The foreign bribery scandal currently plaguing Securency International (Securency) and its sister company Note Printing Australia (NPA), each subsidiaries of the Reserve Bank of Australia (RBA), is a pertinent example of the acute divide between compliance and risk management, a perennial problem in corporate governance.

In July 2011, Securency and NPA were each charged with contravening the foreign bribery provisions in the Criminal Code Act 1995 (Cth) (Code) on the basis that ‘senior managers acted as the mind and will’ of the companies, and that the companies received a benefit in the form of contracts to print bank notes. Eight current and former executives were also charged. Further charges were laid against Securency in August 2011 and NPA in September 2011. The charges alleged conspiracy to offer to pay, or pay, a benefit to a foreign official not legitimately due, in Malaysia, Indonesia, Vietnam  and Nepal. The cases are still before Victorian courts and are subject to suppression orders.

In corporate scandals, misconduct is often explained through a ‘rotten apple’ defense, i.e. the poor judgment of an individual is not representative of the value-system of the firm. However, often it is a toxic ‘corporate culture’ that drives that poor judgment, as most recently evidenced though the manipulation of the London Inter-Bank Offered Rate. Commentary surrounding this case is no different, largely addressing individual culpability (i.e. ‘who knew what and when’) rather than questioning how the corporate culture at NPA and Securency perpetuated such behaviour for so long.

Section 12.3 of the Code provides that corporate criminal responsibility may attach if a ‘body corporate…expressly, tacitly or impliedly authorised or permitted the commission of the offence’ [§12.3(1)]. ‘Authorisation’ may be established by:

proving that a corporate culture existed within the body corporate that directed, encouraged, tolerated or led to non-compliance with the relevant provision; or proving that the body corporate failed to create and maintain a corporate culture that required compliance with the relevant provision [§12.3(2)(c)-(d)].

The Code defines ‘corporate culture’ to mean ‘an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities takes place [§12.3(6)]. Some factors relevant to the application of the cultural culpability provisions include:

Whether the employee, agent or officer of the body corporate who committed the offence believed on reasonable grounds, or entertained a reasonable expectation, that a high managerial agent of the body corporate would have authorised or permitted the commission of the offence [§12.3(4)(b)].

With the Code extending corporate culture beyond mere procedural compliance to include ‘attitudes’, it appears that that the legislature intended (i) domestic regulators to take an anti-formalist approach when prosecuting corporate criminal conduct; and (ii) firms to facilitate an appropriate corporate culture.

However, the RBA appears to be using a formalist approach to governance in justifying ignorance of foreign bribery allegations at Securency. In 8 October 2012 testimony before the House of Representatives Standing Committee on Economics, Mr. Glenn Stevens, Governor of the RBA, submitted a memorandum detailing the sequence of events that began with the RBA asking about the use of foreign sales agents by both the companies in April 2006. Mr. Stevens maintains that the RBA ‘was completely surprised by the allegations that were published in the middle of 2009’ as audits conducted in 2007 and 2008 found that ‘unlike NPA, Securency had [a]‘good and robust process’ in place in relation to overseas agent contracts and payments [and] it is for this reason that the Securency board, and the Reserve Bank, had no reason at that time to discontinue the use of agents, as had occurred at NPA.’ As a verification process rather than a forensic process, the veracity of an audit relies substantially upon the quality of information received from the organisation. Corporate culture will inevitably impact the quality of information. In hindsight, when a forensic audit was performed by KPMG in response to the expose by The Age in 2009, it was discovered that ‘critical information regarding the use of agents was withheld from the audit teams and the Securency board in 2007 and 2008.’

This questionable corporate culture was noted by Justice Elizabeth Hollingworth in the 20 August 2012 sentencing of former Securency company secretary and chief financial officer Mr. David John Ellery:

A culture [was developed] in Securency whereby staff were discouraged from examining too closely the use of, and payment arrangements for overseas agents…secrecy and the denial of wrongdoing, also seem to have been part of the corporate culture at the time [§28].

Justice Hollingworth’s perspective on Securency’s corporate culture was corroborated by a former Asia-Pacific Securency sales associate in a recent interview, where he stated that ‘Securency management definitely knew and participated in the planning and implementation of the bribe payments via the use of an agent. Nothing was written down, always alluded to in conversations only’ [on file].

The probity checks of Securency, including the 2006 review of agents and the subsequent 2007 and 2008 audits share one commonality. They were verification processes, not forensic processes.  They failed to take into account the realities of the environment in which the firm operated and the  ‘attitudes’ inherent in corporate culture. The result, at best, is that while compliant, Securency fell far short of robust risk management. At worst, it may soon have to answer questions relating to cultural culpability.