Compliance With The UK Bribery Act: Use Existing Technology To Solidify Your "Adequate Procedures" Affirmative Defense

Thursday, September 1, 2011 - 01:00

The Editor interviews Mary Mack, Enterprise Technology Counsel for ZyLAB.

Editor: How aware are U.S. companies of the requirements and scope of the UK Bribery Act?

Mack: In my experience companies are not yet fully aware of the reach of the UK Bribery Act (the "Act"). Like with the Federal Rules of Civil Procedure and the FCPA, the magnitude of the law will take some time to really sink in for most, although there are some early adopters of the UK Bribery Act.

Editor: Please tell us about the jurisdiction of the Act. What kinds of contacts with the UK must one have?

Mack: The FCPA's jurisdiction is clear: if your company is listed on the stock exchange and you operate in the United States, you're covered. The UK Bribery Act covers UK nationals or ordinary residents in the UK as well as organizations, including private companies, that are either established in the UK or that conduct some part of their business there, which is pretty vague. Companies do not really have a handle on jurisdiction yet.

Editor: Are Bermuda, the Cayman Islands and other British possessions included in the UK Bribery Act?

Mack: Yes. Companies should also consider whether they have a business partner or major supplier that operates wholly or in part in these locations, or even a salesperson on assignment. Some of the things that we suggest companies do to prepare are things they are already doing in other areas. In many cases, they won't need to reinvent the wheel to comply with the UK Bribery Act.

Editor: When we spoke in March, the UK Bribery Act was not yet enacted, and guidelines were still pending. What have we learned since its enactment, particularly with respect to the requirement for companies to have "adequate procedures in place to prevent bribery?"

Mack: The "adequate procedures" is interesting, because it is an affirmative defense: if you have procedures and are making good faith due diligence efforts, you can use this as a defense when you have a bad actor in your midst. Many companies have already put forward compliance programs, including training and communicating with employees for FCPA, workplace harassment and other issues. Also, we have found that the same technical underpinnings of a legal hold system can also be used to help an organization get its house in order for the UK Bribery Act.

Editor: Tell us about how ZyLAB technology helps companies implement such "adequate procedures" referenced in the UK Bribery Act.

Mack: Let's examine two technologies in particular. One is the ability to communicate with employees and have them complete questionnaires, which can help a company assess risk and associations in various countries as well as the efficacy of compliance training. ZyLAB's Legal Hold allows a company to communicate throughout organizations and track quickly who has received notices, who has acknowledged notices and who has agreed to comply with the corporate standards around bribery and "facilitation payments." Many companies have already purchased and installed similar software; they just need to adapt it to a new use.

The second is technology that is used within e-discovery to conduct early case assessment and data mining. ZyLAB's solutions go much further than simple key words. We can actually extract company names out of emails and put them in a database. We can sort out everything that's happening in Nigeria, for example, or pull out anything that has currency-related symbols or nomenclature. Our pattern-based searches allow you to pull out phrases that indicate something more than a machine-aided investigation is required, such as "let's discuss this offline." The results can be tracked and escalated, a workflow similar to surfacing and resolving "hot docs" in e-discovery.

Interestingly, companies that have been outsourcing their e-discovery - especially those in Europe - are now looking at the UK Bribery Act and deciding they need an in-house system that can handle many things, including the UK Bribery Act, FCPA and the new SEC whistleblower law.

Editor: How is pattern-based searching different from concept searching?

Mack: A pattern might be as simple as three digits then two digits then four digits equals a Social Security number, or as complex as "X gave Y to Z," which indicates the pattern of a transaction. You can also find the pattern of a sentiment, such as "I hate it," "I love it," "I'm really angry." On the other hand, concept searching is along the lines of all documents about coffee go into one folder. Pattern recognition is more granular, and I think it's ZyLAB's recognition of the patterns of behavior ("someone" "gave" "something" to "someone") that makes us unique.

Editor: What has ZyLAB's experience been with investigatory agencies?

Mack: Our technology has been used for over 20 years in the United States, the UK and the EU by investigatory agencies such as the DOJ and the CIA. Our pattern-based recognition has been developed with multiple languages because the reach of these organizations is global and the stakes are very high.

Editor: Why is it important to conduct early risk assessment on all company data to detect or mitigate bribery, and how can ZyLAB help?

Mack: The UK authorities' guidance provides six principles around the U.K. Bribery Act, including proportionality, which we have been talking about for the last year and a half with e-discovery, top level commitment, risk assessment, due diligence, communication and monitoring and review.Using the tools as described above, with top-level commitment, will buttress your affirmative defense for adequate procedures should you be so unlucky as to need it.

The risk to corporate officers is much greater under the UK Bribery Act than under the FCPA. Surprisingly, the penalties under the UK Bribery Act are much greater than they are under FCPA, including double the years of imprisonment for individuals.

Fortunately, technology that a company may already have can reduce such risks. If you are able to take a look at the global map of where you do business and then juxtapose that with corruption statistics to find out where your hotspots are, you could then sample your key salespeople in those areas using early case assessment techniques used for e-discovery. Our system has an automatic randomizer to be defensible for e-discovery and would likely be persuasive for investigators as well. You may select the people to assess and then conduct a random sampling among their related documents to be reviewed by an attorney or a compliance officer to look for hotspots. In addition to emailing questionnaires about activity, you can ask everybody in your company if they have contacts or business with UK entities. You might start a tracking database and an education campaign for those employees who fall under the jurisdiction.

Editor: So it is very important to have a state-of-the-art system to uncover bribery from the standpoint of senior officials?

Mack: Absolutely. As with the FCPA, no one is looking for the small fish. As a self-interested step as well as for the health of the corporate entity, you should weigh the cost of not instituting compliance and due diligence programs. Beyond the fines, consider the damage to your reputation, to the brand, to morale. Key personnel could inadvertently find themselves in criminal proceedings adverse to the corporate entity. None of this helps the bottom line or any of the stakeholders.

Editor: How accurate is your machine translation?

Mack: Machine translation is still a little bit past infancy, but our system goes beyond translating into English idiom because we have been working with the intelligence agencies worldwide. We can search in English and return results in another language.

That said, when you are looking to monitor, you are not necessarily looking to translate huge datasets and then have people review gigabytes of data. Instead, if you surface one or two hot documents, you want to find out who that person communicated with, and then you want to start interviewing and move into the investigatory stage. When you are monitoring, you don't need to catch everything: you need to be confident that your technology will give you an early warning. Once you have that early warning, you can further process the data for entity extraction and visualization diagrams so that you can see with whom they have been speaking during particular time periods, or, for example, who their contacts in Nigeria were in the year 2011. This gives the legal department and compliance department somewhere to start. Later, you can move to collect and review data to produce.

Some companies are daunted by the scope of the UK Bribery Act. I'm suggesting that they may already have some technology to cope with this. Many companies have legal hold questionnaires in place right now and could adapt from there. Some companies also have e-discovery technology in place, either on an outsourced basis or in-house, and this can be adapted as well. The leap is not large. If you don't have these capabilities, we would be happy to show you ours, which is very easily installed and operated and has a great track record.

Editor: Why is transparency important for purposes of documenting proof and defensibility?

Mack: If you can't explain what you've done, it looks like you're hiding something. Your technology may be whiz bang, but if you can't comfortably explain it to the person you are trying to persuade that you are being forthcoming, you won't look very credible. With ZyLAB's systems, we can show on one page all of the elements that go into our system, which allows individuals in the company to say convincingly, for instance, "Look, we have done the due diligence. We pulled all of the communications to, from and about Nigeria, and from there we took our top ten sales people. From there we took a random sampling of their documents and reviewed them."

Editor: Can your system monitor activity in real time such that it could detect the beginnings of a possible violation? Say somebody sends an email that reads, "I'm not sure we should be doing this."

Mack: Yes, at which point there could be some counseling of that employee so that you nip the problem in the bud. Of course it is important to work with privacy officers to ensure that the software's installation and the employee's notice are appropriate for the jurisdiction.

Editor: What about other communications?

Mack: We can search telephone message audio files in multiple languages through what are called phonemes: words are broken down into sounds, and the audio file is pulled up at the point where the sound has a hit. Our system can point to the cloud if the company has access rights, and we can search social media as well. A lot of communication these days is off the corporate network. There are terabytes of information both inside and outside the corporation.

Editor: The knowledge by employees that ZyLAB is being employed must serve as a deterrent in itself.

Mack: We have a footer on corporate email stating that we do some scanning of our messages and that by replying to the message you consent to the scan. That alone could deter individuals who are seeking to make offers to individuals within our company. You can train your own employees, but you can't train the outside world, and everybody is subject to peer pressure.

For our clients, we provide documentation with our system that is customized to the specific corporation. We work with their privacy officers to make sure that our system dovetails with theirs; we also provide sample questionnaires for the various compliance statutes throughout the world. It is always good to have people in a country who understand what privacy regulators will do in that particular country, and for that reason we have facilities in Amsterdam that handle EU issues. We don't practice law, but we do provide enabling tools (and some foundational tools) for attorneys conducting due diligence.

Please email the interviewee at with questions about this interview or visit