In a recent update to its internal guidance, the UK Serious Fraud Office provides insight into the general approach its investigators may take for evaluating organizations’ compliance programs—an approach similar to that of the US Department of Justice.

The UK Serious Fraud Office (SFO) has released a long-awaited update to its internal Operational Handbook.  The January 2020 update, Evaluating a Compliance Programme (the SFO Guidance), provides insight into what criteria the SFO may employ in evaluating the effectiveness of an organization’s antibribery and anticorruption compliance programmes. It also demonstrates the continued alignment of the SFO and the US Department of Justice (DOJ), which has issued a similar guidance update, Evaluation of Corporate Compliance Programs. This alignment is all the more important in view of a recent joint SFO/DOJ resolution, which signals a continued cooperative posture between the two enforcement agencies.

While the SFO Guidance is expressly stated to be for its internal purposes only and is not to be relied on as the basis for any legal advice or decision, it provides a useful indication of how the SFO may assess an organization’s compliance procedures and programs. This assessment can impact the SFO’s approach toward investigative and prosecutorial decisions, including the suitability of a deferred prosecution agreement (DPA).

Compliance Program Assessment

The SFO Guidance states that prosecutors may assess the state of an organization’s compliance program taking into consideration the following:

• At the time the offense was committed: The existence of an effective compliance program at the time an offense was committed will have a bearing on whether a defense of “adequate procedures” could be successful and thus whether a prosecution should be brought. Conversely, an ineffective compliance program will be considered to be a public interest factor in favor of prosecution. These considerations will feed into the SFO’s decisions as to which cases to pursue.
• The current state of an organization’s compliance program: Consideration will be given to whether an organization has taken remedial actions to improve its compliance program and whether there is now a genuinely proactive and effective corporate compliance program in place. Any such remedial actions would be public interest factors against prosecution and would also be relevant to the assessment of an organization’s suitability to enter into a DPA.
• Going forward: Even where an organization does not yet have a fully effective compliance program in place, a DPA may yet be an option as it can impose requirements for an organization to implement a compliance program or change its existing program, policies, or timing.

The SFO Guidance provides insight into the general approach its investigators may take and highlights that compliance programs will be considered as part of the overall investigation strategy. Significantly, the SFO Guidance mirrors the approach taken by the DOJ within its Principles of Prosecution of Business Organizations (also known as the Filip Factors), which look to “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision,” in addition to “the corporation’s remedial actions.”

Six Principles

The SFO Guidance also makes clear that it does not prescribe a particular approach, but instead relies on a framework of Six Principles, which are in line with the principles published as part of its March 2011 guidance on the Bribery Act 2010. The Six Principles are outlined as a “good general framework for assessing compliance programmes.”

Principle 1: Proportionate Procedures. Internal procedures to prevent bribery should be proportionate to the bribery risks an organization faces and to the nature, scale, and complexity of its activities.

Principle 2: Top-Level Commitment. Top-level management, and in large organizations, the board of directors, should be responsible for the setting, design, and regular review of the policies and procedures in place for bribery prevention.

Principle 3: Risk Assessment. Ongoing risk assessments that evolve with the organization are essential. Organizations are expected to assess both internal and external risks, and to be mindful of any new risks in response to corporate, business, or jurisdictional changes.

Principle 4: Due Diligence. Due diligence procedures need to be applied to any individuals who perform or will perform services for or on behalf of the organization, including employees, intermediaries, and vendors. Organizations should be particularly aware of additional risks that can arise as the result of a merger or acquisition.

Principle 5: Communication (Including Training). It is essential that antibribery procedures be embedded and understood throughout the organization. The organization can demonstrate this through tailored and effective training (including training of third parties), internal communications, and top-level management responsibility, and by having secure, confidential, and accessible means for employees and agents to receive compliance advice and raise concerns.

Principle 6: Monitoring and Review. Organizations need to conduct ongoing reviews of their policies and procedures. These policies should evolve with the organization and their efficacy should be checked through both internal and external monitoring mechanisms, internal investigations and controls, staff surveys, and other detection measures.

Sarah Lawson, the general counsel of SFO, emphasised in an October 2019 speech at the TRACE London Forum that compliance functions must be well resourced and protected from cost‑cutting pressures, notwithstanding the current uncertainty and economic pressures in the United Kingdom.

The SFO Guidance is a timely reminder of the SFO’s continued commitment to the scrutiny of an organization’s compliance program and the need for organizations to continue to review and reevaluate the effectiveness of their compliance policies, processes, and procedures. The SFO Guidance and the parallel DOJ policy signal the importance of constructing and improving compliance programs with an eye on the enforcement expectations under which they may be evaluated.