Compliance programmes – why it pays to be up to scratch

While in-house lawyers were struggling during 2020 to deal remotely with the myriad commercial crises affecting their company, financial crime prosecutors globally were continuing to raise the bar on company compliance programmes – signalling repeatedly that any company seeking a reduced penalty or other form of leniency following a compliance incident would need to demonstrate by proof positive the adequacy of its compliance programme.

We take a look in the paragraphs that follow at some of the key compliance risks companies are facing in 2021, the potential pitfalls for companies that fail to implement a compliance programme that reflects the company’s changing compliance risk profile, explain why compliance programmes typically fail and flag the most important issues in-house counsel need to think about when assessing whether their company’s compliance programme is ‘up to scratch.’

Legal and reputational risks to address in 2021

Despite the slowdown in new investigations in 2020, the Serious Fraud Office (SFO) in the UK has continued to use the UK Bribery Act’s ‘failure to prevent’ offence to prosecute companies for bribery benefitting the company by its associated persons. In November 2020, the UK government also tasked the UK Law Commission with analysing and making recommendations for improving the UK’s corporate criminal liability laws, including considering the creation of new offences to make it easier to prosecute companies for crimes such as fraud, money laundering and false accounting. With the possible lowering of the threshold for corporate criminal liability, companies operating in the UK would be well advised to assess sooner rather than later in 2021 whether their compliance programme is operating – and can be shown to be operating – effectively and that it covers the full spectrum of compliance risks the company faces.

The Financial Conduct Authority (FCA) in the UK has identified financial corner cutting relating to Covid-19 to be a significant 2021 compliance risk area. The FCA has emphasised the need for sufficient investment by regulated firms in the resilience of their governance systems, including their financial control systems and those otherwise addressing financial crime, market abuse and the giving of unsuitable investment advice.

Guidance published during 2020 by UK/US financial crime prosecutors places squarely on companies subject to their jurisdiction the burden of ‘improving continuously’ their risk identification and mitigation. The SFO’s Operational Handbook, which contains internal guidance on evaluating compliance programmes, emphasises that compliance programmes should be ‘proportionate, risk-based and regularly reviewed.’ In addition, the second edition of the Department of Justice/Securities and Exchange Commission Resource Guide to the US Foreign Corrupt Practices Act stresses the importance of companies being able to demonstrate ‘with appropriate metrics’ the effectiveness of their compliance programme.

To satisfy the foregoing expectations, a company needs to monitor and document proactively the effectiveness of the controls the company has implemented to address its evolving compliance risks. The tools a company uses to identify emerging risks and take account of lessons from past experiences will vary, of course, depending on a range of factors, including the company’s size, geographic scope of its operations and nature of the company’s business. It should now be clear to all that simply presenting to a prosecutor a paper copy of the company’s compliance policies and procedures – without data confirming their actual impact – no longer will be sufficient to demonstrate the ‘adequacy’ of the company’s compliance programme.

Companies also need to take account during 2021 of several types of compliance risk on which leading prosecutors increasingly are focusing. The importance of proactively managing data privacy and cyber security risks, for example, was underlined during 2020 by the significant fines the UK Information Commissioner’s Office imposed on British Airways (£20,000,000) and Marriott International (£18,400,000). In addition, companies operating both within and beyond the UK currently are facing an additional layer of sanctions complexity stemming from the UK’s exit from the European Union. It also is worth noting here that the UK Competition and Markets Authority and SFO signed in 2020 a memorandum of understanding enabling them to investigate criminal cartel offences, either jointly or independently, thus raising the prospect of increased UK enforcement actions in that area during 2021.

The UK government’s policy on the regulation of crypto assets also continued to evolve during 2020 as a result of the devaluing effects on fiat currencies of the Covid-19 pandemic and the experience many Central Banks have had with digital currencies. In addition, the FCA’s November 2020 censure of three holders of controlled functions at authorised firms signalled increased regulatory focus in the UK on non-financial misconduct. The FCA found in the foregoing proceedings that the individuals who were censured – following their conviction for sexual offences – lacked the integrity needed to operate in the regulated financial sector.

The increasing importance of reputational risk management over the past several years is a trend we expect to continue in 2021. In particular, tackling human rights abuses and modern slavery in supply chains continues to gain prominence. The UK government has published a series of proposed amendments to strengthen and expand supply chain transparency in view of the Modern Slavery Act 2015 while the US government has introduced a raft of measures targeting forced labour in China’s Xinjiang Uyghur Autonomous Region.

When deciding whether to do, or continue to do, business with companies, current and prospective investors and other stakeholders, any company headquartered or otherwise operating in the UK also would be well advised to assess during 2021 the sustainability and environmental impact of the company’s activities as well as its management of other key social and corporate governance risks, including corporate culture, diversity/inclusion and conflicts of interest. The negative impact on bank share prices following the release of the FinCEN files also underlines the extent to which stakeholders now expect companies to comply with the spirit as well as the letter of the applicable law.

Why an effective compliance programme pays

Compliance programmes that adequately address the full spectrum of a company’s compliance risks offer a number of benefits. Robust compliance controls can prevent legal and reputational damage in two main ways. First, they can create a culture of integrity and accountability reducing the frequency of compliance incidents. Second, they can enable the early detection and mitigation of compliance risks.

A robust compliance programme also can improve outcomes when a compliance incident arises. It is a complete defence under the UK Bribery Act ‘failure to prevent’ bribery offence for a company to show by proof positive its adoption and implementation of adequate procedures to prevent its associated persons from engaging in bribery on behalf of or benefitting the company. In addition, a demonstrably strong compliance programme is an important factor prosecutors and regulators consider when determining whether to launch an investigation into problematic conduct and respond to conduct they determine to have been non-compliant.

Joint guidance by the SFO, Crown Prosecution Service (CPS) and Revenue and Customs Prosecutions Office (now part of the CPS) addressing the criminal prosecution of corporate bodies identifies ‘the existence of a genuinely proactive and effective corporate compliance programme’ as a public interest factor militating against prosecution of a company. A compliance programme that looks good on paper but cannot be shown to have been implemented in an appropriately robust manner simply will not satisfy the foregoing standard.

Conversely, companies that fail to adopt, implement and periodically refine their compliance programmes can face negative consequences when a compliance incident occurs, including the imposition of larger financial penalties, harm to the company’s reputation and business disruption. The UK Sentencing Council’s sentencing guideline for fraud, bribery and money laundering identifies, for example, a ‘culture of wilful disregard of offences… by employees or agents with no effort to put effective systems in place’ as a factor that can result in a financial penalty of up to four times the amount obtained or loss avoided by a company’s criminal conduct.

An even bigger financial cost of non-compliance often can be traced to business disruption. That often occurs because companies have been forced to implement compliance changes before being able to resume business as usual. Following concerns raised by the FCA, for example, Commerzbank AG’s London branch (Commerzbank London) was required to work with a ‘skilled person’ to improve its financial crime controls. Among other remediation measures, Commerzbank London imposed a series of business restrictions for a period of more than two years, including temporarily ceasing onboarding new high-risk customers, ceasing new business with certain existing high-risk customers and suspending all new trade finance business activities.

A compliance programme that fails to meet expectations also can limit a company’s ability to compete at all, or compete successfully, for business. Investors, customers and other stakeholders increasingly are examining a company’s management of compliance risks when deciding whether to do or continue to do business with the company. A finding – or even a perception – that a company has fallen short in mitigating its compliance risks or, worse, has operated in a non-compliant manner can and often has had a long-term negative effect on the company’s ability to retain its existing business relationships or form future relationships.

What in-house counsel need to think about during 2021

The starting point toward ensuring a company’s compliance programme adequately addresses its evolving compliance risks is a thorough evaluation of the full spectrum of the company’s compliance risks. The risk assessment process can and should be used, inter alia, to gather information enabling the company to make decisions about the subject matter areas that should sit within the compliance department. It also should assist the company in determining how best to manage the company’s compliance risks in a manner that protects as needed the company’s legal privilege rights.

Without adequate staffing, sufficient financial resources or appropriate targeting, compliance programmes have been shown repeatedly to have been doomed to failure, even when the company’s compliance policies and procedures appear on paper to reflect state-of-the-art recommendations. In addition, irrespective of the size of a company’s compliance department, the compliance function needs to have a ‘seat’ at the most senior levels of the company. That means, among other things, that the company’s chief compliance officer should have unfiltered access to the company’s board of directors.

The absence of appropriate and robustly implemented compliance policies and procedures can exacerbate, of course, the risk of non-compliant or otherwise illegal conduct. Such policies and procedures should explain as clearly and simply as possible the standards of conduct and processes directors, officers, employees and business partners must follow. Policies and procedures that lack clarity, practicality or sufficient detail seldom are embraced and effectively implemented, increasing the risk that non-compliant conduct will occur and depriving the company of even a theoretical defence if it does. In addition, companies operating internationally need to translate their compliance policies and procedures on an as-needed basis to make them accessible to the company’s non-English speaking personnel. They also need to ensure that their compliance policies and procedures take appropriate account of overarching issues such as conflicts of laws, legal privilege and data privacy.

Communication and training is another important factor affecting the effectiveness of compliance programmes. It is crucial that C-suite management set the ‘tone from the top’ by regularly emphasising the importance or compliance in fora ranging from employee town halls to investor relations settings. Equally importantly, a company’s training programme must prepare company employees to deal effectively with the compliance challenges they individually are likely to face, encourage employees to ask any compliance questions they have and report any concerns they develop.

Consideration also should be given to whether the compliance risks posed by agents, suppliers and other business partners necessitate the company’s educating and monitoring those groups to a standard commensurate with the company’s own code of conduct. Failure to do so has been identified repeatedly by prosecutors as being a significant or determinant compliance programme failure.

Data analytics and other techniques to monitor the effectiveness of corporate compliance programmes are important but currently underutilised tools for compliance. Routinely checking whether compliance controls are being adhered to can reveal both incidents and trends in non-compliance. Such checks also should assist in identifying policies and procedures in need of updating. Obtaining that feedback allows compliance departments to manage the compliance risks the company faces. Ongoing monitoring also provides a significant deterrent effect to employees and business partners who otherwise may be tempted to engage in non-compliant conduct.

While the adoption and robust implementation of appropriate compliance policies and procedures should minimise the likelihood of non-compliant conduct, such conduct nevertheless can occur and needs to be addressed promptly. With the number of whistleblower reports increasing and access to social media facilitating the sharing of concerns by individuals, problems within companies tend not to remain buried forever. Companies that have implemented appropriate investigations procedures are best placed to respond to compliance misconduct if or when it does arise.

A company’s investigation procedures should cover a variety of issues, including the scoping, managing and documenting of any internal investigations that are deemed to be needed. A company’s investigation procedures also should pay adequate attention to the steps that must be taken to preserve the company’s right to assert legal privilege with respect to the fruits of the investigation. In addition to enabling the company appropriately to manage any disclosures that may be needed stemming from the investigation, a company’s investigation procedures should include adequate consideration of interim remediation minimising the risk of continuing misconduct.

Author biographies

Alex Melia, partner, London

Alex Melia, a partner in the London office of Steptoe & Johnson, assists several of the world’s largest private equity firms as well as many other companies in addressing the compliance risks posed by investment and acquisition candidates. She has over 14 years’ experience in assisting companies with designing, refining and implementing compliance programmes that satisfy the expectations of enforcement officials around the world. In addition, Alex has conducted many internal investigations focusing on possible compliance related misconduct and represented clients in various sectors in financial crime investigations by the SFO, FCA and other agencies worldwide.

Zoe Osborne, partner, London

Recognised by The Legal 500 2021 as a ‘Leading Lawyer’ for Regulatory Investigations and Corporate Crime and a ‘Next-Generation Partner’ for Fraud: White-Collar Crime, Zoe Osborne is a partner in the London office of Steptoe & Johnson. She has over 18 years’ experience in cross-border financial crime and regulatory investigations, and has represented companies, banks and individuals in various sectors in investigations and enforcement actions by the SFO, FCA, HMRC and other agencies in the UK and worldwide. In 2019, Zoe advised the Board of Serco in relation to its DPA with the SFO. Zoe is regularly involved in advising on crisis management issues including undertaking internal investigations and also advises clients on all aspects of their compliance programmes and procedures.

John Rupp, partner, London

John Rupp, also a partner in Steptoe & Johnson’s office in London, assists several of the world’s largest private equity firms as well as many other companies in addressing the compliance risks posed by investment and acquisition candidates. A US-trained lawyer, he also has assisted many companies in developing, refining and implementing compliance programmes satisfying the expectations of enforcement officials around the world. In addition, John has conducted many internal investigations focusing on possible compliance related misconduct. Having served early in his career as an assistant to the Solicitor General at the US Department of Justice, John has been an editorial board member of the Global Investigation Review since its founding several years ago.