Why an Effective Compliance Program is a Differentiator in a Regulatory Investigation
By Tapan Debnath, Senior Legal Counsel, Business Integrity Group, Nokia Corporation
No amount of compliance measures can ever truly eradicate the risk of bad actors associated with a company from breaking the law. If the worst does happen, a robust compliance program, together with a well-considered response to the issues, play a vital role in mitigating the consequences for the beleaguered company. This article considers some of the key benefits and components of an effective compliance program. While the article is primarily UK focused and directed towards large multi-nationals, the points raised will also be relevant for smaller, single jurisdiction entities.
So, exactly what are the benefits?
It helps the company to Identify the issues before others do
Discovering a major problem involving the company for the first time through a dawn raid, press reports, whistle-blowers or auditors immediately puts the company on the back foot, causing it to be reactive rather than proactive. A system for the internal reporting of compliance concerns in several ways, such as through email, web links, telephone, and designated employees, which is available for internals and externals, is essential. A genuine company-wide commitment to a ‘speak-up’ culture, with protection against retaliation for who raise compliance concerns, paired with cyclical audit and review of high risk business functions and locations further enhances the prospects of discovering the skeletons before someone else does. One of the key benefit of making the first discovery of a serious criminal conduct is that it allows the company to weigh-up self-reporting the problem to the authorities.
Prompt self-reporting could help to avoid a prosecution or reduce regulatory penalties or both
The decision to self-report is an extremely important one which requires expert professional advice, careful consideration of the risks and potential benefits, and a degree of internal investigation to understand the scope and extent of the criminal misconduct in question. In the absence of mandatory disclosure obligations, for instance, the duty on UK relevant financial institutions and firms in the regulated sector to report, respectively, sanction breaches and suspicions of money laundering or terrorist financing, voluntary self-reporting allows the company to: (1) have an element of control over the information disclosed to the authorities and to the public; (2) demonstrate a culture of good compliance, especially if its own systems detected and remediated the wrong-doing; (3) gain maximum co-operation credit and penalty mitigation.
The Serious Fraud Office (“SFO”), the lead UK agency for top-tier fraud and corruption, has been increasingly using the deferred prosecution agreement (“DPA”) regime, which was introduced in February 2014 by the Crime and Courts Act 2013. A DPA is a court approved agreement between the prosecution and defence whereby corporate criminal charges are suspended for a defined period on condition that, for example, the company pays a fine and compensation, disgorges profits from the misconduct and implements certain compliance remediation measures. Provided the company fulfils the terms of the DPA, the charges are discontinued, so there is no conviction against the company and therefore, crucially, none of the additional damage to reputation and business, or other consequences like debarment from bidding for public contracts.
It may eliminate the need for costly corporate monitors
A corporate monitor is an independent reviewer who oversees the implementation of compliance and remediation programs to rectify the deficiencies which gave rise to the misconduct in the first place. Typically, monitors are a requirement of the DPA, though on occasion are installed by the company as part of its own remediation and mitigation strategy, regardless of whether it discloses matters to the authorities.
Both US and UK guidance on the appointment of monitors sets out very similar important considerations, including whether the company already has a ‘genuinely proactive and effective corporate compliance program’: section 7.11, UK DPA Code of Practice. Of the four UK DPAs to date, only one has not included a monitor, SFO v XYZ Ltd, which is perhaps largely due to the relative small size of the company and the financial impact that a monitor would have had on it. In US proceedings, Telia, the Swedish telecoms company, avoided a monitor in September 2017 when it entered into a $548.6m settlement with the US and Dutch prosecutors and disgorged nearly the same amount as the profit from bribery offences. Telia avoided a monitor by modelling its compliance program on the US DOJ’s February 2017 ‘Evaluation of Corporate Compliance Programs’ guide. It is noteworthy that the DOJ is less frequently imposing corporate monitors in recent times.
Monitor’s fee, which are paid by the company, can run into the tens of millions. Therefore, it pays to not only have a compliance program which is effective and robust but, when having to deal with the authorities, to also earn their trust through firm remediation action, including removing culpable employees, demonstrating that it can implement the necessary changes and enhancement to its compliance program itself, and continuing to co-operate with the authorities. It might avoid the need to have an independent monitor installed in the company for several years.
It could provide a defence to the offence of failing to prevent bribery
The UK Bribery Act 2010, changed the landscape of corporate criminal liability by making a company criminally liable for failing to prevent the corrupt acts of persons associated with the company, unless it can prove that it had adequate procedures in place to prevent such misconduct. Indeed, this new method of attributing criminal liability to corporates has been extended to another offence; failing to prevent the facilitation of tax evasion and is likely to be further extended in the near future to other economic crime offences.
The Ministry of Justice has issued guidance on adequate procedure and six high level principles when implementing preventative procedures: proportionate procedure; top-level commitment; risk assessment; due diligence; communication, including training; monitoring and review. What is clear is that the bar to succeed with this defence is set high and a box-ticking approach to ensuring compliance will fall woefully short. It requires, at the least, a genuine corporate culture, running from the top-level and throughout the organisation, of continuously striving to do business ethically, and a compliance function that is sufficiently empowered and independent of the business to be able to first spot and then respond accordingly to red flags.
There are of course other general benefits of an effective compliance program, not just to uncover and protect the company from serious criminal activities, such as helping to set the company apart from its competitors, recognition by industry bodies that it is doing business in the right way and minimising the risk of future misconduct. Needless to say, it pays to be compliant.
Tapan Debnath is Senior Legal Counsel for Nokia handling Ethics & Compliance Investigations in Europe and Middle East & Africa. Prior to joining Nokia in January 2016, Tapan was a prosecutor at the UK Serious Fraud Office where he investigated and prosecuted major international economic crime cases. Tapan is an experienced UK qualified solicitor specialising in white collar crime and spent four months seconded to Eversheds Sutherland’s corporate crime and investigations team in London in late 2017 and early 2018.