Clifford Chance

On 17 January 2020, the Serious Fraud Office (SFO) published guidance setting out how and when SFO investigators will assess the effectiveness of the internal compliance programme of a firm under investigation.

The Serious Fraud Office (SFO) has published a new chapter in its Operational Handbook entitled Evaluating a Compliance Programme (the SFO Guidance).

The SFO Guidance, published 17 January 2020, sets out for its investigators how and when they are to assess the effectiveness of the internal compliance programme of a firm under investigation. The SFO Guidance states that it is not to be relied on as the basis for any legal advice, the Operational Handbook being designed for SFO prosecutors and investigators, but nonetheless it contains some key areas for firms to consider when evaluating their own compliance programmes. This is a similar approach to that taken by the US Department of Justice's 'Evaluation of Corporate Compliance Programs' guidance, with which many firms will already be familiar.

When and why will a firm's compliance programme be assessed?

Investigatory teams will assess compliance issues "early in any investigation", and any assessment will be relevant in all cases. The purpose of the assessment is to inform decisions on the case, including:

• whether a prosecution is in the public interest;
• whether the firm should be invited into Deferred Prosecution Agreement (DPA) negotiations and, if so, what conditions the DPA should include;
• whether a firm has a defence of 'adequate procedures' against a charge under s.7 of the Bribery Act 2010 (failure of a commercial organisation to prevent bribery'); and
• whether the existence and nature of the compliance programme is a relevant factor for sentencing considerations.

How will a firm's compliance programme be assessed?

Three key characteristics

Investigators will give regard to: the SFO Guidance on what it considers an effective compliance programme; whether or not it is simply a 'paper exercise'; and whether it has three key characteristics:

• it must work for each organisation and be appropriate for that organisation in the field in which it operates;
• it must be proportionate and risk-based; and
• it should be regularly reviewed.

In addition, investigators will broadly base their assessment around the six guiding principles set out in the Ministry of Justice's Guidance on the Bribery Act 2010 (the MOJ Guidance), published in 2011 in anticipation of the Bribery Act entering into force. The MOJ Guidance relates specifically to the s.7 'adequate procedures' defence, but is aimed at firms of all sizes and in all sectors. However, the SFO Guidance appears to suggest that its assessment of a compliance programme will also affect whether a prosecution is commenced, or whether a Deferred Prosecution Agreement (DPA) will be offered.

Six guiding principles

The six guiding principles in the MOJ Guidance are:

• Proportionate procedures – directly related to a risk assessment identifying the risks a firm actually faces. Procedures, in this context, applies to the policies prohibiting bribery and the measures put in place to implement them.
• Top level commitment - from a board of directors, the owners or any other equivalent body or person who are committed to preventing bribery and who promote and foster a culture within the organisation in which bribery is never acceptable.
• Risk assessment – a firm should periodically assess the nature and extent of its exposure to potential external and internal risks of bribery and document them.
• Due diligence – firms should apply due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of them. This can include incorporating due diligence in its human resource procedures.
• Communication (including training) – anti bribery policies and procedures should be embedded into the firm's culture, including through training and internal communication policies that allow employees to raise concerns.
• Monitoring and review – which might include periodic internal reports for top management and the possibility of seeking external verification of the compliance programme's effectiveness.

Deploying the right tools

Investigators will decide upon the best approach to any assessment of a firm's compliance programme and may use a variety of the SFO's investigatory tools, deciding which ones will be most effective in the circumstances, in what sequence, and at what stage. This could include accessing written records, voluntary and compelled disclosures, interviews of employees and, in some cases, suspect interviews under the Police and Criminal Evidence Act 1984. Compliance material is considered to be "relevant information" for the purposes of the Criminal Justice Act 1987.

Time is of the essence

Firms should note that SFO investigators will go beyond examining a compliance programme at the point of breach, considering its state and effectiveness prior to and after any breach. The effectiveness of a compliance programme at the time of the alleged offending may inform any decision to prosecute, available defences and any issues concerning sentencing. Where a DPA is under consideration, how a firm's compliance programme has developed, and will develop going forward, can also be relevant.