On 17 January 2020, the UK Serious Fraud Office updated its Operational Handbook regarding Evaluating a Compliance Programme (the Handbook). The Handbook is an internal tool for SFO prosecutors, investigators, auditors, lawyers and compliance professionals that sets out standard processes, instructions and guidance on the conduct of SFO casework. It is intended as a practical reference guide for staff and reflects, rather than dictates, best practice.
In the most recent update, the Handbook provides guidance in relation to three key phases of the evaluation of a compliance programme:
- Efficacy of the Compliance Programme;
- Scope of Investigation; and
- Scope of Assessment.
Below is a summary of the main features, which we encourage organisations to consider when reflecting on the adequacy of their own compliance programmes.
Efficacy of the Compliance Programme
The Handbook reiterates that a key feature of any compliance programme is that it needs to be effective and work for each specific organisation in the field in which it operates and that it is critical that the compliance programme is proportionate, risk-based and regularly reviewed. Prosecutors are therefore required to assess the past, present and future effectiveness of an organisation's compliance programme.
Past: It will be in the public interest to favour prosecution where "the offence was committed at a time when the company had an ineffective corporate compliance programme." Conversely, an organisation will have a defence against a s.7 Bribery Act offence (failure of a commercial organisation to prevent bribery) if, at the time of the bribe, the organisation had in place "adequate procedures designed to prevent persons associated with [it] from undertaking such conduct." Even inadequate bribery prevention measures may still be relevant to sentencing.
Present: It will be in the public interest against prosecution where a prosecutor identifies evidence of an organisation taking "remedial actions" (e.g. has enhanced its compliance programme) and "a genuinely proactive and effective corporate compliance programme" after the decision to prosecute has been taken. The prosecutor will be required to consider whether the organisation currently has a genuinely proactive and effective corporate compliance programme when assessing its suitability for a Deferred Prosecution Agreement (DPA). The current state of an organisation's compliance programme may also be considered at sentencing, including whether the level of fine impacts the organisation's ability to implement effective compliance programmes in the future.
Future: A DPA can include terms requiring the organisation to implement a compliance programme in the future, or change its existing programme, policies or training. The prosecutor considering a DPA therefore needs to assess whether such terms may be appropriate and be ready to justify this to the Court. Any such DPA should set out the means by which the expected reforms will be monitored and the assessment criteria for the organisation to satisfy the prosecutor.
Scope of Investigation
Investigators will be required to consider specific compliance issues as part of the overall investigation strategy and obtain information from a variety of sources about the organisation's compliance programme. This will involve strategic and tactical questions, including when to seek information from the various potential sources, and may involve using a variety of the SFO's investigatory “tools”, all of which should be reflected in any relevant case decision log entries and Investigation Plans addressing how the compliance programme will be evaluated.
Scope of Assessment
The Ministry of Justice’s 2011 statutory guidance on the Bribery Act included six key principles that continue to represent a good general framework for assessing compliance programmes.
Principle 1: Proportionate Procedures – adequate bribery prevention procedures, including the nature and implementation of policies prohibiting bribery, ought to be proportionate to the bribery risks that the organisation faces and to the nature, scale and complexity of the commercial organisation's activities.
Principle 2: Top Level Commitment – bribery prevention procedures of a commercial organisation should be implemented at board level and should be reflected through examples of robust risk assessments, specific director involvement in high profile and crucial decision-making, and the selection and training of senior managers to lead anti-bribery work.
Principle 3: Risk Assessment – a commercial organisation is responsible for the evolutionary assessment of the nature and extent of its exposure to potential external and internal risks of bribery. Common external risks include: country; sectoral; transactional; business opportunity; and business partnership. Common internal risks include: deficiencies in employee training, skills, and knowledge; a "bonus culture" that encourages risk-taking; lack of clarity regarding hospitality and promotional policies and procedures; lack of clear financial controls; and lack of a clear message from the top.
Principle 4: Due Diligence – a commercial organisation is responsible for the application of due diligence procedures in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks. Such procedures may include an appropriate level of HR due diligence to mitigate the risks of bribery being undertaken by employees, care in entering into certain third party business relationships, and robust due diligence for mergers and acquisitions.
Principle 5: Communication (including training) – a commercial organisation is responsible for effectively communicating its bribery prevention policies and procedures and that they are embedded and understood throughout the organisation through internal and external communication, including tailored training that is accessible to employees and agents.
Principle 6: Monitoring and Review – a commercial organisation is responsible for the evolution of its own compliance programme in order to ensure the effectiveness of the programme through monitor the review ranging from investigations and internal controls to staff surveys and other detection measures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.