What the SFO Looks For in a Compliance Programme—New Guidance Published January 2020
By Simon Airey, Morgan Miller, Chris Hardjasa & Joshua Domb
On 17 January 2020, the Serious Fraud Office (“SFO”) published the latest chapter from its internal Operational Handbook (the “Handbook”, directed at SFO staff) entitled “Evaluating a Compliance Programme” (the “Guidance”). This Guidance provides broad principles and a degree of further insight into the framework by which the SFO aims to assess the effectiveness of compliance programmes when considering prosecutions, DPA negotiations, “adequate procedures” defences under s.7(2) of the Bribery Act 2010, and general mitigation for sentencing. However, many critical details continue to be left unanswered.
To underline the limitations of the Guidance, the preamble notes that it is not published for the purpose of providing legal advice and “should not therefore be relied on as the basis for any legal advice or decision”. Rather, the Handbook is designed for SFO prosecutors and investigators and the Guidance is published “solely in the interests of transparency”.
This invites comparison with the publication by the US Department of Justice (“DOJ”) of its recently updated Evaluation of Corporate Compliance Programs (“ECCP”) guidance. US enforcement agencies, including both the DOJ and the Securities and Exchange Commission (“SEC”), have historically issued more detailed and substantive guidance on US Foreign Corrupt Practices Act (“FCPA”) enforcement and effective compliance programmes. The updated ECCP has been well-received by both counsel and companies due to its substantive focus on assessing programmes and detailed elucidation of more complex compliance concepts. The ECCP expanded on and provided more specificity around the original ten “Hallmarks of Effective Compliance Programs” (the “Ten Hallmarks”), first described in the DOJ and SEC’s A Resource Guide to the FCPA.
The Guidance provides an overarching investigative and assessment framework, rather than focusing on the elements of an adequate compliance programme or how the SFO will evaluate these elements if an offence is suspected. In defining a compliance programme, the Guidance states that a “key feature of any [such] programme is that it needs to be effective and not simply a ‘paper exercise’”. An organisation must show that it runs a tailored programme which works for that specific organisation and the field in which it operates. Similar to the DOJ ECCP document, the Guidance indicates that it is not prescriptive due to the fact that individual cases will differ.
Above all, the SFO looks for compliance programmes to be “proportionate, risk-based and regularly reviewed”. This is consistent with global compliance standards and regulatory expectations.
Time Periods Relevant to Decisions
The SFO considers past, present and future compliance when evaluating compliance programmes. In particular, the SFO considers the following:
when considering prosecution, the effectiveness of a compliance programme at the time the offence was committed;
whether an organisation could raise a successful defence at Court by demonstrating that it had put in place “adequate procedures” to prevent the relevant criminal conduct;
even if an organisation falls short of the “adequate procedures” defence, the SFO takes into account whether an organisation has made an “effort” when considering sentencing requests;
what, if any, enhancements and remedial actions have strengthened a compliance programme by the time of the charging decision;
whether the current state of an organisation’s compliance programme makes it suitable for a DPA; and
whether a DPA should include terms which impose a future compliance programme which may include a monitor being appointed at an organisation’s expense.
Investigating a Compliance Programme
While the DOJ ECCP and the Guidance both focus on their respective assessments of a company’s compliance programme, the Guidance expands on the investigation process, including the sources of information they may request, and the tools they may use at different stages of an investigation. This section provides more practical insight into what companies may expect the SFO to request or compel from their organisations, and the manner in which the SFO may do so. The Guidance also advises SFO investigators that compliance issues be “considered as part of the overall investigation strategy”, highlighting the relative importance of compliance programme assessment as a necessary element of an SFO investigation.
The Guidance states that, as individual cases differ, it does not prescribe a particular approach and that it is important for SFO investigators to “maintain [an] open investigative mind-set, testing and corroborating evidence from a number of sources”. Specifically, the SFO advises its investigating officers to:
explore compliance issues “early in the investigation”;
obtain information about a company’s compliance programme from a “variety of sources”, including in particular, sources of information concerning failures of a compliance programme, which may also provide details on broader questions such as “direct or circumstantial evidence of criminality”;
tailor their approach to the specific case in determining whether and how to use SFO “tools”, including voluntary disclosures and interviews, s.2 compelled disclosure of documents or information, and s.2 witness or suspect interviews; and
document considerations about “which tools to use and other factors that impact investigating compliance in a relevant case decision log and Investigation Plans” that address how the company’s compliance programme will be evaluated. It is clear from the Guidance that an organisation is expected to have and provide a “variety of written records of its compliance programme and its operation”.
The remainder of the Guidance concerns what SFO investigators should cover in an assessment of a compliance programme. In anticipation of the Bribery Act entering into force in 2011, the UK Ministry of Justice published associated guidance (“MOJ Guidance”) detailing six core principles (the “Six Principles”) commercial organisations ought to consider in designing “adequate procedures” intended to prevent people associated with them bribing others. The SFO summarises these Six Principles as a “good general framework” for SFO investigatory officers to assess compliance programmes.
The main compliance question in the Guidance is whether the organisation has a defence of “adequate procedures” under s.7 of the U.K. Bribery Act. In the DOJ ECCP, there are three questions set out: (1) whether the compliance programme is well designed; (2) whether the programme is applied earnestly and in good faith (implemented effectively); and (3) whether the company’s compliance programme works in practice. As discussed above, the Guidance echoes some of these fundamental principles in the ECCP in its definitional section. Both documents make clear that enforcement agencies want companies to show them that their compliance programmes are (a) tailored appropriately to risk; (b) designed and implemented effectively; and (c) regularly reviewed.
In its section regarding the Six Principles, the Guidance generally summarises the MOJ Guidance. The Six Principles also map to the Ten Hallmarks and other regulator and NGO guidelines regarding the critical elements of compliance programmes.
Similar to the ECCP, the Guidance indicates that the principles are not prescriptive, but flexible and outcome-focused, and summarises the Six Principles as follows:
Proportionate procedures. The SFO notes Principle 1.2, that “adequate procedures” ought to be proportionate to the specific bribery risks faced by an organisation. Organisations should accordingly perform a risk assessment as a first step. Similarly, the ECCP states that any well-designed compliance programme has policies and procedures that “give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process”.
Top level commitment. The SFO emphasises that a strong tone at the top is imperative, which should include assurance of the risk assessment, specific involvement in high-profile and critical decision-making, and the selection and training of senior managers to lead anti-bribery work. Similarly, the ECCP discusses “commitment by senior and middle management” as essential to evaluating whether a compliance programme is being implemented effectively, or whether it is merely a “paper program”. It also notes that effective implementation requires those individuals charged with day-to-day oversight of a compliance programme to have sufficient autonomy, authority, and stature.
Risk assessment. Risk assessment is said to be “periodic” and “evolutionary”, and takes into account external and internal factors overseen by top level management in response to corporate, business or jurisdictional changes. The ECCP identifies the company’s risk assessment efforts, and application of resources and scrutiny to its spectrum of risks, as the starting point for evaluating whether a company has a well-designed compliance programme.
Due diligence. Due diligence should be “proportionate and risk based”, as well as address intermediaries, vendors, and hiring of employees. The SFO places particular importance on due diligence with respect to any M&A activity. The ECCP similarly emphasises the importance of third party risk management to evaluating the design of a compliance programme, as well as comprehensive due diligence of acquisition targets.
Communication (including training). The SFO considers that training should be continuous, as well as regularly monitored and evaluated. The SFO also notes that prompt compliance advice should be secure, confidential, and accessible for employees and agents, and that there should be clear whistleblowing channels to raise bribery concerns. Similarly, the ECCP indicates that tailored training and communications are another hallmark of a well-designed programme, as is a confidential reporting structure and investigation process.
Monitoring and Review. The SFO encourages officers to assess internal and external monitoring mechanisms which provide feedback into the effectiveness of compliance programmes, such as investigations, internal controls, and staff surveys. The ECCP likewise indicates that effective compliance programmes have capacity to improve and evolve, and that prosecutors should consider whether a company has engaged in meaningful efforts to review its compliance programme and ensure that it is evolving appropriately.
Overall, the new Guidance is a welcome addition to the limited selection of information available regarding the UK Bribery Act, and provides companies with some additional insight into the overall framework through which SFO investigators will evaluate company compliance programmes. The Guidance does not, however, provide significant details into many of the critical considerations made by the SFO, including how the SFO evaluates “adequacy” of compliance programmes, beyond the previous MOJ Guidance.
The Guidance is most useful in providing greater insight into specific time periods, tools, and methodology that the SFO will focus on when assessing a company’s procedures, and in explaining the different rationales behind evaluation of compliance programmes at different stages. As Bribery Act enforcement in the UK continues to evolve, and the SFO gains more experience in reviewing and evaluating compliance programmes, it will have further opportunities to provide more complex and sophisticated analyses of compliance programmes and more insight into its expectations of “adequate procedures”.
Companies looking to improve their compliance programmes, or to ensure their programmes are consistent with best practices internationally, would perhaps be best served by consulting FCPA-related guidance (such as the DOJ ECCP and the DOJ/SEC’s A Resource Guide to the FCPA) and international standards (such as the OECD’s Good Practice Guide on Internal Controls, Ethics and Compliance), in combination with the SFO’s Guidance.