The FSA has fined Aon Limited ("Aon") £5.25 million for systems and controls failures in relation to its management of corruption risk associated with payments to third parties in high risk jurisdictions. Aon made 'suspicious payments' to overseas third parties totalling approximately US$2.5 million and €3.4 million between January 2005 (when Aon first became FSA-authorised) and September 2007, and generated approximately US$7.2 million and €1 million of commission/brokerage as a result.

The fine was imposed for breach of Principle 3 (systems and controls) of the FSA's Principles for Business, and reflects a 30% settlement discount on what would otherwise have been a £7.5 million penalty. The FSA found that there was a weak controls environment surrounding overseas third party payments, and an unacceptable risk that Aon could become involved in corrupt payments.

The circumstances surrounding the breach are serious: despite a number of opportunities for Aon to identify the issue – and despite a past regulatory penalty for similar failings – not only were its systems and controls defective, but these defects led to payments of concern. Nonetheless, the decision can be seen as part of a general stepping up of anti-corruption enforcement, both by the FSA, the Serious Fraud Office and, in the US, the SEC and DOJ. With this in mind, firms would be well advised to ensure their anti-bribery systems and controls are sufficiently robust.

The FSA's emphasis on anti-bribery systems and controls is in step with the Law Commission's draft Corruption Bill which, if enacted, will, in effect, require firms to have adequate procedures to prevent persons performing services on their behalf engaging in bribery; or otherwise risk committing the new 'failure to prevent bribery' offence (see our earlier e-bulletin).

Key points

  • The FSA considers that where payments are made to third parties in 'high risk' countries, this gives rise to a "significant risk" which needs to be mitigated by appropriate systems and controls.
  • High level ethics manuals are not enough. Codes of Conduct and self-certification procedures "can play important roles" but "are not of themselves sufficient controls but need to be supplemented by adequate training and written guidance, robust procedures for the authorisation of third party payments and proper monitoring".
  • The decision outlines both Aon's prior (deficient) procedures and new (best practice) procedures, which may be of interest to firms seeking to benchmark their compliance, and which we consider further below.
  • The outcome also highlights the importance of ongoing compliance monitoring and appropriate follow up of internal reviews. The FSA was clearly influenced by the fact that Aon had not taken a number of opportunities to put in place adequate procedures and/or identify 'suspicious payments'. Further, if the results of an internal review are inconclusive, that may itself require action – if the firm's documentation does not conclude the matter one way or the other, does that indicate that documentation procedures are inadequate?  
  • The fine is the largest financial-crime related penalty in the FSA's history, and reflects the FSA's policy of imposing higher fines to achieve "credible deterrence".

We comment below on the FSA's detailed findings.

Why were anti-corruption procedures required?

Aon is a leading insurance and reinsurance broker in the London market, and is FSA-authorised in respect of insurance mediation activities. In common with many businesses (both regulated and non-regulated), it used third parties to help secure and retain business from overseas clients. Business units within Aon's Aviation and Energy divisions, in particular, routinely dealt with clients in 'high risk' countries. Those clients were often state owned or had government connections.

The FSA concluded that "although it was not unusual or necessarily inappropriate for Aon Ltd to make payments to Overseas Third Parties, there was a significant risk in some countries that some of the money involved might be used… to bribe persons… or… for potentially inappropriate purposes". It is clear that merely paying representatives/agents in high risk countries will be sufficient, in the FSA's view, to trigger the need for specific anti-corruption compliance procedures.

Appropriate anti-corruption procedures

The FSA highlighted a number of detailed failings in Aon's procedures, and set out the revised controls which Aon adopted following an independent review in late 2007. Based on these, in our view the FSA's thinking in relation to appropriate procedures is likely to include the following:

  1. Codes of Business Conduct and staff self-certification procedures can play important roles, but are not sufficient unless supplemented by training, guidance, procedures and monitoring
  1. The scope of procedures should be clear
  • In particular, it should be clear what relationships and third parties are covered. In Aon's case, as late as 2007 a 'suspicious payment' was made which circumvented its controls because the intended recipient of funds was not correctly categorised as a third party, and the wrong procedures were followed.  
  1. Companies may wish to restrict payments to third parties in high risk countries altogether
  • Under Aon's new procedures, save in low risk countries, the use of third parties is prohibited where their only service to Aon is assisting it in obtaining and retaining business solely through client introductions. In our view, such an extreme restriction may not be essential for all firms, albeit that it is the most risk-averse approach.
  1. Procedures should require adequate levels of due diligence to be carried out before relationships with overseas third parties are entered into

Many firms will have procedures for documenting the due diligence undertaken on overseas representatives, the nature of the proposed relationship and the payment arrangements – this is a fundamental control. However, the Aon decision highlights how easy it is for basic failings to result in inadequate documentation in this area. In particular:  

  • there must be sufficient guidance for staff on how to fill out forms;
  • there must be sufficient space on the forms to fill in a meaningful amount of information; and
  • there should be a requirement to explain the business case for the relationship.  
  • the completeness of forms submitted should be monitored, with some degree of authorisation/review of relationships. Historically, Aon's Compliance department only authorised forms to indicate that appropriate members of management had signed: there was no substantive review. Under the new regime, Aon implemented risk-based procedures for the review of all existing and proposed third party relationships through global regional working groups, with the Aon Ltd working group chaired by the CFO and comprised of senior management, business, Finance, Legal and Compliance executives and external advisers.

It is apparent that the company's prior experience has led to a very senior level of engagement on this aspect – perhaps more so than might typically be necessary, provided that senior management are otherwise engaged in, and seen to be responsible for, ethical issues – but some level of independent review of proposed relationships is a sensible control.  

  • Where procedures draw a distinction between individuals and corporates (the former being higher risk), account should be taken of circumstances where a corporate entity is synonymous with an individual.
  1. Staff in business divisions which deal with overseas third parties should be provided with sufficient guidance / training on bribery and corruption risks involved in such dealings
  • Appropriate staff (eg, for Aon, particularly those in Energy/Aviation) should receive "focussed training" specifically relating to corruption risks. Training should cover new joiners, and records of training should be kept.
  • The FSA suggests that staff should also be tested on their understanding.  
  • Aon's new procedures involve enhanced risk-based training, including in-depth in-person training from an external law firm, and the development of on-line staff training including example-based scenarios reflecting issues identified from the investigation.  
  1. Procedures should require adequate levels of due diligence to be carried out before payments are made
  • After a relationship has been established, there should be further controls over payments made to overseas third parties.
  • Payment authorisation processes should take account of jurisdictional risk.  
  1. Relationships with overseas third parties should be monitored in respect of bribery risks
  • The FSA's criticisms clearly point to a need not only for forms and guidance to be adequate, but for relationships and payments to be reviewed and monitored on an ongoing basis.
  • The FSA does not clarify how such monitoring should, in its view, be conducted, but does comment on the fact that Aon's third party relationships were not part of Compliance's ongoing monitoring programme, nor Internal Audit's routine audits.  
  1. Relevant oversight committees should receive relevant management information and consider whether bribery and corruption risks are being managed effectively
  • The FSA envisages that, in appropriate cases, corruption risks will be considered regularly at a senior level – it comments on the fact that such risks were not specifically considered by Aon at meetings of the Board or the Risk & Compliance or Finance Committees.
  • The FSA suggests that information such as the number and amount of payments made and the countries in which the third parties operated might have enabled oversight of overseas third party risks within the business.  
  1. Culture

The FSA notes Aon's new efforts to ensure personal accountability and responsibility, and to make clear that anti-corruption compliance is a top-down management-led initiative. Aon's Code of Conduct values are now subject to regular evaluation through the performance management system, and variable compensation is driven by a mixture of financial and non-financial metrics, with disciplinary action taken for compliance breaches.  

  1. Entertainment expenses

Entertainment and marketing expenses are a perennial source of concern from a corruption perspective and, where a firm's client basis presents a high corruption risk, should, in our view, usually be subject to monitoring and/or additional authorisations. In Aon's case, such expenses were recorded in a separate accounts payable system and Aon relied on senior managers approving invoices to exercise judgment in ascertaining that they were for legitimate business. In the event, a number of expenses were identified as "inappropriate".  

  1. Dealing with problems
  • The FSA praised Aon for – eventually – dealing thoroughly, promptly, and seriously with the matter. When the 'suspicious payments' finally came to light in 2007, Aon:
      • acted promptly in notifying the Serious Organised Crime Agency and the FSA;
      • established a dedicated steering committee reporting to the Board;
      • undertook a full, independent review and a past payments review; and
      • took disciplinary action against employees concerned.
  • In the FSA's view, the "pro-active determination... to identify past issues and improve… systems and controls… is a model of best practice".  

Conclusions and comment

The UK's (lack of a) record of anti-corruption enforcement has received significant attention recently, particularly by comparison to the US experience. The OECD issued a highly critical report on the UK regime in October 2008. Against this background, an increased emphasis on 'wins' in corruption cases was anticipated from the SFO, but it is interesting to see the FSA, as part of the financial crime agenda it has been highlighting for some time, now 'joining the party' and emphasising corruption risk as a serious concern for the regulated sector.

The FSA's emphasis on systems and controls in this area also chimes with the Law Commission's draft Corruption Bill, which proposes the introduction of a new offence for companies of negligently failing to prevent an act of bribery by a person performing services on behalf of a company, offset by an 'adequate systems' defence (see our e-bulletin "The Law Commission's draft Bill - reforming the law of bribery"). The idea is that a company will be prosecuted for endemic and systemic failings as opposed to one-off errors of judgment. Assuming the Bill is enacted in its current form, the risk of corporate prosecution for failures like Aon's will be placed in even sharper focus.

Against this background, further enforcement from law enforcement and/or the FSA is to be anticipated, and firms may wish to consider the adequacy of their own compliance procedures.