Bribery and corruption are firmly in the spotlight for 2017 with an ever-increasing commitment from regulators in the UK and abroad to work together and take a harder line against companies which fall foul of anti-corruption laws. The results can be seen in the wave of high profile investigations and record-breaking prosecutions and fines that have hit the headlines over the past few years.
Regrettably, corruption is a fact of life and unlikely to ever be completely eradicated, as some people in an organisation will always do the wrong thing. So how can an organisation protect itself? The answer is that an organisation’s protection is in its procedures and their rigorous application and observance.
This article provides practical guidance and insights on the challenges that businesses face. It is vital that businesses get it right: firstly, when putting prevention procedures in place; and, secondly, if trouble does arise, in how they deal with it. The recent spate of cases shows the harm that a business and brand can suffer when at the sharp end of corruption allegations. No one can afford to be complacent.
Step one - compliance
The starting point is to get the basics right – that is, for businesses to get appropriate policies and procedures in place, to put them into practice, and then to keep them under review.
Businesses should by now be familiar with the Ministry of Justice’s (MoJ) “adequate procedures” guidance, which provides advice on how to avoid corporate liability under section 7 of the Bribery Act 2010 (the Act) for failure to prevent bribery. In October 2016, a new global anti-bribery certified standard, ISO 37001, was also introduced. Both are considered in more detail below.
The novel and controversial “failure to prevent” model for corporate criminal liability, which was established under the Act, has proved so effective that it is now set for expansion. The new Criminal Finances Bill (expected to receive the Royal Assent in Spring 2017) (the Bill) proposes a new corporate offence of failing to prevent the facilitation of tax evasion offences. It also contains a corresponding defence for organisations of having “reasonable procedures” in place to prevent tax evasion offences being committed. Whether there will be any substantive difference between the “adequate procedures” of the Act and the proposed “reasonable procedures” under the Bill remains to be seen. Extending the “failure to prevent” model to other economic crimes such as fraud, money laundering and false accounting is also on the cards, with the MoJ issuing a “call for evidence” (which consultation closed on 31 March) canvassing views on reform of the law to that effect.
We are undoubtedly in a period of considerable upheaval and change, but one thing we can be certain of is that the regulatory burden is set to increase. It is therefore more important than ever that the right policies and procedures are in place, and that they are effectively implemented.
The cost of implementing an anti-bribery programme and maintaining it, whether or not ISO 37001 certification is obtained, is likely to be relatively small compared to the loss and damage which could be sustained if an organisation faces bribery charges.
“Adequate procedures” defence
Whether or not businesses decide to pursue the ISO 37001 certification, all should be complying with the MoJ’s “adequate procedures” guidance. The “adequate procedures” guidance has been in existence now for over five years and should already be familiar to businesses. However it is so important that it is worth briefly recapping here again.
The Act’s section 7 “corporate” offence of failing to prevent bribery means that organisations face potential liability if they fail to take adequate steps to prevent their associated persons from engaging in bribery on their behalf. An associated person is defined intentionally broadly in section 8 as a person who performs services for or on behalf of the organisation. It could include, for example, employees, agents or subsidiaries.
Although the section 7 offence is onerous, an organisation potentially has a full defence if it can demonstrate that it had “adequate procedures” in place to prevent bribery. The MoJ’s published guidance on what constitutes “adequate procedures” sets out six guiding principles:
- Proportionate proceduresThe measures that an organisation takes should be proportionate to its size and to the particular risks that it faces.
- Top-level commitmentThose at the very top of an organisation, from CEO and board level downwards, are expected to foster a culture where bribery is unacceptable (the “tone from the top”).
- Risk assessmentOrganisations must take steps to assess the risk of bribery occurring, so that they can make informed decisions on how to manage the risk by putting appropriate procedures in place.
- Due diligenceKnowing exactly who you are dealing with by carrying out sufficient investigations, commensurate with the risk level determined at stage three.
- Communication (including training)Anti-bribery policies and procedures must be regularly communicated throughout the organisation (including to those based abroad). Communication is a two-way street and procedures should also be in place to allow staff to safely blow the whistle without fear of reprisals.
- Monitoring and reviewThe risks an organisation faces can evolve over time: as such, policies and procedures must be adjusted accordingly if they do. The process is therefore a continual one.
A core aspect of effective communication is creating an environment in which whistle blowers will come forward (not only in relation to bribery, but also wider corruption). "Whistle blowing" means reporting or exposing wrongdoing either within the organisation, or externally, eg to the media or a regulator. Whistle blowers are often central to exposing corruption. The cases of Rolls Royce and Tesco for example (discussed below), both began with a whistle blower.
The importance of whistle blowing has also been underlined by the recent campaign announced by the UK Competition and Markets Authority (CMA) under which the CMA may give cash rewards of up to £100,000 to those who come forward to expose cartels. Vast as this sum may seem, it is dwarfed by a similar scheme in the US under which some whistle blowers have received rewards in the millions of dollars (due to the rewards being calculated as a percentage of the regulatory fine imposed).
Organisations should foster an environment where effective whistle blowing can take place without the whistle blower concerned fearing negative consequences for themselves. The benefits to it in doing so are multiple:–
- better compliance due to issues being uncovered earlier thereby preventing more serious breaches;
- protection from criminal liability (in the cases of bribery and tax evasion), reducing the risk of litigation related to the wrongful activities; and
- minimising disclosures to external parties such as the press or regulators (accordingly reducing the risk of bad publicity and reputational damage).
It is vital that organisations have effective whistle blowing policies and procedures in place.
ISO 37001 is a global anti-bribery management system standard which has been developed through international consultation over a three year period and was published in October 2016. Its purpose is to help organisations of all types and sizes implement an effective anti-bribery management system. An increase in the number of procuring entities stipulating that bidders must be certified to ISO 37001, as part of tender requirements, is anticipated. Even where holding the ISO 37001 certification is not a tender requirement, organisations that are ISO 37001 compliant may be at an advantage in the procurement process.
To be ISO 37001 compliant, an organisation must implement specific minimum requirements. These include, for example, establishing an anti-bribery policy and programme, communicating it to all relevant personnel and business associates, providing training, assessing bribery risks including undertaking due diligence, implementing appropriate procurement, financial and other commercial controls, controlling gifts and hospitality, implementing whistle blowing procedures, and monitoring and improving the effectiveness of the anti-bribery programme.
Readers may have noticed that these requirements bear more than a passing resemblance to the already established MoJ guidance on the adequate procedures that businesses should put in place to avoid corporate criminal liability for failure to prevent bribery under the Act. Both incorporate the principles of proportionate measures, top level commitment, risk assessment / due diligence, communicating / training and ongoing monitoring and review. There are differences however. While the “adequate procedures” guidance is just that – guidance, ISO 37001 is a certifiable standard. Consequently, ISO 37001 is more prescriptive and detailed as to how organisations should achieve compliance.
So how do the two fit together? Organisations should be aiming to comply with the “adequate procedures” guidance as a minimum. This is imperative to equip them properly to expose and prevent bribery, and importantly to avail them of the adequate procedures defence if they are ever faced with charges of failing to prevent it. Some organisations may decide to take the further step and obtain ISO 37001 certification. Obtaining ISO 37001 does not guarantee that the organisation will be found to have had adequate procedures should it ever need to invoke that defence. However, it is likely to be persuasive evidence in the organisation’s favour.
Step two – meeting trouble head on
If step one is getting the proper compliance procedures and practices in place, step two is making sure that if an issue does arise, it is dealt with swiftly and effectively. Even with the best compliance controls and the best will in the world, some individuals will be drawn into corrupt activities. The regulators accept that this may happen through no fault of the organisation. However, how the organisation reacts to uncovering corruption is critical, particularly in the early stages.
Prosecutions under the Act for bribery offences, in addition to other corruption offences, have gathered pace recently, and the Serious Fraud Office (SFO) has had several major successes. What these cases show us is that those who co-operate and work with the regulators can probably expect a considerably more favourable outcome than those who don’t.
In January 2017, the SFO announced it had entered into a Deferred Prosecution Agreement (DPA) with Rolls Royce, marking the end of a four year investigation - its largest ever. A DPA is an agreement between a prosecutor and an organisation facing potential prosecution for bribery, fraud or other economic crime. It enables the organisation to avoid a criminal conviction and potential disbarment from competing for public contracts (although adverse publicity and hefty fines are still par for the course).
Under the DPA, Rolls Royce will pay a record-breaking £497.25 million (the largest enforcement fine ever in the UK) for systematic criminal conduct spanning three decades and multiple jurisdictions relating to the award of high value contracts. The offences include:
- bribery (including bribing foreign public officials);
- failure to prevent bribery; and
- false accounting to conceal payments.
Rolls Royce has also agreed to pay large fines to regulators in the US and Brazil.
The Rolls Royce case is the latest of several demonstrating the severe consequences that businesses with involvement in bribery and corruption will now face (although those consequences can be reduced where prosecution is avoided by way of a DPA).
It is particularly interesting as it indicates that the SFO may consider offering a DPA even if a business hasn’t self-reported, where the business in question has significantly co-operated in the investigation. In this case, on discovering the bribery, Rolls Royce took major steps to change the culture of the organisation (eg appointing new senior management and reviewing relationships with agents and intermediaries), spent a vast sum on internal investigations and compliance, and gave a limited waiver of legal professional privilege (privilege).
Privilege, and extent to which it should be waived, is a hot topic in the bribery and corruption arena. The law of privilege provides organisations with protection from having to produce evidence for inspection in certain situations. Where privilege arises, it entitles a party to withhold documents from inspection by a court or other party (for example the SFO, the Financial Conduct Authority or the Crown Prosecution Service), and no adverse inference can be drawn against them in court if privilege is claimed. There are several different types of privilege that can arise such as legal advice privilege, litigation privilege, without prejudice privilege, common interest privilege and the privilege against self-incrimination.
The SFO has made it clear that it may expect businesses, in the course of co-operating with an investigation, to waive privilege over otherwise potentially privileged materials such as whistle blowing reports or other witness first accounts. This is increasingly a main factor in the SFO’s considerations when deciding whether or not to offer a DPA. The SFO has also shown itself willing to challenge claims to privilege in order to try and access relevant documents, and has brought a number of cases. These cases are often heard in private so as not to prejudice the underlying criminal investigation. Examples include claims brought by the SFO against Barclays and Eurasian Natural Resources Corporation, in attempts to access material during criminal investigations over which privilege was asserted.
An organisation can choose to waive privilege and disclose privileged documents. This should not be done lightly however, because waiver of privilege is a slippery slope. The risk is that an organisation that waives Privilege over particular documents may then find itself obliged to disclose other associated privileged documents. This is known as a collateral or “subject matter” waiver. The purpose behind collateral waiver is to prevent parties "cherry picking" only the most helpful privileged documents to disclose, and deliberately withholding less helpful ones. The rationale is fairness - ensuring that a full and even picture is put forward, rather than a partial and potentially partisan picture. A good way of thinking about collateral waiver is as a ripple effect - if you waive privilege in one document, it might cause bigger waves than you intended.
Because of the unpredictable nature of collateral waiver, organisations should be very cautious about waiving privilege and disclosing privileged material. If an organisation has uncovered corruption, it should take legal advice as early as possible:
- before interviewing witnesses;
- before documents are created in the course of its internal or an external investigation; and
- before responding to any requests for disclosure of documents from a regulator or other party.
Taking early legal advice in order to manage the risks associated with privilege could be critical to how the investigation later develops. This now is even more important in light of the controversial recent decision in The RBS Rights Issue Litigation  EWHC 3161 (Ch) under which privilege was construed by the court very narrowly.
In the RBS case, notes taken by the Bank’s lawyers when interviewing employees during an internal investigation were held not to attract privilege. The relevant type of rivilege, legal advice privilege, only arises between a lawyer and the client. The definition of the “client” in the case of corporates generally means a particular group of people within the business, who are specifically tasked with taking legal advice for the business on a particular issue/matter. In the RBS case, the court found that those employees interviewed as part of the investigation were not classed as a member of the “client” group. Further, the confidential notes taken could not be classed as lawyers’ working notes, which would also have attracted privilege. Consequently the notes were held not to be privileged and RBS was forced to disclose them to the claimant. The case emphasises the increased importance of ensuring that an investigation is properly structured from the outset in order to preserve privilege where appropriate.
Lessons from recent cases
Rolls Royce is just one of several big names to hit the headlines in recent months on bribery and corruption allegations. Mining group Rio Tinto has referred itself to the SFO and the US Department of Justice after discovering unexplained multimillion-dollar payments to a contractor relating to a project in Guinea. The SFO and the French authorities have both opened criminal investigations into Airbus based on suspicions of fraud, bribery and corruption in relation to some of its third party consultants. The international gas and oil intermediary Unaoil is under SFO investigation on grounds of suspected bribery and corruption in respect of the awarding of contracts, as well as suspected money laundering. Tesco has just entered into a DPA with the SFO in relation to the accounting scandal in which it overstated its profits, after reportedly co-operating with the investigation and undergoing an extensive period of change.
However, bribery and corruption incidents/investigations are not confined to large corporates or to overseas conduct. One interesting case concerned a procurement fraud within the Royal Household. The Deputy Property Manager Ronald Harper, a trusted and respected employee of 18 years who controlled a substantial budget, received kick-backs from suppliers in return for the award of contracts, and the payments were disguised using false invoices. Mr Harper and the suppliers in question were all found guilty of conspiracy to make corrupt payments. The moral of this story is that bribery and corruption can occur in any type of organisation and not just in an international setting. Do not think that it could not happen in your organisation.
Some other recent examples include:
- An NHS director of informatics accepting multiple payments from an IT company, facilitated through the use of false invoices, which the court concluded were inducements to award an NHS software contract. Both were convicted of corruption offences.
- An employee at East Sussex Fire and Rescue Service, who was responsible for purchasing new IT, receiving payments from a potential supplier in return for recommending that supplier and disclosing rival bids to them. Convictions for bribery, fraud by abuse of position and false accounting followed.
These examples particularly highlight the vulnerability of public sector procurement processes to bribery and corruption.
The NHS case especially demonstrates the necessity for businesses to have systems in place which flag up multiple payments authorised at or just under the limit at which a person can sign them off. In addition, payments, particularly those which give little detail on the services provided, should be regularly audited and verified, and individuals with the necessary technical expertise should also check that goods and services contracted for are suitable and in line with the organisation’s requirements.
In all of these cases, significant custodial sentences were imposed.
Some final practical thoughts
The UK and many other countries are heavily clamping down on bribery and corruption, and the current trend seems set only to gather momentum. The cases mentioned above are just the tip of the iceberg. Wide ranging and often cross-border investigations are increasingly commonplace. Blockbuster cases are more and more frequently in the news, and this is set to increase in 2017. Businesses ignore the current climate at their peril. The penalties for getting it wrong are severe – substantial prison sentences, unlimited fines, debarment from tendering for public sector contracts, serious reputational damage, and criminal records for the individuals in question, as well as disqualification from being a company director.
Get the basics right and utilise the following:
- Carry out adequate due diligence on associated persons, especially agents, intermediaries and suppliers.
- Include anti-bribery clauses and rights to audit third parties in contracts.
- Follow the MoJ’s adequate procedures guidance and consider obtaining ISO 37001 certification.
- Require the parties you contract with to have adequate anti-bribery and corruption procedures in place.
- Ensure that all statutory obligations are complied with (for example, new disclosure requirements have come in requiring large enterprises to produce a non-financial statement covering anti-bribery and corruption matters).
- Take legal advice if necessary.
- Implement systems to identify repeated payments authorised at close to a person’s limit of authority.
- Regularly audit payments, and check that goods or services contracted for are in line with the organisation’s needs.
On discovering an issue:
- Seek legal advice and act quickly and to rectify the situation (see Rolls Royce).
- Consider self-reporting.
- Co-operate and work with regulators.
- Having taken early legal advice, consider whether to offer a partial waiver of Privilege.
- Be pro-active in making any adjustments needed to change the wider culture of the business.
Organisations may not be able to fully eradicate corruption, but getting into the right mind set and embracing their obligations will give them protection, and potentially a full defence, if they find themselves the focus of a bribery or corruption investigation.
This article was published in Procurement & Outsourcing Journal in May 2017.