Bribery Risk and Controls. Enforcement Actions Show What Needs to Be in Place

July 2011 enforcement actions by the UK Financial Services Authority (FSA) and the Serious Fraud Office (SFO) against two companies identify critical components that you must have in place as part of your anti-bribery processes. While they apply to UK and global companies under the jurisdiction of the UK Bribery Act, I think companies in every jurisdiction should ask whether they would pass the test.

The FSA acted against Willis Limited (an insurance broker) and Macmillan Publishers Limited, with total penalties in excess of 18 million pounds. The actions are covered in an article by the legal firm of Skadden, Arps.

The Macmillan case is also covered in the Wall Street Journal and in a blog dedicated to the Bribery Act. It talks as much about the need for companies to cooperate with investigations as that, according to the SFO, it was “plain that the company may have received revenue that had been derived from unlawful conduct.” The fact that the company reported the case itself to the SFO, after a report by the World Bank, may have reduced the still-significant settlement. All they ended up paying (apart from the cost of the investigation and being barred from bidding on World Bank tenders for three years) is the estimated profit on the deals where bribery is suspected.

The blog mentioned above summarizes the case succinctly:

The World Bank put out a contract to tender, for the provision of educational materials in Southern Sudan. An agent acting on behalf of Macmillan’s tried unsuccessfully to secure the contract by way of a bribe. (Worth remembering here that the Section 1 offence only requires the offer or promise of a financial or other advantage.  The more so if it’s actually given, and it doesn’t have to succeed).

The World Bank reported it to the City of London Police, and thence to the SFO.

Macmillan agreed to fund an investigation aimed at uncovering corruption risks within the organisation. In other words they were paying for someone else to police them. The investigation covered the various countries in Africa in which they currently carried on business which presented a potential risk of corruption, or where it had actually taken place in the past.

As a result, the SFO calculated that Macmillan had benefited to the tune of £11.2 million. They therefore sought and were granted a Civil Recovery Order in the High Court in that sum

The telling factors listed by the SFO as to why they chose the Civil recovery route really boil down to the fact that Macmillans fell over themselves to make full disclosure and give total co-operation to the investigation. They paid for it themselves, weren’t hugely guilty, and had lost the opportunity to tender for a lot of valuable work in the future. Also they were very sorry.

The FSA detailed three failures in Willis’ controls:

  • Between January 2005 and August 2008, Willis did not adequately establish and record the business rational for use of third parties; did not perform sufficient due diligence of third parties; and did not ensure that employees complied with record keeping and diligence requirements regarding third parties;
  • Willis introduced improved anti-bribery policies and guidance in August 2008, but did not ensure that the policies were adequately implemented; and 
  • Willis' board did not receive sufficient information from management to assess the performance of the company’s improved anti-corruption policies.

The Skadden analysis makes important points:

  • The FSA has firmly placed anti-corruption systems and controls on its watch list for regulated entities.
  • The Willis Final Notice makes clear that the FSA views anti-bribery controls as mandated by the FSA's Principles for Business, which require "adequate risk management systems."
  • Regulatory guidance emphasizes the importance of assessing risk, addressing risk, and ensuring appropriate internal escalation of risk and compliance procedures.
  • As an immediate matter, both enforcement actions underscore the importance of tailoring control procedures to specific industry and geographic risks. The FSA’s action in Willis demonstrates the importance of procedures that function in practice, and the necessity of fulsome internal reporting to senior management and governance bodies
  • The FSA and SFO have highlighted the importance of cooperation in an investigation, but the risks and benefits of voluntary disclosure and cooperation should be weighed on a case-by-case basis. In resolving the Macmillan investigation, the SFO emphasized the company’s compliance with its guidance regarding reporting overseas corruption. In so doing, the SFO has sought to underline the benefits of: (i) fulsome and timely cooperation; (ii) ongoing compliance enhancements before and throughout the investigation; and (iii) agreeing to the appointment of a monitor.

Are your bribery and corruption controls in good shape? Have you completed a risk assessment and evaluated whether your controls are adequate to prevent inappropriate activity? Detection is probably not going to be enough.

Posted on Aug 1, 2011 by Norman Marks

Share This Article:    

  1. Hi Norman, A couple of quick thoughts. 1. I agree that detection is not probably not going to be enough. The company will have to be more proactive with its internal controls and reporting. 2. It is noteworthy that the Willis board did not receive adequate information. Failure to properly report to the board opens up the company to criticism. 3. These enforcement actions by the FSA and SFO should grab the attention of global companies. The UK Bribery Act will be enforced. Doug
  1. Thanks for the comment, Doug. Yes, it is very interesting that the UK laws specifically state that controls have to prevent bribery and corruption. Management is not permitted to take a risk and rely on detection.

    It is also interesting that the Act requires involvement in the anti-bribery program by top execs, who must approve the risk assessment, and the board, who must receive reports, etc.

  1.  Anti-bribery laws require adequate risk monitoring tools for internal auditors. It means internal auditors have to make professional judgement in stating what specifically requires "reporting standard items for the Audit Committee meetings" and further make decision about non-standard reported items in keeping audit committee members abreast of the changes as part of auditing universe that includes "compliance with laws and regulations".

  1. It is also true that "adequate" may have several different meanings depending on each particular jurisdiction and context. I am always concerned when I see international companies roll out their compliance programs from Corporate as if no level of customization was necessary (sometimes with incorrect translations made by entry-level associates without much experience). I just hope all companies which adopt compliance programs will appreciate the fact that some level of customization is necessary in each country without jeopardizing the main concept (and foundation of the Anti-Bribery Act), which is great, by the way.

Leave a Reply