No matter the industry, maintaining an effective corporate compliance program has never been a more essential part of operations for addressing the legal risks that corporates face. This article, the third in a series about corporate compliance from BCLP’s Global Investigations team, examines the factors to weigh when devising a strong corporate compliance program and the features of such a program.
Why does the corporate compliance program matter?
Fundamentally, a good corporate compliance program will ensure that the company and its employees follow the laws, regulations, standards and practices applicable in the relevant industry and that any deviations from this are detected and addressed expeditiously. But why does this matter? Putting aside the moral dimension, there is quite simply a practical impetus here. As we discussed in detail in the previous two articles in this series – dealing with the current position on corporate criminal liability in the US, UK and France and the enforcement tools in the armoury of prosecutors in these countries – corporate criminal liability is now not only easy to establish in the US, UK and France, but it also is targeted with vigour in each of these jurisdictions. Given this, corporates must ensure that they have comprehensive compliance programs that appropriately address the risks that they are facing.
In France, under the Law on Transparency, Anti-Corruption and the Modernization of the Economy, known as the “Sapin II Law”, which we discussed in our second article, certain corporates are affirmatively required to implement compliance programs and failure to do so is a violation of the laws themselves. We deal with this in further detail below. Moreover, even when not required by law, the existence of such programs may make a difference to whether the government or regulator ultimately decides to criminally charge a corporate.
In the US, federal prosecutors take into account whether the corporate has a strong compliance program. Deputy Attorney General Rod Rosenstein recently stated that “Corporate America is often the first line of defence for detecting and deterring fraud. Meaningful compliance measures help the Department preserve its finite resources”. In addition, he noted that the US Department of Justice (“DOJ”) wants “to reward companies that invest in strong compliance measures”. Thus, a corporate with a strong compliance program is more likely to receive a non-prosecution agreement or a better deal than one that does not have such a program. This is clearly a big incentive.
Whilst it is not a strict legal requirement in the UK outside of the regulated sector, having an adequate compliance program forms the basis of the defence to the corporate “failure to prevent” offences for bribery and facilitation of tax evasion outlined in the first article in this series. We are yet to see a corporate successfully invoke the Section 7 defence under the Bribery Act 2010, and recent comments from the Serious Fraud Office (“SFO”) have emphasized that it is a high hurdle to overcome. Indeed, we understand that some senior investigators at the SFO take the view that if there has been bribery, de facto any procedures were not reasonable. Whilst this logic may apply where a number of employees were involved in bribery that went undetected by the corporate or was condoned by it, this approach should not work where there is a dishonest employee whose activities were not reasonably foreseeable. The SFO's reputed view here has led some to question whether the defence is merely theoretical and whether prosecutors would simply always conclude that procedures were logically deficient if bribery took place. That is not, however, consistent with the Ministry of Justice guidance on adequate procedures under the Bribery Act. The guidance acknowledges that no policies and procedures are capable of detecting and preventing all bribery, and the key to the defence is a proportionate risk-based approach.
The defence was never going to be a realistic prospect for the likes of Rolls Royce and Standard Bank given the scale of the corruption at issue in those cases. However, it is worth reiterating that, even where the statutory defence is unlikely to be made out, an existing compliance programme can still be a factor in avoiding a criminal prosecution. Section 2 of the Deferred Prosecution Agreement (“DPA”) Code of Practice published by the UK Director of Public Prosecutions and the Director of the SFO makes clear that the existence of a “proactive corporate compliance programme” both at the time of the offending and at the time of the reporting, which failed to be effective in this instance, will be a factor in whether the prosecutors are willing to grant a DPA.
The importance of a robust risk assessment
What constitutes a good compliance programme will depend on the offence, but it is usually informed by a robust risk assessment undertaken by the firm at the outset and recorded appropriately. Therefore, the first step for any successful compliance program is to evaluate the risks that the company faces, which means that the corporate must conduct an appropriately-scoped risk assessment.
It is critical that compliance activities are appropriately documented at every stage, and at none more so than this early stage. The UK authorities have made this particularly clear with regard to the importance of the risk assessment documentation. In order to assess whether a corporate has compliance procedures in place, UK authorities have said that they would need to be able to assess the procedures by reference to the risk assessment to ascertain whether the procedures are appropriately calibrated to address the risks identified through the assessment. Further, showing that a risk assessment properly engaged the relevant business areas will be important.
Given multi-national corporates may be prosecuted for corporate criminal liability in one country in certain circumstances even where no criminal activity has in fact taken place in that country, it is vital that the risk assessment process, and subsequent development of policies, is conducted on a global basis. For example, where a corporate operating in the UK has branch offices overseas, it will not be sufficient to protect the corporate by only conducting risk assessments in relation to UK business. In order to ease this process, Bryan Cave Leighton Paisner have developed a series of questionnaires to help corporates identify risk areas and produce appropriate procedures to help to try to protect them from corporate criminal liability.
Devising and maintaining a strong compliance program
Once those risks are identified, appropriate policies and procedures that recognize both the organizational structure and the individuals within that structure can be drafted and implemented. This does not mean that a corporation can simply type up a set of policies and procedures and put them on the shelf. Merely having a strong compliance program on paper does not suffice. It is critical that the procedures are appropriately tailored to the risks posed by the business that the corporate conducts. Such an approach is much more likely to result in the corporate obtaining the benefit of a defence, where applicable, than if it were to have an "off the shelf" set of procedures in place.
Further, the corporate must also demonstrate real efforts to make compliance a part of the entity’s culture. To ensure that a company has a culture of compliance, corporates need to ensure that there is adequate training and reinforcement of the compliance program, including through top-down messaging from management. Thus, the corporate must devote sufficient resources to ensure successful implementation, monitoring and updating of its corporate compliance program.
It is notable that there has been an increasing trend of the UK Financial Conduct Authority bringing criminal investigations for suspected breaches of UK money laundering legislation. This follows the current focus by UK authorities on money laundering and extensive reviews into the adequacy of regulated corporates' compliance programmes. If as a corporate you fall within the scope of the UK anti-money laundering regime, it is important that your processes are reviewed and updated to ensure that you are best protected from the increased trend for criminal investigations in this area.
In France, the Sapin II Law, which was passed in December 2016 and came into effect on June 1st, 2017, requires public administrations/groups, companies organized under French law and groups (or sub-groups) controlled via France with over 500 employees and with annual revenues of at least €100 million to implement a documented program comprising eight specific features to prevent acts of corruption and influence peddling in France or abroad. Failure to implement and maintain a satisfactory and documented compliance program can lead to penalties, including sanctions from the newly created French Anti-corruption Agency, the agence française anticorruption (“AFA”), by way of deterrent fines against companies and their management. This means that CEOs, Presidents, Managing Directors, Executive Board Members and Managers can all be held individually liable, with individuals subject to fines of up to €200,000 and the firms to fines of up to €1 million. Compliance with the Sapin II Law specifically includes setting up risk exposure mapping, i.e., an anticorruption code of conduct, internal warning mechanism, risk map, procedures for assessing third parties, procedures for accounting controls, tools for the prevention and detection of corruption, training program on corruption risk, procedure for internal control and evaluation. In December 2017, the AFA also issued guidelines detailing what the AFA expects for each of the items listed in the Sapin II Law. The purpose of the guidelines is to ensure that corporates and their management are clear that compliance should not be limited to a tick-the-box exercise and that the work product (including the policies, procedures for assessing third parties or for accounts controls and mapping) should reflect a strong and consistent involvement of management at all levels in addressing the risk of corruption.
Given all of the above, it is now more important than ever for corporates operating in the UK or France to ensure that they have implemented appropriate corporate compliance programs. Such compliance programs can effectively limit the risk of the corporate being prosecuted by increasingly aggressive enforcement authorities. US companies have spent years developing such programs and lessons learned from the US can be readily applied in Europe.
BCLP’s Investigations, Financial Regulation and White Collar Team regularly advise corporates on implementing and strengthening their compliance programs. We have designed and operated bespoke global risk assessment processes for corporates and are well placed to advise on the best processes and approaches to developing an appropriate compliance programme. Through our years of experience, our team can help the company adequately address risks and better prevent and detect wrongdoing. In addition, our team can effectively and efficiently conduct global investigations to help prepare a company to respond to a corporate crisis and to defend the company from government prosecutors.
For questions in relation to this or the accompanying two articles, or to discuss anything in connection with this area, please contact Mark Srere (Washington), Andrew Tuson or Oran Gelb (London) or Constantin Achillas, David Père (Paris) or Cécile Terret (Paris).