Global Investigations Review | Mark Hunting | Margaret B Beasley | Bracewell LLP
This is an extract from the 2025 Edition of GIR’s The Americas Investigations Review.
This is an Insight article, written by a selected partner as part of GIR’s co-published content.
1. Introduction
This chapter addresses the compliance requirements and expectations on corporate organisations that conduct business, have a presence or are regulated in the United Kingdom.
Generally, subject to a few exceptions for specific markets, industries or circumstances, there is no legal requirement to have a compliance programme. Nor, in most cases, are there specific requirements as to a programme’s structure or contents. However, an effective compliance programme can prevent and mitigate a wide range of legal, compliance, financial and other health and safety risks, may assist an organisation with meeting its legal obligations, and may provide complete legal defences to three corporate failure to prevent offences (FTP offences): failure to prevent bribery, failure to prevent fraud and failure to prevent tax evasion.[1]
This chapter focuses on core financial crime risks, namely: fraud, bribery and corruption, money laundering and financial sanctions. While not addressed specifically, this guidance may also apply to risks such as trade sanctions, compliance with trading regulations, tax evasion, human rights and modern slavery, and health, safety and environment risks, among others.
Using a principle- and purpose-based approach, this chapter considers:
- the key principles all compliance programmes should have as their foundation; and
- the generally recognised components one would expect to see in any compliance programme.
For simplicity, the ‘Core components’ section, below, follows, but also expands on, the six principles in the Ministry of Justice (MOJ) Guidance to the Bribery Act.
The chapter also covers, at a more macro level, considerations for entities regulated by the Financial Conduct Authority (FCA) and other regulators, highlighting some of the significant additional requirements to which such entities may be subject.
2. Key principles
The primary goal of any compliance programme is that it be holistically effective. That is, the controls operate together to prevent, minimise or mitigate the financial crime risks identified. Four key principles should be the foundation of any such programme:
- efficacy;
- risk-targeted;
- friction-based; and
- culture-driven.
Efficacy should be measured by reference to the calculation of the risk the controls are designed to mitigate; that is, an effective programme should reduce the likelihood, the harm, or both, of the identified risk occurring. It is not necessary, in the authors’ view (or, often, even achievable), to reduce the risk to zero by rendering it either impossible or harmless. Not every possible risk can be completely countered, and bad actors may circumvent controls in unpredictable ways. An effective compliance function, however, will learn from these incidents and improve the programme in response.
An effective programme often will contain a range of controls, including:
- barrier or preventive controls that eliminate or prevent a risk from occurring (e.g., system access permissions);
- ‘directive’, or human, controls that direct how individuals should manage a risk (e.g., policies, procedures, guides);
- ‘detective’ controls that detect potential breaches (e.g., ongoing monitoring of counterparties for sanctions); and
- ‘corrective’ controls that correct detected breaches.
The measures that are most appropriate will depend on the risk. Where no single measure is sufficient, combining several in the ‘Swiss cheese’ model can help; that is, although each measure has gaps (or holes, as in a slice of Swiss cheese), when combined, they collectively form a complete barrier (i.e., the holes do not line up).
The second foundational principle is that the compliance programme be risk-targeted. It should identify the risks that it is designed to manage, assess them for severity and apply controls to the areas of highest need. When assessing risk, it is generally recommended to start at a micro level (specific jurisdictions or business units) and then ‘roll up’ the risks into larger functions or business groupings, and finally into a company-wide assessment. The results of this assessment can then inform where and how a company assigns resources and which matters it should prioritise.
Third, compliance programme controls should be friction-based.[2] When something is very high risk, it is appropriate to have a series of high-friction controls. Where the activity is generally lower risk, lower-friction controls, or no controls at all, may be more suitable. As an example, when a business wants to navigate government consents in a high-risk jurisdiction, a series of high-friction controls may be warranted, such as:
- very senior approval requirements;
- a written, socialised business case;
- internal functional approvals (e.g., approval from the legal, tax, compliance, risk and credit departments);
- stringent counterparty due diligence requirements;
- segregation of duties and responsibilities;
- limitations on the use of agents or third parties; and
- clear review and reporting requirements.
Conversely, approving a new flower vendor for the office reception desk, a likely low-risk activity, may warrant low or no friction controls, such as appropriate cash management controls, simplified due diligence and a requirement for the vendor to be tax-registered.
The advantage of a friction-based system is that it is easy to compare controls for different risks (and thereby internally benchmark control frameworks). It also contributes to a supportive compliance culture whereby the compliance requirements for any activity are easily explained by reference to the risk (and to other risks). When done correctly, it avoids the criticism that ‘X is riskier than Y, but Y has more stringent controls’. This is particularly important in generating confidence in and support for the programme.
Finally, culture is often considered the compliance professional’s most powerful tool, but also the hardest to create and utilise effectively. Although in some ways culture is ‘free’, given its outsized importance in the health of an organisation, companies should nevertheless invest heavily in creating and maintaining a strong culture of ethical conduct. Failure to do so may result in significant costs in the future, whether in the form of prosecution, regulatory penalties or reputational damage.
When a culture of compliance is leveraged correctly, employees and third parties will identify and refrain from misconduct even when not explicitly prohibited by the compliance programme, and appropriately challenge controls that have little compliance value but restrict business. On the other hand, when done badly, the compliance programme and function is seen as an obstacle to circumvent or a box to ‘tick’; an annoyance rather than an asset. In the worst cultures, disaffected individuals may use the compliance programme as a weapon to attack colleagues and management through baseless whistleblowing and complaints.
The best cultures, from a compliance perspective, are those that:
- recognise a distinction between good conduct and good intentions, and reward each appropriately; for example, employees should be incentivised to raise good-faith concerns, even where the concern is not actually an issue;
- encourage continuous learning and feedback so that individuals and the programme can improve; and
- promote transparency such that issues are properly identified and shared and, where appropriate, multidisciplinary teams can work together to resolve them.
Although addressing the challenges of improving culture is beyond the scope of this chapter, proper application of many of the components discussed below is fundamental to success in this space.
3. Core components
The following discussion of the core components of an effective compliance programme, for simplicity, is organised by reference to the six elements listed by the MOJ: risk assessment, proportionate procedures, top-level commitment, due diligence, communication, and monitoring and review.
The MOJ asserts that its rules and regulations are ‘directed at making life difficult for the mavericks responsible for corruption, not unduly burdening the vast majority of decent, law-abiding firms’ and that ‘combating the risks of bribery is largely about common sense, not burdensome procedures’.[3] Companies should be encouraged to keep this pragmatic view in mind when developing, implementing and enforcing their compliance programmes.
3.1 Component 1: risk assessment
Before an organisation can properly manage or mitigate compliance risk, it must identify those risks specific to its personnel and operations through a tailored organisation assessment. This assessment is not a one-and-done endeavour; a comprehensive risk assessment is both the foundation for devising an effective compliance programme and a continuing process that provides the company with insights into where significant risks lie as markets and business practices evolve. Although most large companies have some form of established risk assessment procedure and compliance programme, these should not be adopted ‘off-the-shelf’ as a ‘one-size-fits-all’ solution. Regulators and prosecutors have made clear that training on the generic gold standard is insufficient; companies must create the gold standard for their business. To do so, they must conduct an organisation-wide assessment to identify the specific risks faced at every level and in every function and business unit.
Common areas of risk to consider include the following:
- Country risk: Indications of high risk include high levels of corruption, weak money laundering control frameworks and lack of transparency.
- Sectoral risk: Certain sectors present greater risk, particularly large-scale infrastructure and the extractive industries.
- Transactional risk: Higher-risk transactions include obtaining licences and permits, transactions relating to public procurement, and any transaction involving a charitable or political contribution.
- Business opportunity risk: Certain transactions present many opportunities for corruption, such as projects involving numerous contractors or intermediaries, projects for which there is no clear business purpose, and projects not undertaken at market price.
- Partnership risk: The use of intermediaries, consortia or politically exposed partners may present a higher degree of risk.
The risk assessment should be done on the conventional basis of ‘harm × likelihood’; that is, high harm and likely frequent occurrence leads to high risk, whereas low harm and low likelihood equals low risk. Many organisations use a 5 × 5 or 8 × 8 grid model to map where such risks lie.[4]
Harm can be calculated by reference to financial harm but allowance should be made for other business and social impacts. A serious injury to an employee might not cause serious financial harm but clearly should be considered highly harmful for the purpose of the risk assessment. Other factors such as a licence to operate in a specific market or industry or reputational risk should also be considered.
Likelihood is the number of times an event is likely to occur within a set period. That period should be long enough not to artificially reduce the risk; for example, if a risk is likely to materialise once in an asset’s 30-year life, considering the risk annually is likely to incorrectly suggest that the harm will never occur. The higher the potential harm, the longer the period should be. That is, a more strategic view of risk should be taken for high harm risks.
This assessment and its conclusions should be documented. These records will serve as evidence of a company’s dedication to compliance should a regulatory action ever arise, and provide a starting point for future iterations of the assessment.
Finally, when considering harm, it is important to properly specify the risk. In compliance matters, businesses should consider the risk of investigation, prosecution and conviction separately because much of the harm that befalls an organisation occurs at the investigation stage prior to any decision to prosecute (or seek a settlement).
This is important because the risk of conviction is generally remote (many instances of wrongdoing are not investigated and there are several dispositions available before conviction). The harmful outcomes of conviction, however, might be significant and include financial penalties, reputational harm, costs of running a defence, disgorgement of profits and debarment. Conversely, the likelihood of being investigated is higher (than that of being convicted) and the harm may be similar in terms of costs and reputational harm. When viewed through this lens, many organisations consider the real risk to their business to be investigation, not conviction. This conclusion necessitates a change in approach to compliance because investigations often occur when there is no actual misconduct, merely the appearance of it.
In addition to external risk, companies should evaluate whether their internal procedures unwittingly contribute to risk. These issues are discussed below.
3.2 Component 2: proportional procedures
Whether termed policies, procedures or guidance, an organisation should articulate its dedication to compliance and demonstrate how that dedication will be enforced. The policies should be clear, practical, accessible, comprehensively implemented and consistently applied.
Proportionality is key to ensuring that procedures are adequate for the organisation and risk at issue. Proportionality may reflect the size of the organisation, the nature and complexity of its business, the identities of its counterparties or the jurisdictions in which it operates; for example, two compliance professionals may be inadequate for a department with 200 staff members operating in the extractive sectors in a jurisdiction known for corruption, whereas a requirement for daily compliance reports in a department procuring office supplies in a purely domestic market may be seen as excessive. While practicality demands that organisations devise and implement procedures to cover a wide range of activity, management should keep in mind that, ultimately, a prosecutor or regulator will focus on those procedures designed to prevent the offence that allegedly occurred. In other words, companies must consider what their procedures will look like on the ground as implemented, not just on a corporate organisation chart.
Notably, an organisation’s key defence against charges of failure to prevent bribery is that it had adequate procedures in place to prevent its associated persons from engaging in bribery. It must establish that defence on the balance of probabilities.[5] However, the SFO has described this showing as ‘a high bar’.[6]
The first company to rely on this defence at trial failed to satisfy that bar, providing a sobering lesson for others who may anticipate invoking it. Skansen Interiors Limited (SIL)[7] was a London-based company, now dormant, that traded in office interior design. In 2013, SIL’s managing director bribed a client to secure two contracts. In 2014, SIL’s newly appointed CEO, concerned by the payments, initiated an internal investigation and established a specific anti-bribery and corruption (ABC) policy. When the managing director attempted to make another payment to the client, the ABC policy caught it and the investigation concluded with the dismissal of the managing director. SIL subsequently submitted a suspicious activity report to the authorities, reported the matter to the police and cooperated fully. Nevertheless, SIL was charged with failure to prevent bribery.
SIL argued that, despite the lack of an ABC policy when the initial payments were made, it had adequate procedures such as anti-bribery clauses in contracts, multiple levels of approval in the payments system, and a culture of honesty and integrity. The company contended that these measures were adequate for a company of its size (30 employees) and its domestic focus. The jury disagreed. The prosecution’s arguments, and the jury’s apparent acceptance of them, are instructive for companies in considering what procedures are adequate. Key takeaways include the following:
- Significance of compliance records: SIL did not have written records evidencing its compliance procedures or training; testimony about a culture of integrity was no substitute for records showing a history of written policy.
- Updating procedures and training to reflect changes in legislation: SIL had not implemented procedures in response to the Bribery Act in 2010 but waited years to do so until bribery surfaced, at which point it was too late.
- The need to have a designated individual responsible for anti-bribery, even if that person’s sole function is not compliance: SIL had not appointed such an individual nor did it have a clear reporting process for employees to raise concerns.
SIL is a difficult case. By the time it was prosecuted, the company had no funds or assets (a result of a corporate reorganisation, which predated the prosecution) and the Crown Prosecution Service (CPS) had secured convictions against relevant individuals. In these circumstances, it might be expected that the CPS would not proceed on the basis that the relevant wrongdoers had been held to account. However, the CPS opted to prosecute the company to set a clear precedent. SIL received an absolute discharge, the only sentence available to a dormant entity.
3.3 Component 3: top-level commitment
Ultimately, the effectiveness of a compliance programme requires a company’s leaders to create and nurture a culture of ethics and compliance throughout the organisation. No matter how well designed, an unsupported programme will never succeed. This section considers what that commitment might look like.
A company’s board of directors and executives should clearly articulate the company’s ethical standards and be seen to convey them in unambiguous terms, such as at corporate town halls. The compliance policy should also be easily accessible. Further, leadership should demonstrate adherence by example, making it clear that no business objective is worth compromising a company’s compliance standards. Middle management, in turn, should demonstrate this commitment in executing its varied functions; for example, when discussing new engagements and vetting new contractors, they can articulate the business benefits of rejecting bribery.
An increasingly crucial indication of top-level commitment is investment in and support of a compliance department. Although all organisations should have a designated compliance individual, depending on size and complexity, many will warrant an entire department. That department should be well staffed, well funded and autonomous, and have a literal seat at the boardroom table. A compliance function that exists in name only, with no voice and no power, will not suffice. Management should convey to the rest of the organisation its support for the compliance department and respect for its determinations, including any required remedial measures.
Another way to demonstrate and perpetuate top-level commitment is through a compensation scheme designed to foster a compliance culture. Companies can implement ‘carrots’, such as promotions or bonuses for improving compliance, or deferral of certain compensation tied to conduct consistent with company values and policies. Conversely, they can use ‘sticks’, such as contract provisions permitting the company to recoup previously awarded compensation if the recipient is found to have been responsible for wrongdoing, or limits on the indemnification of individuals for fraud-related allegations. Compensation structures that clearly and effectively impose financial penalties for misconduct and reward ethical conduct both demonstrate leadership’s commitment to compliance and deter risky behaviour.
3.4 Component 4: due diligence
A compliance programme must also apply risk-based due diligence to its third-party relationships, including with customers, service providers and goods suppliers. Both the need for and degree of appropriate due diligence will depend on the size and nature of the counterparty and the transaction.
There are many approaches, but counterparty due diligence generally includes:
- screening third parties against sanctions lists;
- conducting open-source research, either directly or through an external diligence vendor;
- requesting relevant documents;
- requiring third parties to complete a due diligence questionnaire;
- conducting human intelligence (known as HUMINT), normally through an external vendor; and
- conducting interviews with both management and line-level employees at the third party.
Further, companies should consider conducting due diligence on their own hires, as employees are persons associated with an organisation for purposes of the FTP offences, and therefore can incur liability for the organisation. This diligence should be proportionate to the potential employee’s position in the company, with greater diligence required for those who would be entering into contracts or making procurement decisions than for potential new hires at a lower level of seniority in an organisation.
Finally, companies must understand that due diligence is not a single occurrence. Effective due diligence requires continuing monitoring of third-party relationships through refreshed data gathering, training, audits and periodic compliance certifications. This approach is discussed further below.
3.5 Component 5: communication and training
An effective compliance programme must be put into action with proper communication and training.
While the ‘tone from the top’, discussed above, is an important starting point in communicating a company’s dedication to compliance, internal communications and training should focus on the implementation of the policies and procedures at every level of the organisation. Generic training has its uses, but the best compliance programmes will deliver training on a risk basis, with more detailed, job-specific training as appropriate.
An hour-long presentation on the law is generally accepted as a starting point, but the best programmes combine online and in-person formats, deep dives and bite-size sessions, and include role play, real-life scenarios and case studies. Organisations may need to cover topics such as macro ethical decision-making, compliance with financial controls, treatment of hospitality and promotional expenditures, handling of facilitation payment requests, and providing charitable and political donations.
In all cases, the organisation should be sure to record completed training accurately. It should follow up with employees who do not complete mandatory training and treat continual refusal to engage with training as a disciplinary matter.
Another important element of internal communication is a secure, confidential and accessible whistleblowing channel through which employees may raise concerns about bribery by others within the organisation, provide suggestions for improving the company’s compliance functions and request advice on compliance issues. This should not be an inbox that is checked periodically; rather it should be a prioritised channel reviewed by personnel with the ability to triage and act on incoming information in a meaningful way.
Externally, a prominent statement of a company’s dedication to anti-bribery or a code of conduct may both assure ethical counterparties and deter any potential unethical counterparties intending to seek or pay bribes in connection with future transactions. Furthermore, dealing with third parties should be done in a manner that always conveys the organisation’s compliance expectations.
3.6 Component 6: monitoring and review
An organisation must ensure that any compliance programme both functions as intended and evolves in response to changing risk factors and government expectations.
Internal review mechanisms may include barrier controls designed to deter and detect bribery. Increasingly, companies are employing data-led approaches, consistent with regulators’ expectations that companies leverage their data to manage compliance programmes effectively.[8] This data can generally be divided into two groups:
- Data collected to identify wrongdoing, such as conducting analyses on travel and entertainment spending.
- Data that provides insight into the effectiveness of a compliance programme, such as per capita whistleblowing numbers.
There is currently much discussion around the use of complex technological solutions, such as artificial intelligence systems, to support an organisation’s compliance programme. Although these can be excellent solutions, particularly for organisations with mature and sophisticated programmes, they present ethical, legal and compliance challenges of their own.[9] In many cases, simpler data approaches will yield equally good results.
The advantage of simplicity is that it is easier to implement, monitor and update. Companies are likely to be held responsible for failures by technology, and so simpler approaches can help non-specialists identify when a system is not working as intended.
Communicating with and paying attention to employees is another important way to monitor compliance programmes; for example, staff surveys, questionnaires and panels often provide important information about the effectiveness of compliance policies. Whistleblowing, discussed above, is a crucial component of any compliance function and, given the expectation of false alarms, companies should be concerned rather than content when there are no such reports over a given period.[10] Although companies should not seek to instil an environment of fear, they must also face the reality that businesses regularly fall victim to bribery and remain alert.
Audits are another common form of evaluating compliance policies. Internal and external audits are complementary processes that vary in scope, purpose and benefit. The primary role of an internal audit is to help a company’s decision makers safeguard organisational assets while supporting operational sustainability and scalability. The scope of an internal audit can vary depending on a business’s needs and objectives. An external audit provides an independent opinion of a company’s position that can establish stakeholder confidence and, if necessary, address regulatory enquiries. External audits are conducted by third parties with no connection to the organisation, who report their findings directly to leadership.
4. Third-party risk management
For most organisations, third parties such as agents and contractors present the greatest source of financial crime and compliance risk.[11] Accordingly, companies should consider developing an integrated system to combat and comprehensively address this risk. Many of the relevant tools have already been discussed; however, it is important that they are combined to build a holistic system for managing third-party risk.
Depending on the organisation, such tools may include:
- a contract manager, or similar, responsible for setting expectations, understanding the relationship, and identifying and escalating concerns;
- counterparty due diligence, both at initial instruction and, where appropriate and proportionate, throughout the life of the relationship;
- contractual terms and warranties that set expectations, ensure compliance by the third party and address any further subcontractor risk;
- requirements of the third party regarding compliance programmes and training;
- monitoring of third parties on a risk basis, including, as appropriate, audit or review of the compliance programme, business activities and identified concerns; and
- other contractual terms such as (1) cost-shifting of failed compliance audits to the failing third party, (2) provisions that require third parties to cooperate with compliance enquiries, and (3) termination rights in appropriate situations.
5. Additional considerations
This section considers, at a macro level, areas of mandatory requirements on certain businesses by virtue of their operation in particular markets and industries (especially financial services or related industries).
Entities carrying on specified regulated activities that are authorised by either the FCA or the Prudential Regulation Authority (PRA) may be subject to specified compliance requirements that go beyond the core components above. It is beyond the scope of this chapter to identify all these specific requirements, but the key structural requirements of the FCA and the PRA include the following:
- Certain firms are required to have a permanent, effective and independent compliance function that is responsible for management of the compliance programme and advising persons responsible for carrying out regulated activities.[12]
- Firms are required to establish, implement and maintain adequate policies and procedures that are sufficient to ensure compliance.[13]
- Certain firms are required, on a proportionate basis, to establish an internal audit function designed to test the adequacy and efficacy of the firm’s systems and internal control mechanisms.[14]
In addition to these structural requirements, the FCA and PRA impose a wide range of specific compliance requirements that do not generally exist in unregulated sectors. Examples include mandatory recording of telephone and electronic communications[15] and immediate record-keeping requirements.[16]
Separate from the regulated sector, above, certain other firms and businesses must register with an anti-money laundering (AML) scheme or with a supervisory authority (or both), and comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. These Regulations set out mandatory compliance requirements for affected entities, including (1) conducting AML risk assessments, (2) criteria for standard, simplified and enhanced customer due diligence, (3) record-keeping and (4) the provision of information about ultimate beneficial owners.
Finally, businesses may be subject to other financial crimes compliance requirements because of their presence in certain industries or the nature of activities they undertake; for example, utility companies are regulated by Ofgem (gas and electricity markets) and Ofwat (water services), and are subject to specific compliance requirements.
6. Certifications and sources
When designing, implementing and evaluating their compliance programmes, companies may wish to seek independent certification from civil society organisations or refer to guidance from regulators; for example, the International Organization for Standardization’s ISO 37001 is an anti-bribery management system standard intended to be flexible enough to be used by companies of all sizes in all jurisdictions.[17] ISO 37001 is currently undergoing a refresh; no final draft is approved, but the current draft modernises the standard by introducing many of the concepts discussed above.
Relying on this type of established framework of recognised best practices and procedures can provide leadership with confidence that their organisation is thinking about compliance appropriately and provide customers with assurance that the organisation is a good corporate citizen.
In the face of a bribery investigation, demonstrable adherence to such external standards may provide evidence that an organisation took reasonable steps to prevent bribery. However, we reiterate that simply adopting best practices without tailoring them to an organisation’s specific risk needs will not be sufficient.
Similarly, there are numerous government guidance documents to which organisations may look when designing, implementing or evaluating their compliance programmes. For entities with domestic operations, the MOJ has published ‘The Bribery Act 2010 Guidance’,[18] which addresses procedures that organisations should implement to prevent bribery, and the Director of Public Prosecutions and the SFO have issued joint guidance[19] for use by prosecutors in determining whether to bring a prosecution. Companies operating internationally, or in US dollars, may wish to also consider the United States Department of Justice’s ‘Evaluation of Corporate Compliance Programs’[20] and ‘Resource Guide to the Foreign Corrupt Practices Act’.[21]
This article first appeared on Lexology.