
BLOG: From Large Corporations To Small And Medium-sized Enterprises, What Can Be Learnt From “The Serious Fraud Office Operational Handbook – Evaluating A Compliance Programme?”


Colin Aylott KC and Ben Brown read between the lines of the SFO’s Operational Handbook on the issue of compliance.

On 17 January 2020 the Serious Fraud Office (“SFO”) updated its Operational Handbook to include a new section entitled, “Evaluating a Compliance Programme” (“the ECP”).  

Whilst it is paramount to keep in mind that the Operational Handbook is not statutory guidance and is for internal SFO use, it is an extremely useful guide to organisations, whether large corporates or small and medium-sized enterprises (“SMEs”), when reflecting on their own compliance programmes and identifying potential risk areas. 

What is a compliance programme?

The ECP defines a compliance programme as, “an organisation’s internal systems and procedures for helping to ensure that the organisation – and those working there – comply with legal requirements and internal policies and procedures”. 

There is a pragmatic appreciation within the ECP that compliance arrangements will vary in scope depending on the size of an organisation and the nature of the business, with larger firms having entire compliance units and SMEs having “at least some compliance arrangements”. What is important, however, is that, irrespective of the size of the organisation, a compliance programme “needs to be effective and not simply a paper exercise” and must be “proportionate, risk-based and regularly reviewed”. So instructing a compliance adviser to draft a compliance programme but leaving it to gather dust on the shelf is not enough. There is an expectation that an organisation should have “a variety of written records of its compliance programme and its operation”. Companies large and small are expected to proactively implement their policy alongside training and educating employees to a level commensurate with the size of the business.

What is the relevance of a compliance programme in SFO Cases?

The ECP emphasises the importance of a company’s compliance programme, noting that, from the outset of every investigation of an organisation, the SFO “will need to assess the effectiveness of the organisation’s compliance programme”. Any company under investigation can expect its compliance programme to be targeted early in an investigation. The ECP notes specifically that compliance material is deemed to be “relevant information” for the purpose of the Criminal Justice Act 1987, allowing the SFO to use its investigatory tools, including compelled disclosure of documents and information, section 2 witness interviews and even interviews under PACE. Once a compliance programme has been assessed, that assessment will be one factor that will “inform decisions on the case”, including:

A. Is a prosecution in the public interest?

B. Should the organisation be invited into Deferred Prosecution Agreement (“DPA”) negotiations and, if so, what conditions should the DPA include?

C. Does the organisation have a defence of ‘adequate procedures’ against a charge under s.7 of the Bribery Act 2010?

D. Might the existence and nature of the compliance programme be a relevant factor for sentencing considerations? 

What is the scope of an assessment?

The SFO remains an investigative prosecuting body and is not seeking through the provision of this guidance to enter the sphere of corporate regulation. The ECP does not outline an approach to exclusively assess compliance programmes. Instead, it proffers the six principles detailed in the Bribery Act 2010 Guidance published by the Ministry of Justice (“MOJ guidance”) as a “good general framework for assessing compliance programmes”.

The six principles are:

1.    Proportionate Procedures
2.    Top Level Commitment 
3.    Risk Assessment
4.    Due Diligence 
5.    Communication (including training)
6.    Monitoring and Review

The fact that the ECP incorporates those six principles should provide further encouragement, if it is needed, for companies to ensure that they have in place compliance programmes that are tailor-made for their business and the sector they operate within. As was made clear when the MOJ guidance was published, and is repeated in the SFO’s guidance, it is aimed “at organisations of all sizes and all sectors…it is not prescriptive and not one-size-fits-all”.

At what point in the chronology will the SFO assess a compliance programme? 

The ECP states that prosecutors will need to assess the state of an organisation’s compliance programme at different times, namely:

A.    The state of the compliance programme at the time of offending;
B.    The current state of the compliance programme;
C.    How the compliance programme could change going forward.

A. The state of the compliance programme at the time of offending

The ECP is clear in reiterating the Guidance on Corporate Prosecutions that it will be in the public interest to prosecute if, at the time the offence was committed, “the company had an ineffective corporate compliance programme”. If a company, however, has had the good sense to historically have in place a robust, regularly reviewed and updated compliance programme, it follows that the risk of prosecution may diminish.

The ECP specifically requires any prosecutor in reaching a decision as to whether to prosecute to evaluate whether there is a defence under section 7 of the Bribery Act 2010 which is established if the organisation had in place “adequate procedures designed to prevent persons associated with [it] from undertaking such conduct”. A compliance programme that was in place at the time of the offending but falls short of providing a defence under section 7 may be an important factor in reflecting lesser culpability with regards to sentencing.

B. The current state of the compliance programme

Even if the SFO reaches the view that a company’s compliance programme was inadequate or unsatisfactory, that will not necessarily be determinative of whether there will be a prosecution.  The ECP makes it plain that the SFO will look at the conduct of the company from the time of wrongdoing through the investigation and to the point of charge. The SFO in particular will be looking for evidence of “remedial actions”, as required by the Guidance on Corporate Prosecutions, putting in place a “genuinely effective proactive and effective corporate compliance programme”. How did the company react once on notice? Did it proactively review its policies and procedures? Has it strengthened its compliance practices? If the answer to those questions is in the affirmative, this will positively feed into the decisions whether to charge or consent to the company entering into a DPA.

C. How the compliance programme could change going forward

The ECP reminds prosecutors that even if an organisation does not have an acceptable compliance programme in place, a DPA may still be appropriate as the terms of any agreement may require an organisation to implement or change an existing programme, policies or training. If such terms are included they will have to be justified to the court and the expected reforms would have to be assessed whilst any DPA is in force.  

For those following the developing use of DPAs in high-profile cases of corporate wrongdoing, the ECP formalises the recent use in the Rolls Royce and Sarclad DPAs of SFO-appointed monitors whose role is to oversee and test any ongoing compliance programme agreed to as part of the DPA. The ECP states that the DPA should set out the means by which a company will satisfy the prosecutor that the terms of the DPA are being complied with and “this is likely to include a monitor being appointed at the organisation’s expense” (see DPA Code of Practice s.7.11-22). If observers of the corporate fraud world were looking for a sign of the direct influence that the SFO’s Director Lisa Osofsky is having, this US-style approach is as good an example as one could want.

Where does the ECP leave companies?

Anyone retained to advise companies on their compliance arrangements should be aiming to remind organisations of the need to review the adequacy of their procedures, the training of employees and the effective implementation of their policies. Directors should be encouraged to use the framework provided by the MOJ Guidance and now enshrined in the ECP to test and review any policies and procedures already in use. Equally, if enforcement action is taken against a company they should be advised not to stand still and wait for the investigation to take its course. Policies and procedures should be reviewed and if there is a genuine acceptance that they fall short of what should have been in place, change must be enacted. Considerable thought must be given to previous inadequacies and explanations prepared to justify the rationale underlying the original policy and how the changes enacted have robustly “future proofed” the company going forward.

