Further to the much-anticipated Corporation Co-Operation guidance published by the SFO last summer, on 17 January 2020, the SFO published a new chapter of its Operational Handbook entitled “Evaluating Compliance Programs” (the “ECP”), which provides guidance to assist prosecutors in assessing the compliance programs of companies under investigation.
The ECP closely follows the six principles published by the Ministry of Justice in its statutory guidance note, which accompanies the Bribery Act 2010 (the “Guidance”) particularly in relation to adopting a risk-based approach when considering the proportionality of a company’s policies, procedures, and controls (the “Compliance Programme”).
For what purposes should a corporate Compliance Programme be assessed?
According to the ECP, prosecutors should assess the existence and strength of Compliance Programmes for the purposes of deciding whether:
- it is in the ‘public interest’ to prosecute a company;
- the company should be afforded the opportunity to enter into a DPA, and if so, which conditions should be included in the negotiations;
- the company is likely to have an ‘adequate procedure’ defence for a s.7 charge under the Bribery Act 2010; or
- the company’s compliance program should be considered for sentencing purposes.
What constitutes a Compliance Programme and when should it be assessed?
After defining what a Compliance Programme is, the ECP clarifies that a “…key feature of any compliance programme is that it needs to be effective and not simply a ‘paper exercise’”. According to the ECP, companies are expected to adopt a risk-based approach to develop and implement a compliance programme which is adequate and proportionate to the risk to which the entity is exposed in the course of its business operations.
It is, however, important to note that the assessment of a company’s Compliance Programme is not a ‘static’ exercise, nor the mere assessment of a snapshot of the Compliance Programme at a certain point in time. Rather, the ECP provides that prosecutors must consider and assess the existence and effectiveness of a company’s Compliance Programme at different time periods.
Prosecutors will, of course, still be required to evaluate a company’s Compliance Programme at the time at which the alleged offence(s) took place but they will also need to assess how it has evolved during the course of the investigation, and, in some instances, the company’s future intentions to develop the Compliance Programme.
Aside from providing companies with mitigation for the purposes of sentencing, in the event of a conviction, it is clear that a company which had an unsatisfactory Compliance Programme at the time of the offending may be able to either avoid prosecution altogether or, otherwise, dramatically increase the likelihood of reaching a negotiated resolution with the SFO, such as a DPA, if it has worked to strengthen its compliance practices and demonstrated a genuinely proactive and effective approach to enhance its internal policies and controls.
Codification of recent practice and more formality around monitoring requirements?
This aspect of the ECP appears to codify aspects of how the SFO has previously approached its DPA negotiations with companies, in particular, to date – with the six Court-approved UK DPAs reflecting the importance that was placed upon improvements in the Compliance Programmes of the respective companies, and incorporating requirements that required their ongoing monitoring and/or further improvement.
The ECP makes it plain that any requirements imposed on a company regarding its Compliance Programme, as part of a DPA, will also be closely monitored by the prosecution, most likely via the appointment of a monitor at the company’s expense.
This confirms that the SFO will adopt a more US-style approach to monitor and to test a company’s ongoing approach to compliance. This is, perhaps, unsurprising given the background of the SFO’s Director, both in terms of her US experience and her work as a monitor. It also reflects a trend towards more formal monitorship which has developed since the early DPAs – Standard Bank and Sarclad Ltd – which did not include requirements to appoint a monitor or for de facto monitorships, such as those which then featured in Rolls-Royce and Sarclad; rather, the companies were subjected to requirements of self-policing and/or regular reporting by the companies’ in-house compliance teams.
Where does the ECP leave companies?
The ECP formally puts corporate compliance programmes in the spotlight, requiring prosecutors to consider corporate compliance (or lack thereof) at the outset as an important pillar of the overall strategy of an investigation.
Companies should, therefore, continue to focus their minds and resources on putting in place Compliance Programmes which are robust, reasonable, and proportionate to the risks faced in the course of its business activities.
The Compliance Programme should also follow the six principles posed by the Guidance and be closely monitored and regularly reviewed in order to ensure it is adequate to fully address, or at least, mitigate as far as possible, compliance risks.
In the event of enforcement action, companies will need to be ready to explain and justify their Compliance Programmes. It is now clearer than ever that, with evidence of a truly effective Compliance Programme, companies will be able to insulate themselves from the possibility of facing punitive enforcement action if, and when, their employees and those associated with them commit financial crime.