Out-Law Analysis | 21 Sep 2015 | 10:15 am | 3 min. read
While there is no magic answer to the question of how a company can protect itself and prevent regulatory breaches, an effective compliance programme is undoubtedly the strongest armour that a company can have. The most effective compliance programmes take a holistic approach, becoming embedded in the culture and lifeblood of your organisation.
Often, boards can be comforted by the ever-increasing range of policies, procedures and guides in place to cover different regulatory issues: health and safety, anti-bribery, anti-money laundering. However, compliance does not mean merely having an appropriate policy in place. Mere policies will be cold comfort to your organisation if, when the regulators blow the dust off them, they realise that the culture of the company is one of apathy - or, worse still, blatant disregard.
What are the regulators doing?
Across the full spectrum of regulatory issues fines are on the increase, enforcement is gathering speed and companies and their directors are staring very real risks in the face.
To date this year, the Serious Fraud Office (SFO) has opened 16 investigations into companies including Tesco and GlaxoSmithKline and into allegations of fraudulent conduct in the foreign exchange (forex) market. Bearing in mind that its conviction rate was 78%, it achieved £26.5 million in confiscation orders and made further recoveries of £13.7m last year, it is clear that the independent government department has some serious bite.
In December 2014, the SFO obtained its first convictions under the Bribery Act. Two former directors and the current director of Sustainable AgroEnergy received sentences of 13, nine and six years respectively for their conduct in relation to a £23m biofuel scheme in Cambodia. The Smith and Ouzman convictions swiftly followed: the company chairman was sentenced to 18 months' imprisonment, suspended for two years, for two counts of corruptly agreeing to make payments, and the sales and marketing director to three years' imprisonment for three counts of corruptly agreeing to make payments. The company itself has not yet been sentenced.
The headlines have rarely been without some reference to the investigations being carried out by the Financial Conduct Authority (FCA). The first criminal conviction by a jury for manipulation of LIBOR, the London Interbank Offered Rate, was secured in August 2015: a former derivatives trader at UBS and Citigroup was found guilty of eight counts of conspiracy to defraud and received a substantial sentence of 14 years' imprisonment.
Following recent substantial changes in health and safety regulation, the Health and Safety Executive (HSE) has not taken its eye off the enforcement ball. The HSE has brought over 600 health and safety prosecutions and, notably, investigated over 200 work-related deaths over the last year. It has also served over 6,270 improvement notices and 3,100 prohibition notices.
The HSE boasts an astonishing conviction rate of 96% in the courts, and fines remain significant. Indeed, in September 2015, Hugo Boss Ltd was fined £1.2m following the tragic death of a four-year-old boy at its Bicester Village store.
Earlier this year, the cap which previously existed in England and Wales for fines in the magistrates' courts was abolished. The uncertainty created by the absence of any limit on the fines that the magistrates' court can impose will be of serious concern to many corporate defendants, and may result in a tactical change of approach for those charged with health and safety or other regulatory offences.
Courts getting tougher and fines getting bigger
The courts' recent approach to sentencing also sends a resounding message to companies that tough action will be taken when regulations are breached. In a recent environmental case against Thames Water, the Court of Appeal warned that companies needed to appreciate the seriousness of regulatory breaches and, specifically, the fact that the penalty should bring home the gravity of the offence to management and shareholders alike.
Companies should take note, as the Court of Appeal commented that higher fines were likely to be imposed for second or repeat offences, and that fines of £100m might even be appropriate where a repeat offender has a large turnover.
Indeed, fines in the millions have also been mooted as the potential maximum fine following a data protection breach. Currently, fines of up to £500,000 can be imposed for breaches, but this could leap considerably to 2% of global turnover if the General Data Protection Regulation (GDPR), which is currently being debated in Europe, is passed. The GDPR would not only hit companies hard in terms of the level of fines, but would also require automatic notification to the Information Commissioner's Office (ICO) within 72 hours of a serious breach occurring.
With increasing regulatory enforcement coupled with the potential for higher than ever fines, the necessity of preventing regulatory breaches should be at the top of the corporate agenda.
This is compounded by a number of recent high-profile corporate scandals which have attracted the media spotlight, such as the on-going FIFA corruption investigations. Effective compliance programmes are necessary for reasons beyond potential penalties, including the protection of corporate brand and reputation. The on-going Tesco investigation, concerning overstatement of profits by £263m, illustrates the potential commercial implications of such investigations, with Tesco's share price dropping by more than half its value in 12 months.
Laura Gillespie is a regulatory law and risk advisory expert at Pinsent Masons, the law firm behind Out-Law.com. The Pinsent Masons Regulatory Conference, in association with Legal Week, takes place on 5 November 2015.