Strategies for Avoiding and Managing Regulatory Violations

Tracey Stretton, Legal Consultant

In the wake of the financial crisis, regulators around the world have stepped up anti-corruption enforcement activity and are adopting a more rigorous and aggressive stance. There has been a global increase in investigations, not only into bribery and corruption, but also into cartels and breaches of securities laws. EU cartel settlements reached £3 billion in 2010 with more potentially significant cases in the pipeline.[1]

An expansion of regulatory powers is underway as the UK Bribery Act is set to come into force in 2011. Described by some as the most draconian anti-corruption legislation in the world, it introduces criminal sanctions and a new strict liability offence where a company fails to prevent bribery. There has also been an expansion of the scope of the Foreign Corrupt Practices Act (FCPA) in the US. Regulators are extending their territorial reach, co-operating across borders and becoming more proactive in seeking out corrupt practices. Given the severe penalties and reputational damage associated with regulatory breaches, companies need to adopt a proactive response to avoid business conduct that might result in violations.

Regulatory Climate

In the US, the Department of Justice (DOJ) and the Securities Exchange Commission (SEC) have stepped up enforcement of the FCPA. Between 2005 and 2009 the DOJ brought over sixty FCPA cases, more than in the almost thirty-year period prior to that. In early 2010, one hundred and thirty open cases were under investigation, indicating an acceleration of this trend. US authorities have flexed their powers internationally, with nineteen of the forty-seven fines handed down in 2008 and 2009 involving non-US companies.[2]

Historically, UK authorities have not been as active in the prosecution of bribery and corruption offences. With the new UK Bribery Act in the wings, the situation is poised for change, and other European countries like Germany have also recently increased anti-bribery efforts.[3]

UK Bribery Act

The UK Bribery Act, expected to come into force in 2011, is more stringent than the FCPA. Unlike the FCPA, it prohibits not only the bribery of foreign officials but also corruption between commercial entities, making facilitation payments illegal. It also creates a new offence for commercial organisations that fail to prevent bribery, imposing strict liability on a company for the acts of its employees, whereas the FCPA requires prosecutors to prove intent and awareness of the bribe at a senior level. There is a move towards expanding the scope of the FCPA to cover executive accountability regardless of their degree of knowledge or culpability. UK authorities will have broad jurisdictional reach over the failure by companies to prevent bribery by anyone associated with the company anywhere in the world. Penalties are severe, with up to 10 years imprisonment for individuals convicted of the new offences and unlimited fines for organisations that fail to prevent bribery. A company’s only defence will be to show it had in place “adequate procedures” to prevent wrongdoing.

Are Companies Prepared?

A Kroll survey indicates that not many companies understand the current regulatory situation.[4] Of respondents with a presence in the UK and the US (and subject to the Bribery Act and the FCPA), only 36% believe these laws apply to them and only a third believe that their senior managers are familiar with the legislation. Not surprisingly, only 42% have assessed the risks and put in place necessary monitoring and reporting procedures. The survey highlights the need for a proactive response to combat potential violations. Companies with links to the US or the UK need to review their legal position and the controls needed to avoid falling foul of anti-corruption laws.

Practical Anti-Corruption Guidance

The draft guidance on adequate procedures to prevent bribery sets out general principles for companies to follow. The guidance is not prescriptive and the adequacy of procedures is ultimately a matter for the courts, taking into account the circumstances of a particular case.  The principles nevertheless reflect good housekeeping practice and recommend the following approach:

Risk Assessment - Companies should perform a risk assessment to identify bribery risk areas whether those relate to territories, functional areas or market sectors susceptible to risk.  Procedures need to be put in place to reduce or avoid these risks.

Top Level Commitment - Top level management need to express a zero tolerance policy towards bribery, set out the consequences of breaching policy and state the company will avoid doing business with others unless they make a similar commitment. Management need to become involved not only in developing a code of conduct but in embedding it in the organisation.

Due Diligence - Companies need to know who they are doing business with as well as why, when and to whom they are releasing funds.   Various types of due diligence are suggested including the assessment of risks relating to specific locations, business opportunities, prospective business partners, agents and partners.

Policies and Procedures - Companies should have policies and procedures to prevent bribery which are clear, practical and enforceable. Policies should, amongst other things:

  • prohibit bribery
  • include guidance on making gifts, charitable donations and on hospitality
  • provide advice on relevant laws and regulation

Careful thought needs to be given to how procedures such as financial and auditing controls, disciplinary procedures and “speak-up” procedures can be used to prevent bribery. Standards of behaviour can, for example, be incorporated into employment contracts.

Effective Implementation - The guidance notes that: “Like all corporate programmes, anti-bribery policies and procedures cannot manage the risk of bribery if left in a file on a shelf but need to be implemented through the allocation of roles and responsibilities and by setting milestones for delivery and review.” 

Monitoring and Review - Internal checks and balances are needed to monitor compliance and identify issues.  Financial and audit controls might pick up actual and potential irregularities and the Serious Fraud Office has suggested that a helpline can be set up to guide staff and allow issues to be reported. External verification on the effectiveness of policies might be appropriate especially when entering new markets.

Innovative Technology for Internal Audits

Now that business is conducted digitally, investigators have a rich source of evidence to tap into. E-mails, voicemails and long forgotten copies of documents on servers and smartphones are readily accessible to regulators and they have powerful tools to exploit this evidence. It is not unusual to find that bribery and corporate wrongdoing are brazenly referred to in corporate emails. Companies are now reviewing electronically stored information (ESI) as part of their internal audit process to ensure compliance with regulations and uncover wrongdoing such as corrupt practices and anti-competitive behaviour. Those that do will be better placed to identify potential problems early on and either avoid regulatory breaches or manage the process of reporting violations to the authorities and defending themselves.

Early incident detection allows a company time to investigate suspicious conduct, adopt remedial measures, self-report to the authorities if necessary and apply for leniency or enter into negotiations and prosecution agreements.  Having the ability to carry out internal audits in this way adds a further dimension to compliance monitoring and adds weight to the adequacy of the procedures a company has in place to prevent bribery.  These evidence reviews can be carried out routinely to check on compliance with policy, laws or regulations focusing on high risk business practices, transactions or departments.  They can also be conducted when a company is alerted to the possibility of wrongdoing (perhaps due to a whistleblower) and needs to carry out an internal investigation.   Internal audits and compliance reviews may be triggered by circumstances such as:

  • Routine examination of business practices to ensure compliance with competition laws
  • Post-merger due diligence audit to ensure a newly acquired entity adheres to company ethics and policies
  • In a case of suspected bribery, emails and large volumes of documents can be interrogated quickly to assess whether a problem exists and if it is necessary to self-report to the authorities

Companies like Kroll Ontrack now offer unique Compliance Review services which rely on sophisticated document review tools and expert consultancy to design internal audits and support the review of company data. Kroll Ontrack’s Advanceview™, for example, allows companies to analyse their data and assess the risk of suspected wrong-doing early on so that appropriate action can be taken. Powerful searching and data analysis tools help companies work out quickly what has been going on and the extent of legal exposure.

Conclusion

Regulatory compliance has become a top risk area. Companies need to implement programmes to prevent violations and procedures to audit business practices and monitor compliance with laws like the Bribery Act and FCPA. Just how far companies associated with the UK will ultimately need to go to prevent bribery is not clear.  Nevertheless, the global march against corruption continues and as a matter of good corporate governance, companies need to consider how to respond to the changing regulatory climate.  The focus of regulatory scrutiny will inevitably vary but those that carry out risk assessments, implement policies and carry out proactive internal audits to detect wrongdoing will be better placed to prevent violations and manage them should the need arise.

Quick Facts

  • More than 40% of reported information theft occurs in the financial sector.  (Source:  Kroll Fraud Report, 2010)
  • The average cost for a data breach in the UK rose to £1.9 million in 2010, up 13% from 2009.  (Source:  IT Pro, 2011)
  • Fifty-three per cent of UK companies do not have or do not know if they have an inventory of where all their data is stored.  (Source:  Kroll Ontrack ESI Trends Report, 2010)

Tracey Stretton is a Legal Consultant at Kroll Ontrack London

 

Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.

[1] “Rise in EU Anti-trust Settlements Anticipated”, 23 December 2010, FT.com
[2] “Economist Intelligence Unit Overview”, Kroll Global Fraud Report, Annual Edition 2010/11
[3] “Germany’s Stronger Anti-Corruption Enforcement”, Kroll Global Fraud Report, April 2010
[4] “The Regulatory Challenges of Crossing New Frontiers”, Kroll Global Fraud Report, Annual Edition 2010/11