For the past decade or so, the UK has been criticized for its Laissez-faire attitude toward commercial bribery, particularly due to its glaring gap in enforcement legislation. As of July 1, the UK “Bribery Act 2010” went into effect, and in many ways it leapfrogs the 34-year-old American equivalent—the Foreign Corrupt Practices Act (FCPA).
While ostensibly similar, the Act differs from the FCPA in a number of ways, many of which broaden applicability. For example, unlike the FCPA, the Act covers bribes to both the public and private sectors, and does not make an exception for facilitation payments (small payments given to public officials to speed up a routine service). Similarly, the Act applies to all organizations that do business in the UK, even if they’re not based there, and even if the bribery occurs in another country.
There are essentially four key offenses under the Act:
- Active bribery or offering bribes (Section 1)
- Passive bribery or accepting bribes (Section 2)
- Bribery of a foreign public official (Section 6)
- A company’s failure to prevent bribery (Section 7)
The Bribery Act originally was scheduled to become effective in October of last year but, after numerous delays and outcries from the business community, the Ministry of Justice recently issued its “Bribery Act 2010: Guidance,” and announced that the Act will finally take effect July 1. This Guidance has been eagerly awaited by anxious enterprises given the extremely broad scope of the Act. In concert with the recently promulgated prosecutorial guidelines, the guidance documents give some insight into how UK prosecutors (as enforced by the Serious Fraud Office) will initially decide whom to pursue and then how the Act will be applied. Fortunately, the promulgated guidance documents suggest that the Act is “directed at making life difficult for the mavericks responsible for corruption, not unduly burdening the vast majority of decent, law-abiding firms.”
To this end, the Guidance states that “[i]t is a full defence for an organisation to prove that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing.” It is these “adequate procedures” that provide a safe harbour of sorts and, therefore, should be perused quite carefully by impacted organizations to ensure that their compliance programs are up to muster. The six guiding principles are designed not be prescriptive or “one size fits all,” but rather as suggesting a risk-based and proportionate approach to managing bribery risks.
“As the principles make clear commercial organisations should adopt a risk-based approach to managing bribery risks. Procedures should be proportionate to the risks faced by an organisation. No policies or procedures are capable of detecting and preventing all bribery. A risk-based approach will, however, serve to focus the effort where it is needed and will have most impact. A risk-based approach recognises that the bribery threat to organisations varies across jurisdictions, business sectors, business partners and transactions.”
The Guidance’s six principles are as follows:
- Proportionate procedures: A commercial organisation's procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation's activities. They are also clear, practical, accessible, effectively implemented and enforced.
- Top-level commitment: The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.
- Risk assessment: The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.
- Due diligence: The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.
- Communication (including training): The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training that is proportionate to the risks it faces.
- Monitoring and review: The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.
Organizations looking for clarity should certainly start with an analysis of how well their existing anti-bribery procedures (many likely designed with the FCPA in mind) correlate to the six principles. The hope of many is that the Bribery Act won’t inherently require a complete reworking of policies for entities trying to comply with the Act. Instead, a more measured and reasonable goal should be to have compliant entities examine the Act to see if any augmentation is necessary. Fortunately, the Guidance principles are peppered with terms like “proportionate,” “risk-based” and “practical,” which should give solace to the entities that had significant indigestion when the Act was first released.
Traditional e-discovery solutions may very well be called into duty to help augment an organization’s “adequate procedures,” particularly regarding provision No. 3 (risk assessment) and No. 4 (due diligence). These two principles specifically call out procedures that proactively facilitate:
- Identification of the internal and external information sources that will enable risk to be assessed and reviewed
- Accurate and appropriate documentation of the risk assessment and its conclusions
- Conducting direct interrogative enquiries, indirect investigations or general research on proposed associated persons
- Appraisal and continued monitoring of recruited or engaged “associated” persons may also be required, proportionate to the identified risks
These elements are easily achieved by utilizing next-generation electronic disclosure applications. The repurposing of analytical tools in this compliance context makes sense given how things have played out with the FCPA, and provides yet another way to rationalize bringing electronic disclosure solutions in-house. In this compliance scenario, the software’s analytical components likely will come more into play than will the downstream review and production elements.
This expansion of traditional e-discovery/disclosure concepts, procedures and applications is logical, and coincides with the movement left on the Electronic Discovery Reference Model (EDRM) spectrum. It’s also aligned with rapidly expanding notions of information governance which, according to research firm Gartner Inc., is defined as follows:
“Information governance is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
Similarly, the EDRM organization has attempted to include notions of governance into its newly promulgated Information Governance Reference Model (IGRM), which purports to meld notions of electronic discovery with compliance obligations since both involve significant organizational risk attendant to data retention, destruction and deletion.
We’re already on the cusp of a reality where it is simply too limiting to just talk about pure e-discovery/disclosure tools since it inherently leaves out the rest of the compliance story. The movement left on the EDRM spectrum becomes even more mandatory now that the UK Bribery Act is in play, requiring the repurposing of analytical tools formerly deployed with only a singular purpose.