The Australian Government has introduced two new Bills into the Senate on the last sitting week of 2017 which, if passed, will increase companies' corporate compliance requirements. Although we will not know the final form of this legislation until next year, companies should anticipate there will be a need to update policies, review their procedures and run additional training for their staff and agents and plan accordingly.
A key aspect of the Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2017 (Corporate Crime Bill) is the introduction of an offence of corporate criminal liability in relation to foreign bribery unless a company can establish that it had "adequate procedures" in place to prevent such misconduct. Although there is no Australian guidance available yet in relation to what will constitute "adequate procedures," there have been some developments overseas which will assist companies to begin devising their procedures.
In relation to the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017 (the Whistleblowing Bill) legal and compliance teams should be communicating with their HR teams to consider the practical implications of the new regime on running internal investigations, particularly where whistleblowers would, under the proposed legislation, be permitted to make reports anonymously and still be entitled to the protections set out in the proposed legislation.
Corporate Crime Bill
The Corporate Crime Bill:
- expands and clarifies the scope of Australia's foreign bribery offences (including relating to the scope of what will constitute bribery, the intention behind illegitimate payments or offers of payments, and what matters a court should and should not take into account when determining if an offence is made out);
- introduces the offence of corporate criminal liability in relation to foreign bribery unless the company can establish that it had "adequate procedures" in place; and
- introduces a proposed Deferred Prosecution Agreement Scheme (DPA) which would apply not only to foreign bribery but also bribery of Commonwealth public officials and other identified Commonwealth crimes.
These proposed changes were discussed in our April 2017 alert, although one significant change is that the Corporate Crime Bill no longer seeks to introduce a separate foreign bribery offence based on reckless behaviour.
In relation to the "adequate procedures offence" the Explanatory Memorandum states:
"What constitutes ‘adequate procedures’ would be determined by the courts on a case by case basis. It is envisaged that this concept would be scalable, depending on the relevant circumstance including the size and nature of the body corporate. As noted below, proposed new section 70.5B also provides that the Minister must publish guidance on the steps that body corporates can take to prevent an associate from bribing foreign public officials."
Whilst we wait for guidance from the Minister in relation to this defence, there are a number of overseas sources companies can consult when devising their compliance programs. The most widely-known guidelines are the UK Ministry of Justice's Guidance to help commercial organisations prevent bribery and the US Department of Justice's Evaluation of Corporate Compliance Programs (discussed by our US colleagues here). Additionally, the US Department of Justice's recently-issued FCPA Corporate Enforcement Policy contains details about how it will evaluate companies' compliance programs. While that Policy indicates that the criteria will vary based on the size and resources of each organisation, it also includes examples of some of the elements that may be considered, including the effectiveness of the company's risk assessment and the manner in which the company's compliance program has been tailored based on that risk assessment, the company's culture of compliance, and the resources the company has dedicated to compliance.
Other countries have also introduced similar provisions which may be utilised by the Minister in preparing the Australian guidance. For example, in 2015, Spain introduced amendments to its Criminal Code exempting companies from criminal liability if employees or officers of a company engage in criminal conduct in breach of a compliance program in circumstances where the company has implemented a compliance program that meets Spanish legal requirements, and the supervision of the compliance program was entrusted to an independent body or individual (the "Compliance Body") which has not neglected its duties of supervision, oversight or control. Similar to the UK guidance, the Spanish guidance (discussed by our US and Spanish colleagues here) identifies risk mapping or risk assessment as the initial step in setting up a corporate compliance program.
While waiting for the Australian guidance, conducting a risk assessment has business and compliance benefits for companies that go beyond the desire to protect against potential corporate criminal liability, and would be a practical first step for companies to take at this stage.
On 7 December 2017 the Whistleblowing Bill was introduced in the Senate which, if enacted, will consolidate and expand the existing private sector whistleblowing regime in Australia. The Whistleblowing Bill follows the Report by the Parliamentary Joint Committee on Corporations and Financial Services (discussed in our September 2017 alert) but does not include all of the Report's recommendations, such as a monetary reward scheme for whistleblowers. Some of those recommendations are still being considered and may be introduced at a later stage.
The Whistleblowing Bill strengthens protections for private sector whistleblowers by creating corresponding requirements for companies. In particular:
- by 1 January 2019, all public companies will be required to have an internal whistleblower policy. "Large proprietary companies" (as defined in the Corporations Act 2001) and proprietary companies that are trustees of registrable superannuation entities will have a longer period to comply with this requirement;
- from 1 July 2018, all eligible recipients of qualifying disclosures from eligible whistleblowers will, where such confidentiality is sought and unless subject to exceptions outlined in the Bill, be required to protect from disclosure the identity of the discloser and information that is likely to lead to the identification of the discloser; and
- from 1 July 2018, all regulated entities receiving qualifying disclosures from eligible whistleblowers will be required to protect eligible whistleblowers from retaliation. Unlike the existing whistleblower protections under the Corporations Act 2001, there is no requirement for whistleblowers to identify themselves in order to receive those protections.
Our experience working with clients in jurisdictions that have implemented similar regimes is that such changes have the capacity to assist companies to investigate and internally remediate issues before employees decide to take their concerns to a regulator or the media.
However, the challenge for companies will be to ensure that their policies and procedures are not only consistent with the new regime's requirements but also that they work with companies' existing procedures in relation to undertaking investigations and disciplinary measures.
To ensure the company can respond quickly and effectively when potential issues arise, companies need to encourage and make it simple for whistleblowers to disclose their concerns to the company at first instance, and not to regulators so that the company can control any such disclosure. They also need to ensure that their procedures allow whistleblowing complaints to be investigated promptly, particularly as under the proposed Whistleblowing Bill, a whistleblower would be entitled to take their report to the media if, after a "reasonable period" following their internal report, the whistleblower has "reasonable grounds to believe that there is an imminent risk of serious harm or danger to public health or safety, or to the financial system" if the information they disclosed is not acted on immediately.
Although companies that already have robust whistleblowing and anti-corruption policies and associated procedures may wish to wait to see the final legislation before making any adaptations to their compliance programme, companies that do not already have an effective regime in place should consider developing and implementing one now. The legislative requirements are unlikely to alter significantly, and even without the legislative requirements, these are measures that can mitigate a company's risk of reputational damage, regulatory enforcement and litigation.
When establishing effective and risk-based corporate compliance programs, companies can consider Baker McKenzie's distillation of guidance from several jurisdictions into a framework of 5 Essential Elements of Corporate Compliance: Leadership, Risk Assessment, Standards and Controls, Training, and Oversight. For those companies uncertain of where to start the process, a risk assessment or risk-mapping exercise is usually the most effective first step, and we can offer templates and guidance in relation to that process.