January 30, 2020

SFO Publishes Internal Guidance on Evaluating Compliance Programmes

The Serious Fraud Office (“SFO”) recently published internal guidance for its staff on how to evaluate the effectiveness of the compliance programmes in place at the organisations they investigate (the “Guidance”). The Guidance, published on the SFO website, is part of the SFO’s internal Operational Handbook and is published in the interest of transparency, rather than to provide guidance to outside organisations. However, it is helpful in understanding when and how the SFO will consider an organisation’s compliance programme as relevant to its enforcement decisions.

The SFO regards the compliance programme in place as relevant in all cases involving an organisation, regardless of the underlying conduct being considered. It is therefore not only relevant to the corporate offence of failure to prevent bribery under the Bribery Act, or the similar failure to prevent tax evasion offences under the Criminal Finances Act, but could also be relevant to other conduct, such as fraud, or substantive bribery. Companies subject to investigation by the SFO can expect it to use its investigative powers to obtain information about their compliance programme as well as the specific conduct under investigation. Similarly, we recommend that organisations conducting internal investigations into suspected misconduct always consider the relevant compliance framework as part of their review.

In addition, the Guidance sets out that organisations “of any size can be expected to have at least some compliance arrangements”, even if they do not have a formalised compliance department in place. In that context, the SFO considers it “critical” in its assessment of any compliance programme that it is “proportionate, risk-based and regularly reviewed”. This is in line with best practice in this area, where companies are increasingly taking a tailored, risk-based approach to compliance, with policies and procedures clearly referenced to an assessment of the compliance risks faced by their business.

When is the compliance programme relevant?

The Guidance states that the SFO will assess the state of the compliance programme of organisations under investigation for different purposes.

Firstly, when making a decision as to whether or not to prosecute:

  • the state of an organisation’s compliance programme at the time when the offending behaviour occurred is a relevant public interest factor in deciding whether or not to prosecute:
    • it may act in favour of prosecution if “the offence was committed at a time when the company had an ineffective corporate compliance programme” (as stipulated in the Guidance on Corporate Prosecutions);
    • conversely, it may be a relevant factor against a decision to prosecute if the SFO considers that the company is likely to have a statutory defence because it had an effective compliance programme in place at the time of offending (such as the so-called “adequate policies and procedures” defence under the Bribery Act); and
    • where an organisation with a substandard programme at the time of wrongdoing takes “remedial actions” by enhancing its compliance programme to make it genuinely proactive and effective by the time of any charging decision, then that may also be a relevant factor in a decision not to prosecute the company.

Secondly, when deciding whether or not to offer a Deferred Prosecution Agreement:

  • whether an organisation already has a genuinely proactive and effective corporate compliance programme by the time of any charging decision is important in determining whether the organisation has “reformed and rehabilitated” since the conduct in question, and is therefore relevant to deciding whether or not to offer a deferred prosecution agreement (“DPA”) as an alternative to prosecution; and
  • if a DPA is under consideration, how the compliance programme could change going forward may be relevant, since a DPA may include stipulations requiring a company to take steps to improve its compliance programme, and for those to be monitored under the terms of the DPA.

Thirdly, when sentencing a company for criminal wrongdoing:

  • where an organisation did have a compliance programme in place but that programme was determined to be insufficient to allow it to rely on a statutory defence, such as under the Bribery Act, or for it to be offered a DPA, then it may still be relevant to sentencing to reflect lesser culpability; and
  • a Court will need to consider whether the level of a fine to be imposed might impact the organisation’s ability to implement an effective compliance programme.

Other points to note

The Guidance encourages the SFO’s investigative teams to ensure that compliance issues are explored at an early stage of any investigation and that information regarding the organisation’s compliance programme is obtained from a variety of sources. The Guidance also refers to the “Six Principles” detailed in the Bribery Act guidance, published in 2011, as representing “a good general framework for assessing compliance programmes”. These principles are:

  1. Proportionate Procedures: Adequate bribery prevention procedures ought to be proportionate to the bribery risks that the organisation faces and to the nature, scale and complexity of the commercial organisation’s activities.
  2. Top-Level Commitment: The board, or top-level management, of a commercial organisation should be committed to preventing bribery by persons associated with it. They should be responsible for setting bribery prevention policies and keeping these policies and procedures under regular review.
  3. Risk Assessment: A commercial organisation should periodically conduct an assessment of the nature and extent of its exposure to potential external and internal bribery risks. This assessment should be informed, documented and evolve as the organisation’s business evolves. Common external risks include: country, sectoral, and business partnership risks.
  4. Due Diligence: To mitigate identified bribery risks, a commercial organisation should apply due diligence procedures regarding persons who perform or will perform services for or on behalf of the organisation. This relates both to the use of intermediaries and vendors, as well as the hiring of employees.
  5. Communication (including training): A commercial organisation should ensure that its bribery prevention policies and procedures are embedded and effectively communicated internally and externally.
  6. Monitoring and Review: Procedures designed to prevent bribery should be monitored and improvements made where necessary.
