The UK’s Financial Services Authority (FSA) published on March 29, 2012, the findings of its “thematic review into anti-bribery and corruption systems and controls in investment banks.” On the whole, the report was not complimentary of financial institutions’ steps to mitigate bribery and corruption risk. Indeed, the FSA concluded that “the majority of firms in our sample did not have robust anti-bribery systems and controls in place and some firms fell short of our regulatory requirements.” As a result, the regulator is “considering whether further regulatory action is required in relation to certain firms in [its] review.” Financial services organizations should take a hard look at their own anti-bribery and corruption systems and controls, in order to address the FSA’s concerns.
Offenses under the UK Bribery Act
The UK Bribery Act, which went into effect in July 2011, creates an offense for commercial organizations that fail to prevent persons associated with them from committing acts of bribery to obtain or retain business for the organization. Under the Bribery Act, a “full defense” is available to firms charged with failing to prevent bribery that have in place “adequate procedures” to prevent persons associated with them from committing acts of bribery.
The UK’s Serious Fraud Office (SFO) is principally responsible for investigating and prosecuting alleged violations of the UK Bribery Act. While the FSA does not enforce the Bribery Act, it has regulatory authority over firms in the financial services markets, and is empowered to bring actions against firms for their roles in “financial crime,” including bribery and corruption.
The FSA’s Prior Industry Sweeps
The FSA’s review of investment banks does not mark the first time the FSA has considered an industry’s response to bribery and corruption risk. In a May 2010 report, titled “Anti-bribery and corruption in commercial insurance broking: Reducing the risk of illicit payments or inducements to third parties,” the FSA scrutinized commercial insurance brokers’ standards and practices in “addressing the risks of becoming involved in corrupt practices such as bribery.”
The FSA concluded that the insurance brokers were “not operating at acceptable standards,” and identified several industrywide weaknesses (some of which are strikingly similar to its finding in the banking industry report), including: “a poor understating of bribery and corruption risk among senior managers”; “failure to implement a risk based approach to anti-bribery and corruption”; “very weak due diligence on, and monitoring of, third party relationships and payments”; “very little or no specific training … on anti-bribery and corruption”; and a need to “reassess the adequacy of their preventative systems and controls.” The FSA also found that “many firms are not currently in a position to demonstrate adequate procedures to prevent bribery — a defense to the Bribery Act 2010’s new criminal offence of ‘failing to prevent bribery.’ ”
Significantly, as in its investment banking report, the FSA in 2010 threatened regulatory action against insurance brokerage firms. And the FSA made good on its promise: as a direct result of its findings in the 2010 report, it pursued successful enforcement actions against two insurance firms, procuring a £5.25 million fine against Aon Limited and a £6.9 million fine against Willis Limited.
Thus, commercial organizations in the financial services industry should take very seriously the FSA’s warning that regulatory action could be on the horizon for firms that are not properly addressing bribery and corruption risks.
Investment Banks: The FSA’s Findings
The FSA’s goal in reviewing investment banks was to determine “how firms mitigate bribery and corruption risk.” Alarmingly, the FSA found that, “despite a long-standing regulatory requirement to mitigate financial crime risk, the majority of firms [in the sample group] had more work to do to implement effective anti-bribery and corruption systems and controls.” Notably, the FSA found several “common weaknesses”:
- firms have not taken adequate steps to become UK Bribery Act compliant;
- 50 percent of the firms do not have adequate bribery and corruption risk assessment policies or procedures;
- senior management are not sufficiently knowledgeable about bribery and corruption risk;
- 87 percent of the firms had not started or completed internal audits related to bribery and corruption risk;
- significant concerns endure around firms’ use of third parties to win or retain business;
- the firms fail to adopt adequate procedures to ensure gifts, hospitality and expenses are reasonable on a cumulative basis as to particular clients/projects.
The FSA characterized financial institutions as “slow and reactive in managing bribery and corruption,” though it recognized the UK Bribery Act has been a catalyst for some to revisit anti-bribery and corruption issues. Indeed, the report recognizes that all firms acknowledge the need to address bribery and corruption risks: “All firms claimed they adopted a ‘zero tolerance’ approach to bribery and corruption … [h]owever, the number and range of risk factors they used to inform their risk assessments varied considerably, … [a]nd we were concerned that nearly half of the firms in our sample were significantly less well advanced in terms of their ABC risk assessment than we would have expected.”
Key Takeaway: “Adequate Procedures”
The most critical takeaway from the FSA report relates to the procedures financial institutions should put in place to prevent bribery. The creation and implementation of “adequate procedures” provides a full defense to prosecution under the UK Bribery Act, yet the FSA report indicates that firms are not taking steps to put in place “adequate procedures,” concluding that most firms “did not have robust anti-bribery systems and controls in place and some firms fell short of our regulatory requirements.”
The FSA report explains that regulated firms are required “to establish and maintain effective systems and controls to mitigate financial crime risk,” including the risk of bribery and corruption. To that end:
Identifying and assessing bribery and corruption risk is a prerequisite for an effective [anti-bribery and corruption] control framework. … We expect firms to identify, assess and regularly review and update their bribery and corruption risk assessment. The risk assessment should be also used to inform the development of monitoring programmes; policies and procedures; training; and be embedded into operational processes.
Tracey McDermott, the FSA’s acting director of enforcement and financial crime, later underscored this point, noting that “[f]irms across all sectors must have appropriate controls to manage their financial crime risks … .”
To assist firms in devising “adequate procedures,” the Ministry of Justice issued guidance on the UK Bribery Act that sets out six principles commercial organizations should consider: (1) periodically assess the nature and extent of the organization’s exposure to bribery risk; (2) adopt bribery prevention procedures that are proportionate to their institutional risk; (3) conduct adequate due diligence of persons who will perform services on behalf of the organization; (4) foster top-level commitment to an anti-bribery corporate culture; (5) cultivate firmwide awareness of bribery risk through communication and training; and (6) put in place measures to monitor and review anti-bribery procedures.
The critical point for financial institutions, however, is, even if in devising procedures to prevent bribery you follow the letter and spirit of the guidance, you must nevertheless be cognizant of the following concerns:
- Procedures modeled on the Ministry of Justice Guidance may not pass the FSA’s smell test. Assessing the “adequacy” of a financial institution’s procedures is discretionary with the FSA. Even if an organization has procedures modeled on the guidance — and even if the procedures are otherwise compliant with applicable laws and regulations — the organization may nevertheless find itself on the wrong side of an FSA investigation if the regulator deems the procedures to be inadequate. A determination that the procedures in place are inadequate need not turn on a finding of wrongdoing. In many respects, the FSA’s analysis is likely to be a contextual one. The FSA, for example, may take a dim view of procedures that have all the hallmarks of a successful anti-bribery program, but in practice amount to little more than a paper tiger.
- Inadequate procedures may result in review by multiple regulators. The FSA’s authority to review financial institutions’ procedures is limited to a review of their systems and controls. If the FSA deems a financial institution’s procedures to be inadequate, or if the regulator discovers actual wrongdoing, the FSA will report the matter to the SFO’s division of enforcement for further investigation. The result: simply by failing to design and implement adequate procedures, a financial institution may subject itself to the scrutiny of multiple regulators.
The FSA has made clear that, in its view, most investment banks have more work to do in implementing effective anti-bribery and corruption procedures. If the FSA’s sweep of the insurance industry is any indication, the FSA will move swiftly — either through an enforcement action or reference to the SFO — to root out firms it believes to be in violation of the UK Bribery Act. Thus, all regulated financial services firms should take a close look at their anti-bribery and corruption systems and controls. At a minimum, this should include an evaluation of the firm’s risk assessment policies and procedures, payment controls, third-party due diligence measures, gifts and hospitality policies, and anti-bribery and corruption training regime. The adoption of “adequate procedures” may prove to be a saving grace in an enforcement action.