Compliance programs for dealing with fraud and corruption

21 June 2013

Harry Rek

Doing business brings along risks of fraud, bribery and corruption. Especially companies with foreign subsidiaries are exposed to the risk of liability or even prosecution if an employee gets involved in these kinds of criminal practices. It is not sufficient to fight fraud and corruption if and when it is uncovered. Therefore it is "best practice" that a commercial organization: (i) assesses its business risks across the organization, (ii) includes such risks in a strong and tailored compliance program, and (iii) implements such program in its strategy and makes it an important part of the DNA of the organization.

Many countries prohibit bribery; the US Foreign Corrupt Practices Act of 1977 ("FCPA") and the UK Bribery Act 2010 are known for their strict and detailed provisions on bribery of foreign officials and prevention of bribery, but also for their extra-territorial reach: the provisions do not only apply to US and/or UK businesses acting within their national borders, but also to persons or entities with a certain degree of connection to the UK or the US. The impact on multinationals, with subsidiaries or activities in the UK and/or US, can be considerable.

As a consequence, many organizations use the FCPA and the UK Bribery Act as standards for their anti-bribery compliance programs. Having a code of conduct or an anti-bribery policy, which clearly sets out what is permitted and what not, is clearly step one. However, a compliance policy can only be effective if embedded in all layers of the organization, and if there are clear procedures around reporting and enforcement.

Putting it to practice

"After-the-fact damage control" is not sufficient, nor is a simple "check-the-box" approach. The best way to defend against liability exposure is a pre-existing compliance program which is risk tailored. An effective compliance program must be designed and tailored to deal with fraud and corruption risks that are specific for the business operations and geographies in which the company operates. The program should apply to and be implemented at all employee levels, and for all business entities in the group and affiliates, and should be reviewed regularly. The policies and the procedures should be embedded and understood. Therefore, training of employees is essential, and should focus on the risks that are specific for the environment in which they operate. In addition, the company should have effective procedures in place to uncover fraud and corruption risks in due diligence on business partners and (if applicable) pre-acquisition due diligence.

In case of violation

Most compliance programs include an arrangement for reporting violations in good faith; however this does not always mean that such person is protected from reprisal when the person making the report is himself at fault. Also, the company should have a clear and fair "whistle-blower" arrangement which protects employees who in good faith report cases of possible breaches of the code of conduct (for instance to a trusted person who will investigate the reported incident without revealing the identity of the whistle-blower). Furthermore, it is recommended that companies respond swiftly in order to estimate the consequences of the allegations, secure the evidence and to form an effective strategy.

It should be noted that no compliance programme, no matter how extensive, can provide absolute assurance. However a strong compliance programme can mitigate risks. Furthermore, the existence of a well-designed and actively enforced compliance program can help a company escape from criminal liability. No compliance program is 100% bullet-proof, but a general counsel who can show that the company's compliance program was in line with "best practices" may be able to achieve that only the perpetrating employee and not the company itself will be criminally prosecuted. In the light of that discussion, it will help if the general counsel can show that all reasonable efforts have been applied (which may include having the code of conduct and compliance procedures reviewed by a professional advisor).

For practical guidance and more do's and don'ts, please view our page of tips and guidelines.

About the author:

Harry Rek (51) co-founded Bird & Bird’s Dutch office on 1 December 2001. Harry was managing partner and member of Bird & Bird's Global Board until 2007, and now heads the Dutch Corporate Group. Harry's practice areas are corporate law, M&A and international commercial contracts. Harry has been acknowledged in various legal publications as a leading and recommended Dutch M&A lawyer. His work experience includes cross-border M&A deals and international commercial contract projects, and client relationship management of multinational clients for all their corporate, commercial and regulatory work. He has been leading FCPA due diligence for US clients in many different countries.