Are your compliance systems ready to meet tomorrow’s challenges?
Published on 15th Feb 2017
Few in-house lawyers or compliance professionals relish asking the Board for more budget to improve compliance systems. The budget for in-house legal spend is often tight and the in-house legal function can be perceived within many businesses solely as a cost. Working out how to spend that hard-won budget as efficiently and effectively as possible is therefore a key decision for the in-house legal team.
This is particularly so in relation to overseeing regulatory and corporate criminal compliance. There is, of course, always more that can be done, and no system is entirely perfect, but trying to get away with the bare minimum can be a false economy and regulators are increasingly attuned, and unsympathetic, to businesses that pay lip service to compliance but no more.
The emphasis on regulation and criminalisation of corporate activity is on the increase. We have now had the first corporate prosecution under the Bribery Act for failing to prevent bribery. We have also seen the first three deferred prosecution agreements entered into by the SFO relating to potential offences under the Bribery Act, most recently the Rolls Royce case. We have also seen the recent introduction of the Modern Slavery Act with obligations on large and medium size businesses to report on the steps they have taken in their business and supply chain (if any) to ensure slavery and human trafficking is not taking place. The legal obligations may be quite limited but as with the Bribery Act, protection of reputation is a key driver of good practice.
Looking ahead, we continue to look for signs indicating the introduction of broader corporate ‘failure to prevent’ offences for issues relating to fraud and money laundering, as well as the imminent introduction of the new failure to prevent tax evasion offence, now expected in the autumn.
Given the increased and persistent attention on corporate liability, many in-house lawyers should be asking: in this fast-moving environment, how do I ensure that my investment in compliance monitoring not only meets the current needs of the business but will also meet the future needs which are appearing on the horizon?
Static policies and procedures are not enough
For UK corporate liability, the implementation of the Bribery Act 2010 was a watershed moment because it imposed liability on corporates for conduct carried out overseas on a strict liability basis. To have a defence, the corporate needs to demonstrate that it had “adequate procedures” in place to prevent bribery.
In the rush of attention when the Bribery Act came in, many businesses invested significantly (in time and money) in anti-bribery policies and procedures. That early investment in ABC procedures is increasingly justified by the recent high-profile scandals and fines, which have demonstrated both the level of risk involved in getting it wrong and the increasingly high standards that authorities are expecting of corporates. However, there is an understandable benefit in avoiding having to repeat such investment every time a new corporate criminal offence arises.
There is also a danger for some corporates that policies have been left framed in glass and the procedures not updated to meet the changing nature of the business and the risks faced. For example, opening up new operations or markets in higher risk jurisdictions could fundamentally alter the bribery risk profile and require a major overhaul of reporting and monitoring processes.
Now the compliance challenge for corporates is becoming a more three-dimensional puzzle, involving not only the on-going need to monitor and improve ABC compliance, but also the need to have policies and procedures identifying and addressing risks across an increasing range of corporate criminal behaviour.
What are the main challenges on the horizon?
The FCPA and Bribery Act led the way, but new corporate liability risks are now coming from a number of different directions. In the UK, the new offence of failure to prevent tax evasion is expected to be modelled in many respects on the Bribery Act; it will require adequate procedures to be in place to prevent practices that breach foreign tax laws by “associated persons” of the corporate. This might include action such as VAT fraud by suppliers, which for most businesses will not be straightforward to protect against.
As noted above, the UK government has also been consulting on an even wider “failure to prevent” offence: “failure to prevent economic crimes”. This could expose businesses to an even greater level of risk, which may be even more difficult to protect against.
Worldwide, other jurisdictions such as France and Belgium are tightening up their own anti-bribery legislation, and national authorities like the SFO in the UK and the DoJ in the US are increasingly working together. Each of those regimes will have its own requirements and expectations in terms of the standards expected of corporates.
What should businesses be doing to protect themselves?
Taking an incremental and reactive approach to new legislation risks creating a compliance structure with duplicative systems, which are less efficient than they could be, less effective than they should be, and as a result, cost more than they should do.
Instead, businesses need to develop multifunctional compliance structures that, to the extent possible, share mechanisms to meet the company’s varying compliance needs and obligations. This structure typically needs to pervade the business and constantly evolve.
What the systems and monitoring should look like is a question which is particularly pertinent to those considering how to maintain adequate procedures for the purposes of the Bribery Act. Having put systems in place following the introduction of the Bribery Act, many are now asking (both internally and of their advisers), what monitoring should we be doing and is what we are doing enough?
While the appropriate approach will vary between companies, good solutions are likely to include some or all of the following:
- Closer coordination between teams. An obvious example being compliance and corporate social responsibility functions working closely together to share information and drive better business and labour practices, which are central to both corporate citizenship (and therefore brand) and regulatory compliance;
- Building legal compliance into commercial processes, so that in-house legal can monitor activity effectively with minimum effort and therefore devote more resources to key issues;
- Developing systems that have inherent flexibility to allow them to be repurposed for new compliance demands;
- Adoption of new technologies, such as analytics or artificial intelligence, which can give new insights into business performance at the same time as mitigating risk; and
- Increasing planning for crisis response. For example, planning for decision making when the interests of directors and the company diverge. As the SFO and other regulators and prosecutors increasingly seek corporate cooperation to enable them to proceed against individuals, agility in this respect could be key to getting the best outcome for the company.
Another message that has come through loud and clear from the prosecutions and DPAs to date is the emphasis on a compliance culture being driven from the very top. Practically, this means producing useful management information that is considered in board meetings and (crucially) acted on. It is not enough simply to make the right noises; these are things that can (and will) be assessed objectively if an issue does come to light.
The developing corporate criminal landscape can appear daunting. However, there is cause for optimism. As the weight of compliance regulation grows, the early indicators suggest the direction of travel to be increasing expectations of companies that they have a good understanding of the risks in their business, that they have taken adequate and responsible steps to address or mitigate those risks, including appropriate policies and procedures which are applied and effective, and that they have sufficient oversight to monitor the risks and actions taken by the business and to identify issues early. This reflects the approach and mechanisms most companies already have in place to some extent. Therefore, the solution may often be an extension of current operating procedures rather than remaking the wheel.
Broaching it with the Board
The other good news for in-house lawyers and those in charge of compliance is that the headlines generated by high-profile scandals have done much to increase awareness and appreciation within the Boardroom. Requests for budget may therefore be likely to receive a more sympathetic reception than they might have done a few years ago.
This creates an opportunity to make a case for real change, by re-thinking the role of compliance within the organisation and designing a function to meet tomorrow’s challenges. Rather than being a mere cost-centre, a well-designed system can also bring business benefits; it can enhance your reputation and become a core part of your global brand.
We work with businesses that operate around the world to understand their risk profile, design practical compliance systems and stress-test those systems against current or future threats. Please contact us if you would like to know how we can help you.