Palmina M. Fava is a Partner in the Litigation Department, based in the New York office of Paul Hastings LLP. More on the authors below.
On July 1, 2011, when the UK Bribery Act (the Bribery Act) came into effect, apprehension flooded the business and legal communities. The Bribery Act’s expansive scope, far-reaching application and severe penalties caused it to be dubbed the “toughest anti-corruption legislation in the world” at that time.
That’s because under the Bribery Act: (1) a wide array of conduct can constitute “bribery,” including items of value offered or provided to private persons and not just government officials; (2) any company that conducts business within the UK, regardless of where it is headquartered or incorporated, can be prosecuted; (3) those who violate the Bribery Act face unlimited fines and, potentially, imprisonment for up to 10 years; and (4) Section 7 criminalizes a company’s failure to prevent bribery.
While many companies viewed the Bribery Act with trepidation when it was first released, it took nearly five years before UK authorities investigated and imposed penalties upon companies pursuant to Section 7. By way of background, Section 7 holds companies strictly liable when any “associated persons” violate the Bribery Act, regardless of whether the company’s management knew or should have known about the misconduct. “Associated persons” include any person who performs services for, or on behalf of, the company, including employees, consultants, third-party agents and subsidiaries.
There is no requirement that the associated person be convicted of bribery under the Bribery Act for a company to be liable under Section 7.
The only defense available to a company is a showing that it had “adequate procedures” in place to prevent or detect bribery. For large, multinational corporations operating in an increasingly complex business world, establishing such adequate procedures is no small feat, but the recent spate of prosecutions and resolutions demonstrates ways in which companies can mitigate the risks of liability.
Standard Bank Plc and the SFO’s First-Ever Deferred Prosecution Agreement
In March 2013, Standard Bank Plc (Standard Bank) and its former sister company, Stanbic Bank Tanzania Ltd (Stanbic), were engaged by the Tanzanian government to raise US$600 million in funds for a proposed private placement. Stanbic encountered difficulties in negotiating within the Tanzanian market and sought assistance from a local firm, Enterprise Growth Market Advisors Limited (EGMA).
In exchange for EGMA’s assistance, Stanbic agreed to pay the company a fee of 1 percent of the funds raised. To offset this extra expense, Stanbic and Standard Bank increased the fee charged to the Tanzanian government from 1.4 percent to 2.4 percent of the funds raised.
Standard Bank relied on Stanbic to conduct appropriate due diligence on EGMA and did not separately inquire about EGMA’s role in the transaction or ownership structure. As a consequence, Standard Bank was not aware that two of the three directors and shareholders of EGMA were Tanzanian government officials.
While the US$600 million was raised, the evidence suggests that EGMA provided little to no assistance in exchange for its fee of US$6 million.
Within days of its deposit, the vast majority of the fee was withdrawn in cash. The large withdrawal alerted Stanbic’s staff, who reported the matter to the head office of Standard Bank Group Ltd. Outside counsel was engaged and, within three weeks of the first report—long before the investigation was concluded—Standard Bank informed both the UK Serious and Organised Crime Agency and the UK Serious Fraud Office (SFO) of potential impropriety.
The SFO indicted Standard Bank, alleging that, in contravention of Section 7 of the Bribery Act, Standard Bank failed to prevent Stanbic and others from committing bribery. The indictment against Standard Bank was the first brought by any prosecutor pursuant to the Bribery Act’s corporate offense provisions. It signaled that the SFO was ready to begin testing the boundaries and applicability of those provisions in court.
Nevertheless, after reviewing Standard Bank’s internal reports and conducting its own investigation, the SFO determined that a Deferred Prosecution Agreement (DPA) would best serve the public interest. The DPA was ultimately approved on November 30, 2015. It allows Standard Bank to avoid prosecution provided it complies with the terms of the DPA. The DPA is effective for three years and imposes:
- a fine of US$16.8 million;
- a compensation payment to the government of Tanzania of US$6 million plus interest of over US$1 million;
- US$8.4 million in disgorgement of profits; and
- payment of costs incurred by the SFO.
Standard Bank also has agreed to continue to cooperate fully with the SFO and to be subject to an independent review of its existing anti-bribery and corruption controls, policies and procedures.
While the penalties imposed represent a stringent approach to corporate crime, the terms of the DPA indicate that both the SFO and the judiciary are willing to reward ethical approaches to self-reporting with some leniency. The court emphasized Standard Bank’s early reporting and cooperation with the SFO as reasons for approving the DPA, echoing principles set forth in the DPA Code of Practice.
The court also cited Standard Bank’s cooperation as a factor in reducing the fine imposed against the company by one-third, from US$25.2 million to US$16.8 million.
The Standard Bank DPA marks the first plea agreement of its kind and ushers in a new era of Bribery Act jurisprudence. It provides the first indication of how a DPA can work in practice and has been characterized as a template for future agreements. The DPA also appears to presage a shift from the UK’s traditional focus on individual liability (which attributes guilt to individuals who direct a corporation) to corporate liability (which attributes guilt to the corporation itself for the actions of its directors and officers).
Continued Scrutiny: Brand-Rex and Sweett Group
Brand-Rex Settlement
Shortly before the finalization of the Standard Bank DPA, Scotland’s independent public prosecutor announced that Brand-Rex Limited (“Brand-Rex”) had paid approximately US$310,000 after self-reporting and accepting responsibility for violations of Section 7 of the Bribery Act.
The Brand-Rex settlement arose from an incentive scheme which, on its face, was lawful, but was misused by one of Brand-Rex’s associates. Brand-Rex develops cabling solutions for network infrastructure and industrial applications. Between 2008 and 2012, it offered UK distributors and installers travel rewards for meeting certain sales targets. One of Brand-Rex’s independent installers provided travel tickets he had received through the incentive program to an employee of one of his customers; that employee was able to influence purchasing decisions.
Although it was not directly involved in the improper use of the incentive scheme, Brand-Rex accepted responsibility for its failure to prevent bribery.
In addition to repaying profits earned as a result of the misuse of the incentive scheme, Brand-Rex also agreed to improve its anti-bribery and corruption policies and procedures and to implement an anti-bribery and corruption training program.
Sweett Group’s Conviction
In December 2015, the SFO charged UK construction company Sweett Group Plc (“Sweett Group”) with failure to prevent bribery under Section 7 of the Bribery Act. Shortly thereafter, Sweett Group pled guilty to the bribery offense, marking the SFO’s first conviction under the Bribery Act and further illustrating the SFO’s intent to pursue allegations of a company’s failure to prevent bribery. Sweett Group will be sentenced in the coming weeks, although the SFO has yet to announce the penalties it will seek to impose against the company.
The SFO launched an investigation into Sweett Group’s activities in July 2014, after allegations of corruption involving a United Arab Emirates-based employee were reported in The Wall Street Journal. The company then launched its own internal investigation, which uncovered two related instances of misconduct. These improper activities were reported to the SFO upon their discovery.
The circumstances surrounding Sweett Group’s prosecution differ in certain ways from those in the Brand-Rex and Standard Bank cases.
Whereas both Standard Bank and Brand-Rex launched internal investigations upon discovering evidence of misconduct, it appears that Sweett Group’s investigation was conducted more in response to the claims of misconduct publicized by The Wall Street Journal. However, Sweett Group did take steps to proactively report additional instances of misconduct to the SFO. Given the emphasis that the SFO has placed on early reporting and willingness to cooperate with relevant authorities, it is possible that Sweett Group’s efforts will militate in favor of reduced penalties.
What Companies Can Learn From These Matters
These Section 7 cases make clear that a company’s cooperation with relevant authorities will factor into charging decisions. All three companies—Standard Bank, Brand-Rex and Sweett Group—conducted thorough internal investigations into alleged wrongdoing and promptly self-reported to the appropriate authorities, which factored into charging and resolution decisions. None of these companies, however, successfully avoided penalties by using the adequate procedures defense.
The Adequate Procedures Defense
The Bribery Act specifies that companies with adequate compliance procedures may avoid prosecution or be eligible for prosecution alternatives such as a DPA. As the Joint Guidance issued by the Director of Public Prosecutions and the Director of the SFO in March 2011 made clear, to rely on this defense, a company must demonstrate the “existence of a genuinely proactive and effective corporate compliance programme.”
According to the UK Ministry of Justice’s March 2011 Bribery Act Guidance, a company’s bribery prevention policies should be designed to both mitigate identified risks and prevent future misconduct.
The Guidance suggests that company policies should mandate, inter alia, involvement by senior management, risk assessment procedures such as third-party due diligence, adequate recordkeeping and transparent transactions, controls over business courtesies, mechanisms to ensure reporting, and enforcement of violations.
The recent Section 7 matters suggest that the establishment of adequate procedures is a key factor considered by the SFO when deciding whether to prosecute and when calculating a penalty. For example, in the Standard Bank case, there was “no allegation of knowing participation in an offence of bribery … either against Standard Bank or any of its employees; the offence is limited to an allegation of inadequate systems to prevent associated persons from committing an offence of bribery.”
The Director of the SFO argued that Standard Bank “did not have a realistic prospect” of raising the adequate procedures defense because the Bank’s policies were “unclear” and “not reinforced effectively.” The Director also noted that the Bank “did not undertake enhanced due diligence processes to deal with the presence of any corruption red flags” related to transactions involving government officials, high-risk countries and substantial fees paid to third parties.
Nevertheless, it appears the Director ultimately believed that a DPA was appropriate because it would allow “the court to oblige Standard Bank to enhance its anti-bribery and corruption policies and procedures and how they are practically implemented, and the Bank has agreed to an independent review of its anti-corruption policies, procedures and training.”
In approving the DPA, the court noted “[w]eight is to be given to any corporate compliance programme in place at the time of the offence, at the time of reporting and any improvement that has occurred.” In that regard, the Director of the SFO acknowledged that the Bank had made “significant enhancements” to its compliance program in recent years, specifically noting that the Bank improved in the following ways: “extensive steps [taken] in regard to recruitment, risk classification and due diligence on customers, and a very clear ‘tone from the top’ to remediate the pre-existing failures.”
Key Considerations in Ensuring “Procedures” Are “Adequate”
Based on the recent Section 7 investigations and prosecutions, it is clear that “adequacy” requires examining the company’s risk profile, implementing policies and due diligence processes, monitoring compliance with such policies and investigating red flags that arise in due diligence or during monitoring activities.
Practically speaking, properly assessing risk and monitoring compliance requires a company to collect and review data and, in certain circumstances, perform internal audits or investigations if the risks so warrant. To that end, in designing and implementing policies and procedures, consider the protection afforded to individuals pursuant to data privacy and labor laws, which differ throughout the world.
For example, companies doing business in the UK must comply with the 1998 UK Data Protection Act (UKDPA), which applies to any company located, incorporated or operating in the UK, if data processing occurs because of its UK presence. The UKDPA also applies to companies located outside of the UK and outside any European Economic Area State that use equipment in the UK for processing data.
The UKDPA protects personal data that contains any identifying information related to an individual or forms a part of a set of similar information that, taken together, constitutes identifying information. Personal data may only be “processed”—i.e., collected, reviewed or disclosed to third parties—subject to the UKDPA’s Data Protection Principles.
The Data Protection Principles prohibit processing of data unless the company has the individual’s consent or the processing is necessary to further the “legitimate interests” of the company. Companies must give notice of these “legitimate interests” to the individual whose data is being processed or to the Data Protection Commissioner and must narrowly tailor collection and review to these purposes.
Additionally, companies may not transfer the personal data to countries outside of the European Economic Area unless the recipient country “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” Companies may transfer data outside of the European Economic Area pursuant to a contract that includes model clauses provided by the European Commission that are designed to ensure the data will be transferred with appropriate safeguards in place.
These Data Protection Principles, however, are not without exemptions. Potentially applicable to internal investigations are Section 29, which exempts personal data that is processed for the purposes of “prevention or detection of crime,” and Section 35, which exempts processing of data that is necessary “for the purpose of obtaining legal advice.”
Notably, on December 15, 2015, the European Parliament, Council and Commission reached an agreement on new data protection rules called the General Data Protection Regulation (GDPR). Changes to the European data protection regulations will likely impact the UKDPA.
The GDPR establishes enhanced requirements for the processing and review of data. It mandates that companies adopt “appropriate technical and organizational measures” to ensure compliance, including “minimizing the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing [and] enabling the controller to create and improve security features.”
Additionally, when a company processes data under the “legitimate interests” provision of the UKDPA, the GDPR requires that the company demonstrate that the compelling legitimate interests override the data subject’s individual rights. Where data processing “is likely to result in a high risk for the rights and freedoms of individuals,” companies must carry out an impact assessment to evaluate the “origin, nature, particularity and severity of this risk.”
Conclusion
The recent Section 7 cases portend increased use of the UK Bribery Act by the SFO. As the SFO continues to test its powers, the agency may attempt to stretch the applicability of Section 7 to non-UK companies or to conduct occurring outside of the UK.
Companies should be prepared for such scenarios by assessing and improving existing compliance programs, taking into consideration their risk profile, business realities and the restrictions imposed by other laws applicable to their business operations, including data privacy and labor laws.
Author Biographies
Palmina M. Fava is a Partner in the Litigation Department, based in the New York office of Paul Hastings LLP. She handles internal corporate investigations and risk assessments worldwide, represents companies and individuals in government investigations, drafts and implements comprehensive global compliance programs and conducts due diligence in M&A and investment transactions. She has been listed in Ethisphere’s Attorneys Who Matter List in each of the last four years.
Sunayna Ramdeo and Jeanette Kang are Associates in Paul Hastings’ Litigation Department, based in New York. Their practices similarly focus on investigations, white collar defense, and global compliance matters.