On 6 May 2014, the British Bankers’ Association (“BBA”) published its updated Anti-Bribery and Corruption Guidance to provide banks with practical procedures and recommendations for complying with the Bribery Act 2010 (“the Act”) and the anti-corruption regulatory obligations banks face from the UK’s Financial Conduct Authority (“FCA”).
This updated Guidance replaces the BBA’s 2011 Guidance, which was primarily intended to assist banks in implementing adequate policies and procedures under the Act. It provides banks with a detailed assessment of their regulatory requirements under both the Act and the Money Laundering Regulations 2007, whilst also stressing the importance of the FCA’s thematic reviews, recent enforcement actions and policy statements. Close adherence to the principles and procedures in the Guidance will enable banks to hone their regulatory compliance controls. Further, they provide valuable insights for non-financial services organisations.
“Meeting the standard” of the Ministry of Justice’s Six Principles
A number of practical suggestions as to how organisations may meet this standard have been included, with the following three notable additions to the BBA’s previous Guidance:
- “[T]he involvement of senior managers”, has now been revised to reference to “the active and ongoing sponsorship by senior managers”. This change, which appears to strengthen the obligations of senior managers, could be seen as supporting the “tone from the top” approach that the Act advocates.
- “Adequate resourcing of anti-bribery work” has been inserted. This is an important addition, which focuses on the adequacy of the compliance unit within the organisation, and the budgetary and other resources available to them to carry out their work. The U.S. Department of Justice’s (“DOJ”) and the U.S. Securities and Exchange Commission’s (“SEC”) FCPA Guidance highlights that resources should be “sufficient” to ensure that the company’s compliance program is implemented effectively.
- “Enhanced controls where ‘cross-border’ activity is undertaken, with particular consideration to the risks arising from facilitation payments” has been inserted. This is likely in light of the prevalence of requests for facilitating payments in the customs and immigration contexts.
Organisations’ Regulatory Obligations
The Guidance highlights that the FCA has “given enhanced prominence to the need for banks to have effective anti-bribery and corruption controls in place”. It goes on to emphasise that the FCA’s expectations therefore need to be addressed by regulated institutions and that banks need to take account of the FCA’s thematic review findings.
In this respect, the BBA points out that the FCA’s Rules and Principles in relation to the Act are not identical to the Ministry of Justice’s Guidance, therefore banks will need to bear this in mind when reviewing their anti-bribery policies and procedures. The FCA’s focus is wider than the Act’s scope and will cover behaviour that falls under the definition of “financial crime” referred to in the FCA’s handbook. Furthermore, the FCA, like the US SEC, does not need to find evidence of bribery or corruption to bring an enforcement action, as evidenced by its recent decisions in JLT Speciality and Besso Limited.
“The Tone from the Top” and Internal Governance
These areas are discussed in detail in Chapter 4, with the following notable points:
- Top-level commitment
A distinction can be seen between the Act and the FCA’s approach when it comes to the appropriate level of commitment: the Act’s focus is on the ‘tone from the top’, whilst the FCA has extended the focus down the organisation. In particular, the FCA’s chairman, Mr. John Griffith-Jones, has emphasised that the ‘tone from the top’ will be insufficient for improving ethical and behaviour standards, therefore the FCA will be looking increasingly towards the ‘tone in the middle’, as a way of translating ‘tone’ into observable, on the ground, actions. The DOJ and SEC have also stressed the importance of the ‘message in the middle’ approach.
The BBA also points out that in order for banks to support the ‘tone from the top,’ they will need to “consider how best to deploy their existing oversight structures, including committees and audit functions, so as to drive forward their anti-bribery programmes via appropriate, regular review”. The BBA also stresses that “a key indication of top level commitment is the quantity and quality of dedicated resources committed to anti-bribery work”.
- Governance structure
The updated Guidance includes a number of suggestions for how organisations can achieve a clearly defined governance structure. These include: codes of ethics and conduct; a risk assessment (for the organisation as a whole, its business, the jurisdictions in which it operates and the types of its associated persons); resourcing levels appropriate to the organisation’s risk appetite; appropriate policies and procedures; suspicious activity reporting; a transparent system for transactions and interactions such as charitable and political donations, and gifts and hospitality; training; and whistleblowing.
- Responsibilities of the Board
The updated Guidance notes that banks will need to keep abreast of anti-bribery and corruption developments. In this respect, the Parliamentary Commission on Banking Standards is referred to for having made several recommendations on whistleblowing, including that a non-executive board member should be given specific responsibility under the Senior Managers Regime for the effective operation of the firm’s whistleblowing regime. Furthermore, the Guidance suggests that the board members that are given this responsibility should be held personally accountable for protecting whistleblowers against detrimental treatment.
- Practical examples of driving the “tone from the top”
Three practical examples are included for how organisations could foster such an attitude from the top level of management. These are: introducing “business line champions”, e.g. nominating senior managers to be responsible for anti-bribery work in their area of the business; making the public aware of the organisation’s anti-bribery policies by publishing them online; and governance, e.g. ensuring that senior management is equipped to fulfil the role required to assist with anti-bribery actions.
Identifying Risks and Undertaking Risk Assessments
Risk assessment is a fundamental step that organisations need to take so as to identify the bribery risks that they face, and how anti-bribery policies and procedures can be effectively developed, implemented and maintained.
The updated Guidance points out that a risk assessment that is purely limited to “bribery”, as defined by the Act, is likely to be viewed as insufficient by the FCA, whose expectations are that a risk assessment cover all forms of bribery and corrupt behaviour falling within the definition of ‘financial crime’. In regards to what constitutes an adequate risk assessment, the BBA notes that it will vary enormously depending on the size of the organisation, its activities and the markets in which it operates.
Examples of areas where control weaknesses may give rise to an increased risk of bribery are listed in section 5.1.4, which include: lack of a clear anti-bribery message from top-level management; insufficient resourcing to manage risk; a bonus culture or aggressive sales targets; inadequate, inconsistent or poorly documented due diligence procedures; lack of clear financial controls; and deficiencies in employee training.
The Guidance suggests that organisations put in place a process for undertaking periodic risk assessments of their business as a whole, so as to promote a cost effective and proportionate anti-bribery programme.
With regard to the scope of such risk assessments, the BBA notes that broad categories such as country risk, product and business opportunity, business partnership risk, government and public official interactions and the risk of missing data should be included, in addition to a variety of wider risks, such as lobbying, procurement and sourcing, licensing, charitable or political donations and advisory or consulting activities. What should ultimately be assessed will depend on the type of organisation and its activities. For example, private wealth banks may wish to include risks associated with politically exposed persons, as highlighted by the FCA’s recent decision in Standard Bank.
- Conducting a risk assessment
The BBA notes that “there is no exact science” as to what a risk assessment should include or how it should be done. It points out that there are a range of resources available for organisations to draw upon, in particular referring to Transparency International’s 2013 Guidance.
A number of appropriate risk assessment methodologies have been provided, including: using existing information in the organisation, e.g. audits or operational risk reports; focus groups/workshops; client/customer complaints; questionnaires; use of ‘heat maps’ to identify the types of activities to be assessed.
Crucially, whatever method an organisation decides to utilise for its risk assessment, it should be fully documented and updated on a periodic basis, so as to reflect the organisation’s risks and risk appetite. Moreover, it is essential that sufficient skilled resources and expertise are dedicated to this task.
Due Diligence on Associated Persons/Third Parties
Chapter 6 deals with due diligence on “associated persons” as broadly defined in the Act and “third parties” as per the FCA’s terminology, with the reminder that “it is feasible that under both the Bribery Act and FCA systems and controls a bank could be held responsible for corrupt payments made, offered, or promised by an associated person it retains, even if it did not know the associated person intended to pay or offer a bribe”.
It is noted that banks have adopted a pragmatic approach to identifying associated persons/third persons. However, the sheer volume and complexity of associated person relationships and related payments flows makes it vital for banks to utilise a risk-based approach for conducting due diligence on such associated persons/third parties, in particular before entering into any formal relationship. The level of such due diligence will vary according to risk factors, which can initially be categorised into ‘high’, ‘medium’ or ‘low’ risks.
The approach organisations take to risks should be informed by awareness that bribery may potentially extend to the entire supply chain. The degree of due diligence required will need to consider the locality, nature of the relationship and risks attached to the associated person/third parties. The presence of ‘heightened’ risk factors may necessitate additional due diligence, which could include: performing supplementary background and screening searches; conducting direct interrogative enquiries; validating direct requests for information; and ascertaining the financial standing and credibility of the associated person.
The Guidance lists a number of possible ‘red flags’ that should be monitored in this regard, including: unexplained reasoning provided by business areas for changes to, or relocation of, third party/supplier/contractors; requests for one-off or unusually high commissions or fees on payments; over-invoicing/use of non-standard invoices; large/frequent fourth-quarter adjustments to contractual payments by associated persons; exclusive dealings by an employee with a single supplier/contractor/agent; and reluctance or inability to provide information requested in full and in a timely manner.
The Guidance recommends that due diligence results and any authorisation processes undertaken in relation to associated persons/third parties should be accurately recorded. Records such as a ‘risk register’ that records new business proposals and a ‘breaches log’ to record procedural breaches, could be kept and that information then be reported through the appropriate governance structure. Although such documents may potentially facilitate oversight and monitoring, liability risks can arise if risks and/or breaches have been recorded and the company fails to take adequate steps to mitigate or remediate them.
Gifts and Hospitality
The intent behind gifts, entertainment and hospitality needs to be a key consideration, in particular whether these actions are to induce or reward someone to improperly perform their duties with a view to obtaining a business advantage.
In this context, the BBA refers to the Serious Fraud Office’s (“SFO”) statement of policy in 2012, expressly reaffirming the important point that bona fide hospitality or promotional or other legitimate business expenditure is recognised as an established and important part of doing business.
Nonetheless, organisations need to ensure that they have clear written policies detailing the principles for giving and receiving gifts, entertainment and hospitality, as well as maintaining adequate records. The Guidance suggests introducing a ‘gifts register’, which includes the following information: the dates on which employees or third parties gave or received gifts, entertainment or hospitality, plus the employees’ details; risk assessment questions, e.g. was the timing of such an action related to any specific business activity; details of the item/activity, e.g. what it was, estimated value, authorisation details; the rationale for accepting or declining the item/activity; and evidence of any approval given.
Basic and Targeted Training of Employees
The importance of training employees on bribery prevention cannot be emphasised enough. The BBA suggests that the minimum content for such training include: the organisation’s policies and procedures, which include provisions of the Act and FCA Rules and Principles; the definition of, and explanation, of the term ‘bribe’; explanation of the employee’s duty under the law and the organisation’s policy; penalties for committing an offence under the Act; social and economic effects of failing to prevent bribery; and explaining when and how to seek advice and report any concerns or suspicions of bribery.
In addition to any such basic training, employees who may be more exposed to elevated risks of bribery and corruption would also benefit from some targeted training. Content could include: associated parties; facilitation payments; sponsorship and events; charitable and political donations.
As a general point, the content of all of the organisation’s training should be regularly monitored and evaluated.
Monitoring, Reviewing and Managing Information
Chapter 9 highlights that monitoring and reviewing need to be done so as to ensure that the organisation’s policies and procedures are, and continue to be, appropriate and effective. Notably, such monitoring should not only challenge whether the processes to mitigate bribery and corruption have been followed, but also whether the processes have indeed been effective.
With respect to the implementation of programmes, organisations will need to consider appropriate management information and the allocation of responsibility for its monitoring and review. Practical examples include: hiring processes; appointing an ABC ‘Champion’; volumes of internal staff bribery investigations; gift & hospitality; payments, e.g. to staff or associated persons as bonuses or commissions; whistleblowing trend analysis; and internal audit findings in relation to anti-bribery or corruption policy or control weaknesses.
Incident Management and Reporting
Chapter 10 of the Guidance notes that there is no prescribed regime under the Act for how to manage an incident. However, a bribery-specific policy may be helpful, especially to meet the FCA’s expectations. A practical suggestion included in the Guidance is having in place agreed media handling arrangements, should an investigation arise.
The BBA notes that self-reporting poses a number of possible risks and this is an area where organisations should seek expert legal advice from the outset. Additionally, consideration should be given as to who the relevant authorities may be, whether domestic (e.g., FCA) or international (e.g., the DOJ or SEC), as there may be overlapping interests of these regulators and prosecutors.
The Guidance notes the SFO’s encouragement of self-reporting. However, although the SFO has no legal power to offer immunity in relation to organisations that self-report, it may be a relevant consideration as to whether or not to pursue a Deferred Prosecution Agreement or a more lenient outcome to an investigation.
The updated Guidance is a useful tool for all organisations, as it is thorough and includes practical tips and examples. Therefore, irrespective of whether an entity is regulated by the FCA, this Guidance should be borne in mind when developing an ABC compliance programme. Updating of the programme should take place on a regular basis. Furthermore, banks will also need to be aware of their obligations in respect of the FCA and the Act, which may not always be identical.
In respect of the compliance programme, it is imperative that adequate resources are budgeted for and put in place to develop, implement and monitor it. Furthermore, not only must senior management be aware of and responsible for such programme, this awareness and responsibility needs to be flowing down the organisational structure, to middle management and beyond.