This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
The European investigations landscape is characterised by a patchwork of varying legislative and regulatory frameworks and enforcement approaches, which are often shaped by past events and current political priorities in particular jurisdictions. These variations and the pace of change mean that cross-border investigations, whether involving multiple European jurisdictions or parallel investigations by enforcement authorities in other regions (or sometimes both), frequently present thorny practical and tactical challenges.
This overview does not seek to duplicate the commentary and analysis set out in many of the chapters in this volume. Rather, it looks at some of the key priorities of enforcement authorities, focusing on anti-bribery and corruption and anti-money laundering, areas where there is particularly significant ongoing activity and in which some authorities are adapting their approaches to make effective use of changes in the law and additions to their toolkits. It also looks ahead to seek to identify the key issues and trends on which those who are subject to investigations around Europe should be focusing.
Areas of enforcement risk
Anti-bribery and corruption
A substantial number of investigations by enforcement authorities have arisen following significant legislative developments introducing corporate offences of failure to prevent bribery, which have extraterritorial effect (such as the UK Bribery Act 2010 (UKBA) and France’s Sapin II Law). These legislative developments have been accompanied by new mechanisms enabling criminal investigations involving corporate organisations to be concluded through negotiated settlements. To date in Europe, these mechanisms have been mainly (although not exclusively) used in cases concerning historic bribery and corruption involving corporate organisations. In the United Kingdom, momentum is building for the corporate ‘failure to prevent’ offences relating to bribery and the facilitation of tax evasion to be extended to cover economic crime more generally.
Further important changes to anti-bribery and corruption legislation are in progress in other jurisdictions. For example, in Ireland an offence analogous to the UK corporate offence of failure to prevent bribery came into force in July 2018. At the time of writing, this offence has not formed the basis of any publicised enforcement action. In the absence of guidance akin to that published by the UK Ministry of Justice in relation to ‘adequate procedures’ under the UKBA, there is some remaining uncertainty among corporate organisations and their advisers as to exactly what they need to do to be deemed to have ‘taken all reasonable steps and exercised all due diligence’ and thereby availed themselves of a defence to the corporate offence. As noted below, it seems that the new corporate offence in Ireland is likely to be followed by the introduction of deferred prosecution agreements (DPAs). Arrangements for investigating and prosecuting bribery and corruption and other corporate crime in Ireland are also being overhauled. Together, these developments may have the effect of increasing the number of investigations in this area. Given the nature of the Irish economy, and in particular its attractiveness to multinational technology and financial services companies, there is potential for these investigations to have significant cross-border elements.
Other significant changes are under way in Poland, where legislation enabling prosecutors to take action against corporate organisations for anti-bribery and corruption and other economic offences is in the course of being introduced. This legislation will increase maximum fines and enable corporate organisations to avoid trials by voluntarily admitting liability.
In jurisdictions where changes have already been made, clearer legislation and high-profile successes where it has been used have buoyed the confidence of authorities and bolstered their resources.
Although approaches and the resources available for investigations vary quite considerably between European jurisdictions, anti-money laundering (AML) remains high on most enforcement authorities’ agendas. Some of the highest penalties to have been imposed in recent years have resulted from investigations by the UK’s Financial Conduct Authority (FCA) and by France’s National Finance Office (PNF) for breaches by major institutions of regulatory requirements and criminal law in relation to their AML systems and controls.
The size of fines is not the only notable feature of enforcement activity in this area. Reflecting an increasingly close focus on individual accountability (particularly in financial services, as discussed in more detail below), regulators are showing themselves to be ready and able to pursue individuals whom they consider to have played a part in AML failings.
At the time of writing, enforcement activity in this area is particularly intense in Scandinavia, where regulators and prosecutors are taking action against a number of institutions and individuals in relation to well-publicised AML failings. The uptick in enforcement activity already seen in this part of the region looks set to continue as authorities seek to restore confidence in the robustness of financial crime compliance regulation. Enforcement action in such future cases is likely to be conspicuously more decisive and coordinated and penalties considerably higher than those imposed in past cases. National legislators have signalled their intent clearly. For example, in Denmark, the maximum fines that may be imposed for AML failings have been increased eightfold.
Elsewhere in Europe, some authorities are increasingly exploring how AML compliance provides a template for how firms should comply with their other regulatory obligations. For instance, in the UK the FCA has stated that it expects regulated firms to take steps to prevent rather than simply react to criminal market abuse. In doing so, it has taken rules that have long been a central tenet of AML compliance and applied them to a different section of its financial crime remit.
Increased pressure and incentives to co-operate
In England and Wales, the body of cases in which DPAs have been concluded between the Serious Fraud Office (SFO) and co-operating corporate organisations is slowly growing, although the 20 agreements per year predicted during the passage of the legislation that introduced DPAs still seem some way off.
Notwithstanding recommendations from the Organisation for Economic Co-operation and Development that they should be available across the United Kingdom, the Scottish prosecution authority (the Crown Office and Procurator Fiscal Service (COPFS)) has eschewed the introduction of DPAs and has confirmed that it remains committed to the continued use of civil recovery proceedings in cases where prosecution of corporates is not deemed appropriate. This disparity, in conjunction with the fact that the UKBA applies equally in all parts of the United Kingdom, has led to parallel investigations by the SFO and COPFS in at least one ongoing investigation.
In France, the authorities responsible for investigating and prosecuting financial crime, the French Anti-Corruption Agency (AFA) and the PNF, have now concluded five judicial public interest agreements (CJIPs) with companies of various sizes, including one in which global penalties imposed exceeded US$1 billion.
Mechanisms similar to DPAs and CJIPs (or aspects of them) exist in some other jurisdictions around Europe, including Belgium, the Czech Republic, Romania and Slovakia, although these arrangements do not cover corruption offences in all cases, nor is the practice and procedure as clearly set out in these jurisdictions, and there are yet to be any publicised concluded cases of the same magnitude as seen in the United Kingdom and France.
As noted above, it looks likely that Ireland will be the next jurisdiction in which it will be possible for corporate organisations to conclude criminal investigations through negotiated settlements. In August 2019, the Irish Law Reform Commission proposed the adoption of arrangements similar to the UK DPA regime. This would closely follow the entry into force of a new corporate offence of failure to prevent bribery.
Where they are available, authorities’ and courts’ expectations as to what is expected of co-operating corporate organisations for negotiations to take place, and for a settlement to be agreed and approved, are becoming clearer. In particular, the AFA and the PNF in France and the SFO in the UK (in June and August 2019, respectively) have released guidance that clarifies what they consider amounts to co-operation to create the right conditions for a negotiated settlement to follow. Courts and prosecutors have also provided guidance on whether corporate organisations may claim to be demonstrating required levels of co-operation while maintaining claims to legal professional privilege (where it is available).
Culture and individual accountability
Among the most prominent themes in investigations concerning corporate organisations is the focus on culture, both at the time when alleged misconduct occurred and when any investigation is commenced. The definition of what constitutes ‘good culture’ is elusive. Authorities, deciding whether to commence, continue and discontinue investigations and selecting which charges to pursue, attach substantial importance to whether they consider alleged conduct (including individuals’ conduct outside the workplace) to be indicative of a poor culture.
In some cases, culture is forming the primary basis for enforcement action. In the United Kingdom in 2018–2019, the FCA opened more cases concerned with culture and governance than in any previous year. Its most recent statistics indicate that this type of case now accounts for more than 10 per cent of all active investigations. The FCA is likely to remain a comparatively active authority in relation to these types of investigations, and has reiterated its commitment to pursuing more enforcement action in this area, including against individuals.
When doing so, it and the Prudential Regulation Authority (PRA) have the benefit of the Senior Managers and Certification Regime (SMCR), which has been in force for banks since 2016 and insurance firms since 2017, and which will be extended to all financial services firms from December 2019. The SMCR in the UK goes further than previous regulatory initiatives directed towards individual accountability. It gives the FCA and the PRA powers to take action against a much broader population of individuals within firms. It also requires firms to document the specific responsibilities of their most senior executives, thus providing the FCA and PRA with clear road maps that may be used to hold those individuals accountable for breaches of regulatory requirements by firms. The FCA is now routinely using the SMCR for this purpose during enforcement investigations. Enforcement authorities around Europe have been watching carefully how the UK regulators are seeking to use these mechanisms to drive up standards of behaviour within the financial services industry by taking dissuasive enforcement action against individuals. It appears likely that similar changes will follow in due course elsewhere in Europe.
The UK regulators are not the only ones to attach particular importance to individual accountability and culture. For example, the SMCR was preceded by amendments to the Banking Code in the Netherlands, including a requirement from 1 April 2015 for bankers to swear an oath or declaration that they will perform their duties to the best of their ability and with integrity. While some commentators have pointed to improvements in standards of individual conduct within Dutch institutions since these reforms were introduced, it has not led to substantial increases in the numbers of investigations or enforcement cases pursued against individuals.
In July 2018, the Central Bank of Ireland released a report produced in conjunction with the Dutch national financial services enforcement authority (De Nederlandsche Bank) based on behaviour and culture reviews of five Ireland-based retail banks. The report’s recommendations mirror many of those made by the UK Parliamentary Commission on Banking Standards, from which the SMCR ultimately flowed. They include the introduction of new Conduct Standards and a Senior Executive Accountability Regime, both of which would be similar in most respects to the SMCR. The report also recommends the unification of currently fragmented investigative processes to enable enforcement action to be more effectively and efficiently pursued, particularly against individuals.
Even in countries where enforcement authorities have not explicitly named culture as an enforcement priority, boards are increasingly concerned to demonstrate their commitment to culture. Cases across Europe have shown the substantial reputational damage that can result from allegations of poor cultural practices and the speed at which allegations can cross borders (including into jurisdictions where enforcement authorities are active in this area).
Information sharing and multi-jurisdictional investigations
European investigation and enforcement authorities continue to collaborate actively with one another and with their counterparts globally, using mutual legal assistance and less formal arrangements. There have been particularly noticeable increases in efforts to collaborate across borders in jurisdictions where anti-bribery and corruption legislation has recently been overhauled and where authorities have acquired the ability to enter into global settlements involving overseas enforcement authorities.
Across Europe, traditional boundaries between enforcement authorities’ remits are becoming increasingly blurred. Enforcement authorities are having to take an increasingly flexible view of what they are responsible for investigating, which authority should take the lead and how they should most effectively collaborate. Overlaps between the remits of antitrust, data protection and financial services enforcement authorities are becoming increasingly apparent.
Enforcement authorities, conscious of the potential for duplication and delay, are anticipating these overlaps, both within and between jurisdictions. For example, in the United Kingdom, the FCA and the Information Commissioner’s Office have in place a detailed memorandum of understanding (most recently updated in February 2019) setting out how they will work together following incidents in which they both have an interest. A particular area where collaboration is required is data privacy. Regulators responsible for this area across Europe are building up their enforcement capabilities following the implementation of the General Data Protection Regulation (GDPR). The body of decided cases in respect of breaches of the GDPR is growing relatively rapidly, and some very significant penalties have been imposed in cases that have also featured close collaboration between national authorities.
Although convictions and other enforcement outcomes in one jurisdiction will commonly be the product of extensive information-sharing between authorities, there are as yet few significant concluded examples of enforcement authorities simultaneously pursuing enforcement cases against the same targets in multiple European jurisdictions. No negotiated settlements in criminal cases entered into by European enforcement authorities have yet involved coordinated settlements in more then one European jurisdiction (although there is at least one case in the pipeline which could involve negotiated settlements in the United Kingdom and France).
EU institutions as enforcement authorities
There have to date been relatively few examples of supranational European authorities (other than the European Commission (EC) in its role as an antitrust enforcement authority) taking overarching enforcement action. That said, there are some signs that frameworks to facilitate a greater number of such cases may develop, both as a response to past incidents in which regulatory arrangements have been found to have been lacking and in an effort to counter perceived growing threats.
Investigations in response to AML failings in various Scandinavian institutions provide an example. The investigation by the European Banking Authority (EBA), commenced in February 2019, was concerned with the adequacy of Danish and Estonian regulators’ AML supervision and enforcement arrangements, and in particular whether deficiencies in these arrangements amounted to a breach of EU law.
The EBA’s investigation did not examine in detail the underlying alleged misconduct by institutions or individuals and was closed in April 2019 without any formal action being taken. Politicians around Europe and the EBA itself have pointed to this investigation as an illustration of the need for its investigative and enforcement powers to be bolstered to enable it more effectively to coordinate action by national authorities and to take more wide-ranging action if those authorities’ responses to wrongdoing are not sufficiently robust.
Adding to the EBA’s enforcement powers in this way would take time and would require further European legislation. The most effective form for this to take would be a directly applicable regulation imposing uniform powers in all EU Member States. Until now, AML legislation encouraging closer collaboration between national investigation and enforcement authorities has taken the form of successive Money Laundering Directives (which, as they are directly effective instruments requiring transposition by Member States into their national laws, have been implemented in different ways and to different extents).
In some instances, bilateral and multinational arrangements are in place, helping authorities to deploy their resources as effectively and efficiently as possible in cross-border AML investigations. The most recent example, which is also a response to the concerns about previous enforcement arrangements already mentioned, is a formal mechanism to enable Baltic and Nordic AML regulators to exchange information and coordinate enforcement action. There are also increasingly sophisticated mechanisms in place in some jurisdictions to enable information-sharing between private sector organisations and enforcement authorities. However, arrangements are far from uniform across Europe. The extent to which the requirements set out in successive Money Laundering Directives have been effectively transposed, and other provisions relating to cross-border collaboration and resourcing of national authorities have been implemented, varies widely between jurisdictions.
Away from AML enforcement, the EC remains active as an antitrust enforcement authority. Some long-standing themes continue to feature in European antitrust investigations. There are exceptions to rules relating to legal professional privilege (in jurisdictions where it is part of the legal landscape). Leniency provisions often do not dovetail neatly with other regulatory mandatory reporting obligations. There are significant variations in the approaches taken by the EC and national competition authorities. These and other themes mean that European antitrust investigations have to be handled differently from those pursued by other regulators.
In other areas, authorities with a pan-European remit have been active. The European Anti-Fraud Office (OLAF), the division of the EC responsible for investigating fraud against the EU budget and corruption and serious misconduct within EU institutions, has been particularly active in bringing investigations. Its most recent available statistics indicate that it concluded 197 investigations and commenced 215 investigations during 2017 and recommended that national authorities take action to recover more than €3 billion.
Also at the investigative level, Europol has conducted extensive work to seek to coordinate national responses and lay the foundations for possible future multilateral criminal enforcement action in a number of areas, including notably in relation to large-scale cyber attacks.
It seems likely that levels of coordinated pan-European criminal enforcement action will increase in years to come. A new European Public Prosecutor’s Office (EPPO) is due to become operational in late 2020. In Member States that have signed up to the arrangements establishing it (which is 22 at the time of writing, with Sweden, Hungary, Denmark, Ireland and Poland having opted out), EPPO will have powers to investigate and prosecute crimes against the EU budget, such as fraud, corruption and tax fraud valued at over €10 million. It will not replace OLAF or other existing investigating and prosecuting authorities (or national enforcement authorities) but will pool experience, adopt a consistent prosecution policy and be able to use streamlined procedures for the exchange of information across borders. In September 2019, Laura Codruţa Kövesi, who formerly headed Romania’s National Anticorruption Directorate and served as the Romanian prosecutor general, was confirmed as the head of EPPO and Europe’s new chief prosecutor. She has indicated a willingness to use EPPO’s powers extensively when the agency becomes operational.
At the time of writing, significant questions remain unanswered as to what the effect of Brexit will be on the mechanisms by which UK authorities work with their counterparts in mainland Europe, especially if no deal is agreed. The withdrawal agreement negotiated between the UK government and the European Union (but which has not been approved by the UK Parliament) does provide for some continuity in relation to existing mechanisms, such as European investigation orders, at least until new arrangements are negotiated. A no-deal situation would mean that authorities would have to fall back on a tangled web of specific agreements. Delays would inevitably follow and practical issues could conceivably flow from the operation of blocking statutes in some jurisdictions (most notably in France and Switzerland).
1 Judith Seddon and Amanda Raad are partners and Chris Stott is a senior attorney at Ropes & Gray LLP.
2 Namely section 7, UK Bribery Act 2010 and sections 45 and 46, Criminal Finances Act 2017.
3 UK: See, for example, the UK government’s call for evidence on corporate liability for economic crime https://www.gov.uk/government/consultations/corporate-liability-for-economic-crime-call-for-evidence. The consultation period for this ended on March 2017. The government’s response to this consultation is still awaited at the time of writing.
4 Ireland: Criminal Justice (Corporate Offences) Act 2018.
5 For details of the increases in and reorganisation of resources devoted to anti-bribery and corruption investigations and enforcement action in France see, for example, the 2017 Annual Report of the French Anti-Corruption Agency https://www.agence-francaise-anticorruption.gouv.fr/files/files/AFA_rapportAnnuel2017GB.pdf;. For details of revenue generated by deferred prosecution agreements in the UK, see, for example, the Annual Report and Accounts of the Serious Fraud Office 2018–19 https://www.sfo.gov.uk/wp-content/uploads/2019/07/SFO-Annual-Report-and-Accounts-2018-2019.pdf;.
6 Denmark: Legislation is not yet published at the time of writing but see government statement and report published by the Danish Financial Services Authority https://www.dfsa.dk/~/media/Nyhedscenter/2019/Report_on_the_Danish_FSAs_supervision_of_Danske-Bank_as_regards_the_Estonia_case-pdf.pdf?la=en; <https://em.dk/media/10757/english-summary-aml-agreement_september-2018.pdf;.
7 UK: See, for example, Rule 6.1.1 in the Senior Management Arrangements, Systems and Controls section of the Financial Conduct Authority’s Handbook and to its Financial Crime Guide https://www.handbook.fca.org.uk/handbook/SYSC/6/?view=chapter; and https://www.handbook.fca.org.uk/handbook/FCG/1/?view=chapter;.
8 UK (Scotland): See report by Organisation for Economic Co-operation and Development https://www.oecd.org/corruption/anti-bribery/UK-Phase-4-Report-ENG.pdf;. See details of prosecutions and civil settlements to date in Scotland under the UK Bribery Act https://www.copfs.gov.uk/publications/bribery-act;.
9 UK: See the Serious Fraud Office’s Corporate Co-operation Guidance https://www.sfo.gov.uk/download/corporate-co-operation-guidance/?wpdmdl=24184;.
France: https://www.agence-francaise-anticorruption.gouv.fr/files/files/Lignes%20directrices%20PNF%20CJIP.pdf; https://www.agence-francaise-anticorruption.gouv.fr/fr/lafa-et-parquet-national-financier-precisent-mise-en-oeuvre-convention-judiciaire-dinteret-public;.
10 UK: See Financial Conduct Authority [FCA] Enforcement annual performance report 2018/19 https://www.fca.org.uk/publication/corporate/annual-report-2018-19-enforcement-performance.pdf;.
11 UK: See FCA Annual Report and Accounts 2018/19 https://www.fca.org.uk/publication/annual-reports/annual-report-2018-19.pdf;.
12 Netherlands: See details of The Banker’s Oath https://www.tuchtrechtbanken.nl/en/the-bankers-oath;.
13 Ireland: See Central Bank of Ireland report,Behaviour and Culture of Irish Retail Banks, July 2018 https://www.centralbank.ie/docs/default-source/publications/corporate-reports/behaviour-and-culture-of-the-irish-retail-banks.pdf?sfvrsn=2;.
14 For example, in France, the National Finance Office [PNF] made 103 requests for mutual legal assistance and extradition to overseas agencies in 2018 (after the introduction of Sapin II) compared with 14 such requests in 2014 – Bilan et Activité 2018 du Parquet National Financier (January 2019) https://www.tribunal-de-paris.justice.fr/sites/default/files/2019-01/PNF_synthese%202018.pdf;.
15 UK: See ‘Memorandum of Understanding between the Information Commissioner and the Financial Conduct Authority’ https://ico.org.uk/media/about-the-ico/documents/2614342/financial-conduct-authority-ico-mou.pdf;.
16 See European Banking Authority press release, 19 February 2019 https://eba.europa.eu/-/eba-opens-formal-investigation-into-possible-breach-of-union-law-by-the-estonian-and-danish-competent-authorities-regarding-money-laundering-activitie;.
17 In the UK, with effect from October 2017, previously voluntary arrangements enabling information sharing within the private sector and between private sector organisations and enforcement authorities were placed on a statutory footing – section 11, Criminal Finances Act 2017 (which amended Proceeds of Crime Act 2002).
18 See European Anti-Fraud Office statistics https://ec.europa.eu/anti-fraud/investigations/fraud-figures_en;.
19 See Europol press release, 18 March 2019 https://www.europol.europa.eu/newsroom/news/law-enforcement-agencies-across-eu-prepare-for-major-cross-border-cyber-attacks;.
20 See further details in relation to European Public Prosecutor’s Office https://europa.eu/rapid/press-release_
MEMO-17-1551_en.htm; and the appointment of the European Chief Prosecutor http://www.europarl.europa.eu/news/en/press-room/20190923IPR61749/kovesi-to-become-eu-chief-prosecutor;.