The US Department of Justice (DoJ) recently published a useful document on the Evaluation of Corporate Compliance Programs. The document sets out the things that the DoJ would be looking for in a corporate compliance program under 11 helpful headings.
In some respects the document is similar to the Guidance that the UK Ministry of Justice issued under the Bribery Act 2010 in March 2011. That is not a coincidence as the US authorities cooperated in producing the MoJ Guidance. We give more background to the MoJ Guidance and the Bribery Act 2010 in our Bribery Act 2010 FAQs here. Whilst the MoJ Guidance has just six principles it can be seen that a lot of the same ground is covered. As an illustration the table below shows some comparisons between the two documents:
| | US DoJ | UK MoJ |
|---|---|---|
| 1. | Analysis & remediation | Covered in Principle 1 – see e.g. 1.2, 1.3 |
| 2. | Senior & middle management | Covered in Principle 2, although the Bribery Act 2010 Guidance concentrates more on top-level commitment rather than middle management. |
| 3. | Autonomy & resources | No specific Principle as such, but resourcing is dealt with elsewhere, e.g. 3.3 “Appropriate resourcing – this should reflect the scale of the organisation’s business and the need to identify and prioritise all relevant risks”. |
| 4. | Policies & procedures | Covered in Principle 1 – see e.g. 1.2, 1.6, 1.7, 3.3 |
| 5. | Risk assessment | Covered in Principle 3: Risk Assessment |
| 6. | Training & communication | Covered in Principle 4: Communication (including training). See also e.g. 2.3 regarding a statement. |
| 7. | Confidential reporting of investigations | Covered in Principle 6: Monitoring and review |
| 8. | Incentives & disciplinary measures | No specific Principle as such. Some aspects are referred to in other Principles – for example, 1.7 looks at “Direct and indirect employment, including recruitment, terms and conditions, disciplinary action and remuneration”. |
| 9. | Continuous improvement, periodic testing & review | Covered in Principle 6: Monitoring and review. |
| 10. | Third party management | No specific Principle as such, but covered in Principle 4: Due Diligence. |
| 11. | M&A | No specific Principle as such, but covered in Principle 4: Due Diligence. |
We have looked at the possible conflicts between data protection law in the EU and investigations into possible wrongdoing in our Bribery Act FAQs. It is likely that these issues will be magnified by the Evaluation’s renewed focus on issues like information gathering and analysis, the increasing use of Big Data in investigations and regulatory enforcement, and forthcoming changes to EU data protection law, including the General Data Protection Regulation (GDPR). We have written on the SFO’s use of Big Data here, and our GDPR FAQs are here.
The heightened penalties under the GDPR in particular are likely to cause increased conflicts. Under GDPR the possible fine for a breach of data protection law is 4% of global annual revenue or €20m, whichever is greater. As an example, much has been made of the perceived high level of fine in the Rolls-Royce Deferred Prosecution Agreement under the Bribery Act 2010 in January. Our alert on that is here. The UK element of the Rolls-Royce fine was around £497 million. As an illustration of the higher fines under GDPR: currently, were Rolls-Royce to breach data protection law, the maximum fine in the UK is £500,000. After 25 May 2018, when GDPR comes in, Rolls-Royce would be subject to a potential fine for data protection breaches of £549 million.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong | André Bywater |
|---|---|
| Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |