5 Min Read

Organisations’ compliance programmes – a question of adequacy

By Anne-Marie Gregory


Published 13 March 2020


1 July 2021 will mark the tenth anniversary of the Bribery Act 2010 (the “Act”), and despite almost ten years passing many organisations remain non-compliant with the Act.

Focus on corporate compliance

2018 saw the first prosecution under Section 7 of the Act (a company’s failure to prevent bribery), which brought out several key points, including: (i) self-reporting does not prevent the full force of the regulators; (ii) size does not matter; and (iii) anti bribery policies must be more than a paper exercise. The case of R v Skansen Interiors Limited brought a renewed interest in the meaning of “adequate procedures” and how, if an organisation is facing prosecution, it can demonstrate it did all that could reasonably be expected of it. Organisations should also note that it is not only the Serious Fraud Office (“SFO”) who will seek to ensure effective compliance programmes are in place and enforced; the FCA may take regulatory action against organisations that it authorises for failing to establish and maintain effective systems and controls to mitigate financial crime risk and the Charity Commission may pursue trustees for misconduct or mismanagement if bribery is allowed to take place within a charity.

One size doesn’t fit all

All commercial organisations in the UK (regardless of size and type) must have in place procedures to prevent bribery and corruption. Procedures must be proportionate and tailored to the risks faced by the organisation, enforced and responsive. In our experience there is no industry that is not touched by corruption. UK and international organisations who carry on business in the UK must also note the extra-territorial reach of the Act; compliance with domestic regimes might not equate to compliance under the Act. Combined group based international policies will only work if the organisation is compliant with the most stringent regulatory regime. For an organisation based in the US with subsidiary undertakings in the UK, any group policy would need to be compliant with the Act - there are important differences between UK law and other legislative frameworks (including the US), most notably that facilitation (grease) payments remain illegal in the UK .

Effective compliance programmes and the decision to prosecute

Ultimately, the decision to prosecute for failing to prevent bribery will depend on a number of factors taken together, including whether or not the prosecution is in the public interest.

The SFO have recently updated their Operational Handbook with regard to evaluating compliance programmes and, whilst this document is intended as an internal guide for the SFO, it provides a useful starting point for producing or reviewing compliance programmes. In comparison to the document produced by the US Department of Justice (“DOJ”), the SFO document is relatively light, although the Ministry of Justice (“MOJ”) issued more lengthy guidance in 2011 on what “adequate procedures” mean.

The SFO Handbook is reflective of the DOJ guidance, in that there are three main questions for prosecutors evaluating a compliance programme:

  • Is the compliance programme well designed?
  • Is the programme being implemented effectively?
  • Does the corporation’s compliance programme work in practice?

The more developed and internally enforced programmes are, the more likely the organisation is to be offered a deferred prosecution agreement (“DPA”) or a more lenient sentence, though neither is guaranteed. It is emphasized that compliance programmes must be effective; processes and procedures, whether detailed or not, which are not enforced internally will not result in a defence against Section 7. A key takeaway from both the SFO and the DOJ is that compliance programmes must not be a paper exercise. It is essential that all organisations have compliance programmes which are enforced, risk based and regularly reviewed (usually annually on a risk basis). Appropriate direction and tailored training should be provided to employees, which must be relevant to their role. Similarly, contractual levers should be used to ensure that supply chains are free from bribery and corruption, especially when operating in high risk jurisdictions, where facilitation payments and kickbacks are common practice.

If an offence occurs, the compliance programme at the time of the offence will be considered, including the responsiveness of the compliance programme to the offence. Additionally, remedial actions are a relevant consideration when the public interest is considered; a well-designed programme which is adapted due to a misdemeanour may assist organisations in mitigating liability, either by a reduced charge or the offer of a DPA.

The DOJ guidance has been provided to “provide transparent and comprehensible standards to the public so that companies can understand how [the DOJ] evaluate compliance programs” (Assistant Attorney General Brian A. Benczkowski), and whilst noting the legal differences between the US and UK regime, Part II of the DJ guidance is not dissimilar to the MOJ guidance. Helpfully, the DOJ guidance explores in detail the theory of “top level commitment”, by expanding on this key feature of compliance programmes. By way of example, not only is executive commitment a requirement but operational management support is crucial, and furthermore vital to detecting and dealing with offences that occur. Relatedly, the board, and management (where applicable), must have access to expert advice, this not only covers the initial creation of the programme but also advice on ongoing controls, reviews and high risk jurisdictions. Whilst the board will sign off the programme, the content of the programme, its implantation and its ongoing review should be the task of an individual with appropriate authority. Commonly we see Compliance Officers reporting in to other functions, this indicates that Compliance should be reporting directly to the Board.

What should commercial organisations be doing?

  • Be clear on the requirements of the Bribery Act, sector specific regulatory requirements and the specific risks faced by trading activities. For large organisations, anti-bribery programmes should feature as part of wider anti-financial crime programmes.
  • Check compliance with the relevant industry standards, where applicable. Even if the organisation is not a member of a particular industry body, following industry codes can assist in mitigating risk, especially in highly regulated sectors.
  • Ensure your anti-corruption policies are clear, have been implemented, communicated and are enforced, with bespoke training in place.
  • International companies should review their policies and procedures to ensure they fully meet the UK regime, as compliance with other EU or US anti-corruption regimes does not guarantee compliance with the Act.
  • Commission bespoke risk assessments when undertaking activities in high risk jurisdictions.
  • Stress-test compliance programmes.

Key Contact