Episode 5: Legal Ops...Real Stories with Phillip Norah
The difficulties of strategic planning for legal functions when they are too busy fighting fires.
As the year 2015 drew to a close, the Serious Fraud Office (SFO) entered into its first-ever deferred prosecution agreement (DPA) after approval was granted by the Crown Court in Serious Fraud Office v Standard Bank Plc: Deferred Prosecution Agreement (Case No. U20150854) (Standard Bank case).
This historic case arose out of the first invocation by the SFO of the section 7 “failure to prevent bribery” offence under the Bribery Act 2010 (Bribery Act). Since the Bribery Act came into force in 2011, the flurry of activity prompted by concerns over the potential impact of the law was gradually replaced by cynicism and disappointment over the actual effect it will have on corporate behaviour due to the lack of significant prosecutions over the years, in particular of corporations for the strict liability offence of failure to prevent bribery. The landmark Standard Bank case signalled the awakening of the Bribery Act. Given that the corrupt conduct took place in Tanzania, and in light of the extraterritorial effect of the UK legislation, the Standard Bank case has profound implications and lessons for compliance and investigations in other parts of the world, including Asia. One clear reason for this is the extensive reach of the Bribery Act, and the consequent potential for SFO enforcement in respect of corrupt conduct in Asia, including any improper practices of third party agents. Another less predictable – but no less important – reason is the prospect of SFO collaboration with its counterpart enforcement agencies and authorities in Asia in investigating such corrupt conduct. It is therefore advisable for businesses situated in Asia to note the lessons of general applicability that can be extracted from the Standard Bank case and apply them to their own contexts.
The importance of having a robust corporate compliance programme that is closely adhered to by all employees should not be underestimated, given its role in helping to prevent corrupt conduct within the organisation. On the facts of the Standard Bank case, the bank was unable to mount a convincing argument based on the adequate procedures defence due to its ineffectively designed and implemented compliance programme.
As regards design, it is crucial to ensure that the compliance programme is relevant to the corporate entity’s business, operations and risk profile. Generic compliance programmes should be avoided in favour of more nuanced ones. The sophistication of a corporate compliance programme can be increased by tailoring it to factors such as the jurisdictions involved, nature of the business and capacity in which other parties may be engaged.
As regards implementation, the Standard Bank case clearly shows that ensuring employees understand when various component policies, processes and procedures of a compliance programme apply, is vital. On the facts of that case, Standard Bank staff had been unclear about whether a particular policy on introducers applied to the local partner (EGMA), and consequently failed to conduct due diligence checks on EGMA. Mere desktop checks, if conducted, would have revealed that two directors of the local partner were politically exposed persons and that one was a serving public official at the time, undeniable red flags for corruption and bribery. However, Standard Bank relied on checks purportedly conducted by its sister entity, Standard Bank Tanzania, in the transaction instead. Those checks were deficient and failed to identify the political status of both directors. As a result, measures to contain the risks and protect Standard Bank from being involved in any questionable payments were not taken. Evidently, clarifying the applicability of each policy, process and procedure making up the compliance programme will be necessary to ensure that employees comply with them in practice. Ideally, the question of applicability should be addressed both at the outset, when designing and scoping the compliance programme, and consistently thereafter, throughout the implementation of the programme.
Maximising the effectiveness of internal compliance training programmes is a concern common to many business organisations in Asia. Organisations are becoming increasingly aware of the need to tailor training to the seniority and risk profile of the employee. While all employees should undertake a minimum level of general, broad-based compliance training, upper management should undergo additional training in areas relevant to their responsibilities and the risks that they face.
In terms of mode of delivery, while e-learning frequently features as a component of internal compliance training programmes, it is generally regarded as a relatively ineffective way to reinforce anti-bribery and corruption obligations to employees as participants tend to treat online sessions as mere ‘click-through’ exercises. Sessions conducted via video conference may be marginally better, but are also considered ineffective at ensuring complete comprehension of the training content in spite of the slightly higher level of mutual interaction. Face-to-face trainings are viewed as the most effective method of getting employees to engage with, and in turn retain for a longer period, the content of the training course. On that note, some organisations additionally find that having business managers provide compliance training directly to their teams helps to increase the lasting effects of training sessions. This could be because having a team leader or direct supervisor conduct the training sends a strong signal of prioritising full adherence to a compliance culture. The business manager delivering the training would, of course, need to be knowledgeable about and engaged with the compliance programme.
Relating bribery and corruption risks to employees’ context is also advisable. Sharing actual instances of bribery or corruption that other employees of their respective organisations had encountered in the course of their work had been found to be helpful in increasing the awareness of such risks in other employees. Illustrative stories, where practical steps were taken and some form of resolution reached, are often better received than training that focuses heavily on the technicalities of applicable legal obligations.
Third party due diligence raises two main issues: (1) identifying the parties on whom due diligence should be conducted, and (2) determining the extent of the third party due diligence to be conducted.
The first issue arises due to the factual matrix of the Standard Bank case. Although Standard Bank Tanzania and its officers had been identified as the “associated persons”1 of Standard Bank, the court stated that Standard Bank should have conducted due diligence on EGMA. Although there was some suggestion that EGMA was providing some form of services, it had not expressly been identified as an associated person. The question is whether conducting due diligence on associated persons, like agents with which there is a contractual relationship, would continue to suffice or whether there is now a further obligation to conduct such checks further down the supply chain, particularly on entities with whom there may be no contractual relationship. One prudent view is that, in light of the Standard Bank case, checks on entities that a corporation knows or is likely to know about (e.g., sub-contractors) will probably be expected despite the absence of a direct contractual relationship with that entity. The proximity of the third party to the corporation, in the sense of whether the company should have known of the third party’s engagement or involvement, and the substance of their relationship with the corporation, have been proposed as ways of assessing the proper scope of due diligence checks.
The issue of the extent of the third party due diligence to be conducted follows on naturally once the parties to be checked upon are identified. This usually involves determining whether simplified or normal due diligence will suffice or enhanced due diligence is required. The extent of third party due diligence ought also to be revisited and adjusted where necessary throughout the lifetime of the business relationship, particularly where changes occur in relation to the risk profile and/or business operations of the third party, or scope of the third party’s role in the relationship.
There is a general consensus that co-operating with the relevant authorities during internal investigations is important, particularly in light of the emphasis placed on how Standard Bank’s extensive co-operation with the SFO helped it secure the DPA. However, questions remain about the type of co-operation that would be expected in Asia given the lack of clear rules of engagement with the authorities, rendering the outcome more unpredictable. When considering self-disclosure and co-operation with the enforcement authorities, it would be imperative to obtain proper advice on whether there are any parallel mandatory obligations to report to regulatory authorities, in particular obligations arising out of anti-money laundering legislation.
Enforcement activity in the anti-bribery and corruption space is likely to increase in light of the prevailing climate, and companies need to be prepared. Given the extraterritorial effects of laws like the Bribery Act and the US Foreign Corrupt Practices Act, companies in Asia would be wise not to be complacent. The Standard Bank case could be a sign that the UK authorities are joining their US counterparts in actively investigating international corruption. Internally, companies would do well to review their existing compliance programmes and perform gap analyses against international benchmarks, or design and implement a programme if they have not already done so. The “Six Principles”, established by the UK Ministry of Justice, and the ten hallmarks of an effective compliance programme, published by the Department of Justice and Securities and Exchange Commission, are valuable resources and helpful starting points. The delivery of training programmes should also be given much attention, so as to maximise employees’ understanding of their risks and responsibilities. Where external parties are involved, third party due diligence should be undertaken seriously, bearing in mind the risks posed in such relationships with regard to both the identification of third parties to be reviewed and the extent of due diligence to be undertaken.
This was co-written by Lisa Ho.
Section 8 of the Bribery Act defines “associated person” as a person (A) who performs services for or on behalf of another person (C). Whether A performs services for or on behalf of C is to be determined by reference to all relevant circumstances, not merely by reference to the nature of the relationship between A and C. The substance of, rather than the label affixed to, the relationship will be determinative. Employees, agents and subsidiaries have been expressly identified in the legislation as examples of associated persons. In particular, it should be noted that employees are presumed to be associated persons. This presumption is, however, rebuttable.
The difficulties of strategic planning for legal functions when they are too busy fighting fires.
In this issue, we again cover a broad spectrum of important issues in international arbitration, with a focus on international arbitration developments and important revisions to major arbitral rules and guidance.
© Norton Rose Fulbright LLP 2021