31 May 2016
Is self-policing the answer to the need for global reach on regulatory compliance?
When the UK’s Bribery Act 2010 came into force in July 2011 many of us wondered how this new ‘gold standard’ for anti-bribery and corruption could be regulated effectively when it had such far-reaching effect. Rumours of a 100-strong dedicated team at the Serious Fraud Office (SFO) hardly seemed sufficient to make a dent in the issues covered by the Act, particularly given the cross-jurisdictional impact. The lack of speedy prosecutions seemed by some to support the suggestions of insufficient resource, although in reality it was much more likely to simply be a consequence of how long such investigations realistically take to bring to successful prosecution, coupled with the fact that the Act was not retrospective.
One of the most prominent provisions in the Bribery Act was the so-called ‘Corporate Offence’, introducing the new offence for which a corporate entity could now be found guilty if it failed to prevent an act of bribery occurring on its behalf. Key to this new stick of the Corporate Offence was the possible carrot of an available defence. If the business in question could establish it had adequate procedures in place to prevent such an act taking place it might be protected from such a conviction.
In this way, businesses have been encouraged to essentially self-police against acts of bribery taking place on their watch, not only by managing the behaviour of their own employees, but also taking a responsibility for a wider group of people associated with the business. Significantly the businesses tasked with this self-policing weren’t just those incorporated here in the UK, but also those which carry on some part of their business in the UK, even if they are a non-UK company. And so we saw the development of this principle of self-policing in the world of compliance, but now with a global reach.
Earlier this year saw the first successful Corporate Offence prosecution by the SFO of Sweett Group PLC which was ordered to pay a total of £2.25 million. The group parent company had failed to prevent bribes made between 2012 and 2015 by one of its subsidiary companies, Cyril Sweett International Limited, to secure and retain a contract for the building of a new hotel in the United Arab Emirates. Going to the heart of the self-policing principles behind the Corporate Offence (section 7 of the Act), His Honour Judge Beddoe stated that:
“The whole point of section 7 is to impose a duty on those running such companies throughout the world properly to supervise them. Rogue elements can only operate in this way – and operate for so long – because of a failure properly to supervise what they are doing and the way they are doing it.”
At the recent 2016 Anti-Corruption Summit held in London, David Cameron trailed a potential progression from the Bribery Act’s Corporate Offence to a new offence of failing to prevent, not just acts of bribery, but other economic crimes such as tax evasion, fraud and money laundering. The new harmonised approach on data protection across Europe, governed by the General Data Protection Regulation (GDPR) coming into force on 24 May 2016, will bring into effect in two years’ time the strengthened self-reporting requirement. In the event of a personal data breach, an organisation will need to notify the regulatory authority within 72 hours of discovery, unless the breach is unlikely to result in a risk to an individual’s rights and freedoms.
So not only do these developments show the continuing trend for self-policing across regulatory compliance areas, but also demonstrate that this is the method of choice for managing the global reach many businesses now have. It certainly isn’t possible for any business to claim that the actions of its subsidiaries or associated businesses are ‘out of sight, out of mind’ anymore even if they take place half way across the globe.
If you have any queries about the above, or would like any further information, please contact Emma Roe, commercial and IP partner, on 0113 288 2817 or at firstname.lastname@example.org.