Now is not the time to neglect your corporate compliance programme, particularly as law enforcement are currently warning of a general increase in fraudulent activity. Here, we explain what compliance programmes are, and why you need one right now to protect your business from fraud and misconduct.
Blockbuster fraud cases have raised awareness of reputational risk to businesses and of the need to implement effective compliance measures to combat, amongst other things, the threat of fraud, bribery and tax evasion to protect the business, its directors, staff and shareholders. Despite this, there are still large numbers of businesses operating on the mistaken assumption that their policies and procedures provide adequate compliance protection.
What is a compliance programme?
The Serious Fraud Office (SFO) in its Operational Handbook – Evaluating Compliance Programmes identifies such a programme as “an organisation’s internal systems and procedures for helping that organisation – and those working there – comply with legal requirements and internal policies and procedures”.
Businesses recognise the detrimental consequences for companies who are investigated by law enforcement including the SFO. These include:
- corporate and personal criminal liability (directors, senior managers, employees);
- imprisonment, prosecution costs, and of course potential external sanction costs and other regulatory fines;
- direct financial loss through fraud;
- reputational damage;
- loss of contracts and debarment from public tender processes;
- low morale within the workforce, the cost of replacing staff and disciplinary costs (including investigation).
Why do you need a compliance programme?
Guidance on corporate prosecutions issued by the Director of Public Prosecutions and the director of the SFO explicitly states that it is a public interest factor in favour of prosecution where an offence is committed at a time when the corporate has an ineffective corporate compliance programme, but that a genuinely proactive and effective corporate compliance programme is a public interest factor against prosecution.
Creating a robust compliance culture is therefore not only key to the prevention of and fight against fraud and other regulatory breach; it also provides a corporate organisation with strong mitigation against prosecution, provided that the compliance programme is effective and not simply a paper exercise. The SFO guidance goes further and states that it is critical that the “compliance programme is proportionate, risk based and regularly reviewed”.
It is those organisations with a weak anti-fraud and compliance culture which are most exposed to investigation and ultimately prosecution. These organisations are typically those that, among other things:
- have no or limited formal anti-fraud and/or compliance statements and policies;
- have a lack of fraud and regulatory compliance awareness which may manifest itself in a failure to understand the risk and the threat to the organisation;
- exercise a relaxed culture;
- have weak management.
The good news is that it is never too late to strengthen an organisation’s compliance programme. Provided the organisation has taken remedial actions following an incident of wrongdoing and the compliance programme is genuine and proactive, the prosecutor will treat this as a relevant factor in any charging decision. The SFO guidance identifies these as public interest factors against prosecution.
What steps should we take?
We recommend that an organisation adopt a holistic approach to compliance and consider the interplay of bribery, tax evasion, specific business relevant regulatory breach, anti-money laundering, anti-fraud and where relevant, sanctions and export control. There are numerous pieces of guidance available.
The SFO’s guidance on evaluating a compliance programme has direct reference to the guidance issued by the Ministry of Justice in respect of the Bribery Act 2010. This is useful and should be factored into an organisation’s anti-fraud and compliance programme along with other guidance including that issued by HM Revenue & Customs in relation to tackling tax evasion.
The SFO, Ministry of Justice and HM Revenue & Customs guidance is generic and aimed at all organisations from large to small. It is not one-size-fits-all but does provide a set of guiding principles which should be considered along with industry/sector specific guidance, of which there are many examples. Some of the recommendations include:
Top level commitment
Of central importance to any compliance programme is the need to set the tone from the top. The SFO and other regulators will look to establish that the organisation’s senior management are actively engaged in compliance or walking the walk, not just talking the talk.
Although the guidance is not prescriptive the expectation is that directors and boards will communicate that commitment to the business through statements, policies, training, monitoring and implementation.
A business will find it beneficial to create an overarching criminal and regulatory compliance document to set the tone of the business. This document might, for example, link the business’ policies and procedures to the business’ code of conduct or ethics. The document should set out the zero-tolerance policy adopted by the business.
Drilling down more specifically, a business should consider implementing additional specific compliance statements dealing with, for example, bribery, tax evasion and anti-fraud.
These documents will among other things:
- Give high level commitment from the board to standards of criminal and regulatory integrity and anti-fraud behaviour;
- Identify policies and compliance procedures in general terms based on risk and provide guidance as appropriate with the intention of mitigating risk;
- Commit the business to taking all appropriate disciplinary or criminal proceedings where appropriate;
- Perhaps most importantly, set out the route by which employees can report malpractice or concerns, knowing they can do so without fear of retribution.
Most UK businesses are used to, and will already have undertaken, some form or indeed a range of risk assessments relating to their business. Without undertaking risk assessments, a business will be unable to draft and implement necessary policies and procedures and ultimately implement an effective compliance programme.
The Bribery Act guidance suggests that “the commercial organisation assesses the nature and extent of its exposure to external and internal risks…. The assessment is periodic, informed and documented”.
HM Revenue & Customs guidance suggests that “Ultimately, relevant bodies need to ‘sit at the desk’ of their employees, agents and those who provide services for them or on their behalf and ask whether they have a motive, the opportunity and means to criminally facilitate tax evasion offences, and if so how this risk might be managed.”
Both sets of guidance recognise the need for risk assessments to be periodically reviewed and updated in line with changing circumstances. This guidance is generically applicable to all criminal and regulatory risk that a business might face.
The guidance identifies a number of features common to risk assessment procedures including:
- Oversight of the risk assessment process by senior management;
- Appropriate allocation of resource to oversee the identification and monitoring of risk reflective of the size and nature of the business;
- Relevant due diligence enquiries;
- The identification of internal and external information sources that will enable risk to be more readily identified and reviewed;
- The appropriate recording of the risk assessment.
Proportionate policies and procedures
A business’ compliance procedures will to some extent be determined by the sector it operates in and the risk it faces. For example, a business in the financial services sector may have very different anti-money laundering policies and procedures to one operating in the retail sector. It is important to understand that an effective compliance programme will include formal policies which are intended not only to encourage a responsible and ethical corporate compliance culture but to prevent criminal and regulatory breach. Policies in themselves will not be enough and the procedures adopted by a business will need to properly implement them.
The available guidance identifies a number of procedures that a business may want to consider and which are generally applicable across compliance programmes when tailored to a specific risk including:
- A top level commitment to ethical corporate behaviour and culture with a zero-tolerance policy to bribery, tax evasion and other unethical or criminal behaviour;
- Clearly articulated risk assessment procedures;
- Details of how the organisation plans to implement the policies intended to mitigate the risk tailored, where necessary, to specific parts of the business;
- Details of how the organisation will undertake its due diligence on those that may have a commercial relationship with the business, including for example, agents, suppliers, sub-contractors and consultants;
- Enforcement procedures which detail how the business will approach a breach of the relevant policies both by internal staff and external suppliers, contractors, agents and so on;
- Whistleblowing policies enabling a clear route to report wrongdoing whilst providing protection for whistle blowers.
Monitoring and review
Over time the type of risks faced by a business will change and evolve, as will the market in which it operates. This may be down to any number of reasons, from unforeseen changes in the business environment such as the current coronavirus pandemic, governmental or legislative change, through to growth of the business, whether in terms of size or other factors such as expansion into different countries. As such it is vitally important to maintain continuing monitoring and evaluation of the compliance programme so that any changes required can be identified and then implemented.
Such monitoring can be conducted internally and externally through:
- Seeking internal feedback from staff members including through surveys and questionnaires;
- Internal and external audit conducting periodic review, whether announced or unannounced;
- The documenting and review of findings of feedback and audit;
- Drawing on the experience of industry bodies and others operating within the same sector and therefore potentially experiencing the same risks.
Communication including training
Finally, an organisation should devise a training programme which communicates all aspects of its compliance culture, whether it be anti-money laundering, anti-fraud or anti-bribery. Such training should commence at the employee’s induction and then continue to be reinforced throughout their employment. Such training should not be prescriptive and one size fits all but should be appropriate to the roles of the employees undertaking it. When creating an effective training strategy, the following should be included:
- Delivery of a clear anti-financial crime and unethical conduct message;
- Awareness of the risks of fraud, corruption and unethical practice;
- Identification to the employee of the relevant policies and procedures and raising their awareness of them;
- Red flags that employees should look out for;
- Provision of a forum where employees are able to discuss fraud risks and contribute to the prevention programme;
- Deterrence of fraudulent activity by establishing the zero tolerance and anti-fraud culture.
There are many reasons for an organisation to establish a strong compliance programme. If saving money and protecting the business, employees and shareholders is not enough then perhaps the threat of sanctions, including prosecution, under UK legislation for offences involving bribery, money laundering and tax, might be.
Establishing a strong code of ethics with proper training will go some way to showing law enforcement such as the SFO that the business they are investigating is an ethical one and has endeavoured to implement practical measures to combat the risk of fraud and unethical behaviour. That said, law enforcement will be looking for more than simple rhetoric from the board when it comes to enforcement.
It is clear, now more than ever, that businesses need to have robust compliance measures in place to protect themselves against fraud and misconduct and, in doing so, maintain hard-earned reputations.