Evaluating a Compliance Programme
SFO OPERATIONAL HANDBOOK
The SFO Operational Handbook is for internal guidance only and is published on the SFO’s website solely in the interests of transparency. It is not published for the purpose of providing legal advice and should not therefore be relied on as the basis for any legal advice or decision. Some of the content of this document may have been redacted.
The relevance of compliance for SFO cases
If the SFO is investigating an organisation, it will need to assess the effectiveness of the organisation’s compliance programme.
This assessment is relevant in all cases involving an organisation. Its purpose is to inform decisions on the case, including:
a) Is a prosecution in the public interest?
b) Should the organisation be invited into DPA negotiations and, if so, what conditions should the DPA include?
c) Does the organisation have a defence of ‘adequate procedures’ against a charge under s.7 of the Bribery Act 2010 (failure of a commercial organisation to prevent bribery)?
d) Might the existence and nature of the compliance programme be a relevant factor for sentencing considerations?
What a Compliance Programme Is
A ‘compliance programme’ is an organisation’s internal systems and procedures for helping to ensure that the organisation – and those working there – comply with legal requirements and internal policies and procedures.
Generally, there has been an increased focus on ‘compliance’ over recent years as organisations recognise the importance of effective compliance procedures in helping reduce the risks of regulatory breaches and the resulting financial and reputational harm.
Compliance arrangements vary in scope, depending on the size of the organisation and the nature of the business. Many larger firms have a unit, such as a compliance department, tasked with overseeing and helping ensure effective compliance across the organisation, or even across a whole group of companies. In some sectors, such as financial services, organisations are expected to have a compliance unit, and effective systems and controls. Small and medium-sized enterprises (‘SMEs’) might not have a separate compliance unit, but organisations of any size can be expected to have at least some compliance arrangements.
A key feature of any compliance programme is that it needs to be effective and not simply a ‘paper exercise’. A compliance programme must work for each specific organisation, and organisations need to determine what is appropriate for the field in which it operates. It is critical that the compliance programme is proportionate, risk-based and regularly reviewed.
Time periods relevant to decisions
Prosecutors need to assess the state of an organisation’s compliance programme for different time periods.
It is necessary to consider the past, the present and, in some cases, even the future.
This is because the state of the compliance programme at the time of offending is relevant for some decisions; its current state is relevant for other decisions; and, if a DPA is under consideration, how it could change going forward can also be relevant. Examples are provided below.
1. The state of the compliance programme at the time of offending
Decision to prosecute
For all corporate offences, the Guidance on Corporate Prosecutions, which sets out the common approach of the Director of Public Prosecutions (DPP) and the Director of the Serious Fraud Office (DSFO) to the prosecution in England and Wales of corporate offending, specifies that it is a public interest factor in favour of prosecution if “The offence was committed at a time when the company had an ineffective corporate compliance programme”. This guidance should be read in conjunction with, and is subordinate to, the Code for Crown Prosecutors. Both must be fully considered prior to making a decision to charge.
Conversely, an organisation has a defence against a s.7 Bribery Act offence (failure of a commercial organisation to prevent bribery) if, at the time of the bribe, the organisation had in place “adequate procedures designed to prevent persons associated with [it] from undertaking such conduct.” While it would be for the organisation to satisfy the Court of this at trial, evaluating the likelihood of such a defence being raised successfully is an important factor in the decision to prosecute.
If the organisation had made an effort to put some bribery prevention measures in place, but these were “insufficient to amount to a defence” under s.7, this may still be relevant to sentencing (reflecting lesser culpability).
2. The current state of the compliance programme
Decision to prosecute
An organisation with a poor programme at the time of wrongdoing may, nonetheless, have strengthened its programme by the time of the charging decision. This would be relevant to a charging decision under the Guidance on Corporate Prosecutions because a prosecutor should consider whether an organisation has taken “remedial actions” (e.g. has enhanced its compliance programme) and whether there is “a genuinely proactive and effective corporate compliance programme”. These are public interest factors against prosecution. Again, the Guidance on Corporate Prosecutions and the Code for Crown Prosecutors must be fully considered prior to making a decision to charge.
Considering a DPA
The prosecutor also needs to consider the current state of the organisation’s compliance programme when assessing its suitability for a DPA, “An important consideration for entering into a DPA is whether P [the organisation] already has a genuinely proactive and effective corporate compliance programme”. This is an important part of determining whether (and to what extent) the organisation has reformed and rehabilitated itself.
The Court may consider the current state of an organisation’s compliance programme when sentencing, including whether the level of fine impacts the organisation’s ability to implement effective compliance programmes.”
3. How the compliance programme could change going forward
Terms of a proposed DPA – and monitoring those terms
A DPA may still be appropriate, even where an organisation does not yet have a fully effective compliance programme, as the DPA can impose further improvements. A DPA can include terms requiring the organisation to implement a compliance programme, or change its existing programme, policies or training.” A prosecutor considering a DPA therefore needs to assess whether such terms may be appropriate, and to be ready to justify this to the Court.
If a DPA includes terms about the organisation’s compliance programme, the prosecutor will need to be able to assess the expected reforms while the DPA is in force, to determine whether the organisation is complying with the terms of the DPA. The DPA should set out the means by which the organisation will satisfy the prosecutor. This is likely to include a monitor being appointed at the organisation’s expense.”
Investigating a Compliance Programme
Teams should begin to explore compliance issues early in the investigation.
Investigators will need to obtain information from a variety of sources about the organisation’s compliance programme. The sources of this information – in particular, sources of information concerning failures of a compliance programme – are also likely to be sources of information on wider questions such as direct or circumstantial evidence of criminality. It is important therefore that compliance issues are considered as part of the overall investigation strategy.
As with any aspect of the investigation, deciding on the best approach in an individual case will involve strategic and tactical questions, including when to seek information from the various potential sources. This may involve using a variety of the SFO’s investigatory ‘tools’, deciding which ones will be most effective in the circumstances, in what sequence, and at what stage. This could include voluntary disclosures and interviews; s.2 compelled disclosure of documents or information; s.2 witness interviews and, in some cases, suspect interviews under PACE. Compliance material is considered to be “relevant information” for the purposes of the Criminal Justice Act 1987
The organisation should have a variety of written records of its compliance programme and its operation.
Considerations about which tools to use and the other factors which impact on investigating compliance should be reflected in any relevant case decision log entries and Investigation Plans addressing how the compliance programme will be evaluated.
As individual cases differ, this chapter does not prescribe a particular approach. However, it is important to maintain an open investigative mind-set, testing and corroborating evidence from a number of sources.
What to cover in an assessment
It is helpful to arrange the assessment around the six principles in the guidance published by the Ministry of Justice.
The 2011 Guidance: the “Six Principles”.
In 2011, the Ministry of Justice published statutory guidance under the Bribery Act, to help organisations understand the sorts of procedure they can put in place to prevent bribery committed by their ‘associates’ (i.e. their employees or agents) on their behalf (“the Guidance”).
This Guidance is aimed at organisations of all sizes and all sectors, and sets out six guiding principles, followed by commentary and examples. It is not prescriptive and not one-size-fits-all; small or medium-sized enterprises (SMEs) in particular may have alternative procedures in place which are also adequate. Although it relates specifically to the ‘adequate procedures’ defence to the s.7 offence.” Its principles represent a good general framework for assessing compliance programmes.
Summary of the Six Principles
Each of the six principles is summarised below.
The Guidance sets out that: “These principles are not prescriptive. They are intended to be flexible and outcome focussed, allowing for the huge variety of circumstances that commercial organisations find themselves in”. This flexibility is particularly important in evaluating the programmes of SMEs.
Principle 1: Proportionate Procedures
“A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced”.
The Guidance states that the word “procedures” in this context applies both to the policies prohibiting bribery and to the measures put in place to implement them.
The Guidance ties the issue of proportionality directly to the need for the commercial organisation to perform a risk assessment: “Adequate bribery prevention procedures ought to be proportionate to the bribery risks that the organisation faces. An initial assessment of risk across the organisation is therefore a necessary first step”. (Principle 1.2)
Principle 2: Top Level Commitment
“The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”
In large organisations, the Guidance expects this responsibility to be on the board of directors: “In a large multi-national organisation the board should be responsible for setting bribery prevention policies, tasking management to design, operate and monitor bribery prevention procedures, and keeping these policies and procedures under regular review.” (Principle 2.4)
Top-level involvement in bribery prevention includes, among other things, assurance of the risk assessment, specific involvement in high-profile and critical decision-making, and the selection and training of senior managers to lead anti-bribery work.
Principle 3: Risk Assessment
“The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.”
The Guidance describes the evolutionary nature of risk assessment: “As a commercial organisation’s business evolves, so will the bribery risks it faces and hence so should its risk assessment”. (Principle 3.4)
The Guidance also sets out typical external and internal factors to be considered, and emphasises that top management must oversee the evolving risk assessments conducted in response to corporate, business or jurisdictional changes. Policies and procedures should evolve to match what is disclosed by periodic risk assessments or other stimuli (Principles 3.4 and 6.1).
Common external risks included in the Guidance are (Principle 3.5):
- Business opportunity
- Business partnership
Common internal factors which may increase the level of risk included in the Guidance are (Principle 3.6):
- Deficiencies in employee training, skills, and knowledge
- A “bonus culture” that encourages risk- taking
- Lack of clarity regarding hospitality and promotional policies and procedures
- Lack of clear financial controls
- Lack of a clear message from the top.
Principle 4: due diligence
“The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.”
The Guidance addresses both the use of intermediaries and vendors, as well as the hiring of employees. As to employees, the Guidance notes: “The organisation may wish, therefore, to incorporate in its recruitment and human resources procedures an appropriate level of due diligence to mitigate the risks of bribery being undertaken by employees which is proportionate to the risk associated with the post in question”. (Principle 4.6)
As to other business entities, the Guidance warns that organisations “will need to take considerable care in entering into certain business relationships, due to the particular circumstances in which the relationships come into existence”. (Principle 4.4)
The Guidance additionally points out one type of third party relationship that warrants robust due diligence by an organisation: the area of mergers and acquisitions. “Another relationship that carries particularly important due diligence implications is a merger of commercial organisations or an acquisition of one by another”. (Principle 4.4)
Principle 5: Communication (including training)
“The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training that is proportionate to the risks it faces.”
Under the principle of communication, the Guidance addresses a number of important issues, including:
- Training, especially tailored training for those in high-risk functions such as purchasing, contracting, distribution and marketing, or those working in high-risk locations, or involved in ‘speak up’ procedures (e.g. whistleblowing). Effective training is continuous, and regularly monitored and evaluated. (Principle 5.6)
- Potential training of third parties: it may be appropriate to require them to undergo training, particularly for high-risk associated persons, or to encourage them to adopt bribery prevention training. (Principle 5.7)
- Internal communication, including policies, penalties for breach of the rules and management responsibilities at different levels. (Principle 5.3)
- Secure, confidential and accessible means for employees and agents to obtain prompt compliance advice and to raise concerns about bribery. (Principle 5.3)
Principle 6: Monitoring and Review
“The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.”
Linked to the Guidance’s focus on the continuing evolution of a compliance programme (Principles 1 and 3) is ongoing monitoring and review. The commentary for Principle 6 discusses the “wide range” of possible internal and external monitoring mechanisms that “help provide insight into the effectiveness” of the programme, ranging from investigations and internal controls to staff surveys and other detection measures (Principle 6.2). The Guidance discusses periodic internal reports for top management and the possibility of seeking external verification of the programme’s effectiveness (Principles 6.3 and 6.4).
 See also the defence of ‘reasonable procedures’ against a charge under ss.44-46 of the Criminal Finances Act 2017 (failure to prevent facilitation of tax evasion offences).
 Guidance on Corporate Prosecutions, (paragraph 32.c).
 Bribery Act 2010, sec. 7(2).
 Guidance on Corporate Prosecutions (32 second (a) and second (c).
 SFO and CPS Deferred Prosecutions Agreements Code of Practice (7.11).
 See Schedule 17, Crime and Courts Act 2013
 See s.7.11 – 22 in the DPA Code of Practice
 Criminal Justice Act, 1987
 Ministry of Justice, The Bribery Act 2010: Guidance (March 2011) https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf There is a broad consistency in the guidance provided by regulators and prosecutors in different jurisdictions. Other examples of guidance include the OECD Good Practice Guide on Internal Controls, Ethics and Compliance, the BS 10500 Anti-Bribery System Standard, the US Sentencing Commission’s Federal Sentencing Guidelines Manual, in particular its guidance on effective compliance and ethics programmes, and the guidance on corporate compliance programmes in the US Department of Justice’s Principles of Federal Prosecution of Business.
 Bribery Act 2010, s. 9(1) “The Secretary of State must publish guidance about procedures that relevant commercial organisations can put in place to prevent persons associated with them from bribing as mentioned in section 7(1)”.
Version OGW 1, Published January 2020 © Crown Copyright, 2020.
This information is licensed under the Open Government Licence v3.0. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ or write to the Information Policy Team, The National Archives, Kew, Richmond, Surrey, TW9 4DU.
Any enquiries regarding this publication should be sent to the Serious Fraud Office, 2-4 Cockspur Street SW1Y 5BS email: firstname.lastname@example.org