UK Compliance Enforcement

This is an Insight article, written by a selected partner as part of GIR's co-published content.


The UK Bribery Act 2010 was not the first step taken by the United Kingdom in using enforcement action in respect of compliance breaches as a means of corporate punishment and deterrence of economic crime[2] but it certainly represented a fundamental development in UK enforcement policy,[3] which has been supplemented and further developed in subsequent years.

Enforcement action in respect of compliance breaches, both criminal and regulatory, is now at the heart of the UK enforcement policy in respect of economic misconduct in all key areas, including bribery, money laundering, fraud, tax evasion and sanctions.[4]

As foreshadowed in this chapter in the previous edition, a new draft corporate criminal offence of failing to prevent fraud was announced by the government[5] and forms part of the Economic Crime and Corporate Transparency Bill. Crucially, prosecutors will no longer have to show that the ‘directing mind and will’ of a company were involved in the fraud. This will make it easier to pursue large organisations for economic crimes. The government will publish guidance prior to enactment.

This chapter sets out the main areas of general enforcement activity in the United Kingdom,[6] drawing on the lessons that can be derived from previous activity and statements of policy from the various UK enforcement agencies. This body of information provides a corporate with significant insight into how to approach compliance issues in respect of economic misconduct risk, including bribery, fraud, money laundering and facilitation of tax evasion, either from a proactive approach to ensure good compliance measures in these areas, or to inform a strategic approach when a compliance issue arises, in particular where it may engage UK enforcement agencies.

UK criminal law enforcement in respect of UK compliance issues


In England and Wales, criminal law enforcement in respect of corporate activity in economic crime was dominated for many decades by the legal principle known as ‘the identification doctrine’. By this means, the acts and intent of individuals were attributed to the corporate defendant in order to meet the requirements of a criminal offence involving economic crime. The identification doctrine placed a significant practical limitation on economic crime enforcement in respect of corporates as liability rested only on the basis of the conduct of persons whose status and authority allowed them to be judged as a corporate’s directing mind and will.[7]

Although the identification principle still exists and dominates issues of corporate criminal liability in the area of fraud (until the government enacts a new failure-to-prevent-fraud offence), corporate enforcement activity in respect of the key areas of bribery, money laundering and facilitation of tax evasion is now focused very heavily on and around compliance issues.

UK criminal enforcement bodies

UK criminal enforcement activity in respect of economic crime is undertaken principally by the Serious Fraud Office (SFO), the Crown Prosecution Service (CPS)[8] and the Financial Conduct Authority (FCA)[9]. These agencies have overlapping remits in respect of economic crime enforcement that are ordinarily resolved on a case-by-case basis. This may seem to be an unsatisfactory and ad hoc way of proceeding to the corporate but, in reality, most cases present a clear basis for one agency to take on the primary criminal enforcement role and the ‘piling on’ issue in respect of enforcement action that has historically presented problems in other jurisdictions[10] has not been an issue for corporates to the same degree in respect of UK criminal enforcement.

UK criminal enforcement mechanisms

There are two principal means of corporate economic crime enforcement: prosecution and deferred prosecution agreement (DPA). DPAs are available to both the SFO and the CPS[11] in respect of the full range of economic crime offences committed by corporate offenders,[12] including bribery, fraud and money laundering.[13] Non-prosecution agreements are not available in the United Kingdom.

UK criminal enforcement decision-making


There is a body of guidance that governs decision-making in respect of selecting the most appropriate enforcement mechanism in the event that a criminal investigation meets the relevant evidential threshold for enforcement action. The guidance that is publicly available is comprised of:

  • joint CPS and SFO guidance on corporate prosecutions;[14]
  • Deferred Prosecution Agreements: Code of Practice[15] (the DPA Code of Practice), issued by the SFO and CPS;
  • SFO Operational Guidance – Corporate self-reporting;[16]
  • SFO Operational Guidance – Corporate Co-operation Guidance;[17]
  • SFO Operational Guidance – Guidance for Corporates on Deferred Prosecution Agreements;[18] and
  • SFO Operational Guidance – Evaluating a Compliance Programme.[19]

Evidential issues

The evidential threshold for a criminal prosecution is the existence, to the prosecutor’s satisfaction, of ‘sufficient evidence to provide a realistic prospect of conviction against each suspect on each charge’.[20] In respect of an invitation to enter DPA negotiations, either the evidential threshold for prosecution must be met or there is a lesser evidential standard available, namely:

there is at least a reasonable suspicion based upon some admissible evidence that [a corporate] has committed the offence and there are reasonable grounds for believing that a continued investigation would provide further admissible evidence within a reasonable period of time, so that all the evidence together would be capable of establishing a realistic prospect of conviction in accordance with the Full Code Test.[21]

In cases where neither limb of the evidential stage can be met, the DPA Code of Practice[22] directs prosecutors to consider appropriate asset recovery powers under the Proceeds of Crime Act 2002.[23]

A critical feature of the evidential assessment in respect of certain offences is whether there is available to the corporate a defence based on the nature and quality of its compliance procedures at the time of the alleged offending.[24]

Public interest issues

Having determined that a relevant evidential threshold is met, the prosecutor must also make decisions in respect of public interest issues when determining whether there is a public interest in either entering into a DPA with the corporate or commencing a criminal prosecution.

Compliance issues are a key part of these public interest considerations. In respect of the DPA Code and public interest factors in favour of prosecution, Paragraph 2.8.1(iii) cites: ‘The offence was committed at a time when [the corporate] had no or an ineffective corporate compliance programme and it has not been able to demonstrate a significant improvement in its compliance programme since then’.

Conversely, as a public interest factor against prosecution and in favour of entering into a DPA, the Code cites at Paragraph 2.8.2(iii): ‘The existence of a proactive corporate compliance programme both at the time of offending and at the time of reporting but which failed to be effective in this instance’. Additionally, the footnote to this paragraph of the Code states: ‘The prosecutor may choose to bring in external resource to assist in the assessment of [the corporate’s] compliance culture and programme for example as described in any self-report.’

The point is again emphasised in the Code at Paragraph 7.11, under the heading of ‘Monitors’: ‘An important consideration for entering into a DPA is whether [the corporate] already has a genuinely proactive and effective corporate compliance programme.’

These aspects of the Code demonstrate amply two important points when considering UK enforcement activity:

  • A corporate will best assist itself by a clear identification and presentation to the investigating authority of the full extent of a corporate’s compliance programme during the course of the criminal investigation. This may not just be limited to handing over the relevant written policies but may involve charting the evolution of those policies over time and organisational change, demonstrating relevant training, or producing witness statements from company personnel that speak to their usual effectiveness, citing examples.
  • The available evidence with regard to a corporate’s compliance programme will be scrutinised carefully, but if the evidence is robust, it can positively affect the enforcement authority’s decision, either to take no action or to invite the corporate into DPA negotiations, rather than commence a criminal prosecution.

Compliance lessons in UK enforcement outcomes

Bribery Act 2010 offences

This is the most evolved area of UK enforcement activity in respect of the interface between compliance procedures and UK criminal enforcement outcomes. As referred to above, the introduction of the Bribery Act 2010 in July 2011 – in particular the Section 7 offence of failure to prevent bribery – placed compliance issues at the centre of corporate criminal enforcement in respect of bribery. The statutory defence available under Section 7(2) negates criminal liability where a corporate can prove it had adequate procedures designed to prevent persons associated with the corporate from undertaking the alleged conduct.

On 3 November 2022, Glencore Energy UK Ltd (Glencore) was sentenced to a fine totalling £280,965,092.95 following a guilty plea to seven counts of bribery under the Bribery Act 2010. This is the largest ever financial penalty for an SFO case following a conviction. Counts 1 to 5 were offences of bribery contrary to Section 1 of the Bribery Act and Counts 6 and 7 were offences of failure of a commercial organisation to prevent bribery, contrary to Section 7 of the Bribery Act. Mr Justice Fraser, in sentencing Glencore, commented:

Bribery is a highly corrosive offence. It quite literally corrupts people and companies, and spreads like a disease. . . . Any bribes are serious, but when those bribes are measured in the millions of US dollars or Euros – and in count 4 here alone, in excess of 10 million Euros – then the figures speak for themselves. This is significant offending.[25]

It represents the first time since the introduction of the Bribery Act 2010 that a corporate has been convicted for the active authorisation of bribery, rather than purely a failure to prevent it.[26]

Of the 12 DPAs agreed by the SFO to date, nine have been (at least in part) in respect of Section 7 offences: Standard Bank,[27] Sarclad Ltd,[28] Rolls-Royce plc,[29] Güralp Systems Ltd,[30] Airbus SE,[31] Airline Services Ltd,[32] Amec Foster Wheeler Energy Ltd,[33] Bluu Solutions Ltd and Tetris Projects Ltd (previously referred to as AB Ltd and CD Ltd, respectively).[34]

In an early DPA, the judgment of the court in approving the agreement set out clearly the close public policy connection between the availability of DPAs in the United Kingdom and the promotion of effective compliance as a method of deterrence of economic crime:

it is important to send a clear message reflecting a policy choice in bringing DPAs into the law of England and Wales, that a company’s shareholders, customers and employees (as well as all those with whom it deals) are far better served by self-reporting and putting in place effective compliance structures. When it does so, that openness must be rewarded and be seen to be worthwhile.[35]

The available Statements of Facts that underpin these DPAs and the judgments of the UK court in approving the DPAs provide useful insight and learning opportunities.

Corporate culture[36]

‘Top down’ approach

The corporate culture must be geared towards exemplary compliance, and this must cascade downwards from the very top of an organisation. In the judgment approving the Airbus DPA, the court noted serious failings in respect of the oversight of Airbus’ compliance function by its relevant internal committee:

As it later emerged however, some committee members were aware of and/or involved in the material wrongdoing. Further, the information provided to the committees was incomplete, misleading or inaccurate, in particular with regard to the process by which [the agent] was identified, the actual amount of compensation promised to [the agent], the identity of the beneficial owner of the remuneration provided or the underlying economic justification for [the relevant project]. In consequence, it is plain that the committees were not able to provide effective or properly informed oversight in the manner intended.[37]

The individuals who provide internal supervision to a company’s compliance function must personally demonstrate the exemplary compliance standards to which the corporate seeks to adhere and must personally take the necessary steps to ensure they are provided with the appropriate information to enable them to properly carry out their supervisory function. In the Bluu Solutions Ltd and Tetris Projects Ltd DPA,[38] the court noted that AB Ltd had ‘just a single generic document which represented the totality of its anti-bribery and corruption policy. . . . There was no commitment to anti-bribery processes from top-level staff’.[39]

‘Whole organisation’ approach

Another important aspect of corporate compliance culture was amply demonstrated in the Standard Bank DPA, the first UK DPA – namely, the importance of a unified culture with fully connected processes. A corporate with disparate business units may face greater compliance risks because of a misplaced reliance by one on the other, or because some units are more remote from a central compliance function and subject to less oversight and scrutiny.[40]

‘Full adherence’ approach

Some UK enforcement cases have reflected blatant and flagrant breaches of compliance procedures. The Amec Foster Wheeler DPA is a good example of that:

Despite the policies and procedures in place, in the course of its investigation, the SFO became aware of a practice within [the company] of using Agents without informing [the company’s] compliance department. This was described by a [company] employee who was interviewed by the SFO about matters relating to compliance and culture at the [company] as a ‘try before you buy’ culture. The SFO’s investigation identified multiple occasions on which the above policies and procedures were circumvented and breached, leading the SFO to conclude that there existed within [the company] a culture of disregard for compliance policies and procedures.[41]

The Rolls-Royce DPA emphasised the vital importance of an empowered compliance function within an organisation with authority to act effectively.[42] In this case, a number of instances of corrupt arrangements involved sidestepping internal compliance concerns or putting pressure on internal compliance personnel to approve arrangements about which they had raised concerns.[43]

‘Full adoption’ approach

For large organisations, merger and acquisition (M&A) activity will present particular compliance challenges. Comprehensive due diligence will be necessary to ensure that any legacy economic crime issues of a purchased entity are fully addressed in a timely manner and that the purchased entity is fully adopted into the overall compliance regime of the company. The Sarclad DPA demonstrates the importance of a comprehensive due diligence assessment of compliance in an M&A context.

By its own admission, prior to 2012, Sarclad did not have adequate compliance provisions in place. In order to address this problem, in late 2011, Heico sought to improve matters in its subsidiary by implementing its global compliance programme . . . within Sarclad. It was within the context of this compliance programme that . . . concerns came to light about the way in which a number of contracts had been secured. Sarclad took immediate action.[44]

Fit-for-purpose compliance procedures

Proper application of appropriate external legal advice

Several UK DPAs have involved instances where a corporate sought external legal advice on the general requirements of procedures in respect of the UK Bribery Act 2010, but either failed properly to implement that advice, or failed properly to apply it to the particular circumstances of the business. Airline Services Ltd was a case where, notwithstanding external legal advice about the implementation of the Bribery Act in 2010, the company failed to promulgate and communicate the ‘anti-corruption policy and guidelines’ that were prepared for it and failed to implement the other recommendations made by its external legal advisers.[45] Its compliance programme was described by the court in its judgment approving the DPA as ‘negligible’.[46]

In Güralp, an anti-bribery and anti-corruption (ABC) policy was implemented following the introduction of the Bribery Act and an external law firm provided a presentation on the legislation. ‘Neither the presentation nor the ABC policy was effective in preventing the arrangement with [the agent] continuing.’[47]

Bespoke procedures to reflect the corporate reality

The Standard Bank DPA emphasised the importance of a practical identification and consideration of the risks faced by the corporate, with adequate procedures to meet those risks. In that case, owing to the circumstances of the particular transaction, the relevant know-your-customer (KYC) procedures sat within a sister company ‘in respect of which SB had no interest, oversight, control or involvement’.[48]

Substance over form

A perennial problem in achieving and maintaining exemplary compliance procedures is achieving substance over form. In the Standard Bank DPA, in relation to the identification of risk, ‘SB permitted the formal structures of a transaction or relationship . . . rather than the broader risks to dictate the existence of any obligation to conduct KYC due diligence checks’.[49]

Clear articulation and communication of compliance procedures

The Standard Bank DPA also recognised the fundamental importance of clarity in the expression of a corporate’s compliance procedures and the importance of communication and training. Both were found wanting in that case.[50] ‘Moreover it was not reinforced effectively to the SB deal team through effective communication or training.’[51]

Fraud and related offences

It is no surprise, given the current legal framework in respect of corporate criminal liability for fraud and related offences, that there are fewer corporate enforcement outcomes to draw on for compliance lessons in this area. Focusing on DPAs, three have been agreed in the United Kingdom in respect of fraud and related offences: Tesco Stores Ltd,[52] Serco Geografix Ltd[53] and G4S Care and Justice Services (UK) Ltd.[54] None focuses to any great extent on the relevant compliance failures in either the Statements of Facts or the judgments of the court in approving the DPAs.

Assuming enactment of the new corporate criminal offence of failing to prevent fraud and related offences takes place (see Chapter 1 on ‘UK Compliance Requirements’ for further details), when the first entities are prosecuted for the offence in the years that follow, the related enforcement outcomes and lessons to be learned will be significant and noteworthy.

Failure to comply with money laundering regulations (regulated sector)

In December 2021, National Westminster Bank plc (NatWest) pleaded guilty to offences of failure to comply with the UK Money Laundering Regulations 2007 (MLR 2017).[55] It was the first prosecution of its kind of a bank for failure to comply with money laundering regulations. Although it was accepted by the court[56] that the ‘overarching design of the Bank’s ongoing monitoring systems, and the policies and procedures in relation to ongoing monitoring, were in line with industry guidance’, there were two key aspects to the compliance failures that resulted in the convictions:

  • First, ‘The Group’s policies and procedures did not address the need for staff to guard against overreliance being placed on relationship managers when considering suspicious activity on a customer account’.[57]
  • Second, the group’s policy stated that a particular form of monitoring ‘was only required “where the capability to do so exist”. This would not in itself fulfil guidance issued by the Joint Money Laundering Steering Group that required firms to monitor transactions to ensure they were consistent with their risk profile’.[58]

The overreliance of any compliance system on a single individual and the failure to adhere to published guidance are useful lessons to be reminded of in respect of any form of compliance process, whether in the case of specific criminal offences applying to the regulated sector in respect of money laundering issues, or more widely.

In the case of NatWest, these failings had serious consequences, including the deposit of over £250 million of laundered cash in a four-year period. The outcome was equally serious for NatWest. After a one-third deduction in penalty for guilty pleas, NatWest was fined roughly £265 million.

Failure to prevent the facilitation of tax evasion

There is yet to be any UK enforcement outcome in respect of these offences, which came into force via Sections 45 and 46 of the Criminal Finances Act 2017 on 30 September 2017. It is a defence for an organisation to prove that it had procedures to prevent the facilitation of tax evasion in place.

In its Freedom of Information Release on 26 January 2023, His Majesty’s Revenue and Customs (HMRC) indicated that, as at 1 January 2023, there were nine live investigations into suspected offences with an additional 26 ‘live opportunities’ under review across a total of 11 business sectors.[59] HMRC intends to update this information biannually.[60] Prosecutions must undoubtedly be a priority for HMRC if this legislation is to have any teeth whatsoever.

Compliance measures in UK enforcement outcomes

Compliance programme improvements as a term of a DPA

Paragraph 5(3)(e) of Schedule 17 of the Crime and Courts Act 2013 states that a DPA may impose on a company the requirement ‘to implement a compliance programme or make changes to an existing compliance programme’ relating to the organisation’s policies or to the training of the organisation’s employees or both. Paragraph 7.9 of the DPA Code of Practice specifically draws the prosecutor’s attention to the fact that putting in place a robust compliance or monitoring programme may be a term of a DPA.

This provision has been significantly utilised in the DPAs that have been agreed.[61] Terms agreed to date include:

  • to commission and submit to, at its own expense, an independent review of its existing internal anti-bribery and corruption controls, policies and procedures regarding compliance with the Bribery Act 2010 and other applicable anti-corruption laws;[62]
  • to undertake a review including the implementation of its existing internal controls, policies and procedures regarding compliance with the Bribery Act 2010 and other applicable anti-corruption laws, including an annual report from the chief compliance officer for the duration of the DPA;[63] and
  • to commission two sequential external reports commenting on and making recommendations for any improvements to the relevant compliance issues that were the subject of the DPA and to produce an implementation plan following the first report in respect of its recommendations.[64]

Airline Services Ltd[65] and AB Ltd[66] are exceptions where no form of compliance enhancement was required. In Airline Services Ltd the company was dormant and kept open only to facilitate the SFO’s investigation and to discharge the other requirements of the DPA. In AB Ltd the company was no longer undertaking new business and was being wound down in preparation for its dissolution. These cases demonstrate that it will be a truly exceptional circumstance, and likely only when the company is no longer operating, that a corporate will avoid any form of compliance enhancement as a term of a DPA.

Monitorships as a term of a DPA

Paragraphs 7.11 to 7.22 of the DPA Code of Practice address in some detail the use of monitorships as a term of a DPA. The Code cautions: ‘An important consideration for entering into a DPA is whether [a corporate] already has a genuinely proactive and effective compliance programme. The use of monitors should therefore be approached with care.’ This cautious perspective has been reflected in the UK DPAs agreed to date in that, although some quasi-monitor reporting has been a feature of some DPAs, none of the UK Bribery Act DPAs has yet featured a full monitorship requirement.

In SFO v. AB Ltd and CD Ltd,[67] the DPA in respect of CD, the operative company, included a term requiring reforms of its systems and implementation of a comprehensive compliance plan. The terms required regular reporting to the SFO at six-month intervals and included the provision of an independent report by the company’s external legal representatives after one year and again at the end of the period.[68]

In G4S Care and Justice Services Ltd,[69] a DPA relating to fraud offences in relation to UK government contracts, the appointment of a ‘Reviewer’ that shared some key characteristics of a monitor was a term of the DPA. There is some development of the Reviewer role beyond the scope of the external assessment required as a term of the Tesco DPA, as set out above. The Reviewer requirement addresses the compliance standard to be achieved via this term of the DPA by distinguishing between ‘requirements’ that are defined as ‘those improvements and/or additional steps that are necessary in order for [G4S] and/or [G4S]’s controls policies and procedures to meet the criteria in [the DPA]’[70] and ‘recommendations’ referring to ‘those improvements and/or additional steps that, while not necessary to meet those criteria, would nevertheless be desirable enhancements to [G4S] and [G4S] controls, policies and procedures’.[71]

UK regulatory enforcement in respect of compliance issues

Although dealt with more concisely in this chapter, corporates are faced with a more disparate regulatory enforcement landscape in respect of compliance issues in the United Kingdom. This was another area considered carefully and with a broad remit for possible reform by the Law Commission in its options paper in respect of corporate criminal liability. One of the proposed options, for example, was:

Introduction of a regime of administrative monetary penalties against companies. This could operate where a fraud was committed by an employee or agent with the intention of benefitting the company. In such cases the company would be liable to pay a penalty unless it could show that it had taken reasonable steps to prevent wrongdoing.[72]

The proposal of this option is a recognition of a well-established, if complex, system of regulatory enforcement of compliance issues in the United Kingdom that could be susceptible to significant further development, to avoid some of the cost, delay and complexity inevitably involved in bringing corporate criminal proceedings, whatever the circumstances.

Regulatory and investigatory powers are currently proposed to be incorporated into the Economic Crime and Corporate Transparency Bill and include giving the Law Society powers to fine in cases relating to economic crime and amendments to the wording in respect of the SFO’s pre-investigation powers.[73]

Scope of regulatory compliance enforcement in the UK

Regulatory enforcement in respect of conduct breaches

Some aspects of the UK system of regulation that addresses compliance issues are sector (or profession[74]) specific while others are of general application. Two of the principal sector-specific areas of regulation for compliance purposes are the regulated sector as defined by the MLR 2017[75] and the financial services sector regulated by the FCA.

The MLR 2017 is a highly complex set of compliance requirements. Enforcement powers are addressed in Part 9 and include the power of a designated supervisory authority[76] to impose a financial penalty and a statement of censure.[77] Part 9 also empowers the FCA to cancel or suspend any permission an authorised person has to carry on regulated activity and other like authorisations.[78] Supervisory authorities are also empowered to impose either temporary or permanent prohibitions on management where an individual was ‘knowingly concerned in a contravention’ of the requirements.[79]

Part IXA of the Financial Services and Markets Act 2000 (FSMA) gives the FCA and Prudential Regulation Authority (PRA) power to issue rules and guidance for the financial services sector. The FCA Handbook is a principal source of this material. The parts of the Handbook that have particular relevance to compliance issues include Block 1 ‘high level standards’, which includes modules on ‘principles for businesses’, ‘senior management arrangements, systems and controls’ and the code of conduct. Block 3 contains business standards across the full range of financial services activity.

The Regulatory Guides within the FCA Handbook contain a wealth of relevant and useful compliance guidance in relation to economic crime and misconduct, particularly in the ‘Financial Crime Guide: A firm’s guide to countering financial crime risk (FCG)’ and the ‘Financial Crime Thematic Reviews’. The regulatory enforcement measures that the FCA and the PRA may take for breaches of these rules are set out in Part XIV of the FSMA and include financial penalties[80] and public censure.[81]

Two decisions of the FCA highlight priorities for UK regulators in enforcement action for conduct breaches. In June 2022, the FCA fined JLT Specialty Ltd £7.8 million (after a 30 per cent early settlement discount) for financial control failings, which in one instance had resulted in bribery of more than US$3 million taking place.[82] Bribes were paid to government officials via a third-party introducer to help retain and secure business for the company. The FCA has indicated that it will continue to focus on the systems in place to prevent financial crime in respect of the sectors that it regulates and bring enforcement actions where corporates fall short of the required standards.

AML compliance failures were the focus of FCA enforcement action in the same month, in this instance in respect of Ghana International Bank.[83] The bank failed to perform adequate checks when it established relationships with overseas banks in respect of correspondent banking services. In addition, there were further failures in annual reviews in respect of information held on the overseas banks, failure to give staff adequate training on how to scrutinise transactions properly and failure to establish appropriate policies and procedures for staff. The FCA noted that there was no evidence of actual money laundering, though the risk of money laundering as a result of the deficient systems was significant. The bank was fined £5.8 million (after a 30 per cent early settlement discount).

Part V of the FSMA gives the FCA and the PRA additional powers concerning those performing senior management functions and those performing roles that require certification, with associated disciplinary powers.[84]

The landscape can be even more complex where an entity is subject to multiple forms of compliance regulation in respect of the same area of business. Solicitors acting in the money laundering regulated sector who are subject to both the MLR 2017 and the Solicitors Regulation Authority (SRA) Standards and Regulations are a good example of this intersection, which is subject to consistently high levels of risk and high levels of enforcement activity by the SRA. Similarly, the Gambling Commission has enforcement powers both in respect of its licensing regime and (as set out above) as a supervisory authority in respect of the MLR 2017.

Although the Law Commission considered an option of extending the FCA regime of regulatory enforcement of the financial services sector more widely into the corporate sector, this option was rejected. The Law Commission recognised the very great difficulty of ‘designing obligations that were equally appropriate in all sectors’ and the equally difficult option of producing ‘several sets of detailed obligations . . . one for each sector’.

Regulatory enforcement regarding corporate public reporting breaches

A developing method of compliance enforcement in the United Kingdom concerns requirements to produce public statements in relation to certain economic misconduct prevention issues. This is an area that is also ripe for further additional UK government policy initiatives in the near future, some of which have already been specifically signalled.

Section 54 of the Modern Slavery Act 2015 requires companies that supply goods and services, that carry out at least part of their business in the United Kingdom and that meet a monetary threshold[85] to prepare an annual slavery and human trafficking statement. The statement must either set out the steps the organisation has taken to ensure that slavery and human trafficking are not taking place in any of its supply chains or in any part of its business, or state that it has taken no such steps. Although there are currently no enforcement sanctions in respect of breaches of these obligations, the UK government has previously announced an intention to introduce financial penalties for failure to meet the requirements of Section 54.[86]

The UK Companies Acts, in particular the 2006 Act, impose additional reporting requirements for certain categories of companies, some of which are focused on compliance standards in respect of economic crime issues. For example, traded companies, banking and insurance companies that have more than 500 employees are required to publish either details of bribery and corruption policies or a statement that it has no such policies in place.[87]

Anticipated developments in regulatory compliance enforcement

In 2021, the Department for Business, Energy and Industrial Strategy (BEIS)[88] published a White Paper consultation on a proposal to reform auditing and corporate governance.[89] Highly significant proposals with relevance to compliance standards for economic crime and misconduct issues are under consideration, including the proposal for a new regulator (the Audit, Reporting and Governance Authority), an extension in the scope of compliance reporting requirements, including to private companies, and a requirement for directors of certain categories of companies to report on the steps taken to prevent and detect material fraud.

In May 2022, BEIS responded to the consultation responses and has signalled a strong intention to prepare and publish a draft Bill in respect of these reforms.[90]


Compliance enforcement in the United Kingdom is expanding with ever-increasing scope and complexity in both the criminal and regulatory spheres. The coming year is likely to bring further change, largely with the anticipated enactment of the failure-to-prevent-fraud offence, and with even greater and more fundamental developments on the horizon in the future.


[1] Alison Pople KC is a barrister at Cloth Fair Chambers, and Fallon Alexis is a barrister at QEB Hollis Whiteman Chambers.

[2] The description ‘economic crime’ is one used by the UK government in its Economic Crime Plan 2 2023-2026 to refer to a broad category of activity involving money, finance or assets, the purpose of which is to unlawfully obtain a profit or advantage for the perpetrator or to cause loss to others.

[3] This chapter refers to UK enforcement policy throughout. It relies on the laws and policies applicable in England and Wales. In relation to particular issues in respect of Scotland or Northern Ireland, it may be necessary to give separate consideration to any differences applying to those jurisdictions.

[4] This publication does not cover sanctions issues, which are dealt with comprehensively in Rachel Barnes KC et al. (eds.), The Guide to Sanctions, 3rd edn., Law Business Research, 2022.

[5] GOV.UK, Policy Paper, Factsheet: failure to prevent fraud offence, updated 20 June 2023, (accessed 10 August 2023).

[6] Enforcement activity by professional regulators such as the Solicitors Regulation Authority or the Financial Reporting Council is not covered in this chapter.

[7] Tesco v. Nattrass [1971] UKHL 1 AC 153.

[8] Investigations by His Majesty’s Revenue and Customs (HMRC) are prosecuted by the Crown Prosecution Service (CPS).

[9] Certain aspects of economic crime are also within the criminal enforcement powers of other bodies, including the Competition and Markets Authority and the Insolvency Service.

[10] See, e.g., US Department of Justice, ‘Deputy Attorney General Rod Rosenstein Delivers Remarks to the New York City Bar White Collar Crime Institute’, 9 May 2018, (accessed 10 August 2023).

[11] Both the Director of the Serious Fraud Office and the Director of Public Prosecutions are designated prosecutors for this purpose under the Crime and Courts Act 2013, Schedule 17, Part 1, Paragraph 3.

[12] Deferred prosecution agreements (DPAs) are not available to individual defendants in the United Kingdom.

[13] To date the Serious Fraud Office (SFO) has entered 12 DPAs (SFO, ‘About us’, (accessed 10 August 2023)), whereas the CPS has yet to enter any.

[14] CPS, ‘Corporate Prosecutions’, 12 October 2021, (accessed 10 August 2023).

[15] SFO and CPS, Deferred Prosecution Agreements: Code of Practice Crime and Courts Act 2013 (the DPA Code of Practice). Pursuant to the Crime and Courts Act 2013, Schedule 17, Part 1, Paragraph 6(6), prosecutors ‘must take account of the Code when exercising any of its functions’ in respect of DPAs.

[20] Code for Crown Prosecutors, 26 October 2018 at 4.6.

[21] DPA Code of Practice, Section 1.2.i.b.

[22] ibid., Section 1.7.

[23] The Code of Practice refers to the Attorney General’s guidance to prosecuting bodies on their asset recovery powers under the Proceeds of Crime Act 2002, issued 5 November 2009. Although this guidance does not reflect more recently enacted asset recovery powers now available under the Proceeds of Crime Act 2002, the issue of principle is an important one.

[24] This is considered separately in Chapter 1 on ‘UK Compliance Requirements’ in this Guide, in respect of particular types of economic crime.

[25] SFO v. Glencore Energy UK Ltd, Sentencing Remarks of Mr Justice Fraser, 3 November 2022, Paragraph 9.

[26] SFO, News Release, ‘Glencore to pay £280 million for ‘highly corrosive’ and ‘endemic’ corruption’, 3 November 2022, (accessed 10 August 2023).

[27] SFO v. Standard Bank plc, 30 November 2015, Case No. U20150854, Approved Judgment.

[28] SFO v. Sarclad Ltd, 11 July 2016, Case No. U20150856, Approved Judgment.

[29] SFO v. Rolls-Royce plc, Rolls-Royce Energy Systems Inc., 17 January 2017, Case No. U20170036, Approved Judgment.

[30] SFO v. Güralp Systems Ltd, 22 October 2019, Case No. U20190840, Approved Judgment.

[31] SFO v. Airbus SE, 31 January 2020, Approved Judgment (Airbus).

[32] SFO v. Airlines Services Ltd, 30 October 2020, Case No. U20201913, Approved Judgment.

[33] SFO v. Amec Foster Wheeler Energy Ltd, 1 July 2021, Case No. U20210867, Approved Judgment.

[34] SFO v. AB Ltd and CD Ltd, 19 July 2021, Case No. U20210959, Judgment (AB and CD). This was the first occasion on which the court’s approval was sought for two separate DPAs arising out of connected facts and a single indictment. The judgment of the court set out the ‘good reasons’ for this approach at Paragraph 75.

[35] Sarclad, Preliminary Judgment, Paragraph 45.

[36] This topic is dealt with comprehensively in Chapter 14 on ‘Understanding and Shaping Organisational Culture to Disrupt the Cycle of Misconduct’.

[37] Airbus, Paragraph 27.

[38] The company names were revealed post the removal of reporting restrictions. Before that, this case was widely known and referred to as SFO v. AB Ltd and CD Ltd. (see AB and CD).

[39] AB and CD, Paragraph 56.

[40] Standard Bank, Statement of Facts, Paragraph 200h&I: ‘The SB compliance team did not have the opportunity to address the role of [the third party] because it was reliant on the SB business unit identifying and raising any substantive concerns about [the third party] or its role and the SB business unit relied on the findings of the KYC conducted by [the sister company] which did not identify such risks.’

[41] Amec Foster Wheeler, Statement of Facts, Paragraphs 33–34.

[42] For further details, see Chapter 14 on ‘Understanding and Shaping Organisational Culture to Disrupt the Cycle of Misconduct’.

[43] Rolls-Royce, Judgment, Paragraphs 105–07.

[44] Sarclad, Preliminary Judgment, Paragraph 23.

[45] Airlines Services, Statement of Facts, Paragraphs 89–93.

[46] Airlines Services, Approved Judgment, Paragraph 51f.

[47] Güralp, Statement of Facts, Paragraph 51.

[48] Standard Bank, Statement of Facts, Section 200a.

[49] ibid., Section 200e.

[50] ibid., Section 199a: ‘The applicability of the Introducers and Consultants policy was unclear on the face of the policy.’

[51] id.

[52] SFO v. Tesco Stores Ltd, 10 April 2017, Case No. U20170287, Approved Judgment.

[53] SFO v. Serco Geographix Ltd, 4 July 2019, Case No. U20190413, Judgment.

[54] SFO v. G4S Services Ltd, 17 July 2020, Case No. U20201392, Approved Judgment.

[55] Now superseded by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

[56] Regina (Financial Conduct Authority) v. National Westminster Bank PLC, Sentencing remarks of Mrs Justice Cockerill, 13 December 2021, in particular Paragraph 15.

[57] The court noted that the Financial Conduct Authority’s Financial Crime Guide specifically highlighted this risk, but the Joint Money Laundering Steering Group Guidance did not.

[58] National Westminster Bank, Paragraph 15(b).

[59] GOV.UK, FOI release, Number of live Corporate Criminal Offences investigations, updated 27 July 2023, (accessed 10 August 2023).

[60] id.

[61] For further details regarding the monitorship components of settlements agreed to date, see Judith Seddon and Andris Ivanovs, ‘United Kingdom-Ordered Monitorships’, in Anthony S Barkow, Neil M Barofsky and Thomas J Perrelli (eds.), The Guide to Monitorships, 3rd edn., Law Business Research, 2022.

[62] Standard Bank, Approved Judgment.

[63] Sarclad, Approved Judgment.

[64] Tesco Stores Ltd, Approved Judgment.

[65] Airlines Services, Approved Judgment.

[66] AB and CD, Approved Judgment.

[67] id.

[68] ibid., Paragraph 126.

[69] SFO v. G4S Services Ltd, Approved Judgment.

[70] G4S DPA, Paragraph 35cii.

[71] id.

[72] Law Commission, Corporate Criminal Liability: Summary of the options paper, p. 12.

[73] Economic Crime and Corporate Transparency Bill, Section 199.

[74] For example, SRA or FRC regulation (op. cit. note 4).

[75] Regulations 8 to 14 are the suite of provisions by which a person can determine whether a particular aspect of their activity is governed by the MLR 2017. In some situations, this can be a highly complex determination in itself.

[76] The supervisory authorities are defined in Regulation 7 and include the Financial Conduct Authority (FCA), HMRC, the Gambling Commission and relevant professional bodies.

[77] Regulation 76.

[78] Regulation 77.

[79] Regulation 78.

[80] Financial Services and Markets Act 2000 (FSMA), Section 206.

[81] FSMA, Section 205.

[82] FCA, Press Release, ‘FCA fines insurance broker JLT Specialty Limited £7.8m for financial crime control failings’, 22 June 2022, (accessed 10 August 2023).

[83] FCA, Press Release, ‘FCA fines Ghana International Bank Plc £5.8m for failings in its anti-money laundering controls’, 23 June 2022, (accessed 10 August 2023).

[84] FSMA, Section 66.

[85] Currently an annual turnover of not less than £36 million, as set out in Paragraph 3.1 of the guidance issued under Section 54(9) of the Modern Slavery Act 2015. See Home Office, ‘Transparency in Supply Chains etc.: A practical guide’.

[86] Department for Business, Energy and Industrial Strategy (BEIS), ‘Establishing a new single enforcement body for employment rights, Government Response’, June 2021.

[87] Companies Act 2006, Section 414CB(1).

[88] On 7 February 2023 it was announced that the creation of the Department for Business and Trade ‘brings together the business focused functions of the former Department for Business, Energy and Industrial Strategy (BEIS) and the Department for International Trade (DIT).’ ‘[C]reating a department with all the levers to unleash the power of British businesses, reform regulation to reduce burdens and unlock Brexit freedoms.’ See GOV.UK, Policy Paper, ‘Making Government Deliver for the British People (HTML)’, 7 February 2023, (accessed 10 August 2023).

[89] BEIS, ‘Restoring trust in audit and corporate governance: Consultation on the government’s proposals’, March 2021.

[90] BEIS, ‘Restoring trust in audit and corporate governance: Government response to the consultation on strengthening the UK’s audit, corporate reporting and corporate governance systems’, May 2022.
