What Are "Adequate Procedures" for Anti-Corruption Compliance?
The UK Bribery Act is a significant double-edged sword – one the one hand, the Serious Fraud Office (SFO) can enforce the strict liability offense of failing to prevent bribery; on the other hand, the putative defendant company can raise the defense that it had “adequate procedures” in place to prevent bribery. All of this begs the question – what exactly will “adequate procedures” look like? Of course, the Ministry of Justice cites its so-called guidance on the issue, but as everyone knows the guidance is not really any guidance at all since it borrows from the US Sentencing Guidelines concepts and is a collection of platitudes or to put it bluntly: a bunch of bones with no meat on them.
A reliable indicator of what the UK enforcers may look at is to examine some earlier enforcement actions. So, lets look at one in 2009 against Aon Ltd.
On 6 January 2009, the U.K. Financial Services Authority (“FSA”) imposed a £5.25 million fine (approximately $7.2 million) on Aon Limited (Aon Corporation’s principal U.K. subsidiary), for failing to implement effective systems and controls for countering bribery risks. The FSA found that Aon’s practices violated Principle 3 of the FSA’s Principles for Businesses, which sets forth a general requirement for FSA-regulated entities to “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”
The FSA determined that limitations in Aon’s pre-existing anti-corruption compliance program contributed to the company making 66 “suspicious” payments between January 2005 and September 2007. Those payments amounted to USD $2.5 million and €3.4 million, and were made to third party representatives who assisted Aon in obtaining or retaining business in various countries presenting high bribery risks (including Bahrain, Bangladesh, Bulgaria, Burma, Indonesia, and Vietnam).
In its decision, the FSA noted that Aon’s controls were either inadequate or had not been fully implemented. The Aon code of conduct had, for instance, contained statements prohibiting Aon employees from offering bribes or excessively generous gifts or entertainment, and Aon had implemented certification requirements for certain managers that included anti-bribery issues. The FSA found, however, that insufficient measures were taken to ensure that those general principles were implemented in the company’s day-to-day global operations.
The FSA noted the following points in particular:
— Aon’s prior due diligence procedures for overseas third-party representatives did not contain an adequate level of scrutiny over potential representatives at the time of the formation of the relationship, or measures for monitoring the practices of those representatives on an ongoing basis. The procedures also did not take into account heightened anti-bribery risks in certain countries where Aon operated.
— Aon had not provided relevant staff with adequate training or written guidance with regard to bribery and corruption risks.
— Aon’s internal compliance and audit functions, and the management committees responsible for oversight of third-party representatives, had failed to adequately monitor whether corruption risks were being managed effectively.
The FSA observed that although codes of conduct and self-certification processes can represent important elements of compliance programs, they “are not of themselves sufficient controls but need to be supplemented by adequate training and written guidance, robust procedures for the authorisation of third party payments and proper monitoring particularly of areas where risks are high.”
The Aon fine represented a 30% discount from the base fine amount cited by the FSA (£7.5 million). The FSA reduced Aon penalty as a result of Aon’s ongoing cooperation with the FSA, its disclosure of suspicious payments to the FSA, and its decision to conduct a thorough investigation of past payments and to implement, on a moving forward basis, what the FSA characterized as “a model of best practices for other firms to adopt.” Those new compliance procedures included, among other measures, (1) stringent restrictions on engaging third party representatives where the representative’s only services to Aon is through introductions to potential clients; (2) global anti-corruption protocols, including specific approval requirements for entering into third-party representative contracts and for paying those representatives (with enhanced controls in high-risk jurisdictions); (3) enhanced risk-based compliance training for Aon staff in a range of company roles; and (4) closer senior management oversight and accountability over the anti-corruption compliance program.
The Aon case underscores important aspects of compliance programs for companies falling under the UK Bribery Act – this is perhaps the best source of “guidance” when it comes to the UK Bribery Act.