UK Serious Fraud Office Clarifies Its Approach to Compliance Programmes
In the UK, as is the case in other jurisdictions, prosecutors’ assessments of corporate organisations’ compliance arrangements are crucial to whether investigations will be concluded through deferred prosecution agreements (“DPAs”) or prosecutions. Guidance published by the UK Serious Fraud Office (“SFO”) on 17 January 2020 provides the clearest indications yet about when and how it will evaluate compliance programmes maintained by corporate organisations it is investigating and what it is looking for when making these decisions.
The guidance is designed to be read in conjunction with and to assist prosecutors when they are applying other guidance, in particular the Guidance on Corporate Prosecutions and the Code of Practice on Deferred Prosecution Agreements (“the DPA Code”) (both published jointly with the Crown Prosecution Service) and the SFO’s Corporate Co-operation Guidance.
It is not prescriptive, and leaves prosecutors with significant discretion when evaluating corporate organisations’ compliance programmes and deciding how to proceed.
However, there are some key messages:
The SFO will start assessing corporate organisations’ compliance programmes at an early stage of investigations – The guidance refers to assessments of the adequacy of compliance arrangements being made at various important stages of investigations, including when decisions are being made about whether a prosecution is in the public interest and whether the SFO is prepared to enter into negotiations about a potential DPA (and if so on which terms). It also points out that prosecutors should feed their assessments on this point into decisions about whether a corporate organisation being prosecuted under section 7 of the Bribery Act 2010 for failing to prevent bribery is able to establish that it had “adequate procedures” in place. If the corporate organisation concerned is not able to do so, the guidance makes clear that prosecutors must consider whether the compliance arrangements it has in place justify it suggesting to the Court that a lesser sentence may be appropriate.
Although it has identified these key waypoints, in practice the SFO’s view of the historical and current compliance arrangements and any proposed remediation will weigh significantly in its ongoing assessments of whether the organisation concerned is taking a “genuinely proactive approach” to the investigation. This is a key test set out in the DPA Code. Cases concluded since the introduction of DPAs in 2014 (both those where DPAs have been negotiated and those where they have not) illustrate that maintaining the SFO’s continuing confidence on this point is a precondition to a negotiated settlement. This is consistent with the longstanding practice of U.S. prosecutors and courts.
Deficiencies in a corporate organisation’s compliance programme (or even the absence of such a programme) will not necessarily preclude a DPA – The guidance confirms that the SFO will consider the past, present and, in some cases, proposed future states of the compliance programme maintained by the corporate organisation. This elaborates on the indication in the DPA Code that the fact that an organisation had “no or an ineffective corporate compliance [at the time of the offending] and it has not been able to demonstrate a significant improvement in its compliance programme since then” will be a public interest factor in favour of prosecution rather than a DPA.
The SFO’s realistic indications that it will look for whether there have been signs of amelioration rather than perfection in compliance programmes is consistent with the approach it and the Courts have taken in DPAs negotiated to date in the UK. In those cases (most recently the DPA agreed with Güralp Systems Limited in December 2019 – click here for summary and analysis) they have attached substantial importance to a demonstrable clean break with past misconduct and deficiencies, both in terms of the individuals in charge of the corporate entity and its compliance practices.
The SFO will take a principles-based approach to assessing compliance programmes – The guidance points to the six principles set out in the UK Ministry of Justice’s guidance on “adequate procedures” (“the Adequate Procedures Guidance”) for the purposes of the corporate offence of failing to prevent bribery (“the Corporate Offence”) as “a good general framework for assessing compliance programmes” (not only in respect of that offence but also others investigated by the SFO).
However, it is much less detailed than corresponding guidance issued by the U.S. Department of Justice, which has been in force since 2017 and which was most recently updated in April 2019. Although that guidance is clear that it provides “neither a checklist nor a formula”, it does set out an extensive list of questions for prosecutors to ask about specific aspects of corporate organisations’ operations in order to establish whether compliance programmes are “well-designed”, “applied earnestly and in good faith” and “working in practice”.
As such, ambiguity remains as to when prosecutors will consider procedures to have been “adequate” for the purposes of the Corporate Offence. The prosecution of Skansen Interiors Limited by the Crown Prosecution Service in 2018 is still the only case where the issue has been considered by a jury. The relatively small size of that company and the fact that it was a dormant company at the time of the prosecution (meaning that the Court could not impose a financial penalty) mean that the case provides little practical assistance to larger corporate organisations.
Cases where DPAs have been agreed to date in respect of the Corporate Offence offer some salutary reminders of the consequences of shortcomings in particular processes and procedures but are highly fact-sensitive. They therefore similarly offer little practical guidance.
The SFO is interested in what happens in practice within corporate organisations, not just what is written in their compliance manuals – the SFO has reiterated the expectations frequently conveyed through public statements by its most senior figures that corporate organisations should design and operate compliance programmes reflecting the particular activities they undertake and risks they face. Consistent with the stated approach of prosecutors in other jurisdictions, compliance programmes assessed as “paper exercises” will not be considered to be effective.
External monitors will be required to verify improvements to compliance programmes prescribed by DPAs – The guidance suggests a departure from the practice in a number of the DPAs negotiated to date in the UK, which have allowed corporate organisations promising to make improvements to compliance arrangements to make periodic reports to the SFO about their progress in doing so. The SFO has now indicated that, where DPAs include provisions about corporate organisations’ compliance programmes, prosecutors are likely to require the appointment of a monitor (at the organisation’s expense) to verify that required improvements are made.
This may be an indication of a greater willingness on the part of the SFO to impose external monitors in connection with DPAs. A move in this direction has been widely expected given the background of its director Lisa Osofsky as a former U.S. federal prosecutor and monitor in private practice. The SFO’s guidance does not mandate the appointment of a monitor in all cases where DPAs provide for improvements to compliance programmes; the sections of the DPA Code making clear that the scope of external monitors’ engagements should be carefully limited still stand.
French anti-corruption authorities are taking a slightly different approach. In guidance on corporate settlements issued in June 2019, they indicated that they would require reimbursement from the corporate organisation concerned for monitoring and evaluation (by them rather than an external monitor) of required improvements to compliance programmes under Conventions Judiciaire d’intérêt public (see full details in our Ropes & Gray Alert here). Joint UK and French (and US) settlements due to be approved and published imminently may provide further detail on how variations in approaches across the English Channel will be addressed in practice.
What does the guidance mean for due diligence processes?
The guidance only applies to assessments to be made of corporate organisations’ compliance programmes in the context of investigations being carried out by the SFO. As its previous director was careful to emphasise throughout his tenure, the SFO is first and foremost a criminal prosecutor. It is not about to become a quasi-regulator and will not approve particular compliance arrangements.
That said, the guidance underlines the importance of effective due diligence processes, both at the acquisition stage and in the course of corporate organisations’ day-to-day operations. Although it does not provide any definitive indications, the Adequate Procedures Guidance remains the foundation for evaluating corporate compliance programmes maintained by corporate organisations in the UK (in respect of all economic offences – not only bribery). It forms a central part of the guidance that will be adopted by the SFO when evaluating compliance arrangements for corporate organisations under investigation. As such, it should occupy a correspondingly important place in internal and transaction due diligence arrangements.