On 17 January 2020, the UK’s Serious Fraud Office (the “SFO”) released guidance on evaluating compliance programmes (the “SFO Guidance”). This is the first time the SFO has issued guidance on how it will assess the effectiveness of an organisation’s compliance programme. The guidance forms part of the SFO’s internal Operational Handbook, and the SFO said it published the guidance in the interests of transparency and with the disclaimer that it should not be relied on as the basis for any legal advice or decision. The SFO Guidance nonetheless not only assists organisations in evaluating the strength of their compliance programmes but also sets out what organisations can expect from the SFO and what remediation measures they should take in relation to their compliance programmes if they are being investigated by the SFO.
The SFO Guidance, which must be read together with the SFO’s Guidance on Corporate Prosecutions and Code for Crown Prosecutors, covers three key areas:
Stages at which the SFO may consider the state of a compliance programme
The SFO Guidance makes clear that the SFO will consider the state of an organisation’s compliance programme at different points of time. The expectations are different at each stage, and the SFO’s assessment will have an impact on decisions such as the decision to prosecute, the suitability of a deferred prosecution agreement (DPA), sentencing and whether or not a monitor should be appointed. Put simply, the SFO will consider an organisation’s compliance programme in the past, present and future.
SFO investigation of compliance programmes
The SFO Guidance also sets out (in brief terms) how it will assess compliance programmes. It does not prescribe a particular approach, with the SFO acknowledging that individual cases differ. This is particularly true for smaller organisations that the SFO is investigating. The SFO Guidance does, however, stress that prosecutors should consider compliance issues early on in an investigation and ensure that their approach to obtaining information on compliance programmes keeps in mind the aims of the broader investigation. The SFO Guidance states that organisations should have a variety of written records on their compliance programmes and highlights the investigatory tools at the SFO’s disposal for obtaining such information.
Organisations can therefore expect, at a very early stage in the SFO’s investigation, to be required to produce documents such as compliance policies and procedures, gifts and hospitality registers, compliance training records and manuals, risk assessments, and data around the management of whistleblower reports. For organisations with global businesses, such documents may be stored across various countries and/or sit with external vendors, so it will be important for organisations to involve their compliance functions and their vendors at an early stage of the investigation to ensure that such information can be effectively collated, reviewed and produced to the SFO in a timely manner.
Assessment of compliance programmes through the MoJ’s “Six Principles”
In assessing compliance programmes, the SFO Guidance states that the “Six Principles” in the Ministry of Justice’s guidance on the Bribery Act (the “MoJ Guidance”), published in March 2011, are a good general framework. The SFO Guidance states that the “Six Principles” are not prescriptive and are intended to be flexible, particularly when assessing the compliance programmes of smaller businesses. These “Six Principles” were also previously adopted in HMRC’s guidance for corporate offences under the Criminal Finances Act 2017.
Although the MoJ Guidance specifically discusses these principles within the context of the prevention of bribery, the “Six Principles” in the MoJ Guidance set out detailed considerations that can be applied by organisations when devising and reviewing their compliance programmes. It remains to be seen how the SFO will apply the MoJ Guidance when assessing compliance programmes more broadly for non-bribery offences. For example, it is unclear whether such principles will be applied to policies and procedures around financial controls for offences such as false accounting or other offences in relation to which DPAs may be entered into.
Echoing DOJ Guidance
The U.S. Department of Justice (the “DOJ”) issued guidance on the evaluation of corporate compliance programmes (the “DOJ Guidance”) in March 2017 and updated the guidance in April 2019. Like the SFO, the DOJ reinforces the need for a compliance policy to be effective, and not simply a “paper program” (the SFO uses the phrase “paper exercise”), and also recognises that compliance programmes must be evaluated in the specific context of the criminal investigation undertaken and that prosecutors ought not to use a rigid formula when conducting that evaluation.
The DOJ Guidance states that prosecutors should ask three “fundamental questions”:
1. “Is the corporation’s compliance program well designed?”
2. “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?
3. “Does the corporation’s compliance program work” in practice?
To expand on these three questions, the DOJ Guidance lays out 12 criteria upon which an organisation’s compliance policy will be assessed, although the DOJ expressly states that these form neither a checklist nor a formula and their relevance ought to be considered in the circumstances of each case. The table below compares the criteria from the MoJ Guidance, as applied by the SFO Guidance, with those in the DOJ Guidance.
(applying the six principles in the MoJ Guidance)
(Evaluation of Corporate Compliance Programs)
I. Is the Corporation's Program Well Designed?
A. Risk Assessment
B. Policies and Procedures
C. Training and Communications
D. Confidential Reporting Structure and Investigation Process
E. Third-Party Management
F. Mergers and Acquisitions
II. Is the Corporation's Compliance Program Being Implemented Effectively?
A. Commitment by Senior and Middle Management
B. Autonomy and Resources
C. Incentives and Disciplinary Measures
III. Does the Corporation's Compliance Program Work in Practice?
A. Continuous Improvement, Periodic Testing and Review
B. Investigation of Misconduct
C. Analysis and Remediation of Any Underlying Misconduct
Like the SFO Guidance, the DOJ Guidance, referring to the Principles of Federal Prosecution of Business Organizations in the Justice Manual, states that the factors prosecutors should consider when investigating an organisation include the adequacy and effectiveness of the company’s compliance programme at the time of the offence and at the time of a charging decision, as well as the company’s remedial efforts to implement or improve an existing compliance programme. The DOJ Guidance states that the existence and effectiveness of an organisation’s compliance programme will also be taken into account during sentencing and when prosecutors are determining whether the appointment of a monitor is appropriate.
Although crafted differently and even though the DOJ Guidance is much more detailed, the SFO Guidance and DOJ Guidance use overlapping and consistent principles and have the same purpose, namely, to steer prosecutors in their evaluation of corporate compliance programmes. For example, in the area of risk assessment, both the SFO and DOJ call for a tailored, periodic and evolving risk assessment approach, and in mergers and acquisitions, stress the importance of due diligence into acquired companies. This consistency allows organisations faced with concurrent investigations by the DOJ and the SFO to align their approach to responding to investigators’ queries in relation to compliance programmes. With transatlantic cooperation between the SFO and DOJ (e.g., in the investigations of Rolls-Royce Plc, Standard Bank Plc and Guralp Systems Ltd) set to continue, such alignment is helpful to organisations in understanding and meeting the expectations of prosecutors on both sides of the Atlantic.
Organisations Must Ensure Compliance Programmes Are Fit for Purpose
The SFO Guidance is an excellent addition to the growing library of guidance related to corporate prosecutions issued under SFO Director Lisa Osofsky since she took office in August 2018. It not only provides transparency on what the SFO looks for when it is investigating organisations’ compliance programmes but serves to reassure smaller businesses that prosecutors will consider proportionality when evaluating their compliance programmes.
That said, the SFO Guidance makes clear that all businesses, no matter their size, must have internal systems and procedures for ensuring that they comply with legal requirements. While the scope of those arrangements will vary depending on the size and nature of each business, it is clear from the SFO Guidance that there is no “one-size-fits-all” compliance programme and organisations must ensure that they undertake regular and proportionate risk assessments to ensure that their compliance programmes are tailored to address the particular risks that they face and are adequately communicated within their organisations.