A common feature of corporate criminal disposal in the US for several decades, the use of corporate monitors in the UK in the same period has been, at best, sporadic. This was expected to change with the introduction of Deferred Prosecution Agreements (“DPAs”) in the UK in February 2014, with some commentators also expressing concern about the UK merely importing the perceived failings of the US approach to monitors into its own regime, specifically US monitors’ occasional unduly broad or poorly-defined terms of engagement and high financial cost borne by the company.
This article considers whether the use of monitors in the four DPAs concluded to date in the UK has managed to avoid the same pitfalls and in doing so, strike a balance between the interests of the company and the interests of justice.
A recent history of corporate monitors in the UK
Monitors (typically law firms, forensic accountancy firms or risk advisory consultants) are sometimes imposed on companies who have been the subject of a criminal or regulatory investigation to assess and monitor the company’s internal controls, advise on any necessary compliance improvements and report specified misconduct to the prosecutor.
Prior to the introduction of DPAs in the UK, the Serious Fraud Office (“SFO”) had no statutory basis for imposing a monitor on a company. Monitors were appointed sporadically, either by way of civil agreement entered into between the parties (such as the Civil Recovery Orders entered into between the SFO and Balfour Beatty in 2008, Macmillan Publishers in 2011 and Oxford Publishing in 2012) or by order of the criminal court (as was the case with Mabey & Johnson in 2009 and Innospec in 2010).
The Innospec resolution saw the first appointment of a joint US-UK monitor. This drew criticism on both sides of the Atlantic, with US District Judge Huvelle (referring to the often-high financial cost of monitors in the US) making her view clear, “It’s an outrage that people get $50m to be a monitor… It's a boondoggle for some of these people”1 and Lord Justice Thomas (as he was then) highly critical of the imposition of a monitor, describing it as, “an expensive form of “probation order”, and, “unnecessary for a company which will also be audited by auditors well aware of the past conduct.”2 This was the last time that a UK criminal court considered the imposition of a corporate monitor prior to ICBC Standard Bank plc (“Standard Bank”) entering the first DPA with the SFO in November 2015.
The UK framework
Corporate monitors are not a compulsory feature of a DPA. The DPA Code of Practice (the “Code”) provides for discretion, stating that the appointment of a monitor, “will depend upon the factual circumstances of each case” and, critically, “must always be fair, reasonable and proportionate.”3
Speaking in April 20174, the SFO’s general counsel, Alun Milford, emphasised the inherent flexibility in the UK’s regime: “there are different ways of achieving that sort of process [corporate reform] … We’re interested in having companies tailor it, as far as possible, to what we [the SFO] think is going to be effective in achieving rehabilitation.”
How then has this flexibility manifested itself in the four DPAs concluded to date?
No ‘one size fits all’
An external monitor, PwC, was imposed on Standard Bank and tasked to complete, at the bank’s expense, an independent report on the bank’s anti-bribery and corruption controls, policies and procedures. The bank was obliged to implement the recommendations made in PwC’s report, to PwC’s satisfaction, within twelve months of the report being finalised.
XYZ Limited (“XYZ”)
No external monitor was imposed on the company. XYZ’s agreement saw the first use of self-monitoring in the UK’s regime. Under the terms of the DPA, XYZ’s Chief Compliance Officer is to prepare a report for submission to the SFO on the company’s anti-bribery and corruption policies and their implementation. Unlike in Standard Bank, the requirement for the production of a report in not a one-off. XYZ’s Chief Compliance Officer is obliged to prepare a report within twelve months of the DPA coming into effect and annually thereafter for the duration of the DPA, i.e. for at least three years and up to a period of five.
Rolls-Royce plc and Rolls-Royce Energy Systems Inc. (“Rolls-Royce”)
Rolls-Royce’s DPA mandates the continuing role of Lord Gold (described by Sir Brian Leveson as a “quasi-monitor” and first retained by Rolls-Royce four years before its DPA was concluded) in conducting an independent review of the company’s approach to anti-bribery and corruption compliance and overseeing the implementation of any recommendations made following his review. Lord Gold is to issue a final report to Rolls-Royce and the SFO once the implementation measures are complete.
Tesco Stores Limited (“Tesco”)
Though the terms of Tesco’s DPA have not yet been published due to ongoing reporting restrictions, we know from the FCA’s Final Notice that pursuant to its DPA, Tesco will commission Deloitte, as an external monitor, to report on, and make recommendation for improvements to, the segregation of duties between relevant teams, functions and controls, governance and policies and training in respect of the recognition of commercial income and review and comment on the implementation of those improvements.
Emerging trends and best practice
In the three concluded DPAs which mandate the imposition of an external monitor (or quasi-monitor in the case of Rolls-Royce) it is reassuring that the monitor’s terms of engagement are narrowly drafted; restricting the monitor’s role to the review, and implementation of improvements to, specified existing controls, policies and procedures. The prospect of the monitor’s engagement spiralling out-of-hand, leading to expensive and potentially incriminating reports being made to the SFO on areas of the company’s business quite unrelated to the subject of its DPA, is consequently much reduced.
Companies subject to criminal investigation would be well-advised to be pro-active in their selection of a corporate monitor, for several connected reasons. Firstly, the Code provides that the company should proffer a short-list of three potential monitors to the court and the SFO and that the SFO should, “ordinarily accept” the company’s preferred choice of monitor.5 Secondly, and as seen from Lord Gold’s continuing role as a quasi-monitor at Rolls-Royce, selecting a monitor to review and improve a company’s compliance efforts before DPA negotiations have commenced can be a helpful way of conveying to the SFO that the company is invested in and committed to substantive corporate reform. Thirdly, and most practically, the imposition of a monitor can be burdensome and easily lead to a straining of relations with the company. Being able to persuade the SFO and the court to allow an existing monitor, i.e. one who is familiar with the practices of the company and the sector in which it operates, to continue in its role is likely to be of significant benefit to the company.
The flexible willow trumps the mighty oak
No two corporate criminal resolutions are the same and it should therefore follow that no two monitoring programmes will be the same. Indeed, the Code explicitly acknowledges this principle.6 Though the SFO is sometimes viewed as being doctrinaire in its approach to investigating and prosecuting alleged corporate criminal wrongdoing, in the four DPAs concluded to date, the SFO and the court (guided by counsel for each of the respondents), have utilised the flexibility of the UK’s DPA regime to arrive at four bespoke monitoring outcomes that reflect the unique facts and circumstances of each case. This is a welcome development.