In a recent speech to the Cambridge International Symposium on Economic Crime (see here), Lisa Osofsky, the new Director of the Serious Fraud Office, concluded a general survey of her background and initial approach to the role by making a few remarks on Deferred Prosecution Agreements (“DPAs”). The comments will undoubtedly be of interest to companies and law firms keen to learn about the new regime at the SFO and how this may impact on their businesses.
Whilst some general comments on DPAs were to be expected, notably, Ms Osofsky’s comments focussed not on DPAs per se, but on the availability of DPAs in the context of a defence of ‘adequate procedures’. The new Director observed:
‘When considering resolutions short of trial (for example, DPAs), we must analyse whether the company has a credible and colourable defence under Section 7 (Adequate Procedures). Has the company engaged in proactive efforts to clean house and to reform?
Has the company instilled the right controls?
Are these backed by demonstrable commitment at the appropriate level?
The SFO will want assurance that companies are doing everything they can to ensure the crimes of the past won’t be repeated long after the watchful eye of the prosecutor moves on to another target.’
Considered in context the remarks might be considered surprising: adequate procedures have – to date – played no formal role in the DPA process, other than in an indirect sense.
What might these comments then tell us about the new regime at the SFO?
The defence of ‘adequate procedures’ is contained in section 7(2) of the Bribery Act 2010. It provides a complete defence to the offence contained in section 7(1) of that Act: namely a failure by a commercial organisation to prevent bribery. The relevant sections provide:
‘(1) A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending –
(a) to obtain or retain business for C, or
(b) to obtain or retain an advantage in the conduct of business for C.
(2) But it is a defence for C to prove that C had in place adequate procedures designed to prevent persons associated with C from undertaking such conduct.’
Where ‘adequate procedures’ are in place for the purposes of section 7(2), no offence contrary to section 7(1) is committed. If a company is confident that it has a ‘credible and colourable defence’ available under section 7(2), such as would persuade a jury, it is unlikely to wish to engage in DPA discussions at all.
Nor do ‘adequate procedures’ feature in the legislative regime governing DPAs. The statutory test of whether a DPA may be approved by a Court is provided by paragraphs 7 and 8 of Schedule 17 to the Crime and Courts Act 2013, namely whether the DPA is ‘in the interests of justice’ and its terms are ‘fair, reasonable and proportionate’.
The Deferred Prosecution Agreements Code of Practice provides guidance on the circumstances in which a prosecuting agency (the SFO or the Crown Prosecution Service) may invite a commercial organisation into DPA discussions and subsequently may make an offer of a DPA. The adequacy of a commercial organisation’s procedures in place to prevent bribery plays no express role here either. What does feature in numerous guises, however, is the role of a commercial organisation’s compliance history as a factor in considering whether it is in the public interest to make an offer of a DPA to a commercial organisation. The essential question is to what extent the failure of a commercial organisation’s compliance measures aggravate, or mitigate, its culpability. In determining whether a DPA may be considered an appropriate resolution in any case, a company rife with corruption, lacking an adequate compliance department or possessing a complicit and corrupt one is to be distinguished from an otherwise well-governed corporate entity which has suffered at the hands of a rogue individual.
Doubtless, Ms Osofsky is not ignorant of this legal landscape and the difference between ‘adequate procedures’ in the sense the term features in the Bribery Act 2010 and the somewhat different considerations arising in relation to the public interest in making an offer of a DPA. So what (if anything) is to be made of these recent remarks?
One clue may be found in Ms Osofsky’s curriculum vitae. Unlike previous Directors of the SFO, whose careers were spent in prosecuting agencies, the greater part of Ms Osofsky’s background is in compliance. She has worked variously as a Regulatory Advisor at Control Risks; the Money Laundering Reporting Officer at Goldman Sachs International; and as Deputy General Counsel and Ethics Officer (an internal compliance role) at the FBI. Immediately before her appointment to the SFO, Ms Osofsky was EMEA Regional Chair and Head of Investigations at Exiger and played a central role in monitoring the anti-money laundering and sanctions programme at HSBC Bank. This depth and breadth of experience in compliance matters would seem to mean that she is well placed to assess whether a company has ‘instilled the right controls’, backed by ‘commitment at the appropriate level’, and engaged in efforts to ‘clean house and reform’. It may also foreshadow a genuinely new approach at the agency and one which places compliance at the heart of future DPA negotiations.
It is possible to identify many good reasons why a greater emphasis on compliance would be a welcome change in the DPA regime: not least that a DPA is a form of resolution which is essentially ‘forward looking’ (that is to say, it is concerned with assurances about future good conduct as opposed to focusing on past performance).
The likelihood of a company successfully adhering to the conditions of a DPA will invariably depend on the quality of its compliance framework. To use the Director’s phrase, it is entirely sensible that a DPA may only be used in circumstances where the SFO (and a Court) may be assured ‘that companies are doing everything they can to ensure the crimes of the past won’t be repeated long after the watchful eye of the prosecutor moves on’.
However, if the ‘adequacy’ of procedures is likely to become a litmus test for the quality of a company’s compliance department in this context, caution is required. The use of the phrase ‘adequate’ in the context of section 7(2) has a long and somewhat involved, if not controversial, history. It would be a source of potential confusion for the phrase to be applied in both a statutory and wider sense. It is already well established that where a commercial organisation has in place procedures which fall short of a section 7 defence (by definition inadequate for that purpose), the procedures might nevertheless form part of the consideration of whether a DPA should be offered (viz. adequate for a different purpose).
It is important that the nature of the section 7(1) offence should not become clouded in this discussion. There is a critical distinction to be drawn between compliance procedures at the time of the alleged offending (which goes to the commission of an offence), and those in place at the time of an SFO investigation (which goes to the availability of a DPA).