Self-reporting bribery: the ongoing dilemma

"This article was first published in the August 2018 issue of PLC Magazine"

Ruth Cowley, Pamela Reddy, Keith Rosen, Andrew Reeves and Daniel Kacinski of Norton Rose Fulbright examine the key considerations for companies in the UK and the US in deciding whether, when and what to self-report.

Authorities in the US, the UK and other jurisdictions are increasingly seeking to incentivise corporate self-reporting of bribery issues, but deciding whether or not to self-report remains a complex balancing act.

The likelihood of obtaining the potential benefits of self-reporting in the US and the UK appears less certain following the revised US Foreign Corrupt Practices Act of 1977 (FCPA) corporate enforcement policy (FCPA policy) released in November 2017 by the US Department of Justice (DoJ), and recent Serious Fraud Office (SFO) cases and commentary (www.justice.gov/criminal-fraud/file/838416/download).

Deciding whether, when and how to report are just the first steps in a long process towards potentially receiving a deferred prosecution agreement (DPA). Despite the efforts of US and UK authorities to incentivise voluntary self-reporting, significant risks remain, ranging from possibility of exposure to civil liability to the possibility of not receiving full disclosure credit or not receiving a DPA, as in R v Skansen Interiors Limited (unreported) (see The UK position below). While reporting is ultimately a business decision, it is one with wide-reaching implications, and one that companies must make carefully, yet quickly, weighing the risks against the potential benefits.

This article sets out the key considerations in the US and UK for companies in deciding whether, when and what to self-report (see box Key takeaways).

There is no legal requirement to report bribery to either the SFO or the DoJ: self-reporting is a commercial decision for the company, balancing the benefits and risks on the facts in question, in particular, the scale of the potential issue and the risks of it otherwise being reported or publicised. In the UK, a company may have other reporting obligations, for example to the Financial Conduct Authority (FCA) or the need to seek consent from the National Crime Agency? in relation to dealing with potentially tainted funds, which mean that the SFO may become aware of the matter in any case.

Given the global increase of enforcement actions in relation to bribery, enhanced international co-operation between authorities, and the move towards DPA systems in more jurisdictions, a company considering whether or not to self-report needs to ensure that it considers the risks and benefits of doing so on a global basis and with a clear understanding of regulators’ likely expectations as to further co-operation (see feature article “Deferred prosecution agreements: moving into the unknown”). For example, self-reporting is mandatory in some jurisdictions such as South Africa. Further DPAs have been introduced in France and Singapore, and are being considered in Canada, Poland and Australia.

Individual directors also need to consider carefully their own position and potential criminal and civil liability, and act appropriately in the circumstances (see below "Considerations for individuals"). A company needs to ensure that any self-report is made to relevant authorities quickly enough to gain co-operation credit, or (in the US) achieve a declination (where the authorities decline to prosecute the matter) or deferment  of prosecution in the relevant jurisdictions. There is a tension between self-reporting sufficiently quickly and the need to investigate an allegation to determine whether (and if so, what) to report.

The UK position

Under English company law, directors have to consider the best interests of the company as a whole in making decisions. The Companies Act 2006 provides that directors must act in the way that they consider, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole (section 172(1)). This includes consideration of the likely consequences of any decision in the long term and the desirability of the company maintaining a reputation for high standards of business conduct.

So in deciding whether or not to self-report, the directors will have to weigh up the potential benefits and risks of self-reporting. Benefits include:

• The potential to secure a DPA.
• The reduction in financial penalties.
• Potential long-term reputational advantages.

Possible risks include:

• The potential damage to the company’s share price resulting from an announcement of an external investigation.
• Additional investigation and remediation costs.
• Business disruption.
• Senior management changes that may be required.
• Potential civil litigation.

In a speech given in September 2017, Alun Milford, general counsel at the SFO, emphasised that reform, including the removal of senior managers who are either implicated in, or should have been aware of, the criminality, has been a key element in all DPA judgments.(https://www.sfo.gov.uk/2017/09/05/alun-milford-on-deferred-prosecution-agreements/).

Civil litigation arising out of bribery issues is well established in the US and is increasing in the UK and other jurisdictions (see Briefing "Third-party bribery and corruption: managing the legal risks when issues arise", www.practicallaw.com/w-010-4888).

Many companies that self-report to the SFO do so primarily in order to increase the likelihood of securing a DPA, which

• Avoids a corporate criminal conviction, which could result in unwanted consequences such as likely debarment from tendering for public procurement contracts (in the UK, under the Public Contracts Regulations 2015 (SI 2015/102)).
• Is likely to lead to a quicker resolution of the matter as compared to a prosecution.
• Should lead to a reduction in any fine so that it is broadly comparable to the fine that a court would have imposed following conviction after a guilty plea, where the circumstances are comparable to the submission of an early guilty plea by the company. For example, in the Standard Bank DPA, which was the UK's first DPA, there was a reduction of 30 per cent (see News brief "Bribery Act 2010: SFO concludes first deferred prosecution agreement", www.practicallaw.com/3-622-1169). In the case of the DPA for the unidentified company known as XYZ, there was a reduction of 50 per cent, which was stated to be as a result of admissions having been made far in advance of the first reasonable opportunity of being charged (www.sfo.gov.uk/2016/07/08/sfo-secures-second-dpa/).

While self-reporting is not a requirement for a DPA (Rolls Royce, for example, achieved a DPA but did not self-report), it will be a significant factor in determining whether or not a DPA is offered (see box "The Rolls Royce DPA"). The SFO has been clear that self-reporting is still a key feature of the profile of a case suitable for resolution by DPA but it is no guarantee of achieving a DPA in the UK; it forms only part of the co-operation required to potentially qualify for a DPA (www.sfo.gov.uk/2017/03/08/the-future-of-deferred-prosecution-agreements-after-rolls-royce/).

The decision on whether to approve a DPA will ultimately be determined by the court, having considered public interest factors as well as the level of co-operation by the company. For example, in R v Skansen Interiors Limited, a dormant company was prosecuted on public interest grounds for failing to prevent bribery despite self-reporting the matter to the police and asking them to investigate the matter (unreported; see News brief "Failure to prevent bribery: first contested prosecution", www.practicallaw.com/w-013-8901).The Crown Prosecution Service (CPS) explained that there was a public interest in sending a message to industry to take the Bribery Act 2010 seriously and to implement proper controls.

In appropriate circumstances, self-reporting may also lead to no criminal action being taken, although it is likely that the SFO will undertake some level of investigation in any case and require a significant amount of information and material to be provided by the company.

Sir David Green, then Director of the SFO, speaking at the Annual National Institute on White Collar Crime in March 2018, made it clear that the SFO will not accept a "Damascene conversion"; that is, a situation where a company and its lawyers fail to co-operate with the SFO for a lengthy period and then suddenly the company makes some management changes, replaces its lawyers and requests a DPA. Sir David Green said that no self-reporting meant no DPA.

The US position

The DoJ clearly wants companies voluntarily to disclose potential FCPA violations, but whether or not a company should make this disclosure requires a careful analysis of the potential benefits as well as the serious risks. In recent years, the DoJ has made a significant effort to encourage companies to engage in ethical corporate behaviour, including by fully co-operating with government investigations, doing what is necessary to remedy misconduct and notifying law enforcement about wrongdoing (www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign).

It should be noted that this move towards encouraging good corporate behaviour extends beyond the FCPA and foreign bribery; DoJ officials announced in March 2018 that the FCPA policy will be used as non-binding guidance in non-FCPA cases (https://globalinvestigationsreview.com/article/1166274/doj-expanding-use-of-fcpa-declination-policy-principles). Along these lines, the FCPA policy, announced in November 2017, aims to provide benefits to companies who voluntarily self-disclose potential violations, fully co-operate with the DoJ and appropriately remediate the violations in a timely manner (www.justice.gov/usam/usam-9-47000-foreign-corrupt-practices-act-1977).

The FCPA policy, on its face, appears to incentivise companies to self-disclose potential FCPA violations and fully co-operate in any resulting investigations. It provides that when a company has voluntarily self-disclosed misconduct, fully co-operated, and remediated in a timely and appropriate manner, there will be a presumption that the company will receive a declination, in the absence of aggravating circumstances. This presumption is a significant change from the previous policy under which the DoJ would merely consider granting a declination. Even if aggravating factors are present and therefore the DoJ pursues the company, the company achieves greater certainty than under the previous policy as the DoJ will grant a 50 per cent reduction in fines, whereas previously the DoJ was only committed to consider a reduction in fines.

Companies must take into account many potential consequences when considering a disclosure. The FCPA policy is only a non-binding guideline that does not create any enforceable rights or provide any ability for recourse if the DoJ chooses to deviate from it (www.justice.gov/usam/usam-1-1000-introduction). Even if it were binding, the DoJ retains significant discretion under the FCPA policy to grant or withhold credit for disclosure. For example, unlike the UK position, self-reporting in the form of a voluntary self-disclosure is a requirement to receive a declination under the FCPA policy. The DoJ alone determines whether a given disclosure is, in fact, voluntary.

Companies therefore risk not receiving any credit for their disclosure even with the apparently more business-friendly FCPA policy in place. In addition, receiving a declination from the DoJ will not necessarily preclude civil enforcement actions being taken against the disclosing company. The Securities and Exchange Commission (SEC), for example, frequently pursues parallel civil enforcement actions that will not necessarily be settled by a resolution under the FCPA policy. Companies considering making a disclosure to the DoJ must also consider simultaneous disclosures to the SEC, and be prepared for additional penalties and remediation requirements beyond the DoJ. For example, the SEC Enforcement Division operates a co-operation programme which provides incentives to encourage greater co-operation by individuals and companies in SEC investigations and enforcement actions (www.sec.gov/spotlight/enforcement-cooperation-initiative.shtml).

Companies need to also keep in mind that admissions made in a DPA or in connection with a declination may be used against them in a shareholder action. While these cases have been generally unsuccessful, the cost of possible future litigation needs to be considered. For example, in Re VEON Ltd, litigation which relied on admissions made in a DPA was permitted to continue (Sec Litig, No 15-CV-08672 (ALC), 2017 WL 4162342 (SDNY September 19, 2017).

Accordingly, while the FCPA policy provides greater clarity in many respects, considerable uncertainty remains. For example, the DoJ has not defined what constitutes "aggravating circumstances" that would preclude the presumption of a declination. Also, the FCPA policy statement that companies must pay all disgorgement, forfeiture or restitution resulting from the misconduct to qualify for the potential benefits of the FCPA policy is so broad that payments for all misconduct, rather than just FCPA-related conduct, may be required to qualify for any benefit.

The DoJ has said that the FCPA policy does not provide a guarantee or eliminate all uncertainty because preserving a measure of prosecutorial discretion is central to ensuring the exercise of justice. However, the FCPA policy aims to strike the balance in favour of greater clarity about the DoJ's decision-making process. The DoJ has said that the advantage of the FCPA policy for businesses is that it provides transparency about the benefits available for those that satisfy the requirements and that it wants corporate officers and board members to better understand the costs and benefits of co-operation (www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign).

Leap into the unknown

One of the great difficulties in assessing whether or not to self-report is the uncertainty as to whether self-disclosure will result in a DPA in the UK, or a DPA or a declination in the US. This uncertainty exists in both jurisdictions, although to different extents. Historically, in the UK, it used to be the case that a company which self-reported was likely to receive only a civil sanction. However, following criticism from the Organisation for Economic Co-operation and Development, the SFO revised its self-reporting guidance (SFO self-reporting guidance) in 2012 to make it clear that self-reporting is no guarantee that a prosecution will not follow (www.sfo.gov.uk/publications/guidance-policy-and-protocols/corporate-self-reporting/; see News brief "Self-reporting financial crime: moving the goal posts", www.practicallaw.com/1-522-6197).

In comparison, the US historically took the position that there was no guarantee of a declination or DPA even where a company made a voluntary self-disclosure, but the adoption of the FCPA policy arguably provides greater certainty that a company will receive a declination or DPA. Neither the SFO nor the DoJ consider self-reporting to be sufficient in itself to achieve a DPA or, in the US, a DPA or a declination. It is only the first stage in the extensive co-operation that will be required, the terms of which will be unknown at the time of the self-report.

In both the US and the UK, self-reporting starts a process over which the company has little control and which, if it does not co-operate to the prosecutor’s satisfaction, may put it in a worse position than it started in, particularly given that it may have disclosed an issue which may otherwise not have come to light or provided material to the prosecutor that it might otherwise not have obtained. Reporting to one regulator may also bring a matter to the attention of other regulators in that jurisdiction and other jurisdictions.

There are also considerations unique to each jurisdiction that increase the uncertainty associated with self-disclosure. For example, in the UK, court approval is required for a DPA, so even if the SFO recommends a DPA after extensive co-operation, the court may reject it.

Whilst judicial approval is not required for a declination or DPA in the US, uncertainty arises in connection with the significant leeway that US prosecutors have to withhold the benefits under the FCPA policy even after a company has self-disclosed. In addition, the requirements for timely disclosure in the US may mean that decisions regarding disclosure will need to be made quickly and with imperfect information, which raises the risk that the benefits of disclosure may not be granted (see "US timing requirements" below).

The US courts have almost no authority to approve or monitor a company's compliance with a DPA, although charges remain pending on the court's docket where a DPA is entered into. At most, a court can determine that a DPA is bona fide and not a disguised attempt to circumvent the requirements of the Speedy Trial Act of 1974 (United States v HSBC Bank USA, NA, 863 F.3d 125, 138 (2d Cir 2017); United States v Fokker Services BV, 818 F.3d 733, 744 (DC Cir 2016).

Considerations for individuals

In the UK, individuals, including directors, may be exposed to the risk of committing money laundering offences in relation to funds that are potentially the proceeds of crime (for example, proceeds of potentially tainted contracts) unless the company obtains consent from the NCA to take decisions in relation to those funds under section 338 of the Proceeds of Crime Act 2002. The NCA may then report the matter to the SFO. UK directors should also take advice on their own duties and liability if contracts potentially obtained by corruption are ongoing and the counterparties to those contracts are not informed that corruption may have been involved.

In the US, individuals are also subject to potential liability. The FCPA policy makes clear that, in order to qualify for voluntary disclosure credit, a company must disclose all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law. The language is broad enough that companies must disclose information regarding any potential criminal conduct, not just FCPA violations, if seeking to make a voluntary disclosure.

Considering that conduct that potentially violates the FCPA could also be covered by a number of other US statutes, ranging from wire and mail fraud to Travel Act or tax law violations, individuals and companies must keep in mind that voluntary disclosure of possible FCPA violations may open the floodgates to other criminal liability.

Companies must be ready to make current and former directors, officers, employees and agents available for interviews with the DoJ if requested. This requirement covers persons outside of the US who might not otherwise be subject to US jurisdiction, and, where possible, third parties. Since disclosure must be made at an early stage in the US, companies must be prepared to make this level of disclosure without full knowledge about the extent of an individual's involvement or the individual's exposure to liability.

Reaching and documenting the decision to self-report

Companies need to consider how they will decide to make a self-report. In the UK, it is essential that any decision on self-reporting is taken by directors who are independent from the underlying allegation and that the decision is properly considered with appropriate advice and documented. Whatever decision is made, a board needs to ensure that the matter is investigated and appropriate remediation steps are taken to minimise ongoing criminal, civil and reputational risks, and avoid the perception of having suppressed the matter (see feature article “Corporate investigations: key issues for boards and in-house lawyers”, www.practicallaw.com/0-619-0485).

Failing to respond properly to a potential bribery issue will make it very difficult to obtain any credit or make out a defence of “adequate procedures” under section 7 of the Bribery Act 2010, and will expose the directors to the risk of litigation whether or not they were involved in the underlying issue (see Briefing "Bribery Act 2010: still a sleeping giant", www.practicallaw.com/8-584-9550).

In making a decision regarding self-reporting, companies must take care to ensure that any internal investigation is conducted properly, and be conscious that the decisions made as a part of that investigation may be opened to external scrutiny. The FCPA policy explicitly requires companies to provide all relevant facts gathered during their independent investigation to the DoJ, even when not specifically asked to do so. Investigating an allegation but then choosing not to disclose it in a timely manner virtually guarantees that the DoJ will refuse to provide any credit for disclosures made later, as can be seen in the case of Panasonic's DPA (United States v Panasonic Avionics Corp, No 18-CR-00118 (DDC 30 April 2018); www.justice.gov/criminal-fraud/file/1058571/download).

Beyond disclosure to law enforcement agencies, companies may also be obliged to release internal investigation records to the public, especially if the company is a public company (see box Public disclosure).

Both the DoJ and SFO require a self-report to be made within a reasonable time and before they are aware of the matter in question

The FCPA policy specifies that, to be considered voluntary, a disclosure must

• Occur before an imminent threat of disclosure or government investigation.
• Occur within a reasonably prompt time after becoming aware of the offence.
• Disclose all relevant facts known about the violation.

In the UK, the SFO's and CPS's Code of Practice on DPAs (UK DPA Code) states that co-operation involves reporting offending otherwise unknown to the prosecutor within a reasonable time of the offending coming to light (www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf).

The UK DPA Code states that not reporting within a reasonable period is a public interest factor in favour of prosecution, while the Sentencing Council states that concealing an offence may result in heavier penalties being imposed (www.sentencingcouncil.org.uk/wp-content/uploads/Fraud_bribery_and_money_laundering_offences_-_Definitive_guideline.pdf).

What is a reasonable time?

In the Standard Bank DPA, the court gave considerable weight to the fact that Standard Bank immediately reported itself to the authorities. Much has been made of their promptness in self-reporting within days of suspicion coming to its attention. However, Standard Bank should not be viewed as setting a precedent for the speed of self-reporting given the unique context of the case

• The bank had already filed a suspicious activity report with the NCA in accordance with the Proceeds of Crime Act 2002 and is regulated by, and has reporting obligations to, the FCA. Given information-sharing processes between UK regulators, the SFO would likely have found out about the matter very quickly had Standard Bank not self-reported promptly.
• The fact pattern was relatively straightforward and self-contained: money was paid to an entity identified as potentially controlled by a government official, the majority of the funds paid were withdrawn in cash by another former government official, and the payment related to a specific contract with an easily identifiable benefit.

In the XYZ DPA, a law firm was retained within a week after concerns came to light and the SFO was orally informed around four weeks later that a self-report may be made by an unidentified party. The identity of the company was not disclosed for another five weeks, making a total of around ten weeks after the concerns came to light. Taking these DPAs together with indications from the SFO in 2016 that it increasingly recognises that some level of initial internal investigation is required (see below), a period of around two months of internal investigation would seem to be acceptable before a self-report is made. However, this will need to be accelerated if the matter is likely to come to the SFO’s attention sooner.

For example, Matthew Wagstaff, the SFO's joint head of Bribery and Corruption, has acknowledged that it is unrealistic to expect a company to pick up the phone to the SFO at the very moment it first becomes aware of potential wrongdoing (www.sfo.gov.uk/2016/05/18/role-remit-sfo/). In a similar vein, Alun Milford has said that it is reasonable for a company to undertake an initial assessment of the strength of a complaint (www.sfo.gov.uk/2016/03/29/speech-compliance-professionals/). These views contrast with an earlier speech in 2013 in which Sir David Green stated that an initial report of suspected criminality should be made to the SFO as soon as it is discovered (http://thebriberyact.com/self-reporting-the-definitive-sfo-guide/).

US timing requirements

The US requirement that companies must report before an immediate threat of disclosure or government investigation is perhaps the most opaque element of the FCPA policy for companies considering voluntary disclosure. As noted, any amount of public information from any source could disqualify a company from receiving any credit for disclosure, even if that information is not easily accessed, readily available, or the company is not otherwise aware of it.

Worse still, the "imminent threat" language could disqualify disclosure by a company even where no public information exists at the time of the disclosure; if the DoJ determines that the information might have become known, it can deny credit and pursue a prosecution.

In addition, the "government investigation" language means that it is possible for credit to be denied if a government investigation, even one in secret, began before disclosure, despite that fact that it would have been impossible for a company to know this information.

However, a company can still receive credit if its disclosure is not timely as long as it fully co-operates and appropriately remediates but it will not be entitled to a declination and will receive, at most, a 25 per cent reduction off of any sentence. Companies therefore have a very narrow window for self-reporting any FCPA violation in order to receive a declination, and this compressed timeline may require companies to make decisions on self-reporting based on substantially incomplete information.

Given the importance of the timeliness of the self-disclosure, companies will often have to make a decision on self-reporting at an early stage, before a proper internal investigation can be completed and before the extent of the alleged misconduct may be understood. The FCPA policy and UK DPA Code refer respectively to self-reports “after becoming aware of the offence” and “within a reasonable time of the offending coming to light” but, in most cases, offences are not identified in the initial stages of an investigation. Instead, allegations or red flags are identified which require investigation to determine the likelihood of offences having been committed and, if so, in which jurisdictions. In some cases, therefore, a company may need to consider self-reporting in all relevant jurisdictions despite having a very provisional understanding of the underlying facts.

Once a decision to self-report has been made, there are specific requirements that must be met. The SFO self-reporting guidance states that a self-report must include any internal investigation reports, supporting evidence (for example, emails and banking evidence) and witness reports. In practice, where a self-report needs to be made quickly, it may make sense to notify the SFO without having all of this material, whether anonymously, as in the case of XYZ, or not, as in the case of Standard Bank, and then follow up with further material.

Under the FCPA policy, companies face significant reporting requirements to qualify for full co-operation. Beyond fully and timely disclosing all relevant facts, they must also proactively co-operate and disclose information even if not asked; collect and preserve relevant documents; engage in de-confliction of internal investigations where asked (that is, defer interviews of employees and other internal investigatory steps until the government has completed its investigation); and make current and former employees and officers available for interviews.

Consistent with the September 2015 USA Yates Memorandum on individual accountability for corporate wrongdoing, the FCPA policy requires a self-disclosure to include details of all individuals involved in the violation of law. Considering that reports may need to be made based on imperfect information due to the importance of timeliness of reporting, there is therefore a challenging balance to be struck between timely self-reporting and ensuring the accuracy of what is being disclosed. Additionally, as noted above, reporting may not be limited to the DoJ; the SEC frequently pursues its own parallel civil FCPA enforcement actions with which companies would also have to co-operate (see "The US position" above).

Co-operation does not end at self-reporting or the provision of information and data. To receive co-operation credit, companies must take proactive measures both to understand and remediate the issue, demonstrate that they have analysed the cause of the issue and addressed its root causes (including dealing with employees at fault, and implementing an effective compliance programme to seek to prevent a repeat).

Ruth Cowley and Pamela Reddy are partners, and Andrew Reeves is a senior associate, at Norton Rose Fulbright London. Keith Rosen is a partner in the Washington DC office, and Daniel Kacinski is an associate in the New York office, of Norton Rose Fulbright.