12. US-Ordered Cross-Border Monitorships
A monitorship can be difficult to manage in the best of circumstances. Even the most basic arrangement requires the monitor to evaluate a company that he or she does not represent, to report to an agency for which he or she does not work and to gather sensitive information without invading attorney–client privilege. Worse, the company will almost certainly not welcome the monitorship, let alone its intrusive features – including the monitor’s examination of proprietary data, interviews with company personnel and customers, and findings that could require the company to abandon well-established practices or discipline long-standing employees.
A US-ordered cross-border monitorship poses all these challenges and more. To monitor a company with operations outside the United States, especially one with operations around the globe, is to contend with several, if not dozens, of disparate legal systems and business cultures. As a result, while the work that a monitor typically performs – such as conducting interviews, collecting data and recommending discipline – can be accomplished with little difficulty in the United States, it may be sharply restricted in some countries. Moreover, practices or attitudes that are commonplace in one affiliate may be radically different in another affiliate of the same company.
In the face of these legal and practical challenges, the cross-border monitor would do well to consider a few key attributes of cross-border monitorships before proceeding. First, it is not the monitor’s primary job to investigate misconduct. That is a basic tenet of almost any monitorship but one that is not always well understood. Second, the monitor may not be able to visit every place in which a company does business – particularly if the company operates around the world – and consequently must devise ways to assess the company’s compliance with that limitation in mind. Third, foreign privacy and labour laws may apply and must be considered carefully, as they could impede the monitor’s work (or worse). The same is true for foreign laws governing the imposition and publicising of employee discipline. Finally, while companies must implement a coherent global compliance programme, local variations will be appropriate and necessary to account for differences in local business culture and practice.
The role of the monitor
The monitor is not always an investigator
Infrequent in the United States, monitorships are entirely unknown in many parts of the world. The first challenge facing a cross-border monitor, therefore, is the most fundamental: clarifying the role of a monitor and, perhaps more important, what the monitor is not. As the US Department of Justice’s guidance on corporate monitorships makes clear, the monitor’s ‘primary responsibility is to assess and monitor a corporation’s compliance with the terms of the agreement specifically designed to address and reduce the risk of recurrence of the corporation’s misconduct . . . [t]he monitor’s mandate is not to investigate historical misconduct’.
Clarity on this issue is important in any monitorship; only by understanding the purpose of their work can monitors design an appropriate work plan and discharge their mandate effectively. In a cross-border monitorship, clarity of purpose is crucial. Some countries prohibit or restrict corporate investigations of misconduct and, in these jurisdictions, the consequences of overextending the monitor’s role could be significant. If witnesses mistake the monitor for a criminal investigator, they may report the monitor to the local authorities. Those authorities, which may previously have been unaware of the monitorship, could begin investigating the monitored entity or insist on exploring the contours of the monitorship with the monitor and the enforcement agency. At the very least, interference of this kind would unnecessarily complicate the monitorship and potentially delay the monitor’s work. Before beginning their work outside the United States, monitors must ensure that the company and its employees – particularly the witnesses they intend to interview – clearly understand the monitor’s role.
The monitor cannot go everywhere
When a company has wide-ranging operations across the world, potentially spanning multiple business lines, the monitor’s team may be unable to visit each location during the course of the monitorship – nor should they. The monitor’s goal is not to assess every facet of compliance in every jurisdiction where the company does business, but rather the company’s overall compliance environment. The monitor must thus think critically about which sites to visit, bearing several considerations in mind.
First, the monitor should make a priority of reviewing the company’s operations in jurisdictions that pose the highest risk. These will almost certainly include locations where the underlying misconduct occurred. They may also include countries where the company’s largest operations are situated, or where the highest-risk functions take place. Another indicator of risk is the nature of the violations that led to the monitorship in the first place. In cases involving violations of the US Foreign Corrupt Practices Act (FCPA), for example, the monitor should focus on countries with a known corruption risk – taking into account Transparency International’s Corruption Perception Index and any risk rankings generated by the company itself.
The more difficult choices arise beyond the highest-risk locations. Because monitors cannot go everywhere, they should identify a representative sample of locations that will enable them to assess the company’s global compliance efforts, which can be a formidable task. Compliance risks can vary not only by country but by business line, business unit and even by product. They can also depend on the business model. Joint ventures, in which authority is shared between the monitored entity and its partner, may pose a greater risk than wholly owned subsidiaries, over which the company has full control. Manufacturing plants may be riskier than commercial operations, and commercial operations riskier than distributorships. Recent acquisitions typically pose an enhanced compliance risk, especially if the acquired company’s compliance culture is immature and not yet fully integrated into the company’s global culture. And third-party relationships often pose the greatest risk of all, warranting a sharper focus on business units that retain third parties in high numbers or for sensitive engagements.
How can a monitor practically assess the adequacy of a company’s global compliance programme under these circumstances? One viable strategy is to identify common operational or other relevant features among the company’s different affiliates; group the affiliates according to those common features; visit an affiliate within a group; and extrapolate findings from that affiliate to others in the same group. Deciding which common features to select depends heavily on the company at issue, of course, but the following are a few options:
- Common reporting structure: the monitor should consider whether business operations fall under the same global reporting structure. If several sites report to the same business unit or managers, they will at least have some elements of supervision in common. Depending on the conduct under review, the monitor may be able to draw some conclusions about the adequacy of compliance by evaluating the common supervisory team.
- Common processes: if the company has compliance processes that vary from region to region or between different business lines, the monitor can group sites according to the processes they share. In an FCPA inquiry, for example, the company might employ the same third-party due diligence procedures at five of 25 affiliates. The monitor could test the procedures at one of the five affiliates and extrapolate his or her findings to the remaining four in the same group (after accounting for any site-specific anomalies).
- Common business models: a monitored company might employ different business models across the world, each with a different risk profile. The monitor should test each model – especially those that present heightened risk, such as recent acquisitions.
- Common systems: a key component of any functioning compliance programme is internal controls, which are usually embedded within a company’s enterprise resource planning and procurement systems. If the company employs a unified global platform across all its affiliates, the monitor’s examination of internal controls may be relatively simple. However, if the company does not make use of a single platform – as is often the case for companies that have expanded through acquisitions – there may be multiple legacy systems, each with its own user interface and technical challenges. In these cases, the monitor should endeavour to visit representative sites where each of the systems is in use.
All these approaches can be fruitful under the right circumstances. However, they are of limited value for assessing a company affiliate that does not share common features with any other, and where the monitor simply cannot visit because of civil unrest, armed conflict, public health emergencies, or the like. These types of affiliates are a vexing challenge for the monitor – especially in corruption cases, where they are often located in the same countries that pose the highest corruption risk – and dealing with these locations requires some creative thinking. Among other workarounds, the monitor team could perform remote transaction testing, conduct video interviews with in-country employees and interview in person any employees outside the country who may be assisting the affiliate with implementing financial and compliance controls.
Observing privacy and labour laws
Companies in cross-border monitorships must abide by the privacy laws of the countries in which they operate. The complexity of these laws can be daunting for the monitored entity and the monitor alike, but they are vitally important to the cross-border monitor: because the lifeblood of a monitorship is information, any limitations on acquiring it could jeopardise the monitor’s ability to fulfil his or her mandate. It is incumbent on the monitor team, therefore, to identify applicable privacy laws in advance of its work and take the steps necessary to comply with them.
Among the most recent and best-known privacy laws that monitors must contend with is the EU General Data Protection Regulation (GDPR). The GDPR restricts companies that operate, provide services, sell goods or even track the behaviour of individuals in the European Union and its Member States from processing personal information without first obtaining permission to collect and distribute it, or satisfying one of several other specified criteria for processing the information. Processing is defined broadly to include ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available’.
Additionally, and perhaps most relevant to the activities of a monitor, the GDPR restricts companies from transferring personal data to countries lacking – in the eyes of the European Commission – adequate protection for personal data. To satisfy the requirements of the GDPR, the monitor may need to enter into an agreement with the monitored entity to verify the steps the monitor will take to protect personal data being transferred by the monitored entity. Further, depending on the monitorship, the monitor may hire third-party experts, accounting firms, data processing companies and others. The GDPR would govern the monitor’s transfer of personal data from the monitored entity to any such third parties. As a result, the monitor may also need to enter into contractual arrangements with these vendors to ensure that the monitored entity can lawfully share information.
The monitor should also be aware that EU Member States are free to enact requirements that surpass those found within the GDPR. Thus, monitors must assess not only the GDPR but any country-specific laws that may govern the transfer of information from the monitored entity to the monitor. And, of course, EU Member States are not alone in imposing privacy-related restrictions.
In addition to restricting access to documents, privacy laws also address the manner in which the monitor and monitored entity receive reports of wrongdoing throughout the monitored entity. Most multinational companies have established a reporting mechanism, or hotline, through which employees can report potential misconduct either by company employees or by a third party associated with the company. Some countries permit companies to implement systems for confidential reporting, but others may require companies to obtain permission from employees or government authorities before doing so. Still other countries limit the types of conduct that can be reported, and others discourage any confidential reporting at all.
In short, privacy laws can create stumbling blocks to the smooth transfer of information during the monitorship. The monitor and the company must consider privacy issues as early as possible and establish protocols for document and information transfers well in advance of the monitor’s field work.
Some countries in which monitors may operate have enacted what are known as blocking statutes. Intended to protect the sovereignty of the enacting country against extraterritorial interference by other countries, these statutes bar or limit the transfer of evidence to foreign jurisdictions. In China, for example, the International Criminal Judicial Assistance Law restricts companies from providing evidence to foreign law enforcement authorities conducting a criminal investigation. And in Switzerland, Article 271 of the Swiss Criminal Code forbids Swiss parties, under certain circumstances, from cooperating with foreign governments in connection with foreign proceedings. The consequences of violating these laws are not merely theoretical. In 2019, the Swiss Federal Supreme Court upheld the criminal conviction of a company executive for sharing information with the US government, in violation of Article 271.
Although monitors are not government authorities, they are often appointed by, work closely with and submit detailed reports to them. Companies may therefore be reluctant to disclose information for fear of running afoul of a blocking statute. And even where blocking statutes provide a means for disclosing information to foreign authorities, the process may cause a delay in the monitor’s work, which is by definition of limited duration. To avoid these issues and delays, the monitor should identify potentially applicable blocking statutes as soon as possible during the monitorship and develop a plan to obtain the necessary information without triggering liability for any of the parties involved.
Local labour laws may also restrict a monitor’s access to both information and employees. Some countries in Europe, for example, require that employee representatives (known as works councils) be consulted prior to an employee’s interview. In some countries, employees have the right to refuse to attend an interview or otherwise cooperate with the monitor. Employees in certain countries may also expect to receive, or at a minimum review, any notes taken during interviews or other materials prepared as a result of interviews. Labour laws also limit the type of discipline companies can impose. Some labour laws impose penalties or other liabilities on companies for terminating an employee in a manner that does not comply with specified legal protections. Others have restrictions on when employers can take disciplinary action against employees. These restrictions range from requiring an employer to impose discipline within a certain time frame to forcing an employer to follow a particular procedure before dismissing an employee.
There is, in short, great variety among the labour laws that companies and monitors may encounter. Sophisticated multinational companies are well aware of them. The monitor must thoroughly understand them as well, and can draw upon the company’s own expertise for assistance. (The US DOJ contemplates that very process, often requiring monitored companies to provide guidance to the monitor on applicable local law.) As with most aspects of the monitorship, careful planning is critical at the outset to account for and ensure compliance with local labour laws.
Publicising employee discipline
One of the most important tasks for a monitor is to assess whether the monitored company has undertaken appropriate remedial measures in the wake of wrongdoing, and one of the most important of these measures is the disciplining of employees responsible for misconduct. Indeed, US regulators have repeatedly emphasised this component of a remediation programme. The US DOJ’s Justice Manual, for example, highlights appropriate discipline of employees as one of five components required for a company to demonstrate that it has remediated FCPA violations appropriately and in a timely manner. It also makes clear that discipline should extend not only to those who committed the misconduct but also to those in oversight positions:
The following items will be required for a company to receive full credit for timely and appropriate remediation . . . Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.
The US Securities and Exchange Commission (SEC) likewise emphasises appropriate discipline as a component of an effective compliance programme.
Beyond underscoring the importance of discipline itself, the US DOJ and the SEC both encourage companies to turn discipline into a teaching opportunity. In describing how a company can effectively enforce its anti-corruption compliance programme, for example, those agencies have noted that ‘[m]any companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences’. The challenge for companies seeking to follow this guidance is discerning what, precisely, may or may not be ‘appropriate under local law’.
The GDPR is a case in point. As noted, it restricts the processing of personal data, and it defines ‘personal data’ broadly to cover ‘any information relating to an identified or identifiable natural person’, the latter being any person ‘who can be identified, directly or indirectly’. This definition encompasses information that in the aggregate could be used to identify a particular person. Likewise, ‘processing’ is defined broadly to include the ‘collection, recording, organization . . . storage . . . use . . . [or] dissemination’ of personal data by either automated or non-automated means. To the extent that the GDPR applies to the dissemination of information about an incident of employee misconduct, a company would have to comply with the law’s requirements before sharing any information. Among other steps, the company would be obliged to provide the employee with notice of how his or her data may be processed, and to conduct a legal analysis to assess whether the company has an appropriate legal basis to distribute the information.
None of these data privacy protections should prohibit a company from publicising fully anonymised information about an incident of employee misconduct. Nevertheless, companies operating in an environment of heightened sensitivity to employee privacy may be hesitant to engage in the legal analysis necessary to determine what information can be shared, and how, under local law. That is particularly true in countries where the privacy laws are new and the regulatory guidance sparse. Given the importance to US regulators of imposing and publicising appropriate discipline, however, monitors should be examining how companies make use of discipline – and companies should carefully consider what information they can share with employees.
Variations in local business culture and practices
Multinational companies must maintain a coherent global compliance programme, while at the same time contending with local distinctions in business culture and practice. That is no easy feat, especially for companies that span the globe, but the monitor should expect nothing less, as that is what the government requires. As the US DOJ makes clear in its compliance guidance, a corporate compliance programme must actually work in practice, not simply have the right components on paper. To succeed in this regard, multinational companies must understand relevant local practices and adapt their global compliance principles accordingly.
Corruption cases offer a useful illustration. Regardless of where a company operates, it can never, under the FCPA or other anti-bribery legislation, permissibly bribe a government official in exchange for business. A company’s compliance policy must be unyielding on this point. However, the means to prevent bribery from occurring may require some variation from country to country to account for the local business environment. In larger countries, for example, where the pool of qualified employees might be abundant, a company could, without jeopardising its business, choose not to hire any employee with close family ties to a distributor that sells company products to the government. In smaller countries, the relevant talent pool might be much smaller, making it impractical for a company to impose a blanket ban of this sort. Instead, a company might reasonably apply rigorous controls to its hiring process, such as walling off potentially conflicted employees from any interactions with a distributor.
The number of examples of this nature is nearly limitless. The point is that one size does not necessarily fit all in the implementation of a global compliance programme. Variations may be entirely appropriate and often critical. If a company’s policies create significant practical barriers to conducting business in a particular country, the company runs a greater risk that employees will circumvent compliance controls. By calibrating its programme to account for local variations in business practice, while still maintaining a compliant environment, a company can make its compliance policies both more practical and more likely to be effective in the long run. Like the other lessons for cross-border monitors noted above – clarifying the monitor’s role, strategically choosing the right locations to visit, and being mindful of privacy and labour laws – careful attention to local culture and practice will position the monitor well to achieve his or her primary mission: assessing whether the company’s compliance programme adequately addresses and reduces the risks that led to the monitorship in the first place.
1 Gil M Soffer is a partner and Nicola Bunick and Johnjerica Hodge are associates at Katten Muchin Rosenman LLP.
2 US Department of Justice [US DOJ] memorandum, Acting Deputy Attorney General Craig S Morford, ‘Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations’, at 2 (7 March 2008), at https://www.justice.gov/sites/default/files/dag/legacy/2008/03/20/morford-useofmonitorsmemo-03072008.pdf.
3 id., at 6.
4 e.g., KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (2013), at 10, at https://assets.kpmg/content/dam/kpmg/pdf/2013/12/cross-border-investigations.pdf. (‘In some jurisdictions, it can be illegal for companies to investigate alleged employee misconduct because the local government considers itself to be the exclusive investigator responsible for law enforcement.’)
5 In some countries, monitors may be required to notify the local government or regulator if they are doing work there. Even if such a disclosure is not required, it may still be considered good practice.
6 A similar risk exists in traditional internal investigations, where employees may ‘seek the intervention of local government officials’ in an attempt ‘[t]o deflect from the investigation’. John Frangos, ‘Southeast Asia: Conducting Successful Corporate Internal Investigations’, Society for Human Resource Management (28 August 2017), at https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/southeast-asia-investigations.aspx.
7 Transparency International, Corruption Perceptions Index, Overview, at https://www.transparency.org/research/cpi/overview (last accessed 25 March 2020).
8 In light of such variations in risk, the US DOJ recently underscored the importance of tailoring a compliance programme to a company’s risk profile. See generally, US DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (April 2019), at 2, at https://www.justice.gov/criminal-fraud/page/file/937501/download (‘The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how a company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.’)
9 European Commission, ‘Who does the data protection law apply to?’, at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en (last accessed 25 March 2020) (‘The GDPR applies to: 1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or 2. A company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.’)
10 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) [GDPR], Article 6(1), at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN. The GDPR imposes even stricter requirements on the distribution of information related to criminal offences. See also id., at Article 10.
11 GDPR, Article 4(2).
12 GDPR, Article 45(1) (‘A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.’)
13 GDPR, Article 46(2)(f); see also id., at Article 46(3) (noting that a third party can receive personal data if there are, among other things, ‘contractual clauses between the controller or processor or the recipient of the personal data in the third country or international organisation’).
14 e.g., KPMG China, ‘Overview of China’s Cybersecurity Law’, at 8, at https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf (listing the privacy-related restrictions in China); see also Daniel Chen and Michael R Fahey, ‘Data protection in Taiwan: overview’, at https://uk.practicallaw.thomsonreuters.com/5-578-3485?transitionType=Default&contextData=(sc.Default)&firstPage=true&comp=pluk&bhcp=1 (discussing the privacy-related restrictions in Taiwan); see also Alexei Koseff, ‘California promises aggressive enforcement of new privacy law’ (16 December 2019), at https://www.sfchronicle.com/politics/article/California-promises-aggressive-enforcement-of-new-14911017.php#photo-18082189 (discussing the California Attorney General’s intent to enforce the state’s new privacy law, which mirrors the GDPR).
15 e.g., GDPR (footnote 10, above).
16 e.g., World Law Group, Global Guide to Whistleblowing Programs 2016, at 1, at http://www.gop.it/doc_pubblicazioni/616_ub5zro2b1w_ita.pdf (noting that, in Argentina, ‘Companies must always notify their employees before the implementation of a whistleblower program’); see id., at 41 (noting that ‘the Czech Data Protection Authority has to be notified prior to the collecting or processing of personal data’).
17 See id., at 62, 66, 69.
18 International Criminal Judicial Assistance Law [ICJAL], Article 4. Some companies have invoked the ICJAL, albeit unsuccessfully, as a basis for resisting grand jury and Patriot Act subpoenas. In re: Sealed Case, Nos. 19-5100, 19-5102, 19-5103 at 29 (D.C. Cir., 30 July 2019), at https://www.cadc.uscourts.gov/internet/opinions.nsf/6E2FAD8DB7F6B3568525844E004D7A26/$file/19-5068-1800815.pdf.
19 Swiss Criminal Code, Article 271.
21 See e.g., Directive 2009/38/EC of the European Parliament and of the Council of 6 May 2009; see also Philipp von Holst, ‘Germany’ in The European, Middle Eastern and African Investigations Review 2017 (25 May 2017), Global Investigations Review, at https://globalinvestigationsreview.com/benchmarking/the-european-middle-eastern-and-african-investigations-review-2017/1142027/germany (‘[A] hostile works council can cause serious problems to an internal investigation from delaying it to blocking single measures and leaking information to the press’).
22 See KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (footnote 4, above), at 17 (‘Many countries have data privacy laws that allow a target or a witness to have access to certain investigatory material, including a written investigation report.’)
23 See e.g., Juliana Sá de Miranda and Ricardo Caiado, ‘Brazil: Handling Internal Investigations’, The Investigations Review of the Americas 2019, Global Investigations Review (21 August 2018), at https://globalinvestigationsreview.com/benchmarking/the-investigations-review-of-the-americas-2019/1173349/brazil-handling-internal-investigations (‘As in many other Latin American countries, the Brazilian labour legislation is complex and inclined to protect employees. It is no overstatement that there is a culture of judicial claims by employees against employers in the country, even in cases of weak or lack of proper grounds’).
24 See e.g., Donald C Dowling Jr, ‘Internal investigations in overseas workplaces’, Lexology (2 April 2013), at https://www.lexology.com/library/detail.aspx?g=8088dd7e-b170-43f4-a0ea-daf3fdfd2672.
25 US DOJ, Justice Manual (2017), Title 9-47.120(3)(c), at https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977.
26 US DOJ and US Securities and Exchange Commission, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2012), at 59, at https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.
27 id. The DOJ has echoed that theme in recent guidance, noting that ‘some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects.’ See ‘Evaluation of Corporate Compliance Programs’ (footnote 8, above), at 13.
28 GDPR, Article 6(1).
29 GDPR, Article 4(1).
30 Amelia Hairston-Porter, ‘INSIGHT: EU Enacts New Data Privacy Regime with Potential Effects on Cross-Border Investigations’, Bloomberg Law (28 September 2018), at https://news.bloomberglaw.com/white-collar-and-criminal-law/insight-eu-enacts-new-data-privacy-regime-with-potential-effects-on-cross-border-investigations.
31 GDPR, Article 4(2).
32 The GDPR permits companies to process personal data in a limited number of instances, including when the employee consents (although consent can be revoked), when necessary to comply with a legal obligation and when necessary to pursue a legitimate company interest after this interest is balanced against the interests and rights of the employee. See GDPR, Article 6(1), Paragraphs (a), (c) and (f) (lawfulness of processing) and Article 7(3) (consent may be withdrawn at any time).
33 Companies will need to consult local experts regarding the full range of laws and regulations that may limit their ability to disseminate information about employee discipline in a particular jurisdiction.
34 See ‘Evaluation of Corporate Compliance Programs’ (footnote 8, above), at 13. The UK Serious Fraud Office [SFO] has also emphasised that compliance programmes will not be considered effective if they are merely a ‘paper exercise’. See SFO Operational Handbook, ‘Evaluating a Compliance Programme’ (January 2020), at 1, at https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/sfo-operational-handbook/evaluating-a-compliance-programme/.