SFO updates guidelines for firms' compliance efforts
Chris Hamblin, Editor, London, 28 January 2020
The UK's Serious Fraud Office has updated the guidelines that it follows when evaluating financial firms' internal systems and procedures that help them to ensure that they and their employees comply with legal requirements and internal policies and procedures. Bribery seems to be uppermost in the prosecutors' minds.
In large organisations, the MoJ expects this responsibility to rest on the shoulders of the board of directors. Top-level involvement in the prevention of bribery includes, among other things, "assurance of the risk assessment," whatever that means, involvement in the detail of high-profile and crucial decision-making and the selection and training of senior managers to lead the firm's anti-bribery effort.
Principle 3: the need to assess risks
"The commercial organisation [ought to assess] the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment [should be] periodic, informed and documented."
Common external risks mentioned in the guidelines are (according to principle 3.5):
- country;
- sectoral;
- transactional;
- business opportunity;
- business partnership.
Common internal factors mentioned in the guidelines that may increase the level of risk are (as per principle 3.6):
- deficiencies in employees' training, skills, and knowledge;
- a "bonus culture" that encourages risk-taking;
- ambiguous internal rules regarding hospitality and promotions;
- no clear financial controls; and
- no clear message from the top.
Principle 4: due diligence
"The commercial organisation [should apply] due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks."
Principle 5: communication (including training)
This principle covers training, especially tailored training for those in highly risky functions such as purchasing, contracting, distribution and marketing, or those working in highly risky locations, or involved in 'speak up' procedures (e.g. being an informant). Effective training should be continuous, and regularly monitored and evaluated (principle 5.6).
It may (or may not) be appropriate to require third parties to undergo training, particularly for people associated with high risks (principle 5.7).
There must be a secure, confidential and accessible way in which employees and agents can obtain prompt "compliance advice," whatever that is, and raise concerns about bribery (principle 5.3).
Principle 6: monitoring and review
The commercial organisation ought to monitor and review procedures designed to prevent bribery by persons associated with it and make improvements if necessary. The MoJ only suggests that it might be a good idea for the firm to send in people from outside to assess this. It is at this stage that the SFO's paper for "evaluating a compliance programme" ends abruptly.
When to prosecute?
Throughout the text, the SFO mentions the circumstances under which it might prosecute the financial firm. It says that it "needs to assess the state of an organisation's compliance programme for different time periods." It has, of course, a statutory obligation only to take on cases that are in the public interest.
For a true in-depth insight into prosecutions for all corporate offences, the compliance officer ought to read the Guidance on Corporate Prosecutions in conjunction with the Code for Crown Prosecutors. The former is to be found at https://www.cps.gov.uk/legal-guidance/corporate-prosecutions while the latter is at https://www.cps.gov.uk/publication/code-crown-prosecutors