On 17 January 2020 the Serious Fraud Office (SFO) issued guidance on “Evaluating a Compliance Programme” (the Guidance).
The Guidance provides a helpful summary of the points at which a compliance programme will be assessed by the SFO and by what means it will be assessed (including document requests and interviews). The Guidance emphasises the importance of a compliance programme in seeking to defend the position of an organisation when wrongdoing is alleged (particularly in relation to decisions as to whether or not to prosecute).
Disappointingly, however, the Guidance does not provide any practical guidance on what the SFO is looking for when assessing compliance programmes; it simply summarises the existing Adequate Procedures Guidance published in 2011. The SFO’s guidance on expectations in relation to compliance programmes is high level, particularly compared to the March 2019 guidance published by the U.S. Department of Justice (DOJ). The SFO may argue that it is not its role to provide guidance (and that it is simply publishing a chapter of its internal operational handbook in the interests of transparency). That said, we assume the SFO does have more detailed internal guidance on assessing compliance programmes given the importance of this assessment in making charging decisions and decisions as to suitability for a Deferred Prosecution Agreement (DPA).
The key takeaway from the Guidance is that companies need to make sure that they can evidence an effective compliance programme in order to best position themselves regarding prosecution decisions, their ability to be invited to enter into a DPA, and sentencing. The Guidance makes clear that companies will need a substantial amount of documentation to show that their compliance programme goes beyond what the SFO describes as “a paper exercise”.
At what stage will compliance programmes be assessed?
The SFO emphasises that compliance programmes will be assessed from an early stage of an investigation and throughout the life of a criminal case (see summary below). The most important stage is arguably the first, i.e. the decision as to whether or not to prosecute. Depending on the broader strategy of the case it may be beneficial to front-load work and invest resources in demonstrating an effective compliance programme (both at the time of the alleged offending and subsequently) in order to try and show that a prosecution is not justified.
Compliance programmes will be assessed at three key stages of the criminal process:
- The decision as to whether to prosecute
- it is a factor in favour of prosecution if “the offence was committed at a time when the company had an ineffective corporate compliance programme”;
- whether or not the organisation has a defence of ‘adequate procedures’ (as at the time of the potential offences) “will be an important factor in the decision to prosecute”; and
- factors against prosecution include the organisation having taken “remedial actions” (e.g. enhancing its compliance programme) and having “a genuinely proactive and effective corporate compliance programme”.
- In assessing suitability for a DPA (and the proposed terms of the DPA)
- an important consideration in the SFO proposing a DPA is whether the organisation already has in place a genuinely proactive and effective compliance programme (DPA Code of Practice), which is described by the Guidance as an “important part of determining whether (and to what extent) the organisation has rehabilitated itself”.
- all of the SFO’s DPAs to date have included provision for enhancement/review of the compliance programme and we can expect that to continue.
- At sentencing:
- a compliance programme which is “insufficient to amount to a defence” as at the time of the offending may still be relevant to sentencing (because it may reflect lesser culpability); and
- the court may also consider whether the level of fine impacts the organisation’s ability to implement effective compliance programmes.
How will the SFO assess compliance programmes?
The Guidance states that a variety of different information-gathering tools may be used, including:
- voluntary disclosures and interviews (this could include, for example, interviews of compliance officers);
- section 2 compelled disclosure of documents or information in relation to the compliance programme;
- section 2 witness interviews; and
- suspect interviews.
What this makes clear (and what is being seen in practice) is that increasingly the SFO’s investigation of the facts and of potential offences will merge with its assessment of the compliance programme. This will give rise to some difficult decisions as to how enhancements to compliance programmes are presented (i.e. a positive change may be viewed as an acceptance of an existing deficiency) and also some tricky privilege decisions in relation to the status of communications in relation to compliance reviews and enhancements.
What is the SFO looking for?
The SFO does not specify in any granular detail what it is looking for. The Guidance provides a high level and generic summary of the SFO’s expectations in relation to a compliance programme:
“… it needs to be effective and not simply a ‘paper exercise’. A compliance programme must work for each specific organisation, and organisations need to determine what is appropriate for the field in which it operates. It is critical that the compliance programme is proportionate, risk-based and regularly reviewed.”
The Guidance does not provide any additional parameters setting out what the SFO is looking for when evaluating compliance programmes: it simply summarises the key principles set out in the Ministry of Justice Adequate Procedures Guidance (published nearly a decade ago).
As things stand, the best reference guide in terms of designing and evaluating a compliance programme arguably remains the DOJ guidance (read together with the Adequate Procedures Guidance).
The broader landscape
Regulators globally are increasingly demanding in both their expectations and levels of challenge regarding compliance programmes. Strong governance and oversight are fundamental, and surrounding this companies need to have robust frameworks, management information, policies and procedures, training, and compliance monitoring, accountability and reporting. Regulators are also increasingly looking at how culture influences companies. This means that companies need to reflect on their purpose, vision, and values – considering “how” they seek to instil an ethical culture as well as “what” policies and procedures say.
Companies that can show evidence that they have proactively monitored, reviewed and improved their compliance programme are likely to be in the best position in the event of potential issues, particularly if they can demonstrate they have taken steps to enhance their programme where monitoring has identified weaknesses and taken appropriate action where issues have arisen.
 Guidance on Corporate Prosecutions (paragraph 32.c).
 Crime and Courts Act 2013, schedule 17.