On 17 January 2020, the Serious Fraud Office (“SFO”) published new internal guidance to assist its staff in evaluating an organisation’s compliance programme as part of an investigation and assessing how that programme may impact on prosecution and deferred prosecution agreement (“DPA”) decisions. Although the 8-page guidance is internal, in that it forms part of the SFO’s Operational Handbook, it provides a useful reminder for corporates of the value and potential importance of implementing effective anti-bribery controls, as well as a reminder of what that means in practice. 

In particular, the guidance identifies how SFO case officers should consider a corporate’s anti-bribery compliance controls concerning:

  • Whether an ‘adequate procedures’ defence exists to the offence of failing to prevent bribery (section 7 Bribery Act 2010)
  • Whether a prosecution is in the public interest
  • Whether to invite the corporate to negotiate a DPA
  • Whether any DPA should include terms requiring compliance improvements and monitoring of those improvements
  • Sentencing following conviction

The corporate’s compliance controls at the time of the alleged offending will of course be relevant. However, the guidance notes that subsequent improvements to controls can also affect the analysis, as this may help to justify inviting the company to negotiate a DPA (by showing the company has reformed and remediated) and may affect the terms included in it (i.e. around control improvements). In particular, where the SFO considers that the DPA should require further compliance improvements, the guidance notes that its officers will need to be able to assess compliance with those DPA terms and that this is likely to mean a monitor will have to be appointed at the corporate’s expense. Given the onerous and expensive nature of such a requirement, this should provide a real incentive for those who identify issues and/or find themselves under investigation to move quickly to improve controls and remedy failings.

The recent DPA with Güralp Systems Ltd required direct reporting by the company to the SFO on certain (specified) elements of its compliance controls, which it had introduced since the alleged wrongdoing. The inclusion of this term in that DPA appears consistent with the new guidance, in that it involved the SFO looking ahead to what it expects the company to be doing in the future, and reaching a decision on the suitability of a DPA with that in mind. Our detailed Law Now analysing the Güralp DPA is available here.

The SFO describes a compliance programme as an organisation’s internal systems and procedures for helping to ensure that the organisation – and those working there – comply with legal requirements and internal policies and procedures. The programme must be “effective” and not simply a “paper exercise”. Thus, while an SME may not have (or need to have) a separate compliance unit within the organisation, “organisations of any size can be expected to have at least some compliance arrangements”. Those arrangements must be “proportionate, risk-based and regularly reviewed”.

The guidance reminds prosecutors that they need to explore compliance issues at an early stage of any investigation, and obtain information from a variety of sources, using the SFO’s investigatory tools such as compelled or voluntary disclosure and witness or suspect interviews. The guidance notes that a corporate “should have a variety of written records of its compliance programme and its operation”. This is the high-water mark of the insights contained in the guidance as to the SFO’s approach and expectations. Not only should corporates have written records of the programme itself, but the SFO will also want to see written records of the effectiveness of the programme in practice.

None of this should come as a surprise to corporates, as it is consistent with the Ministry of Justice’s statutory guidance on adequate procedures published in March 2011 (the “2011 Guidance”) as well as similar guidance published by many other organisations (some of which are referenced in the SFO guidance). However, experience suggests that there are still many corporates operating in the UK who have limited compliance records, focusing on policies and gifts and hospitality registers, but little else. The guidance is a reminder that such an approach is unlikely to provide substantial protection if issues arise.

Less usefully, more than half of the guidance simply summarises the six principles in the 2011 Guidance (i.e. proportionate procedures; top-level commitment; risk assessment; due diligence; communication; and monitoring and review), stating that these offer “a good general framework for assessing compliance programmes”. If one is searching for any particular insights from the manner in which the SFO summarises the 2011 Guidance, one might point to the emphasis placed on performing, documenting and repeating a risk assessment to inform the controls then implemented; differentiated and tailored training for staff in higher risk roles; the need for training to be “continuous, and regularly monitored and evaluated”; and that ongoing monitoring and review may involve staff surveys, periodic internal reports to management and even external verification. These are points that focus on the document trail that may exist for SFO officers to review. However, the guidance identifies the importance of all elements of the 2011 Guidance when assessing the compliance programme.

Unfortunately, the guidance provides no real detail as to the approach that case officers should take when evaluating a programme. In that regard, it is less informative than similar internal guidance published by the US Department of Justice (“DOJ”) in April 2019 on how its staff should evaluate a corporate’s anti-bribery controls. As we reported in our Law Now last year, the DOJ guidance focuses more explicitly on the questions that DOJ staff need to address and the sorts of evidence they should specifically look for.

Notwithstanding the above, the SFO’s new internal guidance should serve as a reminder to corporates that developing and, if necessary, demonstrating effective anti-bribery controls is an involved and significant process. Organisations should ask themselves whether, if the situation arose, they would be able to demonstrate that their compliance programmes are more than tokenistic paper exercises, are based on a proper review of their risks, are effective in mitigating bribery risk and, crucially, whether they have the paper trail to evidence this.