As the name suggests, a deferred prosecution agreement (DPA) is a voluntary agreement reached between a prosecutor and a defendant organisation, whereby prosecution for the alleged offences is deferred in exchange for the organisation agreeing to fulfil certain conditions. Such conditions can include varying combinations of an admission of agreed-to facts; disgorgement of monies associated with the offence; payment of a monetary fine or penalty, or both; implementation of an effective compliance programme to prevent and detect future violations; imposition of a multi-year monitorship (or the legal equivalent in the home country of the organisation); imposition of self-monitoring and reporting to the regulator; full cooperation with regulators in ongoing related investigations; and not committing a repeat offence or otherwise violating the terms of the DPA throughout its duration. DPAs can be used to settle charges for fraud, bribery, money laundering, violations of sanctions and export control laws, and other economic or white-collar crime.
The primary advantages for a company entering into a DPA are an ending and greater certainty about the ending. DPAs can bring a swifter end to a government investigation and minimise reputational and economic losses caused by the uncertainty of the outcome of a prosecution. In turn, shareholders, suppliers, employees and business partners will not be unduly punished for the actions of a few. The disadvantages, however, are the very conditions that the organisation agrees to, and if they do not honour those conditions, prosecution for the offence may resume.
Many of the other advantages of DPAs are skewed toward the prosecuting regulator or agency (although victims sometimes benefit too, through compensation paid from the monetary conditions), and perhaps this is why they are becoming a bit of a global trend. Originating in and often used by regulators in the US, DPAs were introduced in England in 2014 and have subsequently been used in four enforcement actions by the UK Serious Fraud Office (SFO). Other countries where the DPA mechanism is available include France and Argentina, and it will shortly be available in Canada. In the Asia-Pacific region, DPAs were recently adopted in Singapore, and Australia is likely to soon follow suit. There are murmurings that Indonesia and India may also look at adopting them.
While Singapore is the first country in Asia-Pacific to adopt DPAs, companies in the region have been subject to DPAs with foreign regulators. Examples include two Japanese companies in 2011 and 2012, and a Singaporean company in late 2017. These three companies were subject to the extraterritorial reach of the US Foreign Corrupt Practices Act of 1977 (FCPA).
Two conditions commonly required for DPAs are cooperating with ongoing investigations, and implementing and improving a compliance programme. This article deals with the practicalities of complying with these two conditions.
Cooperating with an ongoing investigation
Both the SFO and the US Department of Justice (DOJ) have provided public information about their expectations for cooperation in ongoing investigations. From the UK perspective, the SFO has advised that to cooperate means to 'work with us in identifying the full extent of the alleged wrong-doing' and 'telling us about something that we do not already know'.1 In their co-publication with the US Securities and Exchange Commission (SEC) released in November 2012 and titled 'A Resource Guide to the US Foreign Corrupt Practices Act' (the FCPA Guide), the DOJ states that their evaluation of cooperation includes assessing 'the company's willingness to provide relevant information and evidence'.
Going further, the DOJ's 'FCPA Corporate Enforcement Policy', as updated in November 2017, discusses cooperation as:
disclosure on a timely basis of all facts relevant to the wrongdoing at issue, including: all relevant facts gathered during a company's independent investigation; attribution of facts to specific sources where such attribution does not violate the attorney-client privilege, rather than a general narrative of the facts; timely updates on a company's internal investigation, including but not limited to rolling disclosures of information; all facts related to involvement in the criminal activity by the company's officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents).
It further discusses cooperation as being proactive rather than reactive.
The US government's ongoing interest in cooperation is often seen in DPAs. As an example, in the case of the Singaporean company mentioned above, in the DPA from December 2017, the DOJ specified that the company's cooperation involved conducting a thorough internal investigation, meeting requests from regulators promptly and proactively identifying issues and facts that would likely be of interest to the regulators. This DPA also requires future full cooperation by the company until all investigations and prosecutions associated with the corrupt conduct are concluded, or until the end term of the DPA.
Navigating through the requirements and expectations of regulators in a government investigation can be challenging. While engaging outside legal counsel is often necessary for dealing with these challenges, counsel will usually require assistance in developing the company's response to identify and report on the issues and facts. Such assistance can be provided practically by incorporating a forensic response.
Fraud, bribery and many forms of misconduct associated with white-collar crime are usually identified in, and evidenced through, the financial and accounting records of a company. As such, forensic accountants are often engaged to assist with financial data analysis and other fact-finding tasks. The in-depth and objective analysis that a forensic accountant performs will help uncover trends that bring to light the issues that have caught the attention of the regulator. This may involve reconstructing a series of transactions or checking the appropriateness of how any improper activity may have been reflected in the financial statements. Key witnesses and subjects will also need to be interviewed to provide information regarding the issues.
But the forensic accountant does not act alone. Other professionals will be involved to ensure evidence is identified, forensically collected and thoroughly analysed. An overview of the additional skill sets that round out the forensic response is provided below.
Computer forensics and e-discovery
Computer forensics specialists – experts in handling and analysing digital evidence – collect, analyse and report on digital evidence in a forensically sound manner (ie, the evidence is collected, analysed, handled and stored in a manner that would be acceptable in a court of law). Digital evidence is crucial in investigating key subjects and understanding their conduct relevant to the issues under investigation. It also helps identify additional key custodians, whether they be providers of information, fact witnesses or potential defendants. Such digital evidence is obtained from multiple sources (eg, the company's email servers, the cloud, or personal devices such as laptops, mobile phones or tablets for SMS and other messaging applications).
In a cross-border investigation, the volume of digital evidence to be reviewed can be massive, collected from multiple custodians and locations around the world. The use of a centralised review platform can expedite a company's obligations to review the evidence and identify relevant information about the issues and facts. With potentially millions of records to review, utilising a platform that provides the ability to quickly search for key people, words and dates is mandatory. Applying analytics that are integrated into a review platform is also critical. Examples include:
- Deduplication, near deduplication, email threading: the removal of duplicated emails or documents so that an investigation team is only reviewing one copy of an email. This also groups similar documents together, for example, multiple versions of a contract Word document, or groups 'back-and-forth' email chains. This saves time and costs.
- Concept clustering: using the contents of communication between key players, grouping conceptually similar documents together. For example, all documents related to sales opportunities, expenses, transactions or outliers that may be suspicious are grouped together for review.
- Artificial intelligence and predictive coding: with the millions of records, a sample of this population is reviewed by senior members of the investigation or legal team for 'hot' documents. That sample is then applied to the remaining population and the artificial intelligence system predicts and returns similarly 'key' documents. This saves time and costs, whereby the entire population does not need to be reviewed, and in some instances, provides for greater accuracy.
Using targeted querying of the company's databases, patterns that may be signatures of improper activity can be efficiently and effectively identified. Data analytics involves the transformation, analysis and visualisation of complex data to reveal actionable insight in an investigation. It is used to provide a deep understanding of the company's transactional data (operating and financial) and how that data is collected and used by the company in daily operations. This data will provide additional insight through complex analysis, data mining for specific transactional activity, and the ability to define relationships across multiple disparate data sources, both internal and from third parties.
Business intelligence effectively involves an investigator discreetly gathering actionable intelligence externally related to key subjects or entities without unnecessarily alerting the subjects. The discreet nature of the methodology used lowers the risk of evidence that could be material to the investigation being destroyed. Such intelligence may include identifying corporate information (including key principals and shareholders or ultimate beneficiaries), business reputation, government and political connections, financial health, business strategies, involvement in nefarious activities or misconduct, violations of law, involvement in litigation and bankruptcy. At the very least, this type of review can verify whether the third party is or was associated with a bona fide company. It could be crucial in identifying additional key subjects for the investigation.
Undertaking investigations in more challenging jurisdictions where publicly available and reliable information is limited requires a well-structured and often creative intelligence-gathering exercise to allow the investigator to identify any undisclosed business relationships or interests, as well as ascertain the source of wealth and location of assets.
Determining the scope of and approach to an investigation
Demonstrating cooperation in an investigation requires more than just incorporating a reasonable forensic response. Thought must be applied in determining the scope to ensure the skill sets described above are deployed appropriately. Determining the scope may involve formulating theories to prove or disprove allegations and reaching appropriate conclusions. This should involve thinking outside the box to devise a thorough investigation work plan. In turn, this will enable the issues and facts to be presented in a clear manner that is understandable and properly supported by the evidence.
Experience shows that if a company can clearly articulate and demonstrate a modern or even innovative approach to determining issues and finding relevant facts, especially one that is technology-driven, regulators may view this as a sign of cooperation. Regulators know that a technology-driven approach to an investigation can bring greater clarity on existing and known fact patterns and new insights that may not have been known before.
This was evidenced in our experience working with an oil and gas company that received a 'please explain' letter from a regulator after it became embroiled in a corruption scandal. Among others, the 'please explain' requested the company to specifically quantify the amount of bribes that had been paid. This was challenging for two reasons. First, the bribes paid were contained in line items of invoices from a subcontractor the company had engaged. These line items were not individually captured in the company's accounting system and the supporting documents were stored in a warehouse in a remote location. Second, the line items on the subcontractor's invoices were described in both a mix of common words used to describe bribes and local slang equivalents.
The solution to respond to the regulator's request involved building a database that listed all of the subcontractor's invoices paid by the company while the supporting documents for each payment were scanned. In turn, forensic accountants reviewed the scanned documents and identified the line items in the invoices that likely reflected the bribes being paid. This information was then queried against the database, including the words used to describe the bribes. The database allowed the company to not only quantify the bribes paid but also assist with determining how and when they were paid, thus demonstrating how the company was determining relevant issues and facts. This cooperation was part of the reason that the company was able to enter into a DPA with the DOJ.
Implementing a programme to improve future compliance
To help avoid non-compliance and potential regulatory scrutiny, a company should proactively implement a compliance programme. Should an issue arise, regulators will consider the adequacy of such a programme when deciding what, if any, prosecutorial or settlement action should be taken against the company. In the context of agreeing a DPA, if such a programme was lacking or inadequate at the time the issue arose, regulators will look for specific changes the company has made after discovering the issue (including during the investigation) to reduce the risk of future occurrence. This is reflected in the DPA the Singaporean company entered into with the DOJ where it was noted that the company had 'enhanced and has committed to continuing to enhance its compliance program and internal controls'.
In the same DPA, the DOJ specified the minimum compliance programme elements that the company was required to enhance or implement. These elements are in line with the DOJ and SEC's 10 hallmarks of an effective compliance programme as set forth in the FCPA Guide. The DOJ and SEC are not the only regulators to provide guidance on the elements of a compliance programme. With the introduction of the UK Bribery Act 2010, the UK Ministry of Justice issued 'The Bribery Act 2010 Guidance'.
Other guidance and best practices are published by globally recognised organisations, including the Good Practice Guidance on Internal Controls, Ethics, and Compliance adopted by the Organisation for Economic Co-operation and Development (OECD), Anti-Corruption Ethics and Compliance Handbook for Business, which was jointly developed by the OECD, the United Nations Office on Drugs and Crime and the World Bank, Internal Control – Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission and the UN Convention against Corruption, and more recently the International Organization for Standardization's ISO 37001 Anti-Bribery Management Systems. Indeed, even governments in the Asia-Pacific region have issued similar guidance, including in Hong Kong, Japan, Korea and Singapore. While most of these guides are focused on combating bribery, a company can use them as a reference for compliance with other rules and regulations combating economic or white-collar crime.
Though described in different ways, the underlying elements of these guides are similar and reflect internationally recognised standards for an effective compliance programme that should:
- create a culture of compliance;
- assess risk;
- have supporting policies and procedures;
- manage risks created by third parties;
- engage stakeholders;
- monitor compliance; and
- continuously improve.
With these objectives in mind, it is important that the compliance programme is well constructed and thoughtfully implemented. Designing and implementing a compliance programme that is effective for the company is challenging. This is why in the context of a DPA, the company may be required to report back to the regulator on its compliance efforts or be subject to a compliance monitor. In the case of the Singaporean company, the DPA specifies that they are required to report annually on the remediation and implementation of the compliance measures. For one of the Japanese companies mentioned earlier, the DPA specified that the company 'agreed to retain an independent compliance consultant for a term of two years to review the design and implementation of its compliance program' and 'to enhance its compliance program to ensure that it satisfies certain standards'.
Implementing an effective compliance programme
Implementing an effective compliance programme requires the company to go beyond paper compliance and have adequate resources (people and budget) to design, implement and monitor the programme. This is something many companies grapple with – what are appropriate resources for compliance?
While a team may be identified within the company's headquarters as being responsible for compliance, it is common for little or no guidance to be provided to operational or local country management on the overall compliance standards expected by the company. Quite often, interactions between headquarters and local country management on compliance-related matters are neglected leading to a lack of consultation on priorities, thereby contributing to a lack of effectiveness of the programme. Even worse, compliance risks that local operations are exposed to may not be identified or fully appreciated.
For the successful integration of compliance-related policies and procedures throughout the company, it is crucial for operational or country management to identify and have ready access to compliance subject-matter experts. Such SMEs provide necessary guidance and feedback to ensure that the compliance programme is adequately understood and procedures are being followed by the business.
Knowledgeable employees who understand the local market, business customs and inherent compliance risks should be deployed to high-risk locations where the company operates to help country managers navigate the difficult situations they are bound to encounter. Such resources should have a reporting line back to headquarters about the operation of the programme so that headquarters are aware of the compliance challenges faced by the local operations and can provide appropriate support when necessary. The company should implement a reporting mechanism where local operations are required to report to headquarters on a regular basis with items concerning the operation of the programme. For example, training statistics, progress on remedial actions, and the local gift and entertainment register should be periodically provided to headquarters for review.
The use of a hotline or whistleblower mechanism through which anyone can report concerns without fear of retaliation is a crucial tool to help with detection of potential misconduct. It is important that all allegations are centrally reported, so that they can be appropriately addressed, avoiding a situation where local management may not appreciate the severity of an allegation, or may even be the subject of such allegations, and thus appropriate attention is not given.
Companies should also undertake proactive independent assessments of their compliance programmes, such as conducting employee surveys or performing controls testing with the help of either an outside consulting firm or the internal audit or internal control group within the company. This should not just be at headquarters level. A rotational assessment programme can be set up where different countries or operations are independently tested every few years. More importantly, observations from these assessments must be actioned in a timely manner, with appropriate remedial plans developed, and any lessons learned should be shared throughout the company.
While entering into a DPA can help a company reduce the uncertainty caused by a lingering regulatory enforcement action, it can only be considered as an option if the company is serious about cooperating and conducts a reasonably thorough investigation that proactively identifies relevant issues and facts that the regulator is not already aware of. The company must also be able to demonstrate the enhanced compliance efforts it has and is undertaking. Ultimately though, a company should look to avoid an issue arising in the first place by implementing and operating an effective compliance programme. This is especially relevant for Asia-Pacific companies, given the recent and ongoing adoption of DPAs as an enforcement tool by governments in the region.
The views expressed herein are those of the author and not necessarily the views of FTI Consulting Inc, its anagement, its subsidiaries, its affiliates or its other professionals. The author wishes to acknowledge the contributions of Jason Liew, senior managing director, Brett Clapp, senior managing director, and Gino Bello, senior director, in drafting this article.