Across the world regulators are more powerful and better resourced than ever before. Most westernised governments have realised that for businesses to take regulation seriously it is necessary to criminalise liabilities, to personalise responsibilities on individual directors and to apportion blame when things go wrong.
Regulators are now armed with extensive investigatory powers and their investigations can lead to criminal or quasi-criminal sanctions being imposed on businesses and senior managers. Awareness of the regulatory environment and of the consequences of non-compliance is only the first stage in managing this ever-increasing risk.
The recent successful Serious Fraud Office (SFO) prosecution of three former senior officials of Independent Insurance serves as a timely reminder of the possible consequences. Michael Bright (former chief executive and founder), Philip Condon (former deputy managing director) and Dennis Lomas (former finance director) received prison sentences ranging from three to seven years and were disqualified from holding company directorships for up to 12 years. They also face losing personal assets in confiscation proceedings.
But for every successful prosecution, there are many other regulatory investigations and high-profile enforcement actions that have seriously adverse consequences for the individuals and corporates involved. Even where enforcement action is unsuccessful, the mere fact of an investigation often leads to reputational damage and significant cost, and involves huge amounts of management time.
So how does this risk arise and what can be done about it?
Regulation is becoming more international and we are seeing an increased political will to deal with worldwide issues such as bribery and corruption, cartels and tax avoidance using offshore accounts. This has led to more cross-jurisdictional information sharing, joint investigations and action against both individuals and businesses. International cooperation is increasing through mutual legal assistance agreements and increased collaboration with foreign prosecutors. Businesses need to be aware of the regulatory risks, not just locally but in every country in which they operate.
For example, the Foreign and Corrupt Practices Act (FCPA) has become a high priority for both the US Department of Justice (DoJ) and the Securities and Exchange Commission (SEC). The DoJ has increased the number of staff dealing with FCPA enforcement and the SEC is making increased efforts to obtain enforcement assistance abroad. The DoJ has also shown willingness to pursue cases even if enforcement action has already been taken under another jurisdiction’s anti-bribery laws.
In 2004 Statoil, a Norwegian oil corporation, was fined by criminal law enforcement authorities in Norway for making improper payments to an Iranian official. In 2006 the US brought charges under the FCPA in connection with the same payments that led to Statoil entering into a deferred prosecution agreement under which it had to admit responsibility, accept monitoring of its compliance programme for three years and pay a further penalty.
At the same time, individuals have also become more vulnerable to extradition to the US, as its regulators take a tough stance on white-collar crime, Sarbanes-Oxley and the FCPA. Although the long reach of the US regulators attracts the headlines, it is also important to remember that extradition to Europe has been simplified since the introduction of the European Arrest Warrant.
Despite the risks, many businesses and their senior personnel remain complacent. The results of the DLA Piper European Regulatory Risk Survey 2007 showed that 61 per cent of those surveyed were unaware of the FCPA and just more than half were correctly aware of the investigative powers of regulators. A reminder of the scope of these powers comes from the recent EU Court of First Instance judgment in Akzo Nobel Chemicals and Akcros Chemicals v Commission of the European Communities (2007), which confirmed the position that in-house counsel cannot claim legal professional privilege in relation to documents seized in connection with a competition investigation.
There is also complacency about complying with new laws and issues that are high on the worldwide political agenda. For example, in relation to bribery and corruption, some have been tempted in the past to continue with illegal practices for fear of losing out to competitors. Although there is often a significant delay between new laws coming into effect and the regulators taking action, this does not mean that companies can afford to defer compliance.
A regulator may suddenly change focus if it is given an increased budget to deal with a high-priority issue, a good example being the SFO’s expanding corruption remit. It has already happened in the US where the FCPA came into force 30 years ago, but the past three years have seen a huge spike in enforcement actions.
So what should European businesses be doing to better manage their regulatory risk? The only sensible way forward is to take a holistic approach.
What this means is coordinating a company’s approach to managing the risks associated with all the regulatory authorities, whether it is competition, financial services, tax or fraud. It also means managing those risks at every stage of the regulatory cycle, starting with monitoring and seeking to influence impending legislation coming over the horizon from Whitehall, Brussels, Washington, Beijing and elsewhere.
Once it has become law the process becomes one of ensuring compliance. Finally it is necessary to have a proactive plan in place for dealing with unwelcome intervention.
In the US, where there have been many high-profile interventions and aggressive prosecutions, the attitude of businesses towards regulation is very different. US companies tend to employ in-house counsel who have worked for the DoJ or the SEC. They have historically tended to be more attuned to the risk of regulatory intervention with criminal consequences. Regulatory risk management systems have therefore, in the past, tended to be more readily implemented by US corporates than across Europe and the rest of the world.
DLA Piper’s 2007 risk survey revealed that although European businesses may be aware of the threats posed by the failure to remain compliant – 40 per cent think that a regulatory investigation into their company in the next year is likely, 57 per cent think that their industry is likely to be investigated in the next year, while 76 per cent believe that the risk of criminal penalties for regulatory breaches will grow over the next five years – many are not sure how to manage the process. Effective forward planning is crucial in managing risk but 51 per cent of those surveyed do not have a crisis management plan and only 43 per cent carried out regular reviews of their plans.
This is startling. Most mature businesses are very adept at managing financial, political and operational risk, yet the evidence is there that many are leaving regulatory risk to chance. The consequences of an investigation, let alone enforcement action, are potentially devastating for corporates across Europe, and with the health, wealth and liberty of senior executives at stake, regulatory intervention is the one risk you just cannot ignore.
Jonathan Pickworth is UK group head of regulatory and government affairs at DLA Piper