With Standard Bank having become the first organisation to conclude a DPA, Aziz Rahman explains why gaining one is only the start of the challenge.

The satisfactory conclusion of the first deferred prosecution agreement (DPA) was a milestone. But it should also be viewed as something that anyone in business can learn from.

Standard Bank PLC was told by the Serious Fraud Office (SFO)that it will not face prosecution over allegations of failure to prevent bribery, as it has now met fully the terms of its DPA. The conclusion of this agreement is the first since DPA’s were introduced into the UK legal system

Introduced by the Crime and Courts Act 2013, which came into effect in 2014, a DPA allows a prosecutor to suspend a prosecution for a defined period – providing the organisation completes actions specified in the DPA. A DPA is reached under supervision of a judge and is an alternative to prosecution, available to the SFO and Crown Prosecution Service (CPS).

Conditions

Meeting the conditions in a DPA, as Standard has done,ensures an organisation is not prosecuted for the allegations. But a failure to meet the conditions will lead to the DPA ending and a prosecution commencing.

Standard’s former sister company, Stanbic Bank Tanzania Ltd,was alleged to have made a $6M payment to influence members of that country’s government to help it secure a lucrative contract.

The resulting DPA required Standard Bank to pay nearly $26Min fines and disgorgement of profits, $6M compensation to the Tanzania government and £330,000 SFO costs. Standard Bank was also required to commission an external consultant to report on its anti-bribery and corruption controls, toact on the consultant’s recommendations and to cooperate fully with the SFO’s investigation of the allegations.

Standard met these conditions, the DPA expired at the end of November last year and formal notification was sent to Southwark Crown Court,where the DPA had originally been approved.

It would be tempting to believe that securing a DPA is the simple,obvious route to a prosecution-free future. But, as Standard would no doubt testify, such an agreement’s conditions mean it is far from being aneasily-obtained “get out of jail’’ card.

Obtaining a DPA

DPA’s are not given out freely to any organisation that wants one. The SFO has made it clear that a company has a greater chance of obtaining a DPA if it self-reports its problems to the SFO and cooperates with its investigators. As an example, in the UK’s second DPA – the case known as XYZ – the judge approving the agreement commented on the speed with which the company had self-reported and remarked that it should benefit from such openness.

But self-reporting is no guarantee of a DPA: just four DPA’sin four years is proof of this. Exactly how self-reporting and any resulting negotiations are carried out will affect the likelihood of a DPA being obtained.Which is why it is vitally important that such tasks are conducted (or at least guided) by those who have the relevant legal expertise and experience of dealingwith the SFO and / or CPS.

Any cooperation with the SFO has to be seen by it to be a genuine attempt to put right any wrongs; not merely a last-ditch attempt to save face and avoid prosecution. Factors such as how early a company self-reports, the thoroughness and quality of the internal investigation it has conducted and the access it gives investigators to its findings can all determine whether the SFO considers a case worthy of a DPA.

This is not mere theory. Rolls-Royce did not report its bribery in far-flung countries, yet it obtained the UK’s third DPA by then offering all possible help to the SFO; including reporting wrongdoing that the agency had not known about. The DPA settlement even made reference to the“extraordinary cooperation’’ the company offered the SFO.

The extent to which a company changes to avoid a repeat ofits problems is also a factor. It is no coincidence that all the UK’s DPA’s have been granted to companies that have removed senior staff who were either involved in the wrongdoing or appeared to be turning a blind eye to it.

Complying with a DPA

The aforementioned activities will, if managed correctly,improve a company’s chances of being offered a DPA. But it would be a mistake to believe that the hard work has been done if and when a DPA has been obtained.

A DPA comes with terms. And those terms have to be adhered to if a prosecution is to be avoided. Earlier, we outlined the terms that Standard had to meet: terms that involved a continuous commitment over three years to ensuring it put right the wrongs that brought it close to prosecution.

If Standard had fallen short when it came to meeting those terms, it would very likely be facing prosecution. And being a company that is prosecuted for failing to meet the terms of a DPA could be hugely costly in terms of both finance and reputation.

If a company does obtain a DPA, therefore, it has to make sure it has systems in place so that it complies with all aspects of the agreement at all times. Such systems will differ with the terms of each DPA. But they must be devised in a way that recognises the demands being placed onthe company by the DPA – and must make sure it complies with them at all times.And if a company feels it is not able to create and implement these practices itself, it must seek external expertise.

Leaving compliance with the terms of a DPA to chance or good luck is simply too risky and can be extremely damaging.

Advice

A DPA may have been obtained in circumstances that require careful and on-going legal management.

As an example, when XYZ obtained the second DPA it paid a £6.5M fine. Having anticipated the SFO’s investigation,XYZ instructed external lawyers to conduct interviews with four senior executives suspected of wrongdoing. The interviews were not recorded but the lawyers took notes. The SFO then sought the notes but XYZ refused, asserting legal privilege. XYZ eventually allowed the SFO to record a summary of the interviews.

In R (on the application of AL) v SFO and others [2018] EWHC 856, the applicant, an employee of XYZ who was one of those interviewed, sought to judicially review the SFO’s decision not to pursue the XYZ’s alleged breach of the DPA. His argument was that XYZ’s refusal to let the SFO have the full interview notes constituted a beach of the DPA; asXYZ was failing to cooperate with the SFO. He wanted the full transcripts of his defence to be available as he thought they could assist his defence.

His application failed as it was held that he had not exhausted remedies in the Crown Court. But it highlights issues that could arise when a DPA has been sought or even when it has been obtained.

The DPA regime is fairly new. It has so far faced little judicial scrutiny regarding the rights of an individual who may be prosecuted for the same wrongdoing for which a corporate has gained a DPA. But this may be an area that could have serious implications for the way companies investigate and self-report wrongdoing prior to any DPA. And a company’s disclosure (or non-disclosure) of material to the SFO and whether this breaches a DPA that has already been obtained could well become the subject of legal challenges from individuals in the future. An individual could argue that their right to a fair trial has been prejudiced. If this happens, a company that has a DPA will have to know how to respond.

There is probably another article that could be written on the issues of privilege and corporate versus individual liability that the XYZ case touches on. But the point that needs to be made is that DPA’s are still a relatively new concept. No individuals have yet been convicted of the wrongdoing that prompted the investigation that led to any of the DPA’s. Recent months have seen three Tesco directors cleared of fraud in relation to the accounting black hole that saw the supermarket giant reach a DPA. As such, the development of DPA’s is sure to present new legal questions: questions that some companies that obtain a DPA in the future may need to respond to intelligently.

We have outlined here the challenges in obtaining a DPA. What we have also done is emphasise that gaining a DPA can only be half the battle. Seeing it through to completion, as Standard has, presents its own challenges. Challenges that must be met with the appropriate expertise.

More from Rahman Ravelli