UK Serious Fraud Office publishes "refreshed" guidance on evaluating a corporate compliance programme

On 26 November 2025, the UK's Serious Fraud Office (SFO) refreshed its Guidance on Evaluating a Corporate Compliance Programme (the "Guidance"). The key takeaway from the revised Guidance is that the SFO's assessment of a compliance programme's effectiveness is increasingly outcome-based, requiring companies to demonstrate that their paper policies and procedures translate into actual conduct in practice.
For Norwegian companies with operations in the UK, the Guidance provides relevant insight into how the SFO will assess the effectiveness of a compliance programme when investigating and deciding whether to prosecute corporate criminal offences. Given the lack of specific guidance on this topic from Norwegian authorities, however, even Norwegian companies without any connection to the UK may find the SFO's guidance illustrative in implementing or enhancing their corporate compliance programmes.
New vs. old guidance
In brief, the refreshed Guidance explains how a company's compliance programme may impact the SFO's considerations in six specific scenarios:
1. In determining whether to prosecute a company in the first place;
2. In considering whether to offer an offending company a deferred prosecution agreement (DPA);
3. In deciding whether to include compliance terms and/or a monitorship as part of any DPA;
4. In assessing whether an organisation has a defence of 'adequate procedures' under section 7 of the UK Bribery Act (UKBA);
5. In assessing whether an organisation has a defence of 'reasonable procedures' to a charge of failure to prevent fraud under section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA); and
6. In connection with sentencing considerations.
Of these, points 3 and 5 were not included in the original version. The original version was primarily anchored in the six guiding principles set out in the UKBA statutory guidance (the "UKBA Guidance"), being proportionate procedures, top level commitment, risk assessment, due diligence, communication (including training) and monitoring and review. Beyond noting that these principles represented "a good general framework for assessing compliance programmes", the original guidance did little more than quote directly from the UKBA Guidance.
What constitutes an effective compliance programme?
The most relevant part of the refreshed Guidance is contained in its final pages, which set out three FAQs, the first of which is titled "What is the difference between 'adequate' or 'reasonable' procedures and an 'effective compliance programme'?". The SFO thus clearly recognises that this is a question many companies grapple with in assessing their risk exposure and designing compliance programmes. Unfortunately, the Guidance does not actually answer its own question, noting simply that "each compliance programme is different" and that it is critical that a compliance programme is "proportionate, risk-based and regularly reviewed". Organisations with links to the US or France are encouraged to look to (much more detailed) guidance issued by the US Department of Justice or the French Anti-Corruption Agency in determining what constitutes an effective compliance programme.
Readers may not be surprised to learn that the SFO's assessment of whether a compliance programme is effective or not will be "a holistic one, based on the organisation's individual circumstances". More useful is the SFO's express recognition that isolated compliance failures do not inevitably mean that a compliance programme is ineffective. The Guidance notes that the effectiveness of a compliance programme will be judged at two points in time – at the time the offending conduct occurred and at the time of charge/resolution. Any genuinely proactive remedial actions taken in the meantime will also be relevant. Notably, the SFO firmly establishes its outcome-based approach, stating that the fact that an organisation has in place policies, procedures and controls does not necessarily mean that the compliance programme is effective. In that regard, the SFO will "seek to get behind pronouncements" to determine how such policies, procedures and controls translate into actual conduct on the ground. The SFO also notes that it will consider whether organisations have sufficient systems and controls against circumvention.
Conclusion
Although the updated Guidance provides snippets of useful insights in the SFO's own words, it also spends large parts of its 13 pages quoting directly from various guidance documents, including the Corporate Prosecution Guidance, the DPA Code, the UKBA Guidance, the Failure to Prevent Fraud Guidance and the Sentencing Council guidelines. On the failure to prevent bribery and fraud offences, the SFO's insight is limited to summarising that the relevant evaluation is whether the organisation had adequate / reasonable procedures in place to prevent the bribery / fraud (respectively) at the time of the offence.
In practice, international companies with established compliance programmes are unlikely to need to make significant (or any) changes to their compliance programmes as a result of the revised Guidance. The emphasis on substance rather than form, however, is a useful reminder that companies cannot hide behind policies and procedures which look good on paper. Rather, such policies and procedures must be followed by tangible implementation, as well as regular monitoring, review and updates, as necessary.

