There is no legal requirement to report bribery to either the SFO or the DoJ: self-reporting is a commercial decision for the company, balancing the benefits and risks on the facts in question, in particular, the scale of the potential issue and the risks of it otherwise being reported or publicised. In the UK, a company may have other reporting obligations, for example to the Financial Conduct Authority (FCA) or the need to seek consent from the National Crime Agency? in relation to dealing with potentially tainted funds, which mean that the SFO may become aware of the matter in any case.
Given the global increase of enforcement actions in relation to bribery, enhanced international co-operation between authorities, and the move towards DPA systems in more jurisdictions, a company considering whether or not to self-report needs to ensure that it considers the risks and benefits of doing so on a global basis and with a clear understanding of regulators’ likely expectations as to further co-operation (see feature article “Deferred prosecution agreements: moving into the unknown”). For example, self-reporting is mandatory in some jurisdictions such as South Africa. Further DPAs have been introduced in France and Singapore, and are being considered in Canada, Poland and Australia.
Individual directors also need to consider carefully their own position and potential criminal and civil liability, and act appropriately in the circumstances (see below "Considerations for individuals"). A company needs to ensure that any self-report is made to relevant authorities quickly enough to gain co-operation credit, or (in the US) achieve a declination (where the authorities decline to prosecute the matter) or deferment of prosecution in the relevant jurisdictions. There is a tension between self-reporting sufficiently quickly and the need to investigate an allegation to determine whether (and if so, what) to report.
Some of the key considerations for companies to take into account when considering whether to self -report include the need to
- Consider carefully the benefits and risks of self-reporting in all relevant jurisdictions, noting that an increasing number of jurisdictions are moving towards DPA systems. Specialist advice may be required from lawyers who are experienced in investigations as well as in dealing with the relevant regulators and prosecutors.
- Potentially self-report bribery issues much sooner than they may have expected in order to gain credit for doing so. Preliminary investigations should therefore be conducted as quickly as possible.
- Be aware that self-reporting is unlikely in itself to result in a company avoiding prosecution. Extensive further co-operation is likely to be required, which should be taken into account when deciding whether or not to self-report.
- Take appropriate steps to investigate and remediate the issue to manage risks for individuals and the company going forward. This action will be required whether or not a company decides to self-report.
The UK position
Under English company law, directors have to consider the best interests of the company as a whole in making decisions. The Companies Act 2006 provides that directors must act in the way that they consider, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole (section 172(1)). This includes consideration of the likely consequences of any decision in the long term and the desirability of the company maintaining a reputation for high standards of business conduct.
So in deciding whether or not to self-report, the directors will have to weigh up the potential benefits and risks of self-reporting. Benefits include:
- The potential to secure a DPA.
- The reduction in financial penalties.
- Potential long-term reputational advantages.
Possible risks include:
- The potential damage to the company’s share price resulting from an announcement of an external investigation.
- Additional investigation and remediation costs.
- Business disruption.
- Senior management changes that may be required.
- Potential civil litigation.
In a speech given in September 2017, Alun Milford, general counsel at the SFO, emphasised that reform, including the removal of senior managers who are either implicated in, or should have been aware of, the criminality, has been a key element in all DPA judgments.(https://www.sfo.gov.uk/2017/09/05/alun-milford-on-deferred-prosecution-agreements/).
Civil litigation arising out of bribery issues is well established in the US and is increasing in the UK and other jurisdictions (see Briefing "Third-party bribery and corruption: managing the legal risks when issues arise", www.practicallaw.com/w-010-4888).
Many companies that self-report to the SFO do so primarily in order to increase the likelihood of securing a DPA, which
- Avoids a corporate criminal conviction, which could result in unwanted consequences such as likely debarment from tendering for public procurement contracts (in the UK, under the Public Contracts Regulations 2015 (SI 2015/102)).
- Is likely to lead to a quicker resolution of the matter as compared to a prosecution.
- Should lead to a reduction in any fine so that it is broadly comparable to the fine that a court would have imposed following conviction after a guilty plea, where the circumstances are comparable to the submission of an early guilty plea by the company. For example, in the Standard Bank DPA, which was the UK's first DPA, there was a reduction of 30 per cent (see News brief "Bribery Act 2010: SFO concludes first deferred prosecution agreement", www.practicallaw.com/3-622-1169). In the case of the DPA for the unidentified company known as XYZ, there was a reduction of 50 per cent, which was stated to be as a result of admissions having been made far in advance of the first reasonable opportunity of being charged (www.sfo.gov.uk/2016/07/08/sfo-secures-second-dpa/).
While self-reporting is not a requirement for a DPA (Rolls Royce, for example, achieved a DPA but did not self-report), it will be a significant factor in determining whether or not a DPA is offered (see box "The Rolls Royce DPA"). The SFO has been clear that self-reporting is still a key feature of the profile of a case suitable for resolution by DPA but it is no guarantee of achieving a DPA in the UK; it forms only part of the co-operation required to potentially qualify for a DPA (www.sfo.gov.uk/2017/03/08/the-future-of-deferred-prosecution-agreements-after-rolls-royce/).
The decision on whether to approve a DPA will ultimately be determined by the court, having considered public interest factors as well as the level of co-operation by the company. For example, in R v Skansen Interiors Limited, a dormant company was prosecuted on public interest grounds for failing to prevent bribery despite self-reporting the matter to the police and asking them to investigate the matter (unreported; see News brief "Failure to prevent bribery: first contested prosecution", www.practicallaw.com/w-013-8901).The Crown Prosecution Service (CPS) explained that there was a public interest in sending a message to industry to take the Bribery Act 2010 seriously and to implement proper controls.
In appropriate circumstances, self-reporting may also lead to no criminal action being taken, although it is likely that the SFO will undertake some level of investigation in any case and require a significant amount of information and material to be provided by the company.
Sir David Green, then Director of the SFO, speaking at the Annual National Institute on White Collar Crime in March 2018, made it clear that the SFO will not accept a "Damascene conversion"; that is, a situation where a company and its lawyers fail to co-operate with the SFO for a lengthy period and then suddenly the company makes some management changes, replaces its lawyers and requests a DPA. Sir David Green said that no self-reporting meant no DPA.
|The Rolls Royce DPA
The SFO initially became aware of issues concerning Rolls Royce after allegations were published online on an anonymous blog. The court, however, in approving the DPA emphasised the company’s extraordinary co-operation overall and that it could not have done more to expose its own misconduct, including in relation to wrongdoing in parts of its business that were wholly unconnected to the business areas that the SFO had initially asked for information about (www.judiciary.gov.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf; see News brief "Rolls-Royce deferred prosecution agreement: the SFO gains traction", www.practicallaw.com/6-638-0859).
The court found that Rolls Royce's level of co-operation put it in the same position as if it had self-reported, although there was no self-report and no indication that a self-report was imminent. For this reason, it was able to achieve a DPA.
The US position
The DoJ clearly wants companies voluntarily to disclose potential FCPA violations, but whether or not a company should make this disclosure requires a careful analysis of the potential benefits as well as the serious risks. In recent years, the DoJ has made a significant effort to encourage companies to engage in ethical corporate behaviour, including by fully co-operating with government investigations, doing what is necessary to remedy misconduct and notifying law enforcement about wrongdoing (www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign).
It should be noted that this move towards encouraging good corporate behaviour extends beyond the FCPA and foreign bribery; DoJ officials announced in March 2018 that the FCPA policy will be used as non-binding guidance in non-FCPA cases (https://globalinvestigationsreview.com/article/1166274/doj-expanding-use-of-fcpa-declination-policy-principles). Along these lines, the FCPA policy, announced in November 2017, aims to provide benefits to companies who voluntarily self-disclose potential violations, fully co-operate with the DoJ and appropriately remediate the violations in a timely manner (www.justice.gov/usam/usam-9-47000-foreign-corrupt-practices-act-1977).
The FCPA policy, on its face, appears to incentivise companies to self-disclose potential FCPA violations and fully co-operate in any resulting investigations. It provides that when a company has voluntarily self-disclosed misconduct, fully co-operated, and remediated in a timely and appropriate manner, there will be a presumption that the company will receive a declination, in the absence of aggravating circumstances. This presumption is a significant change from the previous policy under which the DoJ would merely consider granting a declination. Even if aggravating factors are present and therefore the DoJ pursues the company, the company achieves greater certainty than under the previous policy as the DoJ will grant a 50 per cent reduction in fines, whereas previously the DoJ was only committed to consider a reduction in fines.
Companies must take into account many potential consequences when considering a disclosure. The FCPA policy is only a non-binding guideline that does not create any enforceable rights or provide any ability for recourse if the DoJ chooses to deviate from it (www.justice.gov/usam/usam-1-1000-introduction). Even if it were binding, the DoJ retains significant discretion under the FCPA policy to grant or withhold credit for disclosure. For example, unlike the UK position, self-reporting in the form of a voluntary self-disclosure is a requirement to receive a declination under the FCPA policy. The DoJ alone determines whether a given disclosure is, in fact, voluntary.
Companies therefore risk not receiving any credit for their disclosure even with the apparently more business-friendly FCPA policy in place. In addition, receiving a declination from the DoJ will not necessarily preclude civil enforcement actions being taken against the disclosing company. The Securities and Exchange Commission (SEC), for example, frequently pursues parallel civil enforcement actions that will not necessarily be settled by a resolution under the FCPA policy. Companies considering making a disclosure to the DoJ must also consider simultaneous disclosures to the SEC, and be prepared for additional penalties and remediation requirements beyond the DoJ. For example, the SEC Enforcement Division operates a co-operation programme which provides incentives to encourage greater co-operation by individuals and companies in SEC investigations and enforcement actions (www.sec.gov/spotlight/enforcement-cooperation-initiative.shtml).
Companies need to also keep in mind that admissions made in a DPA or in connection with a declination may be used against them in a shareholder action. While these cases have been generally unsuccessful, the cost of possible future litigation needs to be considered. For example, in Re VEON Ltd, litigation which relied on admissions made in a DPA was permitted to continue (Sec Litig, No 15-CV-08672 (ALC), 2017 WL 4162342 (SDNY September 19, 2017).
Accordingly, while the FCPA policy provides greater clarity in many respects, considerable uncertainty remains. For example, the DoJ has not defined what constitutes "aggravating circumstances" that would preclude the presumption of a declination. Also, the FCPA policy statement that companies must pay all disgorgement, forfeiture or restitution resulting from the misconduct to qualify for the potential benefits of the FCPA policy is so broad that payments for all misconduct, rather than just FCPA-related conduct, may be required to qualify for any benefit.
The DoJ has said that the FCPA policy does not provide a guarantee or eliminate all uncertainty because preserving a measure of prosecutorial discretion is central to ensuring the exercise of justice. However, the FCPA policy aims to strike the balance in favour of greater clarity about the DoJ's decision-making process. The DoJ has said that the advantage of the FCPA policy for businesses is that it provides transparency about the benefits available for those that satisfy the requirements and that it wants corporate officers and board members to better understand the costs and benefits of co-operation (www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign).
Leap into the unknown
One of the great difficulties in assessing whether or not to self-report is the uncertainty as to whether self-disclosure will result in a DPA in the UK, or a DPA or a declination in the US. This uncertainty exists in both jurisdictions, although to different extents. Historically, in the UK, it used to be the case that a company which self-reported was likely to receive only a civil sanction. However, following criticism from the Organisation for Economic Co-operation and Development, the SFO revised its self-reporting guidance (SFO self-reporting guidance) in 2012 to make it clear that self-reporting is no guarantee that a prosecution will not follow (www.sfo.gov.uk/publications/guidance-policy-and-protocols/corporate-self-reporting/; see News brief "Self-reporting financial crime: moving the goal posts", www.practicallaw.com/1-522-6197).
In comparison, the US historically took the position that there was no guarantee of a declination or DPA even where a company made a voluntary self-disclosure, but the adoption of the FCPA policy arguably provides greater certainty that a company will receive a declination or DPA. Neither the SFO nor the DoJ consider self-reporting to be sufficient in itself to achieve a DPA or, in the US, a DPA or a declination. It is only the first stage in the extensive co-operation that will be required, the terms of which will be unknown at the time of the self-report.
In both the US and the UK, self-reporting starts a process over which the company has little control and which, if it does not co-operate to the prosecutor’s satisfaction, may put it in a worse position than it started in, particularly given that it may have disclosed an issue which may otherwise not have come to light or provided material to the prosecutor that it might otherwise not have obtained. Reporting to one regulator may also bring a matter to the attention of other regulators in that jurisdiction and other jurisdictions.
There are also considerations unique to each jurisdiction that increase the uncertainty associated with self-disclosure. For example, in the UK, court approval is required for a DPA, so even if the SFO recommends a DPA after extensive co-operation, the court may reject it.
Whilst judicial approval is not required for a declination or DPA in the US, uncertainty arises in connection with the significant leeway that US prosecutors have to withhold the benefits under the FCPA policy even after a company has self-disclosed. In addition, the requirements for timely disclosure in the US may mean that decisions regarding disclosure will need to be made quickly and with imperfect information, which raises the risk that the benefits of disclosure may not be granted (see "US timing requirements" below).
The US courts have almost no authority to approve or monitor a company's compliance with a DPA, although charges remain pending on the court's docket where a DPA is entered into. At most, a court can determine that a DPA is bona fide and not a disguised attempt to circumvent the requirements of the Speedy Trial Act of 1974 (United States v HSBC Bank USA, NA, 863 F.3d 125, 138 (2d Cir 2017); United States v Fokker Services BV, 818 F.3d 733, 744 (DC Cir 2016).
Considerations for individuals
In the UK, individuals, including directors, may be exposed to the risk of committing money laundering offences in relation to funds that are potentially the proceeds of crime (for example, proceeds of potentially tainted contracts) unless the company obtains consent from the NCA to take decisions in relation to those funds under section 338 of the Proceeds of Crime Act 2002. The NCA may then report the matter to the SFO. UK directors should also take advice on their own duties and liability if contracts potentially obtained by corruption are ongoing and the counterparties to those contracts are not informed that corruption may have been involved.
In the US, individuals are also subject to potential liability. The FCPA policy makes clear that, in order to qualify for voluntary disclosure credit, a company must disclose all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law. The language is broad enough that companies must disclose information regarding any potential criminal conduct, not just FCPA violations, if seeking to make a voluntary disclosure.
Considering that conduct that potentially violates the FCPA could also be covered by a number of other US statutes, ranging from wire and mail fraud to Travel Act or tax law violations, individuals and companies must keep in mind that voluntary disclosure of possible FCPA violations may open the floodgates to other criminal liability.
Companies must be ready to make current and former directors, officers, employees and agents available for interviews with the DoJ if requested. This requirement covers persons outside of the US who might not otherwise be subject to US jurisdiction, and, where possible, third parties. Since disclosure must be made at an early stage in the US, companies must be prepared to make this level of disclosure without full knowledge about the extent of an individual's involvement or the individual's exposure to liability.
Reaching and documenting the decision to self-report
Companies need to consider how they will decide to make a self-report. In the UK, it is essential that any decision on self-reporting is taken by directors who are independent from the underlying allegation and that the decision is properly considered with appropriate advice and documented. Whatever decision is made, a board needs to ensure that the matter is investigated and appropriate remediation steps are taken to minimise ongoing criminal, civil and reputational risks, and avoid the perception of having suppressed the matter (see feature article “Corporate investigations: key issues for boards and in-house lawyers”, www.practicallaw.com/0-619-0485).
Failing to respond properly to a potential bribery issue will make it very difficult to obtain any credit or make out a defence of “adequate procedures” under section 7 of the Bribery Act 2010, and will expose the directors to the risk of litigation whether or not they were involved in the underlying issue (see Briefing "Bribery Act 2010: still a sleeping giant", www.practicallaw.com/8-584-9550).
In making a decision regarding self-reporting, companies must take care to ensure that any internal investigation is conducted properly, and be conscious that the decisions made as a part of that investigation may be opened to external scrutiny. The FCPA policy explicitly requires companies to provide all relevant facts gathered during their independent investigation to the DoJ, even when not specifically asked to do so. Investigating an allegation but then choosing not to disclose it in a timely manner virtually guarantees that the DoJ will refuse to provide any credit for disclosures made later, as can be seen in the case of Panasonic's DPA (United States v Panasonic Avionics Corp, No 18-CR-00118 (DDC 30 April 2018); www.justice.gov/criminal-fraud/file/1058571/download).
Beyond disclosure to law enforcement agencies, companies may also be obliged to release internal investigation records to the public, especially if the company is a public company (see box Public disclosure).