Updated SFO guidance on evaluation of compliance programmes

Emphasis on effectiveness in practice

The Guidance further develops the SFO’s previous messaging about the importance of compliance programmes not being “paper” programmes and notes that “the fact an organisation has in place policies, procedures and controls does not necessarily mean that the compliance programme is effective…The SFO will seek to get behind the pronouncements and determine how policies and procedures translate into conduct on the ground.” This echoes the DOJ/SEC guidance on the fundamental question of “does the compliance programme work in practice?” – which, along with the French Anti-Corruption Agency’s (AFA) Guidelines, is referenced in the Guidance. The SFO’s focus on practical effectiveness signals that companies should expect scrutiny beyond policy documentation. The SFO may look for evidence of implementation such as training records, audit trails, testing, and examples of escalation and remediation.

While the SFO acknowledges that “isolated compliance failures do not inevitably mean that a compliance programme is ineffective or anti-bribery and anti-fraud procedures were inadequate” it emphasises the need to have anti-circumvention measures in place, including approval processes and periodic audits – and that the programme needs to be regularly reviewed.

Beyond this, the Guidance does not summarise what it considers constitutes effectiveness in practice (although does refer to other statutory guidance, such as the Ministry of Justice Adequate Procedures Guidance (for Bribery) and the Home Office FTPF guidance). In practice, given the Adequate Procedures Guidance is 15 years old, many companies will consult the FTPF and DOJ/SEC documents in terms of practical pointers which take into account an increasing focus on both technology and culture in building an effective programme. 

Acknowledgement that compliance programmes will differ from organisation to organisation – and should be tailored

The Guidance explains that there are not fixed expectations of compliance programmes: “Compliance arrangements vary in scope, depending on the size of the organisation and the nature of the business”, but notes that even small organisations will be expected to have in place some compliance arrangements.

The importance of compliance programmes being tailored to the risks faced by the organisation comes through strongly: “organisations need to determine what is appropriate for the field in which they operate. Compliance arrangements for any particular organisation need to be specific to and effective for that organisation.” 

As part of this, the Guidance also highlights that references to external sources (including DOJ Guidance or AFA Guidance) may assist the determination of what constitutes an effective compliance programme for those with US or French links – recognising that many multinational companies will be subject to different sets of compliance expectations/requirements. 

The different scenarios in which the SFO will assess a compliance programme

The Guidance sets out the different scenarios in which a compliance programme will be assessed, including, importantly, highlighting that it will be assessed in determining whether a prosecution of the organisation is in the public interest under the Joint SFO-CPS Corporate Prosecution Guidance (as well as considering whether the evidential test is met) and in other scenarios such as considering the availability/terms of a Deferred Prosecution Agreement, or as a mitigating or aggravating factor in sentencing considerations. 

This is a key point which is often missed: having in place an effective compliance programme is not just a defence in the event of a prosecution but may also lead to a decision not to charge a company or otherwise affect the resolution of investigations. Following the recent overhaul of the attribution principle under UK law, being able to engage on this point at the investigative stage is now even more important (because a company facing prosecution for a ‘direct’ criminal offence and not a ‘failure to prevent’ offence for the conduct of a senior manager has no defence in law as to its reasonable/adequate compliance procedures).

Summary of the investigatory tools the SFO will use in investigating a company’s compliance programme

The Guidance highlights that the compliance programme will be assessed early in an investigation and outlines the SFO’s investigatory ‘tools’, including voluntary disclosures and interviews, section 2 compelled requests and witness interviews, as well as suspect interviews under PACE.

Reference to these various investigatory tools emphasises the SFO’s intention to exercise its powers to obtain what it considers to be relevant information. In respect of a company’s compliance programme, that might include s.2 requests for any evidence of how the company’s compliance programme working in practice. Companies should anticipate requests not just for policy documents, but proof of operational effectiveness. Companies should therefore ensure that they are keeping accurate records of the procedures that form part of their compliance programmes. This means maintaining structured records of compliance activities and decisions, ideally in a format that can be readily disclosed. Failure to produce such evidence could undermine arguments for cooperation credit or a DPA, and influence charging decisions.