of the provision creating the relevant offence. This broader approach has been affirmed in Singapore (see The Dolphina  1 SLR 992) in a case involving shipping and conspiracy but not in the context of bribery offences.
In response to a question from a member of the house on the terms of the ‘conditional warning’ issued to the company, Senior Minister of State for Finance and Law, Ms. Indranee Rajah stated: “[i]t is not our practice to disclose terms of conditional warnings… In other words, conditional warnings are things which had been given in the past by the agencies but, as a general practice, we do not disclose its exact terms.” Singapore Parliamentary Debates, Official Report (8 January 2018) (Indranee Rajah, Senior Minister of State for Finance and Law). See https://www.agc.gov.sg/legal-processes/publication-of-prosecution-guidelines.
Hacking, corporate espionage and data breaches are on the rise around the globe.
Implications for cryptocurrency trading, smart contracts and AI
Decree No. 228 of 2019 (Decree 228/2019) came into effect on 27 August 2019, which simplifies and revokes previous decrees of the Ministry of Employment (MoE) to widen the type of job titles allowed for foreign professionals to work in Indonesia.