1 Aug 2012
The UK Bribery Act came into force in July 2011 and as a result, the UK now has one of the toughest anti-bribery regimes in the world. The act covers all bribery, not just that of public officials, and includes the offence of requesting, agreeing or receiving a bribe and also a new corporate offence of failure to prevent bribery.
The introduction of a new offence for corporates ‘failing to prevent bribery’ is the most significant departure from previous legislation, and a company will commit the offence if an ‘associated person’ performing services on its behalf bribes another person for business advantage. In this instance, as the only defence available to the company is that it had ‘adequate procedures’ in place designed to prevent bribery, organisations need to ensure that their risks are properly assessed and appropriate procedures are put in place.
The Ministry of Justice (MOJ) guidance of March 2011 detailed six principles to assist organisations in considering and putting in place the necessary ‘adequate procedures’ and the guidance addressed many of the areas of concern voiced by the business community during the consultation period. These included:
– issues concerning both corporate hospitality and entertainment;
– obligations of businesses to properly assess and manage bribery risks within their organisations; and
– treatment of joint ventures and subsidiaries in the context of the actions of ‘associated persons’.
Assessing and managing bribery risk
A key part of the ‘adequate procedures’ defence centres around the ability to properly manage the bribery risks within an organisation, which can only be done once companies have properly assessed their risk exposure and determined the form and scope of the procedures required to mitigate their risks. A robust risk assessment needs to consider, and include, a number of differing factors, specifically:
– locations the organisation operates in;
– the extent of business conducted with government or other public officials;
– the volume and nature of business conducted through agents and other third parties; and
– sales processes where business entertainment is a significant element of winning business.
To consider these factors fully the risk assessment not only needs to have the backing of senior management within the organisation, but also requires significant data input and management information from the locations and businesses within the organisation. Centralised ‘ivory tower’ risk assessments that do not involve receiving input from key management in higher risk geographies will no doubt fail to identify and highlight the corruption risks that need to be managed.
In their thematic review of investment banks (published in March 2012) the FSA was highly critical of the anti-bribery and corruption compliance in place at the institutions they reviewed. The review highlighted, among other issues, that there was a lack of management information around anti-bribery and corruption, and that the anti-bribery and corruption risk assessments were below the expected standard. While this review was focused on investment banks, it is likely that this issue would equally apply to other market segments and the report should be seen as a call for senior management teams to generally ensure that their risk assessment procedures have been robust and are meaningful.
Actions of associated persons
During the bribery risk assessment, management will need to consider the use of, and actions of, ‘associated persons’ who act on their behalf. In relation to this, the MOJ guidance states that companies should apply ‘due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.’ This principle highlights the need for companies to identify and understand the background, activities and reputation of a wide range of ‘associated parties’ (such as representatives, agents, joint ventures, business partners, key employees, key members of a supply chain and merger or acquisition targets) both prior to entering into a relationship with them and, where relevant, on an ongoing basis.
Despite case study six of the MOJ guidance describing ‘undertaking research, including internet searches, of the prospective agents and, if a corporate body, of every person identified as having a degree of control over its affairs’ as a key element of this due diligence, many companies are still putting in place the requisite resources (either internal or external) to conduct required research on their prospective and existing associated parties, and have yet to tackle the challenge of completing new or retrospective due diligence checks on what could, for some companies, amount to literally hundreds of entities or individuals.
The challenges faced
This task presents a challenge to many companies, not least because conducting the research required can be complex and operationally demanding, particularly where large numbers of associated parties need to be checked, the associated parties are located in countries where public record information is inaccessible or unreliable (which can be an issue in countries subject to heightened corruption risks) and information is only available in the local language. The situation is further complicated by the fact that staff involved in either commissioning or completing the checks need adequate training so that they understand the accessibility, availability and reliability of information in higher risk jurisdictions and common red flags that can be identified by the process.
Companies also need to determine the issues of relevance to be addressed by the due diligence and whether, in line with principle four’s guidance that a proportionate and risk-based approach should be utilised, a tiered approach may be more appropriate. A tiered approach might typically comprise two or three different levels of checks depending on the level of risk attached to an associated party (due to a range of factors, including the level of risk associated with the sector and jurisdiction in which they operate, or the nature or size of the relationship with them). Where the associated party is a company, however, the issues addressed might typically include:
– the identity of the company (registration details, ownership and management);
– background activities, track record in the services to be provided and reputation;
– official or political connections of a company and its principals;
– involvement in ‘red flag’ issues (including bribery and corruption); and
– existence on relevant sanctions lists.
With the UK Bribery Act in its second year, management teams should ensure that they are not closed to the risks that bribery and a potential prosecution under the new Act might mean for their business.