Corporate criminal liability and executive accountability go to the heart of contemporary corporate criminal-law risks: the question of how conduct that, in fact, is brought about by natural persons, teams, or chains of decision-making can be legally attributed to a legal entity, and under what circumstances directors, supervisors, and key functionaries can in addition be held personally accountable. Particularly within complex organisations featuring matrix structures, shared service centres, outsourcing models, and cross-border governance, a structural tension arises between, on the one hand, the need to enable effective enforcement of norms and, on the other hand, the requirement to delineate attribution and culpability with due care. Within that tension, the architecture of the facts, internal documentation, cultural indicators, incentive design, and the quality of compliance and control functions are highly determinative. Attribution is rarely a purely doctrinal exercise; more often it entails an integrated assessment of context, governance, allocation of authority, and foreseeability, with the evidentiary position in practice being carried by consistent patterns in decision-making, escalation behaviour, and external representations.
It is further important to emphasise that contemporary enforcement practice is to a significant extent shaped by expectations around “effective compliance” and demonstrable control of integrity risks, with particular attention to financial integrity, market communications, anti-corruption, and exposure to money laundering. Against that background, robust compliance programmes do not automatically immunise an organisation from liability: depending on the facts, they may instead serve as indicators of knowledge, risk awareness, or foreseeability, while deficiencies in design, implementation, or enforcement may be characterised as structural negligence. At the same time, personal exposure requires a separate analysis of involvement, oversight, the handling of signals, and the reasonableness of reliance on management information and assurance lines. The evidentiary position is materially influenced by the quality of file-building and recordkeeping, the consistency of internal and external messaging, the approach to “red flags”, and the extent to which it can be demonstrated that actions were taken in line with a carefully designed and effectively functioning system of internal control.
Attribution of Criminal Liability to the Legal Entity
Delineating the attribution standard requires a nuanced assessment of whether a given act can be situated “within the sphere of the legal entity”. Functional criteria are typically determinative, including whether the conduct occurred in the course of the business, whether it aligned with normal business activities, whether it served—or could reasonably be regarded as serving—the organisation, and whether the organisation exercised, or could have exercised, factual or normative control over the relevant processes. In practice, this assessment is rarely binary: where decision-making is diffuse, the analysis turns on the overall constellation of circumstances, including the allocation of roles and responsibilities, mandates, available controls, escalation pathways, and the degree to which deviations are tolerated. The existence of formal policies can in that regard operate both exculpatorily and inculpatorily: exculpatory where implementation and enforcement are demonstrably effective, inculpatory where repeated breaches point to deficiencies in oversight, training, monitoring, or sanctioning.
A second analytical dimension concerns identifying the relevant “carriers” of knowledge, intent, and direction within the organisation. Classic approaches that conceptualise the legal entity through a narrow circle of the “directing mind and will” often have limited explanatory power in complex enterprises, because material decision-making frequently occurs through committees, delegated authorities, and functional lines within compliance, risk, finance, and operations. A broader attribution approach therefore focuses on the factual distribution of power and information between senior management and key function-holders, including control functions with authority to block transactions, compel escalation, or initiate remediation. Relevant factors include, inter alia, the extent to which signals from the second and third lines were taken seriously, the quality of the response to audit findings, and the choice between substantive intervention and merely cosmetic measures once concrete indications were available. In that context, “tone from the top”, organisational culture, and incentive structures can function as evidentiary indicators—not as abstract notions, but as verifiable elements reflected in KPI architecture, bonus criteria, disciplinary practice, and the consistency with which integrity standards in fact prevail over commercial targets.
The scope of explicit and implicit mandates and the practical functioning of escalation lines is often decisive for the attribution question. Explicit mandates are evidenced by organograms, delegation instruments, powers of attorney, and approval matrices, whereas implicit mandates and de facto authority are demonstrated through repeated practice: who in fact makes decisions, who sets direction, who approves exceptions, and who in practice can say “no”. In outsourcing relationships involving service providers, agents, or third-party intermediaries, attribution is also assessed in light of selection and oversight duties, contractual safeguards, monitoring, and the extent to which the third party effectively functions as an extension of the enterprise. A formal “hands-off” posture rarely convinces where economic reality points to integrated steering, or where the organisation structurally profits from risky conduct. Nor does acting contrary to instructions necessarily exclude attribution: where non-compliance was foreseeable in view of culture, incentives, under-resourcing, or deficient enforcement, the conduct may still fall within the organisational sphere. External representations such as prospectuses, annual reports, and investor calls can provide an additional nexus between the organisation and the conduct, because governance, controls, and risk management are presented in a manner later tested against actual practice, including discrepancies that may be construed as indications of intentional or culpable misrepresentation.
Board Responsibility and Executive Accountability
The normative basis for board responsibility and executive accountability lies in the core duties of care, oversight, and the adequate design and operation of internal control, with particular relevance to financial integrity and fair market conduct. A central perspective is the “duty of oversight”: the obligation to ensure a workable system of information and controls capable of identifying, escalating, and mitigating material risks in a timely manner. The emphasis is therefore not merely on the existence of policies and committees, but on their effective operation: the quality of management information, the independence and positioning of compliance and internal audit, and whether escalations actually lead to decision-making, intervention, and remediation. In enforcement contexts, significant weight is often attached to whether governance structures facilitate a genuine “challenge culture”, or whether information asymmetries exist such that critical signals are filtered, softened, or delayed.
Drawing the line between strategic decision-making and culpable mismanagement requires a materiality and reasonableness assessment that is sensitive to context. Strategic risk appetite is not inherently blameworthy, but it may become so where known risks are systematically ignored, where controls are manifestly inadequate for the complexity of the activities, or where the articulated “risk appetite” is materially exceeded without adequate compensating measures. Personal involvement may manifest as active direction, but also as omission; omission liability may arise where, given role, information, and powers, an executive could reasonably be expected to act and nonetheless failed to take reasonable steps. Evidentiary requirements then concentrate on the presence of “red flags”, the clarity and severity of warnings, the availability of effective interventions, and whether the failure to act was causally relevant to the continuation or escalation of the breach. The existence of a formal delegation model does not provide an automatic shield where factual involvement or knowledge can be inferred from decision logs, email trails, approvals of exceptions, or recurring discussions in governance forums.
Board dynamics introduce a distinct risk dimension, precisely because reliance on management and assurance lines can be legitimate in principle, but is bounded by reasonableness and good faith. Reliance is difficult to sustain where information is demonstrably incomplete, where critical audit findings recur, or where compliance escalations are not consistently followed up. Documentation and file-building can serve as a line of defence, provided they reflect reality: minutes that genuinely capture key points and dissent, decision logs documenting alternatives and trade-offs, and rationale memoranda evidencing that risks were analysed and mitigation implemented. Conflicts of interest and executive compensation are also relevant as explanatory factors for perverse incentives; KPI architecture, bonus criteria, and clawback mechanisms can illuminate whether behavioural steering is directed toward compliance or toward “making the numbers”. Engagement with supervisors and regulators further requires consistency and completeness: misleading or incomplete disclosures can materially increase exposure, not least because they undermine supervisory integrity and are often independently sanctionable alongside corporate exposure. Individual measures such as disqualification, professional bans, fines, and criminal exposure may run in parallel with corporate resolution, requiring a sharp separation of fact positions, defence strategies, and interests.
Financial Reporting Fraud and Market Misleading
Financial reporting fraud encompasses a spectrum of typologies fundamentally aimed at shaping reported earnings, cash-flow perception, and leverage indicators. Practices such as aggressive revenue recognition, improper capitalisation of costs, manipulating provisions through “cookie jar reserves”, channel stuffing, and round-tripping may take different forms, but share a common structure: creating the appearance of sustainable performance, often supported by selective documentation, pressure on finance teams, and “management judgement” that is not proportionately substantiated. The evidentiary construct frequently focuses on patterns across multiple periods, on unusual journal entries at the end of the reporting cycle, on atypical contract interpretations, and on signals from internal audit or the second line indicating control override. Materiality is not defined exclusively in quantitative terms; qualitative materiality may be decisive, for example where misstatements affect core KPIs, covenant headroom, or market expectations.
Judgement latitude within reporting standards may be legitimate, but it is susceptible to misuse where estimates are systematically “calibrated” to meet targets. Impairments, fair value measurements, and provisions require transparent assumptions, consistent methodology, and robust governance; deviations become suspicious where assumptions shift opportunistically without a plausible business rationale, where sensitivity analyses are missing, or where external signals are insufficiently incorporated. Consolidation and off-balance-sheet structures, including SPVs and related-party arrangements, increase opacity risk; in practice, consolidation boundaries are tested through factual control, exposure to variable returns, and decision-making power. In matters where governance is weak, a picture may emerge of deliberate structuring to keep debt or losses out of view, with internal memos, board packs, and treasury documentation often serving as critical evidence sources for knowledge and intent.
Market misleading is not confined to the statutory financial statements; it can also arise through KPI presentations and non-GAAP metrics that are insufficiently reconciled or selectively defined to support a favourable narrative. Disclosure controls then become the central framework of assessment: whether an effective process existed to publish price-sensitive information timely, fully, and consistently, and whether messaging was subject to adequate challenge. The auditor interface is likewise critical; management representations, scope-limiting behaviour, and “opinion shopping” may be interpreted as indicators of obstruction or conscious misleading, increasing the likelihood of escalation by the auditor. Data integrity forms the technical backbone: manipulation of transactional evidence in ERP systems, weak master data governance, and missing audit trails impede detection and strengthen culpability where it was known that systems facilitated “gaming”. Remediation through restatements and governance redesign has a dual character: it may mitigate exposure when undertaken timely, transparently, and comprehensively, but it can also be inculpatory where it implicitly confirms that earlier disclosures were inadequate and where root-cause analyses point to structural deficiencies in oversight and control.
Fraud Patterns in Treasury, Finance Operations, and Cash Management
Fraud patterns in treasury and cash management are shaped by the combination of high transaction volumes, time pressure, technical complexity, and reliance on authorisation matrices, which materially expands the scope for abuse where segregation of duties, reconciliations, and exception management are deficient. Abuse of payment processes may manifest in fake vendors, spoofing, CEO fraud, and exploitation of payment authorities; such schemes often succeed due to weak vendor master governance, insufficient verification of bank account changes, and routine processing of exceptions without independent review. In evidentiary terms, audit trails, authorisation logs, email headers, and device metadata are typically decisive, precisely because they can reconstruct the factual chain of instruction, approval, and execution. Structural control overrides are rarely merely “incidental errors”; in enforcement contexts they are often framed as indicators of conscious recklessness or intent, especially where overrides coincide with commercial pressure or performance targets.
Treasury structures add further risk, in part because exposures can be hidden or “packaged” through derivatives, hedging strategies, and internal allocations. Unauthorised hedges, derivatives abuse, and concealment of mark-to-market losses can be facilitated by complexity asymmetry between treasury specialists and governance forums, particularly where risk limits are unclear or limit breaches are not consistently escalated. Cash pooling and intercompany lending can be abused through mispricing, non-arm’s-length terms, and masking liquidity stress; such patterns often become visible through atypical interest arrangements, unusual settlement cycles, and “ad hoc” funding decisions that do not align with documented policy. Factoring and supply chain finance may be used for window dressing where disclosure failures conceal economic reality, for example by presenting debt-like positions as operational optimisation; legal assessment then concentrates on the completeness of disclosures and the consistency of internal classifications with external messaging.
Diversion of funds through consultancy fees, “marketing allowances”, or other difficult-to-verify services is a well-established route for concealing improper payments, in part because deliverables can be described abstractly and business rationales can be constructed relatively easily. Collusion between accounts payable and accounts receivable, including kickbacks, fictitious credits, and manipulation of ageing reports, typically requires a combination of system access, knowledge of reconciliation processes, and the ability to normalise exceptions as routine. In that regard, governance around bank accounts—including the existence of “shadow accounts” and deficient reconciliations—constitutes a core risk directly implicating cash governance. Forensic reconstruction relies on bank data, SWIFT messages, settlement information, user entitlements, change logs, and eDiscovery readiness; an organisation that cannot ensure a reliable chain of custody and data retention faces not only elevated detection risk, but also a greater likelihood that deficiencies will be characterised as culpable because they impede fact-finding.
Bribery and Corruption Through Third-Party Intermediaries
Bribery and corruption through third-party intermediaries often arise at the intersection of commercial expansion, local market practices, and insufficiently embedded governance. Risk-based due diligence is therefore not merely a “check-the-box” requirement, but a substantive process that must align scope and depth with the country, sector, and transaction profile, with particular attention to beneficial ownership, adverse media screening, and identifying political or government-related exposure. Practical effectiveness depends on the quality of source data, the consistency of escalation assessments, and the extent to which commercial pressure does not dictate outcomes. Where due diligence is conducted in an overly formalistic manner, without meaningful verification and without red flags leading to remediation or termination, an evidentiary picture of willful blindness or culpable negligence may emerge, particularly where the same risk indicators were already known internally.
Contractual safeguards—such as audit rights, anti-corruption clauses, termination rights, and compliance undertakings—are essential but not determinative; the core question is whether they are actually invoked and enforced. Payment patterns are often evidentially rich in practice: unusual success fees, cash requests, offshore accounts, “split invoicing”, and payments without clear deliverables are typical signals that, viewed in conjunction with the file, may point to concealed bribery components. The concept of “anything of value” requires a broad approach: gifts, hospitality, travel, donations, and sponsorships may mask indirect quid pro quo, especially where timing coincides with tender decisions or permitting processes, or where beneficiaries are linked to decision-makers. Facilitation payments and local customs are frequently advanced as justification, but in governance terms they function as a stress test for a “zero tolerance” posture: the degree to which exceptions are normalised is directly relevant to the analysis of attribution and culpability.
Government relatedness is a critical qualification issue, including in relation to SOEs and entities performing a “public function”, where the factual role of counterparties and their decision-making authority often carries more weight than formal labels. Internal escalation around exception approvals and pre-approval workflows shows whether accountability of business sponsors is truly embedded, or whether the process functions as rubber-stamping. In tender contexts, governance and integrity around agent engagement are often decisive: tender manipulation and bid-rigging indicia frequently emerge from unusual commission arrangements, limited transparency on sub-agents, and internal communications where “must win” targets dominate without adequate compliance challenge. Post-onboarding monitoring—including ongoing screening, transaction testing, and periodic re-assessment—determines whether an intermediary relationship remains a controlled risk or escalates into structural exposure. Internal enforcement through disciplinary measures and consistent sanctioning also carries external significance as a mitigating factor, provided it can be demonstrated that measures were applied timely, proportionately, and non-selectively, and that remediation truly addresses root causes in incentives, controls, and culture.
Procurement, Tender, and Kickback Matters
Procurement and tender processes represent an inherent concentration of integrity risks in many organisations, because purchasing decisions directly affect cash flows, supplier selection, deliverable quality, and commercial dependencies. Vulnerabilities arise in particular where single sourcing, expedited procedures, and exception pathways are used structurally, placing transparency, market testing, and independent price validation under pressure. In such circumstances, the risk profile shifts from incidental error-proneness to an environment in which deviation from norms can become normalised, especially where governance elements such as objective selection criteria, rotation of responsibilities, and effective second-line challenge are insufficiently embedded. The evidentiary picture in enforcement files is often built from process deviations that may appear explainable in isolation but, taken together, form a pattern of deliberate circumvention of internal controls, with particular attention to repeated exceptions for the same suppliers, atypical contract terms, and unexplained acceleration of approval cycles.
Conflicts of interest are often the “hidden driver” behind ostensibly commercial decisions in this domain. Outside appointments, family ties, and concealed economic interests in suppliers can steer the procurement process, for example through tailor-made specifications, narrowing the scope of a tender, or strategically excluding competing parties. Collusion also manifests through rotation arrangements, sham competition, and recognisable patterns in bidding behaviour, such as repeatedly minimal price differences, identical wording in bids, or a conspicuous clustering of bidders sharing common characteristics. Kickback schemes are frequently concealed via consultancy layers, rebates, commission sharing, or marketing-style fees, where an apparent service component is used to legitimise cash flows that in reality serve as quid pro quo for contract awards or favourable change orders. The boundary between commercial flexibility and fraudulent scope creep lies in the demonstrability of deliverables, the consistency of pricing governance, and the extent to which independent control is exercised over change orders, variations, and claims.
The effectiveness of controls in procurement matters is strongly determined by the integrity of foundational processes such as three-way match, vendor master governance, and segregation of duties. Once supplier data management can be manipulated—through uncontrolled bank account changes or insufficient authorisation over master data, for example—opportunities arise for overbilling, fictitious goods-receipt confirmations, and asset misappropriation, including diversion of inventory or the creation of sham deliveries. Forensic signals in this context are often data-driven: vendor clustering, identical bank accounts, reuse of IP addresses, metadata similarities across invoices, and repetitive anomalies in payment patterns. Remediation then requires more than policy adjustments; supplier rationalisation, strengthened approval matrices, independent price validation, and periodic audits are only sustainable when coupled with accountability, consistent enforcement, and a governance structure in which exceptions truly remain exceptional. Legal consequences can extend to contract rescission, damages recovery, debarment, and parallel criminal exposure, with the quality of internal decision-making and file-building influencing outcomes.
Money Laundering, AML Programme Failures, and “Dirty Money” Exposure
Money-laundering risks and AML programme failures are assessed in contemporary enforcement practice primarily through the lens of demonstrable risk control: an organisation must be able to show that risks have been systematically identified, prioritised, and mitigated through a coherent framework of KYC/CDD, transaction monitoring, escalation, and reporting. Risk assessments should not exist merely as periodic documents, but must align consistently with the product offering, geographic footprint, customer segmentation, and delivery channels, with assumptions and data quality explicitly substantiated. An AML framework that does not match the realities of the business—because scenarios are generic, risk indicators are outdated, or customer profiling lacks sufficient granularity—creates structural blind spots. In matters where “dirty money” exposure comes to light, the core question is typically whether the failure was incidental or systemic, with recurring deficiencies, under-resourcing, and prolonged absence of remediation weighing heavily.
KYC/CDD quality is a foundational pillar: identification, verification, UBO determination, and continuous due diligence must be not only procedurally sound but substantively robust. Weak UBO transparency, inadequate verification of source of funds, or routine acceptance of incomplete documentation can—particularly in higher-risk contexts—lead to culpability where the organisation should reasonably have recognised that the customer profile was unreliable. Transaction monitoring likewise requires a well-designed architecture of scenarios, thresholds, and tuning that is commensurate with the risks; “alert fatigue” is not merely an operational challenge, but may be characterised as systemic risk where volume and prioritisation logic is configured such that relevant signals are structurally drowned out. In automated monitoring, model governance, data lineage, and audit trails are essential to explain after the fact why particular transactions were or were not flagged, and to demonstrate that decisions on tuning, suppressions, and exceptions were carefully weighed and documented.
Suspicious activity reporting introduces a further touchstone: the quality of narratives, the timeliness of escalations, and the consistency of the decision pathway are determinative in assessing whether statutory and prudential expectations have been met. Correspondent banking and nested relationships increase complexity, because enhanced due diligence and transparency regarding respondent activity require governance to extend beyond the organisation’s direct customer relationship. Trade-based money laundering—through patterns such as over- and under-invoicing and documentary fraud in supply chains—also requires AML not to be isolated within compliance, but integrated with trade finance, procurement, and logistics controls. Board and executive liability may come into view where structural shortcomings were known—for example through internal audit findings, regulatory feedback, or incident trends—yet insufficient investment was made in resourcing, tooling, or process redesign. Remediation and monitorship-type programmes then call for independent testing, lookbacks, and durable strengthening of controls, with credibility determined by measurable improvements, clear governance ownership, and demonstrable first-line effectiveness.
International Sanctions Breaches and Export Controls
Sanctions and export-control risks are characterised by a broad and dynamic scope of application, in which direct and indirect transactions, facilitation, brokering, and circumvention risk reinforce one another. A central complication is that exposure may manifest through diversion routes, supply-chain partners, and financial flows that are not always directly visible to the commercial front office. Scoping therefore requires an integrated approach in which goods, services, technology, technical data transfers, and financial services are assessed together, including the role of re-export, transshipment, and free zones. Screening architecture must support that integrated approach through party, ownership, and goods screening, supplemented by end-use/end-user controls that go beyond box-ticking statements. In practice, assessments of culpability often focus on whether reasonable measures were taken to detect and prevent circumvention, including recognising routing anomalies, documentation inconsistencies, and atypical payment structures.
Complex ownership structures constitute a core risk, driven in part by 50% rules, control tests, and the need for UBO transparency. An organisation that lacks sufficient insight into ultimate ownership or de facto control risks inadvertently conducting transactions involving sanctioned interests, with the depth of due diligence and monitoring being decisive for legal characterisation. Dual-use goods also require specialist classification, licensing, and governance around deemed exports and technical data transfers; deficiencies are often traceable to inadequate alignment between sales, engineering, logistics, and compliance, or an overly limited role for export-control specialists in product development and deal structuring. Financial flows—including correspondent banks and trade-finance instruments—can reduce visibility of “shadow beneficiaries”, making a robust combination of transaction screening, document review, and exception governance essential. Where exceptions are routinely approved without in-depth analysis, the evidentiary picture points not to a single incident but to a structurally careless approach to high-risk transactions.
Governance mechanisms such as a sanctions committee, clear escalation protocols, and documented decision-making in borderline cases are often decisive for the defence position in this domain. Voluntary disclosure can be strategically relevant, but requires tight timeline management, careful consideration of privilege issues, and consistent regulator engagement, particularly in multi-jurisdictional exposure. Contract management also plays an important role: sanctions clauses, warranties, and suspension/termination mechanisms must not merely exist on paper, but be operationally usable, including procedures to stop deliveries and freeze payments upon designation events. Consequences can be substantial and include fines, debarment, reputational harm, and personal exposure in cases of willful blindness. Effective control ultimately rests on demonstrably integrating sanctions and export-control requirements into end-to-end processes, with sufficient resourcing, training, data governance, and independent testing.
Obstruction, Evidence Manipulation, and the Integrity of Internal Investigations
Obstruction and evidence manipulation constitute an independent escalation factor in many matters, because they go to the reliability of fact-finding and the integrity of supervision and enforcement. Document retention and legal hold require timely issuance, a sufficiently broad yet proportionate scope, and demonstrable enforcement, including preservation of relevant data across systems, email, file shares, and collaboration tooling. Spoliation risks are amplified by messaging apps, ephemeral communications, and BYOD environments, where data volatility and device-management shortcomings can impede reconstruction of events. In an enforcement context, scrutiny extends beyond the existence of policies to their actual effectiveness: were holds properly communicated, understood, and complied with, and were there technical measures to prevent automatic deletion? Where discrepancies exist between formal instructions and actual data retention, an inference may arise of negligence or, in more serious cases, deliberate obstruction.
Witness interference is a particularly sensitive issue, because the line between legitimate preparation and improper influence can be thin. Coaching aimed at aligning statements, intimidation, or encouraging selective memory loss can create substantial additional exposure, not least because such conduct is often interpreted as an indicator of awareness of underlying breaches. Whistleblower channels and non-retaliation safeguards are in this regard not only compliance elements but also evidentiary indicators: the degree to which reports are independently triaged, investigated, and followed up, and the extent to which reporters are genuinely protected, can be determinative for assessments of culture and governance. Privilege and confidentiality require careful structuring of investigations, clarity on counsel roles, and awareness of cross-border privilege risks; suboptimal structuring can result in loss of protection, inconsistent communication, and an increased likelihood of misunderstandings with regulators.
E-discovery governance is often a technical and process “litmus test”: collection, chain of custody, filtering, and proportionality must be demonstrably robust to avoid disputes over data integrity and completeness. Interview governance—including Upjohn-type warnings, accurate memoranda, and consistent recording—affects the quality and usability of the factual record. Parallel proceedings—such as coordination with regulators or criminal authorities, dawn raids, and cross-border mutual legal assistance—create additional pressure on speed and consistency, where messaging errors or incomplete information can escalate immediately. Remediation transparency requires that fact-finding not be conflated with “spin”; presenting cosmetic measures as structural solutions may be construed as misleading or as a lack of good faith. “Lessons learned” and root-cause analyses only attain external credibility when they lead to demonstrable embedding in policies, training, controls, and accountability, including measurable improvements and independent testing for sustainability.
Enforcement, Settlements, and Compliance Remediation
Enforcement and settlement-type pathways require strategic positioning from the outset based on early case assessment, exposure mapping, and scenario planning. A robust approach brings together facts, legal characterisations, involved functions, implicated jurisdictions, and potential harm components in one consistent framework, while also addressing reputational and business-continuity risks. Multi-jurisdictional coordination often determines both outcome and timing in practice, because forum risks, information sharing among authorities, and settlement sequencing can shape negotiating leverage. In that context, the quality of internal fact-finding and the degree of control over data and document flows become strategic factors, because inconsistent or shifting positions can undermine credibility with authorities and increase exposure. Decision-making governance around disclosures is likewise critical, including explicit documentation of considerations, risks, and boundary conditions.
Cooperation credit typically depends on the content, timing, and reliability of disclosures, but it has limits: incomplete information, selective presentation, or lack of consistency can neutralise the intended mitigation or even reverse it. Penalty calculation may be anchored in different approaches, including gain-based and harm-based models and culpability factors. Precedent and proportionality play a role, but factual circumstances such as duration, scale, level of seniority involved, obstruction elements, and remediation quality are often decisive. Monitorship versus self-monitoring requires a credible demonstration that improvements are durably embedded, with adequate resourcing, independent testing, and clear governance ownership. Data and metrics are increasingly central: KPIs for compliance effectiveness, auditability, and board reporting must not only exist, but must demonstrably drive risk reduction, with visibility into leading indicators such as escalation volumes, remediation timeliness, and due-diligence quality.
Individual accountability is an explicit focus in many matters, requiring careful management of defence separations, conflicts of interest, and indemnification issues. Internal and external communications require a consistent, fact-based line, particularly toward the market, lenders, counterparties, and employees; discrepancies between internal fact-finding and external messaging can create additional exposure, including through inaccurate or misleading disclosures. Remediation programmes must be concrete, with control enhancements that directly map to root causes, including adjustments to processes, tooling, authorisation matrices, training, and first-line accountability. Durable embedding further requires integrating compliance into business processes, incentives, and performance management, with periodic independent reviews to continue testing effectiveness. Ultimately, the credibility of a settlement pathway is determined by the extent to which it can be demonstrated that the organisation has learned, improved structurally, and is capable of materially preventing recurrence, without governance reverting to merely formal compliance.

