February 11, 2011
In November 2010, the U.K. Ministry of Justice (MoJ) closed the consultation period on the document containing “adequate procedures” guidelines for businesses. The final guidance was expected to be published in January 2011 to allow businesses an adequate familiarization period before the Act commences on April 1, 2011.
The MoJ currently is still working on the guidance to make it practical and comprehensive for businesses. On January 31, 2011, the MoJ indicated that it would not be able to meet its self- imposed January deadline to release the updated guidance. The MoJ did, however, confirm that when the guidance is published, it would be followed by a three-month notice period before implementation of the Bribery Act. As a result, it has been widely reported that the Act will not come into force until May 2011 at the earliest.
Despite this delay, Protiviti advises companies against delaying preparations for the Act. While further guidance is expected in a number of areas, in particular in relation to corporate hospitality, the key provisions of the Act are not expected to change. It likely will take companies much longer than they expect to define and implement adequate procedures. Defining policies and preparing guidance is only a small part of a comprehensive program. In our experience, many companies will require significantly more than the three-month notice period to roll out and embed a complete set of guidance on a global basis effectively.
The guidelines as they currently stand are not prescriptive and give only a high-level outline of the procedures that companies should put in place. They follow the general principles that the Serious Fraud Office indicated they would expect companies to have in place when deciding whether a company has an adequate defense to allegations of bribery. The guidance sets out six principles that should be considered when assessing the adequacy of procedures for bribery prevention. These are reproduced below.
Six Principles for Bribery Prevention
- Risk Assessment – The business should know and maintain an up-to-date assessment of the bribery risks that are faced in its sector and market.
- Top-Level Commitment – The business should establish a culture across the organization in which bribery is unacceptable. If the business is small or medium-sized, this may not require much sophistication. It is, however, important to make sure the message is clear, unambiguous and reinforced to staff and business partners on a regular basis.
- Due Diligence – The business should know who it does business with; know why, when and to whom it is releasing funds and seeking reciprocal anti-bribery agreements; and be in a position to feel confident that business relationships are transparent and ethical.
- Clear, Practical and Accessible Policies and Procedures – The business should establish an effective set of policies and procedures. These should be applied to everyone it employs and also to business partners under its effective control. The policies should cover all relevant risks, such as political and charitable contributions, gifts and hospitality, promotional expenses, and responding to demands for facilitation payments or when an allegation of bribery comes to light.
- Effective Implementation – This is about going beyond “paper compliance” to embedding anti-bribery in the organization’s internal controls, recruitment and remuneration policies, operations, communications, and training on practical business issues.
- Monitoring and Review – This relates to auditing and financial controls that are sensitive to bribery and are transparent, considering how regularly the organization needs to review its policies and procedures, and whether external verification would help.
The MoJ has provided commentary on these principles but, to date, has offered no specific solutions to the scenarios contained in the document, many of which could typify the situations encountered by businesses, particularly those operating in areas prone to corruption.
The New Offenses
Following is a high-level summary of the four categories of offenses contained in the Bribery Act. Crucial is the new corporate offense which can be committed by a company (or partnership) if an associated person performing services on its behalf bribes another person in order to obtain or retain either business or a business advantage for the company.
- Bribing another person
It will be an offense to offer, promise or give an “advantage” to someone:
- With the intention of inducing that person to behave improperly;
- As a reward for that person to behave improperly; and
- Knowing or believing that the recipient’s acceptance of the “advantage” would constitute improper behavior.
- Being bribed (as the recipient of the bribe)
It will be an offense for a person to receive a bribe if that person requests, agrees to or receives an “advantage” to act in an improper manner. It does not matter whether the recipient receives or accepts the advantage directly or through a third party or whether it is for the recipient’s benefit or that of another. It also does not matter, in most cases, whether the recipient even knows his or her acceptance constitutes a bribe.
- Bribing a foreign public official
It will be an offense to bribe a foreign public official by offering an “advantage” to the official, which is not permitted or required by the written law applicable to that official, with the intention of obtaining or retaining a business advantage. Unlike the above offenses, there is no requirement that the advantage offered or given was “improper.”
- Failure to prevent bribery
A company or partnership will be automatically liable for any bribe offered or given in connection with its business unless it can effectively demonstrate that it has in place adequate procedures designed to prevent such bribery.
Meaning of “An Associated Person”
The Act does not clarify in detail the concept of “an associated person.” The definition reported within the Act states that a person is associated with an organization if he/she performs services on its behalf. As it is currently worded, “an associated person” could be interpreted as an employee, agent, intermediary or even an introducer. It is, again, left to the courts to define the concept of “an associated person.” As stated in the Act, the courts should take into account “all the relevant circumstances” and not just the nature of the relationship between the parties.
The Bribery Act is far reaching. The new corporate offenses apply to any U.K.-incorporated entity and any overseas entity that carries on a business or part of a business in the United Kingdom. No official interpretation is provided by the U.K government to define the concept of “part of a business.” It will be left to the courts to interpret this concept.
The Bribery Act Reaches Beyond the Scope of the FCPA
U.K. companies that are aware of, or comply with, the U.S. Foreign Corrupt Practices Act (FCPA) should bear in mind that the provisions of the Bribery Act are not the same and the penalties for violation of the latter are more severe. The Bribery Act is significantly broader than the FCPA, and features stricter scrutiny and enhanced criminal penalties. It is important to note that U.S. companies with U.K. offices will be responsible for complying not only with the FCPA, but also with the Bribery Act. Consequently, U.S. companies will need to revise their FCPA compliance programs to take into account the U.K. Bribery Act provisions.
Following are the key differences between the Bribery Act and the FCPA:
- The FCPA focuses on anti-corruption of foreign governmental officials, whereas the Bribery Act also covers nongovernmental officials (i.e., private citizens). The Bribery Act makes any bribery illegal – not just the bribing of a foreign government official (or the attempt thereof).
- In addition to making illegal the actual or attempted bribery of private individuals and public officials, the Bribery Act also makes the receipt of bribes illegal. The FCPA contains no such provision.
- Unlike the FCPA, the Bribery Act does not have a facilitation payments defense. Under the Act, certain types of corporate hospitality are prohibited if they are “intended to subvert the duties of good faith or impartiality that the recipient owes his or her employer.”
- The FCPA has no strict liability on the company either written directly into the statute or interpreted by judicial review. The Bribery Act creates a new strict liability of corporate offense for the failure of a corporate official to prevent bribery. Under the Bribery Act, a company will be liable if anyone acting under its authority commits a bribery offense, including employees, agents, subsidiaries, joint venture partners and consultants. The only satisfactory defense is where a company has adequate procedures in place to prevent bribery offenses.
- The FCPA has criminal penalties of five years per offense. Companies may be fined up to $2 million per violation, while individuals may be fined up to $100,000 per violation and/or receive up to five years in prison. Fines may be higher under the Alternative Fines Act. Also, it is important to note that companies may not pay fines on behalf of an employee. The Bribery Act has penalties of up to 10 years per offense and unlimited fines for companies accused of bribery that do not have “adequate procedures” in place.
- The FCPA requires that the company’s books and records provide reasonable detail so that transactions and disposition of assets are reflected accurately and fairly. A “reasonableness” standard, rather than a materiality standard, is applied. This means that if bribes and kickbacks have been made, there ought to be accurate records to reflect this. The Bribery Act has no equivalent provision (except insofar as companies are required to maintain accounts in accordance with the U.K.’s Companies Act 2006).
Frequently Asked Questions About the Bribery Act
Is my company at risk if I offer corporate hospitality to clients and prospective clients?
The Act is not designed to criminalize routine corporate hospitality. The Act states that if a person is induced to act improperly as a result of a reward, this will constitute an offense. Companies will need to take care going forward to ensure that any corporate hospitality can be justified. Consideration should be given not only to the cost when compared to other clients or competitors, but also the timing. In the case of foreign public officials, the element of impropriety does not have to be established and great care should be exercised.
It may not be appropriate to offer entertainment to a procurement panel member ahead of a tender award where, as a result of such entertainment, the panel member might exhibit conduct that falls short of a reasonable person’s expectation of good faith, impartiality or trust.
What types of benefits might be considered a bribe?
Under the Act, a bribe is any benefit offered, promised or given as a reward for that person to behave improperly, knowing or believing that the recipient’s acceptance of the “advantage” would constitute improper behavior. A number of areas have been identified during the consultation as areas that companies should look at carefully. These include:
- Corporate hospitality: Offers of hospitality to prospects, targets or clients
- Gifts: Gifts paid to employees of a third-party organization in recognition of the business that it has provided you
- Facilitation payments: Payments made to an individual to encourage a transaction to be given preferential treatment or to be “fast tracked”
- Commission: Payment of commission to brokers that are expected to act independently and in the interests of their customers
- Reward schemes: Rewards offered to sales representatives to encourage them to favor one product over another product
- Offset arrangements: Provision of additional services (outside of the contract) as an incentive to win the contract
Particular care should be taken when a benefit is offered to an individual rather than to a company or organization. It is not unusual for companies to offer benefits to individuals as a means of thanking them for directing business to you. There is a risk associated with hospitality, gifts, commissions and other reward schemes as these are typically directed to an individual and not the organization that provided you with the work. By comparison, a volume discount built into your standard terms is a means of rewarding a company for directing you a large amount of work.
The standard applied by the courts would be based on the improper performance test. As such, consideration would be given to whether the act represents conduct falling short of a reasonable person’s expectation of good faith, impartiality or trust. It should be noted that this is the standard of a reasonable person in the United Kingdom (to avoid confusion with what someone working in the industry or in a less-regulated environment overseas might expect). Local practices or customs should not be taken into account unless permitted by written local law.
What if I do nothing (this is not a compliance requirement)?
The Act applies to everyone including business entities of all types. “Adequate procedures” are not prescriptive and Transparency International has already stated that “… a company’s anti- bribery programme is more likely to be regarded as constituting ‘adequate procedures’ if it is based on good practice rather than an approach that solely uses compliance with laws to determine the structure of the programme …”. Any company is at risk if it becomes subject to an allegation of bribery and does not have appropriate measures in place to prevent bribery.
How will prosecutors determine whether they will take action against those involved in bribery?
There are a number of factors that will determine whether a case is prosecuted in the criminal courts, but in general the key factors will be based on a reasonable prospect of securing a criminal conviction and whether it is in the public interest to pursue a prosecution.
A company that does not have “adequate procedures” in place is more likely to face prosecution if an incident of bribery is identified within the business or through a third party acting on its behalf.
Our controls are FCPA compliant. Is this enough?
No. The Bribery Act has a far greater reach than the FCPA, and FCPA compliance does not go far enough to provide a defense for offenses created under the Bribery Act. FCPA compliance may provide a foundation on which to build the additional controls needed to fulfill the Bribery Act’s adequate procedures guidelines, but it will be necessary to enhance and improve many aspects of controls to reduce the additional risks.
Have industry representatives expressed any concerns about the Act and “adequate procedures” guidelines during the consultation process?
Yes. Some of the key comments include:
- Concerns over the lack of clarity as to what constitutes acceptable levels of corporate hospitality and corporate gifts.
- Concerns over lack of clarity on whether the Bribery Act applies equally to government bodies operating in the United Kingdom and overseas.
- Concerns that failure to include the impropriety element when dealing with foreign public officials could criminalize legitimate business activities, such as promotional expenditure and proportionate use of corporate hospitality.
- Concerns over the conflict between the FCPA, which allows facilitation payments under certain conditions, and the Bribery Act, which does not.
- Concerns that the term “associated persons” is too broad and has not been defined properly. As it stands, businesses could face criminal liability from the actions of many “associated persons” over which they have no effective control.
- Concerns as to whether a U.K. company can be expected to change behavior of employees in a country where local customs differ significantly from the United Kingdom.
It has been suggested that the adequate procedures guidelines should be updated to provide greater clarity regarding risk-based approaches. Commentators believe this is important to allow a company’s response to the Bribery Act to be reasonable and proportionate to the bribery and corruption risks it faces.
How do I implement “adequate procedures”?
There is no official guidance on how to implement adequate procedures. The guidance issued by the MoJ provides a general overview of what procedures companies should adopt but does not state in detail the process that they need to follow.
Below is a roadmap to compliance suggested by Protiviti, followed by a detailed review of each step.
1. Perform a Risk Assessment
The objective of the risk assessment is to understand the key risk drivers. This will enable the business to focus its efforts on the areas of highest risk to the organization. Key factors that will need to be considered during the risk assessment include: nature of the transactions, rewards and remuneration, geography, cultural norms and common practices, third-party relationships, and perceived level of control. A company would typically perform this risk assessment at two levels. The initial risk assessment would typically be a relatively high-level assessment to analyze the business, considering the factors outlined above, to identify the business activities that are most susceptible to bribery.
A more in-depth analysis would then be performed of the highest-risk areas to determine the specific risk events that the business needs to control to reduce the risk of bribery to an acceptable level. The definition of acceptable level of risk varies from company to company and reflects the risk appetite of the organization.
2. Review Internal Policies and Procedures/Define Key Actions
The second stage in the roadmap to compliance is the review of internal policies and procedures. The objective of this stage is to assess how significant risk events are being managed within the current internal control framework. This process will also enable the company to validate assumptions made when conducting the risk assessment.
This review process would be targeted at the highest-risk areas identified in phase one. A review would typically consider internal processes, guidelines, policies and procedures, and will determine if the company is effectively managing the key risks identified by the risk assessment.
Our approach utilizes Protiviti’s six elements of infrastructure. These are the key attributes that we believe a business needs to establish to effectively manage risk. In particular, the business will need to consider:
3. Define Compliance and Education/Awareness Programs
One of the most critical steps that will ultimately determine the success or failure of the project is the communication and awareness program.
The awareness program aims to improve awareness among employees of the key policies and create an environment in which these policies are respected. When establishing an effective awareness program, senior management should consider the following:
• Singular honed message that speaks directly to the employees
• Creative design of all print materials, which will serve as an image to ensure that the message is correctly perceived by the employees
• Strategic placement of all pieces to ensure the broadest visibility for employees (and where applicable key partners), regardless of location
• Reinforcement of the message through regular training
• Repetition of themes, ideas and structure in order to drive cultural change
• The message and its content must be relevant to the audience with whom the company is trying to communicate.
4. Establish Ongoing Monitoring and Response Process
Defining policies and ensuring effective communication of these policies will not be sufficient to reduce risk to an acceptable level. The business will also place reliance on controls embedded into critical business processes to reduce the risk of potential bribery events.
Furthermore, the business will need to establish processes to detect possible bribery and to take action.
Key risks, events and controls identified via the risk assessment should be captured in a risk control matrix (RCM). Risks and controls that are already covered by other compliance and/or assurance programs should be cross-referenced to the relevant RCMs (if already in place) to avoid duplication of effort.
It is not sufficient simply to document the controls. Management also needs to put in place procedures to ensure that the controls are operating as documented. For each key control captured in the RCM, an assurance strategy needs to be defined to assess the operating effectiveness of the key anti-bribery controls.
Where possible, any testing performed should be integrated with existing assurance work performed by Internal Audit. This will also help to avoid any duplication of effort.
An incident response plan will also need to be prepared that defines how the business will respond if evidence of potential bribery is detected.
When should I start to ensure adherence with “adequate procedures”?
The Bribery Act 2010 was due to come into force on April 1, 2011. Given the recent delay in the release of the updated guidance and the statement by the MoJ that when the guidance is published it will be followed by a three-month notice period before implementation of the Bribery Act, it is now anticipated that the Act will not come into force until May 2011 at the earliest.
Protiviti would, however, advise companies against delaying preparations for the Act. While further guidance is expected in a number of areas, in particular in relation to corporate hospitality, the key provisions of the Act are not expected to change. It takes companies much longer than they expect to define and implement adequate procedures. Defining policies and preparing guidance is only a small part of a comprehensive program. In our experience, many companies will require significantly more than three months’ notice to effectively roll out and embed a complete set of guidance on a global basis.
Companies should now be evaluating their existing policies, controls and training requirements and undertaking a risk assessment to determine where their key risks are likely to occur.
How Can Protiviti Assist?