Out-Law Legal Update | 06 Mar 2017 | 12:38 pm | 5 min. read
The UK and the US allegations against Rolls Royce were resolved through Deferred Prosecution Agreements (DPAs). In the UK, DPAs are designed to encourage businesses to self-report wrongdoing in the hope of more lenient treatment, including the possibility of avoiding a criminal investigation and potential prosecution if strict conditions set by a judge are met. Prosecutors in England and Wales have had the power to put DPAs in place with corporate offenders since February 2014.
As part of the UK DPA, Rolls Royce admitted 12 counts of conspiracy to corrupt, false accounting and failure to prevent bribery. Its DPA with the DOJ relates to one charge of conspiracy to violate the US Foreign Corrupt Practices Act.
Before the Rolls Royce case, it was an open question whether companies that did not self-report wrongdoing could successfully resolve matters via a DPA and avoid a criminal prosecution. Judge Sir Brian Leveson, approving the DPA, said that Rolls Royce qualified in large part because the degree of its cooperation was "extraordinary" even though it had not self-reported.
Rolls Royce's internal investigation spanned several divisions of its business, seven jurisdictions and involved hundreds of interviews and tens of millions of documents. It shared the significant failings uncovered by the investigation with the SFO.
The main factor that Sir Brian Leveson said amounted to extraordinary co-operation was that "the company could not have done more to expose its own misconduct, limited neither by time, jurisdiction or area of business". Documentation was provided voluntarily, along with un-reviewed digital material, without requiring the SFO to use its statutory powers of compulsion, and the company reported the findings of its internal investigation on a rolling basis.
The scale of Rolls Royce's review is unusual. Its approach in this case might raise the bar and lead the SFO to expect internal investigations to be wider in scope than is often the case in the UK. A company should factor this expectation into its initial scoping exercise.
The Rolls Royce case has significant ramifications in the area of corporate self-reporting and on the extent of self-investigation and co-operation expected to secure a resolution of corporate misconduct that avoids a criminal conviction for the company. Sir Brian Leveson said in his judgment that "A responsible company will engage openly in the way that Rolls-Royce [did]...". Whether in practice this changes the UK SFO's expectations about the scope of internal investigations undertaken and extent of cooperation expected remains to be seen, but the case does present a stark reminder to corporates from the UK court about the benefits of not only self-reporting issues but fully cooperating with law enforcement agencies if and when these choose to investigate allegations of serious fraud and corruption.
Examples of what went wrong at Rolls Royce
Amongst other things, Rolls Royce's internal investigation revealed significant failings in the implementation of its earlier compliance policies and processes. For example: those responsible for giving approvals were provided with either selective or misleading information; approvers in some instances adopted an overly favourable view of an intermediary's risk profile; and Rolls Royce's compliance and legal teams raised concerns but subsequently softened their stance, or the business units ultimately did not follow the compliance advice and developed a workaround that in fact only underscored the compliance risks of an activity that the legal and compliance teams had previously highlighted.
How to avoid those problems
Compliance procedures are only adequate if they are properly implemented and followed by employees and management, and are rigorously tested to provide early warning signs of whether or not they are working. Risk ratings must include objective criteria, and the approval process for higher risk third parties may need to be carried out by people sufficiently independent of the business line that wishes to engage that third party. Systems should be adopted to give greater consistency and transparency to decision-making and to ensure that records of decision-making are maintained.
Having a set of procedures and a compliance function will be insufficient if the culture of the business is to hold back relevant information from those functions, or if insufficient importance is attached to compliance within the 'corporate culture', including within senior management. As part of the solution, legal and compliance teams need to be respected and empowered to tell the business not to proceed. Investing in board-level-led awareness raising, training, and wider ethics-related activities is paramount.
Parent companies will be held to account for subsidiaries' activities
The UK Court found no difficulty in imposing a DPA on the respective Rolls Royce parent companies for activities of subsidiaries and other Rolls Royce business units. Whilst a parent company is not automatically liable for bribery carried out by subsidiaries, the Bribery Act 2010 and associated Ministry of Justice guidance on the "adequate procedures" defence make it clear that this is possible. This will happen if it can be shown that the briber was providing services for the parent company and that there was an intention to benefit the parent company and not simply the subsidiary. In many cases this will not be difficult, particularly where the subsidiary is set up to carry on business in a particular jurisdiction with all profits flowing back to the parent.
The Rolls Royce case and other recent enforcement actions show that the SFO will seek to establish corporate criminal liability whenever it can, whether this is at parent or subsidiary company level. It is also clear that the SFO will routinely pursue investigations into the boardroom and seek to understand the level of knowledge and involvement of senior management teams.
In fact the actions that companies take to avoid this kind of liability can themselves be a red flag to investigators. Where companies deliberately decentralise responsibilities with arm's-length approaches to contracts placed by subsidiaries in the hope of reducing the prospect of parent company and main board director liability, this is likely to be viewed by investigators as an indicator of a failure of a parent to take its compliance responsibilities seriously.
Similarly, where corporates organise their compliance reporting and other structures to enable parent company boards to bury their heads in the sand, this will likely be an aggravating feature in any law enforcement investigations and any eventual sanctions.
There is no substitute for a robust and regularly reviewed compliance programme which is properly resourced and supported, from the top down. An approach that navigates a middle ground between the positions of centralisation and decentralisation in respect of different compliance functions and responsibilities can devolve some day-to-day management responsibilities to subsidiary level but should also establish a compliance function or ethics committee that oversees higher risk issues in a business. It should include other structures that ensure regular direct reporting to senior management and appropriate representation on the parent board. This also ensures consistency across global operations and that there remains visibility of compliance threats faced by business units or subsidiaries operating thousands of miles from head office.
The SFO and DOJ are both investigating criminality by former employees of Rolls Royce and other employees. The Rolls Royce case is also likely to have unearthed evidence of bribery involving other companies which used the services of the same intermediaries. Like other large corporate bribery cases by the DOJ, the Rolls Royce case will inevitably be the start of more investigations and enforcement action against other companies - in particular, the intermediary Unaoil is named in the UK judgment. Other intermediaries are described in the US papers.