Mishcon Investigates from Mishcon de Reya. Conversations and insight into some of the biggest issues, challenges and cases in the world of investigations.
Welcome to the third episode of Mishcon Investigates. My name is Joanna Walsh and I am a Partner in the White Collar Crime and Investigations Team at Mishcon de Reya. In this episode I am joined by my colleague Christopher Gribbin and we will be talking about financial crime risks and the systems and controls that can be put in place to mitigate those risks. We will be drawing on our direct experience of internal investigations linked to financial crime and the way in which problems can develop within organisations that have not put in place the necessary systems and controls.
Yes, we are going to look at, first, what systems and controls one might expect to see and how that has changed in recent years, including how failings can invite enforcement action. Secondly, how to put those systems and controls into place and conduct effective risk assessments in this context. And finally, we will be briefly looking at the greatest area of risk for many companies, third party relationships. But to begin, Jo, how has financial crime compliance developed, in your experience, in recent years?
Well, it’s a concept that has been important in the last ten years, since the introduction of the Bribery Act and in particular the Section 7 offence which is the criminal offence of failure by a commercial organisation to prevent bribery. That failure to prevent offence has spun off two new corporate offences of failing to prevent UK tax evasion and also failing to prevent overseas tax evasion and it’s looking increasingly likely that we will see the introduction of a further failure to prevent offence in the next year or so, which is one that would relate to a failure to prevent additional economic crime, such as fraud and false accounting.
The introduction of the failure to prevent offences was particularly interesting from a systems and controls perspective because they came with the compliance based defences of having adequate or reasonable procedures in place which are designed to prevent the particular misconduct in question. I am thinking particularly of the introduction of the Section 7 offence in July 2011, that incentivised many companies to overhaul their compliance programmes in order to introduce adequate procedures, aimed at preventing bribery and based on the Ministry of Justice’s guidance and six core principles about what constitutes adequate, and those were proportionality, top level commitment, risk assessment, due diligence, communication and monitoring and review. And then just one more word on the development of financial crime compliance, fairly soon after the Bribery Act came into force, we saw the introduction of Deferred Prosecution Agreements in the UK and these are US style negotiator settlements of criminal conduct, which are available only to corporates. We’ve had 12 DPAs so far, which have been agreed between the Serious Fraud Office and a variety of well known and less well known corporates for a range of bribery, fraud and false accounting offences.
Okay and when we talk about procedures, adequate reasonable procedures and systems and controls, how should companies go about evaluating what they have got in place already?
Well that’s a great question actually because it can be difficult to know where to start. When advising companies, I often suggest that they look at the US Department of Justice Criminal Division guidance which sets out how they will measure the effectiveness of a compliance programme in the event that a key issue arises and they will ask themselves three key questions which I think sum up the components of an effective compliance framework and which are actually very useful for legal and compliance teams to ask themselves when they are taking stock of what they already have in place.
So the first question is whether or not the programme is well designed and in looking at that, the DOJ will consider the quality of a company’s risk assessment, its policies and procedures and its training and communication. They will look at the existence and effectiveness of a confidential reporting mechanism, the application of risk based due diligence to third party relationships and where it’s relevant, they will also look at whether there are appropriate procedures to address mergers and acquisitions risk in place.
The next thing that they’ll ask themselves, the second question, is whether or not the compliance programme is being applied earnestly and in good faith, and in doing this, this will look at whether it’s well resourced and empowered to function effectively. So, this will often entail a review of senior and middle management commitment and oversight, whether the compliance function can operate autonomously and with suitable resources and also a comparison of the seniority and stature of the compliance function with other strategic functions within the company.
And finally they will look at the existence of incentives for compliance and also disincentives for non-compliance, such as clawbacks. And the last question they’ll ask themselves is whether or not the compliance programme works in practice and in answering this question, the DOJ will assess whether the programme is periodically tested, whether it’s being reviewed and improved and that will include how the organisation measures its compliance culture. It will also evaluate a company’s investigation structure and assess its ability to conduct a root cause analysis of misconduct and whether those root causes have been remedied in an appropriate and timely manner. And I touched on risk assessment in that and that’s something the DOJ will consider but how do risk assessments come into this, Chris, why are they so important?
Well, yeah, it builds on what you have been talking about there really, about the DOJ’s approach to it. Risk assessments are important because the presence or otherwise of an informed and well documented risk assessment in this area, is a recurring theme in corporate settlements in financial crime cases, where we see organisations that have repeatedly often failed to evaluate risk and to record that evaluation and to act on the results because as recently as May this year, the Financial Conduct Authority wrote one of the Dear CO letters in which they focused on common control failures that they see and anti-money laundering frameworks in the regulated sector and failures in risk assessment were near the top of that list and it’s just worth looking at what they found, with the sort of common failings in this area which are an absence of or poor quality, business-wide risk assessments, so taking a sort of narrow, siloed approach rather than a holistic look.
There was often, they found, insufficient detail on any financial crime risks to which the business was exposed, so sort of just the generic assessment. In some cases, they found that firms had taken steps to consider and document the risks but had not evidenced that assessment or the strength of the mitigating controls that they had put in place and in respect of international firms, they found that although there may have been group level risk assessments, they were not country specific risk assessments. So, is it interesting to look at what the FCA thought were some of the more common failings and to consider how that may be instructive for organisations or organisations you might advise, that want to conduct their own risk assessments because there is no overarching definition of risk assessment? In a financial crime and compliance perspective, at its simplest, what we would be talking about is an audit of the day-to-day operations of that business in order to identify areas of potential vulnerability to financial crime and/or regulatory non-compliance. They are the sort of first step in providing a foundation for effective corporate compliance programmes and it stands to reason that the fuller one’s understanding of the risks inherent within a business, the more effective your efforts may be at preventing non-compliance. The reason that they are so important is partly that but also because not doing them is, in some cases, not really a viable option. Not engaging is perhaps the highest risk path of all and I am thinking of a failure to prevent offences under the Bribery Act or the Criminal Finances Act, where the defence the corporate may wish to rely on, relies on having those adequate procedures or money laundering regulations where there is an active obligation. So, that’s why risk assessments are important but in terms of how one assesses financial crime risks, what are the key principles, Jo that should be looked for there?
Well, I think there are three that are the most important. The first one is proportionality. Organisations need to consider the nature, scale and complexity of their business so, for example, to take an obvious one, if you have no international exposure, you won’t need to consider the risk of bribing a foreign public official.
The next one is a tailored consideration of risks so, this is connected to proportionality but there are various types of risks that organisations ought to be thinking about and it’s very important that they focus on the inherent risks in doing this and they try to avoid any preconceptions or assumptions about the effectiveness of any particular controls already in place as that could impede it and effective risk assessment and so the particular areas of risk that I have in mind are country risks so the types of jurisdiction that organisations are operating in, are they ones with a high level of corruption with a poor history of human or employment rights, so that the Modern Slavery Act might be engaged. There’s sectoral risk, whether or not the nature of the business that the organisation is carrying on, carries any particular vulnerabilities, transactional risk, looking at the particular deal in question and whether that carries any specific risk and also business partnership risk and whether or not, you know, there’s an intermediary or a subcontractor in place such that there is a higher risk of bribery and just to add to that, of the twelve differed prosecution agreements that have taken place, nine of them have involved bribery offences and eight of those have involved intermediary relationships.
The next thing that you need to look at is employee training and whether or not your employees are adequately equipped to identify compliance issues, if there is a greater need for investment in staff for training and going back to bonus culture, which I touched on when I set out what the DOJ are interested in. Does your business reward risk taking behaviour? Are there target driven bonuses in place that might encourage employees to disregard compliance risks? And then gifts and hospitality is a key feature of many anti-bribery policies and hospitality and promotional expenditure that’s reasonable, proportionate and made in good faith, shouldn’t present a problem but organisations should keep in mind the four guiding principles, which is the intention of the gift, so what is the intention behind the gift or hospitality? The timing. When is the gift or hospitality made? So, a gift at the conclusion of a contract is likely to be more appropriate than during the tender process. Transparency. Is the gift or hospitality open and transparent or employees required to declare and record gifts? And self-awareness. You have to advise employees to think about how a gift might look if it was made public. It’s the usual ‘How would it look on the front page of the Daily Mail?’ test.
And then the final principle is management oversight and this really is something that runs across all effective systems and controls and that is the tone from the top, there has to be a clear and demonstrable commitment to the risk assessment process at the most senior level within the company and that includes setting aside adequate resources both in terms of time and also personnel to properly review and improve the risk assessment process. So, I touched on business partnership risk there, Chris and obviously third parties aren’t by definition within the control of an organisation. What kind of risks arise when it comes to third parties and how can they be addressed?
Yeah, the risks with third parties is really interesting actually because we have historically dealt with the legal risks which, we’ve touched on a bit in this talk already so, the Bribery Act is sort of the standout offence, Section 7, where a company and potentially its directors, may be guilty if a person associated with the organisation bribes another person, anywhere in the world with the intention of obtaining or retaining business for the organisation, or an advantage in the conduct of business for the organisation.
Now, associated, is the key term there and it is defined to mean anyone performing services for or on behalf of you, as in the organisation, so the supply chain risk there is obviously huge and I’m thinking of inflated invoices, facilitation payments or payments to secure contracts or access. They are all examples of corrupt payments that may be made by somebody associated with the business and the trigger of Section 7 liability and the same test of somebody associated with a company is applied in the Criminal Finances Act where somebody associated with the company facilitates the evasion of tax anywhere in the world, creating liability for a company in that context and with both of those offences, one had a potential defence of having adequate or reasonable procedures but the point is that once you are dealing with third parties, it’s much easier to see how those risks can come about and we see the same thing with money laundering, the Proceeds of Crime Act, Modern Slavery Act touches on it as well and there are other sort of health and safety pieces of legislation.
So, they’re the legal risks which we sort of historically focussed on but increasingly we are seeing a focus on reputational risks, which is the sort of broader and rapidly evolving concept where organisations want to get ahead of this strict legal provision of black letter law, compliance in a narrow sense of the word, and instead develop best practice and define their own standards to a higher standard and that’s driven partly because it’s the direction of travel, legally, in that there’s going to be more legislation requiring that sort of approach and I’m thinking, for example, of the Environment Bill which is, as we speak, going through Parliament and will introduce a new, or should introduce a new due diligence requirement which is designed to tackle deforestation whereby any corporate dealing in, and then term is ‘forest risk commodities,’ will have an obligation to take steps to ensure that the product that they are dealing in, was produced in compliance with local laws so, the idea being to preclude products coming to market in the UK which is a product of deforestation and this sort of legislation seems likely to grow in volume and has already, we’ve seen it, across Europe, the French Government has introduced legislation that requires larger companies to undertake due diligence to ensure that their supply chains are free of human rights abuses.
Germany has done similar but it is also, in addition with it being the direction of travel, sort of really a recognition of a broader cultural shift, both by consumers who may be more anxious about these sort of issues and seeking to direct their spending accordingly, and also investors and the concept of ESG, Environmental, Social and Governance concerns, they are increasingly a red line of sorts for investors, certainly institutional investors in many cases and the reality is that companies are therefore taking these issues seriously for that reason also. So, the reputational side of things don’t necessarily carry a strict legal risk but they are increasingly being dealt with as seriously so, we see corporates wanting to consider human rights audits, for example, throughout their supply chains. From the perspective of how to deal with those risks, the good news is that for both reputational and legal risks, the fundamental mitigation steps that are appropriate are broadly the same. Now, the precise position will obviously need amending to deal with the precise risks but generally, there are a few key principles and the first really goes back to what we’ve already spoken about with risk assessments that the first step is to step back and to consider what risk a supply chain arrangement presents and that’s a matter, almost always, of at least identifying the third parties in that supply chain in so far as possible and then gathering information about those third parties in the supply chain. How much information is ultimately a question of fact to be determined by what’s proportionate, but it may be public domain information or gathering knowledge from within your organisation or it could be going direct to the third party with a questionnaire, for example, the sort of questions one would be looking to bottom out are whether or not there was a history of financial misconduct or convictions or investigations both by the company but also its directors or its owners. And one might even want to consider commissioning research by third parties, there are external parties that will look into the background of third parties in a supply chain if that is proportionate and the point really is to understand the risk in order to be able to be in a position to mitigate against that risk so, not everything that one can put in place, is going to be appropriate but sometimes it will be and one of the things that almost always is appropriate when one is thinking about supply chain risks is making use of the contract that is agreed between an organisation and a third party, simply because it’s the most straightforward way of explicitly communicating your standards throughout the supply chain and ensuring that there is a commitment to meet those standards.
Just to briefly outline what those measures may be, the sort of things that we may expect to be included are a requirement to comply with local laws and the organisations, anti-bribery or anti-modern slavery policies or to provide training to the employees, that can be done either by the third party or the organisation may offer to do it themselves, and that may be training on bribery or whatever the issue may be. There may also be something we see quite frequently, the right to audit the third party, which is something which one may want to do on an annual basis or it may only be triggered in the event of a report of wrongdoing but it can be a very valuable right to be able to go into a business and review their records. Looking forward in an arrangement, one of the risks that supply chains and subcontracting aspects of a business brings about, is that the subcontractor may subcontract the contract themselves and it’s possible to gain some comfort by including the right to be informed of any such subcontracting in the initial contract and for there to be a process set out whereby the organisation will have some degree of control and possibly even in turn, audit rights over that subcontracted party. So, the contract is really the easiest way in which to manage a relationship but there are other ways which, just to outline them briefly, one may look at communications and publicising the message and it comes back to what you were saying, Jo, about the tone from the top and if that’s clear that’s it a priority for the business, it’s more likely to be treated seriously throughout the supply chain and there are many organisations, particularly in food retail, for example, where there are hundreds of parties in all of their supply chains where the organisation has a dedicated page on their website together with policies and that can be very helpful in setting the tone but also in drawing to the attention of anyone who visits that website, what whistleblowing provisions may be in place and whistleblowing can be, as we’ve talked about elsewhere on this podcast, a key way to draw attention to non-compliance.
So, that’s really third parties in a nutshell.
And that’s so interesting, Chris, and do you think there is a benefit to companies in opening up their whistleblowing hotlines to suppliers?
Yes. When one talks about whistleblowing hotlines and suppliers, it’s important to be clear what they’ll be blowing the whistle about and in this case, when you are looking at third party risks, it comes back to sorting out, in your policies and procedures, what the risks are but in so far as those risks do attach some liability to attach to the company through the actions of the third party so, obviously bribery and if the company takes a view about the reputational harm that may be done by a third party, for instance, engaging in environmental harms or human rights abuses, then absolutely that whistleblower structure should be available to those who are part of that supply chain and should not be for the exclusive use of those within the company because otherwise one runs the risk of defeating the purpose of the whistleblowing structure, given the nature of the risks.
Well, I think that’s probably all we have time for today so, thank you very much for joining us for this third episode of the Mishcon Investigates podcast. And if you have any questions you’d like answered or suggestions of what you’d like us to cover next, then do let us know. You can either contact us directly or else by visiting Mishcon.com/contact.
Mishcon Investigates is brought to you by Mishcon de Reya. To access advice for businesses, that is regularly updated, please visit Mishcon.com.