DPA No. 8 – G4S Group plc: the case for independent compliance monitors
Introduction
On 17 July 2020, the Serious Fraud Office ("SFO") received Court approval to enter into its eighth Deferred Prosecution Agreement ("DPA") – in this instance with British multinational security services company G4S Care & Justice Services (UK) Limited ("G4S C&J"), a wholly-owned subsidiary of G4S Group plc ("G4S Group"). In entering into the DPA, G4S C&J accepted liability for three offences of fraud against the Ministry of Justice ("MoJ") between 2011 and 2012, which arose from a scheme to deceive the MoJ in connection with electronic monitoring contracts. G4S C&J agreed to pay a financial penalty of £38.5m and the SFO's full costs of £5.9m. In addition, G4S C&J and the G4S Group entered into significant compliance remediation commitments which included the appointment of an independent compliance monitor to review and report on such commitments. This is evidence of a stronger emphasis on post-DPA oversight and assurance.
KEY TAKEAWAYS
Leaving aside the further reinforcement of the importance of full cooperation with the SFO – even if delayed as in this case – this eighth DPA serves to illustrate the SFO’s evolving approach to compliance and its expectations in terms of compliance programme remediation, both prior to and following any DPA, and it sheds important light on the process termed "Corporate Renewal." In particular:
- The DPA marks a departure from its seven predecessors inasmuch as it involves the appointment of an independent compliance monitor or External Reviewer. This is the first time an independent compliance monitor has been formally mandated, but not specified, in the context of a DPA and will afford the SFO distinctly more oversight of a company’s compliance activities throughout the three-year term of the DPA.
- We are likely to see a greater use of independent monitors in future settlements as the SFO builds on the experience of both US government enforcement agencies and development banks such as the World Bank and the African Development Bank, who have for some time relied on independent monitors or independent integrity compliance consultants as part of their sanctions processes.
- The Corporate Renewal process highlighted in the earlier Serco DPA and again in this latest DPA provides important insight for other companies engaged in UK Government work. As Davis J states at paragraph 43: "The intensity of the external scrutiny [in this DPA]… is necessary and appropriate given the exposure of both G4S C&J and the parent company [G4S Group] to government contracts." The heightened compliance expectations and standards which G4S Group and Serco are now set on meeting are likely to serve as a benchmark in future UK Government procurement processes and subsequent contract monitoring.
Background
Between 2005 and 2013 G4S C&J provided electronic monitoring services for the UK Government. The agreement governing the provision of the services between G4S C&J and the Home Office contained terms that the company would co-operate in order to demonstrate "value for money" throughout the life of that agreement. In order to demonstrate this, G4S C&J agreed to implement "reasonably achievable opportunities to reduce the cost of providing electronic monitoring services". Specifically, it agreed that the Home Office would be entitled to recover 50% of the value of "any unanticipated cost efficiencies" which the company achieved. G4S C&J was required to submit a financial model every six months, which displayed the actual revenues and costs incurred together with a forecast of revenues and costs over the remainder of the contract term to provide the Home Office (and later the MoJ) with sight of G4S C&J's underlying costs. G4S C&J submitted ten financial models in total.
Reporting the misconduct – and restitution
In 2013, the MoJ notified the SFO of concerns that G4S C&J was knowingly rendering invoices for monitoring individuals when no actual monitoring had taken place. Upon investigation, the SFO determined that there was not sufficient evidence that invoices had been presented dishonestly. However, in December 2013, the MoJ raised a further concern that G4S C&J had not complied with its obligations in relation to financial reporting and notification of unanticipated cost efficiencies. This prompted G4S C&J, in January 2014, to self-report to the SFO that it had discovered material indicating that it had failed to provide accurate financial reports to the MoJ.
The SFO investigation was commenced in January 2014 and concluded that there had been fraudulent conduct in relation to the contracts for the provision of the electronic monitoring services. On 12 March 2014, G4S C&J entered into an agreement to settle the MoJ's civil claims. This included the sum of £22,115,505 representing a 50% share of "unanticipated cost efficiencies" for the period April 2005 to December 2013.
Offences
The draft indictment contains three counts of fraud, specifically relating to false representation that the financial models reported costs which were actually and genuinely incurred under the contract. In its judgment, the Court indicated that the conduct of G4S C&J appeared to be motivated by "a desire to conceal unanticipated cost efficiencies" rather than overtly attempting to defraud the MoJ from the outset. Although a review of the financial models revealed that G4S C&J engaged in inaccurate reporting of cost efficiencies across a six year period (approximately November 2005 to May 2012), the criminal liability of G4S C&J only related to a period of approximately 12 months between 2011 and 2012. Corporate liability for the fraud was attached to G4S C&J via the identification principle, whereby a company is held criminally liable where the commission of an offence can be attributed to an individual who at the material time was the "directing mind and will" of the company or "an embodiment of the company". This was accepted in the circumstances.
Co-operation and compliance remediation steps
Co-operation is a significant factor under the DPA Code of Practice 1 ("DPA Code"). The Court observed that G4S C&J co-operated from the outset, but the level of cooperation appears to have increased significantly after October 2019.
"The level of co-operation initially was less than it was after October 2019 at which point [G4S C&J's] level of co-operation intensified very significantly. It was then that [G4S C&J] provided access to all interviews conducted by its solicitors and accountants… Overall [G4S C&J] assisted in a substantial way with the SFO investigation: responding voluntarily to many investigative requests from the SFO; providing digital and hardcopy material to the SFO and/or notifying the SFO of when and how data had been destroyed; assisting the SFO to obtain or trace third party evidence and material."
The Court suggested that G4S C&J’s "less than full cooperation with the SFO investigation until a relatively late stage point[ed] to the public interest being properly served by prosecution of G4S C&J". In this instance, however, the Court was prepared to look at the "overall level of cooperation" and stated that "initial reluctance to cooperate fully can be dealt with when considering the discount on any financial penalty" (see below).
Another factor given weight under the DPA Code is the extent to which a company has implemented a compliance remediation programme. If a company lacks an effective compliance programme, or fails to improve its compliance programme after it engages in misconduct, then this will be taken into account by the Court when deciding whether it is in the interests of justice to award a DPA. The DPA provides the following details relating to the reinforcement of G4S Group’s compliance programme, many of which were highlighted by the Court in its Judgment:
- significant personnel changes, including by the removal and departure of implicated individuals and those who had relevant oversight and the appointment of new leadership;
- the creation of a Board Risk Committee – separate from G4S Group’s Audit Committee;
- changed reporting lines for regional CFOs, legal counsel and internal auditors to ensure they report along functional rather than business lines;
- a revised and expanded Internal Audit remit (and G4S Group’s External Quality Assessment Report of its internal audit function by the Chartered Institute of Internal Auditors);
- modified criteria and risk thresholds for contracts requiring Group level (and Board) approval;
- a “Contract 360 Review” process for UK Government contracts to improve management oversight of such contracts;
- the two reports commissioned by HM Treasury on G4S's corporate renewal programme in 2013;
- a “360 Benchmark” report on G4S Group’s whistleblowing arrangements prepared by Protect, the whistleblowing charity; and
- ongoing engagement with the Cabinet Office by G4S Group and G4S C&J on the topic of corporate renewal including through the Cabinet Office's Standard Supplier Management Relationship Processes.
Davis J, commenting on the above, observed:
"I am satisfied that the steps which have been taken and will be taken are very significant. They are steps which can only be enforced under the aegis of a DPA. Prosecution and conviction of G4S C&J could not sensibly achieve this objective. The public interest in the remedial steps is very high." (Emphasis added)
Interests of Justice
The Court, as it must, considered whether it was in the interests of justice to enter into a DPA, or whether it was more appropriate to prosecute under the Fraud Act. Factors cited by the Court which might have weighed against approving the proposed DPA included:
- the analysis of the financial models revealed that G4S C&J's poor business practice in relation to historic costs spanned a six-year period (albeit that the offences for which liability was agreed arising from the identification principle related to a period of just 12 months);
- the fraud practised by G4S C&J related to an important part of the criminal justice system and involved a very substantial loss to public funds;
- the fraud undermined confidence in the contracting-out of public functions by the UK government; and
- G4S C&J did not fully co-operate with the SFO investigation until a relatively late stage.
Nevertheless the Court ultimately decided that it was in the interests of justice to agree to a DPA on the basis of inter alia:
- the prompt reporting by G4S C&J to the SFO in January 2014, following the fraudulent conduct being brought to its attention by the MoJ in December 2013;
- G4S C&J’s co-operation with the SFO in their investigation;
- the relative age of the conduct (going back almost 10 years);
- the disproportionate consequences which would potentially flow from a conviction of G4S C&J; and
- the potential collateral impact on the public and on employees and shareholders of G4S C&J in the event of a successful prosecution.
The Court also placed particular emphasis on the remedial measures taken by G4S Group and G4S C&J – and proposed further steps. The Court referred to the fact that G4S C&J "has undertaken a root and branch self-cleaning process which is continuing. This latter factor is of particular significance. It will protect the public in the longer term in a manner more effective than any prosecution could expect to achieve." As was the case with the Serco DPA, the entity engaging in misconduct (G4S C&J) is a wholly owned subsidiary of a larger parent company (G4S Group). Unlike in Serco, G4S Group continues to trade, and therefore the remedial steps it undertook were considered by the Court to be "all the more important". A guarantee of oversight by a parent company may become a more common theme going forwards as the SFO continues to place an emphasis on remediation actions in DPAs.
Independent compliance monitor
In a notable departure from previous DPAs (including the Serco DPA which in many other respects is very similar) and by way of additional oversight and assurance, the DPA provided for an extensive programme of review, assessment, and reporting on G4S Group’s and G4S C&J’s internal controls, policies, and procedures to be undertaken over a three-year period by an external Reviewer or independent compliance monitor who will report to the SFO. Lisa Osofsky, Director of the SFO, referred to this as "unprecedented, multi-year scrutiny and assurance". 2 In the Judgment, Davis J commented as follows:
"...an independent person will be appointed as Reviewer of the corporate renewal being undertaken by G4S. By December 2020 the Reviewer will provide a report to the SFO identifying any additional steps which G4S should take to ensure that their internal controls, policies and procedures meet defined criteria intended to prevent any fraudulent or corrupt practices."
"The intensity of the external scrutiny as set out in the DPA is greater than in any previous DPA. This is necessary and appropriate given the exposure of both G4S C&J and the parent company to government contracts. Equally, it is an important factor in providing reassurance to the SFO, to relevant government departments and to the wider public that both companies have proper controls in place to ensure the integrity of their accounting and governance processes. The DPA will last for three years during which period the compliance measures will continue and will be reviewed. This will provide further reassurance as to the conduct of G4S [Group] and G4S C&J."
This is not the first time that a settlement with the SFO has involved the company under investigation agreeing to the appointment of an external monitor. For example, the compliance programmes of Balfour Beatty, Mabey and Johnson, Macmillan Publishers, Innospec and Oxford University Press were all subject to review, and reporting to the SFO, by independent compliance monitors. In some cases, the reporting entity had dual reporting responsibilities (e.g. to the US Department of Justice or the World Bank). These earlier appointments preceded the Crime and Courts Act 2013, which conferred a statutory power on the SFO to require companies to appoint compliance monitors, and the DPA Code which stated that "the appointment of a monitor will depend upon the factual circumstances of each case and must always be fair, reasonable and proportionate."
Although previous DPAs have invariably involved some form of reporting to the SFO, this DPA represents the first time the appointment of an independent compliance monitor has been mandated, but not specified, in the context of a DPA. 3 This reflects public comments and guidance made by the SFO in relation to independent compliance monitors. For example, in February 2018, the SFO’s then co-head of Fraud and Corruption stated:
"Under the DPA regime in appropriate cases the SFO will seek assurance the Company has genuinely reviewed its internal controls, policies and procedures regarding compliance and as necessary, adopt new or modify existing controls, policies and procedures in order to ensure it complies with all applicable anti-corruption laws and most importantly that these are actually embedded into the business. The ultimate responsibility for identifying, assessing and addressing risks remains with the Board of Directors and is a critical factor in any DPA discussion.
The decision about whether to impose as a term of the DPA a monitor will be informed by the extent to which the programme of corporate governance enhancements is complete at the time of the DPA resolution and whether an ongoing independent review and sign off on-completion is considered necessary in the context of the deficiencies identified in the corporate compliance programme and corporate governance. Monitors have always been available and we will use them in the right situations. It’s a question of achieving a substantive outcome, and we have to date focused on that, more than the method through which that might be achieved." 4
More recently, in January 2020, the SFO publicly released guidance from the SFO Operational Handbook on Evaluating a Compliance Programme ("SFO Compliance Guidance") that states:
"If a DPA includes terms about the organisation’s compliance programme, the prosecutor will need to be able to assess the expected reforms while the DPA is in force, to determine whether the organisation is complying with the terms of the DPA. The DPA should set out the means by which the organisation will satisfy the prosecutor. This is likely to include a monitor being appointed at the organisation's expense." 5 (Emphasis added)
The Court’s position is very different from that of Lord Justice Thomas when handing down the sentencing judgment in the Innospec case in 2010 who described the proposed monitorship as "an expensive form of "probation order" [which] seems to me unnecessary for a company which will also be audited by auditors well aware of the past conduct and whose directors will be well aware of the penal consequences of any similar criminal conduct. ... In my view, there is a real case for saying that the resources allocated to th[e proposed monitorship] should more properly have been made available for fines, confiscation or compensation. For the future, the request for such an order will have to be fully explained in terms of its cost effectiveness." 6
Whilst Innospec was determined before the coming into force of the statutory DPA regime which has court oversight of DPAs and their terms "baked in", it is an important reminder that the Court will not act as a "rubber stamp" to the terms agreed between the prosecutor and the company. The Court will scrutinise the proposed terms very carefully when determining (as is now the case under the DPA regime) whether a DPA is in the interests of justice and fair, reasonable and proportionate.
Fair, reasonable and proportionate; calculation of the fine
The terms of the DPA were deemed by the Court to be fair, reasonable and proportionate. In calculating the £38.5m fine imposed on G4S C&J the Court calculated the profit unlawfully obtained from the fraud at £21.3m – the base figure. This figure was increased by 300% as a result of the seriousness of the harm suffered by the MoJ, and was then discounted by 40%. Notably, this is only the second time that a discount lower than 50% was applied to a DPA settlement sum, and this reflected the delayed nature of G4S C&J's substantial cooperation with the SFO's investigation. In addition to the fine, G4S C&J agreed to pay the SFO’s full costs of £5.9 million.
Conclusion
Much of the approach reflected in this latest DPA covers familiar ground. Companies will note the continued emphasis on "full cooperation" and will take some comfort from the fact that the SFO (and Court) will give credit for cooperation (albeit at a reduced discount) even if such cooperation is less than full at the outset. Beyond cooperation, it has long been clear that companies have to demonstrate that implicated individuals and senior executives responsible for the compliance failings have been replaced, and G4S appears to have implemented substantial personnel and leadership changes. This DPA provides further illustration of the importance of compliance remediation, which has to commence well before any settlement, and the DPA builds on the SFO Compliance Guidance issued in January 2020.
Whilst the SFO has not taken on a specialist compliance expert as the US Department of Justice did with its appointment of Hui Chen, it does have a Director who is very familiar with compliance best practice. In particular, Lisa Osofsky’s compliance monitor related experience prior to joining the SFO may well in part explain the detectable shift in the SFO’s approach towards compliance monitors. This approach has been confirmed with the requirement that G4S Group and G4S C&J appoint an external Reviewer or independent compliance monitor, a move that was foreshadowed by the SFO Compliance Guidance and found ready approval by the Court, in contradistinction to the earlier judicial scepticism towards compliance monitors expressed in the Innospec case in 2010. It seems likely that we will see more of such appointments where a DPA contains terms about the organisation’s compliance programme, as DPAs will in most if not all cases.
There are lessons here also for those involved in UK Government contracting. A close read of this DPA, the earlier Serco DPA and related National Audit Commission and other Government reports on Corporate Renewal provides important insight into UK Government’s heightened compliance expectations. In particular, the standards which G4S Group and Serco plc are now set on meeting are likely to serve as a benchmark in future UK Government procurement and subsequent contract monitoring – and the G4S and Serco DPAs demonstrate that the implications of not meeting those standards can be very significant indeed.
1 Deferred Prosecution Agreements Code of Practice, Crime and Courts Act 2013, SFO and CPS, available at: https://www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf
2 SFO receives approval for DPA with G4S Care & Justice Services (UK) Ltd, SFO News Release, 17 July 2020, available at: https://www.sfo.gov.uk/2020/07/17/sfo-receives-final-approval-for-dpa-with-g4s-care-justice-services-uk-ltd/
3 In the Tesco DPA, external auditors Deloitte were expressly directed to “review and report on two aspects of Tesco’s Global Finance Transformation Programme” (at paragraph 97), SFO v Tesco Stores Limited, 10 April 2017, available at: https://www.judiciary.uk/wp-content/uploads/2019/01/sfo-v-tesco-stores-ltd-2017-approved-final.pdf
4 Corporate criminal liability, AI and DPAs, 5th Annual Corporate Crime and Investigations Conference, 21 June 2018, available at: https://www.sfo.gov.uk/2018/06/21/corporate-criminal-liability-ai-and-dpas/
5 SFO Operational Handbook, Evaluating a Compliance Programme, 17 January 2020, available at: https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/sfo-operational-handbook/evaluating-a-compliance-programme/
6 R. v Innospec Ltd, [2010] Crim LR 665, [2010] EW Misc 7 (EWCC) (18 March 2010), at paragraph 49.