Global Investigations Review - The law and practice of international investigations

The Practitioner’s Guide to Global Investigations, Third Edition

Self-Reporting to the Authorities and Other Disclosure Obligations: The UK Perspective

Ropes & Gray (London)

3.1 Introduction

Whether, when and how a company should report potential misconduct requires an increasingly ‘global’ (in all senses of that word) view of the risks and benefits involved. Around the world, enforcement actions in relation to bribery and money laundering are on the rise, international co-operation between authorities is being expanded and enhanced, and a growing number of jurisdictions are moving towards deferred prosecution agreements (DPAs) and formalised or protected whistleblowing regimes, as part of a general and growing trend towards incentivising corporate self-reporting.[2]

A corporate’s voluntary decision to self-report requires directors to evaluate the potential benefits and risks involved in doing so, while complying with their duties under the Companies Act 2006 to consider and act in the best interests of the company as a whole.[3] Key benefits of self-reporting include the ability to manage the timing and content of the information being provided to the authorities, the potential for securing a DPA, reducing any financial penalties, minimising or managing reputational fallout, and achieving an earlier and more predictable resolution than may otherwise be possible. Particular risks include potential disruptive and damaging action by investigating authorities, damage to share prices, the removal or suspension of senior management,[4] costly internal investigations (including potential regulator involvement and the potential loss or waiver of privilege over key material) and potential civil litigation. Neither the benefits nor the risks are easily quantifiable. The stakes for individuals (usually directors) are also higher than ever in the United Kingdom – those working in firms regulated by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) will need to consider their potential liability under the (relatively) new individual accountability regimes in addition to criminal and civil liability.

Frequently, questions as to how to deal with internal disclosures made by whistleblowers and, in those circumstances, whether, when and how to self-report matters to authorities, go hand in hand. Similarly, where a corporate operates in multiple jurisdictions, any trigger of mandatory reporting obligations in one jurisdiction warrants careful consideration regarding corresponding mandatory or voluntary reporting in others – particularly in light of authorities’ increasingly collaborative approach to (formal and informal) sharing of information.

The decisive and effective management of the risks and benefits of self-reporting, which typically involves balancing complex questions of fact and (criminal, regulatory and employment) law is critical and can help to conclude swiftly or pre-empt regulatory intervention. All of these considerations play out against the backdrop of an obvious tension between self-reporting with sufficient speed to obtain or maximise co-operation credit and the chance of a DPA on the one hand, and taking the time to investigate an allegation sufficiently to understand whether, when and what to report on the other. The recent Court of Appeal decision in the ENRC case[5] emphasises the importance (for the purposes of asserting legal privilege) of recording clearly and in good time the points at which a firm considers that it is involved in the self-reporting process and that litigation or criminal prosecution is reasonably in contemplation.

This chapter examines how authorities are using and interpreting self-reporting and whistleblowing frameworks in the United Kingdom, and identifies key considerations for corporates and their advisers. The extraterritorial reach of several pieces of key legislation (most notably the Bribery Act 2010 (UKBA)) and the comparatively aggressive stance of UK investigating and prosecuting authorities (principally the Serious Fraud Office (SFO)) mean that developments in the country are of interest to corporates operating around Europe and the Middle East, even if they are based, or undertake most of their activities, outside the United Kingdom.

3.2 Culture and whistleblowing

3.2.1 The importance of culture

Self-reporting and whistleblowing are increasingly considered to be fundamental to the ‘culture’ of an organisation. In the wake of the financial crisis and well-publicised corporate scandals, UK regulators and enforcement authorities remain concerned with promoting cultural change across financial institutions and corporates. Particular emphasis is placed on the need for meaningful challenge by (and of) senior management in addition to appropriately robust whistleblowing procedures, which employees are expected to use without fear of reprisal.

In a nod to the SEC’s Whistleblower Programme, the FCA asks firms to consider adopting internal procedures that encourage workers to blow the whistle internally about matters relevant to the functions of the FCA or PRA.[6] What is more, in response to recommendations by the Parliamentary Commission on Banking Standards in 2013, the FCA and the PRA published new rules, which have made it a requirement (since 7 March 2017) for in-scope firms to allocate responsibility for whistleblowing under the individual accountability regimes (i.e. the Senior Managers Regime, and the Senior Insurance Managers Regime) to a ‘whistleblowers’ champion’, who must be a non-executive director.[7]

The whistleblowers’ champion is responsible for overseeing the effectiveness of internal whistleblowing procedures, including arrangements for protecting whistleblowers against detrimental treatment, preparing an annual report to the board, and reporting to the FCA where, in a case contested by the firm, an employment tribunal finds in favour of a whistleblower. Selection of the whistleblowers’ champion should involve careful consideration of the proposed individual’s standing and role within the firm, as well as the capacity, resources and access (e.g., to people and information) necessary to effectively discharge the responsibility for ‘ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing and for ensuring staff who raise concerns are protected from detrimental treatment’.[8] As a result of this new whistleblowing regime, the significance of whistleblowers will likely only increase.

Whistleblowing also features in the UKBA framework – under section 7 of the UKBA, a relevant corporate firm commits an offence where a person associated with it bribes another person, intending to obtain or retain business or a business advantage for the firm. The firm has a ‘defence’ if it can show that it had in place ‘adequate procedures’ to prevent such bribery. The Ministry of Justice published statutory guidance on ‘adequate procedures’ in March 2011, pursuant to section 9 of the UKBA.[9] That guidance recommends that adequate procedures should include procedures for reporting bribery ‘including “speak up” or “whistleblowing” procedures.’[10] In addition, in the context of self-reporting, the SFO has been keen to emphasise the various avenues by which it may come to hear of alleged criminal conduct, including ‘from whistleblowers and disgruntled business rivals … . Any such source can give us, or more particularly the Director, reasonable grounds to suspect the commission of an offence involving serious fraud, bribery or corruption and, with it, the power to open a criminal investigation.’[11]

The DPA Code of Practice (DPA Code)[12] sets out public interest factors for and against prosecution, which, the Director of the SFO has stated, were designed to incentivise self-reporting and effective compliance controls, and to encourage corporates to demonstrate that they are ‘serious about behaving ethically.’[13] Consistent with the emphasis on good corporate governance is the fact that, among other things, a self-report is relevant at later stages in the UK criminal justice process. The Sentencing Council’s Definitive Guideline,[14] which was introduced in October 2014 in relation to the sentencing of corporates for fraud, bribery and money laundering offences, and which is considered in setting financial penalties under a DPA, takes into account to a corporate’s culture in the event of a conviction.[15] Further, the amended Public Contracts Regulations 2015, introduced in February 2015, allow blacklisted companies to bid for public contracts if they can prove (among other things) that they have ‘clarified the facts and circumstances in a comprehensive manner by actively collaborating with the investigating authorities’.[16]

3.2.2 Whistleblowing

The SFO launched its whistleblowing hotline (SFO Confidential) in 2011. Press reports indicate that the take-up of cases has been low, however: despite receiving 2,508 reports in the 12 months to 30 June 2014, the SFO was reported to have accepted only 12 cases for investigation.[17] This was no doubt a function of the constraints on the SFO’s resources, among other factors. The FCA managed 1,106 cases from whistleblowers in 2017, taking further action in 121 of these. The FCA has previously indicated that it expects to see an increase in the proportion of reports that lead directly to enforcement action or other intervention, or that provide intelligence of significant value.[18]

While whistleblower reports in the United Kingdom account for a proportion of the investigations commenced by the SFO, they are by no means the majority. They have led to some relatively high-profile successful prosecutions, although to date these have largely concerned individuals rather than corporate organisations.[19] More are expected to follow, including some of the SFO’s current flagship investigations and prosecutions into large corporates. In September 2013, the SFO commenced criminal proceedings against Gyrus Group Limited, the UK subsidiary of Olympus Corporation in connection with a worldwide fraud valued at approximately US$1.7 billion. That investigation flowed from the widely publicised whistleblowing disclosure made by Michael Woodford, the former CEO of Olympus, although the investigation has since been discontinued following a Court of Appeal judgment in February 2015, which ruled that English law does not criminalise the misleading of auditors by the company under audit. Separately, in December 2012, the SFO started an investigation into Rolls-Royce plc following a whistleblower report, which, despite the company having concluded a DPA with the SFO in January 2017,[20] remains ongoing and has not, at the time of writing, yielded any criminal charges against individuals. The investigation into ENRC by the SFO was also influenced by whistleblower allegations first made to the company by email and then published in the media a few months later.[21]

3.3 The evolution of the link between self-reporting and a DPA

DPAs are now an established feature of the UK investigations landscape. The new Director of the SFO, Lisa Osofsky, recently spoke of her commitment to bringing the most complex and difficult cases of crimes to trial or, if in the public interest, to resolution through DPAs.[22] At the time of writing, four years and four DPAs after the introduction of the regime, not all the questions typically contemplated by corporates wishing to know whether self-reporting will lead to a swifter and potentially more favourable – negotiated – outcome have been answered. However, there are some useful indications as to the SFO’s stance and, equally importantly, the courts’, in the cases decided (including those where DPAs have not been concluded), and in the operation of prosecution guidance in ongoing investigations and negotiations that may lead to further DPAs.

The DPA Code sets out prosecutors’ expectations for self-reporting. A key factor when deciding whether a DPA is appropriate, to be weighed with other factors relating to the nature and seriousness of the offending, is whether the corporate has been ‘genuinely proactive’ in its approach.[23] This is measured by reference to the factors including the timing of a corporate’s self-report, and how comprehensive, relevant and useful the material is (particularly in the context of any potential action to be taken against individuals).

The DPA Code makes clear that the SFO (or Crown Prosecution Service (CPS)) expects to be ‘notified’ of wrongdoing ‘within a reasonable time of the offending conduct coming to light’ for a DPA to be a realistic option.[24] There is some significance to the use of the word ‘notified’ in this context, which replaced the word ‘reported’ originally included in the draft of the DPA Code. In short, prosecutors expect to receive an initial notification of circumstances giving rise to concerns that criminal wrongdoing may have occurred. They do not expect to receive a completed investigation report. Indeed, as is set out in the DPA Code, they expect to be involved in the investigation at the planning stage, and certainly before any witness interviews are conducted.[25] In cases where significant historic wrongdoing that is not already known to prosecutors and which may suitably be resolved through a DPA comes to light, firms should consider making an initial notification to the SFO (or CPS, if appropriate) when they file suspicious activity reports (SARs) or other statutory reports (whether in the United Kingdom or abroad).

The timing of notification relative to details entering the public domain is of particular importance. At the time of writing, Rolls-Royce remains the highest-value DPA concluded in the United Kingdom. That it was still possible for the SFO to conclude a DPA with Rolls-Royce in 2017 despite some details of wrongdoing being already known to the SFO illustrates that this is just one factor informing a prosecutor’s approach and does not by itself determine whether a DPA will follow. However, as Sir Brian Leveson, President of the Queen’s Bench Division, noted in respect of Rolls-Royce, the case was anomalous in this regard, and it was necessary for the company to provide ‘extraordinary’ co-operation and to notify the SFO of matters ‘of a different order’ to those it would otherwise have known to obtain credit for self-reporting in the context of DPA negotiations.[26] Absent such extraordinary co-operation and disclosure, it is clear that a failure to notify the SFO of matters before they become public (or before negative headlines are threatened or imminent) will jeopardise the prospects of successfully negotiating a DPA.

The decision of the SFO in December 2015 to prosecute Sweett Group plc for the corporate offence of failure to prevent bribery under section 7 of the Bribery Act 2010 also illustrates this. Sweett self-reported to the SFO upon learning that a newspaper intended to publish allegations of involvement in bribery in connection with Middle Eastern construction consultancy agreements. Although informal discussions about DPAs did commence at one stage of the SFO’s investigation, they were unsuccessful; and Sweett was deemed to have been unco-operative for much of the investigation, leading ultimately to conviction and the imposition of a fine of £2.25 million in February 2016. Sweett’s experience contrasts starkly with that of Standard Bank plc, with which the SFO agreed the first DPA in the United Kingdom in November 2015.[27] The SFO, and subsequently the court, highlighted and commended Standard Bank for reporting concerns to the SFO within weeks of the suspicious payment, and within days of filing a SAR.

The court’s judgments in respect of Standard Bank and the other corporates with which DPAs have been concluded (and published) to date[28] have added some colour to the indications in the DPA Code as to what a corporate must do when self-reporting to demonstrate ‘genuine and proactive’ co-operation. This has manifested itself largely through pragmatic decisions by firms to waive privilege on a limited basis, to make material available voluntarily (i.e. without requiring the SFO to use powers of compulsion). In all cases it has been crucial to show clear separation from the individuals alleged to have been involved in wrongdoing and commitment to providing material to be used in prosecutions against them (although in no case yet concluded has such material contributed to their convictions).

Finally, in early 2018, the CPS sent a useful reminder that self-reporting, however promptly, is only one factor influencing whether a DPA may be available. In R v. Skansen Interiors Ltd[29] – the first contested case in relation to the corporate ‘failure to prevent’ offence under section 7 of the UKBA – Skansen was prosecuted despite self-reporting to the National Crime Agency (NCA) and provided extensive co-operation to the SFO in the ensuing criminal investigation, including by disclosing privileged material. Skansen argued in court that its policies and procedures were adequate for a small company with operations only in the United Kingdom and a staff of 30, but the jury returned a guilty verdict, finding that the policies and procedures in place were insufficient for the purposes of the ‘adequate procedures’ defence. The CPS justified its decision to prosecute rather than pursue a DPA on grounds that Skansen was a dormant company and could neither pay a fine, nor comply with the terms of any DPA, and that it wanted to send a message more generally to smaller companies as regards the importance of having effective anti-bribery and corruption procedures in place, rather than relying on ‘company values’ to establish proper compliance and conduct.

The new Director of the SFO has set out the sorts of issues that the SFO will be considering under her leadership in determining whether a resolution short of trial is appropriate:

[W]e must analyse whether the company has a credible and colourable defence under Section 7 [of the UKBA]. Has the company engaged in proactive efforts to clean house and to reform? Has the company instilled the right controls? Are these backed by demonstrable commitment at the appropriate level? The SFO will want assurance that companies are doing everything they can to ensure the crimes of the past won’t be repeated long after the watchful eye of the prosecutor moves on to another target.[30]

3.4 Key self-reporting requirements in the United Kingdom

Considerations for reporting may broadly be broken down into two categories – matters firms must report under legislation or regulation, and matters they may choose to report in the hope of bringing about an earlier or more favourable resolution to an investigation. These are examined separately below.

3.4.1 Anti-money laundering and terrorist financing reporting obligations

The sections of the United Kingdom’s anti-money laundering and counter-terrorist financing legislation dealing with reporting are among the most stringent of their type in the world.

In outline, the Proceeds of Crime Act 2002 imposes specific obligations on businesses operating in the ‘regulated sector’ to make SARs to the NCA where they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering.[31]

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLTF Regulations) require firms that are ‘relevant persons’[32] to appoint a nominated officer and to ensure that anyone who is working in the firm, handling relevant business, and has the requisite suspicion in relation to money laundering will make an internal report to the nominated officer, who is then obliged to consider whether to file a SAR.[33] This means that there are (internal) reporting obligations on the individuals working in those firms. For businesses operating in the regulated sector, information triggering reporting obligations is likely to have come to them as a consequence of customer due diligence and monitoring obligations imposed by the Money Laundering Regulations 2007 and the MLTF Regulations.

SARs may include a request to the NCA for ‘appropriate consent’ to enable the reporter to do a particular act in relation to the property concerned, which might otherwise amount to the commission of a money laundering offence.[34] Such SARs have historically been referred to as ‘consent SARs’, although they are now referred to by the NCA as ‘requests for a defence against money laundering’ or ‘DAML SARs’.

There is a corresponding reporting and consent regime in relation to terrorist financing under the Terrorism Act 2000.[35] In addition, authorities may impose specific obligations on financial institutions, in particular, to report dealings with certain ‘designated persons’.[36]

The relatively low threshold for making a SAR and the natural desire of businesses and the individuals within them to avoid liability (which can include potentially lengthy periods of imprisonment for individuals) means the NCA receives very substantial volumes of DAML SARs, placing a significant strain on its resources. On average, the 25 dedicated staff of the relevant section of the NCA receives 2,000 SARs per working day, with some 100 reports seeking consent to proceed with a financial transaction.[37]

The volume of SARs, together with the need for the NCA to consult with other enforcement authorities potentially interested in the information (of which there will be many), typically means that the NCA is not in a position to provide consent, or to confirm whether the reporter has ‘appropriate consent’ to proceed (in NCA parlance, whether the reporter has a ‘defence against money laundering’) much before the end of the seven-working-day notice period following the filing of a SAR.[38] This can lead to practical problems during the notice period itself and, if applicable, during the following moratorium period (which may now be extended to up to six months on the application of investigating authorities).[39] Transactions will not be able to proceed. The risk of tipping off or committing other offences also leads to difficulties when communicating with customers, counterparties and others. The courts have been reluctant to interfere to accelerate this process.[40]

At the time of writing, the Law Commission is considering responses received as part of a consultation on the effectiveness of the United Kingdom’s suspicious activity reporting regime for money laundering. It has proposed changes including amending the current threshold to require reporting only where there are reasonable grounds to suspect money laundering and further practical guidance on the meaning of ‘suspicion’.

In practice, a firm’s decision whether and when to file SARs to comply with reporting obligations or to secure defences to substantive offences must form one part of wider strategic calculations about self-reporting. In many cases, it will be clear which enforcement authorities will be interested in investigating the circumstances that have given rise to knowledge or suspicion of (or reasonable grounds to suspect) money laundering. In such cases, it can make sense to consider providing the information set out in the SAR to the relevant enforcement authorities. Doing so when filing a SAR with the NCA (or soon after) can help to secure maximum credit for proactively bringing matters to the attention of the authorities and to expedite obtaining consent to proceed with a transaction.

3.4.2 Other mandatory reporting obligations prescribed by legislation

A company will be subject to a variety of reporting obligations, depending on the nature of its operations, the sector in which it is involved, and the extent (and by which authorities) it is regulated. Each authority will have its own requirements as to the timing, format, content and process for mandatory reports. The key sectoral requirements include reporting:

  • financial sanctions breaches, to the Office for Financial Sanctions Implementation (OFSI) (on behalf of Her Majesty’s Treasury);
  • (for financial institutions) the corporate offences of failure to prevent the facilitation of UK or foreign tax evasion under the Criminal Finances Act 2017, to Her Majesty’s Revenue and Customs (HMRC);[41] and
  • data security breaches under the General Data Protection Regulation (GDPR), within 72 hours of becoming aware of the breach, to the Information Commissioner’s Office (ICO), and, in some cases, to the data subjects concerned.

3.4.3 Self-reporting obligations in DPAs and regulatory and private agreements

Separately, corporates may have self-imposed reporting obligations. It is common for certain reporting obligations to be built into DPAs, ongoing monitorship agreements or other agreements with regulators in relation to historic criminal or regulatory failings, for example. Where a firm has a history of such failings, it is also not uncommon for parties to key transactional and financial agreements to insist on similar reporting obligations, often tied to the corporate’s mandatory reporting requirements to particular authorities. In all cases, these obligations may have short reporting windows, which should be familiar to the corporate and acted on without undue delay.

Separately, corporates may be obliged to bring the fact of an investigation, or the circumstances giving rise to it, to the attention of a host of potentially interested parties. These may include regulators, contractual counterparties, markets on which they are listed, affected customers and insurers. There is a relatively high likelihood of variations in contractual arrangements and legal and regulatory frameworks (for example, in relation to conditions for contracting with government entities under applicable public procurement legislation) across the jurisdictions in which corporates operate. Conducting an early analysis of the potential collateral impact of historic wrongdoing and any investigation, prosecution or negotiated outcome, will therefore often be prudent.

3.4.4 Self-reporting to the FCA and PRA

The FCA is responsible for the conduct of firms authorised under the Financial Services and Markets Act 2000. Of particular relevance is the FCA’s responsibility for ensuring that the firms and individuals regulated by it establish and maintain effective, proportionate and risk-based systems and controls to ensure that they cannot be used for the purposes of financial crime.[42]

The FCA’s Handbook contains detailed rules and guidance on its requirements in this area. These provisions supplement the overarching obligations on regulated firms and individuals to maintain an ‘open and co-operative’ relationship with the FCA and to ‘disclose … appropriately anything relating to the firm of which [the relevant regulator] would reasonably expect notice.’[43] In practice, these broad principles-based requirements oblige regulated firms and individuals to notify the FCA or the PRA, or both, not only of circumstances that may amount to breaches of rules set out in the FCA Handbook or the PRA Rulebook, but also of investigations and other matters that may affect the fitness and propriety of individuals, or the ability of firms to satisfy the threshold conditions required to be authorised to carry on particular regulated activities.

In recent years, the FCA has increasingly used its enforcement powers against firms and individuals for deficiencies in financial crime systems and controls. It continues to do so enthusiastically, with approximately 75 such investigations open at the time of writing, and looks set to continue in this vein, having identified the area as one of its strategic enforcement priorities in its most recent Annual Report.[44] A number of enforcement cases pursued by the FCA in relation to financial crime systems and controls have been based to a significant degree on failures proactively to bring matters to the FCA’s attention.[45] Looking more widely across the FCA’s regulatory purview, in a number of other cases substantial penalties have been imposed on firms and individuals simply for failing to comply with obligations to notify the regulator.[46]

In a number of other areas, firms and individuals must proactively bring particular matters to the attention of the FCA, which may in due course give rise to intensified supervision, or enforcement investigations, or both. Key examples include obligations to file suspicious transaction reports under the Market Abuse Regulation and requirements for firms to notify the FCA (or PRA, as appropriate) of breaches of the Conduct Rules by senior managers, certified persons or other employees. The timescales for such notifications and the level of detail required also vary significantly depending on the circumstances.

The FCA also acts as the UK Listing Authority, meaning that companies listed in the United Kingdom (and their directors) must behave in an open and co-operative manner.[47] Although the wording of the requirement imposed on listed companies differs from that imposed on regulated firms and individuals (it does not include an express requirement to notify the FCA of matters of which it would reasonably expect notice), listed companies and their directors should expect to have to notify the FCA of potentially significant investigations under these obligations.

None of the mandatory reporting obligations described above exists in a vacuum. The FCA in particular collaborates closely with other enforcement authorities within the United Kingdom and internationally. The FCA reiterated its commitment to information sharing and collaboration in its most recent annual report:

We continue to collaborate domestically and internationally with law enforcement agencies, the Government and other regulators to prevent financial crime. In particular, we are helping to develop and strengthen public and private sector partnership working to support the Government’s economic crime reform programme. We also continue to contribute to the Government’s Joint Fraud Taskforce.[48]

Indeed, notwithstanding its ability to prosecute criminal offences, there have been several examples in recent years of cases in which it has supplied information to and otherwise coordinated its action with other authorities, including, notably, the SFO.[49]

The remainder of this chapter will consider self-reporting in relation to the SFO and, to the extent relevant, the FCA, in relation to financial crime issues.

3.5 Voluntary self-reporting to the SFO

The SFO’s decision to prosecute a corporate body will be governed by a combination of the ‘Full Code Test’ in the Code for Crown Prosecutors,[50] the Guidance on Corporate Prosecutions,[51] and (in relevant cases) the Joint Prosecution Guidance of the Director of the SFO and the Director of Public Prosecutions on the Bribery Act 2010 (the Joint UKBA Guidance).[52]

The SFO will prosecute if there is a realistic prospect of conviction on the evidence, and it is in the public interest to do so. The fact that a corporate has reported itself will be a relevant consideration to the extent set out in the Guidance on Corporate Prosecutions. That Guidance explains that, for a self-report to be a public interest factor tending against prosecution, it must form part of a ‘genuinely proactive approach adopted by the corporate management team when the offending is brought to their notice.’[53] The SFO has stated expressly that self-reporting is no guarantee that a prosecution will not follow, and that each case will turn on its own facts.[54]

In appropriate cases the SFO may use its powers under proceeds of crime legislation as an alternative (or in addition) to prosecution.[55] If the SFO uses those powers, it will publish its reasons, the details of the illegal conduct and the details of the disposal.

3.5.1 Advantages of self-reporting

3.5.1.1 Co-operation credit

Most corporates will consider that the primary advantage of making a voluntary self-report is co-operation credit, particularly if the corporate is seeking a DPA. Speaking in June 2018, Camilla de Silva, the SFO’s Joint Head of Bribery and Corruption, said: ‘The SFO will only invite a company to enter into an agreement to defer prosecution where the company has genuinely co-operated with the SFO.’[56] This statement reflects the DPA Code, which lists co-operation as an additional public interest factor tending against prosecution.[57] As noted earlier, the DPA Code is clear that the co-operation has to be ‘genuinely proactive’ and lists as examples of co-operative behaviour ‘identifying relevant witnesses, disclosing their accounts and the documents shown to them … [and] where practicable it will involve making the witnesses available for interview when requested.’[58]

The Guidance on Corporate Prosecutions also lists co-operation as a factor tending against prosecution, but instructs prosecutors to ‘establish whether sufficient information about the operation of the company in its entirety has been supplied in order to assess whether the company has been proactively compliant’ before taking co-operation into account as a factor, and stresses that ‘[t]his will include making witnesses available and disclosure of the details of any internal investigation.’[59]

In approving DPAs between the SFO and each of Standard Bank, XYZ Ltd[60] and Rolls-Royce, Sir Brian Leveson, President of the Queen’s Bench Division, spoke approvingly of the co-operative stance adopted by each of those firms.

Even if a corporate reports at an early stage and takes every step to co-operate with the SFO, it may still not be considered eligible for a DPA because other factors ward against it, for example where the behaviour in question has caused a significant level of harm to victims, or a substantial adverse impact to the integrity or confidence of markets.[61]

Following conviction or a guilty plea, a corporate is still likely to receive some benefit from its co-operation credit when it comes to sentencing. The Sentencing Council’s Definitive Guideline sets out a multi-step process to assist courts in determining the appropriate fine. The first step is to establish the harm caused by the offending. For example, for a bribery offence, the starting point for the calculation is the ‘harm figure’ – the gross profit from the contract obtained. Once a harm figure has been determined, the court has to establish the ‘culpability’ factor by reference to a scale in the Definitive Guideline (from ‘A’ for high culpability down to ‘C’ for lesser culpability). Each level of culpability has attached to it a range of multipliers to apply to the harm figure. For instance, culpability level ‘A’ has a multiplier range of 250 per cent to 400 per cent. In determining exactly which multiplier to apply, the court must take into account many factors. Notably, co-operation with the investigation is listed in the Definitive Guideline as a factor that will tend to reduce the culpability multiplier.

Arguably, corporates in the regulated sector have less scope for truly voluntary self-reporting because the requirement in Principle 11 of the FCA’s Principles of Business require a regulated firm to ‘disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice.’[62] The FCA sets out in its Decision Procedure and Penalties Manual (DEPP) a non-exhaustive list of factors it will consider when deciding to issue a financial penalty or public censure. Included on the list of factors is ‘how quickly, effectively and completely the person brought the breach to the attention of the FCA or another relevant regulatory authority’.[63] If the FCA does choose to take action against a firm, DEPP includes provisions for determining the appropriate level of financial penalty, which operate similarly to the Sentencing Council’s Definitive Guideline. DEPP states that a factor to consider when deciding whether to increase or decrease any fine is ‘the conduct of the firm in bringing (or failing to bring) quickly, effectively and completely the breach to the FCA’s attention’.[64]

3.5.1.2 Demonstrating culture and the strength of systems and controls

As noted earlier, the UK government and regulatory and enforcement bodies continue to be concerned with corporate culture. Effective self-reporting will clearly indicate a good corporate culture. Firms that have taken the necessary steps to institute a good culture supported by robust systems and controls will expect that any matters involving wrongdoing are quickly reported internally via its whistleblowing procedures and escalated and reported to the relevant authorities, as appropriate.

Conversely, for firms in the regulated sector, the failure to identify and self-report wrongdoing could indicate that its systems and controls are inadequate. The FCA Handbook states that a regulated firm:

must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.[65]

There are a number of examples of the FCA taking enforcement action in recent years against regulated firms for having inadequate systems and controls.[66]

3.5.1.3 Information control

Firms often think that choosing to self-report will enable them to retain control over the information that they disclose. In practice, however, the SFO and FCA’s insistence on effective and complete self-reporting means that firms will have to provide as complete an account as possible of the wrongdoing concerned, and hand over any investigative work-product already created. Public companies will also have to give careful consideration to their obligations to make market announcements.

Given the stance adopted by the FCA and SFO, perhaps the only true benefit to self-reporting is that the corporate has some control over the timetable (as compared, for instance, with a dawn raid) and is therefore able (having taken advice on any market abuse risks) to notify key stakeholders of the self-report and to prepare an appropriate media strategy.

3.5.2 Risks of self-reporting

For many companies, the primary driver behind self-reporting is the opportunity to secure a DPA. It should be clear from the analysis above, however, that self-reporting in the United Kingdom does not guarantee a DPA or even necessarily leniency in sentencing (depending on whether other public interest factors are at play). It is also clear that a firm may only be able to gauge its prospects of success relatively late in a process during which the firm will usually have provided a significant amount of information, documents, investigation reports and even witnesses for interview.[67]

Perversely, therefore, a firm’s efforts to secure maximum co-operation credit may actually put it in a worse position than it began in, especially if it has provided information or evidence about an issue or facts that may not otherwise have come to light or been obtainable by the authority. There is an ever-present risk that by the time the corporate has visibility as to the direction in which the SFO or the court is leaning, it may have assisted prosecutors in building a strong case against itself, often at significant financial and other cost, for little or no benefit. Corporates therefore need to evaluate the risks and costs inherent in making self-reports very carefully. Some key risks and practical considerations are set out below.

3.5.2.1 Interest and potential investigation in other jurisdictions

There is always a risk of contagion: it is the nature of complex bribery, fraud, and corruption that it crosses borders and can implicate authorities in multiple jurisdictions. Self-reporting to a regulator in one jurisdiction may draw the attention of other regulators, domestically or abroad. Matters are frequently complicated because the benefits and risks of reporting are seldom consistent or certain across jurisdictions, and authorities in different countries seldom have the same procedures, techniques or demands in conducting their investigations and taking enforcement action.

Increasingly, regulators are sharing information and seeking to collaborate in enforcement actions. As long ago as 2010, the US Department of Justice (DOJ) and the SFO worked together in investigating BAE Systems plc,[68] and such co-operation has since become routine. International co-operation often goes beyond formal mutual legal assistance requests, to encompass informal intelligence sharing (sometimes in advance of formal investigation in any jurisdiction), coordination or division of responsibility or issues for enforcement, and even formal programmes by which to enhance understanding and assist with capacity or resourcing. At a symposium in September 2016, Sir David Green QC, then Director of the SFO, explained that: ‘All [SFO] cases have a significant international dimension. We have invested real effort in building strong co-operative relations with foreign agencies in key financial centres across the globe. This involves secondments, rolling discussions, exchange of information and coordinated activity.’[69]

While there are legal limits to the extent of information sharing and collaboration between authorities, firms need to be strategic in their conduct across all countries. It is important to take heed of cases such as United States v. Allen,[70] in which the US Court of Appeals for the Second Circuit held that the prohibition against the use (and derivative use) of a defendant’s compelled testimony will apply even where the testimony had been compelled by a foreign authority, such as the FCA. The DOJ therefore needs to ensure that it avoids its own investigation becoming ‘tainted’ by compelled testimony when it is collaborating or exchanging information with other countries’ authorities – a particular concern as regards the United Kingdom, where the provision of evidence or interviews is commonly compelled. This also means that there is a risk that, by providing to the DOJ reports or information derived from compelled testimony (even by inadvertence, as part of routine updates or reports on progress or developments in parallel investigations), a firm may risk negating any co-operation credit that they might have established in other ways.

3.5.2.2 Privilege issues and authorities’ involvement in the internal investigation

Legal advice in relation to internal investigations

A key concern for all firms considering and investigating suspicions or allegations of wrongdoing is to establish clearly at the outset that its board, or any committee with oversight of internal investigations, is authorised to seek and receive legal advice in relation to the investigation to ensure that updates to these bodies and related documents will be protected by legal professional privilege. This authorisation is important because English law on the question of who is the ‘client’ for the purposes of legal professional privilege remains rooted in the House of Lords decision in Three Rivers No. 5, such that the ‘client’ was not the corporation itself but only those officers and employees of the corporation who were ‘authorised’ to communicate with the corporation’s lawyers.[71] In its September 2018 judgment in the ENRC case, the Court of Appeal made a number of interesting comments on the latter rule. The court noted in particular that this rule was more appropriate for the 19th century than the 21st century, that its application may result in a disadvantage to modern multinational corporations (where the information required to obtain legal advice would often be in the hands of people not charged with obtaining it),[72] and that it would have been in favour of departing from Three Rivers No. 5 if it had been open to it to do so. Significantly, however, those comments were obiter on the basis that only the Supreme Court can reverse or depart from the decision in Three Rivers No. 5.

Material generated during internal investigations

A significant concern in the context of internal investigations centres on the material generated during an internal investigation, including any investigation work and work-product that may have preceded the self-report. This material typically includes interview notes and summaries of key documents and issues.

The UK authorities are adamant that to self-report in any meaningful sense, firms must provide them with sufficiently detailed information about the wrongdoing. The SFO states: ‘All supporting evidence including, but not limited to emails, banking evidence and witness accounts, must be provided to the SFO’s Intelligence Unit as part of the self-reporting process.’[73] In practice, the SFO’s Intelligence Unit will not always want every email that has been identified during an internal investigation. A key question for a company considering a self-report is thus whether or not it is prepared to disclose its full interview notes; the privileged status of which has been subject to heated debate in the UK in recent years.

By way of context, a good starting point is the April 2018 decision of the High Court in R (AL) v. Serious Fraud Office.[74] The case arose out of the SFO’s investigation of a company anonymised as ‘XYZ Limited’, during which the SFO had accepted ‘oral proffers’ of the first account interviews that had been conducted by another anonymised firm, ABC LLP, the external firm engaged by XYZ to conduct an internal investigation. Having entered into a DPA with the corporate entity in 2016, the SFO turned its attention to a number of individuals, including AL, whose defence team repeatedly asked the SFO to obtain the complete notes of AL’s first account interview with ABC LLP. The SFO asked XYZ to disclose the interview notes but ultimately accepted ABC LLP’s refusal to do so on the basis that they were privileged. Despite declining to exercise its judicial review jurisdiction (as it felt that disclosure disputes were best dealt with in the Crown Court), the High Court took the unusual step of stating that if it had chosen to exercise its judicial review jurisdiction, it would have found for AL. In obiter comments, Mr Justice Green, giving the judgment of the court, was critical of the SFO’s acceptance of ABC LLP’s claims that the current law of privilege was unclear pending the (then undecided) ENRC appeal. In Green J’s view, the ‘law as it stands today is settled. Privilege does not apply to interview notes.’ In support of that statement, Green J cited the decision in Three Rivers No.6 and concluded that the SFO had ‘erred’ as it had ‘simply accepted the assertion of privilege made by ABC LLP even though it is the SFO’s own case that privilege does not apply and the SFO’s position is supported by current case law’ and that the SFO had therefore not fulfilled its duty to ‘assess claims of privilege properly and not cursorily and superficially.’

The thrust of the XYZ decision appeared to be in line with Mrs Justice Andrews’ first instance decision in ENRC. However, as noted already, a few months later, in September 2018, the Court of Appeal overturned her decision and handed down a judgment that does not sit comfortably with XYZ.[75] The Court of Appeal rejected Mrs Justice Andrews’ decision that litigation privilege will only apply in criminal or regulatory proceedings at the point where a company had uncovered evidence of wrongdoing that meant that a criminal prosecution or enforcement again was likely to follow. The Court of Appeal reiterated the established principle that litigation privilege may be claimed over documents that had been created at a time when litigation was in ‘reasonable contemplation’ and for the purposes of that litigation. Such determinations are necessarily fact-specific. Notably, the Court of Appeal held that, on the ENRC facts, the interview notes generated during the course of its internal investigation were subject to litigation privilege on the basis that (1) they had been brought into existence after ENRC’s external counsel (who were conducting an investigation) had advised that there was a real and serious risk of law enforcement and regulatory intervention, including criminal prosecution, and (2) the notes were, in the Court of Appeal’s estimation, drafted to assist any future defence of such proceedings.

The SFO has maintained for some time that firms wishing to co-operate with the SFO need to give serious consideration to waiving privilege, and that it is ready to challenge any overly broad claims to privilege. Speaking in June 2018, Camilla de Silva, the SFO’s Joint Head of Bribery and Corruption, struck a more nuanced tone and urged firms to enter into a dialogue with the SFO ‘about the basis and scope of any claim to [privilege] and the shape of its internal investigation and timing of interviews. Such dialogue makes the process eminently more efficient for all concerned. We are not interested in material that is genuinely privileged.’[76]

Following the Court of Appeal judgment in ENRC, it is open to any company that has conducted an initial investigation and received clear legal advice that the information unearthed may amount to a criminal offence or a regulatory failing[77] to claim that any material generated in the course of that initial internal investigation will be subject to litigation privilege. If that is the case, then, by its own admission, the SFO will not seek such material because it would be, in the words of Camilla de Silva, ‘genuinely privileged’.[78]

In practice – and despite the SFO’s invitation to a ‘dialogue’ – companies are likely to come under pressure from the SFO to disclose interview transcripts (given the judgment in XYZ, it is highly unlikely that summaries will be acceptable) as part of the self-reporting process. The Court of Appeal’s judgment in ENRC made it clear that nothing it said about privilege should adversely impact the DPA regime and, furthermore, that maintaining claims to privilege may adversely affect prospects of obtaining a DPA.[79] The Court also noted: ‘Had the court been asked to approve a DPA between ENRC and the SFO, the company’s failure to make good on its promises to be full and frank would undoubtedly have counted against it.’[80]

In deciding whether to acquiesce in providing witness accounts, a company will need clear advice as to the risks involved in waiving litigation privilege, even on a limited basis, at such an early stage, particularly before it is clear whether a settled resolution is likely and especially where multiple authorities may be involved. The shield of litigation privilege is clearly of paramount importance to any company defending criminal or regulatory enforcement proceedings where, very commonly, civil litigants will be waiting in the wings.

Involvement of authorities in internal investigation

Having ensured that the internal investigation is suitably established for the purposes of privilege, another critical concern for any corporate will be the likelihood of potential involvement in, or loss of control of the scope, timing and conduct of, its own investigation into the matters concerned. The former Director of the SFO, Sir David Green QC, made it clear that the SFO might specify particular areas or issues to be included in the firm’s investigation, how the investigation ought to be conducted in relation to particular issues or persons, and to provide updates to the SFO, usually within agreed time frames.[81] Sir David Green QC explained the SFO’s influence or imposition into internal investigations as being necessary to avoid ‘churning up the crime scene’ and compromising the SFO’s own investigation.

Similar sentiment (if not criticism) was expressed by Mark Steward, the FCA’s Head of Enforcement, who referred to ‘the crime scene being trampled over.’ While he was Director of the SFO, in June 2016, Sir David Green QC also suggested that the SFO’s influence or control over internal investigations might usefully be formalised so that it would be akin to the FCA’s use of ‘skilled persons investigations’ (also known as section 166 investigations) of regulated firms.[82] The latter involves the FCA requiring the firm to engage (and pay for) an independent ‘skilled person’ (typically a law firm or forensic accountants, depending on the subject matter), approved by the FCA, to investigate and report to the FCA on areas or issues of concern specified by the FCA.[83]

This approach and degree of involvement in internal investigations by UK authorities is far greater than is the case in the United States, where authorities allow (if not encourage) firms to conduct internal investigations without much intrusion, on the basis that they can provide direction where necessary and that the firms will share the output and provide updates at agreed points.

3.5.2.3 Impact on witness interviews

In addition to influencing the scope of an internal investigation, UK authorities may also influence a firm’s ability to conduct witness interviews after self-reporting, whether by prohibiting the firm from conducting interviews with certain individuals, or by requiring the firm to delay such interviews until after the authority has interviewed the individuals concerned. In approving the various DPAs to date, Sir Brian Leveson highlighted the assistance provided by firms to the SFO in relation to witness interviews.[84] In relation to the Rolls-Royce DPA, for example, Leveson P noted the high levels of co-operation from Rolls-Royce as regards its witnesses, pointing out that when the SFO commenced its own investigation, not only did it have access to Rolls-Royce’s internal investigations and interview notes (Rolls-Royce having made a limited waiver of its claims for legal professional privilege over them), but Rolls-Royce also deferred certain interviews until after the SFO had completed interviews of them.

3.5.2.4 Scrutiny, including potential monitoring obligations

A DPA or settled resolution will always include a number of non-financial terms and conditions. While these will often be fact-dependent and tailored to the wrongdoing involved and the state of the firm’s remediation at the point of agreement, the DPA Code includes a list of terms that may be agreed as part of a DPA, including requirements for putting in place a robust compliance or monitoring programme, or both, which may include the appointment of an independent monitor.[85]

While the imposition of a corporate monitor is not compulsory, the DPA Code provides lengthy guidance as to monitors’ roles and appointment, and notes that the imposition of a monitor ‘must always be fair, reasonable and proportionate.’[86] Where a monitor is required, the costs to the firm can be significant. Not only will the firm have to pay the monitor’s fees, but it will also have to pay the costs associated with the selection, appointment and reasonable ‘monitoring’ costs of the prosecutor during the monitoring period. There are indirect or non-financial costs, too. The monitor must be given complete access to all relevant aspects of the firm’s business and the firm will need to allocate resources to ensure that the monitor is provided with the information and co-operation required and to establish the systems and controls necessary to effect the remediation agreed with the regulator.

These costs have attracted a degree of judicial and corporate scepticism and criticism in the United Kingdom and the United States. In the Innospec case,[87] for example – where a UK subsidiary agreed with the SFO to plead guilty to corruption charges as part of the first ‘global settlement’ relating to similar conduct prosecuted by US authorities against its parent entity, and the first joint US–UK monitor was appointed – District Judge Huvelle gave a colourful criticism of the role of monitors, saying: ‘It’s an outrage that people get US$50m to be a monitor . . . . It’s a boondoggle for some of these people.’[88] Lord Justice Thomas (the judge in the English case) chose instead to characterise the imposition of a monitor as ‘an expensive form of ‘probation order’, which he considered ‘unnecessary for a company which will also be audited by auditors well aware of the past conduct and whose directors will be well aware of the penal consequences of any similar criminal conduct.’[89]

Such criticism notwithstanding, the appointment of a monitor is likely to feature regularly in DPAs in the future, as had previously been the case in civil recovery orders[90] or criminal court orders,[91] which were the SFO’s preferred means of imposing monitorships before the introduction of the DPA regime provided it with a statutory basis for doing so. Indeed, in early 2017, the then SFO General Counsel, Alun Milford, explained that ‘an integral part of any DPA discussion is the question of corporate reform. As such, monitors aren’t something the SFO has set its face against, but as we’ve seen from the judgments, there are different ways of achieving that sort of process.’[92]

The four DPAs reached to date clearly demonstrate this flexibility in the SFO’s approach to monitorships. While the SFO required Standard Bank to commission and submit to an independent review of its existing compliance programme by PwC, and to implement PwC’s recommendations (perhaps less onerous than a monitorship),[93] it did not require an independent monitor in its DPA with XYZ, opting instead for a form of ‘self-monitoring’ for the first time, with the company’s Chief Compliance Officer being required to report to the SFO on its anti-bribery and corruption policies and their implementation within one year, and annually for the duration of the DPA.[94] The approach in the Rolls-Royce DPA was different again – some four years before the DPA was agreed, Rolls-Royce had appointed Lord Gold to conduct an independent review of (and report on and make and oversee the implementation of recommendations regarding) the company’s anti-bribery and corruption compliance infrastructure. In approving the DPA, which required the continuation of Lord Gold’s work and the production by him of a final report to the SFO after implementation, Leveson P described Lord Gold as a ‘quasi monitor’.[95] Finally, while the details of the Tesco Stores DPA have not been made public owing to ongoing reporting restrictions, it is clear from the FCA’s final notice in relation to Tesco that the DPA requires the appointment of Deloitte as an independent monitor to conduct a review, provide a report and implement recommendations in relation to a number of specific areas of concern.[96]

The current Director of the SFO, Lisa Osofsky, is very familiar with monitorships, and, presumably, their benefits, having led the DOJ-imposed money laundering and sanctions monitorship of HSBC Bank as part of its December 2012 DPA.[97] It is likely that she will be in favour of increasing their use, even if implemented in the United Kingdom in a ‘quasi-monitor’ manner, as described above.

3.6 Practical considerations, step by step

3.6.1 Reaching the decision

Sometimes the decision to self-report may be clear-cut or the only sensible option (particularly where a whistleblower has made serious allegations). More often, however, it will be necessary to conduct an internal investigation to test the information underlying the concerns and to ensure that any report made to authorities is as complete and accurate as possible. How long this takes will depend on a range of factors, including where and when the alleged conduct took place, how many individuals are alleged to have been involved, and the availability of relevant documents and individuals for interview. It is critical to ensure that the decision to self-report is taken by directors who are independent of the underlying events or issues, and that the decision is taken in conjunction with appropriate legal advisers and is suitably documented. One of the first steps in this process must be to immediately preserve all relevant documents, and to ensure that the investigation is carefully scoped and proceeds expeditiously.

There is no one ‘correct’ approach to investigating disclosures, allegations or whistleblowers’ reports. What is necessary and appropriate when following up on a disclosure will vary significantly depending on factors including the jurisdictions, personnel and business areas implicated. Several key principles may, however, help corporates to respond decisively and consistently, and to protect their interests when they receive disclosures of alleged misconduct.

3.6.1.1 Clear communication

Clear communication underpins a successful response to a disclosure, particularly where a whistleblower is involved. Carefully delineated channels must be in place to enable staff receiving disclosures (whether through a dedicated hotline or other less formal channels) to escalate them quickly and to the right people. In particular, policies and procedures should name a designated member of the senior management of the corporate (probably in its legal or compliance function) who should have a direct reporting line to the board or audit committee. Provision should also be made for how to deal with disclosures naming members of the board or the designated senior manager responsible for handling whistleblowing reports.

3.6.1.2 Even, dispassionate investigation

Not every disclosure or whistleblowing report will justify the expenditure of time and resources on comprehensive internal investigations or involve reports to authorities. It is clearly important to guard against complacency or undue cynicism when evaluating issues, or reports by whistleblowers. Level-headedness and even-handedness pay dividends. Allegations should be viewed dispassionately and, where possible, empirically tested by reference to readily available documents, or by means of interviews with relevant individuals (who should be apprised of the importance of confidentiality).

3.6.1.3 Clear protocol and structure

Where initial enquiries show disclosures or allegations to be well founded, firms’ responses should be guided by clear protocols. These should set out the circumstances in which external legal counsel should be instructed (which may well be advisable at an early stage to ensure the preservation of any applicable privilege, as discussed above). They may also deal with how and when other external specialist resources (such as forensic IT consultants or accountants) may be required and instructed, and how such selection and instruction should occur (which should involve instruction by legal counsel, again to maintain privilege as far as possible).

Appropriate senior individuals within the organisation’s human resources function should also be identified to coordinate its approach towards the whistleblower (if there is one) and to deal with any disciplinary action in relation to other employees that may be necessary. The FCA and PRA’s new whistleblowing rules require some regulated firms to have enhanced their existing whistleblowing procedures, including the appointment of a whistleblowers’ champion since 7 March 2016.

3.6.1.4 Senior management involvement

Once notified of the fact of serious issues or allegations made in a whistleblowing report, it is paramount that the firm’s senior management is kept apprised of the progress of enquiries. Once evidence emerges that establishes that complaints appear to be well founded, the window within which firms may receive maximum credit for self-reporting actual or suspected misconduct to the appropriate authorities is relatively short.

3.6.2 Once the decision has been made

Where corporates determine that it is necessary to make a report to authorities, the main challenges facing them are to demonstrate that any self-report (1) has been made in a timely fashion, (2) has been made genuinely voluntarily (i.e., not simply because public disclosure or a regulatory or criminal investigation is imminent), and (3) contains enough information to enable the authority to make a meaningful and informed assessment as to how to proceed.

A firm should aim to be the first to self-report to maximise credit. Generally, authorities will acknowledge that internal investigations into complex matters that may have occurred many years ago take time and give credit for initial notifications based on certain key facts having been established, with an indication that a fuller report will follow the completion of a more thorough investigation.

3.6.3 Documenting the decision

Regardless of whether the decision is to report or not, it is important for the firm’s board to ensure that the issue or allegation is investigated, properly considered with appropriate advice and properly documented. The board must also ensure that appropriate remediation steps are taken, not only to mitigate the risks of criminal, regulatory and civil action, but also to demonstrate the firm’s cultural responsiveness and change.

Firms must be careful in documenting the steps taken in reaching their decisions, so as to preserve privilege as far as possible and with regard to the likelihood of such documentation subsequently becoming subjected to external scrutiny or publicity, the latter being particularly likely where the firm is a public company.

3.6.4 Nature of approach to the authorities

Self-reports to authorities are not generally made in a set format, but instead usually take the form of a preliminary notification (typically verbal) soon after receiving notice of potential wrongdoing followed by a more detailed written or oral report after further investigation. The nature and scope of disclosures to authorities vary significantly between, and often within, jurisdictions and may depend on whether the issues cross borders. Specifically, whether it is possible to preserve any applicable privileges by providing reports orally rather than in writing will depend on the circumstances.

3.6.5 Timing of approach (DPAs) – what is a reasonable time

The SFO requires self-reporting to be made within a reasonable time of an organisation becoming aware of the issue, and certainly before the SFO becomes aware of it by some other means, and before the firm is threatened with investigation or action by other bodies or authorities, including threatened leaks to the press.

Beyond the impact it may have on securing a DPA, the timing of a self-report will also have a bearing on the decision to prosecute and the level of any potential penalties. The Sentencing Council Definitive Guideline states that concealing an offence may result in the imposition of heavier penalties. The Guidance on Corporate Prosecutions expressly states that failing to report within a reasonable time will be a ‘public interest’ factor weighing in favour of prosecution, whereas a ‘genuinely proactive approach involving self-reporting and remedial action’ will be a factor tending against prosecution.[98]

The SFO’s expectations as regards timing has become somewhat more realistic over time. While SFO Director, Sir David Green QC, stated in 2013 that ‘[c]ommon sense suggests that an initial report of suspected criminality should be made to the SFO as soon as it is discovered.’[99] Some three years later (in March 2016), the then SFO General Counsel, Alun Milford, said that it is reasonable for a firm to undertake an initial assessment before doing so,[100] a view that was echoed three months later by Matthew Wagstaff, SFO Joint Head of Bribery and Corruption, when he said that it is unrealistic to expect a firm to pick up the telephone to the SFO at the very moment it first becomes aware of potential wrongdoing.[101] More recently, in March 2018, Camilla de Silva, the SFO Joint Head of Bribery and Corruption, commented that the SFO ‘will not be offering DPAs in cases of a late conversion to the joys of co-operating; DPAs are a reward for openness – the sooner you come in, self-report and the more you are open with us, the more you have to be rewarded for.’[102] In August 2018, Lisa Osofsky began her tenure as SFO Director. In speeches to date, she has indicated that the SFO will be open to firms investigating allegations of misconduct before reporting.[103]

The DPA Code states that, in considering whether a self-reporting corporate body has been genuinely proactive, prosecutors will consider whether it has provided ‘sufficient information, including making witnesses available and disclosing the details of any internal investigation, about the operation of the corporate body in its entirety.’[104] In practice, however, where a self-report needs to be made quickly, it may make sense to make a report without all of this material and to provide further material as and when available, or in line with a timetable agreed with the SFO.

3.6.6 Managing other regulators

Whatever format is used to report matters to authorities, corporates and their advisers should assume that information provided to one enforcement authority will be passed to others, and that referrals may be made where authorities have parallel jurisdiction over some or all aspects of the corporate’s activities. In cases where the SFO does not prosecute a self-reporting corporate, the SFO reserves the right to prosecute the firm for any unreported violations of the law, and may provide information on the reported violation to other bodies (such as foreign police forces or authorities) through the relevant gateway.

The above notwithstanding, corporates should not assume that disclosure to one authority necessarily means that other relevant authorities are aware of the matter – full assessments must be made as to whether it is necessary or appropriate to make separate notifications to other specific authorities (whether in the same jurisdiction or elsewhere) who might expect to be told of the alleged misconduct or of the fact of other investigations by or at the behest of enforcement authorities. The significant fine imposed by the FSA on Goldman Sachs for failing to notify it of a fraud investigation in the United States is particularly instructive in this regard.[105]


Footnotes

1 Amanda Raad and Judith Seddon are partners, and Sarah Lambert-Porter, Chris Stott and Matthew Burn are associates, at Ropes & Gray International LLP in London.

2 In Lisa Osofsky’s first speech as Director of the SFO on 3 September 2018, she referred to the fact that the ‘increasingly multijurisdictional and complex’ nature of SFO cases makes co-operation to achieve global settlements all the more important. She said that ‘[s]trengthening and deepening the relationships that make this happen is going to be a major focus for me,’ and listed the newcomer countries to DPAs as part of that focus. (Lisa Osofsky, SFO Director, speech at the Cambridge International Symposium on Economic Crime 2018, Jesus College, Cambridge, 3 September 2018, available at www.sfo.gov.uk/2018/09/03/lisa-osofsky-making-the-uk-a-high-risk-country-for-fraud-bribery-and-corruption/.

3 Companies Act 2006, s.172.

4 Alun Milford, then General Counsel at the Serious Fraud Office, said in a speech in September 2017 that in all DPA judgments to date, a key element has been the extent of reform in the corporate, including the removal of senior managers who were either implicated in, or should have been aware of, the criminality concerned, available at www.sfo.gov.uk/2017/09/05/alun-milford-on-deferred-prosecution-agreements/.

5 Serious Fraud Office (SFO) v. Eurasian Natural Resources Corp. Ltd [2018] EWCA Civ 2006.

6 SYSC 18.2.2 G.

7 FCA Policy Statement PS15/24 containing the FCA rules applicable to deposit takers with assets over £250 million. The rules are set out in the FCA Handbook at: SYSC 18.1, SYSC 18.31, and SYSC 18.4 and 18.5. The PRA rules are set out in its Policy Statement PS24/15, the PRA General Organisational Requirements Rulebook (applicable to CRR firms) and its Whistleblowing Rulebook (applicable to solvency II firms) and PRA Supervisory Statement SS 39/15 (applicable to deposit takers with assets greater than US$250 million, PRA designated investment firms and insurers).

8 SYSC 18.4.4.R.

9 Ministry of Justice ‘Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing’, available at www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf, March 2011.

10 Ibid. at para. 1.7.

11 Alun Milford, then General Counsel at the SFO, speech at the Cambridge Symposium on Economic Crime 2014, Jesus College, Cambridge (‘The Use of Information to Discern and Control Risk’), 2 September 2014, available at www.sfo.gov.uk/2014/09/02/alun-milford-use-
information-discern-control-risk/.

12 Deferred Prosecution Agreement Code of Practice issued by the Director of Public Prosecutions and Director of the SFO pursuant to the Crime and Courts Act 2013, available at www.cps.gov.uk/sites/default/files/documents/publications/dpa_cop.pdf.

13 DPA Code, s.2.

14 Sentencing Council’s Definitive Guideline ‘Corporate Offenders: Fraud, Bribery and Money Laundering, available at www.sentencingcouncil.org.uk/wp-content/uploads/Fraud-bribery-and-
money-laundering-offences-Definitive-guideline2.pdf.

15 A culture of wilful disregard for the commission of offences will lead to a corporate being placed at the most culpable end of the spectrum and facing the heaviest fines available.

16 The Public Contracts Regulations 2015, Regulation 57(15).

17 ‘Questions over SFO funding as whistleblowers not followed up’, The Times, 7 April 2015.

19 See, for example, prosecutions of individuals associated with Torex Retail PLC: https://www.sfo.gov.uk/2013/06/21/final-conviction-torex-retail-false-accounting-case/.

20 Serious Fraud Office v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc. (Case No: U20170036), paras. 21 and 22, available at www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf).

21 Serious Fraud Office (SFO) v. Eurasian Natural Resources Corp. Ltd [2018] EWCA Civ 2006, at paras. 16-17.

22 Lisa Osofsky, speech at the Cambridge International Symposium on Economic Crime 2018,
Jesus College, Cambridge, 3 September 2018, available at www.sfo.gov.uk/2018/09/03/
lisa-osofsky-making-the-uk-a-high-risk-country-for-fraud-bribery-and-corruption/
.

23 DPA Code, para. 2.8.2.

24 DPA Code, para. 2.8.1(v).

25 DPA Code, para. 2.9.2.

26 Serious Fraud Office v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc. (Case No: U20170036), paras.21 and 22., available at www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf.

27 Serious Fraud Office v. Standard Bank plc (Case No: U20150854), (www.judiciary.uk/wp-content/uploads/2015/11/sfo-v-standard-bank_Final_1.pdf).

28 i.e., the company known as ‘XYZ’ and Rolls-Royce plc – details of the DPA with Tesco Stores Limited being subject to reporting restrictions pending the outcome of the trial of the individuals concerned, which, at the time of writing, is ongoing.

29 R v. Skansen Interiors Limited, unreported.

30 Lisa Osofsky, SFO Director, speech at Cambridge International Symposium on Economic Crime 2018, Jesus College, Cambridge, 3 September 2018, available at www.sfo.gov.uk/2018/09/03/lisa-osofsky-making-the-uk-a-high-risk-country-for-fraud-bribery-and-corruption/.

31 The Proceeds of Crime Act (POCA), ss.330 and 331.

32 A firm will be a ‘relevant person’ if it falls within the MLTF Regulations’ definitions of: (1) credit institutions; (2) financial institutions; (3) auditors, insolvency practitioners, external accountants and tax advisers; (4) independent legal professionals; (5) trust or company service providers; (6) estate agents; (7) high value dealers; (8) casinos. (MLTF Regulations, regulation 8).

33 MLTF Regulations, regulations 19 and 20.

34 POCA, ss.335 and 336.

35 The Terrorism Act 2000 (TACT), ss.21A (duty for the regulated sector) and 19 (duty outside the regulated sector) and s.21ZA (consent).

36 Counter-Terrorism Act 2008, Schedule 7, para. 12, and Terrorist Asset Freezing Act 2010, s.19.

37 Law Commission’s Consultation Paper, July 2018.

38 POCA, ss.335 (appropriate consent) and 336 (nominated officer consent).

39 Note, however, that there are no provisions in TACT for consent to be given within any specified time period. Firms who have made a report to the NCA pursuant to their obligations under TACT must not proceed with any related transaction or activity until such time as the firm is contacted by the NCA or a law enforcement agency. This can mean longer delays for the reporting firm.

40 See National Crime Agency v. N [2017] EWCA Civ 253; and Lonsdale v. Natwest [2018] EWHC 1843 (QB), for example.

41 The term ‘corporate offences’ refers to the ‘failure to prevent the facilitation of tax evasion’ offences created by s.45 (in relation to UK tax) and s.46 (in relation to foreign tax) of the Criminal Finances Act 2017, pursuant to which a financial institution is required to report on any failure to prevent the criminal acts of its employees and other associated persons who have intentionally facilitated tax evasion while providing a service for or on its behalf.

42 This was expressly stated by the FCA in its AML annual report 2015/16.

43 PRIN 2.1.1 R, Principle 11 (Relations with Regulators).

45 For example, in 2015 the FCA fined The Bank of Beirut (UK) Ltd (Bank of Beirut) £2.1 million, prevented it from acquiring new customers from high-risk jurisdictions for 126 days, and fined two approved persons at the bank. The FCA noted that Bank of Beirut had also repeatedly provided the FCA with misleading information after it was required to address concerns regarding its financial crime systems and controls, including by indicating that it had completed remedial actions when it had not.

46 For example, Goldman Sachs International was fined £17.5 million in 2010 (one of the largest fines ever imposed, by that time) for failing to notify the Financial Services Authority (FSA) (the predecessor to the FCA) that it was under investigation for fraud in the United States, available at www.fca.org.uk/publication/final-notices/goldman_sachs_int.pdf. Similarly, the FSA fined Prudential plc £31 million and publicly censured its CEO in 2013 for its failure to inform the FSA (in its capacity as the UK Listing Authority (UKLA)) about its proposed acquisition of AIA from AIG for $35.5 billion in early 2010. Again, this was one of the heaviest fines ever imposed at that time. The FSA found that Prudential had failed to deal with the UKLA in an ‘open and co-operative manner’ (in breach of Listing Principle 6) when it made a decision not to notify the regulator (allegedly due to fears that doing so might cause a leak) until after the facts were leaked to the media in February 2010, available at www.fca.org.uk/publication/final-notices/fsa-pru-plc.pdf.

47 LR 7.2.1 R, Listing Principle 2.

48 FCA Annual Report and Accounts 2017/2018, at p. 24.

49 By way of recent example, the FCA did not impose a financial penalty on Tesco plc or Tesco Stores in early 2017 for engaging in market abuse, partly because Tesco Stores had entered into a DPA with the SFO, pursuant to which it would pay £128.9925 million. The FCA explained that it had also taken into account ‘the exemplary co-operative approach’ taken by Tesco plc and Tesco Stores with both the FCA and the SFO. See the FCA Final Notice, available at www.fca.org.uk/publication/final-notices/tesco-2017.pdf.

50 The Code for Crown Prosecutors, available at www.cps.gov.uk/publication/code-crown-prosecutors.

51 The joint guidance issued by the Director of Public Prosecutions, the Director of the Serious Fraud Office and the Director of the Revenue and Customs Prosecutions Office Guidance on Corporate Prosecutions, available at www.sfo.gov.uk/?wpdmdl=1457.

52 Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions, 30 March 2011, available at www.sfo.gov.uk/?wpdmdl=1456.

53 Guidance on Corporate Prosecutions, para. 32 (‘Additional public interest factors against prosecution’).

54 SFO’s statement of policy and revised guidance on corporate self-reporting, October 2012.

55 See the Attorney General’s Guidance for prosecutors and investigators on their asset recovery powers under s.2A of the Proceeds of Crime Act 2002, available at www.gov.uk/guidance/asset-recovery-powers-for-prosecutors-guidance-and-background-note-2009.

56 Camilla de Silva, SFO Joint Head of Bribery and Corruption, speech at the Herbert Smith Freehills Corporate Crime Conference 2018, available at www.sfo.gov.uk/2018/06/21/corporate-criminal-liability-ai-and-dpas/.

57 Para. 2.8.2(i).

58 Ibid.

59 Guidance on Corporate Prosecutions, p. 8.

60 Serious Fraud Office v. XYZ Limited (Case No: U20150856), available at www.sfo.gov.uk/download/xyz-final-redacted/?wpdmdl=13285.

61 DPA Code, para 2.8.1 (vii)

62 PRIN 2.1.1 R. An equivalent obligation to notify the PRA is set out in Fundamental Rule 7.

63 DEPP 6.2.1 (2)(a)

64 DEPP 6.5A.3 (2)(a)

65 SYSC 6.1.1R

66 For example, the FCA’s fine of Bank of Beirut, discussed above.

67 In the United Kingdom, court approval is required for a DPA, which means that even if the SFO recommends a DPA after extensive co-operation, the court may reject it.

68 See the DOJ’s expression of gratitude to the SFO for its assistance in its press release, March 2010, available at www.justice.gov/opa/pr/bae-systems-plc-pleads-guilty-and-ordered-pay-400-
million-criminal-fine.

69 Sir David Green QC, former Director of the SFO, speech at the Cambridge Symposium on Economic Crime 2016 at Jesus College, Cambridge, 5 September 2016, available at www.sfo.gov.uk/2016/09/05/cambridge-symposium-2016/.

70 United States v. Allen, No. 16-898 (2d Cir. 2017).

71 Three Rivers District Council and Others v. The Governor and Company of the Bank of England [2003] EWCA Civ 474 (Three Rivers No. 5).

72 Especially as compared with smaller corporations, which the Court noted was the typical size and structure of the corporations involved in the 19th century cases considered in Three Rivers No. 5.

73 www.sfo.gov.uk/publications/guidance-policy-and-protocols/corporate-self-reporting/.

74 R (AL) v. Serious Fraud Office [2018] EWHC 856 (Admin).

75 Director of the Serious Fraud Office v. Eurasian Natural Resources Limited (Law Society intervening) [2018] EWCA Civ 2006.

76 Camilla de Silva (Joint Head of Bribery and Corruption, SFO), speech at Herbert Smith Freehills Corporate Crime Conference, 21 June 2018, available at www.sfo.gov.uk/2018/06/21/corporate-criminal-liability-ai-and-dpas/.

77 Indeed it is not clear on what other basis such a company would self-report.

78 Camilla de Silva (Joint Head of Bribery and Corruption, SFO), speech at Herbert Smith Freehills Corporate Crime Conference, 21 June 2018, available at www.sfo.gov.uk/2018/06/21/corporate-criminal-liability-ai-and-dpas/.

79 Director of the Serious Fraud Office v. Eurasian Natural Resources Limited (Law Society intervening) [2018] EWCA Civ 2006, at paras. 115-117.

80 Ibid.

81 Sir David Green QC, former SFO Director, speech at GIR Roundtable Discussion on Corporate Internal Investigations, 27 July 2015.

82 Sir David Green QC, former SFO Director, speech at a Q&A session organised by The Fraud Lawyers Association and the European Fraud and Compliance Lawyers Association in London, 17 June 2016. (See http://globalinvestigationsreview.com/article/1036163/david-green-sfo-
can-learn-from-fca-approach-to-internal-investigations).

83 s.166, Financial Services and Markets Act 2000.

84 It is unclear whether high levels of co-operation also influenced Sir Brian Leveson’s view of Tesco, because the DPA judgment remains subject to reporting restrictions at the time of writing.

85 DPA Code, para. 7.10(iii).

86 DPA Code, paras. 7.11 to 7.22.

88 Christopher M. Matthews, ‘Judge Blasts Compliance Monitors at Innospec Plea Hearing,’ (18 March 2010), https://globalinvestigationsreview.com/article/jac/1019218/judge-blasts-
compliance-monitors-at-innospec-plea-hearing.

89 R v. Innospec Ltd [2010] Lloyd’s Rep. F.C. 462, at para. 49.

92 Alun Milford, then SFO General Counsel, speech at GIR Live London in April 2017, www.globalinvestigationsreview.com/article/1144199/gir-live-london-dpas-the-new-normal.

93 PwC was given the role of producing a report on Standard Bank’s anti-bribery and corruption systems, controls, policies and procedures, the recommendations in respect of which the bank was then obliged to implement (to PwC’s satisfaction) and within a year of that report. Serious Fraud Office v. Standard Bank plc, available at www.judiciary.uk/wp-content/uploads/2015/11/sfo-v-standard-bank_Final_1.pdf.

94 Serious Fraud Office v. XYZ Limited (Case No: U20150856), available at www.sfo.gov.uk/download/xyz-final-redacted/?wpdmdl=13285.

95 Serious Fraud Office v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc. (Case No: U20170036), at para. 43, available at www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf.

96 FCA Final Notice, Tesco plc and Tesco Stores Ltd (28 March 2017), at para. 4.10, available at www.fca.org.uk/publication/final-notices/tesco-2017.pdf.

97 United States of America v. HSBC USA N.A. and HSBC Holdings plc (Cr. No 12-763), 10 December 2012, available at www.sec.gov/Archives/edgar/data/83246/000119312512499980/d453978dex101.htm.

98 Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions (30 March 2011).

99 Sir David Green QC, former SFO Director, speech at the Pinsent Masons and Legal Week Regulatory Reform and Enforcement Conference, 24 October 2013, available at www.sfo.gov.uk/2013/10/24/pinsent-masons-legal-week-regulatory-reform-enforcement-conference-2/.

100 Alun Milford, then SFO General Counsel, speech at the European Compliance and Ethics Institute, Prague, on 29 March 2016, available at www.sfo.gov.uk/2016/03/29/speech-compliance-professionals/.

101 Matthew Wagstaff (SFO Joint Head of Bribery and Corruption), speech at the 11th Annual Information Management, Investigations Compliance eDiscovery Conference, London, on 18 May 2016, available at www.sfo.gov.uk/2016/05/18/role-remit-sfo/.

102 Camilla de Silva (Joint Head of Bribery and Corruption, SFO), speech at ABC Minds Financial Services conference, 15 March 2018, available at www.sfo.gov.uk/2018/03/16/camilla-de-silva-
at-abc-minds-financial-services/.

103 Lisa Osofsy, SFO Director, speech at the American Bar Association’s London White Collar Crime conference alongside Sandra Moser (acting chief of the DOJ’s Fraud Section), 8 October 2018.

Previous Chapter:The Evolution of Risk Management in Global Investigations

Next Chapter:Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective