As organisations set their global compliance agenda for 2008, key messages around, for example, adherence to corporate codes of conduct, anti-bribery and data privacy remain a focal point. In the UK a number of shifts are taking place that will shape the way in which organisational leaders and third party associates may approach compliance and the issues at the forefront of their agenda.
By considering ways in which these developments can be integrated into their compliance plans, entities with a presence in the UK not only address the issues of concern to local businesses, they facilitate the creation of a more integrated international compliance program.
The concept of global cooperation between regulators is increasingly being tested and explored. This presents challenges in terms of settling on compliance benchmarks and ensuring that senior officers have a full appreciation of the ways in which they may personally be exposed.
The idea of stronger ties, but also more complex relationships, between regulators has been clearly set out by U.S. authorities. In a speech in January 2007, SEC Chairman Christopher Cox stated:
"[C]onsider the global reaction to the Sarbanes-Oxley Act. There has been loud complaint about its costs, even by some in other jurisdictions to whom it does not apply. But one interesting effect of these reforms has been the degree to which they have been copied, in one form or another, in many other major markets. The SEC's recent management guidance regarding Section 404 of the Sarbanes-Oxley Act benefited greatly from what we observed in other jurisdictions that have implemented issuer internal control standards."
Unlike, for example, Japan and Canada, the UK is not considering Sarbanes-Oxley style legislation. The exchange of ideas and influence between the UK and U.S. regulators may nonetheless have reached a new level. In December 2007, it was announced that three UK executives alleged to have engaged in price-fixing would plead guilty in Texas and then be returned to London to face the first personal British cartel prosecutions under the Enterprise Act 2002.
The process raises the spectre of a double conviction for the same offence.
It may also influence the sentencing approach for offences of this kind in the UK, where custodial sentences for white collar crime have been less punitive than in the U.S.
One of the features of the deal is that the custodial sentence could be served in the UK, with the proviso that it be equivalent to the period that would have been imposed by the U.S. authorities. If this is not the case, the U.S. reserves the right to return the convicted men to the U.S. to serve further jail time.
Extradition has already been a highly charged issue in the UK following the recent conviction of three former NatWest bankers who were extradited from the UK to the U.S. to face trial in connection with Enron. Attention in the UK has centred on the 2003 Extradition Treaty, which allows extradition on the basis of information laid by U.S. authorities rather than the production of evidence in support of the charges on which the extradition application is founded.
Many U.S. companies are acutely aware of the very significant fines that can be levied in the EU for breach of competition laws. The possibility of personal prosecution of executives in both the U.S. and the UK emphasises the need to make sound competition compliance policy a cornerstone of compliance programs and an important focal point for compliance risk analysis.
Finally, with regard to extradition, U.S. organisations may well find that their UK counterparts are particularly concerned about this issue. Internal briefings on extradition, and on how such an issue would be handled within the organisation, would be of value.
Anti-bribery And FCPA
UK organisations are increasingly familiar with U.S. investigative action into breaches of the Foreign Corrupt Practices Act (FCPA). A 2007 investigation into Smith & Nephew, a UK-listed medical devices group, concerned alleged payments to clinicians in return for the use of company products in patients undergoing orthopaedic or spinal surgery. In September 2007, a related series of allegations in the medical devices industry gave rise to a $311 million settlement with federal prosecutors. U.S. enforcement against UK companies is not confined to the FCPA: in 2007 Barclays Bank, together with American bond traders, agreed to pay almost $12 million (£6.1 million) to settle insider trading charges in the United States.
Unlike much of Europe, UK legislation does not fully reflect the OECD Anti-Bribery Convention, and this may continue to invite further action in the UK by U.S. regulators. The continued lack of reform of anti-bribery legislation, and the discontinuance of the bribery investigation into BAE Systems plc and the Al Yamamah defence contract with the Government of Saudi Arabia, attracted adverse comment in the OECD's July 2007 Follow-Up Report on the Implementation of the Phase 2 Recommendations relating to the OECD Convention. The UK has taken a number of positive actions towards implementing the recommendations, but it has some way to go before fully picking up the mantle of bribery prevention.
Ensuring that UK business units appreciate these distinctions is clearly important. In addition the activity of the SEC in respect of the FCPA underscores the importance of measures to make certain that contractors and agents have adequate compliance arrangements in place and that these are actively integrated into their corporate behaviour. Actions to help secure compliance by contractors and agents include:
• the establishment of clear contractual commitments to compliance by both contractors and agents;
• policies that provide that only reputable agents be hired and appropriate due diligence conducted, that proper background checks are completed and that compensation be benchmarked against comparable payments in the country concerned;
• making the recruitment, compensation and supervision of agents, with attention to indicators of compliance concern, an express part of employee and management obligations; and
• training for employees and agents.
Audit exercises should ensure that checks include:
• a review of the organisation's anti-bribery documentation,
• on-site visits,
• interviews of operational and finance staff about compliance activities,
• examination of complaint logs and disciplinary investigations,
• a review of incident records and trend reporting.
Specific areas for improvement should be clearly identified and any reason for concern set out. Where issues of concern are identified, follow-up action must take place to ensure that they have been addressed. Compliance officers might also consider involving contractors and agents in their own training exercises and setting up regular opportunities for communication.
Data Privacy
Data privacy has had a high degree of prominence in compliance programs for some time now. Organisations need to be alert not just to the general EU principles but to the way in which they are being implemented within each jurisdiction and to the role and approach of domestic regulators.
In the UK, data security has been centre stage following the largest unauthorised disclosure of personal information in UK history. In November 2007, Her Majesty's Revenue and Customs (HMRC) lost two CDs containing the unencrypted personal details of some 25 million individuals connected with Child Benefit claims. The potential seriousness of the loss was brought home by the revelation that the CDs included information about the old and new identities of individuals on the UK witness protection program. The Information Commissioner's Office (ICO) has been seeking a greater range and scale of enforcement powers, including making data breach a criminal offence with the potential for a custodial sentence. The extraordinary HMRC incident makes such an extension of the ICO's role more likely. The Prime Minister, Gordon Brown, has already authorised spot checks by the ICO on government departments, and the Information Commissioner has argued for full audit powers for his office so that he is able to enforce UK law effectively.
In terms of compliance guidance, the ICO has also recently launched the UK's first privacy impact assessment handbook, to assist organisations in assessing the impact of, and issues that might arise from, new initiatives and technologies concerning the collection and storage of personal information.
Health And Safety
The serious impacts of work-related fatalities have been magnified recently in the UK by the introduction of the Corporate Manslaughter and Corporate Homicide Act 2007. The legislation comes into force on 6 April 2008. It will make it easier to prosecute companies and other organisations for deaths caused by a gross breach of the organisation's duty of care towards the deceased.
In assessing what amounts to a "gross breach", one of the factors that can be considered is the failure to comply with any applicable health and safety law and the seriousness of that failure. Under the present law, it is necessary to identify a single employee who can be said to represent the "controlling mind" of the company.
This is, of course, a challenge in larger organisations where responsibility may be divided. Under the new Act, it will only be necessary to show that the way in which the organisation's activities were managed or organised by its senior management was a "substantial element" in the breach.
The penalty under the legislation is an unlimited fine, opening the way to prosecution for general management failure. The UK Sentencing Advisory Panel has launched a consultation on sentencing for the offence of corporate manslaughter, suggesting a penalty comparable with that applied by EU competition authorities of up to 10% of average annual turnover. If fines were set with the potential to reach this level, the impact could of course be very serious. For businesses operating in the UK, this area of regulatory compliance may warrant increased attention and a program of training to ensure that managers are up to speed before the new law takes effect.
In many ways the UK has adopted a different compliance path from that of the U.S. For U.S. entities operating in the UK and Europe, however, it is important to note that there are elements of convergence and strong interaction, at least between regulators, that influence the way in which compliance management might be approached. Compliance teams will also want to monitor specific UK domestic developments, such as those in data privacy and health and safety, and adapt their programs accordingly.
Diana Newcombe is a Senior Associate in Eversheds LLP. Diana specialises in regulatory compliance, the implementation of legal risk management systems and best practices in corporate governance. Diana also provides advice in relation to corporate criminal defence and civil proceedings relating to civil breaches. Diana is qualified as a barrister and solicitor in England and Australia. She may be reached at +44(0) 845 4970861.