The United Kingdom’s key corporate crime agency, the Serious Fraud Office (SFO), has published new guidance about how it assesses the effectiveness of a company’s compliance function during investigations.
Part of its Operational Handbook, the SFO’s eight-page document, called “Evaluating a Compliance Programme,” outlines what the agency might consider to determine whether a compliance function is effective enough for a company to merit a defense of having “adequate procedures” in place to avoid being charged under the U.K. Bribery Act or qualify for a deferred prosecution agreement (DPA).
At the crux of the issue, the SFO says—irrespective of the size of the organization and the resources it has at hand—“a key feature of any compliance programme is it needs to be effective and not simply a ‘paper exercise.’ ” The agency says a company’s compliance arrangements should be explored “early in the investigation.”
The SFO also says it’s important to assess the state of the compliance function over different time periods to determine the company’s suitability for a DPA—namely:
- At the time the wrongdoing was being carried out;
- At the time the organization was being charged for an offense (e.g., the company may have had a poor record of compliance at the time of wrongdoing, but may have strengthened its program by the time the agency charged it); and
- What the compliance function could look like in the future following internal reviews; an overhaul; additional training; and better executive buy-in, engagement, and oversight.
Evaluating the effectiveness of a compliance program depends on a number of different sources, says the SFO. These include looking at written records, voluntary (and compelled) disclosures, as well as witness and suspect interviews.
The document also says the “Six Principles” guidance issued in 2011 alongside the Bribery Act will play an important role in assessing the adequacy of a compliance function.
In brief, the six principles are:
- Whether the organization can demonstrate it has “adequate procedures” in proportion to the risks it faces to prevent bribery;
- Whether the organization can demonstrate “top level commitment” to prevent/not tolerate bribery;
- Whether there is a regular, adequate, and proportionally resourced risk assessment to determine whether bribery risks are being identified, controlled, and reported;
- Whether there are adequate due diligence procedures to prevent incidences of bribery from occurring;
- Whether adequate training is being undertaken to make staff aware of bribery risks and whether the organization’s anti-bribery policy is being properly communicated to employees so they understand what kinds of conduct/behavior will not be tolerated; and
- Whether the organization monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.
Some attorneys, however, have already suggested the SFO guidance note adds little clarity as to how the SFO would assess whether a compliance function is adequately resourced or the organization’s measures to prevent bribery were “appropriate.”
“This guidance isn’t really grasping the nettle and telling companies in cold, hard terms exactly what they should be doing,” says Aziz Rahman, senior partner at Rahman Ravelli, a U.K. law firm specializing in serious fraud cases. “We have known for years that the defense of adequate procedures is available. What the business world needs to know is just how the SFO weighs up precisely what it will consider ‘adequate,’ ” he says.
“There is very little in what the SFO has just put out that can be classed as solid advice that companies can apply to their workplaces,” says Rahman. “The SFO needs to come out and clarify where it stands when it comes to assessing a compliance program that has fallen short of its goals.”