Compliance – Global Investigations Review
04 January 2023
Compliance issues are at the heart of the vast majority of financial crime and misconduct investigations, and subsequent criminal and regulatory enforcement action. Accordingly, many international government enforcement bodies have sought to articulate formally what is required for effective compliance. In the United Kingdom, corruption, facilitation of tax evasion and money laundering are among the more evolved areas, with the relevant guidance also offering assistance on other specific areas of legal risk. In the United States, corruption and antitrust are two areas where detailed and extensive guidance is available.
Alongside the available guidance offered by international government enforcement bodies, there is an evolving body of criminal and regulatory enforcement outcomes in the United Kingdom, United States and other jurisdictions that address compliance issues. Investigations practitioners can draw on this material to prepare and promote new policies for a corporate, analyse potential compliance issues within an investigation, prepare for potential future criminal or regulatory proceedings where compliance is a central issue and make timely remediation where compliance failures have occurred.
The international corporate compliance landscape is vast and constantly evolving. It is beyond the scope of this chapter to examine in detail the legal and regulatory requirements across all sectors and jurisdictions. This chapter focuses principally on the UK position concerning offences and defences, and reviews the key areas of risk arising from compliance failures and available corporate defences. It draws on the compliance guidance in the United Kingdom and the United States and analyses the impact of compliance on investigatory outcomes. It explores the interplay between culture and compliance, the merits of the US Foreign Corrupt Practices Act (FCPA) Opinion Procedure and, finally, draws on the compliance lessons arising from a variety of UK and US cases.
Practitioners should be mindful of the breadth of compliance issues that may be engaged in a number of jurisdictions in any single investigation, particularly when dealing with multinational corporates operating in high-risk sectors. The insight provided by the UK and US guidance and the lessons learned from the outcomes to date, may also resonate in other jurisdictions, particularly in cross-border investigations.
The implementation of the section 7 offence in July 2011 represented a move away from corporate criminal liability via ‘the identification principle’ towards liability through ‘failure to prevent’ offences.[2] By section 7(1) Bribery Act 2010, a ‘relevant commercial organisation’[3] commits an offence if a person associated with it bribes another person intending to get or keep business, or an advantage in the conduct of business, for the organisation. However, by section 7(2), a company can rely on compliance as a defence to a criminal offence. An organisation that had ‘adequate procedures designed to prevent persons associated with [the organisation] from undertaking such conduct’ will have a defence to the section 7 offence.
The majority of section 7 cases in England have been resolved through deferred prosecution agreement (DPA). The Crown Court has approved DPAs for section 7 offences between the Serious Fraud Office (SFO) and Standard Bank plc,[4] Sarclad Ltd,[5] Rolls-Royce plc and Rolls-Royce Energy Systems Inc,[6] Güralp Systems Ltd,[7] Airbus SE,[8] Airline Services Ltd,[9] Amec Foster Wheeler Energy Ltd[10] and two other companies (AB Ltd and CD Ltd[11]). One company, Sweett Group plc,[12] has pleaded guilty to a section 7 offence. There has been just one contested section 7 prosecution in a Crown Prosecution Service (CPS) case against Skansen Interiors Ltd,[13] where Skansen pursued an adequate procedures defence but was subsequently convicted.
The Criminal Finances Act 2017 introduced the offences of failure to prevent the facilitation of UK tax evasion and failure to prevent the facilitation of foreign tax evasion. These offences hold a ‘relevant body’[14] criminally liable when a person associated with it commits either a UK tax evasion facilitation offence (pursuant to section 45) or a foreign tax evasion facilitation offence (pursuant to section 46). In respect of the section 46 offence, one of three alternative jurisdiction conditions[15] must also be satisfied.
Compliance-based defences are available for both offences[16] if the corporate defendant can prove that ‘it had in place such reasonable prevention procedures it was reasonable in all the circumstances to have in place’ or ‘that it was not reasonable in all the circumstances to expect [the relevant body] to have any prevention procedures’.
To date there have been no prosecutions for either of these offences. As at 13 May 2022, there were seven live investigations with a further 21 ‘opportunities’ under review across 11 business sectors, including software providers, accountancy, legal services and transport, and embracing a full range of corporate entities from small businesses through to some of the United Kingdom’s largest organisations.[17]
A distinction between the failure-to-prevent offences in the Bribery Act and Criminal Finance Act, which otherwise follow a similar concept of corporate criminal liability, is found in the description of the standard of prevention procedures governing the availability of the statutory defences, namely ‘adequate procedures’ compared to prevention procedures that are ‘reasonable in all the circumstances’. It has been argued that the ‘adequate procedures’ standard might be considered a stricter standard, with the effect that where an underlying bribery offence is proved, the prevention procedures must of necessity not have been ‘adequate’. This might be the case notwithstanding the presence of procedures that were ‘reasonable in all the circumstances’ but were circumvented on a particular occasion. Given this potential unintended consequence, attempts were made to replace ‘adequate procedures’ with ‘reasonable procedures in all the circumstances’ during the passage of the Bribery Bill through Parliament, but these were unsuccessful. The argument was revisited in post-legislative scrutiny by a House of Lords select committee.[18] The committee decided that the danger of an overly strict interpretation of ‘adequate procedures’ was unlikely, and statutory amendment of section 7(2) was unnecessary. However, it did recommend changes to the Bribery Act guidance[19] ‘to draw attention to the different wording in the Criminal Finances Act 2017 and in the HMRC guidance to that Act, and to make clear that “adequate” does not mean, and is not intended to mean, anything more stringent than ‘reasonable in all the circumstances’.
There has been no change to the Bribery Act guidance in this, or any other respect. Another relevant distinction is that the Criminal Finances Act offences specifically contemplate and provide for a defence in circumstances in which it is reasonable for a corporate to have no prevention procedures in place.
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLTF Regulations) target the ‘gatekeepers’ of the UK financial system. These ‘relevant persons’[20] must have policies, controls and procedures to mitigate the risks of money laundering and terrorist financing.
The MLTF Regulations are deliberately non-prescriptive. They require corporates to tailor their compliance policies according to their individual risk-profile. The requirements extend to ensuring that employees and agents (at group and subsidiary level) are aware of the law relating to money laundering and terrorist financing, are trained appropriately and take proportionate steps to reduce the risks within the ordinary course of their relevant business activities.
Failure to comply with the requirements of the MLTF Regulations is a criminal offence.[21] In deciding whether a corporate has committed an offence, the court will consider whether it followed any relevant guidance, including from the Financial Conduct Authority (FCA) and other supervisory authorities. No offence is committed where a corporate can demonstrate that it took ‘all reasonable steps’ and ‘exercised all due diligence’ to avoid committing it.[22]
In December 2021, National Westminster Bank plc (NatWest) pleaded guilty to offences of failure to comply with the MLTF Regulations, in the first prosecution of a bank for these offences. There were two key aspects to the compliance failures that resulted in the convictions. First, an overreliance on relationship managers when considering suspicious activity on a customer account and second a permitted limitation of a particular form of monitoring to ‘where the capability to do so exists’ rather than an adherence to the risk profile.[23] After a one-third deduction in penalty for guilty pleas, NatWest was fined roughly £265 million.
The FCA Principles[24] embody the fundamental precepts that regulated businesses are expected to uphold. Firms must conduct their business with integrity (Principle 1) and due skill, care and diligence (Principle 2), and take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems (Principle 3).
In addition to the Principles, the FCA Handbook contains a number of binding rules relevant to corporate compliance. Commentary on the relevant guidance provided by the FCA is set out below.
Under the Financial Services and Markets Act 2000 (FSMA), the FCA has an extensive range of disciplinary, criminal and civil powers to take action against businesses and individuals that fail to meet the required standards. These include withdrawing a firm’s authorisation, suspending a firm from undertaking specified regulated activities, imposing a financial penalty and pursuing a criminal prosecution.
The FCA is principally active in the civil enforcement regime. Three recent examples show keen recent FCA enforcement activity. In June 2022, Ghana International Bank Plc was subject to an approximately £5.8 million fine in respect of breaches of the Money Laundering Regulations 2007 related to financial crime in the corporate banks sector.[25] Also in June 2022, JLT Speciality Ltd was fined around £7.9 million in respect of breaches of Principle 3 relating to anti-bribery and corruption and financial crime in the general insurance and protection sector.[26] In the area of cum-ex trading, in July 2022, the FCA imposed a financial penalty of approximately £2 million on TJM Partnership Limited in respect of breaches of Principles 2 and 3 in relation to the risk of financial crime in this trading sector.[27]
Practitioners should be aware that sector-specific and profession-specific regulators have also taken enforcement action against those they regulate for compliance breaches. These include the Financial Reporting Council, the Solicitors Regulation Authority, the Gambling Commission and the Groceries Code Adjudicator, to name but a few.
There is a wealth of compliance guidance available in the United Kingdom and the United States. The core guidance is summarised below and, as will be seen, there are a number of overlapping principles, with a particular focus on the importance of organisations having proportionate, risk-based procedures in place.
The Ministry of Justice (MOJ) has published statutory guidance[28] addressing procedures that organisations can implement to prevent bribery.[29] The guidance aims to assist practitioners to assess or develop a compliance framework but is clear that whether any set of procedures is adequate for the purposes of the section 7 defence is a question of fact that can only be resolved by the courts.
The guidance is aimed at businesses of all sizes operating across all sectors and markets[30] and is founded on the following six principles, which are intended to be flexible and focused on outcomes.
Underpinning each principle is the need to document all steps taken to ensure that, in the event of an investigation, organisations can demonstrate that clear steps were taken to design and implement robust and appropriate procedures.
Guidance was published in September 2017 in respect of the Criminal Finances Act 2017 offences.[31] Critically it recognises that ‘any regime that is risk-based and proportionate cannot also be a zero-failure regime. If a relevant body can demonstrate that it has put in place a system of reasonable procedures that identifies and mitigates its tax evasion facilitation risks, then prosecution is unlikely as it will be able to raise a defence’. This offers reassurance that a corporate that produces reasonable procedures proportionate to its own risk will be protected from criminal prosecution and acts as a strong incentive to implement them. However, the emphasis is placed very specifically on accurate self-assessment and addressing of risk. It warns that it is not intended to provide ‘safe-harbour’ and makes clear ‘even strict compliance with this guidance will not necessarily amount to having reasonable procedures, where the relevant body faces particular risks arising from the unique facts of its own business that remain unaddressed’.
The guidance is formulated around the same six guiding principles articulated in the Bribery Act guidance. It puts considerable onus on a corporate to utilise the guidance and apply it meaningfully to its own circumstances, which will be affected by its size, nature and sector of business, and complexity and location of operations. It expressly does not provide a checklist and should ‘be used to inform the creation of bespoke prevention procedures designed to address a relevant body’s particular circumstances and the risks arising from them’.
The guidance is detailed and specific, in part owing to the more complex assessment of criminal liability under sections 45 and 46 of the Criminal Finances Act 2017, and because it builds on some of the more generic articulations of compliance guidance found elsewhere. For example, the articulation of commonly encountered risks from a tax fraud perspective is practical and useful as a starting point to prompt corporates and their advisers in their approach to risk assessment.
The various sources of FCA guidance are another useful tool in this field. A good starting point is Chapter 6 of the Senior Management Arrangements, Systems and Controls Sourcebook.[32] This provides ‘organisational and systems and control requirements for all firms’. However, the principal detailed source of guidance the FCA provides on this is its Financial Crime Guide.[33] This comprehensive document draws on the FCA Financial Crime Thematic Reviews[34] to address risk in the specific areas of money laundering and terrorist financing, fraud, data security, bribery and corruption, sanctions and asset freezing, insider dealing and market manipulation.
The guidance is non-binding, but, where it is obviously appropriate for a corporate to address a particular risk, adherence to FCA guidance is likely to be beneficial generally and may be viewed favourably by UK law enforcement in the event of an investigation.
The thematic reviews are specific to certain business types, sizes or sectors, but are of more general assistance. Any corporate reviewing its compliance and procedures in a particular area of risk is likely to benefit from consulting any thematic review relevant to that risk area, even if its business does not sit in the reviewed sector.[35]
The Joint Money Laundering Steering Group (JMLSG) guidance[36] is aimed at firms operating under the auspices of the JMLSG’s 14 UK trade association member bodies, in addition to those regulated by the FCA. It is approved by HM Treasury and, therefore, relevant for the offences under the Proceeds of Crime Act 2002 (regulated sector) and Regulation 86 of the MLTF Regulations.
While it is not legally binding, firms ‘will have to stand prepared to justify departures’ from the guidance, which is split into three parts. Part I contains guidance relevant to all firms operating across the UK financial sector. Parts II and III provide additional sector-specific guidance.
The focal point of the JMLSG guidance is the responsibility of senior managers, including the money laundering reporting officer, to identify, assess and effectively manage money laundering risks across different aspects of their businesses. The JMLSG emphasises that there are many similarities between the strategies adopted by businesses to combat money laundering and other types of financial crime, such as fraud and market abuse, and recommends fostering ‘strong links’ between those responsible for managing and reporting on these various areas of risk.
The JMLSG guidance is clear that there is no one-size-fits-all approach, and policies and procedures should be proportionate to the size and nature of the relevant business. There are strong parallels with the MOJ’s six principles.
The SFO has published its internal guidance on how it will evaluate the effectiveness of an organisation’s compliance programme.[37] This evaluation will be key in its determination whether a prosecution is in the public interest. Such assessment will be arranged around the MOJ’s six principles, which the SFO recognises represent ‘a good general framework for assessing compliance programmes’.[38]
In its guidance, the SFO recognises that appropriate compliance arrangements will vary, but states there is an expectation that all organisations, irrespective of size, will have at least some compliance arrangements in place. A compliance programme cannot be a ‘paper exercise’ and, to be effective, must be proportionate, risk-based and regularly reviewed.
The SFO does not state what it will consider adequate, having made clear previously that this is not its role. Each case will be assessed on its facts taking into account the company’s risk profile and the steps taken to mitigate that risk.
Finally, the SFO states that in assessing an organisation’s compliance programme it will look at the past (i.e., what was in place at the time of the alleged offence), the present and, where a DPA is being considered, the future. This emphasises the importance of commencing immediate remediation when potential criminal issues arise. Importantly, the SFO also foreshadows a move towards the use of corporate monitors stating that any DPA that includes terms relating to an organisation’s compliance programme is ‘likely to include a monitor being appointed at the organisation’s expense’.[39]
In July 2020 the Enforcement Division of the Securities and Exchange Commission (SEC) and the Criminal Division of the US Department of Justice (DOJ) produced an updated (from 2012) version of the Resource Guide to the US Foreign Corrupt Practices Act (FCPA),[40] describing it as ‘one of the most thorough compilations of information about any criminal statute’.[41] Chapter 5 ‘Guiding Principles of Enforcement’ includes sections on ‘Hallmarks of Effective Compliance Programs’ and ‘Other Guidance on Compliance and International Best Practice’. Unsurprisingly, given the risk area under consideration, the Guide pays particular attention to ‘Third Party Due Diligence and Payments’ and offers three guiding principles when assessing due diligence in this area:
In addition to a worked-through hypothetical example involving third-party vetting, this Guide also directs corporates to the DOJ Criminal Division guidance on Evaluation of Corporate Compliance Programs, other US government departments’ guidance and well-regarded international guidance such as that provided by the OECD and the World Bank.[42]
This recently updated guidance issued by the DOJ’s Criminal Division is another useful resource.[43] It sits as guidance across the whole of the division and is, therefore, applicable to other corporate offences as well as FCPA matters. It is more informative than the SFO’s guidance, although the underlying principles significantly overlap. The DOJ guidance can also assist UK practitioners in discussions with the SFO about compliance-related issues in the course of DPA negotiations. The guidance comprehensively addresses how the DOJ will measure compliance programmes by reference to three key questions (sourced from the DOJ’s Justice Manual) and is a useful reference for practitioners drafting or updating compliance programmes or considering potential outcomes and remediation in an investigation.
The DOJ will consider the quality of a company’s risk assessment, policies and procedures, and training and communication; the existence and effectiveness of a confidential reporting mechanism; the application of risk-based due diligence to third-party relationships; and, where relevant, appropriate procedures to address mergers and acquisitions risk.
The DOJ will focus on whether the compliance programme is well resourced and empowered to function effectively. This will entail a review of senior and middle management commitment and oversight; whether the compliance function can operate autonomously and with suitable resources; a comparison of the seniority and stature of the compliance function with other strategic functions within the company and the existence of incentives for compliance and disincentives for non-compliance.
The DOJ will assess whether the programme has been periodically tested, reviewed and improved, including how the organisation measures its compliance culture. It will evaluate a company’s investigations structure, its ability to conduct a root cause analysis of misconduct and whether root causes have been remedied in an appropriate and timely manner.
This complementary guidance in the antitrust risk area poses the same three questions identified in the Criminal Division’s Guidance and provides specific guidance looked at from context of ‘criminal violations of the Sherman Act such as price fixing, bid rigging and market allocations’.[44]
In addition to published guidance, the US system also affords companies the ability to request a formal opinion from the DOJ, as to whether a contemplated course of conduct will conform to its current enforcement policy under the FCPA. This mechanism is known as seeking an FCPA opinion.
The applicable regulations are clear that an FCPA opinion may only be sought in respect of ‘prospective – not hypothetical – conduct’.[45] That is to say, ‘the entire transaction which is the subject of the request must be an actual . . . transaction’.[46] While it may contain an element of historical conduct ‘in most – if not all – instances, an Opinion request should be made prior to the requester’s commitment’ to proceeding with the transaction in question.[47]
FCPA opinions are available to ‘issuers and domestic concerns’, which includes individuals who are US citizens, nationals or residents and corporations and partnerships that have their principal place of business in the United States, or which are organised under US law.[48]
An affirmative FCPA opinion creates a rebuttable presumption in any subsequent action brought by the DOJ under the relevant provisions of the FCPA[49] that the requester’s conduct, as specified in the request, is in conformity with the DOJ’s enforcement policy and the relevant provisions of the FCPA.[50] Such a presumption may be rebutted by ‘a preponderance of the evidence’[51] and does not ‘bind or obligate’ any agency other than the DOJ, nor does it alter the requester’s accountancy obligations.[52]
In January 2022 the DOJ issued an FCPA opinion of non-violation in respect of a request from a foreign state, via a third party, for a payment to secure the release of the (medically unwell) captain and the crew of a vessel detained by that state, it being alleged that the vessel had violated various laws and treaties.[53]
The effectiveness of an organisation’s compliance programme is intrinsically linked to its culture. This is recognised in the US Sentencing Commission’s Guidelines Manual, which states that, to have an effective compliance and ethics programme, an organisation shall ‘promote an organisational culture that encourages ethical conduct and a commitment to compliance with the law’.[54]
Culture, which is defined by the FCA as ‘the habitual behaviours and mindsets that characterise an organisation’,[55] significantly impacts compliance in several ways. It will influence whether compliance programmes are implemented and applied effectively; in the event of misconduct, it will have a bearing on the availability of a compliance-based defence to the company; and it will ultimately influence the type of resolution available to the organisation and the terms of that resolution.
The rule-based nature of compliance means that it is more likely that those rules will be ignored or circumvented where a defective organisational culture exists. The FCA has found that ‘culture in financial services is widely accepted as a key root cause of the major conduct failings that have occurred within the industry in recent history’.[56] Similarly, failures in culture have been at the heart of many of the SFO’s DPA resolutions where criticism has been made of corporates who have failed ‘to instil within the wider business a culture of compliance’.[57] In some cases there has been a culture of pressure to meet targets[58] and in others a ‘culture of wilful disregard of the commission of offences’[59] with the consequence that rules were ignored or internal and external compliance procedures deliberately circumvented.[60] In the case of Airline Services Ltd, the court noted that the company’s senior management failed to implement an effective compliance programme, despite receiving a guide and recommendations.[61]
As is apparent from all the available guidance, even if misconduct does occur, an organisation that has fostered a culture of integrity is more likely to be successful in demonstrating the adequacy of its procedures, assuming it can evidence its efforts to do so.[62] The CPS prosecution of Skansen (the only contested adequate procedures case to date) is instructive in this regard. Skansen relied on its culture of honesty and integrity as part of its adequate procedures defence but faced evidential difficulties owing to its failure to document its attempts to implement compliance procedures and instil a culture of compliance.
Finally, culture is an important driver in the outcome of any investigation. Genuine attempts by a corporate to change its culture and focus on compliance are factors the court will consider when determining whether a DPA is in the interests of justice.[63] Effecting culture change is also key to remediation and ensuring that similar misconduct will not occur again. In the United States, cultural change is a common feature of compliance monitorships, and the DOJ has made plain that changes in culture, particularly where there has been a change in leadership, may be sufficient to guard against future misconduct and may avoid the need for a monitor at all.[64] This was the case for gold refinery Republic Metals Corporate (RMC) who entered into a non-prosecution agreement (NPA) with the DOJ in 2019 following an investigation into money laundering and violations of the Bank Secrecy Act. RMC avoided the imposition of a monitor with the DOJ citing its ‘significant efforts to create a culture of proper compliance’.[65]
The available guidance and resolutions to date demonstrate the correlation between effective compliance and the response of enforcement to address alleged corporate offending.
In its compliance guidance, the SFO is clear that its assessment of a corporate’s compliance programme will be a critical consideration in determining whether (1) a prosecution is in the public interest, (2) the organisation should be invited into DPA negotiations, and what conditions the DPA should include, (3) the ‘adequate procedures’ defence is available in the case of a section 7 offence, and (4) it reflects greater or lesser culpability in terms of sentencing.
Similarly, in the United States, the joint DOJ/SEC Resource Guide to the US FCPA directs readers to the US Justice Manual: ‘A prosecutor may also consider other remedial actions, such as improving an existing compliance program or disciplining wrongdoers, in determining whether to charge the corporation and how to resolve corporate criminal cases’.[66] The issue of the potential impact of a positive corporate culture is again reiterated here in the Justice Manual’s comment: ‘In determining whether or not to prosecute a corporation, the government may consider whether the corporation has taken meaningful remedial measures. A corporation’s response to misconduct says much about its willingness to ensure that such misconduct does not recur.’[67]
Compliance features in a number of ways in the decision to prosecute. The UK Guidance on Corporate Prosecutions states that it will be a public interest factor tending towards prosecution if, at the time of the alleged offence, an ineffective compliance programme was in place.[68] Conversely, the existence of a genuinely proactive and effective compliance programme will militate against prosecution. Prosecutors will also undertake a qualitative evaluation of steps taken by a corporate to remediate and enhance its compliance programme. The UK FCA, in its Enforcement Guidance, places similar emphasis on the ability of a firm to demonstrate that it has taken appropriate remedial action, such as addressing any systems and controls issues.[69]
In considering whether to prosecute failure-to-prevent offences, the prosecutor will evaluate whether an adequate procedures or reasonable procedures defence is available to the corporate and the likelihood of its success at trial.
Unlike the United Kingdom, the United States has a formal and public process of declinations that allows for agreed specific improvements to compliance processes, as well as other remediation terms (such as restitution and disgorgement) as factors on which the decision not to prosecute is based. For example, the declination in respect of World Acceptance Corporation issued in August 2020 cited ‘World’s full remediation, including the additional FCPA training added to World’s compliance program, separation from executives under whom the misconduct took place and discontinuing relationships with third parties in Mexico involved in the misconduct’ as one of the five factors on which the decision was based.[70]
Whether an organisation had an effective compliance programme is similarly relevant to deciding whether to invite a corporate to enter into a DPA, as is a corporate’s ability to demonstrate that it has willingly taken remedial action to reform and rehabilitate. The likely terms of a DPA are also closely tied to this issue, in particular regarding the appointment of a monitor.
Paragraph 7.11 of the UK DPA Code of Practice[71] articulates the (sometimes delicate) balance involved in determining whether a monitorship will be appropriate.
Therefore, at the time the terms of a DPA are agreed, a close analysis can be expected of specific remediation undertaken at that point, in the context of the corporate’s overall compliance culture, to determine the most appropriate compliance-related terms of the DPA.
The quality of a compliance programme is also relevant to the determination of any financial penalty, either as a term of a DPA or on sentencing, and will form part of the court’s assessment of the corporate’s culpability. In particular, in the United Kingdom for section 7 offences, evidence of a culture of wilful disregard to the commission of offences by employees or agents, with no effort to put effective preventative systems in place, will indicate high corporate culpability, while some effort to do so may indicate lesser culpability. The level of fine imposed may also be adjusted to avoid any negative impact on the company’s ability to implement an effective compliance programme going forward.
In the United Kingdom, organisations can derive some assistance about what makes for effective compliance from concluded section 7 criminal investigations and FCA regulatory outcomes. However, this is an evolving area and, for example, what constitutes adequate procedures has not been properly tested. The only contested section 7 case is the successful CPS prosecution of Skansen, which provides little insight into the application of the statutory defence except for the importance of documenting compliance efforts. Furthermore, many investigations were resolved by DPA, meaning that the companies accepted that their procedures were not adequate, removing the need for the courts to test the issues.
In the United States, there is a more extensive body of declinations, DPAs and NPAs, in which the principles and guidance in respect of corporate compliance and due diligence have been put into effect.
The compliance deficiencies identified and explained in these cases assist in drawing the following lessons, applicable to all areas of legal risk.
Effective compliance is critical to mitigating the risk of financial crime or misconduct within organisations. While compliance programmes cannot prevent isolated incidents of misconduct, an organisation that has sought to implement robust, risk-appropriate compliance procedures stands a better chance of demonstrating the sufficiency of those procedures and securing a favourable outcome, particularly where it is has done so in the context of a positive culture of corporate integrity. In the event of a suspected breach, as part of the investigation, corporates should be ready to evidence a proportionate and risk-based approach to compliance, driven by senior management, where risk assessments and procedures have been regularly reviewed, staff are adequately trained and the procedures have been fully and properly implemented.
[1] Alison Pople KC is a barrister at Cloth Fair Chambers. Johanna Walsh is a partner, and Mellissa Curzon-Berners is an associate, at Mishcon de Reya LLP.
[2] On 10 June 2022 the Law Commission published its long-awaited options paper on corporate criminal liability in respect of economic crime. Among the options put forward for consideration by the UK government is the creation of an offence of ‘failure to prevent fraud by an associated person’ where the associated person (likely an employee or agent) commits an offence of fraud with intent to benefit the corporate or another person or entity to whom the associated person provides services on behalf of the corporate. Should this option be pursued, and the offence enacted the compliance consequences will be considerable. The timescale in respect of any proposed legislative changes remains unknown.
[3] A ‘relevant commercial organisation’ is defined at s.7(5) Bribery Act as a body or partnership that is incorporated or formed in any part of the United Kingdom irrespective of where it carries on a business, or any other incorporated body or partnership which carries on a business or part of a business in the United Kingdom irrespective of the place of incorporation or formation.
[4] SFO v. Standard Bank plc (now ICBC Standard Bank plc), Crown Court (Southwark), 30 November 2015 [2016] Lloyd’s Rep FC 102 (Standard Bank).
[5] SFO v. Sarclad Ltd, Crown Court (Southwark), 8 July 2016, Case No. U20150856 (Sarclad).
[6] SFO v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc, Crown Court (Southwark), 17 January 2017 [2017] Lloyd’s Rep FC 249 (Rolls-Royce).
[7] SFO v. Güralp Systems Ltd, Crown Court (Southwark), 22 October 2019 [2020] Lloyd’s Rep FC 90 (Güralp).
[8] SFO v. Airbus SE, Crown Court (Southwark), 31 January 2020, Case No. U20200108 (Airbus).
[9] SFO v. Airline Services Limited, 30 October 2020, Case No. U20201913 (Airline Services Ltd).
[10] SFO v. Amec Foster Wheeler Energy Limited, 1 July 2021 (Amec Foster Wheeler).
[11] The final hearing was concluded on 19 July 2021 at the Royal Courts of Justice (listed as SFO v. AB Ltd and CD Ltd). Reporting restrictions apply under the Contempt of Court Act 1981 in respect of aspects of these proceedings. The full documentation (deferred prosecution agreements, statements of facts and judgment) will only be published once those restrictions have been lifted.
[12] R. v. Sweett Group plc (unreported).
[13] R. v. Skansen Interiors Ltd (unreported) (Skansen).
[14] A ‘relevant body’ is defined at s.44(2) as a body corporate or partnership (wherever incorporated or formed). Partnership is separately defined at s.44(3).
[15] As set out in Criminal Finances Act 2017, s.46(2).
[16] See ibid., ss.45(2) and 46(3).
[17] See HMRC Freedom of Information Act release dated 30 June 2022 on the number of live corporate criminal offences investigations. The update shows that HMRC has closed a number of investigations without charge in the preceding year.
[18] House of Lords Select Committee on the Bribery Act 2010, report of Session 2017-19 ‘The Bribery Act 2010: post-legislative scrutiny’.
[19] Ministry of Justice guidance on the Bribery Act 2010 issued pursuant to s.9 of that Act.
[20] Regulations 3(1) and 8 – A firm will be a ‘relevant person’ if it falls within the MLTF Regulations’ definitions of (1) credit institutions, (2) financial institutions, (3) auditors, insolvency practitioners, external accountants and tax advisers, (4) independent legal professionals, (5) trust or company service providers, (6) estate agents and lettings agents, (7) high value dealers, (8) casinos, (9) art market participants, (10) cryptoasset exchange providers, and (11) custodian wallet providers.
[21] Regulation 86.
[22] Regulation 86(3).
[23] See sentencing remarks of Mrs Justice Cockerill dated 13 December 2021 at https://www.judiciary.uk/judgments/r-v-national-westminster-bank/.
[24] FCA Handbook, PRIN 2.
[25] FCA Decision Notice to Ghana International Bank Plc, Ref. 204471, 23 June 2022.
[26] FCA Final Notice to JLT Speciality Limited, Ref. 310428, 16 June 2022.
[27] FCA Final Notice to The TJM Partnership Limited (Formerly known as Neovision Global Capital Limited) (In Liquidation), Ref. 498199, 15 July 2022.
[28] Bribery Act 2010, s.9(1): ‘The Secretary of State must publish guidance about procedures that relevant commercial organisations can put in place to prevent persons associated with them from bribing as mentioned in s7(1).’
[29] https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf.
[30] In post-legislative scrutiny of the Bribery Act, a House of Lords Select Committee concluded that the MOJ Guidance was less helpful in informing and advising small and medium-sized businesses on what would constitute an effective anti-bribery policy and stressed ‘the importance for even the smallest companies of carrying out a properly documented risk assessment’. It recommended amending the Guidance to make this clear and to emphasise that all but the smallest businesses should have appropriately tailored procedures that staff have been trained to understand and follow.
[31] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/ attachment_data/file/672231/Tackling-tax-evasion-corporate-offences.pdf. The Criminal Finances Act, s.47(1), provides that the Chancellor of the Exchequer must prepare and publish guidance about procedures that relevant bodies can put in place to prevent persons acting in the capacity of an associated person from committing UK tax evasion facilitation offences or foreign tax evasion facilitation offences.
[32] Compliance, Internal Audit and Financial Crime.
[33] Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG).
[34] Sixteen thematic reviews were conducted by the FCA between 2006 and 2014 resulting in ‘general guidance’ as defined in FSMA 2000, s.158.
[35] For example, managing bribery and corruption risk in commercial insurance broking – update 2014 contains useful guidance about entering and managing third-party introducer relationships, which may be of assistance to corporates in other business sectors required to manage that risk.
[36] Prevention of money laundering/combating terrorist financing: guidance for the UK financial sector, June 2020 (amended July 2020).
[37] SFO Operational Handbook: Evaluating a Compliance Programme (January 2020).
[38] ibid., p. 5.
[39] This was borne out in SFO v. G4S Care & Justices Services (UK) Ltd, Crown Court (Southwark), 17 July 2020, which was the second DPA to be agreed after the SFO published its guidance and saw the appointment of the first monitor under the DPA regime.
[40] US Department of Justice and the US Securities and Exchange Commission, A Resource Guide to the US Foreign Corruption Practices Act, Second Edition, July 2020.
[41] ibid., Foreword, page iii.
[42] Working Group on Bribery, OECD, Good Practice on Internal Controls, Ethics and Compliance (February 2010); World Bank Group Integrity Compliance Guidelines (2017).
[43] US Department of Justice, Evaluation of Corporate Compliance Programs (updated June 2020).
[44] US Department of Justice, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (July 2019).
[45] 28 C.F.R. part 80 (current as of 1 July 1999), § 80.1, Purpose.
[46] ibid., § 80.3, Transaction.
[47] ibid., § 80.3, Transaction.
[48] ibid., § 80.4, Issuer or domestic concern and 15 USC § 78dd-2(h)(1).
[49] 15 U.S.C. §§ 78dd-1 and 78dd-2.
[50] 28 C.F.R. part 80 (current as of 1 July 1999), § 80.10.
[51] Id.
[52] ibid., §§ 80.11 and 12.
[53] Foreign Corrupt Practices Act Review Opinion Release, 21 January 2022, No. 22-1.
[54] US Sentencing Commission, Guidelines Manual, chapter 8 (§ bB2.1) (2018).
[55] FCA Discussion Paper DP 18/2: Transforming culture in financial services, March 2018, p. 3.
[56] Id.
[57] Rolls-Royce judgment, para. 102.
[58] See SFO v. Tesco Stores Ltd, Crown Court (Southwark), Case No. U20170287 10 April 2017 (Statement of Facts, para. 55).
[59] Rolls-Royce judgment, para. 104.
[60] Airbus judgment, para. 65; Amec Foster Wheeler judgment, para. 24 (‘The policies changed, but they never worked because FWEL [Foster Wheeler Energy Limited] did not want them to.’) (per Edis LJ).
[61] Airline Services Ltd, judgment, para. 49.
[62] See, for example, Principle 2 of the Bribery Act guidance (pp. 23–24).
[63] See Sarclad, preliminary judgment, para. 32.
[64] See the Benczkowski Memorandum, 11 October 2018. ‘Where misconduct occurred under different corporate leadership or within a compliance environment that no longer exists within a company, [prosecutors] should consider whether the changes in corporate culture and/or leadership are adequate to safeguard against a recurrence of misconduct.’ A similar line of reasoning was applied in the UK DPA with Amec Foster Wheeler Energy Limited, where the SFO did ‘not require that a monitor be installed in recognition of the substantial enhancements and modifications to the E&C Programme [multi-year, group wide ethics and compliance policies and procedures] and remediation exercise that have already been undertaken’ (DPA, para. 44).
[65] Non-Prosecution Agreement between DOJ and RMC, 8 March 2019.
[66] US Justice Manual § 9-28.1000(A), Restitution and Remediation.
[67] US Justice Manual § 9-28.1000(B), Restitution and Remediation.
[68] Crown Prosecution Service Guidance on Corporate Prosecutions.
[69] The Enforcement Guide, FCA Handbook.
[70] US Department of Justice, Letter to Womble Bond Dickinson re World Acceptance Corporation, 5 August 2020.
[71] SFO and CPS joint Deferred Prosecution Agreements Code of Practice (Crime and Courts Act 2013).
[72] See Tesco. This was not a section 7 case and Tesco Stores Ltd entered into a DPA in respect of one count of false accounting.
[73] USA v. Siemens Aktiengesellschaft, Information, 12 December 2008.
[74] See, for example, Rolls-Royce, Tesco, Airbus.
[75] As a term of their DPAs, Sarclad’s chief operating officer conducted a compliance review while Güralp Systems’ compliance officer conducted a compliance review.
[76] See US Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs guidance (updated June 2020), Section II.
[77] Standard Bank and Stanbic Bank Tanzania Ltd.
[78] US v. Airbus DPA, 31 January 2020.
[79] The conduct that Sarclad accepted had taken place began some four years after acquisition in 2004 and the acquisition was at a time when compliance programmes were less developed generally and not subject to the same level of scrutiny as today.
[80] The DOJ Compliance Guidance is helpful on this point.
[81] Those agreed between the SFO and Standard Bank, Sarclad, Rolls-Royce, Airbus, Airline Services Limited, Amec Foster Wheeler, and AB Ltd and CD Ltd.
[82] R v. Alstom Network UK Ltd [2019] EWCA Crim 1318. A pre-Bribery Act prosecution that concluded in November 2019 with Alstom Power Ltd having pleaded guilty to one count of conspiracy to corrupt and Alstom Network UK Ltd having been convicted of a further count of conspiracy to corrupt.
[83] Final Notice, 19 December 2013.
[84] SFO v. Serco Geografix Ltd, Crown Court (Southwark), 4 July 2019 Case No. U20190413. Serco Geografix Ltd entered into a DPA in respect of five counts of fraud and false accounting.
[85] Final Notice, 17 March 2014.
[86] See, for example, US Department of Justice Criminal Division, Letter to K&L Gates dated 3 June 2016 in respect of Nortek, Inc.
Author | Barrister
Author | Partner
Author | Associate
Judith Seddon, Eleanor Davison, Christopher J Morvillo, Luke Tolaini, Celeste Koeleveld, F Joseph Warin and Winston Y Chan
Dechert LLP, Fountain Court Chambers, Clifford Chance and Gibson Dunn & Crutcher
Judith Seddon, Eleanor Davison, Christopher J Morvillo, Luke Tolaini, Celeste Koeleveld, F Joseph Warin and Winston Y Chan
Dechert LLP, Fountain Court Chambers, Clifford Chance and Gibson Dunn & Crutcher LLP
William H Devaney, Joanna Ludlam, Mark Banks and Aleesha Fowler
Baker McKenzie
Judith Seddon and Andris Ivanovs
Dechert LLP
F Joseph Warin, Winston Y Chan, Chris Jones and Duncan Taylor
Gibson Dunn & Crutcher
Alison Wilson, Sinead Casey, Elly Proudlock and Nick Marshall
Linklaters
Daniel Silver and Benjamin Berringer
Clifford Chance
Simon Airey and James Dobias
McDermott Will & Emery UK LLP
Bruce E Yannett and David Sarratt
Debevoise & Plimpton LLP
Nichola Peters, Michelle de Kluyver and Jaya Gupta
Addleshaw Goddard LLP
Avi Weitzman, John Nowak, Jena Sold and Amanda Pober
Paul Hastings LLP
Stuart Alford KC, Serrin A Turner, Gail E Crawford, Hayley Pizzey, Mair Williams and Matthew Valenti
Latham & Watkins LLP
Caroline Day and Louise Hodges
Kingsley Napley
John Nathanson, Katherine Stoller and Cáitrín McKiernan
Shearman & Sterling LLP
Glenn Pomerantz and Paul Peterson
BDO LLP
Matthew Bruce, Ali Kirby-Harris, Ben Morgan and Ali Sallaway
Freshfields Bruckhaus Deringer LLP
John D Buretta and Megan Y Lew
Cravath Swaine & Moore
Caroline Black, Clare Putnam Pozos, Chloe Binding and Carla Graff
Dechert LLP
Tamara Oppenheimer KC, Rebecca Loveridge and Samuel Rabinowitz
Fountain Court Chambers
Richard M Strassberg and Meghan K Spillane
Goodwin
Nicholas Purnell KC, Brian Spiro, Jessica Chappatte and Eamon McCarthy-Keen
Herbert Smith Freehills
Nicolas Bourtin
Sullivan & Cromwell LLP
Nichola Peters and Michelle de Kluyver
Addleshaw Goddard LLP
Sam Amir Toossi and Farhad Alavi
Akrivis Law Group, PLLC
Robin Barclay KC, Nico Leslie, Christopher J Morvillo, Celeste Koeleveld, Meredith George and Benjamin Berringer
Fountain Court Chambers and Clifford Chance
Tom Epps, Andrew Love, Julia Maskell and Benjamin Sharrock
Cooley LLP
Matthew Kutcher, Alexandra Eber, Matt K Nguyen, Wazhma Sadat and Kimberley Bishop
Cooley LLP
Jessica Lee and Chloë Kealey
Brown Rudnick LLP
James P Loonam and Ryan J Andreoli
Jones Day
Rita Mitchell, Simon Osborn-King and Yannis Yuen
Willkie Farr & Gallagher LLP
David Mortlock, Britt Mosman, Nikki Cronin and Ahmad El-Gamal
Willkie Farr & Gallagher LLP
Francesca Titus, Andrew Thornton-Dibb, Mehboob Dossa, William Boddy and Oscar Ratcliffe
McGuireWoods
Emily Goddard, Anna Kirkpatrick and Ellen Lake
Clifford Chance
Alison Pople KC, Johanna Walsh and Mellissa Curzon-Berners
Cloth Fair Chambers and Mishcon De Reya LLP
Kevin Roberts, Duncan Grieve and Charlotte Glaser
Cadwalader, Wickersham & Taft LLP
Jodi Avergun and Cheryl Risell
Cadwalader, Wickersham & Taft LLP
James Carlton, Sona Ganatra and David Murphy
Fox Williams LLP
Milton L Williams, Avni P Patel and Jacob Gardener
Walden Macht & Haran LLP
Natalie Sherborn, Carl Newman, Perveen Hill, Anthony Hanratty and Sophie Gilford
Withersworldwide
Christopher LaVigne, Martin Auerbach and Georges Lederman
Withersworldwide
Richard Sallybanks, Anoushka Warlow and Greta Barkle
BCL Solicitors LLP
Amanda Raad, Michael McGovern, Meghan Gilligan Palermo, Abraham Lee, Chloe Gordils and Ross MacPherson
Ropes & Gray
Elizabeth Robertson, Vanessa McGoldrick and Jason Williamson
Skadden, Arps, Slate, Meagher & Flom (UK) LLP
Victoria L Weatherford and Tera N Coleman
Baker & Hostetler
Ben Brandon and Aaron Watkins
Mishcon De Reya LLP and Kingsley Napley
Judith Seddon, Eleanor Davison, Christopher J Morvillo, Luke Tolaini, Celeste Koeleveld, F Joseph Warin and Winston Y Chan
Dechert LLP, Fountain Court Chambers, Clifford Chance and Gibson Dunn & Crutcher LLP
Kyle Wombolt and Pamela Kiesselbach
Herbert Smith Freehills
Robert Dalling and Karam Jardaneh
Jenner & Block
María González Calvet
Ropes & Gray
Michael S Diamant
Gibson Dunn & Crutcher LLP
Gustavo Morales Oliver, María Lorena Schiariti and María Agustina Testa
Marval, O’Farrell & Mairal
Tim Grave and Lara Gotti
Clifford Chance
Jonathan D King, Ricardo Caiado Lima, Antonio Tovo, André Sampaio Lacerda Ferraz and Mellina Bulgarini Gerhardt
DLA Piper LLP (US) and Campos Mello Advogados in Cooperation with DLA Piper
Sabrina A Bandali, Emrys Davis, Alan P Gardner, Laura Inglis, Amanda C McLachlan, Ruth E Promislow and Nathan J Shaheen
Bennett Jones
Rafael Collado González, Lucía Álvarez Galvez, Josefa Zamorano Quiroga and Camilo León Millones
FerradaNehme
Kyle Wombolt, Helen Tang and Tracey Cui
Herbert Smith Freehills
Marcela Cristina Blanco and Marcelo Buendía Vélez
Díaz Reus Abogados
Stéphane de Navacelle, Thomas Lapierre and Julie Zorrilla
Navacelle
Eike W Grunert, Michael Reich, David Stoppelmann and Stephan Appt
Pinsent Masons
Ilias Anagnostopoulos, Jerina Zapanti and Alexandros Tsagkalidis
Anagnostopoulos
Donna Wacker, Jonathan Wong, Anita Lam and Michael Wang
Clifford Chance
Sherbir Panag, Tanya Ganguli and Lavanyaa Chopra
Law Offices of Panag & Babu
Karen Reynolds and Connor Cassidy
Matheson
Giuseppe Fornari, Enrico Di Fiorino, Emanuele Angiuli and Lorena Morrone
Fornari e Associati
Antonio Cárdenas Arriola, Jonathan D King, Daniel González Estrada and Yesica L Garduño Sandoval
DLA Piper
William Fotherby and Caitlin Anyon-Peters
Meredith Connell
Dayo Adu, Temiloluwa Dosumu and Esther Randle
Famsville Solicitors
Alberto Rebaza, Augusto Loli, Héctor Gadea, María Haydée Zegarra and Sergio Mattos
Rebaza, Alcázar & de las Casas
Kabir Singh, Janice Goh and Joey Ng
Clifford Chance LLP
Edward James, Deirdré Simaan, Adam Gunn, Thorne Godinho, Sarah Burford and Jazquelyn Govender
Pinsent Masons
Jaime Alonso Gallo
Uría Menéndez
Flavio Romerio, Claudio Bazzani, Katrin Ivell and Reto Ferrari-Visca
Homburger
Burcu Tuzcu Ersin, E Benan Arseven and Z Ertunç Şirin
Moroğlu Arseven
Simon Airey, James Dobias and William Merry
McDermott Will & Emery UK LLP
Bradley J Bolerjack and Francisca M Mok
Reed Smith LLP
Get more from GIR
Sign up to our daily email alert
Sign up
Unlock unlimited access to all Global Investigations Review content
