Bribery Act: When are 'adequate procedures' adequate enough?

Love it or loathe it, the Bribery Act 2010 has put anti-corruption compliance on the boardroom agenda like nothing has done before.

When the Act was introduced into the UK in 2011, the most significant change to the pre-existing law was the establishment of the corporate offence of failing to prevent bribery. An organisation is now liable to prosecution if an associated person (who performs services for or on behalf of the company) bribes another, intending to obtain or retain business or an advantage in the conduct of business for that organisation.

Significantly, where organisations can prove that they have 'adequate procedures' in place designed to prevent such unlawful conduct, a full defence is available. But five years on, the question remains - how can a company ensure its 'adequate procedures' are adequate? What has become clear is that this is far more than just a 'box-ticking' exercise.

No one can doubt that the Act (and, in particular, the threat of the corporate offence) has had a huge impact on how bribery and corruption compliance is now viewed by most companies that carry on any of their business in the UK. Indeed, it is now common practice for companies to assess their high-risk areas and develop a myriad of procedures and processes to mitigate their risks as far as possible, and ensure 'adequate procedures' are in place.

Wide jurisdictional reach

Compliance with the Bribery Act has not only impacted those companies that operate in the UK. The jurisdictional reach is extremely wide. But even businesses which are strictly beyond that reach can no longer easily work with those that are within it. Due to the sometimes extensive due diligence carried out on third parties by UK companies, the Act has significantly affected how overseas companies now view their own bribery risk profile.

There has been a particular focus on third-party companies that act as agents or introducers for businesses and on foreign public officials, where the risk of bribery and corruption is arguably at its greatest. The impact of the corporate offence of the failure to prevent bribery (and the potential defence of adequate procedures) is viewed as very significant in achieving better compliance practices.

Limited judicial interpretation

But how has the defence of 'adequate procedures' been tested so far, and what does it mean to say procedures are 'adequate'? Given that the Ministry of Justice's guidance is just that (guidance), the law can only be developed by way of case law or legislative intervention.

The recent case of Sweett Group plc, the first company to be sentenced and convicted for the corporate offence, in February 2016, did not take the analysis of adequate procedures any further, since Sweett pleaded guilty and did not try to avail itself of the defence.

Fortunately, the long-awaited first deferred prosecution agreement (DPA) with Standard Bank plc at the end of 2015 provided judicial consideration (albeit limited) of the meaning of adequate procedures. Lord Justice Leveson found that there was no allegation of knowing participation in an offence of bribery by Standard Bank or its employees: the offence was limited to an allegation of inadequate systems to prevent associated persons from committing an offence of bribery. The applicable policy was found to be unclear and was not reinforced effectively to the Standard Bank deal team. In addition, the training for Standard Bank did not provide sufficient guidance where a different Standard Bank entity engaged an introducer or consultant.

Corporate culture

The DPA judgments highlight the importance of not just having anti-bribery policies and procedures in place, but also ensuring that employees understand those policies and procedures and what those policies are trying to achieve. The DPA also highlights the importance of understanding the various risks in different business transactions - a 'one size fits all' approach is not appropriate when it comes to tailoring 'adequate procedures'.

As the Serious Fraud Office (SFO)'s Ben Morgan commented in December 2015: 'Where the risks and red flags are prevalent, it seems to me no amount of just sticking to a policy is going to be adequate, in the final reckoning. What is really needed is a culture in which people are able to spot what is in front of them, and react to it.'

The Standard Bank DPA (and the commentary by the SFO) has gone some way to re-emphasise that identifying the relevant risks and putting in place 'adequate procedures' is not just a 'box-ticking' exercise: there needs to be a clear understanding within every organisation of the purpose that such policies and procedures are intended to achieve.

The law is yet to be stress-tested. In the meantime, it is important to remember that the purpose of establishing 'adequate procedures' should not merely be to enable defence arguments to be run. Adequate anti-bribery procedures are an essential part of the overarching ethics policy of every company. If the right corporate culture exists, and if there is a genuine desire to stamp out poor behaviour, then it is more likely that the procedures will be 'adequate'. Without such a culture, no written policy document or ethics statement will suffice.

Jonathan Pickworth is a partner, Deborah Williams a professional support lawyer, and Rebecca Findlay an associate in the white collar team at White & Case

@WhiteCase