It has been over twenty years since the OECD Anti-Bribery Convention came into force, over a decade since the enactment of the UK Bribery Act, and over three years since the passage of France's Sapin II law. Alongside those ground-breaking developments have come a host of other measures across the Europe, Middle East, and Africa ("EMEA") region to strengthen anticorruption laws, enhance the enforcement tools available to government authorities, and incentivise investments in compliance programmes, making it clear that the U.S. Foreign Corrupt Practices Act ("FCPA") is no longer the only practical enforcement risk to which companies headquartered or operating in the EMEA region must address themselves. In this alert, we provide an update concerning key anti-corruption enforcement trends and developments in the EMEA region.
Enforcement Trends in the EMEA Region
Rising Enforcement Activity and Penalties
High-value corporate enforcement actions in Europe are not new. In 2007 and 2008, for example, the German conglomerate Siemens was ordered to pay nearly €600 million in confiscation to the German authorities--in addition to substantial penalties under parallel U.S. enforcement actions--to resolve foreign bribery cases, in what was at the time the largest corporate anti-corruption enforcement action in history.1 However, the past few years have seen an increase in both the frequency and magnitude of such actions, culminating in the January 2020 announcement of a record-setting €3.6 billion global settlement between Airbus and the French, UK, and U.S. authorities, with the lion's share of the settlement going to France and the United Kingdom.2
While the Airbus action has been a subject of particular attention among commentators, it is only one of a number of recent high-profile enforcement actions resolved by UK and other European enforcement authorities in the past several years. In 2014, for example, SBM Offshore paid $240 million (approximately €193 million) under an out-of-court settlement with the Dutch government, which was followed in 2017 and 2018 by related enforcement actions in the U.S. and Brazil.3 In addition, several UK and EU Member State enforcement actions have been resolved alongside parallel enforcement actions in the United States.4 Although some of those resolutions were driven primarily by investigations by the U.S. authorities, others followed investigations that were led by UK or EU authorities and ultimately resulted in larger monetary settlements outside of the United States.5 There also have been cases in which the U.S. authorities deferred to ex-U.S. enforcement authorities and declined to bring separate enforcement actions.6 Finally, European enforcement authorities have secured high-value resolutions in cases that do not appear to have included any U.S. enforcement dimension.7
1 See OECD Working Group on Bribery, Phase 3 Report on Implementing the OECD Anti-Bribery Convention in Germany (Mar. 17, 2011), at 10.
2 See UK Serious Fraud Office ("SFO"), SFO enters into €991m Deferred Prosecution Agreement with Airbus as part of a €3.6bn global resolution (Jan. 31, 2020).
Enforcement activity in Africa is also showing an upward trend. Although most domestic enforcement in Africa is focused on individuals--with a particular focus on government officials--African enforcement focused on companies is beginning to emerge. For example, French defence firm Thales is currently facing a trial in South Africa related to allegations that it made improper payments to former President Jacob Zuma in relation to an arms deal concluded in 1999.8 The charges originally were filed more than a decade ago and were reinstated in light of pressure from non-governmental organisations ("NGOs") and politicians. Further, recent changes to evidence-sharing rules in South Africa's long-running "State Capture" inquiry are expected to help prosecutors build corruption cases more efficiently, and may lead to additional prosecutions. The African Development Bank ("AfDB") also has become more active in recent years in bringing suspension and debarment proceedings in relation to fraudulent and corrupt practices in AfDB-financed projects. While the World Bank remains the most active enforcer of its suspension and debarment regime among multilateral development banks ("MDBs"), the AfDB's current list of debarred parties includes 92 individuals and entities debarred as a result of AfDB-led debarment proceedings, in addition to the hundreds of cross-debarments based on proceedings instituted by other MDBs.9
3 See OECD Working Group on Bribery, The Netherlands: Follow-up to the Phase 3 Report & Recommendations (May 12, 2015), Annex 4; see also Department of Justice, Office of Public Affairs, SBM Offshore N.V. And United States-Based Subsidiary Resolve Foreign Corrupt Practices Act Case Involving Bribes in Five Countries (Nov. 29, 2017).
4 Examples include actions against: Odebrecht and Braskem in 2016 (~$3.5 billion settlement with the U.S., Brazilian, and Swiss authorities); Vimpelcom in 2016 (~$795 million settlement with the U.S. and Dutch authorities); Telia in 2017 (~$965 million settlement with the U.S., Dutch, and Swedish authorities); Rolls-Royce in 2017 (~$800 million settlement with the U.S., UK, and Brazilian authorities); and Société Générale in 2018 (~$585 million settlement with the U.S. and French authorities).
5 For example, this was the case in relation to the coordinated multijurisdictional resolutions with Rolls-Royce and Airbus. Consistent with its policy against "piling on," which aims to avoid unfair duplicative penalties and maintain good relationships with foreign enforcement counterparts, the U.S. DOJ has in recent years offset financial penalties imposed under FCPA settlements against those paid to foreign authorities.
6 For example, this occurred following parallel investigations by the U.S. and UK authorities into the activities of Güralp Systems Limited. The DOJ issued a declination under the FCPA Corporate Enforcement Policy and cited as one of its reasons for declining to prosecute that Güralp was the subject of an ongoing parallel investigation by the SFO and had committed to accepting responsibility in the SFO action. Güralp subsequently entered into a deferred prosecution agreement with the SFO.
7 In October 2019, for example, Swiss prosecutors secured a conviction of commodity trading group Gunvor related to alleged bribery in Congo-Brazzaville and the Ivory Coast. Gunvor was ordered to pay CHF 94 million (approximately €88 million) comprised of a fine of CHF 4 million and disgorgement of CHF 90 million. In March 2019, Hempel, a Danish manufacturer of coating products, announced that it had agreed to pay DKK 220 million (approximately €30 million) to German and Danish prosecutors to settle a bribery case.
8 See, e.g., Reuters, French arms firm Thales to appeal Zuma corruption charge ruling in S. Africa's top court (Nov. 4, 2019).
In addition to increasing corporate enforcement, we continue to see authorities across the EMEA region bring bribery-related prosecutions against individuals, including private sector employees and government officials.10 Moreover, guidance published by enforcement authorities in the EMEA region suggests that they will continue to prioritise enforcement against individuals in cases that also involve potential corporate enforcement.11
The foregoing trend of increased enforcement activity in the EMEA region is expected to continue. For example:
In the United Kingdom, several large Serious Fraud Office ("SFO") investigations involving foreign bribery allegations remain active, including a recently-announced investigation into suspected bribery at mining and commodity trading group Glencore, which is separately under investigation in the United States, Switzerland, and Brazil.
French authorities have signalled in public commentary the country's intention to become a leading anti-corruption enforcement authority.12 That intention is borne out in recent enforcement activity, including but not limited to the settlements described in this alert.13
As discussed in further detail below, Germany is set to introduce significant reforms to its anti-corruption laws, which are likely to result in increased enforcement against corporates. That will bolster Germany's already strong enforcement record, which prompted the OECD to label it "among the leading enforcers of the Anti-Bribery Convention" in its 2018 Germany monitoring report.14
9 See African Development Bank Group, Debarment and Sanctions Procedures, https://www.afdb.org/en/projects-operations/debarment-and-sanctions-procedures (last visited Sept. 1, 2020).
10 For example, there have been recent arrests and prosecutions of individuals for bribery-related offences in, among other countries, the UK, France, Germany, Spain, Italy, Greece, Denmark, South Africa, Kenya, Nigeria, Namibia, Zimbabwe, the UAE, and Saudi Arabia.
11 See, e.g., SFO, Operational Handbook, Corporate Co-operation Guidance (Aug. 2019) ("SFO Cooperation Guidance"), at 1, 4; Ministère de Justice, Circulaire de politique pénale en matière de lutte contre la corruption internationale (June 2, 2020) ("French Ministry of Justice Circular"), at 15 (both emphasising that companies seeking cooperation credit must identify the individuals involved in misconduct and avoid taking steps that may interfere with the government's ability to prosecute such individuals).
12 See, e.g., Affichages Parisiennes, Corruption: "la France doit retrouver sa souveraineté judiciaire", selon Nicole Belloubet (June 4, 2020) (quoting former Justice Minister Nicole Belloubet as stating that the Justice Ministry's objective was to overtake foreign authorities in anti-corruption enforcement).
13 See, e.g., Ministère de la Justice, Manquements à la probité: éléments statistiques (Feb. 2020) (reporting that French prosecutors secured 131 convictions in corruption cases in 2018).
14 OECD Working Group on Bribery, Implementing the OECD Anti-Bribery Convention Phase 4 Report: Germany (June 14, 2018).
In Italy, prosecutions are ongoing in a long-running investigation into suspected corruption related to Nigeria's OPL 245 oil block (which also has been the subject of investigations by other enforcement authorities) and reports emerged in June 2020 that prosecutors are investigating several engineering companies in relation to a suspected bribery scheme to win tenders for the construction of the Milan subway system.15 Italy's anti-corruption and associated compliance legal regime--including the "Law 231" legislation summarised below--has gained momentum and become a focus of both Italian-headquartered companies and international companies operating in Italy, which have been required to consider local law standards in rolling out anti-corruption compliance programmes in Italy.
In the Netherlands, the Dutch Public Prosecution Service has demonstrated a willingness and capacity to take on large corruption cases, and has put in place dedicated resources to focus on Dutch foreign bribery laws.
Saudi Arabia's Control and Anti-Corruption Authority (Nazaha) announced in July 2020 that it had initiated a total of 105 bribery-related cases, including one involving the arrest of three employees of national utility company Saudi Electricity Company for allegedly receiving bribes from a French company in exchange for purchase orders.
Consistent with the global trend of increased cross-border cooperation, enforcement authorities in the EMEA region have continued to cement their relationships with one another and their international counterparts.
Cooperation with U.S. enforcement authorities has been particularly prevalent. Press releases issued in connection with FCPA resolutions by the U.S. Department of Justice ("DOJ") and U.S. Securities and Exchange Commission ("SEC") in 2019 and 2020 alone have included acknowledgements of assistance received from authorities in EMEA countries including Austria, Belgium, Cyprus, France, Greece, Guernsey, Ireland, Isle of Man, Italy, Latvia, Luxembourg, Monaco, the Netherlands, Norway, Portugal, Sweden, Switzerland, the United Arab Emirates, and the United Kingdom.
Cross-border cooperation in the EMEA region is, however, not limited to cooperation with the U.S. authorities. For example, the Swiss authorities have provided extensive assistance to the Brazilian authorities in relation to Lava Jato investigations, including by freezing numerous bank accounts and returning funds to Brazil.16 In France, the Agence française anticorruption ("AFA") has engaged in a broad range of activities to develop ties with its foreign counterparts, including by partnering with the OECD, the Council of Europe's Group of States against Corruption ("GRECO"), and the Network of Corruption Prevention Authorities ("NCPA") to launch a global mapping of national anti-corruption authorities, with a view to enabling more effective cooperation among them.17
15 See, e.g., Reuters, Italy arrests Siemens, Alstom executives over Milan subway deals (June 23, 2020).
16 See, e.g., Office of the Attorney General of Switzerland, Report of the Office of the Attorney General of Switzerland on its activities in 2019 for the attention of the supervisory authority (Jan. 2020) (noting that "by the end of 2019 more than CHF 400 million had been returned to Brazil."). More broadly, the report states that 317 mutual assistance proceedings were ongoing at the end of 2019.
At the European Union level, existing cooperation and information-sharing mechanisms will soon be bolstered by the establishment of a European Public Prosecutor's Office ("EPPO"), which is expected to become operational by late 2020. The EPPO will be an independent, decentralised EU-level prosecution agency with broad powers to investigate and prosecute fraud and corruption impacting the EU budget. It will act in partnership with existing EU crime-fighting agencies Eurojust, Europol, and the European Anti-Fraud Office.18
UK and European Authorities are Leveraging DPAs and Similar Settlement Vehicles
A growing number of countries in the EMEA region have begun to look to deferred prosecution agreements ("DPAs") and similar settlement vehicles to resolve bribery cases.
The United Kingdom introduced a DPA regime, based loosely on the U.S. DPA model, in 2014. It has now secured eight DPAs, including five in bribery cases (with an overall financial value of approximately 1.4 billion) and three in fraud and false accounting cases. The SFO's success in securing high-value settlements through DPAs has markedly improved its corporate enforcement track record.
France introduced a variation of the DPA--known as a Convention judiciaire d'intérêt public ("CJIP")--in late 2016 under the Sapin II law, which was introduced in response to a combination of international criticism that France was not enforcing its bribery laws and concerns within France that significant fines imposed on French companies by the U.S. enforcement authorities were undermining the country's "judicial sovereignty." As in the United Kingdom, the introduction of the CJIP resolution vehicle has improved France's corporate enforcement record; French prosecutors have now secured 11 CJIPs, six of which related to bribery offences and had an overall financial value of over €2.3 billion.
In Germany, a new Associations Sanctions Act ("ASA")--which is expected to be passed into law in the near term--would establish DPA-like mechanisms that can be used by a prosecutor during the course of an investigation, or by a court after charges have been filed.19 During the investigation stage, a prosecutor will have the authority, with the approval of the court, to enter into an agreement with a company under which the prosecutor will provisionally refrain from bringing charges in exchange for the company's agreement to comply with specified conditions. After charges have been brought, the court will be able, with the agreement of the prosecutor and the company, to suspend proceedings and impose conditions on the company (including conditions agreed through negotiations between the prosecutor and the company). In either case, the conditions that may be imposed include the payment of a sum of money or a requirement to implement or enhance a compliance programme under the supervision of an independent expert. A third option will be available under which a court can convict the company but issue a warning and reserve the right to impose a monetary penalty if the company commits another crime during the reservation period or fails to comply with specified conditions.
17 See AFA/GRECO/OECD/NCPA, Global Mapping of Anti-Corruption Authorities Analysis Report (May 2020). Additional AFA activities described in its 2019 annual report included: receiving 43 foreign delegations; signing cooperation agreements with authorities in Brazil, Egypt, and Kuwait; taking steps to reinforce cooperation agreements previously executed with other authorities; reinforcing its partnerships with the World Bank and Inter-American Development Bank; and participating in 61 international anticorruption events. AFA, Rapport Annuel d'Activité (July 9, 2019) ("AFA 2019 Annual Report").
18 See European Commission, Protecting Taxpayers Against Fraud and Corruption: The European Public Prosecutor's Office (Oct. 23, 2019).
19 See German Ministry of Justice, Draft bill, Law to strengthen integrity in business (adopted by the Federal Government on June 16, 2020). For further information on the law, see our prior alert.
Use of Compliance Monitorships
Compliance monitorships have long been a feature of the U.S. corporate enforcement landscape, but historically were viewed with a degree of scepticism by some enforcement authorities outside the United States. While UK and European enforcement authorities have imposed monitoring requirements in connection with anti-corruption enforcement actions, they have for the most part done so in a more targeted way than their U.S. counterparts.
Although four of the eight DPAs secured by the UK SFO to date have included external monitoring components, the monitoring requirements have in most cases been targeted in nature.20 However, a recent DPA agreed with G4S Care & Justice Services (UK) Limited set forth more detailed monitoring requirements than prior DPAs.21 The SFO also recently issued internal guidance for prosecutors indicating that a compliance monitor will "likely" be appointed under any DPA that includes terms requiring reforms to the organisation's compliance programme, suggesting that the imposition of compliance monitors may become an increasingly common feature of UK enforcement actions.22
In France, each of the five CJIPs secured in bribery cases to date has included a monitorship by the AFA. Sapin II created the AFA and gave it various compliance oversight responsibilities, including one in the form of an option for a prosecutor to require a company, as part of a CJIP, to submit to an AFA monitorship of up to three years in length. Sapin II provides that the AFA is entitled to engage external advisers to support such a monitorship--at the expense of the monitored company--but that the maximum costs associated with the monitorship must be fixed in the CJIP. In practice, the ceiling costs that have been set in CJIPs have been considerably lower than the typical costs of an FCPA monitorship, ranging from €200,000 in a relatively small domestic bribery settlement to €8.5 million in connection with the Airbus settlement.
Expectations Concerning Voluntary Disclosure and Cooperation
European enforcement authorities have begun to embrace corporate cooperation as a key strategy in bribery investigations. As in the United States, this is manifested in efforts to encourage companies to disclose misconduct and take steps to facilitate government investigations--for example, by sharing key information with the authorities and making witnesses available for interviews.
20 For example, Standard Bank was not required to submit to a full monitorship but was required under its DPA with the SFO to commission an independent report focused on specific aspects of its anti-bribery policies and implement the recommendations in the report. In the Rolls-Royce matter, the company had already entered into a voluntary monitoring arrangement with an external adviser, and the DPA required Rolls-Royce to continue that arrangement for a period of time, implement the adviser's recommendations, and share reports with the SFO.
21 Deferred Prosecution Agreement between the SFO and G4S Care & Justice Services (UK) Ltd. (July 17, 2020).
22 See SFO, Operational Handbook, Evaluating a Compliance Programme (Jan. 2020).
In the United Kingdom and France, the potential to obtain a DPA or CJIP has been used to incentivise self-reporting. The UK DPA Code of Practice, for example, provides that a prosecutor deciding whether to enter into a DPA may take a company's self-report into account, and the SFO has indicated in its Corporate Co-operation Guidance that it considers reporting issues to the agency "within a reasonable time of the suspicions coming to light" to be a core component of cooperation.23 However, self-reporting is only one factor that is taken into account in assessing whether a DPA is in the public interest, and not all DPAs have been preceded by self-reports.24 In France, the National Financial Prosecutor's Office (Procureur national financier, or "PNF") and the AFA have published guidance indicating that cooperation is a prerequisite to obtaining a CJIP, and that voluntary disclosure within a reasonable period of time will be viewed favourably in the assessment of a company's cooperation efforts.25 The benefits of self-reporting are, however, somewhat uncertain and require case-by-case consideration. Prosecutors in both countries retain the discretion to prosecute where a self-report has been made, and there is a lack of sufficiently detailed guidance or enforcement precedent to enable a company to predict precisely how a self-report might impact reductions in fines and other resolution terms.
The role of companies and their advisers in conducting investigations has been a subject of recent attention in certain European countries. In the United Kingdom, for example, SFO officials have in the past expressed concerns that internal investigations risk "trampling over the crime scene."26 The SFO's Corporate Co-operation Guidance reflects a more pragmatic view of internal investigations, acknowledging that a company can cooperate effectively with an SFO investigation by sharing information obtained in the course of such an investigation. Nonetheless, the SFO's reservations concerning potential prejudice to its investigations continue to be reflected in the new guidance, with the SFO noting that companies should "consult in a timely way with the SFO before interviewing potential witnesses or suspects, taking personnel/HR actions or taking other overt steps."27
In France, internal investigations conducted by lawyers have not historically been a common practice, but they have become more frequent following the passage of Sapin II. Indeed, the French authorities recently issued guidance indicating that they expect companies to conduct internal investigations and share their findings with the PNF.28 Joint guidance published by the PNF and AFA states that a company may conduct an internal investigation before information is disclosed to the PNF, but that any investigation that occurs prior to the opening of a government investigation must be conducted in a manner that ensures the preservation of key evidence.29 Where an internal investigation occurs in parallel with a PNF investigation, the guidance states that a company should engage in regular exchanges with the prosecutor to ensure effective coordination.30
23 SFO Cooperation Guidance, at 1.
24 See, e.g., Serious Fraud Office v. Rolls-Royce plc and anor., Approved Judgment (Jan. 2017), at paras. 21-22.
25 See Procureur de la Republique Financier and Agence française anticorruption, Lignes directrices sur la mise en oeuvre de la convention judiciaire d'intérêt publique (June 2019) ("PNF-AFA CJIP Guidance").
26 See, e.g., SFO, Ben Morgan, Speech at the Global Anti-Corruption and Compliance in Mining Conference 2015, Compliance and Cooperation (May 20, 2015).
27 See SFO Cooperation Guidance, at 4. As we have previously commented, this potentially puts companies in a difficult position, given that it is often necessary to commence internal investigations to ascertain whether any misconduct has taken place (i.e., before there is anything to report to the SFO).
28 PNF-AFA CJIP Guidance, at 9.
Germany's new ASA law is expected to create incentives for internal investigations in the form of potential reductions to sanctions or the ability to avoid a sanction altogether. A unique feature of the ASA is that it requires a separation between internal investigations and corporate defence, meaning that the lawyers who conduct the investigation will not be permitted to defend the company during the public prosecutor's investigation or in related court proceedings. Otherwise the court will not be bound to consider the investigation as a mitigating factor.
In the Netherlands, the role of law firms in supporting corporate criminal investigations is set to be reviewed by the Ministry of Justice, following a proposal from the Justice Minister to formalise the practice of allowing lawyers to support investigations.31 Proponents of the approach cite successful enforcement actions against corporates in cases where internal investigations were conducted and argue that allowing law firms to conduct investigations preserves government resources, whereas critics argue that law firms lack the necessary independence to conduct credible investigations and cite the risk of law firms presenting evidence to prosecutors in a biased manner.
In certain EMEA countries, direct or indirect disclosure obligations may arise that can create enforcement risks both locally and internationally. For example, obligations to disclose bribery offences and other crimes may arise in countries including Ireland, Luxembourg, South Africa, Kenya, and the UAE.32 Mandatory disclosure obligations for criminal violations also exist under the laws of various Eastern European jurisdictions. Requirements also may arise under local anti-money laundering laws to disclose dealings with property that is suspected to be the proceeds of bribery. For example, the UK Proceeds of Crime Act creates affirmative disclosure obligations for parties in certain regulated sectors when they have reasonable grounds to know or suspect that money laundering is occurring, and any party (i.e., whether they are in a regulated sector or not) may attain a defence to a money laundering offence by disclosing to the UK National Crime Agency ("NCA") that property is suspected to be the proceeds of crime before proceeding with a transaction involving the property. Such disclosures are made by filing suspicious activity reports with the NCA, which shares intelligence with other law enforcement agencies, including the SFO. Money laundering regimes in a number of other European jurisdictions operate in a similar manner.
In some jurisdictions, public officials or agencies may be subject to reporting obligations that serve to enhance enforcement risks for companies. For example, the AFA has made several referrals to French prosecutors pursuant to an obligation imposed on public officials to report offences they identify in the course of performing their duties.33 As a further example, the Airbus investigation was prompted by disclosures Airbus made to UK Export Finance ("UKEF")--through which Airbus had obtained export credit financing--regarding inaccuracies in its prior disclosures pertaining to the use of agents. Upon receiving disclosures that it believed raised red flags of corruption, UKEF informed Airbus that it was under an obligation to report its suspicions to the SFO, which prompted Airbus to make a simultaneous disclosure.34 In Germany, the tax authorities are required to inform the public prosecutor if there is a suspicion of bribes being paid.
29 Id.
30 Id.
31 See Tweede Kamer der Staten-Generaal, Motion by Groothuizen and Van Nispen on independent research into the advantages and disadvantages of "self-examination" (June 2020).
32 See Section 19 of the Irish Criminal Justice Act 2011; Article 140 of the Luxembourg Criminal Code; Section 34 of the South Africa Prevention and Combating of Corrupt Activities Act; Section 14 of the Kenya Bribery Act 2016; and Article 274 of the UAE Penal Code.
Publicly-traded companies also may come under pressure from market regulators to disclose bribery issues. For example, in March 2019, the Netherlands Authority for Financial Markets imposed a €2 million fine on SBM Offshore for failing to report details of investigations into foreign bribery in a timely manner.35
Any company conducting an investigation that may give rise to disclosure obligations should consider such obligations at the outset of an internal investigation and as the investigation progresses. With limited guidance on key aspects of many of these laws, such as the amount or nature of evidence required to trigger a reporting obligation, companies should seek local law advice on the application of these standards and assess as the facts are developed whether there is an obligation, or other compelling reason, to make a report. In cross-border matters, companies should also consider how a report in one country may warrant coordination with any disclosures to enforcement authorities in other jurisdictions, in order to preserve credit for voluntary disclosure and cooperation in all jurisdictions.
Cross-Border Privilege and Data Issues
The adoption of more active enforcement practices across the EMEA region has served to bring into sharper focus differences between U.S. and international legal regimes, including in relation to legal privilege and laws related to processing and transferring data. Companies conducting investigations in the region should at the outset of an investigation obtain advice on the applicable rules in all relevant countries to understand how best to preserve privilege and ensure compliance with other local laws.
Navigating cross-border privilege rules is a complex exercise that can be fraught with pitfalls. For example, in many EMEA countries it is possible that privilege may not: cover communications with in-house counsel; extend to non-lawyer third parties (even if they are acting at the direction of counsel); apply to communications between a lawyer and employees of a corporate client who are not authorised to instruct the lawyer; or, in the case of "professional secrecy" regimes that apply in many civil law jurisdictions, protect documents when they are in the hands of the client rather than the lawyer. Those substantive differences can be compounded by the fact that in most jurisdictions outside the United States, case law clarifying the application of privilege to corporate investigations is often unclear or underdeveloped. Moreover, some enforcement authorities in the EMEA region either encourage companies to waive privilege to obtain cooperation credit, or fail to honour privilege rights in practice--for example, by seizing documents in dawn raids without regard to potential privilege issues.
33 See Article 40 of the French Code of Criminal Procedure; see also AFA 2019 Annual Report (indicating that the AFA made seven referrals to prosecutors in 2019) and AFA, Rapport Annuel d'Activité (2018) (indicating that the AFA made five referrals to prosecutors in 2018).
34 See Deferred Prosecution Agreement between the SFO and Airbus SE (Jan. 31, 2020).
35 See Autoriteit Financiële Markten ("AFM"), AFM fines SBM Offshore for non-timely disclosure of inside information (Apr. 5, 2019).
While a comprehensive overview of the complexities associated with navigating different privilege regimes is beyond the scope of this article, we provide examples below of some recent developments highlighting the approach of certain European enforcement authorities to privilege issues in the context of corporate investigations.
The UK SFO has for several years taken the position that companies seeking cooperation credit should be prepared to waive legal privilege over materials documenting witness interviews, including transcripts, notes, and other documents. That position is reiterated in the SFO's recent Corporate Co-operation Guidance, albeit in a moderated form--the guidance states that "[a]n organisation that does not waive privilege and provide witness accounts does not attain the corresponding factor against prosecution . . . but will not be penalised by the SFO."36 Similar expectations were reflected in a pivotal 2018 English Court of Appeal privilege decision, which included comments in obiter dicta suggesting that a court determining whether a DPA should be approved "will consider whether the company was willing to waive any privilege attaching to documents produced during internal investigations."37 The SFO's Corporate Co-operation Guidance also reflects more onerous requirements than had previously been communicated by the agency with regard to privilege claims, including requirements to provide a detailed schedule of documents withheld on the basis of privilege (i.e., a privilege log) and a certification by independent legal counsel that the materials are privileged.38
Recent guidance published by the French authorities indicates that companies seeking cooperation credit should exercise caution in making privilege assertions. Specifically, CJIP guidelines published by the PNF and AFA state that a prosecutor should assess whether a refusal to share documents on the basis of professional secrecy is justified, and that an unjustified refusal may be viewed as a failure to cooperate.39 The guidance also states that not all aspects of an internal investigation report will necessarily be covered by professional secrecy, and that professional secrecy only binds the lawyer, not the company.40
In Germany, there are various exemptions to the protection against the seizure of documents subject to professional secrecy. German prosecutors have relied on such exemptions to seize internal investigation documents from the offices of companies in relatively exceptional circumstances and--to the dismay of investigations lawyers both inside and outside of Germany--law firms. Of particular note, in March 2017, Munich prosecutors and police officers conducted a dawn raid at the Munich office of U.S. law firm Jones Day to seize documents related to an investigation the firm had conducted for Volkswagen and its subsidiary Audi. German courts, including the German Federal Constitutional Court, subsequently upheld the legality of the seizure, including on the basis that the search was focused on documents related to Audi, which had not itself formally retained Jones Day.41
36 SFO Cooperation Guidance, at 5.
37 Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation, [2018] EWCA Civ 2006, at para. 117.
38 SFO Cooperation Guidance, at 5.
39 PNF-AFA CJIP Guidance, at 10.
40 Id.
Data Privacy Laws and the French Blocking Statute
The inherent tension between corporate investigations and European data privacy laws has been heightened in recent years by the passage of the EU General Data Protection Regulation ("GDPR"), which increased the maximum available penalties for data privacy violations to up to 4% of annual turnover. Although the GDPR did not fundamentally alter the core principles underlying European data privacy laws, it altered the risk calculus for companies weighing the potential risks of an anti-corruption enforcement action against those of a data privacy enforcement action, with companies now placing increased attention on complying with data privacy laws in the course of corporate investigations. This raises various challenges associated with processing employee data in the course of investigations and transferring data across borders, which is often necessary in the context of cross-border investigations and enforcement proceedings.42 Accordingly, companies with a European footprint may wish to develop dedicated procedures for processing European data in the context of investigations and enforcement proceedings that take into account both the exigencies of such investigations and proceedings and the requirements of the GDPR.
A unique challenge that arises in the context of investigations in France is the French Blocking Statute, which prohibits French nationals and residents from communicating sensitive business information to foreign authorities. The Blocking Statute reportedly played a notable role in the Airbus matter, for example, by allowing the PNF to control the extent to which documents were shared with the DOJ and SFO. While the French government has been criticised in the past for not enforcing the Blocking Statute on a consistent basis, there have been recent calls to strengthen enforcement of the law, including in a 2019 report presented to the French Prime Minister by Member of Parliament Raphaël Gauvain.43 Among other things, the Gauvain report called for the maximum penalties available in the event of a breach of the Blocking Statute to be increased.44 The report included strong rhetoric regarding the use of extraterritorial laws by the United States and stated that French companies do not currently have sufficient legal tools to defend themselves against extraterritorial legal actions.45 It is unclear whether the French legislature will act on the recommendations in the report.
41 See, e.g., Federal Constitutional Court Order of June 27, 2018; Ref. 2 BvR 1287/17.
42 Transfers of data to the United States recently came under scrutiny in the Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems ("Schrems II") case, where the European Court of Justice issued a landmark decision striking down the EU-U.S. Privacy Shield--an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States--but upholding the validity of standard contractual clauses, another mechanism that EU-based organisations use to transfer data internationally. See Covington's alert on the case for further information.
43 Assemblée Nationale, Rétablir la souveraineté de la France et de l'Europe et protéger nos entreprises des lois et mesures à portée extraterritoriale (June 26, 2019) ("Gauvain Report").
44 The current penalties for violating the Blocking Statute are up to €18,000 in fines and 6 months' imprisonment for natural persons and up to €90,000 in fines for legal entities. The Gauvain Report proposed increasing the penalties to €2,000,000 and 2 years' imprisonment for natural persons and up to €10,000,000 in fines for legal entities.
European Compliance Regimes
Over the course of the past two decades, various European countries have implemented measures to incentivise investments in corporate compliance programmes. Although it is one of the most recent entrants to this category, France is now arguably at the forefront of those efforts, having taken the unique approach of implementing a mandatory compliance programme regime for large French companies, which is backed up by a dedicated enforcement agency and financial penalties--for both companies and individuals--that may be imposed where a subject entity fails to maintain an adequate anti-corruption compliance programme. Those penalties are, notably, available regardless of whether a violation of primary anti-corruption laws has occurred. Several other European countries have sought to incentivise compliance by either establishing a defence to corporate liability where a corporation charged with an offence had adequate compliance procedures in place, or by making the absence of adequate compliance measures an element of liability.
This growing number of compliance regimes can be helpful to in-house compliance professionals, insofar as they add to the already substantial business case for investing resources in compliance programmes. Indeed, in most European countries, having a robust compliance programme in place is likely to result in a more favourable outcome in an enforcement action.46
At the same time, the emerging patchwork of compliance regimes can present practical challenges for multinational corporations seeking to comply with local regimes without deviating from existing and proven compliance best practices that have been developed from the perspective of the U.S. FCPA. In our experience, it should generally be possible to meet the requirements of local regimes without making substantial departures from existing compliance programmes designed with the FCPA in mind, as guidance on the core components of an effective compliance programme tends to be broadly similar across jurisdictions. In certain instances, however, local regulators and enforcement authorities have indicated a bias toward technical, more easily auditable compliance programme requirements, including features such as volume-based third party due diligence and employee training standards, gift and hospitality registries, and quantitative assessments of whistleblower hotlines. While useful for some companies, over-reliance on those types of measures can serve to undermine the overall effectiveness of a compliance programme if they divert resources from measures such as substantive risk assessments, "deep-dive" due diligence analyses for higher-risk third-party relationships, and practical reporting and consultation between compliance and business personnel. The latter measures are often harder to reflect in quantifiable data but can be more effective in allowing compliance professionals and senior managers to understand and manage a company's actual corruption risk profile.
45 See Gauvain Report, at 3.
46 For example, in addition to the examples discussed in detail in this section, the implementation of an effective compliance programme may support more favourable enforcement outcomes in, among other countries: Germany (where a failure to implement a compliance programme that could have prevented a criminal offence may result in substantial administrative fines for corporations and personal liability for senior management); Switzerland (where "defective organisation" is a condition for corporate criminal liability and a prosecutor must establish that the corporation has not taken "all reasonable and necessary organisational measures" to prevent the offence); the Netherlands (where a corporation can only be held liable for conduct that occurred "within the setting" of the company, and a corporation that has established adequate supervision and control measures will be in a better position to argue that the offence in question was not part of the normal business activities of the company); and Ireland (where a defence similar to the UK "adequate procedures" defence was established under the Criminal Justice (Corruption Offences) Act 2018).
It is notable, in this regard, that the U.S. DOJ's Evaluation of Corporate Compliance Programs guidance, which the Department updated in June of this year, avoids reliance on rigid formulas.47 Rather, the DOJ guidance emphasises the need for a company to ensure that the design and implementation of its compliance programme is effective in practice, taking into account the size and industry of the company, its geographic footprint, and other considerations. As such, if a company with potential FCPA exposure finds itself faced with the task of re-evaluating its compliance programme under local compliance regimes like those described herein, it would be important to undertake that exercise with a view both toward the local regimes in question and FCPA compliance best practices, as seen through the lens of the DOJ guidance. Efforts to revise local compliance practices on the basis of emerging local law standards should--and, in our experience, can--be resisted if those measures do not serve to reflect the best practical use of a given company's compliance resources, based on the company's experience managing corruption risks under the FCPA or other international regimes.
France's Mandatory Compliance Programme Regime
Under Article 17 of Sapin II, French companies that meet specified turnover and employee thresholds are required to implement compliance programmes that include eight core elements: (1) a Code of Conduct; (2) internal whistleblowing procedures; (3) risk mapping; (4) third party due diligence procedures; (5) accounting controls; (6) training; (7) disciplinary processes; and (8) an internal system to evaluate and control the implementation of the foregoing elements.48 These requirements are monitored by the AFA, which is tasked with conducting compliance programme audits and can bring cases before the AFA's Sanctions Commission where it believes that a company has failed to meet the requirements.
The AFA has published detailed guidelines--in English and French--on the implementation of Sapin II compliance programmes.49 Although the guidelines do not have the force of law, they reflect the AFA's approach to evaluating the adequacy of a compliance programme and therefore serve as a useful starting point for a company seeking to satisfy the Sapin II requirements and avoid proceedings before the Sanctions Commission. Notably, although the core compliance programme elements required under Sapin II are derived from and broadly consistent with the best practices that have emerged under the FCPA and other international anti-corruption laws, the AFA guidance is more prescriptive in many respects than guidance issued by authorities in other jurisdictions. For example, the DOJ guidance requires companies to conduct effective risk assessments but does not dictate the specific risk assessment methodology that a company must follow, whereas the AFA guidance sets forth a detailed six-step methodology to satisfy the Sapin II risk mapping requirement.50 As a result, while it should be possible for companies with existing compliance programmes to leverage and build on their existing efforts, it may be necessary to take additional steps to comply with the technical requirements of Sapin II.
47 See our alert discussing the update.
48 Article 17 applies to any French company that has more than 500 employees (or a corporate group that is headquartered in France and employs more than 500 people across the group), and whose annual turnover, or annual consolidated turnover, exceeds €100 million.
49 AFA, Guidelines to help private and public sector entities prevent and detect corruption, influence peddling, extortion by public officials, unlawful taking of interest, misappropriation of public funds and favouritism (Dec. 2017) ("AFA Guidelines"). The AFA also recently published "Practical Guides" (in English and French) on "Anti-corruption due diligence for mergers and acquisitions" and "The corporate anticorruption compliance function."
The AFA has now conducted dozens of compliance programme audits, including 36 audits in 2019 alone.51 The level of scrutiny the AFA applies in such audits is evidenced by the extensive questionnaire it uses to commence the audit process (a 21-page document that includes 163 questions) and the positions that the AFA Director has taken in cases before the Sanctions Commission. For example, in each of the two cases brought before the Sanctions Commission to date, the AFA argued that the company's risk mapping methodology was inadequate, notwithstanding the fact that each company had conducted an extensive risk mapping exercise with the assistance of an external adviser.52 The AFA's criticisms have been granular in nature, including arguments that risk map scenarios were too generic or that it was inappropriate to exclude particular functions, activities, or geographies from the interviews underlying the risk map.53 However, the Sanctions Commission has so far rejected the AFA's arguments concerning the adequacy of risk mapping processes, reflecting a position that appears to be more deferential to companies' risk-based judgments.54
The United Kingdom's "Adequate Procedures" Defence
A defence to the "failure to prevent bribery" offence under Section 7 of the UK Bribery Act is available to a company able to establish that it had "adequate procedures" to prevent bribery. In 2011, the UK Ministry of Justice ("MoJ") published statutory guidance on adequate procedures, which is organised according to six core principles: (1) proportionate procedures; (2) top-level commitment; (3) risk assessment; (4) due diligence; (5) communication and training; and (6) monitoring and review.55
The UK Government's guidance has remained largely unchanged since the publication of the MoJ guidance. Although the SFO recently published internal guidance for prosecutors on Evaluating a Compliance Programme, the guidance focused on the relevance of compliance programme evaluations to prosecution decisions and for the most part reiterated the MoJ guidance without elaborating on the factors the SFO will examine to assess whether a compliance programme is effective.56 The SFO guidance did stress the importance of ensuring that a compliance programme is effective in practice and not simply a "paper exercise," echoing public comments that SFO Director Lisa Osofsky had previously made suggesting that the SFO will scrutinise compliance programmes and "window dressing will not suffice."57
50 See AFA Guidelines, at 15-18.
51 See AFA 2019 Annual Report, at 9. The 36 audits conducted in 2019 reportedly included 20 audits of companies and 16 audits of public bodies.
52 See AFA, Commission des sanctions, Décision no. 19-01, Société S. SAS et Mme C. (July 4, 2019); AFA, Commission des sanctions, Décision no. 19-02, Société I. et M.C.K. (Feb. 7, 2020).
53 Id.
54 Id.
55 See UK Ministry of Justice, The Bribery Act 2010: Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing (Mar. 2011).
It is difficult to draw meaningful conclusions on the adequate procedures defence from the UK enforcement actions brought to date. The only contested prosecution in which the defence has been asserted was a prosecution brought by the Crown Prosecution Service against a small interior design firm called Skansen Interiors, which did not have dedicated anti-bribery policies or controls. Skansen sought to rely in its defence on a general policy requiring employees to act with honesty and integrity when dealing with third parties, arguing that it did not require elaborate anti-bribery policies because it was a small company (it had approximately 30 employees), its business was localised, and it was "common sense" that employees should not engage in bribery. The jury rejected those arguments and convicted the company. The case confirms that a company will likely need to have at least some dedicated anti-bribery policies and controls--regardless of its size and risk profile--to avail itself of the adequate procedures defence, but it is not otherwise particularly illuminating.
Most corporate enforcement actions under Section 7 have been resolved pursuant to DPAs, which makes it difficult to assess whether an adequate procedures defence would have succeeded at trial. However, some insights can be gleaned from the DPAs that have been agreed with the SFO. For example, one DPA described alleged deficiencies related to, among other things: (1) training and awareness of relevant policies and bribery risks; (2) allowing the formal structures of transactions and relationships rather than substantive risks to dictate the extent to which due diligence obligations arose; and (3) an inability to demonstrate an anticorruption compliance culture.58 Taken together, such criticisms and the SFO's messaging on compliance programmes suggest that a corporate seeking to persuade the SFO that it had adequate procedures to prevent bribery will need to demonstrate that it had a programme in place that was effective in practice and focused on the key substantive risks facing the company. That position ultimately is consistent with--albeit somewhat less developed than--the stated expectations of the U.S. authorities.
Italian and Spanish Regimes
Italian Legislative Decree No. 231 of 8 June 2001 ("Law 231") established administrative liability for corporations for certain forms of criminal activity, including corruption offences, and established an exemption from such liability for a company that implements a compliance programme that meets specified criteria. In 2015, Spain established a defence to corporate criminal liability modelled on and broadly similar to the Italian Law 231 exemption.
The essential elements of a compliance programme under the Italian and Spanish frameworks will for the most part be familiar to compliance professionals with experience of other regimes: they include risk assessment, policies and procedures, financial controls, training, reporting requirements, disciplinary sanctions, and periodic review. Both regimes further require the appointment of an independent supervisory body to monitor the implementation of the programme, which represents something of a departure from compliance "best practice" standards in other jurisdictions (which do not contemplate the necessity for independent supervisors, operating below the company's Board of Directors, to oversee compliance programmes).
56 See SFO, Operational Handbook, Evaluating a Compliance Programme (Jan. 2020).
57 See Lisa Osofsky, Keynote address at the FCPA Conference, Washington D.C. (Dec. 2018).
58 Deferred Prosecution Agreement between the SFO and ICBC Standard Bank plc (Nov. 30, 2015).
Case law and other sources of guidance have further articulated robust standards for compliance programmes under these frameworks. For example, Italian case law has highlighted the importance of ensuring that a compliance programme: is effective in practice and goes beyond the execution of policies and guidelines; includes tailored procedures focused on key risk areas, including in relation to the specific crime for which the corporation is charged; includes a control system to verify the use and implementation of such procedures; and is periodically updated.59 Italian case law and industry guidance have also focused on the importance of having a Supervisory Body that is independent and adequately resourced, has the skillset required to oversee the compliance programme, and reports directly to the Board of Directors.60 In Spain, a Guidance Circular published by the Public Prosecutor's Office in 2016 highlights the importance of ensuring that a company's compliance programme reflects a "true compliance culture" and is tailored to the company's key risks--the Circular includes a specific warning against simply copying compliance programmes developed by other companies, particularly when they originate from different sectors.61 Among other things, the Circular emphasises that compliance personnel should have sufficient knowledge and experience to fulfil their roles and adequate resources to do so.62
Recent and Expected Legal Reforms
Certain countries in the EMEA region have recently taken steps to strengthen their anticorruption laws in ways relevant to companies, including by establishing corporate criminal liability for corruption offences, expanding the extraterritorial reach of anti-corruption laws, and increasing available penalties. We set forth some key examples below.
Germany's new ASA law is expected to introduce a range of reforms in addition to those discussed above. Most notably, the law would establish criminal liability for corporations, as opposed to the administrative penalties that are currently available. Further, the investigation and prosecution of a corporation would no longer be at the discretion of the prosecutor, as is currently the case under the administrative regime, but would generally be mandatory if there is a sufficient basis to believe that a crime was committed. The law would apply extraterritorially to corporations with registered offices in Germany for crimes committed abroad and is expected to make potentially crippling financial penalties available to prosecutors--the current draft law provides that penalties as high as 10% of a corporation's annual turnover may be imposed against corporate groups with an average annual turnover of more than €100 million.
59 See Milan Tribunal, order of Oct. 28, 2004 (Siemens AG); Rome Tribunal, order of Apr. 4, 2003 (Finspa S.p.A.); Naples Tribunal, order no. 33 of June 26, 2007 (Impregilo S.p.A.); and Supreme Court, sentence no. 4677 of Dec. 18, 2013 (I. S.p.A). Guidance published by industry association Confindustria has highlighted further best practices, such as ensuring that work performance targets are achievable without resorting to illegal, unethical or negligent behaviour. See Confindustria, Linee Guida per la Costruzione dei Modelli di Organizzazione, Gestione e Controllo ai Sensi del Decreto Legislativo 8 Giugno 2001, N. 231 (rev. Mar. 2014) ("Confindustria Guidance").
60 See Supreme Court, Sentence no. 52316 of Dec. 9, 2016 (Riva S.p.A.); Milan Tribunal, sentence of Sept. 20, 2004 (I.V.R.I. Holding S.p.A. and COGEFI S.p.A.); Rome Tribunal, order of Apr. 4, 2003 (Finspa S.p.A.); Naples Tribunal, order no. 33 of June 26, 2007 (Impregilo S.p.A.); Confindustria Guidance.
61 See Fiscalia General del Estado, Circular 1/2016, Sobre la Responsabilidad Penal de las Personas Jurídicas Conforme a la Reforma del Código Penal Efectuada Por Ley Orgánica 1/2015 (Jan. 2016), at 22.
62 Id. at 24, 29.
In France, one of the various reforms introduced by Sapin II was an expansion of extraterritorial jurisdiction for corruption offences, which now apply to any individual or entity that exercises all or part of its economic activity in France. The French Ministry of Justice recently issued a Circular that reminds French prosecutors of the provision and states that the PNF is expected to "systematically verify" whether it has jurisdiction over companies and individuals involved in foreign bribery.63 The Circular states that the concept of exercising economic activity in France should be broadly interpreted to include any foreign entity with a subsidiary, branch, commercial office, or other office operating in France, even if such offices do not have their own legal personality.64 While it is too soon to know how aggressively the PNF will seek to use the extraterritorial reach of France's anti-corruption laws, the guidance raises the spectre of potential enforcement against foreign companies with representative offices or other commercial activities in France, even where the conduct in question lacks a meaningful nexus to France.
The Criminal Justice (Corruption Offences) Act 2018 introduced various reforms to Ireland's anti-corruption laws. The Act includes offences related to active and passive bribery, trading in influence, and corruption of public officials, and it expanded corporate criminal liability by providing that a company can be held liable for offences committed by its officers, employees, agents or subsidiaries. A company will have a defence--similar to the UK Bribery Act's "adequate procedures" defence--where it can prove that it took all reasonable steps and exercised diligence to avoid the offence. The Act also provides for extraterritorial effect where an offence is committed abroad by an Irish official, citizen, resident, or corporate, provided that the conduct constitutes an offence both in Ireland and the country where the conduct occurred. The latter requirement, which is typically referred to as a "dual criminality" requirement, has prompted criticism by the OECD, which considers this aspect of the legislation to be inconsistent with the OECD Anti-Bribery Convention and has encouraged Ireland to amend the law.65
The extraterritorial reach of Norway's anti-corruption laws was expanded in July 2020 amendments to the Norwegian Penal Code, under which non-Norwegians acting abroad on behalf of a company registered in Norway are subject to Norwegian anti-corruption laws, even if they have no other connection to Norway. In addition to broadening the application of the law to persons acting on behalf of Norwegian companies, the changes clarify that Norwegian companies can be prosecuted when an offence is committed by a foreign national acting abroad.
63 See French Ministry of Justice Circular, at 9.
64 Id.
65 See OECD Working Group on Bribery, Implementing the OECD Anti-Bribery Convention Phase 1bis Report: Ireland (Oct. 10, 2019).
The Covington EMEA Anti-Corruption Practice--which includes lawyers in the firm's offices in London, Brussels, Frankfurt, Johannesburg, and Dubai--is well-placed to advise clients on anti-corruption matters in the EMEA region. If you have any questions concerning the material discussed in this client alert, please contact the following members of our EMEA team:
David Lorello +44 20 7067 2012
Ian Hargreaves +44 20 7067 2128
Mark Finucane +44 20 7067 2185
Monique O'Donoghue +44 20 7067 2352
Sarah Crowder +44 20 7067 2393
Ian Redfearn +44 20 7067 2116
Deirdre Lyons Le Croy +44 20 7067 2058
Matthew Beech +44 20 7067 2310
Robert Henrici +49 69 768063 355
Emanuel Ghebregergis +49 69 768063 359
Ben Haley +27 11 944 6914
Kgabo Mashalane +27 11 944 6903
Ahmed Mokdad +27 11 944 6915
Julie Teperow +971 4 247 2107
Marc Norman +971 4 247 2110
This information is not intended as legal advice. Readers should seek specific legal advice before acting with regard to the subjects mentioned herein.