There are certain things that businesses can do to prevent criminal activity at source, which is, of course, the optimum solution. Indeed, businesses operating in the UK are obligated to put in place ‘adequate’ procedures to prevent bribery (Bribery Act 2010) and ‘reasonable’ procedures to prevent the facilitation of tax evasion (Criminal Finances Act 2017).
These procedures should be designed and implemented in a way that is consistent with government guidance issued alongside the two Acts referred to above. In the first instance, the measures must be proportionate to the size of the business, the resources at its disposal and the universe of financial crime risks that it faces.
There are in fact a number of practical ‘easy wins’ that can be put in place without significant difficulty. Many businesses will already have done so. However, in light of recent enforcement activity, a review of the defences is timely. Accordingly, we have set out below some of these easy wins, together with the principles that underpin them.
1. Top level commitment
There are some relatively straightforward measures that can help demonstrate this commitment:
- A board resolution committing the business to a zero tolerance approach to bribery and tax evasion and endorsing a review of the business's procedures.
- An all-staff memorandum communicating the business’s approach and the impending procedural review.
- Appointing, and properly resourcing, legal and/or compliance personnel who will be responsible for leading the co-ordination and monitoring of the procedures under the ultimate supervision of the senior management.
- Refresher training for the board, if needed, to ensure that they understand the offences, enforcement environment and the need for defensive procedures.
2. Written risk assessment
This is critical to demonstrating active engagement with the prevention of corporate crime. The risk assessment should cover at least the following questions:
- What are the principal risk areas for bribery and/or facilitation of tax evasion (e.g. business sector, country, business partnership, business opportunity, transaction, product and client)?
- Who are the ‘associated persons’ that could put the business at risk?
- What are the ‘incoming’ risks (e.g. receiving bribes in procurement) and ‘outgoing’ risks (e.g. sales teams providing corporate gifts and hospitality)?
- Have there been any actual examples of historic wrongdoing? What was done about them? Is further preventative action needed?
3. Written policies
The following actions can be taken once the risk assessment is complete:
- Tailoring of policies to deal with the risk profile of the business.
- Policies communicated by senior management to all staff.
- Policies made readily available in electronic and/or hard copy form.
- Policies distributed to agents or intermediaries acting on behalf of the commercial organisation on a risk-based approach.
4. Due diligence
Consider a risk-based written due diligence procedure including the following:
- A questionnaire for potential new associated persons, especially if they are located in countries recognised as posing a higher risk of corruption and/or tax evasion.
- A review of contractual arrangements with associated persons. Consider prohibitions, rights to information, rights of termination and obligations for reporting of suspicions.
- A letter to associated persons informing them of the business’s zero tolerance approach to financial crime, including bribery and tax evasion.
5. Monitoring and review
Consider scheduling the following:
- A procedural review, at least annually, and also when there are significant changes in the business (e.g. entering new sectors/countries).
- A mystery shopper exercise in which you put questions to a random sample of trained staff in order to gauge ‘on the ground’ knowledge.
- A third party review by ourselves in order to identify, understand and deal with any gaps in the procedural defences.
6. Training
Provide training on key legislation such as the corporate offences under the Bribery Act 2010 and Criminal Finances Act 2017 for the following staff:
- Employees, either in person or via e-learning.
- Relevant associated persons, if needed in order to deal with a specific identified risk.
- Senior management, if a refresher is needed (see above).
7. ‘Speak Up’ procedure and protections
Ensure that you have the following:
- A clear, written, independent reporting process for staff to communicate concerns.
- Appropriate protections in place for staff who speak up.
- An investigations team earmarked to investigate any allegations of wrongdoing.
In the event that allegations of wrongdoing arise, whether from an internal whistle-blower, disgruntled ex-employee, a competitor, or any other source, it is vital to conduct a preliminary investigation into the allegations to determine whether there is substance to them. The decision as to whether reports need to be made to supervisory and/or enforcement authorities, for example a Suspicious Activity Report to the National Crime Agency and/or self-report to the Serious Fraud Office, must be kept under constant review.
Here are some recommended actions during your preliminary investigation.
1. The allegation
Consider the following questions, upon first receipt of the allegation(s):
- What evidence, if any, has been presented?
- What offences are in play in relation to individuals and/or corporates?
- Do the allegations trigger any mandatory reporting obligations?
2. Investigation team
Ensure that the team includes the following:
- Sufficiently senior staff including HR, legal and IT expertise.
- External legal counsel to provide legally privileged advice.
- An IT forensics firm, appointed by external legal counsel.
3. Initial steps
Include the following preliminary protective steps:
- Establish secure systems to confidentially manage the investigation, including an anonymous project name.
- Implement documentation preservation and creation controls.
- Devise an investigation plan covering key persons, allegations, evidence, actions and deadlines.
4. Communications
Carefully control communications relating to the investigation:
- Mark communications: ‘strictly confidential and legally privileged’ where appropriate.
- Disseminate investigation documents amongst the investigation team only.
- Refrain from creating any documents that you would not want to be disclosed.
5. Evidence gathering
Consider the sources of evidence relevant to the allegations:
- Identify sources (electronic and physical) of potentially relevant data.
- Instruct the IT forensics firm to extract data (including a ‘control’ copy for the authorities if necessary) from sources.
- Devise relevant search terms and apply them to the dataset.
- Review and amend search terms as the evidence emerges.
- Create a bundle of relevant documents to be put to witnesses.
Ensure that the interviews are conducted fairly and accurately:
- Conduct interviews in the presence of HR and legal counsel and in accordance with an interview plan setting out questions and evidence.
- Instruct interviewees to keep the matter confidential.
- Consider note taking and the issue of legal privilege. Keep any notes secure.
In light of the evidence obtained in the preliminary investigation, consider both internal and external reporting:
- Produce a legally privileged internal report on allegations made, investigation methods used, evidence discovered, conclusions made and recommendations for next steps.
- Instruct legal counsel to assist on management of processes for any implicated employees.
- Document the decision on whether allegations justify self-report to the Serious Fraud Office and/or other relevant enforcement agencies.