
Freshfields Risk & Compliance


Implementing an Effective Compliance Management System

The primary objective – and advantage to a corporate – of an effective compliance management system is that it might prevent a compliance issue from arising at all. However, if such an issue does arise, and if companies subsequently face criminal or regulatory investigation as a result, the existence of an effective compliance management system can have an important impact on the way in which any such investigation is resolved, as well as on the severity of any sanctions imposed. For instance, in many cases, having an effective compliance programme in place, either at the time of the wrongdoing or at the time charges are brought, can lead to a reduction of fines or more favourable settlements. In certain jurisdictions companies may even avoid criminal liability for particular offences if they had an effective compliance programme in place at the relevant time. We explore the consequences of effective compliance management systems on corporate criminal liability, with a focus on the US, the UK, and Germany.

US

In cases involving corporate wrongdoing, the United States Department of Justice (“DOJ”) explicitly considers the strength of a company’s compliance program as an important factor in two ways: 

  1. determining the form of a corporate resolution; and 
  2. the nature of a penalty, including the amount of a fine and the decision to impose a corporate monitor. 

These principles can be drawn from two sources:

  1. DOJ’s Justice Manual (“JM”) and other policy statements; and 
  2. the United States Sentencing Guidelines (“USSG”), which govern sentencing recommendations.

Decision to Charge and the Nature of Resolution

The Justice Manual (“JM”) outlines 11 factors which DOJ prosecutors are required to consider in evaluating corporate culpability. In addition to important factors focusing on the nature and seriousness of the offense, voluntary self-disclosure and cooperation with the government, corporate recidivism, and complicity of management, two separate factors explicitly focus on the strength of corporate compliance programs:

  • The adequacy and effectiveness of the corporation’s compliance program at the time of the offense and at the time of a charging decision (factor #5); and
  • The corporation’s remedial actions, including any efforts to implement an adequate and effective corporate compliance program (factor #7).

DOJ policy explicitly states the adequacy of a compliance program can have a “direct and significant” impact on the decision to charge, as well as the terms of a corporate resolution and the decision to require the imposition of an independent corporate monitor (which can carry significant expense). The guidance asks prosecutors to consider whether programs have established a commitment to a strong culture of compliance at all levels of the company.  Having strong policies on paper is insufficient, as the DOJ will evaluate whether policies are reasonably applied through employee discipline and how whistleblower complaints are treated. In addition, the DOJ has announced a recent focus on compliance incentives created by compensation plans. In March 2023, the DOJ launched a Compensation and Incentives Clawback Pilot Program, which allows companies to reduce criminal fines by attempting in good faith to claw back compensation from individual offenders, even if the attempts are unsuccessful, and allows the company to retain recovered funds. Notably, these factors are assessed at the time of the offence, as well as the point in time that a resolution is finalized, which provides opportunities to companies to earn credit towards leniency by taking serious remedial steps after detecting unlawful activity to strengthen compliance programs to reflect lessons learned. 

The strength of corporate compliance programs is also directly accounted for in the USSG, which provide sentencing recommendations that must be accounted for by DOJ in negotiating resolutions, and by courts in approving them. Specifically, USSG 8B2.1 outlines the elements of a strong compliance and ethics program, including, among other things, that it be subject to adequate management oversight, be effectively implemented and enforced, be periodically reevaluated for effectiveness, permit anonymous and confidential whistleblower reporting, and create appropriate incentives through discipline. In instances in which an effective corporate compliance program exists within the guidance set forth by the USSG, the recommended maximum fine is reduced by approximately 30 percent. Over the past two years, DOJ resolutions that have permitted such reductions have consistently referred to credit being provided because of the target company’s compliance program’s timely remedial measures, including conducting an analysis of the root cause of the underlying conduct, undertaking a comprehensive risk assessment with focus on high risk areas and controls around payment processes, eliminating third parties, significantly increasing its budget and resources devoted to its compliance program, and enhancing internal policies.

 

UK

A company which is able to show that it had at the time of offending, or has currently in place, an effective compliance system designed to prevent economic crime may benefit in a number of ways under UK law if it becomes the subject of enforcement action. For instance, it may impact:

  • whether or not an offence has been committed at all;
  • the decision to prosecute;
  • whether a Deferred Prosecution Agreement (“DPA”) is suitable (as an alternative to prosecution) and, if it is, the conditions contained within the DPA; and
  • sentencing and the level of any fine imposed. 

We briefly consider each of these points below.

Complete Defence to Certain Offences

The existence of adequate or reasonable prevention procedures affects whether certain offences have been committed at all under UK law. Specifically, under the ‘failure to prevent’ model contained within section 7 of the UK Bribery Act 2010 (for bribery), part 3 of the Criminal Finances Act 2017 (for the facilitation of tax evasion) and, most recently, section 199 of the Economic Crime and Corporate Transparency Act 2023 (for fraud), the existence of adequate or reasonable procedures designed to prevent these offences being committed provides a complete defence. 

The adequate or reasonable procedures defence has not yet been seen to operate as a full defence in this context and remains relatively untested. However, if a company has a positive story to tell on its compliance environment, then even if a complete defence is not available this can have a strong mitigating impact on the outcome of an enforcement process in other ways. 

Decision to Prosecute

First, as expressed in the SFO’s Guidance on Evaluating a Compliance Programme, the SFO’s assessment of an organisation’s compliance framework informs whether a prosecution is in the public interest and should be pursued at all. This operates in two ways:

  • In relation to the state of a corporate’s compliance programme at the time that the alleged offending took place, the existence of an ineffective corporate compliance programme is a public interest factor weighing in favour of prosecution. 
  • By contrast, remedial action taken by an organisation to strengthen an otherwise inadequate programme operates as a public interest factor weighing against prosecution.

DPA Availability and Terms

Secondly, for many companies faced with criminal exposure, entering into a DPA as an alternative to prosecution is an attractive option and the state of the company’s compliance programme is a factor that will be taken into account both when a prosecutor is assessing an organisation’s suitability for a DPA and, if an invitation to negotiate a DPA is issued, when settling the terms of the agreement. 

In practice, DPAs entered into in the UK have largely included terms requiring the relevant organisation to implement or make improvements to its existing compliance programme. The extent of these terms can range from undertaking to make necessary updates and revisions to an existing, effective compliance programme (where, for example, that programme has already been the subject of significant enhancement, as in the CPS’s recent DPA with Entain plc) to appointing, and implementing the recommendations of, an independent external reviewer for the period of the DPA (as in the SFO’s 2020 DPA with G4S Care & Justice Services (UK) Limited).  In our experience, the cost to and management-time commitment involved for the corporate in relation to situations like the latter can be onerous, particularly when the discharge of the DPA depends on achieving a measurable degree of compliance transformation. There are therefore significant benefits to be derived from being able to show, by the time that any criminal exposure is being resolved, that the organisation’s compliance framework is fit for purpose, especially insofar as it relates to preventing a repeat of issues of the same nature as those being resolved. 

Sentencing

The state of a corporate’s compliance system is also relevant to sentencing considerations. 

Specifically, the Sentencing Council’s Guideline on Fraud, Bribery and Money Laundering offences for corporate offenders indicates that where an organisation has made an effort to put bribery prevention measures in place, but these are insufficient to amount to a defence under section 7 of the UK Bribery Act[1], this may reflect ‘lesser culpability’ and could, therefore, contribute to a lower fine being imposed.

However, unlike in the US and Germany, there has been little overt consideration of the existence of an effective compliance environment as a factor leading to a reduction of fines. Greater weight is given, in practice, to factors such as proactive co-operation with the authorities (which has led to reductions of up to 50% being applied in multiple DPAs) and early guilty pleas (which can result in reductions of one-third).

 

Germany

In Germany, companies cannot be held criminally liable, but can be subject to (high) fines in regulatory offence proceedings if criminal or regulatory offences committed by a representative or employee of the company can be attributed to the company. For example, offences committed by employees can be attributed to the company if board members or other persons in leading positions fail to establish appropriate controls that would likely have prevented the offence, or at least would have made it significantly more difficult to commit. This means that failure to implement a compliance management system to prevent non-compliance can result in severe fines – for the company and the individual person who has violated supervisory duties – if non-compliance occurs. In addition, if compliance management systems are in place ensuring that appropriate supervisory measures have been undertaken this may lead to a complete exclusion of liability. However, in practice, we rarely see such exclusion of liability. Rather, enforcement authorities tend to conclude that the compliance management system was inadequate when non-compliance occurs because otherwise it would have prevented the non-compliance. The situation may be different in cases involving a single offender (“bad actor”) who has deliberately and intentionally circumvented existing compliance regulations; in these cases, authorities seem to be more open to the argument that the misconduct could not have been prevented.

However, effective compliance management systems can lead to a reduction in fines, even if this is not expressly provided for in the German Administrative Offences Act (OWiG). There have been numerous cases where public prosecutor’s offices have reduced the fine against the company due to a – basically effective – compliance management system. Further, the German Federal Court of Justice (BGH) has confirmed in a landmark decision in 2017 that the establishment of an effective compliance management system designed to prevent non-compliance can be considered when determining the amount of a fine, as well as measures that have been taken after proceedings have already been initiated in order to make future violations significantly more difficult (BGH, decision of 9 May 2017 – 1 StR 265/16; confirmed by BGH, decision of 27 April 2022 – 5 StR 278/21). In addition, recent legislation in antitrust law and in the Supply Chain Due Diligence Act expressly provides that adequate and effective precautions should be considered when determining the amount of the fine; even measures that have been implemented after the misconduct has taken place can be considered when determining a fine. 

Apart from the compliance management system, one other factor plays an important role in reducing the fine imposed on a company: internal investigations and cooperation with authorities. In cases where the company cooperated and provided the authorities with the results of the internal investigation, we have seen cases where the fine was reduced by more than EUR 10 million. Further, authorities tend to take costs for an internal investigation into account when calculating the fine.

 

Conclusion

Effective compliance management systems play an essential role in mitigating the impact of corporate criminal liability. By fostering a culture of compliance and implementing robust preventive measures, companies can not only prevent misconduct but can also significantly improve outcomes and reduce fines when violations occur. The US, UK and Germany each offer clear examples of how strong compliance systems can lead to more favourable outcomes for companies facing criminal investigations. This also helps companies to maintain their reputation and integrity in the market. In practice, this underscores the importance of companies looking ahead and installing effective compliance programmes to tackle corporate crime and to mitigate risks arising from enforcement action.

 


 

[1] The Guideline was produced before the ‘failure to prevent’ offences in the Criminal Finances Act 2017 and the Economic Crime and Corporate Transparency Act 2023 were introduced but would no doubt apply equally to those offences.
