The decision whether to disclose voluntarily a breach or wrongdoing on the part of a company involves various complex and interrelated issues. In some cases, there may be clear advantages to self-reporting, and, where a decision is taken to disclose on this basis, this should be carefully managed. This chapter considers the advantages and disadvantages of self-reporting, including how the manner and timing of a self-report can make a crucial difference to mitigating any potential penalties which may be imposed (see Sections 3.3 to 3.6).1 Understanding the current views of authorities in the United Kingdom and how these views have evolved is an important part of this analysis.
In 2009 the Serious Fraud Office (SFO) issued guidance (the 2009 Guidance) to encourage companies to self-report instances of overseas bribery by promoting the idea that ‘in appropriate cases’ such self-reports would receive a civil rather than a criminal penalty.2 The 2009 Guidance appears to have followed on from the approach adopted by the SFO in its settlement with Balfour Beatty plc in 2008, which self-reported overseas corruption and received a civil recovery order instead of criminal sanctions.3 This approach changed in 2012 when the SFO abruptly withdrew its policy of favouring civil settlement in self-reported cases. This followed a report by the Organisation for Economic Co-operation and Development (OECD), which criticised the SFO’s position as undermining the seriousness of a bribery offence. It also followed soon after a change in regime at the SFO when Richard Alderman was succeeded by David Green CB QC as director. In a revised statement of policy citing the OECD’s concerns, the SFO stated, ‘Self-reporting is no guarantee a prosecution will not follow.’4
Today, authorities in the United Kingdom continue to encourage companies to self-report and consider an open and co-operative relationship to be an important factor when determining what further action to take. The Financial Conduct Authority (FCA), in particular, describes the nature of a firm’s overall relationship with the regulator as an ‘important consideration before an enforcement investigation and/or action is taken forward’.5 Similarly, the SFO considers voluntary disclosure and full co-operation as key preconditions to any potential settlement, as illustrated by its comments in relation to the United Kingdom’s first deferred prosecution agreements (DPAs).6
As well as the approach of authorities in the United Kingdom, it is also essential to consider what impact self-disclosure will have on other jurisdictions. Information sharing between enforcement agencies in different countries has become much more common, which means that the timing, order and manner of disclosures must be carefully assessed.
3.2 Reporting to the board
As a first step, and before any external disclosure is made, details of the breach should be reported to and considered by senior management. Companies should have procedures in place for the escalation of issues to board level. Issues that may materially affect the company should be reported to the board in a timely manner and potential conflicts of interest between the company, management and directors should be carefully considered when deciding how to review or investigate any potential issue. (See also Chapter 5 on beginning an internal investigation.) In many cases, it may be most appropriate for the board or a special committee of the board to oversee the investigation and ultimately any potential reporting decision. More specifically, if the allegations implicate senior management or board members, an independent investigation committee should be established. Alternatively, larger companies may have an oversight or audit function that has sufficient autonomy.
Communication to members of the board should also be proactively managed to maintain legal privilege. Under English law, privilege will not extend to the whole corporate entity, or even the whole group or department seeking advice.7 The ‘client’ for the purposes of legal privilege will only include those individuals specifically tasked with seeking and obtaining legal advice. It is, therefore, important to establish who the client is when conducting an investigation with the assistance of in-house or external counsel. This may be more straightforward where an independent investigation committee has been established as the client will be a clearly defined group. (See also Chapter 31 on privilege.) This will also help to control information flows internally and ensure that the board receives timely and appropriate information regarding an investigation. (See also Chapter 5 on beginning an internal investigation.)
3.3 Advantages of self-reporting
Where there is no mandatory requirement to disclose, deciding whether to voluntarily self-report a breach or issue to the authorities will require a review of all possible advantages and disadvantages.8
3.3.1 Information control
Generally speaking, a company will have an element of control over the information disclosed to a government authority, at least at the outset. A voluntary disclosure provides an opportunity for the company to explain and clarify matters on its own terms. In circumstances where there is a possibility of the information being disclosed to the authorities in another way, for example by a whistleblower, such factors may weigh heavily in favour of self-reporting.
3.3.2 Demonstration of a culture of compliance
Self-reporting can also be an opportunity to demonstrate a culture of good compliance, particularly if the company’s own compliance systems detected the wrongdoing and the company moved quickly to remediate and disclose it. This backdrop can help cast subsequent interactions with government authorities in a positive and co-operative light, which may improve the likelihood of an early resolution and mitigate any penalties.
3.3.3 Co-operation credit and penalty mitigation
The DPA Code of Practice 2014 (DPA Code) lists co-operation first as an additional public interest factor against prosecution.9 The prosecutor will decide whether the company subject to the investigation has supplied sufficient information about the circumstances of the breach concerned, as well as any relevant conduct, when considering the extent of co-operation. The DPA Code provides specific examples of co-operation including ‘identifying relevant witnesses’, ‘providing a report in respect of any internal investigation’ and ‘where practicable . . . making the witnesses available for interview when requested.’10
While full co-operation is stated as being a condition for a DPA, the United Kingdom’s shorter track record in this area makes it harder to assess the true level of co-operation expected. Certainly comments from the SFO have made clear that co-operation has to be full and unfettered on the part of a disclosing company. Ben Morgan, Joint Head of Bribery and Corruption at the SFO, said in October 2015 that ‘you companies don’t have to co-operate, but if you say you want to – back it up, really do it; don’t say one thing, but really work to a different agenda. We see straight through that and it doesn’t work. Self-reporting alone is not sufficient.’11 However, what this requires of companies in practice is unclear and this uncertainty may deter self-reporting, despite the availability of DPAs (see Section 3.4.4).
Failure to report wrongdoing within a reasonable period after the offence comes to light is regarded by prosecutors as being a public interest factor in favour of prosecution.12 An attempt made to conceal misconduct is a factor that will increase the seriousness of the offence and will likely result in steeper penalties being imposed.13 The threat of criminal sanction and associated reputational damage once the matter becomes public may encourage a company to self-report, particularly for more serious breaches.
In contrast to the United States, co-operation credit is a newer and less predictable concept in the United Kingdom. This has led to uncertainty as to the consequences of co-operation and makes it more difficult to weigh the benefits of self-reporting. Prosecutors in the United Kingdom have made clear that self-reporting does not provide a guarantee that prosecution will not follow, but there are indications that early disclosure does confer some advantages. The UK Sentencing Council’s Fraud, Bribery and Money Laundering Offences: Definitive Guideline (UK Guidelines) makes clear that early admissions by a company or voluntary self-reporting will reduce the seriousness of the offence or otherwise reflect mitigation, reducing the sentence imposed.14 However, unlike the United States’ Federal Sentencing Guidelines for Corporations, the UK Guidelines are not based on factors that have a set numerical value attributed to them. Instead, any weight given to the factors set out in the UK Guidelines, including self-reporting, is solely within the judge’s discretion. In addition to the quantitative approach of its Federal Sentencing Guidelines for Corporations, the United States has recently moved to further increase certainty for companies looking to co-operate. In April 2016, the Department of Justice (DOJ), announced its Pilot Program to standardise co-operation credit in FCPA cases, with the first two non-prosecution agreements under the Program entered in June 2016 (see Chapter 4 on self-reporting to US authorities, Section 4.3.1). There is no similar scheme as yet in the United Kingdom.
The United States also has a much longer history of providing formal mechanisms by which companies are incentivised to co-operate, such as DPAs. DPAs have existed in the United States since the 1990s, whereas the United Kingdom implemented DPAs relatively recently in February 2014.15 As of the time of writing, the DPAs entered into between the SFO and ICBC Standard Bank plc (Standard Bank) and separately with a currently unnamed company identified as ‘XYZ Limited’,16 (XYZ) are the only two DPAs approved in the United Kingdom.17 This, coupled with the relative lack of corporate criminal convictions in the United Kingdom (again, as compared with the United States), makes it difficult to assess the extent to which the penalties imposed were mitigated by early self-reporting and full co-operation (see Section 3.5.1). The level of credit granted to companies remains to be seen until the United Kingdom builds up more of a track record of both corporate criminal convictions and DPA settlements. (See also Chapter 21 on negotiating global settlements.)
The DPA Code initially provided clarity on the level of discount available for financial penalties imposed pursuant to a DPA by stating that a one-third discount must be provided for DPAs where the circumstances are comparable to the submission of an early guilty plea by the company.18 This went beyond the statutory position in the Crime and Courts Act 2013, which only requires that the financial penalty for a DPA ‘to be broadly comparable to a fine that the court would have imposed . . . following a guilty plea.’19
However, the SFO recently suggested that the current one-third discount applicable under the DPA Code may be reconsidered. In a Q&A on 17 June 2016, David Green QC, the Director of the SFO, said that the DPA regime may be modified in the future, particularly concerning what reduction in financial penalty companies can expect. Mr Green also touched on the continuing development of the DPA system in the United Kingdom as part of his consideration of discounts by explaining that ‘as our experience of DPAs develops there will be space to consider if the system is correctly balanced.’20 This Q&A preceded the DPA in XYZ Ltd being made public and in which the judge said that in the circumstances set out there ‘a discount of 50% could be appropriate not least to encourage others how to conduct themselves when confronting criminality as XYZ has.’21 Nevertheless, a level of uncertainty as to the effect of self-reporting on any penalty imposed remains. As a consequence, any assessment of the level of co-operation credit or mitigation of any penalty afforded to a company by a self-report will be difficult to determine with any real certainty.
3.4 Risks of self-reporting
3.4.1 Self-reporting does not prevent prosecution
Companies in the United Kingdom should be aware that self-reporting is no guarantee that prosecution will not follow in cases of more serious wrongdoing and where proceeding to prosecute is in the public interest. Significantly, this decision can be made by the SFO or the court late in the process and after documents, details and transcripts of witness interviews and other information have already been provided to prosecutors, effectively building the case against the company. In addition, any statement of facts within a proposed DPA can be used against a company if prosecution is pursued. This is a major risk for a company looking to self-report, as it could face prosecution (and the associated negative publicity that brings) based largely on information provided by the company in the context of voluntary DPA negotiations and a co-operative company approach.
3.4.2 Greater scrutiny and long-term obligations to co-operate and remediate
Companies should consider the risk of increased scrutiny as a consequence of self-reporting and the likelihood of longer-term obligations to co-operate: the DPA Code lists co-operation as one of the three standard terms of a DPA.22 Even without the costly appointment of a corporate monitor pursuant to a DPA, authorities in the United Kingdom are likely to require ongoing involvement and substantial interaction with the company to address the breach or wrongdoing. This will often mean implementing remedial measures and reviewing and improving compliance systems and controls. These changes can be costly to implement and can cause disruption to the business. Ongoing interactions with authorities should also be carefully managed and only made via designated individuals within the company or its external counsel.
3.4.3 Potential loss of control of any internal investigation
A reduced ability to ‘control’ or influence the scope or conduct of its own internal investigation is also likely to be a concern for a company that self-reports in the United Kingdom. David Green QC has made clear that the agency may require a company to undertake aspects of an internal investigation in a particular way and keep the SFO informed of particular developments.23 For example, a company or its counsel could be required to conduct witness interviews in a particular order and may be required to produce full transcripts of interviews, rather than just summaries. The rationale for the SFO’s role and influence over internal investigations is, according to Mr Green, due to the potential dangers of what he refers to as ‘churning up the crime scene’, where an internal investigation conducted by a company allegedly hinders an SFO investigation.24 Mark Steward, the FCA’s Head of Enforcement, has been similarly critical of internal investigations by describing the effect of them as ‘the crime scene being trampled over.’25
The shift towards increased control over internal investigations by the SFO is further illustrated by recent comments, again by David Green QC, that suggest he would like to formalise the process in the same way as the FCA uses ‘skilled persons’ reviews to investigate authorised firms.26 Under this process, the FCA will engage an independent law or accountancy firm to investigate areas of concern within an authorised firm.27 Significantly, while the firm under review is required to pay for the investigation, the third party engaged to conduct the review must be approved by and will report to the FCA, an approach somewhat akin to the imposition of a court-appointed monitor following a corporate resolution.28 In comparison with the United Kingdom’s preferred level of involvement in internal investigations, authorities in the United States often encourage companies to conduct internal investigations more independently so long as they coordinate on scope and share their findings, of course reserving the right to provide direction where necessary. The risk of intrusion into an internal investigation will need to be weighed against the benefits of self-reporting (see Chapter 7 on witness interviews).
3.4.4 Level of co-operation required and impact on privilege is unclear
There has been considerable debate recently as to whether full co-operation may necessitate a waiver of privilege by disclosing companies. Both the SFO and the FCA have commented publicly that companies are ‘letting legal privilege become an unnecessary barrier’ in sharing the output of internal investigations.29 In contrast, the DOJ and the Securities and Exchange Commission both have policies that clearly prohibit them from even requesting a waiver of privilege.
The level of co-operation required by the SFO and the necessity of any waiver of privilege is a developing area. For instance, consider the SFO’s differing approaches to its settlements with Standard Bank and XYZ Ltd and the conviction of Sweett Group plc (Sweett). All three companies instructed external counsel to conduct internal investigations. However, while Standard Bank and XYZ were praised for being transparent and collaborative, Sweett was viewed by the SFO as being unco-operative. Standard Bank and XYZ appear to have conducted their own internal investigations alongside the SFO’s own review and seemingly maintained full co-operation with the SFO throughout the investigation process. In his judgment in Standard Bank’s DPA, Sir Brian Leveson, President of the Queen’s Bench Division, specifically noted that Standard Bank assisted the SFO ‘in identifying relevant witnesses, disclosing their accounts and the documents shown . . . making witnesses available for interview . . . providing a summary of first accounts of interviews, facilitating interviews of current employees, providing a timely and complete response to requests for information and material, and providing access to its document review platform.’30
Similarly, in approving the SFO’s second DPA against XYZ, Leveson P again highlighted that he had given ‘considerable weight’ to the level of the company’s co-operation, explaining in similar language to the Standard Bank DPA that XYZ had ‘provided oral summaries of first accounts of interviewees, facilitated the interview of current employees, and provided timely and complete responses to requests for information and material.’31 Leveson P also referred to the level of co-operation and disclosure of information undertaken by XYZ as ‘materially similar’ to the co-operation terms specified in the Standard Bank DPA and commented that ‘it may be appropriate that they be considered standard in these cases.’32 Further, in determining the level of fine to impose against XYZ, which if substantial would have forced the company into insolvency, Leveson P took into account the ‘level and nature’ of co-operation and set a fine that he acknowledged appeared ‘extremely modest’ when compared with the sums to be disgorged (but paid by XYZ’s parent company). In this instance, full co-operation with the SFO was of significant benefit to the company.
In contrast with both the Standard Bank and XYZ DPAs, Sweett’s interactions with the SFO appear to have deteriorated following its self-report in 2014. In December 2015 Sweett became the first company to plead guilty to the offence of failing to prevent bribery under section 7 of the UK Bribery Act 2010. Employees of Sweett’s subsidiary in the UAE were found to have paid bribes to secure and retain a contract with Al Ain Aihlia Insurance Company (AAAI). Sweett was required by the SFO to issue a statement to investors not long after its self-report stating that the SFO viewed the company as unco-operative as it had decided to continue its own internal investigation into bribery allegations. It appears that Sweett took the decision to continue its independent investigation and exercise its privilege rights after the SFO had begun its formal investigation into the company. A conflict between the company and the SFO appears to have arisen as a result of Sweett’s unwillingness to provide evidence from first witness accounts. In response, and as an indicator of the deterioration in relations, the SFO issued a demand to Sweett that it not ‘trample’ on evidence. It was also discovered that while the SFO investigation was ongoing, Sweett Group representatives attempted to secure a letter from AAAI stating that the sham subcontract was in fact legitimate. It was not until November 2015 that Sweett Group repudiated all of its contracts with the agent. Taken together, this conduct undoubtedly influenced the SFO’s decision to refrain from offering Sweett the opportunity to enter into a DPA with the SFO. Sweett ultimately pleaded guilty to failing to prevent bribery under section 7 of the Bribery Act 2010.33 In contrast, both Standard Bank and XYZ were deemed to have fully co-operated with the SFO and entered into DPAs, despite the SFO not conducting interviews with certain key individuals in the case of Standard Bank, and only having been provided with oral summaries of key witness accounts in both the Standard Bank and XYZ examples.
Adding to the confusion, the SFO recently issued a number of public statements on the issue of whether witness summaries or transcripts should be provided by a company, none of which provide a clear answer. On 18 May 2016, the SFO stated publicly that companies do not need to waive privilege to qualify for co-operation credit, but will be required to provide the SFO with first witness accounts if taken, meaning that the SFO expects access to witness interview summaries and associated materials flowing from a company’s internal investigation.34 Shortly after this statement, on 24 May 2016, the SFO attempted to clarify the position again, explaining that a ‘charge of inconsistency assumes that there is a difference in terms of privilege between a contemporary record of a witness account, a written summary of it or an oral summary of it. It is an interesting question how valid that assumption is and not one that was required to be tested on the Standard Bank case.’35 The SFO’s conflicting responses to companies seeking to co-operate and the implied suggestion that co-operation without waiver of legal privilege may not result in full co-operation credit will likely cause companies to consider carefully the risks associated with self-reporting, particularly taking into account the effect of a privilege waiver on matters in other jurisdictions such as the United States where aggressive civil litigation is often pursued based on information obtained through such waivers. (See also Chapter 29 on parallel civil litigation.)
3.4.5 Dealing with authorities in multiple jurisdictions
A decision to self-report is further complicated where the company is contemplating disclosures in multiple jurisdictions, particularly where the approach of the authorities and the benefits of self-reporting are inconsistent or uncertain. For example, in contrast with the United Kingdom’s discretionary approach, authorities in the United States are moving towards a more standardised methodology in relation to co-operation credit, as recently indicated by the introduction of the Pilot Program (see Section 3.3.3). The DOJ has also published its FCPA Enforcement Plan and Guidance to enable companies to make an informed decision whether to co-operate under the Pilot Program. Similarly, authorities in the United Kingdom and the United States have seemingly different views regarding privilege and the level of their expected involvement in an internal investigation (see Section 3.4.4).
There may also be scenarios where companies are subject to mandatory reporting obligations in the United Kingdom, but not in other jurisdictions in which they operate. For example, an entity operating in the ‘regulated sector’, which is required to file suspicious activity reports (SARs) with the National Crime Agency (NCA) in certain circumstances to comply with its obligations under the Proceeds of Crime Act 2002 (POCA), will also have to consider whether, as a result of this mandatory disclosure, other disclosures should be made elsewhere.36
In addition to these challenges, authorities in different jurisdictions are increasingly sharing information and combining enforcement efforts. In the 2010 case of BAE Systems PLC, the United States’ DOJ and the United Kingdom’s SFO worked in conjunction to investigate BAE and reach a settlement. In a press release, the DOJ acknowledged and expressed its appreciation of the significant assistance provided by the SFO.37 Today authorities continue to consider how they can go further to proactively collaborate in their enforcement actions. Jamie Symington, Director in Enforcement at the FCA, recently described the collaboration between authorities in different jurisdictions as ‘key’. He also remarked that collaboration should go further than co-operation to mean ‘building relationships’, having a ‘shared strategy’ and ‘learning from each other what the challenges are to delivering successful outcomes.’38 Practical examples of collaboration provided included ‘talking early’, proactively ‘sharing information’, ‘regular updates’, and ‘coordination of outcomes’. Companies subject to authorities in multiple jurisdictions will therefore need to consider the ramifications of disclosure in each, and the potential sequence and manner of any such disclosure.
3.5 When to disclose and to whom
Having made the decision to self-report, the company and its counsel will need to consider the timing of a report and to which authority (or authorities) it will disclose. It is understandable that before making a report, companies will want to have an idea of the nature and scale of the breach or wrongdoing, so far as practicable, and that requires some level of internal investigation. However, the SFO has made clear that early reporting is vital and any delay will likely count against a company. The SFO’s guidance on corporate self-reporting states that ‘prosecutors will also be mindful that a failure to report the wrongdoing within a reasonable time of the offending coming to light is a public interest factor in favour of a prosecution.’39 This, coupled with the court’s ability to consider DPA negotiations and agreed facts means that the timing even of a voluntary disclosure that may not otherwise have come to light could be used against a company if it is deemed to be too late or insufficiently complete.
The value of early self-reporting was emphasised in the DPAs entered into with the SFO. First, and most dramatically, Standard Bank notified the authorities before its external counsel had started an internal investigation on the bank’s behalf. In the XYZ Ltd example, the company retained legal counsel immediately on becoming aware of the issues in late August 2012. While investigating, XYZ’s counsel orally reported to the SFO effectively a little more than one month later on 2 October 2012 (without naming the client). Thereafter, the company and its counsel continued to conduct an internal investigation and actively met and engaged with the SFO on 13 November (confirming that XYZ would be making a written self-report) before making a formal written self-report on 31 January 2013. Two further reports were also made.40
In contrast, during the Sweett prosecution, HHJ Beddoe criticised the company for only submitting a self-report after it had received information that the Wall Street Journal was going to publish bribery allegations against it. Sweett received no credit for self-reporting.41 Distinguishing this exact fact scenario, Leveson P, when approving the XYZ DPA, specifically noted that there was no suggestion of a whistleblower and that had it not been for the self-report the offences may have continued undetected by the SFO.42 This indicates that the timing, openness and motivation behind a self-report may determine whether a company receives any credit for self-reporting, which, in turn, could be an important factor in the SFO’s decision to pursue a DPA or a prosecution.
Although the authorities have repeatedly emphasised that early self-disclosure is crucial to the availability of a DPA in the United Kingdom, it seems unlikely that timing alone will determine whether a DPA is offered. The authorities have consistently recognised the need for companies to conduct internal investigations to establish the facts and are cognisant that disclosing companies have a difficult balance to strike between the need to disclose promptly and also ensuring they have investigated the issue as far as is reasonable to be able to make an accurate report.43
3.5.2 Priority of disclosures to multiple agencies
Any mandatory disclosures, such as the filing of an SAR with the NCA for those operating in the regulated sector, should be considered and made first.44 However, as illustrated by the Standard Bank case, this mandatory reporting requirement has a significant consequence if the knowledge or suspicion of a money laundering offence being committed by another arises as a result of criminal activity, in this case bribery, which may prompt a separate (discretionary) notification to the SFO.
In the Standard Bank example, the SFO noted the short timeline of disclosure to both it and the Serious Organised Crime Agency (SOCA) (predecessor to the NCA) in its press release announcing the Standard Bank DPA, highlighting that it was notified six days after Standard Bank submitted its mandatory SAR to SOCA.45 Companies considering, or required to make, disclosures to multiple agencies should bear in mind any time lapse between notifications to different authorities.
In this scenario, companies should also bear in mind the likelihood of information sharing between authorities. The NCA’s guidance note on Submitting A Suspicious Activity Report within the Regulated Sector specifically states that by submitting a SAR, companies will provide law enforcement agencies with ‘valuable information of potential criminality.’46 With 381,882 SARs filed between October 2014 and September 2015, the volume of SARs constitutes a large body of intelligence at the NCA’s disposal.47
As stated elsewhere in this chapter, mandatory reporting obligations such as SARs can have a significant impact on a company’s decision whether to make a discretionary disclosure, particularly when an internal investigation is already under way. For example, there may be circumstances in which the threshold for filing a SAR is met during the course of an investigation into underlying criminal conduct, but the information that gives rise to the SAR represents an incomplete or even a misleading impression of the true underlying misconduct – pending further internal investigation. There is case law that says that a ‘suspicion’ for POCA purposes must be ‘settled’, but this does not necessarily mean that a company can wait until the end of its internal investigation before making a SAR.48
In practical terms, POCA reporting obligations may force or accelerate a separate, additional disclosure to, say, the SFO or overseas enforcement agencies. This is particularly true where the POCA report is made to obtain ‘appropriate consent’ from the NCA in relation to a substantive money laundering offence, rather than so-called ‘regulated sector’ reporting. A company that has discovered bribes being paid by its own employees or agents in circumstances where those bribes have resulted in contracts being won will need to seek and obtain such ‘consent’ if they wish to avoid the risk of charges of money laundering on top of any charges of bribery. Seeking consent from the NCA, unlike the making of a ‘regulated sector’ SAR, requires more direct contact with the NCA, which must determine whether consent should be granted.
There may also be situations where POCA reporting obligations will have little bearing on a decision to self-report. The threshold for making a SAR under Part 7, POCA is low and can result in the reporting of another person’s very minor misconduct that conceivably has no link to the United Kingdom beyond the maker of the report being subject to POCA reporting obligations. In such circumstances there may well be nothing to self-report. However, where a company has made a report to the NCA seeking ‘appropriate consent’ because it believes that it possesses criminal property as a result of, say, a bribe being paid, it is much more likely that issues of voluntary self-reporting to the SFO will arise.
3.6 Method of disclosure
Certain authorities in the United Kingdom have prescribed methods for corporates to disclose information. For example, HM Treasury provides a ‘breach form’ on its website for ‘relevant institutions’ to report a breach of financial sanctions.49 The data protection regulator in the United Kingdom, the Information Commissioner’s Office (ICO), also requires to be notified of serious data security breaches in writing via a specific form. Similarly, the SFO has outlined the process to be adopted by corporate bodies and their advisers when self-reporting.50 This requires that initial contact be made via the SFO’s Intelligence Unit through an online secure reporting form, with hard-copy reports setting out the nature and scope of any internal investigation to follow.51 The level of information required by the SFO at this initial notification stage reflects its view on the level of co-operation required of companies that self-report (see Section 3.4.4).
Where there is no prescribed format to disclose, in practice initial self-reports may be made orally to the relevant authority, with a more formal and detailed oral or written report, or both, to be provided at a later stage. There are risks and benefits associated with both oral and written disclosures, however.
Oral disclosures provide authorities with the necessary information, without the company or its advisers having to produce a written document that may be open to misinterpretation or misuse. An oral report, with written materials as appropriate, is also likely to be produced more quickly and efficiently and should allow the disclosing company to promptly and fully explain the issues at hand.
Alternatively, a written report can help manage any particularly difficult disclosures and provide a clear record of what information was provided to the authorities and when. It may also provide a roadmap for authorities to conduct their own investigation, which could be an advantage to a disclosing company as they effectively retain more control over the direction of the investigation.
Bearing in mind the emphasis on full co-operation, any information disclosed must be accurate and complete, avoiding even the perception that the company is withholding relevant information. The SFO is sensitive to disclosures that seek to confess and avoid, as David Green QC has said: ‘There is, of course, little or no value to the SFO in an expensive and glossy lawyer’s final report which minimises culpability and ignores difficult facts.’52
The decision whether to voluntarily self-report is not straightforward. Companies and their counsel will need to carefully weigh the various factors for and against to judge whether the benefits of self-reporting outweigh the risks, and inevitably this judgement will depend on the particular circumstances of the breach or wrongdoing in question.
Determining whether to report is, to a certain extent, more complicated and less certain for companies in the United Kingdom than in the United States. With only two DPAs entered into so far in the United Kingdom, authorities do not yet have the same track record of co-operation arrangements and penalty reductions, as seen in the United States, to which companies can refer, assess and more easily quantify the risks and benefits of self-reporting. Further, authorities in the United States understand that certainty of outcome is an important factor that encourages companies to self-report, as indicated by the introduction of the Pilot Program.
With further DPAs anticipated in the United Kingdom and the SFO’s repeated and public statements on self-reporting and co-operation, it remains to be seen whether certainty of outcome following a self-report is something that can be relied on in the United Kingdom and whether it will encourage more self-reporting by companies.
Appendix to Chapter 3
Summary of Mandatory Disclosure Obligations
The chart below details some of the key mandatory reporting requirements that companies (and in some cases their directors) in the United Kingdom may encounter, depending on the sector in which they operate and their regulatory status. As noted in this chapter, these obligations must take priority over any voluntary report, and companies should assume that information from these mandatory disclosures could likely be shared with other authorities.
|Directors’ duties||Directors owe fiduciary duties to a company to act in the company’s best interests and exercise independent care and skill. Company directors considering self-reporting (or omitting to do so) will need to be satisfied that the proposed course of action is in the best interests of the company having regard to the matters and other duties detailed above. A director’s personal interests could conflict with those of the company.|
|Sanctions breaches||Where a ‘relevant institution’ (defined in UK statutory instruments that enforce the various EU regulations as including firms with permission under Part IV of the Financial Services and Markets Act 2000, such as a bank or investment firm) believes it has committed a sanctions offence, for example by holding funds or assets of a sanctioned party, this must be reported to HM Treasury, as soon as practicable. Relevant institutions should provide information about the sanctions target and all information relevant to the breach, such as the nature and amount of funds received from the party subject to sanctions. HM Treasury requires disclosing companies to report breaches via a specific disclosure form, which can be submitted with any relevant documents.|
|Anti-money laundering legislation||
Persons within the ‘regulated sector’ (including, for example, FCA regulated firms lawyers, accountants and tax advisers) must submit SARs to the NCA under Part 7 of POCA and the Terrorism Act 2000 (TACT), where an entity knows or suspects that a person is engaged in money laundering or terrorist financing, or is otherwise attempting to do so. Failure to report suspicions of money laundering or terrorist financing are criminal offences.Companies not within the regulated sector must seek consent from the NCA via an ‘authorised disclosure’ (section 338 POCA) to undertake an activity that would otherwise constitute a substantive money laundering offence under POCA (sections 327-329), such as using or retaining the proceeds of crime. This disclosure provides the reporting entity with a defence to the substantive money laundering offences set out in POCA. The government has recently published the Criminal Finances Bill, which introduces significant changes to the SAR regime, although it has not proposed, as had originally been suggested, the abolition of the ‘consent regime’. Instead it has proposed its modification, by giving the NCA the ability to extend the moratorium period following initial refusal of consent by a maximum of six months (in 31-day increments).
|Data security breaches||
All ‘data controllers’ (defined in the Data Protection Act 1998 as a person who determines the purposes for which and the manner in which any personal data is processed) are required by the Data Protection Act to ensure appropriate and proportionate security of the personal data they process. With limited industry-specific exceptions, under the current UK legislation, there is no general legal obligation on data controllers to report data security breaches (for example, the loss or theft of customer information). However, the ICO has published non-binding guidance that makes clear that in its view there are circumstances in which data breaches should be reported – in particular, where a breach is deemed to be ‘serious’. Its guidance sets out factors to bear in mind when considering whether to disclose to the ICO. If a serious but non-reported data security breach comes to the ICO’s attention, the ICO may use its discretion to impose greater fines than if the breach had otherwise been reported.Discretion as to whether to disclose a data breach will be restricted under the new EU General Data Protection Regulation, which is expected to come into effect in mid 2018. Under the Regulation, data controllers in the UK must notify almost all data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In certain cases, the data controller will also be obliged to inform the affected data subjects.
|Competition law breaches||Entities regulated by the FCA must notify the regulator if they have or may have committed a ‘significant infringement’ of competition law. In contrast, companies not authorised and regulated by the FCA are not subject to a positive legal obligation to report breaches of competition law to the Competition and Markets Authority or the European Commission.|
|Listing Rules and Disclosure and Transparency Rules||Companies whose securities are admitted to trading on a market operated by the London Stock Exchange (LSE) are subject to ongoing disclosure obligations pursuant to the AIM Rules, the Listing Rules (LRs) and/or the Disclosure and Transparency Rules (DTRs). For example, inside or price-sensitive information and any details of transactions involving the company’s directors, managers or substantial shareholders will need to be disclosed to the LSE, the FCA, the company’s shareholders and the public via a regulatory information service and/or via the company’s website. The exact application of the rules will vary depending on the nature of a company’s listing and the business sector in which a company operates. In addition to specific disclosure requirements, companies subject to the AIM Rules or the LRs must provide the FCA and the LSE with all information reasonably required to ensure the smooth operation of the market and to protect investors.|
|Disclosures relating to audit||
Auditors reviewing companies operating in the financial sector also have their own obligations to disclose to FCA and/or the Prudential Regulation Authority certain matters relevant to the soundness of the regulated entity, for example, the ability to maintain adequate financial resources or circumstances that give reason to doubt whether senior management are effective as ‘fit and proper persons’.Directors must volunteer information to auditors. If a director knowingly or recklessly misrepresents the information provided to an auditor, for example by concealing or not reporting a legal or regulatory breach, he or she will be guilty of a criminal offence. Directors may also be asked by the company’s auditors to make written representations to confirm that the information the auditors have relied on in forming their opinions is free of misstatements and omissions, and that the effects of any uncorrected misstatements identified by the auditor are immaterial.
|Disclosures by authorised firms to the Financial Conduct Authority||The fundamental obligation requiring disclosure to the FCA is set out at Principle 11 of the Principles for Businesses in the FCA Handbook. Principle 11 requires authorised firms to deal with its regulators in an open and co-operative way. Firms must disclose to the FCA anything relating to the firm of which it would reasonably expect notice.|
|Disclosures to insurers||Notifications to insurers of issues that may give rise to an internal or external investigation should be made at an early stage to ensure costs coverage. This is likely to be a condition of the policy. Insurers are also likely to require updates on the progress of an investigation, whether internal or external, including any findings made by authorities.|
- In addition to the potential risks and benefits of self-reporting, this chapter also outlines the mandatory disclosure obligations companies may face (see Appendix to Chapter 3). Depending on the entity’s regulatory status and the sector in which it operates, certain disclosure obligations may be imposed by statute, regulatory requirements or membership of professional bodies. Companies must first consider mandatory disclosure obligations as well as the impact those disclosures may have on any decision to self-report to other authorities who may become aware of the misconduct through information sharing.
- The 2009 Guidance is no longer publicly available.
- The 2009 Guidance was also published approximately two weeks after the SFO secured the first ever corporate criminal conviction for bribery offences against Mabey & Johnson Ltd. The company pleaded guilty to corruption charges related to the alleged payment of bribes to win contracts in Jamaica and Ghana between 1993 and 2001, voluntary disclosure of which was made by Mabey & Johnson’s holding company to the SFO in February 2008. While the company had launched an internal investigation prior to notifying the SFO, it appears its self-report to the SFO was only triggered after public allegations of improper payments were made by a former company executive. The self-report was also likely deemed flawed in that the company was already under investigation by the SFO for its alleged participation in violations of the United Nations Oil-For-Food programme and corrupt payments to officials.
- The SFO’s revised statement of policy can be accessed here: https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/corporate-self-reporting/.
- FCA Enforcement Guide, which can be accessed here: https://www.handbook.fca.org.uk/handbook/document/eg/EG_20160101.pdf.
- See, for example, speech by Alun Milford, SFO General Counsel, European Compliance and Ethics Institute, Prague, 29 March 2016 ‘It should . . . be obvious from a cursory review of the public policy guidance that we will not enter into a DPA with a company that has not co-operated with us. Our Director . . . has repeatedly emphasised this point . . . . The Standard Bank case shows how this can be made to work in practice. . . . Their conduct was an object lesson in how to co-operate.’ Available at https://www.sfo.gov.uk/2016/03/29/speech-compliance-professionals/.
- Three Rivers District Council v. Bank of England 2003 EWCA Civ 474.
- See Appendix for potential mandatory disclosures. The likelihood of information sharing between authorities may very well lead a company to proactively make other timely disclosures in hopes of receiving full co-operation credit and benefit from a voluntary disclosure.
- Paragraphs 2.8.2(i) and 7.8(iii) of the DPA Code which can be accessed here: https://www.cps.gov.uk/publications/directors_guidance/dpa_cop.pdf.
- Ben Morgan, Joint Head of Bribery and Corruption at the SFO, Speech at the Annual Anti-Bribery and Corruption Forum, 29 October 2015, which can be accessed via: https://www.sfo.gov.uk/2015/10/29/ben-morgan-at-the-annual-anti-bribery-corruption-forum/.
- Guidance on Corporate Prosecutions, issued by the Director of Public Prosecutions, the Director of the Serious Fraud Office and the Director of the Revenue and Customs Prosecutions Office at p. 7.
- Sentencing Council’s Fraud, Bribery and Money Laundering Offences Definitive Guide, at p. 50.
- The Guidelines are effective from 1 October 2014 and provide a structure for the sentencing of corporate offenders in the United Kingdom for the first time.
- DPAs were deployed sparingly during the 1990s and early 2000s in the United States, with a significant increase in the number entered into from 2005. See Anthony and Rachel Barkow, Prosecutors in the Boardroom: Using Criminal Law to Regulate Corporate Conduct, p. 4 (NYU Press, 2011).
- SFO v. XYZ Limited, Crown Court (Southwark), 11 July 2016.
- As of the time of writing and due to ongoing related litigation, the Court took the decision not to name the company concerned.
- The DPA Code of Practice states: ‘a financial penalty for a DPA must provide for a discount equivalent to that which would be afforded by an early guilty plea. Current guidelines provide for a one third discount for a guilty plea at the earliest opportunity.’ DPA Code of Practice 2013 which can be accessed here: https://www.cps.gov.uk/publications/directors_guidance/dpa_cop.pdf.
- Schedule 17, Paragraph 5(4) of the Crime and Courts Act 2013.
- David Green QC, SFO Director, ‘As our experience of DPAs develops there will be space to consider if the system is correctly balanced…And I say that… because I know that in our system by law the discount for the DPA is the same as that for a guilty plea.’ Q&A, London, 17 June 2016, organised by The Fraud Lawyers Association and the European Fraud and Compliance Lawyers association. Excerpts from the Q&A sessions can be accessed here: http://globalinvestigationsreview.com/article/1036163/david-green-sfo-can-learn-from-fca-approach-to-internal-investigations.
- XYZ Ltd, at para. 57: ‘Looking to the discount following a guilty plea, it is necessary to take into account the appropriate reduction in accordance with s.144 of the Criminal Justice Act 2003 and the relevant guideline (issued by the Sentencing Guidelines Council). In particular, under s.144(1)(a) and (b) of the Act, a court must take into account the stage in the proceedings the offender indicated his intention to plead guilty and the circumstances in which the indication was given. Given the self-report and admission, under the guideline, a full reduction of one third is justified and appropriate. In addition, given that the admissions are far in advance of the first reasonable opportunity having been charged and brought before the court, that discount can be increased as representing additional mitigation. In the circumstances, a discount of 50% could be appropriate not least to encourage others how to conduct themselves when confronting criminality as XYZ has. On the face of it, that reduces the figure to £8.2 million.’ See also Chapter 21 on negotiating global settlements.
- DPA Code, para. 7.8(iii), which lists ‘cooperation with an investigation related to the alleged offence(s)’ as one of the terms that will ‘normally’ appear in a DPA and whose footnote expands as follows: ‘For example in respect of individuals. The obligation would include the provision of material to be used in evidence and for the purposes of disclosure.’
- David Green QC, SFO Director, comments at GIR Roundtable Discussion on Corporate Internal Investigations, 27 July 2015.
- Mark Steward, FCA Head of Enforcement, comments made at 14th Annual Corporate Accountability Conference in London, 9 June 2016, details of which can be accessed here: http://globalinvestigationsreview.com/article/1036084/mark-steward-don%E2%80%99t-trample-the-crime-scene.
- David Green QC, SFO Director, Q&A, London, 17 June 2016, organised by The Fraud Lawyers Association and the European Fraud and Compliance Lawyers association. Excerpts from the Q&A session in London on 17 June 2016 can be accessed here: http://globalinvestigationsreview.com/article/1036163/david-green-sfo-can-learn-from-fca-approach-to-internal-investigations.
- Section 166 of the Financial Services and Markets Act 2000.
- In addition to also reporting to the authorised firm.
- Jamie Symington, Director in Enforcement (Wholesale, Unauthorised Business and Intelligence), FCA, speech at Pinsent Masons Regulatory Conference, 5 November 2015, which can be accessed via: http://www.fca.org.uk/news/speeches/internal-investigations-firms.
- Paragraph 30 of the Approved Judgment by Leveson P, which can be accessed here: https://www.judiciary.gov.uk/wp-content/uploads/2015/11/sfo-v-standard-bank_Preliminary_1.pdf.
- See paragraphs 61 and 27 of Leveson P’s Preliminary Judgment, which was cross-referenced in the Final Judgment and can be accessed via: https://www.sfo.gov.uk/2016/07/08/sfo-secures-second-dpa/.
- Ibid. at paragraph 62.
- The corporate offence of failing to prevent bribery.
- Matthew Wagstaffe, Joint Head of Bribery and Corruption at the SFO, speaking at the 11th Annual Information Management, Investigations Compliance eDiscovery Conference on 18 May 2016, which can be accessed here: https://www.sfo.gov.uk/2016/05/18/role-remit-sfo/.
- Written statement provided to Global Investigations Review by Ben Morgan, Joint Head of Bribery and Corruption at the SFO, 24 May 2016, which can be accessed here: http://globalinvestigationsreview.com/article/1035797/sfo-cooperation-to-be-considered-in-the-round.
- See Appendix to this Chapter.
- See DOJ press release, March 2010, which can be accessed here: https://www.justice.gov/opa/pr/bae-systems-plc-pleads-guilty-and-ordered-pay-400-million-criminal-fine.
- Jamie Symington, Director in Enforcement (Wholesale, Unauthorised Business and Intelligence), FCA, speaking at GIR Live London conference, 28 April 2016.
- See https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/corporate-self-reporting/ (Revised October 2012).
- The SFO with the assistance of XYZ and its counsel then conducted its own investigation between April 2013 and January 2016, which confirmed the information already provided to the SFO. From the date of the submission of the formal written report and throughout the SFO’s investigation, the company and its counsel continued to investigate and supplement the self-report. See paragraph 12 of Leveson P’s Preliminary Judgment and paragraph 11 of the Final Judgment, both of which can be accessed via: https://www.sfo.gov.uk/2016/07/08/sfo-secures-second-dpa/.
- According to secondary sources as the judgment does not appear to be publicly available.
- Paragraph 25 of Leveson P’s Preliminary Judgment, which can be accessed via: https://www.sfo.gov.uk/2016/07/08/sfo-secures-second-dpa/.
- The timing of a self-report made under the European Competition Commission Cartel Leniency Policy is particularly important given the possibility of full immunity for a company involved in a cartel, provided it discloses to authorities first before any other company in the cartel. For companies involved in the same cartel, a sliding scale of fine discounts applies; the sooner a company discloses the greater the discount with the Commission imposing full penalties on whichever company in the cartel fails to report.
- See Appendix to this chapter.
- See SFO press release dated 30 November 2015, which can be accessed here: https://www.sfo.gov.uk/2015/11/30/sfo-agrees-first-uk-dpa-with-standard-bank/.
- National Crime Agency guidance on ‘Submitting A Suspicious Activity Report (SAR) within the Regulated Sector’ dated February 2015 at p. 2.
- NCA SARs Annual Report 2015, which can be accessed here: http://www.nationalcrimeagency.gov.uk/publications/677-sars-annual-report-2015/file.
- K Ltd v. NatWest 2006 EWCA Civ 1039.
- See Appendix to this chapter.
- See the SFO’s Guidance on Corporate Self-Reporting, revised October 2012.
- David Green QC, SFO Director, Q&A, London, 17 June 2016, organised by The Fraud Lawyers Association and the European Fraud and Compliance Lawyers association. Excerpts can be accessed here: http://globalinvestigationsreview.com/article/1036163/david-green-sfo-can-learn-from-fca-approach-to-internal-investigations.