UK Compliance Requirements

This is an Insight article, written by a selected partner as part of GIR's co-published content.

Compliance obligations for corporations doing business in the United Kingdom come from a variety of sources. Some apply universally, for example the UK’s legislation in respect of bribery and the facilitation of tax evasion. UK legislation in these areas requires corporates to have in place adequate prevention measures. Failures to do so could result in the corporate committing a criminal offence if an employee or other person associated with it commits an act of bribery or facilitates tax evasion (often referred to as failure-to-prevent offences). Other compliance requirements on UK corporates derive from sector-specific regulation.

The number of regulated sectors in the United Kingdom is high and includes (among others) charities, education, natural resources, construction, financial services, pensions, healthcare, law, social care, transport, gambling, audit, accountancy and actuarial services. Compliance failings are often at the heart of corporate crime and regulatory enforcement action in the United Kingdom. As such, those bodies that enforce the rules (as well as the industry bodies of certain sectors) have sought to provide guidance on what good compliance looks like.

This chapter considers the available guidance on compliance in respect of bribery and facilitation of tax evasion legislation. The first failure-to-prevent offence was introduced in the 2010 Bribery Bill, leaving many calling for guidance on the preventative steps required to avoid committing such an offence. Although guidance is now available in respect of both bribery and tax evasion, the apparent popularity of this type of offence means further guidance will be required. On 10 June 2022, the Law Commission published an options paper for the UK government on how it can improve the law to ensure that corporations are effectively held to account for committing serious crimes. The paper sets out several options, including the introduction of a number of new failure-to-prevent offences for (1) fraud, (2) human rights abuses, (3) ill-treatment or neglect, and (4) computer misuse.

This chapter also considers the obligations placed on certain sectors by UK anti-money laundering regulations. In this area, corporates must look to sector-specific publications for guidance on complying with their obligations under the regulations (e.g., the Joint Money Laundering Steering Group Guidance for those in the financial sector). Finally, this chapter considers two regulated sectors – financial services and gambling – and considers the available compliance guidance issued by regulators in those sectors.

Compliance failures: criminal risk

Bribery Act 2010, Section 7

The implementation of the Bribery Act 2010 represented a significant move away from corporate criminal liability based on the state of mind of a company’s ‘directing mind and will’. The Act introduced an offence under which corporate liability could be established by a ‘failure to prevent’ an act of bribery. Pursuant to Section 7(1) of the Bribery Act 2010, a ‘relevant commercial organisation’ commits an offence if a person associated with it bribes another person intending to obtain or retain business, or to obtain an advantage in the conduct of business, for the organisation. It is a complete defence to the offence if the organisation can prove that it ‘had in place adequate procedures designed to prevent persons associated with [the organisation] from undertaking such conduct’.[2]

Ministry of Justice guidance

Whether such procedures are ‘adequate’ is ultimately a question of fact for the courts. However, the Ministry of Justice (MOJ) has published guidance for all businesses and sectors[3] to assist with implementing a robust compliance framework – every step of which should be documented.[4] The guidance sets out six key, outcome-focused principles:

  • Proportionate procedures: Procedures should be proportionate to the risk faced by each organisation, taking into account the nature, scale and complexity of that organisation’s activities. The procedures must be clear, practical, accessible and effectively implemented and enforced.
  • Top-level commitment: There must be a clear and demonstrable commitment to preventing bribery at the most senior levels. Top-level management must involve themselves in anti-bribery procedures, fostering a culture of integrity, and communicate, internally and externally, to ensure that it is known that bribery will never be accepted.
  • Risk assessment: Organisations should regularly undertake an assessment to evaluate the nature and extent of their bribery risk. This should address external risk (including country, sectoral, transaction, business opportunity and business partnership) and internal risk (including evaluating the sufficiency of employee training, skills and knowledge; bonus culture; gifts and hospitality policy; financial controls; and the tone from the top).
  • Due diligence: A proportionate and risk-based approach should be taken in respect of applying due diligence to any persons who perform services for or on behalf of the company. Due diligence should address the types of external and internal risks considered in regular risk assessments. This is particularly important with the use of third-party intermediaries.
  • Communication: Policies and procedures should be proportionate, but well embedded through internal and external communication. There should also be regular training on the policies and procedures.
  • Monitoring and review: Organisations should keep under close review whether their procedures are still fit for purpose, having regard to any changes to the bribery risk faced or the nature and scale of their business.

Serious Fraud Office guidance: Evaluating a Compliance Programme

The Serious Fraud Office (SFO) has published its own guidance on how it will evaluate the effectiveness of an organisation’s compliance programme.[5] The SFO expects all companies, irrespective of individual circumstances, to have some form of risk-based compliance arrangements in place.[6] The SFO is clear that those arrangements must go beyond a ‘paper-based exercise’, be effective and be reviewed regularly. The SFO will look at a company’s compliance programme in the round and assess carefully the programme that was in place at the time of the suspected offence; whether and how the programme has been amended since; and whether it will be amended in the future.

With reference to the MOJ’s six guiding principles, the SFO will use its internal guidance to determine key case decisions, including whether (1) a prosecution is in the public interest, (2) the organisation should be invited to negotiate a deferred prosecution agreement, (3) the organisation has a defence to the corporate offence pursuant to Section 7(1) of the Bribery Act 2010, and (4) the existence or nature of the compliance arrangements is relevant to sentencing considerations. The SFO will assess each case on its own facts, paying particular attention to the company’s risk assessment and steps taken to mitigate the risk.

The SFO guidance (read closely alongside the MOJ guidance) must be the cornerstone of any UK anti-corruption programme. Organisations should not only refer closely to the relevant guidance when designing their procedures but should also revisit it regularly when reviewing them.

Facilitation of tax evasion risk

Criminal Finances Act, Sections 45 and 46

The Criminal Finances Act 2017 (CFA) introduced the offences of failure to prevent the facilitation of UK tax evasion and failure to prevent the facilitation of foreign tax evasion. These offences hold a ‘relevant body’ criminally liable when a person associated with that body commits either a UK tax evasion facilitation offence (pursuant to Section 45) or a foreign tax evasion facilitation offence (pursuant to Section 46).

As with the Bribery Act offence, compliance-based defences are available, although on first reading the standard appears to vary between the two, owing to differing descriptions of the prevention procedures. Whereas the Bribery Act requires ‘adequate procedures’ to be in place, under the CFA, the corporate defendant must prove that ‘in all the circumstances’ it had ‘reasonable prevention procedures’ in place. There has been extensive criticism and scrutiny with regard to these seemingly differing standards, but a post-legislative House of Lords select committee suggested it be made clear in the relevant guidance that ‘adequate’ is not intended to mean anything stricter than ‘reasonable in all the circumstances’. That said, no change has yet been made to the guidance.

Separately, and in contrast with the Bribery Act, the CFA also specifically provides for a defence in circumstances where it was reasonable not to have any prevention procedures in place.

Her Majesty’s Revenue and Customs: Tackling tax evasion

In September 2017, Her Majesty’s Revenue and Customs (HMRC) published guidance in respect of the facilitation of tax evasion offences.[7] As with the MOJ’s Bribery Act guidance, HMRC formulated its guidance around the same six principles. It emphasises the need for bespoke prevention procedures that apply to the corporate’s own circumstances and that even strict compliance with the guidance will not necessarily amount to having reasonable prevention procedures. The guidance makes clear that the company’s self-assessment of its own risks will be key.

Money Laundering Regulations 2017, Regulation 86

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLTF Regulations) came into force on 26 June 2017. They are intended to target the ‘gatekeepers’ of the UK financial system and apply to credit institutions, financial institutions, auditors, insolvency practitioners, external accountants and tax advisers, independent legal professionals, trust or company service providers, estate agents and letting agents, high-value dealers, casinos, cryptoasset exchange providers, custodian wallet providers and art market participants (together, Relevant Persons).[8]

Relevant Persons are required to have certain measures in place to mitigate the risks of money laundering and terrorist financing (Relevant Requirements). There are numerous Relevant Requirements, including:

  • conducting a risk assessment that takes appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject;[9]
  • establishing and maintaining policies, controls and procedures to mitigate and manage effectively the risks identified in any risk assessment;[10]
  • ensuring these policies, controls and procedures apply to all subsidiaries and branches (even when they are not located in the United Kingdom);[11] and
  • taking appropriate measures to ensure that its relevant employees are made aware of the law relating to money laundering and terrorist financing, and to the requirements of data protection.[12]

Pursuant to Regulation 86 of the MLTF Regulations, a person commits an offence if they contravene a Relevant Requirement that is imposed on them. In deciding whether a corporate has committed an offence, the court will consider whether it followed any relevant guidance, including from the Financial Conduct Authority (FCA) and other supervisory authorities.[13] No offence is committed if a corporate can demonstrate that it took ‘all reasonable steps’ and ‘exercised all due diligence’ to avoid committing it.[14] In December 2021, National Westminster Bank PLC was fined £264.3 million for failing to comply with requirements under the Money Laundering Regulations 2007 (which were in place prior to the MLTF Regulations). This was the FCA’s first prosecution for money laundering offences.

Joint Money Laundering Steering Group guidance

Those operating in the financial sector should have regard to the guidance produced by the Joint Money Laundering Steering Group (JMLSG).[15] This is aimed at firms operating under the auspices of the JMLSG’s 14 UK trade association member bodies, in addition to those regulated by the FCA. It is approved by HM Treasury and, therefore, relevant for the offences under the Proceeds of Crime Act 2002 (regulated sector) and Regulation 86 of the MLTF Regulations.

Although it is not legally binding, firms ‘will have to stand prepared to justify departures’ from the guidance, which is in three parts: Part I contains guidance relevant to all firms operating across the UK financial sector; and Parts II and III provide additional sector-specific guidance.

The focal point of the JMLSG guidance is the responsibility of senior managers (including the money laundering reporting officer) to identify, assess and effectively manage money laundering risks across different aspects of their businesses. The JMLSG emphasises that there are many similarities between the strategies adopted by businesses to combat money laundering and other types of financial crime, such as fraud and market abuse, and recommends fostering ‘strong links’ between those responsible for managing and reporting on these various areas of risks.

The JMLSG guidance is clear that there is no one-size-fits-all approach and that policies and procedures should be proportionate to the size and nature of the relevant business. There are strong parallels with the MOJ’s six principles contained within its Bribery Act guidance.

Compliance failures – regulatory risk

The United Kingdom has a broad range of regulators who have taken enforcement action for compliance breaches against those they regulate. They include sector-specific regulators such as the FCA and the Gambling Commission (discussed in more detail below). There are also many profession-specific bodies such as the Financial Reporting Council, the Solicitors Regulation Authority and the General Medical Council, to name but a few.

Financial Conduct Authority

The FCA regulates the financial markets and the conduct of around 51,000 financial services firms and financial markets in the United Kingdom. It derives its powers from the Financial Services and Markets Act 2000 (FSMA), which provides it with a broad range of civil, criminal and disciplinary tools that it can deploy to take action against both individuals and firms that fail to meet the required standards. Part 9A of the FSMA grants the FCA power to set its rules – as set out in the FCA Handbook[16] – and to publish guidance on those rules.

The FCA’s approach to regulation involves a combination of high-level principles, binding rules relevant to corporate compliance (as set out in the FCA Handbook) and detailed non-binding guidance. The FCA’s Principles for Business[17] (the Principles or high-level Principles), of which there are 11, set out the fundamental obligations that regulated firms are expected to uphold in the conduct of their business and underpin firms’ responsibilities to their clients. Some of the key Principles include that firms must conduct their business with integrity (Principle 1) and due skill, care and diligence (Principle 2), and take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems (Principle 3).[18]

The high-level Principles provide a basis for the FCA both to supervise a firm’s activities and to commence enforcement action where it considers that there has been a contravention of the Principles. The enforcement action available to the FCA in respect of breaching the Principles or binding rules is wide-ranging and can include, among other things, imposing a financial penalty, issuing a public censure and suspending a firm’s permission to carry on regulated activity.


In addition to the Principles, the FCA issues FCA Handbook guidance and other materials – including published FCA speeches, generic letters written by the FCA to chief executives in particular sectors,[19] thematic reviews and final notices – that provide practical insight and are useful tools for firms to consider in order to supplement and give colour to the high-level Principles. The FCA’s website is a helpful source of information in this respect and aspects of its commentary can provide an indication of the FCA’s current and future supervisory and enforcement priorities.

The FCA’s Financial Crime Guide[20] also provides guidance in respect of some of the high-level Principles and is designed to help firms establish, implement and maintain effective financial crime policies, systems and controls. In addition, the FCA’s Enforcement Guide complements other FCA guidance as it gives a steer as to how such guidance can be applied to the Principles. The Enforcement Guide also illustrates the importance of a firm implementing suitably robust systems and controls.

Although compliance with FCA rules and Principles is not negotiable, it is vital that firms are also alive to the relevant supporting guidance summarised above. In theory, the guidance is non-binding but the FCA may take available guidance and supporting material into account when either considering or actively pursuing enforcement action. For example, the FCA’s Enforcement Guide[21] states that the relevant guidance could be used by the FCA to assess whether it could have been understood or predicted at the time that the conduct in question fell below the standards required by the Principles. Further, the available guidance could be used to inform a view of the overall seriousness of the breaches – the example given by the FCA is of a situation where a firm effectively fails to consider an FCA ‘Dear CEO’ letter to be relevant to its business – which could in turn lead to a higher financial penalty.[22]

Although the standards set by the Principles are necessarily high, the way in which they are achieved can be exercised with a degree of flexibility.[23] Each business is unique and the FCA is clear that it wishes to encourage firms to apply their judgement about, and take responsibility for, what the Principles mean for them in terms of how they conduct their business.[24]

To satisfy the standards set out in the Principles, it is essential that the Principles are embedded in a firm’s operational processes. Senior managers must take responsibility for and carefully assess the risks inherent within their firm and ensure that appropriate systems and controls are put in place to mitigate and manage those risks. The steps a firm takes to maintain the required regulatory standards under the Principles must be proportionate to the potential risks, and its systems and controls should be sufficiently robust and adequately tested to ensure that they are effective in practice and that risks are properly managed.

The FCA’s guidance on how this can be actioned is sometimes referred to as the ‘reasonable predictability test’ or ‘condition of predictability’. Although this is not a legal test to be met in deciding whether there has been a breach of FCA rules, the FCA considers that firms must be able reasonably to predict, at the time of the action concerned, whether the conduct would breach the Principles. The FCA acknowledges that firms may comply with the Principles in different ways and that enforcement action will not be taken unless it was possible to determine at the time that the relevant conduct fell short of their requirements.[25]

Gambling Commission

The Gambling Commission regulates the provision of facilities for gambling to persons in Great Britain, including the National Lottery. It licenses the individuals and businesses that offer gambling and provides them with advice and guidance.

The Commission derives its powers from the Gambling Act 2005.[26] Under this Act (among other offences), it is a criminal offence to provide facilities for gambling to persons in Great Britain without a licence or an applicable exception.[27] The Commission has the power to investigate whether an offence has been committed and may institute criminal proceedings against anyone found to be in breach.[28] According to the Commission’s policy on licensing, compliance and enforcement under the Gambling Act 2005,[29] as a general rule the Commission will not normally pursue a criminal investigation into the activities of a licensed operator, as it considers that, in most cases, the matter is likely to be capable of being dealt with by the exercise of the Commission’s regulatory powers. The Commission is very proactive in exercising its regulatory powers and conducts regular compliance assessments of its licensees. Since 2018, there have been numerous cases of the Commission exercising its regulatory powers against licensees and it has imposed significant penalties.[30] During the year ending December 2021, the Commission revoked the licence of one gambling business and suspended the licences of another five operators, and 15 gambling businesses paid a total of £32.5 million in financial penalties and regulatory settlements.[31]

The licence conditions and codes of practice (LCCP),[32] issued from time to time by the Commission, embody the general conditions and codes of practice to which licensed operators are required to adhere. The codes of practice fall into two categories:

  • social responsibility code provisions, which have the force of licence conditions and any breach of them may result in the exercise of the Commission’s regulatory powers; and
  • ordinary code provisions, which do not have the force of licence conditions but outline good practice.[33]

That said, ordinary code provisions are admissible in evidence in criminal or civil proceedings and may be taken into account (1) in any case in which the court or tribunal consider them to be relevant, and (2) by the Commission in the exercise of its functions.

The obligations of licensees under the LCCP are extremely wide-ranging and cover areas including the appointment of qualified persons, technical standards and testing, protection of customer funds, fair and open terms and practices, anti-money laundering, age and identity verification, information requirements and reporting, marketing and compliance with advertising codes and the protection of children and other vulnerable persons (including customer interaction and self-exclusion).


The Commission publishes large volumes of guidance on its website, intended to assist licensed operators to design and implement effective policies, procedures and controls and meet their compliance obligations. Key aspects include guidance:

  • to remote and non-remote casinos and gambling (non-casino) businesses on the prevention of money laundering and combating the financing of terrorism;
  • on customer interaction (including additional guidance applicable during covid-19);
  • on information to lottery players;
  • on high-value customers;
  • on fair and transparent terms and practices; and
  • on policies, procedures and controls for handling customer complaints.

The Commission’s guidance is a mixture of specific directions clearly outlining the Commission’s expectations and more flexible, outcomes-focused guidance, which anticipates a degree of discretion as to how compliance obligations are met. Although the vast majority of guidance on the Commission’s website is not legally binding, certain licence conditions and social responsibility code provisions of the LCCP do require licensees to take account of some aspects of Commission guidance, including in respect of customer interaction (social responsibility code provision 3.4.1), information to lottery players (social responsibility code provision 4.3.3), high-value customer incentives (social responsibility code provision 5.1.1) and customer complaints (social responsibility code provision 6.1.1).[34]

When conducting compliance assessments, depending on the scope of the assessment, the Commission does expect licensees to be able to provide evidence that guidance has been taken into account, including by demonstrating that the relevant guidance has been referred to in current versions of all applicable policies and procedures.

The Commission has broad powers to commence a review of a licence, including where it has reason to suspect that activities may have been carried on in purported reliance on the licence but not in accordance with a condition of the licence and for any reason suspects that the licensee may be unsuitable to carry on the licensed activities, or thinks that a review would be appropriate.[35] Following a review, the Commission may take no action, but may give the holder of the licence a warning, attach an additional condition to the licence, remove or amend a condition attached to the licence, suspend the licence, revoke the licence or impose a financial penalty (or a combination). It may also suspend the licence in other cases, including if at the time of deciding to conduct a review, or at any time during the course of a review, the Commission suspects that a licensed activity is being, or has been, carried on in a manner that is inconsistent with the licensing objectives, a condition of the licence has been breached, the licensee has failed to cooperate with a review or the licensee is unsuitable to carry on the licensed activities.[36] Alternatively, the Commission may agree to reach a regulatory settlement with the licensee.

In determining the appropriate outcome, the Commission will have regard to its policy on licensing, compliance and enforcement under the Gambling Act 2005 and its statements of principles for licensing and regulation and for determining financial penalties.[37] However, its policies are not prescriptive and the method by which financial penalties (for example) are calculated is somewhat opaque.

The Commission expects compliance to sit at the heart of a licensee’s business. This may seem obvious, but the Commission expects licensees to be able to demonstrate this and will test for it during compliance assessments by looking carefully at a licensee’s corporate governance framework. It expects to see clear reporting lines and allocation of responsibility and regular reporting between senior management and those responsible for the relevant specified management offices. At the conclusion of a licence review, if the Commission considers that breaches of licence conditions have occurred, it is not uncommon for it to subsequently review the personal management licences held by the individuals occupying the relevant specified management positions.

Effective corporate governance and the implementation of policies and procedures designed to ensure compliance with the terms and conditions of their licences, and controls to monitor their effectiveness, are therefore critical for all licensed operators. To address this issue, taking into account the size and nature of their business (and occasionally at the request of the Commission), a number of licensees have established formal compliance committees to ensure that:

  • policies and procedures are regularly updated (including to reflect regulatory changes or the publication of new or updated guidance);
  • adequate staff training is provided (both on induction and refresher sessions); and
  • the board is informed of any compliance issues, developments and remedial action required.

In addition, licensed businesses often establish internal audit functions to identify, and prioritise remediation of, any gaps in compliance. On occasions, a licensed business will outsource the audit of its compliance framework (in some cases in accordance with a condition attached to a licence by the Commission following a licence review). The Commission’s expectations in this regard are clear; it expects its licensees to dedicate adequate resources to compliance and to put regulatory and commercial objectives on an equal footing.[38]

The preparation and maintenance of an effective risk assessment is also a hallmark of an effective compliance framework. Licensees must ensure that such an assessment is appropriate and review it as necessary in light of changes in circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event review it at least annually.[39] In line with the requirements under the LCCP, the Commission expects to see evidence of any risks identified in the assessment being addressed in the policies and procedures designed to mitigate those risks. Along with relevant guidance that it publishes itself, the Commission also expects licensees to demonstrate that they have taken account of the Commission’s own assessments of the money laundering and terrorist financing risks within the British gambling industry.

Compliance programme fundamentals

It is clear that compliance requires not only regard to the letter of the law and other rules but also to various forms of applicable guidance. This guidance, although helpful, is easily changed or updated, which increases the burden on those subject to it to ensure they remain up to date. In some cases, there is an almost overwhelming amount of guidance to keep on top of, whereas in others (for example the Bribery Act 2010), there is very little.

Although each piece of guidance is unique, there are recurring themes. It is clear that procedures need to be proportionate to the level of risk faced. This will mean different things in different contexts, but a good place to start is to consider size, complexity, sector, customer profile, geographical location, business partners, employee skill levels and financial controls. A good risk assessment is a living document that should be reviewed regularly and updated when the risk profile changes.

To establish whether certain procedures are proportionate, there should be a direct link between the risk assessment and the procedures in place. Corporations should ‘show their workings’, making it clear how their procedures address the risks identified. It is essential to be able to establish that the procedures reflect all relevant and current guidance on the matter.

The existence of the procedures, however well crafted, offers no protection if they remain the domain of a compliance department. The procedures only offer protection (both in preventing transgressions and in demonstrating compliance despite a transgression) if they are well instituted within the business. This must go significantly further than a page on an intranet site. Staff must be regularly trained on the procedures and understand how they apply in their specific roles. Management must become sponsors of the procedures and demonstrate a clear ‘tone from the top’.

As the compliance burden looks set to increase further, the financial burden on companies to institute procedures properly increases too. Although it is often said, it does not make it any less true that the costs involved in compliance will nearly always remain good value in comparison to the financial cost of a breach.


[1] Niki Stephens and Alison Geary are partners and Min Weaving and Elizabeth Hope are managing associates at Mishcon de Reya LLP.

[2] Bribery Act 2010, Section 7(2).

[4] The Ministry of Justice guidance is clear that the principles are not prescriptive and that they are ‘intended to be flexible and outcome focused, allowing for the huge variety of circumstances that commercial organisations find themselves in’. This flexible outcomes-based approach is particularly relevant to the evaluation of compliance programmes of small and medium-sized enterprises.

[6] id. (‘Organisations of any size can be expected to have at least some compliance arrangements.’)

[7] ‘Tackling tax evasion: Government guidance for the corporate offences of failure to prevent the criminal facilitation of tax evasion’ (1 September 2017), at (last accessed 20 June 2022).

[8] Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLTF Regulations), Regulations 3(1) and 8.

[9] MLTF Regulations, Regulation 18 and Schedule 6, Paragraph 5(a)(i).

[10] ibid., Regulation 19 and Schedule 6, Paragraph 5(a)(ii).

[11] ibid., Regulation 20 and Schedule 6, Paragraph 5(a)(iii).

[12] ibid., Regulation 24 and Schedule 6, Paragraph 5(a)(vii).

[13] ibid., Regulation 86(2).

[14] ibid., Regulation 86(3).

[16] Financial Conduct Authority (FCA), Handbook, at (last accessed 17 June 2022).

[17] FCA Handbook, PRIN 2.1, The Principles, at (last accessed 17 June 2022).

[18] An FCA consultation paper, CP21/36 dated 7 December 2021, confirmed that the FCA plans to add ‘consumer duty’ as a new, twelfth Principle. Principle 12 will state: ‘A firm must act to deliver good outcomes for retail customers.’ Although Principle 12 will impose a higher standard of conduct than Principles 6 (customers’ interests) and 7 (communications with clients), those Principles will still remain relevant to firms. At the time of writing, the FCA is expected to publish a policy statement and make any new rules by 31 July 2022. Firms will have until 30 April 2023 to fully implement the ‘consumer duty’.

[19] Also referred to as ‘Dear CEO’ letters.

[20] The Financial Crime Guide (FCG), at The FCG is based on the FCA Financial Crime Thematic Reviews of various financial crime risks. Sixteen thematic reviews were conducted by the FCA between 2006 and 2014 resulting in ‘general guidance’ as defined in FSMA 2000, Section 158.

[21] FCA Handbook, Enforcement Guide, EG 2.9.4, at (last accessed 17 June 2022).

[23] Large and generally sophisticated businesses welcome the flexibility provided by Principles-based regulation. However, smaller firms may struggle with this approach and prefer the certainty of prescriptive rules-based regulation.

[24] FCA Handbook, Enforcement Guide, EG 2.8.3, at (last accessed 17 June 2022).

[26] As amended by the Gambling (Licensing and Advertising) Act 2014 (Gambling Act).

[27] Gambling Act, Section 33.

[28] The Commission does not have the power to commence criminal proceedings in Scotland, but as a Specialist Reporting Agency can recommend criminal proceedings to the Crown Office and Procurator Fiscal Service.

[30] A consultation on proposed changes to the policy closed on 9 February 2022. A response to the consultation has not yet been published.

[31] Raising Standards for consumers – Compliance and Enforcement report 2020 to 2021, at -compliance-and-enforcement-report-2020-to (last accessed 17 June 2022).

[33] Social responsibility code provisions have the force of licence conditions by virtue of Section 82 of the Gambling Act.

[34] The Commission’s guidance on customer interaction is due to be updated in June 2022 following its consultation on customer interaction, the response to which was published on 14 April 2022: see consultation-response/remote-customer-interaction-consultation-response/ remote-customer-interaction-next-steps (last accessed 17 June 2022).

[35] Gambling Act 2005 (as amended), Section 116.

[36] ibid., Sections 118(2) and 120(1).

[38] Raising Standards for consumers – Compliance and Enforcement report 2020 to 2021, op. cit. note 33.

[39] Gambling Commission, ‘Licence conditions and codes of practice’, Licence condition 12.1.1, Paragraph 1.
