This month the UK Serious Fraud Office published new guidance about how it assesses the effectiveness of the companies it investigates. The SFO’s eight-page document “Evaluating Compliance Programs” arrived with very little fanfare late last week.
The guidance is actually part of the SFO’s Operational Handbook, which by its terms is “internal guidance” for the SFO only, “and is published on the SFO’s website solely in the interests of transparency.” As part of the internal Operational Handbook, the new document disclaims that it provides legal advice and warns that it “should not therefore be relied on as the basis for any legal advice or decision.”
With those caveats in mind, let’s look at what’s in the new document.
It outlines the stages at which the SFO will examine a company’s compliance: at the time of the alleged offending, when a decision is being made on whether to charge the company and, in some cases, in the future when introducing and maintaining an effective compliance program as a condition of avoiding prosecution.
The new guidance pays close attention to the six principles detailed in the Bribery Act guidance published in 2011 by the Ministry of Justice. So it goes on in some detail about the importance of proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training and monitoring and review.
This is all laudable. But it is hard not to see this as an opportunity missed.
That is because this guidance isn’t really grasping the nettle and telling companies in cold, hard terms exactly what they should be doing. There is very little in what the SFO has just put out that can be classed as solid advice that companies can apply to their workplaces. Yes, there’s plenty of reference to principles – principles that have been available to examine for almost a decade – and a mildly interesting outline of how the SFO goes about its business. But there is little that is new or noteworthy.
We have known for years that the defense of adequate procedures is available. What the business world needs to know is just how the SFO weighs up precisely what it will consider adequate. And then there’s the issue of theory and practice: a company may have a well thought-out, carefully-developed compliance programme but where does it stand if that program fails to prevent wrongdoing? The SFO needs to come out and clarify where it stands when it comes to assessing a compliance program that has fallen short of its goals. We needed to know if such a program could ever be considered adequate and, if so, why. Unfortunately, we haven’t been given this.
A few months ago, the SFO’s General Counsel Sarah Lawson said that corporate compliance functions had to be well resourced and should not suffer as a result of cost cutting. Part of this, I believe, is because compliance cannot be done on a one-size-fits-all basis, due to the variations in companies’ size and structure, the nature of their business and the risks they face. That is why any guidance on such an important issue is always welcome — even it comes in the form of a new chapter inserted into the SFO’s internal Operational Handbook. It is hard, however, to muster much enthusiasm for what the SFO has just produced.
If we take the U.S. Department of Justice’s updated guidance Evaluation of Corporate Compliance Programs from 2019, it emphasises that a compliance program will only be genuinely effective if compliance personnel are empowered in a company. Its message essentially boils down to the importance of a compliance program being well designed, it being implemented effectively and in good faith and it working in practice. It is hard to see anyone using those words about what the SFO has just published.