UK Compliance Enforcement

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


The UK Bribery Act 2010 was not the first step taken by the United Kingdom in using enforcement action in respect of compliance breaches as a means of corporate punishment and deterrence of economic crime[2] but it certainly represented a fundamental development in UK enforcement policy,[3] which has been supplemented and further developed in subsequent years.

Enforcement action in respect of compliance breaches, both criminal and regulatory, is now at the heart of the UK enforcement policy in respect of economic misconduct in all key areas, including bribery, money laundering, fraud, tax evasion and sanctions.[4]

That enforcement policy continues to evolve at pace. As recently as 10 June 2022, the UK Law Commission published an options paper on corporate criminal liability in respect of economic crime.[5] One of the options put forward by the Law Commission for government consideration is the creation of an offence of ‘failure to prevent fraud by an associated person’ where the associated person (likely an employee or agent) commits an offence of fraud with intent to benefit the corporate or another person or entity, to whom the associated person provides services on behalf of the corporate. It remains to be seen which of the proposed options are preferred by UK government policymakers, but the fact that this fundamental reform is considered as an option by the Law Commission demonstrates that compliance issues will remain at the very heart of UK enforcement policy.

This chapter sets out the main areas of general enforcement activity in the United Kingdom,[6] drawing on the lessons that can be derived from previous activity and statements of policy from the various UK enforcement agencies. This body of information provides a corporate with significant insight into how to approach compliance issues in respect of economic misconduct risk, including bribery, fraud, money laundering and facilitation of tax evasion, either from a proactive approach to ensure good compliance measures in these areas, or to inform a strategic approach when a compliance issue arises, in particular where it may engage UK enforcement agencies.

UK criminal law enforcement in respect of UK compliance issues


In England and Wales, criminal law enforcement in respect of corporate activity in economic crime was dominated for many decades by the legal principle known as ‘the identification doctrine’. By this means, the acts and intent of individuals were attributed to the corporate defendant in order to meet the requirements of a criminal offence involving economic crime. The identification doctrine placed a significant practical limitation on economic crime enforcement in respect of corporates as liability rested only on the basis of the conduct of persons whose status and authority allowed them to be judged as a corporate’s ‘directing mind and will’.[7]

Although the identification principle still exists and dominates issues of corporate criminal liability in the area of fraud (until any proposed UK government reform is enacted in this area), corporate enforcement activity in respect of the key areas of bribery, money laundering and facilitation of tax evasion is now focused very heavily on and around compliance issues.

UK criminal enforcement bodies

UK criminal enforcement activity in respect of economic crime is undertaken principally by the Serious Fraud Office (SFO), the Crown Prosecution Service (CPS)[8] and the Financial Conduct Authority (FCA)[9]. These agencies have overlapping remits in respect of economic crime enforcement that are ordinarily resolved on a case-by-case basis. This may seem to be an unsatisfactory and ad hoc way of proceeding to the corporate but, in reality, most cases present a clear basis for one agency to take on the primary criminal enforcement role and the ‘piling on’ issue in respect of enforcement action that has historically presented problems in other jurisdictions[10] has not been an issue for corporates to the same degree in respect of UK criminal enforcement.

UK criminal enforcement mechanisms

There are two principal means of corporate economic crime enforcement: prosecution and deferred prosecution agreement (DPA). DPAs are available to both the SFO and the CPS[11] in respect of the full range of economic crime offences committed by corporate offenders,[12] including bribery, fraud and money laundering.[13] Non-prosecution agreements are not available in the United Kingdom.

UK criminal enforcement decision-making


There is a body of guidance that governs decision-making in respect of selecting the most appropriate enforcement mechanism in the event that a criminal investigation meets the relevant evidential threshold for enforcement action. The guidance that is publicly available is comprised of:

  • joint CPS and SFO guidance on corporate prosecutions;[14]
  • Deferred Prosecution Agreements Code of Practice[15] (DPA Code of Practice), issued by the SFO and CPS;
  • SFO Operational Guidance – Corporate self-reporting;[16]
  • SFO Operational Guidance – Corporate Co-operation Guidance;[17]
  • SFO Operational Guidance – Guidance for Corporates on Deferred Prosecution Agreements;[18] and
  • SFO Operational Guidance – Evaluating a Compliance Programme.[19]

Evidential issues

The evidential threshold for a criminal prosecution is the existence, to the prosecutor’s satisfaction, of ‘sufficient evidence to provide a realistic prospect of conviction against each suspect on each charge’.[20] In respect of an invitation to enter DPA negotiations, either the evidential threshold for prosecution must be met or there is a lesser evidential standard available, namely:

there is at least a reasonable suspicion based upon some admissible evidence that [a corporate] has committed the offence and there are reasonable grounds for believing that a continued investigation would provide further admissible evidence within a reasonable period of time, so that all the evidence together would be capable of establishing a realistic prospect of conviction.[21]

If cases where neither limb of the evidential stage can be met, the DPA Code of Practice[22] directs prosecutors to consider appropriate asset recovery powers under the Proceeds of Crime Act 2002.[23]

A critical feature of the evidential assessment in respect of certain offences will be whether there is available to the corporate a defence based on the nature and quality of its compliance procedures at the time of the alleged offending (this is considered separately in the chapter on UK Compliance Requirements in this Guide, in respect of particular types of economic crime).

Public interest issues

Having determined that a relevant evidential threshold is met, the prosecutor must also make decisions in respect of public interest issues when determining whether there is a public interest in either entering into a DPA with the corporate or commencing a criminal prosecution.

Compliance issues are a key part of these public interest considerations. In respect of the DPA Code and public interest factors in favour of prosecution, Paragraph 2.8.1(iii) cites: ‘The offence was committed at a time when [the corporate] had no or an ineffective corporate compliance programme and it has not been able to demonstrate a significant improvement in its compliance programme since then.’ Conversely in respect of a public interest factor against prosecution but of entering into a DPA, the Code cites at para 2.8.2(iii): ‘The existence of a proactive corporate compliance programme both at the time of offending and at the time of reporting but which failed to be effective in this instance’. Additionally, the footnote to this paragraph of the Code states: ‘The prosecutor may choose to bring in external resource to assist in the assessment of [the corporate’s] compliance culture and programme for example as described in any self-report.’

The point is again emphasised in the Code at Paragraph 7.11., under the heading of Monitors: ‘An important consideration for entering into a DPA is whether [the corporate] already has a genuinely proactive and effective corporate compliance programme.’

These aspects of the Code demonstrate amply two important points when considering UK enforcement activity:

  • A corporate will best assist itself by a clear identification and presentation to the investigating authority of the full extent of a corporate’s compliance programme during the course of the criminal investigation. This may not just be limited to handing over the relevant written policies but may involve charting the evolution of those policies over time and organisational change, demonstrating relevant training, or producing witness statements from company personnel that speak to their usual effectiveness, citing examples.
  • The available evidence as to a corporate’s compliance programme will be scrutinised carefully, but if the evidence is robust, it can positively affect the enforcement authority’s decision, either to take no action or to invite the corporate into DPA negotiations, rather than commence a criminal prosecution.

Compliance lessons in UK enforcement outcomes

Bribery Act 2010 offences

This is the most evolved area of UK enforcement activity in respect of the interface between compliance procedures and UK criminal enforcement outcomes. As referred to above, the introduction of the Bribery Act 2010 in July 2011 – in particular the Section 7 offence of failure to prevent bribery – placed compliance issues at the centre of corporate criminal enforcement in respect of bribery. The statutory defence available under Section 7(2) negates criminal liability where a corporate can prove it had adequate procedures designed to prevent persons associated with the corporate from undertaking the alleged conduct.

Of the 12 DPAs agreed by the SFO to date, nine have been (at least in part) in respect of Section 7 offences: Standard Bank,[24] Sarclad Ltd,[25] Rolls-Royce plc,[26] Güralp Systems Ltd,[27] Airbus SE,[28] Airline Services Ltd,[29] Amec Foster Wheeler Energy Ltd[30] and two others that, at the time of writing, are subject to reporting restrictions.

In an early DPA, the judgment of the court in approving the agreement set out clearly the close public policy connection between the availability of DPAs in the United Kingdom and the promotion of effective compliance as a method of deterrence of economic crime:

it is important to send a clear message reflecting a policy choice in bringing DPAs into the law of England and Wales, that a company’s shareholders, customers and employees (as well as all those with whom it deals) are far better served by self -reporting and putting in place effective compliance structures. When it does so, that openness must be rewarded and be seen to be worthwhile.[31]

The available Statement of Facts that underpin these DPAs and the judgments of the UK court in approving the DPAs provide useful insight and learning opportunities.

Corporate culture[32]

‘Top down’ approach

The corporate culture must be geared towards exemplary compliance, and this must cascade downwards from the very top of an organisation. In the judgment approving the Airbus DPA, the court noted serious failings in respect of the oversight of Airbus’ compliance function by its relevant internal committee:

As it later emerged however, some committee members were aware of and or involved in the material wrongdoing. Further, the information provided to the committees was incomplete, misleading or inaccurate, in particular with regard to the process by which [the agent] was identified, the actual amount of compensation promised to [the agent], the identity of the beneficial owner of the remuneration provided or the underlying economic justification for [the relevant project]. In consequence, it is plain that the committees were not able to provide effective or properly informed oversight in the manner intended.[33]

The individuals who provide internal supervision to a company’s compliance function must personally demonstrate the exemplary compliance standards to which the corporate seeks to adhere and must personally take the necessary steps to ensure they are provided with the appropriate information to enable them to properly to carry out their supervisory function.

‘Whole organisation’ approach

Another important aspect of corporate compliance culture was amply demonstrated in Standard Bank, the first UK DPA, namely the importance of a unified culture with fully connected processes. A corporate with disparate business units may face greater compliance risks because of a misplaced reliance by one on the other, or because some units are more remote from a central compliance function and subject to less oversight and scrutiny.[34]

‘Full adherence’ approach

Some UK enforcement cases have reflected blatant and flagrant breaches of compliance procedures. The Amec Foster Wheeler DPA is a good example of that:

Despite the policies and procedures in place, in the course of its investigation, the SFO became aware of a practice within [the company] of using Agents without informing [the company’s] compliance department. This was described by a [company] employee who was interviewed by the SFO about matters relating to compliance and culture at the [company] as a “try before you buy” culture. The SFO’s investigation identified multiple occasions on which the above policies and procedures were circumvented and breached, leading the SFO to conclude that there existed within [the company] a culture of disregard for compliance policies and procedures.[35]

The Rolls-Royce DPA emphasised the vital importance of an empowered compliance function within an organisation with authority to act effectively.[36] In Rolls-Royce, a number of instances of corrupt arrangements involved sidestepping internal compliance concerns or putting pressure on internal compliance personnel to approve arrangements about which they had raised concerns.[37]

‘Full adoption’ approach

For large organisations, merger and acquisition (M&A) activity will present particular compliance challenges. Comprehensive due diligence will be necessary to ensure that any legacy economic crime issues of a purchased entity are fully addressed in a timely manner and that the purchased entity is fully adopted into the overall compliance regime of the company. The Sarclad DPA demonstrates the importance of a comprehensive due diligence assessment of compliance in an M&A context.

By its own admission, prior to 2012, Sarclad did not have adequate compliance provisions in place. In order to address this problem, in late 2011, Heico sought to improve matters in its subsidiary by implementing its global compliance programme . . . within Sarclad. It was within the context of this compliance programme that . . . concerns came to light about the way in which a number of contracts had been secured. Sarclad took immediate action.[38]

Fit-for-purpose compliance procedures

Proper application of appropriate external legal advice

Several UK DPAs have involved instances where a corporate sought external legal advice on the general requirements of procedures in respect of the UK Bribery Act 2010, but either failed properly to implement that advice, or failed properly to apply it to the particular circumstances of the business. Airline Services Ltd was a case where, notwithstanding external legal advice about the implementation of the Bribery Act in 2010, the company failed to promulgate and communicate the ‘anti-corruption policy and guidelines’ that were prepared for it and failed to implement the other recommendations made by their external legal advisers.[39] Its compliance programme was described by the court in its judgment approving the DPA as ‘negligible’.[40]

In Güralp, an anti-bribery and anti-corruption (ABC) policy was implemented following the introduction of the Bribery Act and an external law firm provided a presentation on the legislation. ‘Neither the presentation nor the ABC policy was effective in preventing the arrangement with [the agent] continuing.’[41]

Bespoke procedures to reflect the corporate reality

The Standard Bank DPA emphasised the importance of a practical identification and consideration of the risks faced by the corporate, with adequate procedures to meet those risks. In that case, owing to the circumstances of the particular transaction, the relevant know-your-customer (KYC) procedures sat within a sister company ‘in respect of which SB had no interest, oversight, control or involvement’.[42]

Substance over form

A perennial problem in achieving and maintaining exemplary compliance procedures is achieving substance over form. In the Standard Bank DPA, in relation to the identification of risk, ‘SB permitted the formal structures of a transaction or relationship . . . rather than the broader risks to dictate the existence of any obligation to conduct KYC due diligence checks’.[43]

Clear articulation and communication of compliance procedures

The Standard Bank DPA also recognised the fundamental importance of clarity in the expression of a corporate’s compliance procedures and the importance of communication and training. Both were found wanting in that case.[44] ‘Moreover it was not reinforced effectively to the SB deal team through effective communication or training.’[45]

Fraud and related offences

It is no surprise, given the current legal framework in respect of corporate criminal liability for fraud and related offences, that there are fewer corporate enforcement outcomes to draw on for compliance lessons in this area. Focusing here on DPAs, three have been agreed in the United Kingdom in respect of fraud and related offences: Tesco Stores Ltd,[46] Serco Geografix Ltd[47] and G4S Care and Justice Services (UK) Ltd.[48] None focuses to any great extent on the relevant compliance failures in either the Statements of Facts[49] or the judgments of the court in approving the DPAs. Should a change in the law prevail in respect of corporate criminal liability for fraud and related offences in the next few years, the enforcement outcomes and lessons to be learned from the first cases coming through in relation to any failure to prevent fraud offences will be significant and noteworthy.

Failure to comply with money laundering regulations (regulated sector)

In December 2021, National Westminster Bank plc (NatWest) pleaded guilty to offences of failure to comply with the UK Money Laundering Regulations 2007 (MLR 2017).[50] It was the first prosecution of its kind of a bank for failure to comply with money laundering regulations. Although it was accepted by the court[51] that the ‘overarching design of the Bank’s ongoing monitoring systems, and the policies and procedures in relation to ongoing monitoring, were in the line with industry guidance’, there were two key aspects to the compliance failures that resulted in the convictions. First, ‘The Group’s policies and procedures did not address the need for staff to guard against overreliance being placed on relationship managers when considering suspicious activity on a customer account.’[52] Second, the group’s policy stated that a particular form of monitoring ‘was only required “where the capability to do so exists”. This would not in itself fulfil guidance issued by the Joint Money Laundering Steering Group that required firms to monitor transactions to ensure they were consistent with their risk profile.’[53]

The overreliance of any compliance system on a single individual and the failure to adhere to published guidance are useful lessons to be reminded of in respect of any form of compliance process, whether in the case of specific criminal offences applying to the regulated sector in respect of money laundering issues, or more widely. In the case of NatWest, these failings had serious consequences, including the deposit of over £250 million of laundered cash in a four-year period. The outcome was equally serious for NatWest. After a one-third deduction in penalty for guilty pleas, NatWest was fined roughly £265 million.

Failure to prevent the facilitation of tax evasion

There is yet to be any UK enforcement outcome in respect of these offences, which came into force via Sections 45 and 46 of the Criminal Finances Act 2017 on 30 September 2017. In its Freedom of Information Release on 30 June 2022, Her Majesty’s Revenue and Customs (HMRC) indicated that, as at 13 May 2022, there were seven live investigations into suspected offences with an additional 21 ‘live opportunities’ under review across a total of 11 business sectors.[54] The next HMRC update is promised within two years, by which time the legislation will have been in force for more than seven years. Prosecutions must undoubtedly be a priority for HMRC if this legislation is to have any teeth whatsoever.

Compliance measures in UK enforcement outcomes

Compliance programme improvements as a term of a DPA

Paragraph 5(3(e) of Schedule 17 of the Crime and Courts Act 2013 states that a DPA may impose on a company the requirement ‘to implement a compliance programme or make changes to an existing compliance programme’ relating to the organisation’s policies or to the training of the organisation’s employees or both. Paragraph 7.9 of the DPA Code of Practice specifically draws the prosecutor’s attention to the fact that putting in place a robust compliance or monitoring programme may be a term of a DPA.

This provision has been significantly utilised in the DPAs that have been agreed. Terms agreed to date include:

  • to commission and submit to, at its own expense, an independent review of its existing internal anti-bribery and corruption controls, policies and procedures regarding compliance with the Bribery Act 2010 and other applicable anti-corruption laws;[55]
  • to undertake a review including the implementation of its existing internal controls, policies and procedures regarding compliance with the Bribery Act 2010 and other applicable anti-corruption laws, including an annual report from the chief compliance officer for the duration of the DPA;[56] and
  • to commission two sequential external reports commenting on and making recommendations for any improvements to the relevant compliance issues that were the subject of the DPA and to produce an implementation plan following the first report in respect of its recommendations.[57]

Airline Services Ltd is the only real exception where no form of compliance enhancement was required, as the company was dormant and kept open only to facilitate the SFO’s investigation and to discharge the other requirements of the DPA. This demonstrates that it will be a truly exceptional circumstance in which a corporate will avoid any form of compliance enhancement as a term of a DPA.

Monitorships as a term of a DPA

Paragraphs 7.11 to 7.22 of the DPA Code of Practice address in some detail the use of monitorships as a term of a DPA. The Code cautions: ‘An important consideration for entering into a DPA is whether [a corporate] already has a genuinely proactive and effective compliance programme. The use of monitors should therefore be approached with care.’ This cautious perspective has been reflected in the UK DPAs agreed to date in that, although some quasi-monitor reporting has been a feature of some DPAs, none of the UK Bribery Act DPAs has yet featured a full monitorship requirement. In G4S Care and Justice Services Ltd,[58] a DPA relating to fraud offences in relation to UK government contracts, the appointment of a ‘Reviewer’ that shared some key characteristics of a monitor was a term of the DPA. There is some development of the Reviewer role beyond the scope of the external assessment required as a term of the Tesco DPA, as set out above. The Reviewer requirement addresses the compliance standard to be achieved via this term of the DPA by distinguishing between ‘requirements’ that are defined as ‘those improvements and/or additional steps that are necessary in order for [G4S] and/or [G4S]’s controls polices and procedures to meet the criteria in [the DPA]’ and ‘recommendations’ referring to ‘those improvements and/or additional steps that, while not necessary to meet those criteria, would nevertheless be desirable enhancements to [G4S] and [G4S] controls, policies and procedures’.

UK regulatory enforcement in respect of compliance issues

Although dealt with more concisely in this chapter, corporates are faced with a more disparate regulatory enforcement landscape in respect of compliance issues in the United Kingdom. This is another area considered carefully and with a broad remit for possible reform by the Law Commission in its recent options paper in respect of corporate criminal liability. For example, one proposed option is:

Introduction of a regime of administrative monetary penalties against companies. This could operate where a fraud was committed by an employee or agent with the intention of benefitting the company. In such cases the company would be liable to pay a penalty unless it could show that it had taken reasonable steps to prevent wrongdoing.[59]

The proposal of this option is a recognition of a well-established, if complex, system of regulatory enforcement of compliance issues in the United Kingdom that could be susceptible to significant further development, to avoid some of the cost, delay and complexity inevitably involved in bringing corporate criminal proceedings, whatever the circumstances.

Scope of regulatory compliance enforcement in the UK

Regulatory enforcement in respect of conduct breaches

Some aspects of the UK system of regulation that addresses compliance issues are sector (or profession[60]) specific while others are of general application. Two of the principal sector-specific areas of regulation for compliance purposes are the regulated sector as defined by the MLR 2017[61] and the financial services sector regulated by the FCA.

The MLR 2017 is a highly complex set of compliance requirements. Enforcement powers are addressed in Part 9 and include the power of a designated supervisory authority[62] to impose a financial penalty and a statement of censure.[63] Part 9 also empowers the FCA to cancel or suspend any permission an authorised person has to carry on regulated activity and other like authorisations.[64] Supervisory authorities are also empowered to impose either temporary or permanent prohibitions on management where an individual was ‘knowingly concerned in a contravention’ of the requirements.[65]

Part IXA of the Financial Services and Markets Act 2000 (FSMA) gives the FCA and Prudential Regulatory Authority (PRA) power to issues rules and guidance for the financial services sector. The FCA handbook[66] is a principal source of this material. The parts of the handbook that have particular relevance to compliance issues include Block 1 ‘high level standards’, which includes modules on ‘principles for businesses’, ‘senior management arrangements, systems and controls’ and the code of conduct. Block 3 contains business standards across the full range of financial services activity. The Regulatory Guides within the FCA Handbook contain a wealth of relevant and useful compliance guidance in relation to economic crime and misconduct, particularly in the ‘Financial Crime Guide: A firm’s guide to countering financial crime risk (FCG)’ and the ‘Financial Crime Thematic Reviews’. The regulatory enforcement measures that the FCA and the PRA may take for breaches of these rules are set out in Part XIV of the FSMA and include financial penalties[67] and public censure.[68]

Two recent decisions of the FCA highlight priorities for UK regulators in enforcement action for conduct breaches. In June 2022, the FCA fined JLT Specialty Ltd £7.8 million (after a 30 per cent early settlement discount) for financial control failings, which in one instance had resulted in bribery of more than US$3 million taking place.[69] Bribes were paid to government officials via a third-party introducer to help retain and secure business for the company. The FCA has indicated that it will continue to focus on the systems in place to prevent financial crime in respect of the sectors that it regulates and bring enforcement actions where corporates fall short of the required standards.

AML compliance failures were the focus of FCA enforcement action in the same month, in this instance in respect of Ghana International Bank.[70] The bank failed to perform adequate checks when it established relationships with overseas banks in respect of corresponding banking services. In addition, there were further failures in annual reviews in respect of information held on the overseas banks, failure to give staff adequate training on how to scrutinise transactions properly and failure to establish appropriate policies and procedures for staff. The FCA noted that there was no evidence of actual money laundering, though the risk of money laundering as a result of the deficient systems was significant. The bank was fined £5.8 million (after a 30 per cent early settlement discount).

Part V of the FSMA gives the FCA and the PRA additional powers concerning those performing senior management functions and those performing roles that require certification, with associated disciplinary powers.[71]

The landscape can be even more complex where an entity is subject to multiple forms of compliance regulation in respect of the same area of business. Solicitors acting in the money laundering regulated sector who are subject to both the MLR 2017 and the Solicitors Regulation Authority (SRA) Standards and Regulations is a good example of this intersection, which is subject to consistently high levels of risk and high levels of enforcement activity by the SRA. Similarly, the Gambling Commission has enforcement powers both in respect of its licensing regime and (as set out above) as a supervisory authority in respect of the MLR 2017.

Although the Law Commission recently considered an option of extending the FCA regime of regulatory enforcement of the financial services sector more widely into the corporate sector, this option was rejected. The Law Commission recognised the very great difficulty of ‘designing obligations that were equally appropriate in all sectors’ and the equally difficult option of producing ‘several sets of detailed obligations . . . one for each sector’.

Regulatory enforcement regarding corporate public reporting breaches

A developing method of compliance enforcement in the United Kingdom concerns requirements to produce public statements in relation to certain economic misconduct prevention issues. This is an area that is also ripe for further additional UK government policy initiatives in the near future, some of which have already been specifically signalled.

Section 54 of the Modern Slavery Act 2015 requires companies that supply goods and services, and that carry out at least part of their business in the United Kingdom, meeting a monetary threshold[72] to prepare an annual slavery and human trafficking statement setting out the steps the organisation has taken to ensure that slavery and human trafficking are not taking place in any of its supply chains or in any part of its business; or a statement that it has taken no such steps. Although there are currently no enforcement sanctions in respect of breaches of these obligations, the UK government has previously announced an intention to introduce financial penalties for failure to meet the requirements of Section 54.[73]

The UK Companies Acts, in particular the 2006 Act, impose additional reporting requirements for certain categories of companies, some of which are focused on compliance standards in respect of economic crime issues. For example, traded companies, banking and insurance companies that have more than 500 employees are required to publish either details of bribery and corruption policies or a statement that is has no such policies in place.[74]

Anticipated developments in regulatory compliance enforcement

In 2021, the UK government Department for Business, Energy and Industrial Strategy (BEIS) published a White Paper consultation on a proposal to reform auditing and corporate governance.[75] Highly significant proposals with relevance to compliance standards for economic crime and misconduct issues are under consideration, including the proposal for a new regulator (the Audit, Reporting and Governance Authority), an extension in the scope of compliance reporting requirements, including to private companies, and a requirement to require directors of certain categories of companies to report on the steps taken to prevent and detect material fraud. In May 2022, BEIS responded to the consultation responses and has signalled a strong intention to prepare and publish a draft Bill in respect of these reforms.[76]


Compliance enforcement in the United Kingdom is expanding with ever-increasing scope and complexity in both the criminal and regulatory spheres. The coming year is likely to bring further change, with even greater and more fundamental developments on the horizon in the future.


[1] Alison Pople KC and Kathryn Arnot Drummond are barristers at Cloth Fair Chambers.

[2] The description ‘economic crime’ is one used by the UK government in its Economic Crime Action Plan 2021 to refer to a broad category of activity involving money, finance or assets, the purpose of which is to unlawfully obtain a profit or advantage for the perpetrator or to cause loss to others.

[3] This chapter refers to UK enforcement policy throughout. It relies on the laws and policies applicable in England and Wales. In relation to particular issues in respect of Scotland or Northern Ireland, it may be necessary to give separate consideration to any differences applying to those jurisdictions.

[4] This publication does not cover sanctions issues, which are dealt with comprehensively in the Guide to Sanctions published by Global Investigations Review.

[6] Enforcement activity by professional regulators such as the Solicitors Regulatory Authority or the Financial Reporting Council is not covered in this chapter.

[7] Tesco v. Natrass [1971] UKHL 1 AC 153.

[8] Investigations by Her Majesty’s Revenue and Customs are prosecuted by the Crown Prosecution Service.

[9] Certain aspects of economic crime are also within the criminal enforcement powers of other bodies, including the Competition and Markets Authority and the Insolvency Service.

[11] Both the Director of the Serious Fraud Office and the Director of Public Prosecutions are designated prosecutors for this purpose under the Crime and Courts Act 2013, Schedule 17, Part 1, Paragraph 3.

[12] Deferred prosecution agreements (DPAs) are not available to individual defendants in the United Kingdom.

[13] To date the Serious Fraud Office has entered 12 DPAs, whereas the Crown Prosecution Service has yet to enter any.

[15] (last accessed 21 June 2022) (DPA Code of Practice). Pursuant to the Crime and Courts Act 2013, Schedule 17, Part 1, Paragraph 6(6), prosecutors ‘must take account of the Code when exercising any of its functions’ in respect of DPAs.

[20] The Code for Crown Prosecutors (2018), at 4.6, at (last accessed 21 June 2022).

[21] DPA Code of Practice, Section 1.2.i.b.

[22] ibid., Section 1.7

[23] The Code of Practice refers to the Attorney General’s guidance to prosecuting bodies on their asset recovery powers under the Proceeds of Crime Act 2002, issued 5 November 2009. Although this guidance does not reflect more recently enacted asset recover powers now available under the Proceeds of Crime Act 2002, the issue of principle is an important one.

[24] SFO v. Standard Bank plc, 30 November 2015, U20150854.

[25] SFO v. Sarclad Ltd, 11 July 2016, U20150856.

[26] SFO v. Rolls-Royce plc, Roll-Royce Energy Systems Inc., 17 January 2017, U20170036.

[27] SFO v. Güralp Systems Ltd, 22 October 2019, U20190840.

[28] SFO v. Airbus SE, 31 January 2020.

[29] SFO v. Airlines Services Ltd, 30 October 2020, U20201913.

[30] SFO v. Amec Foster Wheeler Energy Ltd, 1 July 2021, U20210867.

[31] Sarclad (op. cit. note 25), Preliminary Judgment, Paragraph 45.

[32] This topic is dealt with comprehensively in Chapter 14 of this Guide.

[33] Airbus SE (op. cit. note 28), Paragraph 27.

[34] Standard Bank, Statement of Facts, Paragraph 200h&I – ‘The SB compliance team did not have the opportunity to address the role of [the third party] because it was reliant on the SB business unit identifying and raising any substantive concerns about [the third party] or its role and the SB business unit relied on the findings of the KYC conducted by [the sister company] which did not identify such risks.’

[35] Amec Foster Wheeler Ltd (op. cit. note 30), Statement of Facts, Paragraphs 33–34.

[36] For further details, see Chapter 14 on corporate culture and compliance.

[37] Rolls-Royce (op. cit. note 26), Judgment, Paragraphs 105–07.

[38] Sarclad (op. cit. note 25), Preliminary Judgment, Paragraph 23.

[39] Airline Services Ltd, Statement of Facts, Paragraphs 89–93.

[40] Airline Services Ltd (op. cit. note 29), Paragraph 51f.

[41] Güralp Systems Ltd (op. cit. note 27), Statement of Facts, Paragraph 51.

[42] Standard Bank, Statement of Facts, Section 200a.

[43] ibid., Section 200e.

[44] ibid., Section 199a (‘The applicability of the Introducers and Consultants policy was unclear on the face of the policy.’).

[46] SFO v. Tesco Stores Ltd, 10 April 2017, U20170287.

[47] SFO v. Serco Geographix Ltd, 4 July 2019, U20190413.

[48] SFO v. G4S Services Ltd, 17 July 2020, U20201392.

[49] At the time of writing, the Statement of Facts in relation to the G4S DPA is not publicly available.

[50] Now superseded by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

[51] See sentencing remarks of Mrs Justice Cockerill dated 13 December 2021, in particular Paragraph 15, at (last accessed 21 June 2022)

[52] The court noted that the Financial Conduct Authority’s Financial Crime Guide specifically highlighted this risk, but the Joint Money Laundering Steering Group Guidance did not.

[53] See note 51 (emphasis in original).

[55] Standard Bank (op. cit. note 24).

[56] Sarclad (op. cit. note 25).

[57] Tesco Stores Ltd (op. cit. note 46).

[58] e.g., SRA or FRC regulation (op. cit. note 4).

[59] Law Commission, Corporate Criminal Liability: Summary of the options paper (op. cit. note 5), at p. 12.

[60] e.g., SRA or FRC regulation (op. cit. note 4).

[61] Regulations 8 to 14 are the suite of provisions by which a person can determine whether a particular aspect of their activity is governed by the MLR 2017. In some situations, this can be a highly complex determination in itself.

[62] The supervisory authorities are defined in Regulation 7 and include the Financial Conduct Authority, Her Majesty’s Revenue and Customs, the Gambling Commission and relevant professional bodies.

[63] Regulation 76.

[64] Regulation 77.

[65] Regulation 78.

[66] (last accessed 21 June 2022).

[67] Pursuant to the Financial Services and Markets Act 2000 (FSMA), Section 206.

[68] Pursuant to FSMA, Section 205.

[71] Pursuant to FSMA, Section 66.

[72] Currently an annual turnover of not less than £36 million.

[73] Department for Business, Energy and Industrial Strategy (BEIS), ‘Establishing a new single enforcement body for employment rights, Government Response’ (June 2021).

[74] Companies Act 2006, Section 414CB(1).

[75] BEIS, Restoring Trust in Audit and Corporate Governance 2021.

[76] ‘Restoring trust in audit and corporate governance: Government response to the consultation on strengthening the UK’s audit, corporate reporting and corporate governance systems’ (May 2022), -corporate-governance-govt-response.pdf (as accessed 21 June 2022).

Unlock unlimited access to all Global Investigations Review content