UK companies can learn a lot from new US Prosecutors’ Guidance on Evaluation of Corporate Compliance Programs

The Criminal Division of the US Department of Justice (“DoJ”) has published updated guidance for prosecutors on the Evaluation of Corporate Compliance Programs (“DoJ Guidance”). The DoJ Guidance is intended to assist prosecutors when considering (i) whether to bring charges against a corporate and/or (ii) the terms of any plea agreement, including whether a monitor should be appointed to assist in improving controls.

Unlike the UK Bribery Act 2010, which provides a defence to the corporate offence of failing to prevent bribery where a company can demonstrate it had “adequate procedures” at the time of the wrongdoing, the US Foreign Corrupt Practices Act 1977 has no similar defence. However, US prosecutors will take account of any corporate compliance program when assessing wrongdoing and how to deal with it. Such a program can significantly impact the final outcome for a corporate. As a result, the DoJ Guidance looks at the program which was in place not only at the time of the wrongdoing (which is all that would be relevant from the UK Bribery Act defence perspective), but also at the time of any charging decision, as evidence of true remediation can impact that decision and any negotiated outcome, in particular the need for a monitor to review the implementation of enhanced compliance controls.

At the time of the UK Bribery Act’s implementation, the UK’s Ministry of Justice was required to publish non-prescriptive guidance on the steps corporates can take to develop “adequate procedures”. That guidance, published in March 2011, was novel at the time and predated any similar published guidance from the DoJ. It identified and gave indicative examples of six broad principles that companies might wish to follow in the development of their controls: proportionate procedures; top level commitment; risk assessment; due diligence on third party relationships; communication and training; and monitoring and review. All of those principles are covered in the new DoJ Guidance, albeit described differently in some cases.

The DoJ Guidance also focuses more explicitly than the UK guidance on the need for: whistleblower reporting procedures and protections for the whistleblower; investigation policies and procedures to ensure issues are properly investigated; M&A due diligence processes; and demonstrable incentives and disciplinary measures associated with compliance.

The DoJ Guidance builds on similar guidance published in February 2017, but now reorganises and expands the factors for consideration into topics to reflect a more sensible ordering of issues. While noting that the guidance is not intended to provide a rigid formula or checklist for assessing the effectiveness of any individual compliance program, it recognises that there are certain common questions and themes that prosecutors will need to consider. It then orders these 12 themes under three fundamental questions that all companies should ask themselves when assessing their compliance controls:

• Is the compliance program well designed? (Under this heading are the topics of risk assessment, policies and procedures, training and communication, confidential reporting and investigation processes, third party management, as well as M&A controls.)
• Is the program being implemented effectively? (Prosecutors are told to look at senior and middle management commitment to compliance, autonomy and resources of the compliance function, as well as incentives and disciplinary measures.)
• Does the program work in practice? (Here, prosecutors should look at continuous improvement, periodic testing and review, investigation of misconduct, as well as analysis and remediation of any underlying misconduct.)

How the prosecutor is supposed to assess those questions is slightly different depending on whether they are looking at the controls in place at the time of the wrongdoing or at the time of a charging decision, and differentiated guidance is offered for both scenarios. The DoJ Guidance is also somewhat more specific than the UK guidance as to what will interest a prosecutor. That is hardly surprising – the DoJ Guidance has a different remit to the UK guidance, as it is not guidance for companies on how to develop controls, but rather guidance to prosecutors on how to evaluate the adequacy of controls that do exist, where an incident has occurred and whether credit should be given for the program in place at the time and the way the company has responded subsequently (but before charge) to improve the program and remediate. In some ways, that makes this guidance of even greater interest and value to companies than the UK guidance, as it gives an insight into what they will need to be able to demonstrate to a prosecutor if something goes wrong and an investigation is undertaken. Of course, the DoJ Guidance comes from a particular cultural and legal approach that is not necessarily replicated in the UK. However, given the extraterritorial reach of the US FCPA and its impact in the development of the bribery laws and enforcement activity in many other countries, including the UK, corporates with no FCPA exposure but who are looking to develop or improve their anti-bribery controls should at least consider this latest guidance and ask themselves whether they would be able to meet the expectations set out in it, or even whether they could demonstrate and prove that they had undertaken the sort of assessments that a DoJ prosecutor would be looking for. Such an analysis should help corporates identify gaps in their current compliance controls which they may wish to prioritise for improvement in the near future.

What is very clear from this new guidance is that companies will be expected to be able to justify the choices they have made in the design and implementation of their compliance programs, each step of the way, including their decisions as to how and when to review and update those programs. There is a keen focus on looking for evidence of the company measuring the appropriateness and effectiveness of its controls, gathering data that then drives the development and evolution of the compliance program and supports the justification for the approach taken, including proof that the data gathered has been taken on board and responded to within the controls.

This all points to the need for having clear assessments and documented justifications for the choices made as to the development of the program (e.g. is training provided online or in person or both and what is the company’s rationale for that choice?). It also points to the need to keep a clear record of all those analyses and decisions and of all iterations of the elements of the program, including demonstrating how lessons are learned from issues that do arise.

There will be many corporates, even large international businesses, who would struggle to meet these requirements, but those who can will be well placed to receive more palatable treatment and outcomes from prosecutors when issues arise or, better yet, avoid them happening in the first place.