Europe Overview
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
Introduction
The European investigations landscape is characterised by a patchwork of varying legislative and regulatory frameworks and enforcement approaches, which are often shaped by past events and current political priorities in particular jurisdictions. These variations and the pace of change mean that cross-border investigations, whether involving multiple European jurisdictions or parallel investigations by enforcement authorities in other regions (or sometimes both), frequently present thorny practical and tactical challenges.
This overview does not seek to duplicate the commentary and analysis set out in many of the chapters in this volume. Rather, it looks at some of the key priorities of enforcement authorities, focusing on anti-bribery, corruption and anti-money laundering. These are areas where there is particularly significant ongoing activity, and in which some authorities are adapting their approaches to make effective use of changes in the law and additions to their toolkits. It also looks ahead to seek to identify the key issues and trends on which those who are subject to investigations throughout Europe should be focusing.
Areas of enforcement risk
Anti-bribery and corruption
A substantial number of investigations by enforcement authorities have arisen following significant legislative developments that introduced corporate offences of failure to prevent bribery, which have extraterritorial effect (such as the UK Bribery Act 2010 (UKBA) and France’s Sapin II Law). These legislative developments have been accompanied by new mechanisms enabling criminal investigations that involve corporate organisations to be concluded through negotiated settlements. To date in Europe, these mechanisms have been used mainly (although not exclusively) in cases concerning historic bribery and corruption involving corporate organisations.
The continuing expansion of corporate criminal liability for financial offences, however, is not a foregone conclusion. In the United Kingdom, despite enforcement agencies lobbying for the corporate offences of ‘failure to prevent’ relating to bribery and the facilitation of tax evasion[2] to be extended to cover economic crime more generally,[3] there appears to be little legislative appetite to enact such an offence.
Further important changes to anti-bribery and corruption legislation are in progress in other European jurisdictions. For example, in Ireland an offence analogous to the UK corporate offence of failure to prevent bribery came into force in July 2018.[4] This offence has not yet formed the basis of any publicised enforcement action. There is no guidance akin to that published by the UK Ministry of Justice in relation to ‘adequate procedures’ under the UKBA. There is some remaining uncertainty, therefore, among corporate organisations and their advisers as to exactly what ‘taken all reasonable steps and exercised all due diligence’ means, and how to avail oneself of a defence to the corporate offence. In addition, the introduction of deferred prosecution agreements (DPAs) is under consideration in Ireland as an additional measure to bolster its enforcement capabilities in the near future. Together, these developments may increase the number of investigations in this area. Given the nature of the Irish economy, and in particular its attractiveness to multinational technology and financial services companies, there is potential for these investigations to have significant cross-border elements.
Other significant changes are in prospect in Germany and Poland. Broadly, German criminal law does not currently recognise the concept of corporate criminal liability. However, in August 2019, the German government announced legislation that would introduce the concept to German law and impose strict penalties for corporate criminal conduct.[5] It is anticipated that the legislation will be implemented before autumn 2021, when the current parliamentary session ends. In Poland, legislation enabling prosecutors to take action against organisations for anti-bribery and corruption and other economic offences is expected to be enacted in 2021.
In jurisdictions where changes have already been made, clearer legislation and high-profile successes have buoyed the confidence of authorities and bolstered their resources.[6]
Anti-money laundering
Although approaches to and the resources available for investigations vary quite considerably between European jurisdictions, anti-money laundering (AML) remains high on most enforcement authorities’ agendas. Some of the highest penalties imposed in recent years have resulted from investigations by Sweden’s Financial Supervisory Authority[7] and the Netherlands’ Public Prosecution Service.[8] These fines were issued for breaches of regulatory requirements and criminal law by major institutions in relation to their AML systems and controls. This marks a change, since France and the United Kingdom have historically imposed the heaviest fines in the region for AML-related transgressions.
The level of fines is not the only notable feature of enforcement activity in this area. Reflecting an increasingly close focus on individual accountability (particularly in financial services, as discussed in more detail below), regulators are now ready and able to pursue individuals whom they consider to have played a part in AML failings.
In recent years, enforcement activity in this area has been particularly intense in Scandinavia, where regulators and prosecutors are taking action against a number of institutions and individuals in relation to well-publicised AML failings. The uptick in enforcement activity already seen in this part of the region looks set to continue more broadly across Europe as authorities seek to restore confidence in the robustness of financial crime compliance regulation. Several investigations into German and Dutch financial institutions are under way in respect of AML failings.
Enforcement action in future cases is likely to be conspicuously more decisive and coordinated, and penalties considerably higher than those imposed in past cases. National legislators have signalled their intent clearly. For example, in Denmark, it is intended that the maximum fine that may be imposed for AML failings will be increased eightfold.[9]
Elsewhere in Europe, some authorities are increasingly exploring how AML compliance provides a template for how firms should comply with their other regulatory obligations. For instance, in the United Kingdom, the Financial Conduct Authority (FCA) has stated that it expects regulated firms to take steps to prevent, rather than simply react to, criminal market abuse.[10] In doing so, it has taken rules that have long been a central tenet of AML compliance and applied them to a different section of its financial crime remit.
Increased pressure and incentives to co-operate
In England and Wales, the body of cases in which DPAs have been concluded between the Serious Fraud Office (SFO) and co-operating corporate organisations is slowly growing, although the figure of 20 agreements per year predicted during the passage of the legislation that introduced DPAs seems unlikely to be achieved in the near term. Indeed, the SFO has itself been under pressure, having failed to date to secure the conviction of any individual named as an alleged offender in any of the DPAs. Against this backdrop it remains to be seen if the UK DPA regime will be considered a success. This may have knock-on consequences for the appetite of other jurisdictions to adopt a similar model. The SFO may also find itself under increasing scrutiny after it was revealed that the agency’s enforcement activity was markedly reduced during the coronavirus pandemic.
In France, the authorities responsible for investigating and prosecuting financial crime, the French Anti-Corruption Agency (AFA) and Le Parquet National Financier (PNF), have now concluded 10 published judicial public interest agreements (CJIPs) with companies of various sizes, including one in which the global penalties imposed exceeded US$3.9 billion. However, in light of the coronavirus pandemic, the AFA has announced that it will temporarily cease inspecting businesses for compliance with French anti-corruption laws.
Mechanisms similar to DPAs and CJIPs (or aspects of them) exist in some other jurisdictions around Europe, including Belgium, the Czech Republic, Romania and Slovakia. However, these arrangements do not cover corruption offences in all cases, nor is the practice and procedure as clearly set out in these jurisdictions. Concluded cases of the same magnitude as seen in the United Kingdom and France have yet to be publicised.
As noted above, it is possible that Ireland will be the next jurisdiction in which corporate organisations may conclude criminal investigations through a negotiated settlement. In August 2019, the Irish Law Reform Commission proposed the adoption of arrangements similar to the UK’s DPA regime. This would closely follow the entry into force of a new corporate offence of failure to prevent bribery.
The different approaches of European jurisdictions should be considered when dealing with global settlements. Dutch company VEON, for example, entered into a joint global settlement with Dutch and US authorities to resolve an enforcement action under the US Foreign Corrupt Practices Act (FCPA), whereas Ericsson became the subject of an investigation by the Swedish authorities shortly after reaching a settlement to resolve an FCPA action with the US authorities.
Authorities’ and courts’ expectations of co-operating corporate organisations for (1) negotiations to take place, and (2) a settlement to be agreed and approved, are becoming clearer. In particular, the AFA and the PNF in France, and the SFO in the United Kingdom (in June and August 2019, respectively) have released guidance that clarifies their views on the co-operation needed to create the right conditions for a negotiated settlement to follow.[11]Courts and prosecutors have also provided guidance on whether corporate organisations are demonstrating the required levels of co-operation, while maintaining claims to legal professional privilege (where it is available).
Culture and individual accountability
Among the most prominent themes in investigations concerning corporate organisations is the focus on culture, both at the time when alleged misconduct occurred and when any investigation is commenced. The definition of what constitutes ‘good culture’ is elusive. Authorities, deciding whether to commence, continue and discontinue investigations and selecting which charges to pursue, attach substantial importance to whether they consider alleged conduct (including individuals’ conduct outside the workplace) to be indicative of a poor culture.
In some cases, culture is forming the primary basis for enforcement action. In the United Kingdom in 2018–2019, the FCA opened more cases concerned with culture and governance than in any previous year. The FCA’s most recent statistics indicate that this type of case now accounts for more than 10 per cent of all active investigations.[12] The FCA has announced that one of its key priorities for 2019–2020 was to extend the Senior Managers and Certification Regime (SMCR) to all regulated firms.[13] The implementation period for solo-regulated firms, however, was delayed until March 2021 in light of the coronavirus pandemic.
The SMCR in the United Kingdom goes further than previous regulatory initiatives directed towards individual accountability. It gives the FCA and the Prudential Regulation Authority (PRA) powers to take action against a much broader population of individuals within firms. It also requires firms to document the specific responsibilities of their most senior executives, thus providing the FCA and PRA with clear road maps that may be used to hold those individuals accountable for breaches of regulatory requirements by firms. The FCA is now routinely using the SMCR for this purpose during enforcement investigations. Although enforcement authorities around Europe have been watching to see how the FCA and PRA seek to use these mechanisms to drive up standards of behaviour within the financial services industry, it remains to be seen whether other European regulators will follow the SMCR approach. By contrast, other common law jurisdictions, such as Singapore, Hong Kong and Australia,[14] have enacted regimes similar to the SMCR in recent years.
In July 2018, the Central Bank of Ireland released a report, produced in conjunction with the Dutch Central Bank, based on behaviour and culture reviews of five retail banks based in Ireland.[15] The report’s recommendations mirror many of those made by the UK Parliamentary Commission on Banking Standards, from which the SMCR ultimately flowed. They include the introduction of new Conduct Standards and a Senior Executive Accountability Regime, both of which would be similar in most respects to the SMCR. At the time of writing, the Irish parliament was in the process of passing legislation to this effect.
Even in countries where enforcement authorities have not explicitly named culture as an enforcement priority, boards are increasingly concerned to demonstrate their commitment to culture. Cases across Europe have shown the substantial reputational damage that can result from allegations of poor cultural practices and the speed at which allegations can cross borders (including into jurisdictions where enforcement authorities are active in this area).
Data protection
The General Data Protection Regulation (GDPR) is now more than two years old, and several themes are emerging. The most significant trend is the willingness of European data protection authorities to enforce the GDPR aggressively. Between July 2018 and June 2020, a total of 293 fines were issued, or declared, for a cumulative total of €471,265,982.[16] The largest fines have also been significant. British Airways Plc may be fined up to €204 million by the UK data protection authority (the fine is yet to be formally levied), and Google Inc was fined €50 million by the French data protection authority in 2019.
However, this enforcement action has not kept up with the level of private complaints being made to data protection authorities. Ireland, for example, received 7,215 complaints in 2019, representing a 75 per cent increase on the total number of complaints in 2018.[17] In the United Kingdom, the number of complaints almost doubled between reporting years 2017–2018 and 2018–2019, from 21,019 to 41,661.[18] These numbers suggest that there is an increased awareness of data protection issues and the powers that data protection authorities now have under the GDPR.
Further evidence of an increased demand for redress in respect to data protection concerns can be seen in the increasing rise in collective litigation. Corporates should be aware that oversight of their data protection practices may be undertaken by private citizens, via the courts, and not just regulators.
In any event, investigators must now keep issues relating to data protection in mind when tackling a cross-border investigation. In particular, issues relating to the international transfer of personal data are becoming increasingly difficult globally, not just in Europe.
Information sharing and multi-jurisdictional investigations
European investigation and enforcement authorities continue to collaborate actively with one another and with their counterparts globally, using mutual legal assistance and less formal arrangements. There have been particularly noticeable increases in efforts to collaborate across borders in jurisdictions where anti-bribery and corruption legislation has recently been overhauled, and where authorities have acquired the ability to enter into global settlements involving overseas enforcement authorities.[19]
Across Europe, traditional boundaries between enforcement authorities’ remits are becoming increasingly blurred. Enforcement authorities are having to take an increasingly flexible view of what they are responsible for investigating, which authority should take the lead and how they should most effectively collaborate. Overlaps between the remits of antitrust, data protection and financial services enforcement authorities are becoming increasingly apparent.
Enforcement authorities, conscious of the potential for duplication and delay, are anticipating these overlaps, both within and between jurisdictions. For example, in the United Kingdom, the FCA and the Information Commissioner’s Office have in place a detailed memorandum of understanding (most recently updated in February 2019) setting out how they will work together following incidents in which they both have an interest.[20] Although convictions and other enforcement outcomes in one jurisdiction will commonly be the product of extensive information sharing between authorities, there are as yet few significant concluded examples of enforcement authorities simultaneously pursuing enforcement cases against the same targets in multiple European jurisdictions.
EU institutions as enforcement authorities
Historically, there have been relatively few examples of supranational European authorities (other than the European Commission (EC) in its role as an antitrust enforcement authority) taking overarching enforcement action. That said, there is a clear movement to facilitate greater co-operation and coordination with respect to enforcement activity at a European level. This is both as a response to past incidents in which regulatory arrangements have been found to have been lacking and in an effort to counter perceived growing threats.
In particular, the European Union has stepped up its focus on a pan-European approach to AML enforcement following AML failings in various European states. In early 2020, the EC sent letters of notice to eight European states for failing to implement the Fifth AML Directive adequately. In addition, the European Banking Authority (EBA) was given additional powers following several well-publicised AML failings and an inability to review the conduct in question adequately. Until now, AML legislation encouraging closer collaboration between national investigation and enforcement authorities has taken the form of successive AML Directives (which, as they are not directly effective instruments and require transposition by Member States into their national laws, have been implemented in different ways and to different extents).
From 1 January 2020, the EBA has been:
- tasked with coordinating national authorities’ supervisory responsibilities of AML activity;
- empowered to lead on the establishment of AML policies by national authorities; and
- required to monitor the implementation of AML standards within Europe.[21]
The EBA published its first report highlighting the approach that national authorities are taking to reform their supervision of AML in February 2020.[22]
The European Union has also introduced an extraterritorial approach to AML supervision. Technical guidance was published in September 2019 clarifying the EU’s approach to the level of AML compliance required for non-EU branches of EU domiciled banks.[23] In addition, the European Union identified 23 countries on 13 February 2019 that, when connected to a transaction, require additional due diligence as they pose a heightened AML risk because of their weak approach to the problem.[24]
In some instances, bilateral and multinational arrangements are in place, helping authorities to deploy their resources as effectively and efficiently as possible in cross-border AML investigations. The most recent example, which is also a response to the concerns about previous enforcement arrangements already mentioned, is a formal mechanism to enable Baltic and Nordic AML regulators to exchange information and coordinate enforcement action. There are also increasingly sophisticated mechanisms in place in some jurisdictions to enable information sharing between private sector organisations, and with enforcement authorities.[25] In July 2020, the Netherlands Bankers’ Association announced that the country’s three largest banks and two smaller lenders would create a purely private joint transaction monitoring body,[26] designed to flag concerning activity that would not necessarily be identified as suspicious by a single institution’s compliance department.
However, arrangements are far from uniform across Europe. The extent to which the requirements set out in successive Money Laundering Directives have been effectively transposed, and other provisions relating to cross-border collaboration and resourcing of national authorities have been implemented, varies widely between jurisdictions.
Away from AML enforcement, the EC remains active as an antitrust enforcement authority. Some long-standing themes continue to feature in European antitrust investigations. There are exceptions to rules relating to legal professional privilege (in jurisdictions where it is part of the legal landscape). Leniency provisions often do not dovetail neatly with other regulatory mandatory reporting obligations. There are significant variations in the approaches taken by the EC and national competition authorities. There would also appear to be a different focus on sectors of enforcement. The EC appears to be concentrating on technology companies, as opposed to perhaps the more traditional financial crime targets of financial institutions and extractive industries. These, and other themes, mean that European antitrust investigations have to be handled differently from those pursued by other regulators.
In other areas, authorities with a pan-European remit have been active. The European Anti-Fraud Office (known as OLAF), the division of the EC responsible for investigating fraud against the EU budget, and corruption and serious misconduct within EU institutions, has been particularly active in conducting investigations. OLAF’s most recent available statistics indicate that it concluded 167 investigations and commenced 219 investigations during 2018 and recommended that national authorities take action to recover more than €370 million in 2018.[27]
In addition, Europol has conducted extensive work to seek to coordinate national responses and lay the foundations for possible future multilateral criminal enforcement action in a number of areas, including notably in relation to large-scale cyberattacks.[28]
It seems likely that levels of coordinated pan-European criminal enforcement action will increase in future. Despite potential tensions raised by the selection of the Maltese representative, a new European Public Prosecutor’s Office (EPPO) is due to become operational in November 2020. In the 22 Member States that have signed up to the arrangements establishing it,[29] the EPPO will have powers to investigate and prosecute crimes against the EU budget, such as fraud, corruption and tax fraud valued at over €10 million. It will not replace OLAF or other existing investigating and prosecuting authorities (or national enforcement authorities) but will pool experience, adopt a consistent prosecution policy, and be able to use streamlined procedures for the exchange of information across borders. In September 2019, Laura Codruţa Kövesi, who formerly headed Romania’s National Anticorruption Directorate and served as the Romanian prosecutor general, was confirmed as the head of EPPO and Europe’s new chief prosecutor. She has indicated a willingness to use EPPO’s powers extensively when the agency becomes operational.[30]
Brexit uncertainty
At the time of writing, significant questions remain unanswered as to what the effect of Brexit will be on the mechanisms by which UK authorities work with their counterparts in mainland Europe, especially if no deal is agreed. Until 31 December 2020, the existing arrangements between the European Union and the United Kingdom will continue. As regards the position after this transition period, a German report leaked in April 2020 claimed that the United Kingdom wanted to ‘approximate the position of a member state as closely as possible’[31] with respect to the security arrangements it enjoyed as an EU Member State. However, it appears that without some form of agreement, the United Kingdom will be unable to engage effectively with many of the frameworks and initiatives to which it previously had access. This includes, but is not limited to, the following European agencies, organisations or systems:
- Europol (but not INTERPOL) and the Europol Intelligence System;
- Eurojust;
- European Arrest Warrant System;
- Schengen Information System;
- European Investigation Orders; and
- European Criminal Records Information System.
A no-deal situation would mean that authorities would have to fall back on a tangled web of specific agreements. Delays would inevitably follow and practical issues could conceivably flow from the operation of blocking statutes in some jurisdictions (most notably in France and Switzerland).
Footnotes
[1] Robert Dalling and Kelly Hagedorn are partners, and Matthew Worby is an associate, at Jenner & Block London LLP. This chapter updates the Europe Overview in the fourth edition, written by Judith Seddon, Amanda Raad and Chris Stott of Ropes & Gray LLP.
[2] UK: Namely UK Bribery Act 2010, section 7, and Criminal Finances Act 2017, sections 45 and 46.
[3] UK: See the oral evidence given to the Justice Committee, 18 December 2018, at http://data.parliament.uk/ writtenevidence/committeeevidence.svc/evidencedocument/justice-committee/serious-fraud-office/oral/94785.html.
[4] Ireland: Criminal Justice (Corporate Offences) Act 2018.
[5] Germany: draft Corporate Sanctions Act.
[6] For details of the increases in and reorganisation of resources devoted to anti-bribery and corruption investigations and enforcement action in France, see, e.g., French Anti-Corruption Agency, ‘Annual Report 2017’, at https://www.agence-francaise-anticorruption.gouv.fr/files/files/AFA_rapportAnnuel2017GB.pdf. For details of revenue generated by deferred prosecution agreements in the UK, see, e.g., Serious Fraud Office [SFO], ‘Annual Report and Accounts 2018–19’, at https://www.sfo.gov.uk/wp-content/uploads/2019/07/SFO-Annual-Report-and-Accounts-2018-2019.pdf.
[7] Sweden: Swedbank was fined US$386 million for compliance deficiencies relating to Baltic money laundering.
[8] Netherlands: ING Groep was fined US$900 million for broad failures relating to financial crime compliance controls.
[9] Denmark: See Danish Financial Services Authority, government statement and report, 28 January 2019, at https://www.dfsa.dk/~/media/Nyhedscenter/2019/Report_on_the_Danish_FSAs_supervision_of_ Danske-Bank_as_regards_the_Estonia_case-pdf.pdf?la=en, at https://em.dk/media/10757/english-summary- aml-agreement_september-2018.pdf.
[10] UK: See, e.g., Financial Conduct Authority [FCA] Handbook, Senior Management Arrangements, Systems and Controls, Rule 6.1.1 (Adequate policy and procedures), at https://www.handbook.fca.org.uk/handbook/SYSC/6/?view=chapter, and Financial Crime Guide, at https://www.handbook.fca.org.uk/handbook/FCG/1/?view=chapter.
[11] UK: See SFO, Corporate Co-operation Guidance, at https://www.sfo.gov.uk/download/corporate-co-operation- guidance/?wpdmdl=24184. France: https://www.agence-francaise-anticorruption.gouv.fr/files/files/Lignes%20directrices%20PNF%20CJIP.pdf; https://www.agence-francaise-anticorruption.gouv.fr/fr/lafa-et-parquet-national- financier-precisent-mise-en-oeuvre-convention-judiciaire-dinteret-public.
[12] UK: See FCA, ‘Enforcement annual performance report 2018/19’, at https://www.fca.org.uk/publication/corporate/annual-report-2018-19-enforcement-performance.pdf.
[13] UK: See FCA press release, at https://www.fca.org.uk/news/press-releases/fca-sets-out-its-priorities-2019-20.
[14] Singapore: Individual Accountability and Conduct Regime; Hong Kong: Manager-in-Charge Regime; Australia: Banking Executive Accountability Regime.
[15] Ireland: See Central Bank of Ireland report, Behaviour and Culture of Irish Retail Banks, July 2018, at https://www.centralbank.ie/docs/default-source/publications/corporate-reports/behaviour-and-culture-of-the- irish-retail-banks.pdf?sfvrsn=2.
[16] This figure includes notices of an intention to fine, and so may be subject to change.
[17] Ireland: See Data Protection Commission, Annual Report for 2019, at https://www.dataprotection.ie/sites/default/files/uploads/2020-02/DPC%20Annual%20Report%202019.pdf.
[18] UK: See ‘Information Commissioner’s Annual Report and Financial Statements 2018-19’, at https://ico.org.uk/media/about-the-ico/documents/2615262/annual-report-201819.pdf.
[19] For example, in France, the National Finance Office [PNF] made 103 requests for mutual legal assistance and extradition to overseas agencies in 2018 (after the introduction of Sapin II) compared with 14 such requests in 2014 – Bilan et Activité 2018 du Parquet National Financier (January 2019), at https://www.tribunal-de-paris.justice.fr/sites/default/files/2019-01/PNF_synthese%202018.pdf.
[20] UK: See ‘Memorandum of Understanding between the Information Commissioner and the Financial Conduct
Authority’, at https://ico.org.uk/media/about-the-ico/documents/2614342/financial-conduct-authority- ico-mou.pdf.
[21] Regulation (EU) 2019/2175.
[22] See European Banking Authority press release, at https://eba.europa.eu/eba-acts-improve-amlcft- supervision-europe.
[23] Regulation (EU) 2019/758.
[24] See European Commission press release, at https://ec.europa.eu/commission/presscorner/detail/en/IP_19_781.
[25] In the UK, with effect from October 2017, previously voluntary arrangements enabling information sharing within the private sector and between private sector organisations and enforcement authorities were placed on a statutory footing – Criminal Finances Act 2017, section 11 (which amended the Proceeds of Crime Act 2002).
[26] Netherlands: See Netherlands Bankers’ Association press release, at https://www.nvb.nl/english/transaction- monitoring-netherlands-a-unique-step-in-the-fight-against-money-laundering-and-the-financing-of-terrorism/.
[27] See European Anti-Fraud Office, ‘The OLAF Report 2018’, at https://ec.europa.eu/anti-fraud/sites/antifraud/files/olaf_report_2018_en.pdf.
[28] See Europol press release, 18 March 2019, at https://www.europol.europa.eu/newsroom/news/law-enforcement- agencies-across-eu-prepare-for-major-cross-border-cyber-attacks.
[29] Sweden, Hungary, Denmark, Ireland and Poland having opted out.
[30] See further details in relation to the European Public Prosecutor’s Office, at https://europa.eu/rapid/press-release_ MEMO-17-1551_en.htm, and the appointment of the European Chief Prosecutor, at www.europarl.europa.eu/news/en/press-room/20190923IPR61749/kovesi-to-become-eu-chief-prosecutor.
[31] See media coverage of a leaked German government report, at https://www.theguardian.com/world/2020/apr/23/uk-making-impossible-demands-over-europol-database-in-eu-talks.