On January 17, 2020, the United Kingdom’s Serious Fraud Office (“SFO”) published new guidance regarding how the office assesses the compliance programs of organizations that are under investigation. “Evaluating a Compliance Programme” is an eight-page guidance document that was incorporated into the SFO’s Operational Handbook, an internal document that is meant to be a resource to British prosecutors. At the outset, the SFO acknowledged the need for such guidance due to the increased focus on compliance in recent years as organizations “recognise the importance of effective compliance procedures in helping reduce the risks of regulatory breaches and the resulting financial and reputational harm.” The SFO’s guidance document follows the release of other compliance guidance that have been promulgated this year, including most notably, the U.S. Department of Justice Criminal Division’s “Evaluating Corporate Compliance Programs,” which was published in April 2019. The SFO stated that the key to any assessment of a compliance program is ensuring that the policies and procedures instituted by an organization work effectively and are not simply a “paper exercise.”
This new SFO document appears to harmonize past statutory guidance rather than offer any particularly new concepts. Most of this new compliance guidance summarizes the six principles the Ministry of Justice released in 2011, following the codification of the Bribery Act to aid organizations in crafting anti-bribery procedures. The document is helpful insofar as it provides some clarity as to how the SFO will view an organization’s compliance program and how that may impact its decision-making process during an investigation. However, the SFO document does not go so far as to actually define specific tools or best practices that, from the government’s perspective, should be in place to get its seal of approval.
Assessment Over Time is Key
In the new guidance, the SFO emphasized the importance of assessing compliance throughout the investigation period. The structure and effectiveness of a compliance program at the time of the alleged offending action(s), the current state of the program, and the changes that could be made to the program in the future are all relevant to the SFO and may impact its decision-making process.
State of Compliance at Time of Alleged Offending Action(s)
The SFO identified three specific areas that the state of compliance at the time of the alleged offending action(s) may impact: (1) the decision to prosecute; (2) the SFO’s view on any potential defenses; and (3) sentencing. Whether an organization has appropriate policies and procedures could either positively or negatively impact the SFO’s decision to prosecute. In the new guidance, the SFO specifically referred to the “Guidance on Corporate Prosecution,” which specifies that a poorly structured and ineffective compliance program is a public interest factor in favor of prosecution. However, on the flip side, if the compliance program is strong and the organization is in fact following the procedures it set forth, the organization would have a defense against a failure to prevent bribery offense for having “adequate procedures” under Section 7 of the U.K. Bribery Act. Finally, if the organization’s compliance program at the time of offense falls somewhere in middle, where the organization does have a program and procedures in place but they are not adequate or are ineffective, the SFO may consider the status of the program in the process of sentencing.
Current State of Compliance Program
How the organization adapts and changes as a result of an alleged offending action(s) is also an important point for the SFO. For example, the SFO will consider any positive changes to the organization’s policies and procedures, enforcement of said policies and procedures, and remedial actions taken by the organization at the time of charging, even if those policies and procedures were ineffective at the time of the offending action(s). The SFO will also consider any changes made or remedial measures taken when deciding if a Deferred Prosecution Agreement (“DPA”) is appropriate for the organization. Finally, the current state of an organization’s compliance program may impact the fine or sentencing of the organization.
Potential Changes to the Compliance Program in the Future
Finally, the SFO will assess any potential for change in the compliance program and enforcement of said program moving forward to help determine the terms of any DPA. If the SFO believes an organization is eligible for a DPA, understanding what changes can be made to a program or its enforcement is a key component of crafting the DPA. In its new guidance, the SFO noted that a DPA “may still be appropriate, even where an organisation does not yet have a fully effective compliance programme,” but that the DPA may include terms requiring the organization to implement certain procedures or change existing policies. The SFO also stated, in the instance of a DPA, it will need to be able to assess an organization’s compliance with the DPA’s terms; thus, a monitor may be required.
Scope and Focus of Compliance Assessments
In addition to delving deeply into the potential impacts the status of an organization’s compliance program over time can have on the investigation process, the SFO also discussed what should be covered in a compliance assessment. As described above, the SFO closely tracked and referenced the 6 principles of guidance the Ministry of Justice published in 2011 to aid organizations in developing compliance programs, which include:
- Proportionate procedures based on the organization’s risk assessment, as well as the nature, scale, and complexity of the organization’s activities;
- Commitment from top-level management, including the board of directors, C-suite, and senior managers;
- Periodic and documented risk assessments that consider external risks (e.g., country, business sector, partnerships) and internal risks (e.g., employee training, bonus culture that may encourage risk taking, lack of clear financial controls);
- Extent and scope of due diligence performed on agents, partners, vendors, intermediaries, and potential mergers or acquisitions;
- Internal and external communication of bribery prevention policies and procedures at the organization, including training, evaluations, and methods of obtaining compliance advice; and
- Monitoring and review of the bribery prevention policies and procedures.
The SFO’s guidance is a step in the right direction, even if only a small one. As the SFO has matured in its ability to investigate and prosecute cases, more prosecutors will be called upon to assess the quality of a corporate compliance program, and thus, it is helpful to have guidance documents like this in place to give prosecutors general guideposts to help them with their task. Still, given the available expertise and resources that exist in today’s compliance culture, the business community needs more concrete guidance from governments to help them better appreciate the government’s objectives. As the SFO resolves more corporate matters through DPAs and otherwise, we hope to see more forward-leaning guidance in the future.