Compliance
This is an Insight article, written by a selected partner as part of GIR's co-published content.
46.1 Introduction
Compliance issues are at the heart of the vast majority of financial crime and misconduct investigations, and subsequent criminal and regulatory enforcement action. Accordingly, many international government enforcement bodies have sought to articulate formally what is required for effective compliance. In the United Kingdom, corruption, facilitation of tax evasion and money laundering are among the more evolved areas, with the relevant guidance also offering assistance on other specific areas of legal risk. In the United States, corruption and antitrust are two areas where detailed and extensive guidance is available.
Alongside the available guidance offered by international government enforcement bodies, there is an evolving body of criminal and regulatory enforcement outcomes in the United Kingdom, United States and other jurisdictions that address compliance issues. Investigations practitioners can draw on this material to prepare and promote new policies for a corporate, analyse potential compliance issues within an investigation, prepare for potential future criminal or regulatory proceedings where compliance is a central issue and make timely remediation where compliance failures have occurred.
The international corporate compliance landscape is vast, and it is beyond the scope of this chapter to examine in detail the legal and regulatory requirements across all sectors and jurisdictions. This chapter focuses principally on the UK position concerning offences and defences, and reviews the key areas of risk arising from compliance failures and available corporate defences. It draws on the compliance guidance in the United Kingdom and the United States and analyses the impact of compliance on investigatory outcomes. It explores the interplay between culture and compliance, the merits of the US Foreign Corrupt Practices Act (FCPA) Opinion Procedure and, finally, draws on the compliance lessons arising from a variety of UK and US cases.
Practitioners should be mindful of the breadth of compliance issues that may be engaged in a number of jurisdictions in any single investigation, particularly when dealing with multinational corporates operating in high-risk sectors. The insight provided by the UK and US guidance, and the lessons learned from the outcomes to date, may also resonate in other jurisdictions, particularly in cross-border investigations.
46.2 UK criminal liability for corporate compliance failures
46.2.1 Section 7 Bribery Act 2010
The implementation of the section 7 offence in July 2011 represented a move away from corporate criminal liability via ‘the identification principle’ towards liability through ‘failure to prevent’ offences.2 By section 7(1) Bribery Act 2010, a ‘relevant commercial organisation’3 commits an offence if a person associated with it bribes another person intending to get or keep business, or an advantage in the conduct of business, for the organisation. However, by section 7(2), a company can rely on compliance as a defence to a criminal offence. An organisation that had ‘adequate procedures designed to prevent persons associated with [the organisation] from undertaking such conduct’ will have a defence to the section 7 offence.
The majority of section 7 cases in England have been resolved through deferred prosecution agreement (DPA). The Crown Court has approved DPAs for section 7 offences between the Serious Fraud Office (SFO) and Standard Bank plc,4 Sarclad Ltd,5 Rolls-Royce plc and Rolls-Royce Energy Systems Inc,6 Güralp Systems Ltd,7 Airbus SE,8 Airline Services Ltd,9 Amec Foster Wheeler Energy Ltd10 and two other companies (AB Ltd and CD Ltd11). One company, Sweett Group plc,12 has pleaded guilty to a section 7 offence. There has been just one contested section 7 prosecution in a Crown Prosecution Service (CPS) case against Skansen Interiors Ltd,13 where Skansen pursued an adequate procedures defence but was subsequently convicted.
46.2.2 Sections 45 and 46 Criminal Finances Act 2017
The Criminal Finances Act 2017 introduced the offences of failure to prevent the facilitation of UK tax evasion and failure to prevent the facilitation of foreign tax evasion. These offences hold a ‘relevant body’14 criminally liable when a person associated with it commits either a UK tax evasion facilitation offence (pursuant to section 45) or a foreign tax evasion facilitation offence (pursuant to section 46). In respect of the section 46 offence, one of three alternative jurisdiction conditions15 must also be satisfied.
Compliance-based defences are available for both offences16 if the corporate defendant can prove that ‘it had in place such reasonable prevention procedures it was reasonable in all the circumstances to have in place’ or ‘that it was not reasonable in all the circumstances to expect [the relevant body] to have any prevention procedures’.
To date there have been no prosecutions for either of these offences. As at 27 May 2021, there were 14 live investigations with a further 14 ‘opportunities’ under review across 10 business sectors, including financial services, oils, construction, labour provision and software development embracing a full range of corporate entities from small businesses through to some of the United Kingdom’s largest organisations.17
46.2.3 Compliance-based distinctions between failure-to-prevent offences
A distinction between the failure-to-prevent offences in the Bribery Act and Criminal Finances Act, which otherwise follow a similar concept of corporate criminal liability, is found in the description of the standard of prevention procedures governing the availability of the statutory defences, namely ‘adequate procedures’ compared to prevention procedures that are ‘reasonable in all the circumstances’. It has been argued that the ‘adequate procedures’ standard might be considered a stricter standard, with the effect that where an underlying bribery offence is proved, the prevention procedures must of necessity not have been ‘adequate’. This might be the case notwithstanding the presence of procedures that were ‘reasonable in all the circumstances’ but were circumvented on a particular occasion. Given this potential unintended consequence, attempts were made to replace ‘adequate procedures’ with ‘reasonable procedures in all the circumstances’ during the passage of the Bribery Bill through Parliament, but these were unsuccessful. The argument was revisited in post-legislative scrutiny by a House of Lords select committee.18 The committee decided that the danger of an overly strict interpretation of ‘adequate procedures’ was unlikely, and statutory amendment of section 7(2) was unnecessary. However, it did recommend changes to the Bribery Act Guidance19 ‘to draw attention to the different wording in the Criminal Finances Act 2017 and in the HMRC Guidance to that Act, and to make clear that “adequate” does not mean, and is not intended to mean, anything more stringent than “reasonable in all the circumstances”’.
There has been no change to the Bribery Act Guidance in this, or any other respect. Another relevant distinction is that the Criminal Finances Act offences specifically contemplate and provide for a defence in circumstances in which it is reasonable for a corporate to have no prevention procedures in place.
46.2.4 Regulation 86 Money Laundering Regulations 2017
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLTF Regulations) target the ‘gatekeepers’ of the UK financial system. These ‘relevant persons’20 must have policies, controls and procedures to mitigate the risks of money laundering and terrorist financing.
The MLTF Regulations are deliberately non-prescriptive. They require corporates to tailor their compliance policies according to their individual risk-profile. The requirements extend to ensuring that employees and agents (at group and subsidiary level) are aware of the law relating to money laundering and terrorist financing, are trained appropriately and take proportionate steps to reduce the risks within the ordinary course of their relevant business activities.
Failure to comply with the requirements of the MLTF Regulations is a criminal offence.21 In deciding whether a corporate has committed an offence, the court will consider whether it followed any relevant guidance, including from the Financial Conduct Authority (FCA) and other supervisory authorities. No offence is committed where a corporate can demonstrate that it took ‘all reasonable steps’ and ‘exercised all due diligence’ to avoid committing it.22
To date, there have been very few criminal convictions for a breach of the MLTF Regulations.23
46.3 UK regulatory liability for corporate compliance failures
46.3.1 The FCA
The FCA Principles24 embody the fundamental precepts that regulated businesses are expected to uphold. Firms must conduct their business with integrity (Principle 1) and due skill, care and diligence (Principle 2), and take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems (Principle 3).
In addition to the Principles, the FCA Handbook contains a number of binding rules relevant to corporate compliance. Commentary on the relevant guidance provided by the FCA is set out below.
Under the Financial Services and Markets Act 2000 (FSMA), the FCA has an extensive range of disciplinary, criminal and civil powers to take action against businesses and individuals that fail to meet the required standards. These include withdrawing a firm’s authorisation, suspending a firm from undertaking specified regulated activities, imposing a financial penalty and pursuing a criminal prosecution.
The FCA is principally active in the civil enforcement regime. For example, in February 2019, the FCA fined Standard Chartered Bank (SCB) over £102 million for breaches of the Money Laundering Regulations 2007.25 The FCA found that SCB had failed to establish and maintain adequate risk-sensitive policies and procedures and failed to apply UK-equivalent anti-money laundering (AML) standards to its branches and subsidiaries outside the European Economic Area, specifically within the United Arab Emirates. One of the key aggravating features in SCB’s case was that its breaches occurred against a backdrop of ‘heightened awareness’ of deficiencies in its global financial controls. As early as 2013, group internal audit had identified that weaknesses in the escalation of AML risks from country to group level were impeding the board’s ability to exercise adequate oversight of AML controls.26
46.3.2 Other professional regulators, specialist regulators
Practitioners should be aware that sector-specific and profession-specific regulators have also taken enforcement action against those they regulate for compliance breaches. These include the Financial Reporting Council, the Solicitors Regulation Authority, the Gambling Commission and the Groceries Code Adjudicator, to name but a few.
46.4 Compliance guidance
There is a wealth of compliance guidance available in the United Kingdom and the United States. The core guidance is summarised below and, as will be seen, there are a number of overlapping principles, with a particular focus on the importance of organisations having proportionate, risk-based procedures in place.
46.4.1 Examples of UK guidance
46.4.1.1 Bribery Act
The Ministry of Justice (MOJ) has published statutory guidance27 addressing procedures that organisations can implement to prevent bribery.28 The guidance aims to assist practitioners to assess or develop a compliance framework but is clear that whether any set of procedures is adequate for the purposes of the section 7 defence is a question of fact that can only be resolved by the courts.
The guidance is aimed at businesses of all sizes operating across all sectors and markets29 and is founded on the following six principles, which are intended to be flexible and focused on outcomes.
- Proportionate procedures: Procedures should be proportionate to the level of bribery risk faced by each organisation, taking into account the nature, scale and complexity of that organisation’s activities. They must be clear, practical, accessible, and effectively implemented and enforced.
- Top-level commitment: There must be a clear and demonstrable commitment to preventing bribery at the most senior levels. Top-level management must involve themselves in anti-bribery procedures, foster a culture of integrity and communicate, internally and externally, that bribery will never be accepted.
- Risk assessment: Organisations should regularly undertake an informed evaluation of the nature and extent of their bribery risk. These should address external risk (including country, sectoral, transaction, business opportunity and business partnership risk) and internal risk (including evaluating the sufficiency of employee training, skills and knowledge; bonus culture; gifts and hospitality policy; financial controls and the tone from the top).
- Due diligence: To mitigate bribery risk, due diligence must be applied (taking a proportionate and risk-based approach) to any persons who will or do perform services for or on behalf of the company. Due diligence should address the types of external and internal risk considered in regular risk assessments. This is particularly important where the use of third-party intermediaries is contemplated.
- Communication: Policies and procedures must be well embedded through internal and external communication and regular training. The principle of proportionality applies.
- Monitoring and review: Organisations should keep under close review whether their procedures are still fit for purpose, having regard to any changes to the bribery risk faced or the nature and scale of their business.
Underpinning each principle is the need to document all steps taken to ensure that, in the event of an investigation, organisations can demonstrate that clear steps were taken to design and implement robust and appropriate procedures.
46.4.1.2 HMRC Facilitation of Tax Evasion Guidance
Guidance was published in September 2017 in respect of the Criminal Finances Act 2017 offences.30 Critically it recognises that ‘any regime that is risk-based and proportionate cannot also be a zero failure regime. If a relevant body can demonstrate that it has put in place a system of reasonable procedures that identifies and mitigates its tax evasion facilitation risks, then prosecution is unlikely as it will be able to raise a defence’. This offers reassurance that a corporate that produces reasonable procedures proportionate to its own risk will be protected from criminal prosecution and acts as a strong incentive to implement them. However, the emphasis is placed very specifically on accurate self-assessment and addressing of risk. It warns that it is not intended to provide ‘safe-harbour’ and makes clear ‘even strict compliance with this guidance will not necessarily amount to having reasonable procedures, where the relevant body faces particular risks arising from the unique facts of its own business that remain unaddressed’.
The guidance is formulated around the same six guiding principles articulated in the Bribery Act Guidance. It puts considerable onus on a corporate to utilise the guidance and apply it meaningfully to its own circumstances, which will be affected by its size, nature and sector of business, and complexity and location of operations. It expressly does not provide a checklist and should ‘be used to inform the creation of bespoke prevention procedures designed to address a relevant body’s particular circumstances and the risks arising from them’.
The guidance is detailed and specific, in part owing to the more complex assessment of criminal liability under sections 45 and 46 of the Criminal Finances Act 2017, and because it builds on some of the more generic articulations of compliance guidance found elsewhere. For example, the articulation of commonly encountered risks from a tax fraud perspective is practical and useful as a starting point to prompt corporates and their advisers in their approach to risk assessment.
46.4.1.3 FCA Guidance – Financial Crime Guide and other sector-specific guidance
The various sources of FCA guidance are another useful tool in this field. A good starting point is Chapter 6 of the Senior Management Arrangements, Systems and Controls Sourcebook.31 This provides ‘organisational and systems and control requirements for all firms’. However, the principal detailed source of guidance the FCA provides on this is its Financial Crime Guide.32 This comprehensive document draws on the FCA Financial Crime Thematic Reviews33 to address risk in the specific areas of money laundering and terrorist financing, fraud, data security, bribery and corruption, sanctions and asset freezing, insider dealing and market manipulation.
The guidance is non-binding, but, where it is obviously appropriate for a corporate to address a particular risk, adherence to FCA guidance is likely to be beneficial generally and may be viewed favourably by UK law enforcement in the event of an investigation.
The thematic reviews are specific to certain business types, sizes or sectors, but are of more general assistance. Any corporate reviewing its compliance and procedures in a particular area of risk is likely to benefit from consulting any thematic review relevant to that risk area, even if its business does not sit in the reviewed sector.34
Another useful source of guidance for those responsible for compliance are the ‘Dear CEO’ warning letters the FCA issues with increasing frequency. For example, the FCA recently wrote to the chief executives of retail banks to share common themes arising out of its assessments of financial crime systems and controls within that sector.35
46.4.1.4 Joint Money Laundering Steering Group guidance
The Joint Money Laundering Steering Group (JMLSG) guidance36 is aimed at firms operating under the auspices of the JMLSG’s 14 UK trade association member bodies, in addition to those regulated by the FCA. It is approved by HM Treasury and is therefore relevant for the offences under the Proceeds of Crime Act 2002 (regulated sector) and Regulation 86 of the MLTF Regulations.
While it is not legally binding, firms ‘will have to stand prepared to justify departures’ from the guidance, which is split into three parts. Part I contains guidance relevant to all firms operating across the UK financial sector. Parts II and III provide additional sector-specific guidance.
The focal point of the JMLSG guidance is the responsibility of senior managers, including the money laundering reporting officer, to identify, assess and effectively manage money laundering risks across different aspects of their businesses. The JMLSG emphasises that there are many similarities between the strategies adopted by businesses to combat money laundering and other types of financial crime, such as fraud and market abuse, and recommends fostering ‘strong links’ between those responsible for managing and reporting on these various areas of risk.
The JMLSG guidance is clear that there is no one-size-fits-all approach and policies and procedures should be proportionate to the size and nature of the relevant business. There are strong parallels with the MOJ’s six principles.
46.4.1.5 SFO Guidance on Evaluating a Compliance Programme
The SFO has published its internal guidance on how it will evaluate the effectiveness of an organisation’s compliance programme.37 This evaluation will be key in its determination whether a prosecution is in the public interest. Such assessment will be arranged around the MOJ’s six principles, which the SFO recognises represent ‘a good general framework for assessing compliance programmes’.38
In its guidance, the SFO recognises that appropriate compliance arrangements will vary, but states there is an expectation that all organisations, irrespective of size, will have at least some compliance arrangements in place. A compliance programme cannot be a ‘paper exercise’ and, to be effective, must be proportionate, risk-based and regularly reviewed.
The SFO does not state what it will consider adequate, having made clear previously that this is not its role. Each case will be assessed on its facts taking into account the company’s risk profile and the steps taken to mitigate that risk.
Finally, the SFO states that in assessing an organisation’s compliance programme it will look at the past (i.e. what was in place at the time of the alleged offence), the present and, where a DPA is being considered, the future. This emphasises the importance of commencing immediate remediation when potential criminal issues arise. Importantly, the SFO also foreshadows a move towards the use of corporate monitors stating that any DPA that includes terms relating to an organisation’s compliance programme is ‘likely to include a monitor being appointed at the organisation’s expense’.39
46.4.2 Examples of US-based guidance
46.4.2.1 Joint SEC and DOJ Resource Guide
In July 2020 the Enforcement Division of the Securities and Exchange Commission (SEC) and the Criminal Division of the US Department of Justice (DOJ) produced an updated (from 2012) version of the Resource Guide to the US Foreign Corrupt Practices Act (FCPA),40 describing it as ‘one of the most thorough compilations of information about any criminal statute’.41 Chapter 5 ‘Guiding Principles of Enforcement’ includes sections on ‘Hallmarks of Effective Compliance Programs’ and ‘Other Guidance on Compliance and International Best Practice’. Unsurprisingly, given the risk area under consideration, the Guide pays particular attention to ‘Third Party Due Diligence and Payments’ and offers three guiding principles when assessing due diligence in this area:
- Identity: A careful assessment of the identity of the third party; its qualifications and associations;
- Rationale: A clear understanding of a legitimate business rationale for the use of the third party in any piece of business it is involved in. This is likely to include information as to specificity of services, payment commensurate to the services undertaken, proof of work undertaken and payment terms and mechanisms which are regular and verifiable;
- Ongoing Monitoring: examples provided are periodic updating of due diligence, exercising audit rights, periodic training and annual compliance certification.
In addition to a worked-through hypothetical example involving third-party vetting, this Guide also directs corporates to the DOJ Criminal Division guidance on Evaluation of Corporate Compliance Programs, other US government departments’ guidance and well-regarded international guidance such as that provided by the OECD and the World Bank.42
46.4.2.2 US DOJ Criminal Division: Evaluation of Corporate Compliance Systems
This recently updated guidance issued by the DOJ’s Criminal Division is another useful resource.43 It sits as guidance across the whole of the division and is, therefore, applicable to other corporate offences as well as FCPA matters. It is more informative than the SFO’s guidance, although the underlying principles significantly overlap. The DOJ guidance can also assist UK practitioners in discussions with the SFO about compliance-related issues in the course of DPA negotiations. The guidance comprehensively addresses how the DOJ will measure compliance programmes by reference to three key questions (sourced from the DOJ’s Justice Manual) and is a useful reference for practitioners drafting or updating compliance programmes or considering potential outcomes and remediation in an investigation.
Is the programme well designed?
The DOJ will consider the quality of a company’s risk assessment, policies and procedures, and training and communication; the existence and effectiveness of a confidential reporting mechanism; the application of risk-based due diligence to third-party relationships; and, where relevant, appropriate procedures to address mergers and acquisitions risk.
Is it being applied earnestly and in good faith?
The DOJ will focus on whether the compliance programme is well resourced and empowered to function effectively. This will entail a review of senior and middle management commitment and oversight; whether the compliance function can operate autonomously and with suitable resources; a comparison of the seniority and stature of the compliance function with other strategic functions within the company and the existence of incentives for compliance and disincentives for non-compliance.
Does it work in practice?
The DOJ will assess whether the programme has been periodically tested, reviewed and improved, including how the organisation measures its compliance culture. It will evaluate a company’s investigations structure, its ability to conduct a root cause analysis of misconduct and whether root causes have been remedied in an appropriate and timely manner.
46.4.2.3 US DOJ Antitrust Division: Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigation
This complementary guidance in the antitrust risk area poses the same three questions identified in the Criminal Division’s Guidance and provides specific guidance from the context of ‘criminal violations of the Sherman Act such as price fixing, bid rigging and market allocations’.44
46.4.2.4 DOJ FCPA Opinion Procedure
In addition to published guidance, the US system also affords companies the ability to request a formal opinion from the DOJ, as to whether a contemplated course of conduct will conform to its current enforcement policy under the FCPA. This mechanism is known as seeking an FCPA opinion.
The applicable regulations are clear that an FCPA opinion may only be sought in respect of ‘prospective – not hypothetical – conduct’.45 That is to say, ‘the entire transaction which is the subject of the request must be an actual . . . transaction’.46 While it may contain an element of historical conduct ‘in most – if not all – instances, an Opinion request should be made prior to the requester’s commitment’ to proceeding with the transaction in question.47
FCPA opinions are available to ‘issuers and domestic concerns’, which includes individuals who are US citizens, nationals or residents and corporations and partnerships that have their principal place of business in the United States, or which are organised under US law.48
An affirmative FCPA opinion creates a rebuttable presumption in any subsequent action brought by the DOJ under the relevant provisions of the FCPA49 that the requester’s conduct, as specified in the request, is in conformity with the DOJ’s enforcement policy and the relevant provisions of the FCPA.50 Such a presumption may be rebutted by ‘a preponderance of the evidence’51 and does not ‘bind or obligate’ any agency other than the DOJ, nor does it alter the requester’s accountancy obligations.52
The most recent opinion was issued on 14 August 202053 after a gap of nearly six years, which is the longest period of inactivity since the inception of the procedure in 1980. This gap raises issues as to the extent of the availability of opinions under the procedure and whether this potentially valuable procedure will be more frequently used in the future.
The DOJ confirmed that it would not bring enforcement proceedings in relation to a proposed fee of US$237,500 to be paid to a wholly owned subsidiary of a foreign investment bank by a multinational firm headquartered in the United States. Compliance and due diligence issues featured heavily in the rationale for the opinion. In granting the Opinion, the DOJ placed reliance on the identification of specific legitimate services in respect of the fee, the commercially reasonable and commensurate nature of the fee to the services rendered and the representations from the chief compliance officer of the entity receiving the payment that the monies will not be forwarded to any entity or individual or used to benefit any individual. This is a clear example of the Opinion Procedure in action and is likely to be of wider use to corporates, beyond the original corporate requester, seeking to understand how the guidance might apply to a set of facts under investigation.
46.5 The interplay between culture and effective compliance
The effectiveness of an organisation’s compliance programme is intrinsically linked to its culture. This is recognised in the US Sentencing Guidelines Manual, which states that, to have an effective compliance and ethics programme, an organisation shall ‘promote an organisational culture that encourages ethical conduct and a commitment to compliance with the law’.54
Culture, which is defined by the FCA as ‘the habitual behaviours and mindsets that characterise an organisation’,55 significantly impacts compliance in several ways. It will influence whether compliance programmes are implemented and applied effectively; in the event of misconduct, it will have a bearing on the availability of a compliance-based defence to the company; and it will ultimately influence the type of resolution available to the organisation and the terms of that resolution.
The rule-based nature of compliance means that it is more likely that those rules will be ignored or circumvented where a defective organisational culture exists. The FCA has found that ‘culture in financial services is widely accepted as a key root cause of the major conduct failings that have occurred within the industry in recent history’.56 Similarly, failures in culture have been at the heart of many of the SFO’s DPA resolutions where criticism has been made of corporates who have failed ‘to instil within the wider business a culture of compliance’.57 In some cases there has been a culture of pressure to meet targets58 and in others a ‘culture of wilful disregard of the commission of offences’59 with the consequence that rules were ignored or internal and external compliance procedures deliberately circumvented.60 In the case of Airline Services Ltd, the court noted that the company’s senior management failed to implement an effective compliance programme, despite receiving a guide and recommendations.61
As is apparent from all the available guidance, even if misconduct does occur, an organisation that has fostered a culture of integrity is more likely to be successful in demonstrating the adequacy of its procedures, assuming it can evidence its efforts to do so.62 The CPS prosecution of Skansen (the only contested adequate procedures case to date) is instructive in this regard. Skansen relied on its culture of honesty and integrity as part of its adequate procedures defence but faced evidential difficulties owing to its failure to document its attempts to implement compliance procedures and instil a culture of compliance.
Finally, culture is an important driver in the outcome of any investigation. Genuine attempts by a corporate to change its culture and focus on compliance are factors the court will consider when determining whether a DPA is in the interests of justice.63 Effecting culture change is also key to remediation and ensuring that similar misconduct will not occur again. In the United States, cultural change is a common feature of compliance monitorships, and the DOJ has made plain that changes in culture, particularly where there has been a change in leadership, may be sufficient to guard against future misconduct and may avoid the need for a monitor at all.64 This was the case for gold refinery Republic Metals Corporate (RMC) who entered into a non-prosecution agreement (NPA) with the DOJ in 2019 following an investigation into money laundering and violations of the Bank Secrecy Act. RMC avoided the imposition of a monitor with the DOJ citing its ‘significant efforts to create a culture of proper compliance’.65
46.6 The impact of compliance on prosecutorial decision-making
The available guidance and resolutions to date demonstrate the correlation between effective compliance and the response of enforcement to address alleged corporate offending.
In its compliance guidance, the SFO is clear that its assessment of a corporate’s compliance programme will be a critical consideration in determining whether (1) a prosecution is in the public interest, (2) the organisation should be invited into DPA negotiations, and what conditions the DPA should include, (3) the ‘adequate procedures’ defence is available in the case of a section 7 offence, and (4) it reflects greater or lesser culpability in terms of sentencing.
Similarly, in the United States, the joint DOJ/SEC Resource Guide to the US FCPA directs readers to the US Justice Manual: ‘A prosecutor may also consider other remedial actions, such as improving an existing compliance program or disciplining wrongdoers, in determining whether to charge the corporation and how to resolve corporate criminal cases’.66 The potential impact of a positive corporate culture is reiterated in the Justice Manual’s comment: ‘In determining whether or not to prosecute a corporation, the government may consider whether the corporation has taken meaningful remedial measures. A corporation’s response to misconduct says much about its willingness to ensure that such misconduct does not recur.’67
Decision to prosecute
Compliance features in a number of ways in the decision to prosecute. The UK Guidance on Corporate Prosecutions states that it will be a public interest factor tending towards prosecution if, at the time of the alleged offence, an ineffective compliance programme was in place.68 Conversely, the existence of a genuinely proactive and effective compliance programme will militate against prosecution. Prosecutors will also undertake a qualitative evaluation of steps taken by a corporate to remediate and enhance its compliance programme. The UK FCA, in its Enforcement Guidance, places similar emphasis on the ability of a firm to demonstrate that it has taken appropriate remedial action, such as addressing any systems and controls issues.69
In considering whether to prosecute failure-to-prevent offences, the prosecutor will evaluate whether an adequate procedures or reasonable procedures defence is available to the corporate and the likelihood of its success at trial.
Unlike the United Kingdom, the United States has a formal and public process of declinations that allows for agreed specific improvements to compliance processes, as well as other remediation terms (such as restitution and disgorgement) as factors on which the decision not to prosecute is based. For example, the declination in respect of World Acceptance Corporation issued in August 2020 cited ‘World’s full remediation, including the additional FCPA training added to World’s compliance program, separation from executives under whom the misconduct took place and discontinuing relationships with third parties in Mexico involved in the misconduct’ as one of the five factors on which the decision was based.70
DPA considerations
Whether an organisation had an effective compliance programme is similarly relevant to deciding whether to invite a corporate to enter into a DPA, as is a corporate’s ability to demonstrate that it has willingly taken remedial action to reform and rehabilitate. The likely terms of a DPA are also closely tied to this issue, in particular regarding the appointment of a monitor.
Paragraph 7.11 of the UK DPA Code of Practice71 articulates the (sometimes delicate) balance involved in determining whether a monitorship will be appropriate:
‘An important consideration for entering into a DPA is whether [the corporate] already has a genuinely proactive and effective corporate compliance programme. The use of monitors should therefore be approached with care. The appointment of a monitor will depend upon the factual circumstances of each case and must always be fair, reasonable and proportionate.’
Therefore, at the time the terms of a DPA are agreed, a close analysis can be expected of specific remediation undertaken at that point, in the context of the corporate’s overall compliance culture, to determine the most appropriate compliance-related terms of the DPA.
Determining financial penalty
The quality of a compliance programme is also relevant to the determination of any financial penalty, either as a term of a DPA or on sentencing, and will form part of the court’s assessment of the corporate’s culpability. In particular, in the United Kingdom for section 7 offences, evidence of a culture of wilful disregard of the commission of offences by employees or agents, with no effort to put effective preventative systems in place, will indicate high corporate culpability, while some effort to do so may indicate lesser culpability. The level of fine imposed may also be adjusted to avoid any negative impact on the company’s ability to implement an effective compliance programme going forward.
46.7 Key compliance considerations from previous resolutions
In the United Kingdom, organisations can derive some assistance about what makes for effective compliance from concluded section 7 criminal investigations and FCA regulatory outcomes. However, this is an evolving area and, for example, what constitutes adequate procedures has not been properly tested. The only contested section 7 case is the successful CPS prosecution of Skansen, which provides little insight into the application of the statutory defence except for the importance of documenting compliance efforts. Furthermore, many investigations were resolved by DPA, meaning that the companies accepted that their procedures were not adequate, removing the need for the courts to test the issues.
In the United States, there is a more extensive body of declinations, DPAs and NPAs, in which the principles and guidance in respect of corporate compliance and due diligence have been put into effect.
The compliance deficiencies identified and explained in these cases assist in drawing the following lessons, applicable to all areas of legal risk.
- Policies and procedures: Should be carefully tailored to the corporate’s individual risk profile in a specific area. This is a recurring theme in all of the guidance and the failure to do so, resulting in a failure to prevent the criminal risk, features in many of the DPA and final notice cases.
- Compliance functions: Should be independent, well resourced and empowered.
  - Independence: Both Rolls-Royce and Airbus restructured their compliance units to ensure functional independence from the business, including reorganisation of reporting lines. Similarly, Tesco plc72 simplified reporting lines to ensure that there was clearer accountability and that those who had oversight of the business were independent from those that led it. Although these were steps taken by large multinational organisations, the principle has equal importance for small and medium-sized enterprises (SMEs), where fewer checks and balances tend to exist and a smaller group of individuals will control the business. Conversely, a failure to address this issue was a factor in the prosecution of Siemens in the United States in 2008. The information upon which Siemens’ guilty plea was based cited an under-resourced corporate compliance function and ‘an inherent conflict in its mandate, which included both defending the company against prosecutorial investigations and preventing and punishing compliance breaches’.73
  - Resourcing: A common feature of remediation in the DPAs is the increase in compliance resourcing.74 The DPAs indicate that SMEs can take a proportionate approach to resources and that the SFO and court will be willing to take into account size and means. For example, it was sufficient for SMEs Sarclad and Güralp Systems to undertake their DPA compliance reviews internally,75 while listed companies Standard Bank and Tesco agreed to instruct leading accountancy firms as a term of their DPAs.
  - Empowerment: In both the Rolls-Royce and Airbus UK DPAs, compliance teams were not ‘empowered to function effectively’76 and, as a consequence, concerns raised by compliance staff were ignored or overruled. For a compliance function to be empowered, a true culture of compliance, led from the top, must be instilled. This will embrace the ‘top level commitment’ principle in the Bribery Act guidance. Empowerment will be easier to achieve if the compliance function is independent and well resourced.
- Compliance functions should be fully integrated across a group structure: Organisations must ensure that compliance procedures are applied across the group and that checks are in place to ensure that key processes are not overlooked. This is particularly important where complex multi-jurisdictional structures are involved. This issue arose in Standard Bank, in which two subsidiaries77 of Standard Bank Group collaborated to raise funds on the debt capital markets for the government of Tanzania. Although both Standard Bank and Standard Bank Group had a number of committees, policies and procedures in place to prevent bribery, the SFO found the applicable policies to be unclear and not reinforced effectively through communication. Further, training had provided insufficient guidance about applicable anti-bribery obligations and procedures where two Standard Bank Group entities were involved in a transaction and one engaged an intermediary. A more sophisticated approach is likely to be required where multi-disciplinary compliance functions require integration by the corporate. In the US Airbus DPA, the statement of facts noted that one of the factors that had resulted in Airbus’ violation of the ITAR (International Traffic in Arms Regulations) was ‘the Company structuring the compliance function as separate and siloed from business sales and the export compliance function, which prevented accurate ITAR compliance’.78
- M&A risk should be adequately assessed: Where relevant, organisations should ensure that their compliance programmes address M&A activity. In Sarclad, Heico Companies LLC had acquired Sarclad in February 2000. While there is no suggestion of compliance failures on Heico’s part,79 it does raise the question of what compliance steps Heico might take if the acquisition took place now. Pre-acquisition due diligence is a common feature of compliance programmes, but companies should also design processes for the full, effective and timely integration of compliance procedures post-acquisition.80
- Intermediary relationships are very high risk: Organisations should pay particular attention to compliance processes in respect of intermediaries. Eight of the nine section 7 DPAs81 have involved intermediaries, and they also featured in the SFO’s prosecution of Alstom.82 By the time the court approved the Rolls-Royce DPA, the company had already addressed the potential risks arising from its use of intermediaries through the review of 250 such relationships across the organisation, resulting in the suspension of 88 intermediaries. In its final notice to JLT Speciality Ltd,83 the FCA noted that an element of the breach of Principle 3 was that there was no separate assessment of risk in respect of each new piece of business introduced by the intermediary, meaning the company could not ensure it took sufficient steps to counter the risk of bribery and corruption. There should be ongoing scrutiny of any intermediary relationship, including whether it remains necessary, and a rigorous assessment of the compliance function that reviews it.
- Act on warnings and learn from past mistakes: A failure to act on early warnings or improve systems and controls following a previous incident may be an aggravating feature in determining outcome and penalty. This was the case for SCB, which did not act on AML weaknesses identified by Group Internal Audit, although doing so may have prevented the breach. However, the Rolls-Royce UK DPA was approved by the court, notwithstanding criminal investigations in different countries that indicated the presence of these failures. The issue was relevant to the overall balancing exercise of whether a DPA was in the public interest, but on this occasion Rolls-Royce benefited from a DPA in any event.
- Proactive self-assessment is beneficial: Corporates should be prepared for an improved compliance programme to surface current or historic issues, which may require consideration of a self-report. This was the case for Heico when it integrated its compliance programme into Sarclad. For those organisations that do discover potential misconduct, it is apparent from an analysis of each DPA that it is less likely that an independent reviewer or monitor will be imposed where corporates have engaged in proactive remediation. Rolls-Royce and Airbus had each retained and acted on the recommendations of an independent reviewer prior to the court’s consideration of the terms of their DPAs. Equally, the Serco Group84 had implemented a comprehensive corporate renewal programme. As a term of their DPAs, Rolls-Royce and Airbus were allowed to continue with their choice of independent reviewer, and the Serco Group was given responsibility for the review of its own group-wide compliance programme. However, this should be contrasted with the outcome for G4S, which, despite extensive remediation, had stringent compliance conditions imposed as a term of its DPA, including the appointment of an SFO-approved reviewer at the company’s expense. This appointment constitutes the closest the SFO has come to requiring the appointment of a US-style monitor to date. Conversely, any corporate that fails to identify its failings in this area, or worse, fails to respond adequately to intervention by law enforcement or regulators, should expect a more severe outcome in the event of prosecution or regulatory action. For example, the final notice issued to Besso Ltd85 for breaches of Principle 3 identified, as an aggravating feature, a failure to take sufficient or timely steps to remedy shortcomings in its bribery and corruption risk systems and controls after two visits from the FCA to inspect them.
In the United States, where declination is available to law enforcement, the benefits of proactive self-assessment may be even greater. Invariably, the DOJ FCPA declinations cite ‘the steps that the Company has taken to enhance its compliance program and its internal accounting controls’ as a factor contributing to the decision not to prosecute.86
- A comprehensive documentary record of all compliance processes is essential and promotes good practice: From an investigations perspective, a solid evidential basis for defending potential enforcement action is critical. A good quality record of the implementation of compliance processes is likely to be the best evidence of this.
46.8 Conclusion
Effective compliance is critical to mitigating the risk of financial crime or misconduct within organisations. While compliance programmes cannot prevent isolated incidents of misconduct, an organisation that has sought to implement robust, risk-appropriate compliance procedures stands a better chance of demonstrating the sufficiency of those procedures and securing a favourable outcome, particularly where it has done so in the context of a positive culture of corporate integrity. In the event of a suspected breach, as part of the investigation, corporates should be ready to evidence a proportionate and risk-based approach to compliance, driven by senior management, where risk assessments and procedures have been regularly reviewed, staff are adequately trained and the procedures have been fully and properly implemented.
Footnotes
1 Alison Pople KC is a barrister at Cloth Fair Chambers. Johanna Walsh is a partner, and Mellissa Curzon-Berners is an associate, at Mishcon de Reya LLP.
2 On 3 November 2020, the UK Ministry of Justice published the government’s response to its ‘Corporate liability for economic crime: call for evidence’, which ran between January 2017 and March 2017. It reported that the evidence received was inconclusive and that the government was not persuaded there was a sufficient evidence base on which to make immediate legislative change. Instead, in November 2020, the government asked the Law Commission to examine the issue of corporate criminal liability and provide an assessment of the different options for reform. On 9 June 2021, the Law Commission published ‘Corporate Criminal Liability: A discussion paper’, which invites responses to 13 questions for discussion. Following the consultation, the Law Commission will proceed to policy development and advice to government, https://s3-eu-west-2.amazonaws.com/lawcom-prod-storage-11jsxou24uy7q/uploads/2021/06/Corporate-Criminal-Liability-Discussion-Paper.pdf.
3 A ‘relevant commercial organisation’ is defined at s.7(5) Bribery Act as a body or partnership that is incorporated or formed in any part of the United Kingdom irrespective of where it carries on a business, or any other incorporated body or partnership which carries on a business or part of a business in the United Kingdom irrespective of the place of incorporation or formation.
4 SFO v. Standard Bank plc (now ICBC Standard Bank plc), Crown Court (Southwark), 30 November 2015 [2016] Lloyd’s Rep FC 102 (Standard Bank).
5 SFO v. Sarclad Ltd, Crown Court (Southwark), 8 July 2016, Case No. U20150856 (Sarclad).
6 SFO v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc, Crown Court (Southwark), 17 January 2017 [2017] Lloyd’s Rep FC 249 (Rolls-Royce).
7 SFO v. Güralp Systems Ltd, Crown Court (Southwark), 22 October 2019 [2020] Lloyd’s Rep FC 90 (Güralp).
8 SFO v. Airbus SE, Crown Court (Southwark), 31 January 2020, Case No. U20200108 (Airbus).
9 SFO v. Airline Services Limited, 30 October 2020, Case No. U20201913 (Airline Services Ltd).
10 SFO v. Amec Foster Wheeler Energy Limited, 1 July 2021 (Amec Foster Wheeler).
11 The final hearing was concluded on 19 July 2021 at the Royal Courts of Justice (listed as SFO v. AB Ltd and CD Ltd). Reporting restrictions apply under the Contempt of Court Act 1981 in respect of aspects of these proceedings. The full documentation (deferred prosecution agreements, statements of facts and judgment) will only be published once those restrictions have been lifted.
12 R. v. Sweett Group plc (unreported).
13 R. v. Skansen Interiors Ltd (unreported) (Skansen).
14 A ‘relevant body’ is defined at s.44(2) as a body corporate or partnership (wherever incorporated or formed). Partnership is separately defined at s.44(3).
15 As set out in Criminal Finances Act 2017, s.46(2).
16 See ibid., ss.45(2) and 46(3).
17 See HMRC Freedom of Information Act release dated 26 May 2021 on the number of live corporate criminal offences investigations.
18 House of Lords Select Committee on the Bribery Act 2010, report of Session 2017-19 ‘The Bribery Act 2010: post-legislative scrutiny’.
19 Ministry of Justice guidance on the Bribery Act 2010 issued pursuant to s.9 of that Act.
20 Regulations 3(1) and 8 – A firm will be a ‘relevant person’ if it falls within the MLTF Regulations’ definitions of (1) credit institutions, (2) financial institutions, (3) auditors, insolvency practitioners, external accountants and tax advisers, (4) independent legal professionals, (5) trust or company service providers, (6) estate agents and lettings agents, (7) high value dealers, (8) casinos, (9) art market participants, (10) cryptoasset exchange providers, and (11) custodian wallet providers.
21 Regulation 86.
22 Regulation 86(3).
23 HM Treasury reported three convictions in cases brought by HMRC in its ‘Anti-money laundering and counter-terrorist financing: supervision report 2018-2019’, published August 2020. The limited number of prosecutions may be set to change. In its 2020/21 Business Plan, the FCA emphasises a shift in focus towards firms that fail to meet the required standards. Following this, on 16 March 2021, the FCA announced that it had launched criminal proceedings against National Westminster Bank plc in respect of offences under the Money Laundering Regulations 2007. This is the first prosecution brought by the FCA in respect of these regulations. Similarly, in its consultation on the 2020–2023 Business Plan, the Solicitors Regulation Authority notes that money laundering ‘has increasingly become a priority area for us and one in which we robustly scrutinise those we regulate’.
24 FCA Handbook, PRIN 2.
25 Decision Notice, 5 February 2019.
26 The FCA also regularly takes civil enforcement action against regulated individuals for breaches of its Principles. For example, see the recent decision notice against Markos Theodosi Markou (Reference No. MXM01997), 29 January 2021, imposing a financial penalty of £25,000 and withdrawing approval to carry out senior management functions or any functions in relation to regulated activities, for reckless failure to, inter alia, establish, maintain and enforce effective crime systems and controls contrary to Principle 1. Similarly to SCB’s case, an aggravating feature was that the FCA had ‘repeatedly communicated serious concerns’ in relation to the financial crime systems, controls and oversight, so that Mr Markou’s conduct took place against a backdrop of ‘obvious risk’. Mr Markou has referred the decision notice to the Upper Tribunal and it is therefore provisional.
27 Bribery Act 2010, s.9(1): ‘The Secretary of State must publish guidance about procedures that relevant commercial organisations can put in place to prevent persons associated with them from bribing as mentioned in s7(1).’
28 https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf.
29 In post-legislative scrutiny of the Bribery Act, a House of Lords Select Committee concluded that the MOJ Guidance was less helpful in informing and advising small and medium-sized businesses on what would constitute an effective anti-bribery policy and stressed ‘the importance for even the smallest companies of carrying out a properly documented risk assessment’. It recommended amending the Guidance to make this clear and to emphasise that all but the smallest businesses should have appropriately tailored procedures that staff have been trained to understand and follow.
30 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/672231/Tackling-tax-evasion-corporate-offences.pdf. The Criminal Finances Act, s.47(1), provides that the Chancellor of the Exchequer must prepare and publish guidance about procedures that relevant bodies can put in place to prevent persons acting in the capacity of an associated person from committing UK tax evasion facilitation offences or foreign tax evasion facilitation offences.
31 Compliance, Internal Audit and Financial Crime.
32 Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG).
33 Sixteen thematic reviews were conducted by the FCA between 2006 and 2014 resulting in ‘general guidance’ as defined in FSMA 2000, s.158.
34 For example, managing bribery and corruption risk in commercial insurance broking – update 2014 contains useful guidance about entering and managing third-party introducer relationships, which may be of assistance to corporates in other business sectors required to manage that risk.
35 Unsigned copy of a Dear CEO letter sent to Retail Banks (only) on 22 May 2021, ‘Action needed in response to common control failings identified in anti-money laundering frameworks’, https://www.fca.org.uk/publication/correspondence/dear-ceo-letter-common-control-failings-identified-in-anti-money-laundering-frameworks.pdf.
36 Prevention of money laundering/combating terrorist financing: guidance for the UK financial sector, June 2020 (amended July 2020).
37 SFO Operational Handbook: Evaluating a Compliance Programme (January 2020).
38 ibid., p. 5.
39 This was borne out in SFO v. G4S Care & Justice Services (UK) Ltd, Crown Court (Southwark), 17 July 2020, which was the second DPA to be agreed after the SFO published its guidance and saw the appointment of the first monitor under the DPA regime.
40 US Department of Justice and the US Securities and Exchange Commission, A Resource Guide to the US Foreign Corrupt Practices Act, Second Edition, July 2020.
41 ibid., Foreword, page iii.
42 Working Group on Bribery, OECD, Good Practice on Internal Controls, Ethics and Compliance (February 2010); World Bank Group Integrity Compliance Guidelines (2017).
43 US Department of Justice, Evaluation of Corporate Compliance Programs (updated June 2020).
44 US Department of Justice, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019).
45 28 C.F.R. part 80 (current as of 1 July 1999), § 80.1, Purpose.
46 ibid., § 80.3, Transaction.
47 ibid., § 80.3, Transaction.
48 ibid., § 80.4, Issuer or domestic concern and 15 USC § 78dd-2(h)(1).
49 15 U.S.C. §§ 78dd-1 and 78dd-2.
50 28 C.F.R. part 80 (current as of 1 July 1999), § 80.10.
51 Id.
52 ibid., §§ 80.11 and 12.
53 No. 20-01, 14 August 2020, Foreign Corrupt Practices Act Review Opinion Procedure Release.
54 US Sentencing Guidelines Manual, chapter 8 (§ 8B2.1) (2018).
55 FCA Discussion Paper DP 18/2: Transforming culture in financial services, March 2018, p. 3.
56 Id.
57 Rolls-Royce judgment, para. 102.
58 See SFO v. Tesco Stores Ltd, Crown Court (Southwark), Case No. U20170287, 10 April 2017 (Statement of Facts, para. 55).
59 Rolls-Royce judgment, para. 104.
60 Airbus judgment, para. 65; Amec Foster Wheeler judgment, para. 24 (‘The policies changed, but they never worked because FWEL [Foster Wheeler Energy Limited] did not want them to.’) (per Edis LJ).
61 Airline Services Ltd, judgment, para. 49.
62 See, for example, Principle 2 of the Bribery Act guidance (pp. 23–24).
63 See Sarclad, preliminary judgment, para. 32.
64 See the Benczkowski Memo, 11 October 2018. ‘Where misconduct occurred under different corporate leadership or within a compliance environment that no longer exists within a company, [prosecutors] should consider whether the changes in corporate culture and/or leadership are adequate to safeguard against a recurrence of misconduct.’ A similar line of reasoning was applied in the UK DPA with Amec Foster Wheeler Energy Limited, where the SFO did ‘not require that a monitor be installed in recognition of the substantial enhancements and modifications to the E&C Programme [multi-year, group wide ethics and compliance policies and procedures] and remediation exercise that have already been undertaken’ (DPA, para. 44).
65 Non-Prosecution Agreement between DOJ and RMC, 8 March 2019.
66 US Justice Manual § 9-28.1000(A), Restitution and Remediation.
67 US Justice Manual § 9-28.1000(B), Restitution and Remediation.
68 Crown Prosecution Service Guidance on Corporate Prosecutions.
69 The Enforcement Guide, FCA Handbook.
70 US Department of Justice, Letter to Womble Bond Dickinson re World Acceptance Corporation, 5 August 2020.
71 SFO and CPS joint Deferred Prosecution Agreements Code of Practice (Crime and Courts Act 2013).
72 See Tesco. This was not a section 7 case and Tesco Stores Ltd entered into a DPA in respect of one count of false accounting.
73 USA v. Siemens Aktiengesellschaft, Information, 12 December 2008.
74 See, for example, Rolls-Royce, Tesco, Airbus.
75 As a term of their DPAs, Sarclad’s chief operating officer conducted a compliance review while Güralp Systems’ compliance officer conducted a compliance review.
76 See US Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs guidance (updated June 2020), Section II.
77 Standard Bank and Stanbic Bank Tanzania Ltd.
78 US v. Airbus DPA, 31 January 2020.
79 The conduct that Sarclad accepted had taken place began some four years after acquisition in 2004 and the acquisition was at a time when compliance programmes were less developed generally and not subject to the same level of scrutiny as today.
80 The DOJ Compliance Guidance is helpful on this point.
81 Those agreed between the SFO and Standard Bank, Sarclad, Rolls-Royce, Airbus, Airline Services Limited, Amec Foster Wheeler, and AB Ltd and CD Ltd.
82 R v. Alstom Network UK Ltd [2019] EWCA Crim 1318. A pre-Bribery Act prosecution that concluded in November 2019 with Alstom Power Ltd having pleaded guilty to one count of conspiracy to corrupt and Alstom Network UK Ltd having been convicted of a further count of conspiracy to corrupt.
83 Final Notice, 19 December 2013.
84 SFO v. Serco Geografix Ltd, Crown Court (Southwark), 4 July 2019, Case No. U20190413. Serco Geografix Ltd entered into a DPA in respect of five counts of fraud and false accounting.
85 Final Notice, 17 March 2014.
86 See, for example, US Department of Justice Criminal Division, Letter to K&L Gates dated 3 June 2016 in respect of Nortek, Inc.