The Bribery Act 2010 and associated white-collar crime legislation may have caused a headache for the c-suite but in-house teams have much to be thankful for.
‘The period in which the Bribery Act came in and its run-up recognised the need for significant uplift in capability, both technically and in breadth of compliance and legal functions and also required cost savings – insourcing a lot of that work is cheaper than outsourcing it,’ says Jonathan Peddie, a partner in Baker McKenzie’s disputes team and previously global head of financial crime at Barclays.
‘Bribery legislation has certainly elevated the importance of the legal team,’ adds one white-collar crime partner. ‘They are seen as an integral part of the business now because if things are neglected, that is a very easy win for a prosecutor.’
And with the recent Criminal Finances Act 2017 introducing two new offences of failure to prevent the facilitation of UK tax evasion offences and failure to prevent the facilitation of foreign tax evasion offences it is clear there will be no easing up of the pressure on corporates to ensure they have adequate structures in place.
The way that UK bribery laws work alongside the regulatory environment means that companies are feeling the pinch more, according to Peddie. The prosecutor is now able to investigate and prosecute an individual and prosecute the company for its failure to prevent that individual’s actions and senior managers are deemed accountable for the misconduct and may be de-authorised or otherwise disciplined. ‘The reputational and commercial impact of those for an organisation is unthinkably dangerous. When it comes to filling in procurement or doing any M&A work – the first question asked is “have you paid a bribe – yes or no?” And if you have a conviction or regulatory enforcement in relation to this, it closes down your business.’
Prevention versus cure
Businesses went under substantial structural and cultural change as a result of the Bribery Act and although this change is considered by many general counsel to be historical, corporates still need to keep up with the shifting agendas of enforcement agencies and new legislation even if they argue that it fits comfortably into existing anti-bribery and corruption regimes.
What changes over time is enforcement mentality, says Philip Bramwell, group GC of defence multinational BAE Systems. ‘There are two sides to this, it isn’t just the legislation. It is as much about the enforcement regime and the behaviour of those responsible for enforcing the law.’
Over the last decade, certainly in the UK, more robust controls have been put in place over business conduct and the fact that both the resource and capability are now available at companies has substantially changed governance and corporate ethics. ‘Tax evasion is one that fits quite comfortably into an anti-bribery and corruption regime, because you are tracing movements of funds, you are doing due diligence on business relationships and you are doing due diligence on third parties with whom you are dealing. That is not a giant leap,’ adds Bramwell.
According to Jonathan Middup who leads the anti-bribery and corruption team in the UK at EY, there are two broad reporting models that exist in-house in response to changes required by various white-collar crime legislation. The first is where compliance and compliance-related functions report through to legal and the second is where compliance and compliance-related functions are answerable to the audit committee.
‘If compliance is reporting in through the legal function, then it often drives more of an attitude of “what would we do if there was an issue?” and the compliance side of it follows in with “Let’s prepare ourselves and make sure that policies and training are up-to-date and we are able to evidence the adequate procedure side of things that follows off the back of the Bribery Act?”’
‘If it goes into the audit committee, there is generally much more of an engagement with risk and what business processes look like and it is driven by “Where in the business is our risk and what should we be doing to minimise it?”’ According to Middup the preferred structure for corporates is to handle risk through a compliance focus – the audit committee approach – as it is better to identify your sources of risk, put in controls and minimise the chances of it emerging at all, instead of engaging with risk on a reactive basis with policies and training.
However, the structures at companies vary substantially. At BAE Systems, compliance reports into legal and lawyers are involved immediately in any investigation (see box below).
‘The view that compliance goes into the audit committee is an accountant’s view,’ counters Bramwell. ‘But accountants are not able to provide privileged legal advice and they are not legal experts. The people you want in the first instance to determine whether or not you have a legal problem are lawyers.’
For Peddie, anti-bribery strategy used to be a compliance issue and legal played a janitorial role, mopping up the consequences. That has changed to a more educative approach. ‘A good amount of budget is being directed towards prevention rather than detection, so you find legal teams supporting compliance and risk to strengthen the control environment to stop the conduct happening in the first place. It puts more lead in the pencil of the compliance environment.’
In response to bribery legislation, Barclays created a new financial crime legal team that deals with three areas: money laundering, sanctions and bribery, on an advisory basis supporting compliance and risk. The bank, like many in the finance sector, also has members of compliance specifically responsible for anti-bribery and corruption policy on the law as well as a further sub-division within compliance called GENIE (the gifts and entertainment compliance team), which makes decisions on whether staff can accept gifts and hospitality.
According to Ben Morgan, partner at Freshfields Bruckhaus Deringer who was previously at the Serious Fraud Office, from a prosecution point of view the most impressive examples of businesses handling anti-bribery legislation are those where multi-disciplinary teams handle the risk. This also leans more towards the preventative rather than reactive response.
‘They all have a different angle and it means nothing falls through the gaps. Nothing is passed on to somebody else but there is a rounded answer to this kind of risk. That presents very well to the prosecutor if something has gone wrong.’
Legal versus compliance
With different parts of the business working in tandem to prevent risk, there is naturally some tension and overlap, which can cause additional problems – each department needs to be clear on its role. The natural tension between legal and compliance is particularly prevalent when it comes to handling anti-bribery and corruption legislation. Although the exact relationship between the two functions varies substantially from business to business, most commentators agree that although compliance and legal should work closely together, the compliance function should be kept strictly independent.
‘Legal and compliance are separate at KPMG,’ says UK legal chief Jeremy Barton. ‘The three lines of defence in risk management mean you will often have the compliance function dealing with procedures to help mitigate risk and then the advisory element that the legal function provides is separate from that. There are areas of compliance where it is unhelpful for compliance people to be within legal.’
At pharma giant Novartis, group GC Felix Ehrat is in the process of separating legal and compliance for a variety of reasons. Compliance previously reported into legal. ‘We want to be as aligned as possible, which we believe is more likely if the reporting lines of compliance are not going into legal first and then onto group level in a separate ethics and compliance function. All of that doesn’t change the fact that legal and compliance will continue to collaborate very closely.’
Peddie argues they are two very different functions with very different responsibilities. Legal is there to evaluate the limitations of fact, consider legal risk and advise on strategy. Compliance is there to own the process of adequate controls, which is a different issue altogether. ‘It is important the two are separated and everybody would recognise that the best governance model for all organisations is that legal and compliance are different.’
When it comes to good governance, it is no surprise that those sectors with the greatest risk of corruption – banking, pharmaceuticals, aerospace and defence – handle bribery legislation better than most.
Middup gives the example of the automotive sector – a business that has anti-bribery and corruption specialist posts, people within legal teams who are specialist anti-bribery and corruption lawyers and are therefore able to look at areas like due diligence and access third-party relationships that they have. ‘They can go back and make an assessment of risk associated with all of those third parties with a specific focus on bribery and corruption and that is where you see it done well. If I contrast that with mid-market businesses who don’t have the resources – some are behind the curve in tackling bribery and corruption as a risk and are still thinking about how they would respond if there was an issue rather than trying to understand if their business is exposed.’
Because large businesses often have the required structures in place, they tend to use external counsel in two scenarios: assessing risk or responding when things eventually go wrong.
‘These guys are weighing up the attitude of Americans, the attitude of the French and the attitude of the British and trying to work out what to do because they aren’t consistent positions and that is a real challenge,’ adds Morgan. ‘They’ll ask: “how do we please all these masters?”; “how do we get this right?” and that synthesis of bringing all those together into a single course of action is certainly what I have been doing most of.’
The fact that the latest instances of litigation mostly concern third parties acting as agents, introducers and intermediaries means that the UK is going some way to cement its status as one of the major enforcers. However, according to a recent report by an Organisation for Economic Co-operation and Development (OECD) working group, efforts still must be sustained to improve detection of foreign bribery and achieve stronger enforcement of its anti-bribery legislation.
As Morgan concludes: ‘It is a bet-the-farm strategic decision. If you get it wrong in one country, it could all come crashing down. It’s about keeping all options on the table and steering a progressive path through.’
Novartis: ‘Accountability is with the business’
At pharma giant Novartis any suspicious activity is dealt with through a centralised and group level ‘business practices’ office (BPO), which collects all the allegations and reports. ‘You are a complainant. You have seen something that looks suspicious. You bring that to the attention of the BPO office through whatever channel,’ says group general counsel Felix Ehrat.
After the BPO receives a certain complaint it assigns investigation accountabilities, which could be directed at legal if it concerns legal matters, although according to Ehrat that is ‘relatively rare’.
‘It may be directed to a separate investigation unit called corporate security, which does not report into legal. It may be outside counsel if the issue is particularly complex.’
Once the issue is investigated by the relevant party, the report goes back to the BPO.
Ultimately the business has to decide – but in strong alignment with BPO – whether there is a sanction and what measures need to be taken. ‘Obviously legal and compliance are supporting, enabling and monitoring but the accountability is with the business. It is very important to note that.’
Compliance previously reported into legal – the business is now in the process of separating the two functions although they will continue to collaborate very closely. Compliance will report into a separate function of ethics and compliance, which is a direct report to the chief executive. And although the group has a centralised BPO, there is no centralised risk function. There are different risk functions in different areas, including quality risk and an enterprise risk management function that reports into audit.
Historically the BPO could have involved compliance in a certain allegation or report but now Novartis is trying to avoid this. ‘Compliance is much more of an enabling function, not a policing function. We want to keep them, to the extent possible, off-the-radar. They have to come up with compliance policies, educate and train the business – they have an advisory function.’
BAE Systems: ‘It’s not what we do, it’s how we do it’
It is no surprise that BAE Systems has one of the most stringent structures in place for anti-bribery and corruption of any company in the UK. In 2006 the British defence, security and aerospace multinational was mired in controversy over allegations of bribery to Saudi Arabian officials for a contract to deliver Tornado fighter aircraft, the so-called Al Yamamah scandal. The investigation was later dropped by the Serious Fraud Office on ‘public interest grounds’ but led to a wholesale reorganisation of the company’s internal functions.
‘The seismic change that occurred a decade ago was the shift towards the view within the company that it was a key responsibility of leadership and management to profligate rules within the business,’ says BAE’s group general counsel Philip Bramwell. ‘Our former chief executive officer Ian King had a great phrase he coined eight or nine years ago: “It’s not just what we do, it’s how we do it.” We ran a huge communications and culture change programme within the company to make sure every employee felt fully versed in the standards we expected.’
Anti-bribery compliance is now the responsibility of the head of governance and compliance, who sits within the legal department. At BAE legal, regulatory and compliance are all under one roof and work very closely with the ethics and corporate social responsibility function. There is also a compliance audit capability, which sits alongside internal audit.
Although responsibility for anti-bribery and corruption ultimately lies with the head of governance and compliance, BAE has an empowerment culture where each one of the company’s 90,000 employees also takes personal responsibility. ‘This is not something you can do centrally from a department,’ adds Bramwell. ‘It is not just one person who has responsibility for compliance. The head of governance and compliance has responsibility for standard-setting and overseeing the effective operation of the internal controls over business conduct. And doing the due diligence with third parties with whom we do business and so on.’
The first port of call for an employee who has suspicions about certain behaviour within BAE is to report to their line manager or the company’s confidential helpline, which is manned by an external provider and is available 24 hours a day in multiple languages. If the employee raises an issue concerning bribery either through the helpline or a line manager, in the first instance it will always go to compliance, which reports into legal. In all likelihood, the issue would then be the subject of an investigation by the compliance team. The legal team is involved almost immediately.
‘There is really only the legal department and the security department who have the forensic skills to conduct investigations,’ says Bramwell. Compliance and legal typically form a team to conduct an investigation with the required experts from internal audit or finance, depending on the degree of complexity involved.
Although bribery and corruption at BAE is managed internally by ‘world-class experts’, the company’s internal policies and procedures also involve passing cases in front of a permanently-convened external panel of legal specialists. BAE has an expert on the US Foreign Corrupt Practices Act (FCPA) as well as a UK Bribery Act expert and a general compliance adviser who review the work of the company’s compliance teams and ensure that the judgement calls that BAE makes are consistent with beliefs of experts in the field.
‘By using external counsel in that standing panel way – they might meet for half a day a month, every month – you are ensuring that you get an absolutely up-to-the-minute sense from practitioners who are trying cases or defending cases on a daily basis. We are very systematic. We deal very carefully with our supply chain and we require companies in our supply chain either to adopt our integrity and business dealing standards or adopt equivalent standards of their own. And we do the same with joint venture partners – every material party with who we do business. We flow down our standards of business conduct.’
KPMG: ‘Evolution not dramatic change’
In-house lawyers at Big Four accountancy group KPMG have an obvious advantage when dealing with the impact of various anti-bribery and corruption legislation – they can draw on the benefit of client service teams within the business and have a broader view of practices within the business community.
‘Within the range of consulting advisory services at KPMG, we have some that relate to financial crime and anti-bribery,’ says Jeremy Barton, KPMG’s UK general counsel. ‘Those people are experts who advise clients – they are not necessarily lawyers – we also draw on the internal team to help and so our money laundering reporting officer, for example, is a client-serving partner who also spends a bit of time working on internal matters.
‘If you are looking at what are adequate procedures under the Bribery Act, we are able to draw on the benefit of having seen what other organisations are putting in place. They may find that they are only able to do that by taking law firm advice or working out for themselves what they consider to be adequate procedures.’
The in-house legal team has also seconded in a financial crime specialist from the client service team. At KPMG, legal is separate from the compliance function, which sits within risk management to deal with procedures to help mitigate risk. ‘The advisory element that the legal function provides is separate from that,’ adds Barton. ‘There are areas of compliance where it is unhelpful for compliance people to be within legal.’
Overall, he says that as certain anti-bribery and corruption laws have been around for a while (the Bribery Act came into force in 2011) at KPMG the team is now concerned with ‘evolution rather than dramatic change’.
One such change concerns client onboarding procedures or ‘know your client’, where KPMG took best practice from clients and applied it to its own business. However, KPMG does not always need to draw on the expertise of its internal client-facing teams.
‘When you look at bribery, one of the things that has changed over time is the approaches to gifts and hospitality,’ says Barton. ‘What we have done on that is develop our gifts and entertainment procedures, our procurement procedures. We have probably developed those within our own risk function without having to draw on the client-facing function. We have got a lot of experience on that.’
RSA: ‘It only works if it is embedded within the business’
Although executive ownership of anti-bribery and financial crime at RSA is held by group chief legal officer and company secretary Charlotte Heiss, responsibility for anti-bribery and corruption policy is handled by what the business calls ‘the first line’ – ie various business units.
RSA’s head of financial crime Peter Townsend, who is a lawyer, sits within the compliance function – ‘it gives me that compliance side – in a heavily regulated industry – while maintaining the legal piece as much of this is founded in statute’. Advice on anti-bribery legislation comes from legal compliance, which has a dotted line into Heiss. Other areas of oversight are the internal audit function and a risk function.
‘It also adds a compliance approach to the implementation,’ adds Townsend, who works with a financial crime officer. ‘I will work with our businesses in the UK and our regional businesses across the group as well. While clearly we advise and set the framework for this, the implementation of it has to be done by “the first line” – individual areas within businesses that have to embed the risk mitigants, whether it is the Bribery Act or preventing facilitation of tax evasion. Whatever it is – it only truly works if that is embedded within the business itself. We test and risk assess it.’
Although there is a group-wide policy, all businesses are also required to do regular risk assessments. On a local basis that is the responsibility of the regional owner, which might be local compliance or legal but has a lot of contact with the centralised function.
‘I think of them as one person to pull it all together but they need to work with a wide range of people within their businesses to respond to those risk assessments. They put it together and then it goes from them back to us for review.’
The main cultural change brought about by the implementation of legislation such as the Bribery Act is the formalisation of a lot of the compliance process within RSA. There is mandatory learning on topics including anti-corruption, fraud and airmail. ‘For example, I will meet with relevant people from procurement to make sure they fully understand what the potential exposures might be to something like bribery. And scenarios they could come across – checking they know what to do,’ adds Townsend.