"Adequate procedures" under the UK Bribery Act is a well-known term in Compliance circles. Having adequate procedures is the only defence to a charge against a commercial organisation of failing to prevent bribery.
US prosecutors speak of the requirement to have an "effective" compliance programme. Whilst not an absolute defence, companies that have an effective compliance programme will benefit from more lenient treatment in the US with regards to charging decisions and monetary penalties and when deciding on whether a monitor or ongoing reporting obligations are required following commission of a bribery offence.
A key difficulty facing companies both in the UK and the US is determining what exactly "adequate procedures" means, or what an "effective" compliance programme is.
The UK Ministry of Justice issued guidance on adequate procedures when the Bribery Act came into force ("the UK guidance", although there has been no case law in the intervening years to assist in understanding how the guidance will be applied in practice.
Some assistance has been rendered on the meaning of an having effective compliance programme from a US perspective recently. On 30 April 2019, the US Department of Justice ("DOJ") issued revised guidance on "Evaluation of Corporate Compliance Programs" ("the revised Guidance"), which states that prosecutors should ask three fundamental questions when evaluating a company’s compliance program:
- Is the compliance programme well-designed?
- Is the programme being applied earnestly and in good faith, i.e., is the compliance programme effectively implemented?
- Does the compliance programme work in practice?
The revised guidance provides a detailed, practical, road map to allow for a thorough assessment of any organisation's compliance programme, allowing the C-suite and senior management to understand whether their programme is fit to withstand prosecutorial scrutiny, whether from the UK, US or elsewhere.
Is the Compliance Programme well-designed?
In considering whether the programme is well-designed, the revised Guidance directs prosecutors to consider:
- Risk assessment - as in the UK, the bribery risk assessment is key. It should take into account factors such as the location of the business, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments and foreign officials, the use of gifts, travel, and entertainment expenses, charitable and political donations etc. Importantly, risk assessments must be updated periodically to take account of evolving risks.
- Policies and procedures - again in common with the UK, the revised Guidance focusses on the requirement for tailored policies and procedures that seek to both document and effect ethical norms within the organisation and mitigate the specific risks identified during the risk assessment process. Interestingly, the revised guidance highlights the importance of business units being consulted prior to the roll out of revised policies and procedures, an issue which, if missed, often causes consternation in an organisation. Policies and procedures should be tailored, accessible (eg, in multiple languages where necessary) and updated regularly to meet evolving risks.
- Training and communications - the revised guidance states that prosecutors should assess whether the company's policies and procedures have been integrated effectively, through periodic training and certification for directors, officers, relevant employees, agents and business partners (as appropriate). The mode of training should take into account the audience's size, sophistication and subject matter expertise. Case studies and practical advice on real life scenarios may be appropriate, taking into account lessons learned where appropriate.
- Confidential reporting structure and investigation process - the revised guidance specifically draws out the importance of having an efficient and trusted mechanism for anonymous or confidential reporting of suspected breaches. Complaints should be routed to proper personnel and investigations completed thoroughly and in a timely manner. This element is only mentioned briefly in the UK guidance but is undoubtedly key in detecting and preventing misconduct.
- Third-party management - as with the UK guidance, the importance of applying continuous, proportionate due diligence to monitor third-party relationships (including agents, consultants, and distributors) is specifically drawn out. The organisation should understand the qualifications, reputation and associations of third party partners and the clear business rationale for their engagement. Clear contract terms and ongoing monitoring of the relationship should be implemented.
- Mergers and acquisitions - only touched upon briefly in the UK guidance, the revised guidance gives some detail on the importance of M&A due diligence. In particular, it notes that flawed or incomplete due diligence can allow misconduct to continue at the target company and highlights the importance of tracking the implementation of remedial actions through into the acquired business.
Is the Compliance Programme effectively implemented?
A compliance programme may appear "gold-plated" on paper, but it will only be effective if implemented effectively. In assessing this, the revised guidance requires prosecutors to consider:
- Commitment by senior leaders and middle management - as per the UK requirement for top level involvement in bribery prevention, the revised guidance highlights the need to consider conduct at the top (e.g. senior leaders), shared commitment among middle-management stakeholders (e.g., operational managers, finance, procurement, legal, human resources) and the effectiveness of oversight by the board of directors.
- Autonomy and resources - prosecutors should consider whether those charged with day to day oversight of the compliance programme have (1) sufficient seniority and stature; (2) sufficient experience, qualification and resources to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy to access to the board of directors or the board’s audit committee. Whatever the size of the organisation, compliance personnel should be empowered.
- Incentives and disciplinary measures - the revised guidance highlights the importance of having in place incentives for compliance and disincentives for non-compliance. Promotions, rewards and bonuses might be placed in balance to disciplinary procedures, up to and including termination to encourage compliance. The revised guidance notes that the publication of disciplinary action (anonymised as necessary) can promote positive behaviours.
Does the Compliance Programme actually work in practice?
US prosecutors are required to assess the adequacy and effectiveness of the corporation's compliance programme at both the time of the offence as well as at the time of a charging decision, whereas an assessment of adequate procedures as a defence to the offence of failing to prevent bribery in the UK only need consider the programme that was in place at the time of the offending.
The revised guidance notes that the existence of misconduct does not, by itself, mean that a compliance programme has failed or was ineffective at the time of the offence, accepting that it is an insurmountable task for any compliance programme to prevent all criminal activity by a corporation's employees.
Prosecutors will assess, however, whether the compliance programme did in fact operate to identify the misconduct and whether it resulted in timely remediation and self-reporting. In those circumstance, the prosecutor will view the occurrence as an indicator that the compliance programme was working effectively in practice.
In assessing the programme at the time of the charging decision, prosecutors will consider whether it has the capacity to allow for continuous improvement, evolving over time to address existing and changing risks. They will also consider whether the company conducted an adequate and honest root cause analysis of the contributing factors to the misconduct and implemented remedial actions to prevent its reoccurrence.