United Kingdom

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

A number of high-profile investigations have been commenced by UK law enforcement in the past few years. In the main, investigations have focused, and continue to focus, on companies operating in traditionally high-risk sector areas.

The investigation by the UK’s Serious Fraud Office (SFO) into Unaoil (which involves allegations of bribery, corruption and money laundering) continues to draw interest, as much for the related investigations it has spawned as for the investigation into Unaoil’s affairs; during summer 2019, another individual (Basil Al Jarah, Unaoil’s former partner in Iraq) pleaded guilty to five offences of conspiracy to give corrupt payments. In July 2020, two other former Unaoil executives, Ziad Akle and Stephen Whiteley, were sentenced at Southwark Crown Court imprisonment for five and three years, respectively. The SFO’s Director, Lisa Osofsky, noted that the outcome ‘sends a clear message that the United Kingdom and the SFO will not tolerate criminal activity that undermines the fairness and integrity of international business’. On 8 October 2020, Basil Al Jarah was sentenced to three years four months’ imprisonment.

A related investigation into US engineering company KBR’s UK subsidiary has also raised interesting points during the past couple of years, particularly on the question of the extra­territorial reach of the SFO’s investigatory powers. In 2018, the UK High Court held that the SFO can lawfully require companies to produce materials held abroad, subject to sufficient UK nexus. In April 2019, the Supreme Court granted KBR Inc leave to appeal against the High Court decision, such that this remains an ongoing question. Indeed, since the sentencing of the Unaoil executives, KBR has announced that it was informed by the SFO that aspects of its investigations into KBR that relate to Unaoil have been closed, though other strands remain open. The matter was heard on 13 October 2020; judgment is awaited.

Her Majesty’s Revenue and Customs (HMRC, the UK’s tax administration) released data on 13 October 2020 confirming that 31 matters are currently under investigation or criminal review relating to corporates failing to prevent the facilitation of UK tax evasion (an offence introduced from 30 September 2017). The names of entities have not been published but the department has indicated that 10 diverse commercial sectors are affected, including financial services, oils, construction, labour provision and software design. Data is anticipated to be refreshed every six months.

A number of SFO investigations have been resolved by deferred prosecution agreements (DPAs) during the past year.

The SFO’s DPA with Airbus SE is particularly noteworthy in terms of the quantum and the level of cross-border co-operation undertaken by global law enforcement agencies; the aerospace conglomerate agreed to pay an unprecedented fine of €991 million in the UK, including £6.9 million in costs (which is greater than the sum of all previous DPA settlements made under the Bribery Act 2010) for offending during the period between 2011 and 2015. Further payments were agreed with the authorities in France (€2,083,137,455) and the United States (€525,655,000), bringing the global cost of resolution to €3.6 billion.

The DPA with Serco Geographix Ltd (Serco) resulted in Serco’s agreement to pay a financial penalty of £19.2 million, pursuant to the SFO’s investigation into fraud and false accounting arising from a scheme to dishonestly mislead the Ministry of Justice as to the true extent of Serco’s profits. (See question 8 for further comments on potential trends and learning from current DPAs.)

A DPA was also reached with G4S Care and Justice Services (UK) Ltd (G4S C&J) relating to a scheme to defraud the Ministry of Justice in connection with contracts for electronic monitoring of offenders. The quantum agreed in that matter was £38.5 million plus costs but, of perhaps greater significance, was the application of a reduced discount of 40 per cent said to relate to the delayed nature of G4S C&J’s substantial co-operation with the SFO.

2 Outline the legal framework for corporate liability in your country.

A corporation can be held criminally liable under the laws applicable to the United Kingdom (the laws of England and Wales, Northern Ireland and Scotland, referred to collectively as UK laws) and there are several ways this can arise, depending on the factual circumstances and the types of underlying conduct.

Typically, corporate criminal offences of strict liability and offences involving a company’s vicarious liability for its employees’ actions arise for a range of regulatory offences under UK laws. The features of corporate criminal liability are not considered in detail in this chapter as they tend to be less common in relation to financial crime matters, with the exception of offences involving company legislation. Generally, however, UK principles of vicarious liability of employers for the criminal conduct of employees differ markedly from the US doctrine of respondeat superior.

For some offences, including fraud and corruption, the law developed the ‘identification doctrine’ as a means of holding a corporate entity to account for its misdemeanours. In essence, this attributes the knowledge of a corporate’s directing mind – the individual or individuals who control the actions of the corporate (for example, its directors or senior managers) – to the corporate itself. Whereas the idea behind the doctrine was to attribute knowledge and action to an abstract entity, in practice this has proved difficult in all but the simplest cases involving small companies with unsophisticated structures. The difficulties are particularly apparent in larger companies or multinationals with more diffuse decision-making among management teams and where complex corporate structures may mean there are numerous reporting lines that would need to be assessed. An area that frequently needs careful analysis is where management teams or business units have been given delegated authority to act on the corporate’s behalf.

In recent years, to meet some of the criticisms of the identification doctrine, and the consequent difficulties in holding corporates criminally liable for misconduct, the UK has introduced two types of ‘failure to prevent’ corporate offences, essentially holding the corporate liable for failing to prevent certain types of wrongdoing, subject in each case to the corporate being able to raise a compliance-related defence (i.e. that it had in place either adequate or reasonable procedures designed to prevent the defined type of wrongdoing occurring). One example is the Bribery Act 2010’s corporate offence of failure to prevent bribery, in which a company (incorporated or carrying on part of its business in the UK) is liable for bribes paid by a third party to win business for or on behalf of the company anywhere in the world, unless it can demonstrate it had adequate procedures intended to prevent bribery. Third parties are broadly defined in the Bribery Act 2010 to include anyone who performs services for or on behalf of the company in whatever capacity (e.g. an employee, agent or intermediary). The Criminal Finances Act 2017 similarly introduced a new extraterritorial corporate offence of failure to prevent persons associated with the corporate facilitating third party tax evasion (whether UK or foreign) with an affirmative defence of reasonable prevention procedures.

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

The UK has three legal systems and jurisdictions for criminal law purposes, each of which applies geographically: England and Wales, Northern Ireland and Scotland. The criminal laws of England and Wales and of Northern Ireland are similar, whereas Scots law and procedure is markedly different.

In the UK as a whole, allegations of corporate offending involve the same criminal process, enforcement agencies and court system as investigations and prosecutions of individuals. As a corporate is a legal rather than a natural person, certain steps vary because of this status (e.g., how it may need to respond to enquiries from a regulator, how a corporate will appear in court (via counsel) and how it is sentenced if guilty of an offence). Some key law enforcement authorities involved in the regulation, investigation or prosecution of corporates in the UK include (not exhaustively) the following:

  • SFO – set up with special powers under the Criminal Justice Act 1987 for the investigation and prosecution of large and complex corporate fraud and corruption. Unusually for UK law enforcement agencies, it combines investigative and prosecutorial functions.
  • National Crime Agency (NCA) and local police forces – tend to lead investigations involving significant but smaller-scale or less complex fraud or corporate crime, which is then prosecuted by the Crown Prosecution Service (CPS).
  • The Police Service of Northern Ireland – investigates crimes within the jurisdiction of Northern Ireland. Crimes are then prosecuted by the Public Prosecution Service of Northern Ireland (PPSNI).
  • The Police Service of Scotland (Police Scotland) – investigates crimes within the jurisdiction of Scotland. Crimes are then prosecuted by the Crown Office and Procurator Fiscal Service (COPFS).
  • HMRC – investigates tax-related offending (including money laundering) throughout the UK, which is then prosecuted by the CPS, PPSNI or the COPFS, as appropriate.
  • Financial Conduct Authority (FCA) – regulator of the financial services industry. As a regulator, it can impose civil sanctions for misconduct, but may also prosecute regulated firms or individuals for specific market-related offences, such as insider trading and market manipulation and associated money laundering. Frequently, cases involving financial services companies fall within the scope of both the FCA and the SFO’s investigative powers. In those cases, the SFO will usually take precedence in relation to the criminal proceedings as it may prosecute a wider range of offences.
  • Competition and Markets Authority (CMA) – investigates anticompetitive behaviour. It may impose civil sanctions but can also prosecute cartel offences.
  • Department for Business, Innovation and Skills – this government department investigates and prosecutes activities concerning the affairs of companies, including fraudulent trading and breaches of bankruptcy or disqualification orders.
  • Information Commissioner’s Office (ICO) – investigates and prosecutes or imposes civil sanctions for data protection offences.
  • Health and Safety Executive (HSE) and Health and Safety Executive for Northern Ireland (HSENI) – the HSE investigates and prosecutes or imposes civil sanctions for health and safety offences and works with the police on corporate manslaughter investigations. In Northern Ireland, the position is similar, except that it is the PPSNI (not the HSENI) that brings prosecutions. Prosecutions in Scotland are brought by the COPFS.
  • Office of Gas and Electricity Markets (known as Ofgem) – investigates and prosecutes certain criminal offences under legislation focused on the energy sector.
  • Environment Agency, Northern Ireland Environment Agency and Scottish Environmental Protection Agency – investigate and prosecute environmental crime (in Scotland, the prosecution is brought by the COPFS and in Northern Ireland by the PPSNI).
  • UK Office of Financial Sanctions Implementation (OFSI) – although not a prosecutor, it has significant additional powers to impose financial penalties for breaches of financial sanctions measures.

In Scotland, all criminal investigations are undertaken by Police Scotland and the COPFS. Police Scotland has a dedicated economic crime unit, but investigations into serious and complex frauds are overseen by COPFS’ economic crime unit. The SFO can also investigate crimes that have occurred in Scotland if they affect other parts of the UK, but it cannot prosecute cases in or exclusively from Scotland.

There can be concurrent jurisdiction between the SFO and the COPFS, particularly with respect to overseas bribery cases. In 2014, the SFO and the COPFS entered into a memorandum of understanding, which provides a framework for co-operation in cases of bribery or corruption that both organisations have (or may have) jurisdiction to prosecute under the Bribery Act 2010 and for determining ‘primacy’ to investigate and prosecute corporate bribery offences.

In late 2009, the SFO and the CPS published a joint guidance note for corporate prosecutions setting out general principles, and evidential and public interest factors that could be taken into account when making a prosecutorial decision in regard to a corporate.

In July 2011, the COPFS published its civil settlement guidance, which encourages Scottish and other companies that have committed bribery offences within the jurisdiction of Scotland to self-report to the COPFS in return for the opportunity to resolve the case through a civil settlement mechanism. The initiative must be reviewed and approved each year by the Lord Advocate and has recently been extended until 30 June 2021.

In February 2014, following the introduction of DPAs in England and Wales (but not Scotland or Northern Ireland) under Schedule 17 of the Crime and Courts Act 2013, the SFO and the CPS published a Deferred Prosecution Agreements Code of Practice setting out public interest factors for and against offering a corporate a non-prosecutorial resolution by way of a DPA.

In August 2019, the SFO issued its Corporate Co-operation Guidance as part of its Operational Handbook, which it will use in making charging decisions in relation to allegations of bribery and corruption.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

Law enforcement authorities must have reasonable grounds to suspect that a criminal offence has been committed to exercise their investigative powers; those suspicions may be founded on evidence or intelligence.

The SFO may investigate any suspected offence that appears, on reasonable grounds, to the director of the SFO to involve serious or complex fraud. The SFO’s powers to compel the production of evidence under section 2 of the Criminal Justice Act 1987 can be exercised in any case in which it appears to the director that there is good reason to do so for the purpose of investigating the affairs, or any aspect of the affairs, of any person.

Additionally, and only in relation to possible bribery and corruption with an inter­national dimension, the SFO may apply the even lower test under section 2A of the Criminal Justice Act 1987 of whether there is an ‘appearance’ that bribery and corruption may have taken place to initiate a pre-investigation (and use its powers under section 2 to determine whether a formal investigation should be undertaken). Therefore, the section 2A powers can only be exercised for the purpose of enabling the SFO to decide whether to open a formal investigation. However, the SFO has called for an extension to these powers to use compulsory powers pre-investigation.

HMRC has both criminal and civil functions. Its selective criminal investigation policy is a matter of public record(see https://www.gov.uk/government/publications/criminal-investigation/hmrc-criminal-investigation-policy). In summary, however, criminal investigations into suspected fraud will be considered if civil powers are considered inadequate to address the behaviour or risk, when the severity of the conduct or strong deterrent messaging is required.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

Depending on the authority and type of notice, it may be possible to agree informally on a narrower scope of information to be produced without having to challenge the lawfulness or scope formally. Otherwise the company may challenge the lawfulness or scope of the notice or production order by way of application to court. Usually this challenge will be by way of judicial review (in Scotland, a bill of suspension), although under certain statutes it may be possible for the company to seek a hearing before the court or tribunal that originally issued the notice or court order (where this is provided for under the applicable statute).

6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?

There is the possibility of immunity or leniency for individuals who assist or co-operate in the investigation or prosecution of criminal offences.

Section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA) allows certain prosecutors, including the SFO, to grant any person immunity from prosecution in England and Wales or Northern Ireland by issuing a written immunity notice. This notice, which will specify the criminal offences for which no proceedings can be brought, ceases to have effect if the person fails to comply with the conditions contained in the notice. The use of section 71 is relatively rare.

Section 73 of SOCPA provides a means to incentivise assistance from defendants. A defendant who, pursuant to a written agreement with a relevant prosecutor, has provided, or has offered to provide, assistance to an investigator or prosecutor is eligible to receive a reduction in sentence, provided a guilty plea has been tendered. Judges are required to state in open court the sentence that would have been imposed but for the assistance given or offered, unless it would not be in the public interest to disclose that the sentence has been discounted.

Broadly equivalent principles relating to immunity and leniency apply in Scotland under Part 3 of the Police, Public Order and Criminal Justice (Scotland) Act 2006.

7 What are the top priorities for your country’s law enforcement authorities?

International corruption and a coordinated global approach to defeat it remains a top priority for the UK government and its law enforcement authorities, together with a desire to harness the expertise of the private sector if the objectives set out in the government’s Economic Crime Plan 2019–2022, published in July 2019, are to be achieved. Commitment to co-operation with other criminal justice agencies, both domestic and international, is echoed in the SFO’s Annual Report and Accounts 2019–2020, which points to the resolution in the Airbus SE case as demonstrating the agency’s ability to cement strong international ties and unified co-operation. Strengthening partnerships and exploring opportunities to tackle transnational economic crime in a coordinated and collaborative way remains a priority of the SFO.

Investment in digital technology to enhance efficiency and efficacy in investigating the most complex and data heavy cases is also a priority. For example, the SFO has embedded its own eDiscovery platform (Axcelerate) into the way it conducts its casework, and invested in an in-house digital forensics unit.

During the coronavirus pandemic, there has been an upsurge in those seeking to exploit the situation and to take advantage of the many schemes designed to preserve the economy. Law enforcement agencies, including HMRC, have been keen to send a clear message that frauds abusing coronavirus relief schemes will not be tolerated.

A focus on tax evasion led to the introduction of the new corporate criminal offence of failing to prevent the facilitation of tax evasion, which came into force in September 2017, and there have been increasing calls to extend the ‘failure to prevent’ offences to include a schedule of broader economic crimes, such as fraud and money laundering. The government is examining the case for reform of the law on corporate liability for economic crime. A government consultation on this issue closed in March 2017, for which the response is still awaited. In the meantime, some high-profile committees and officers, including the UK’s solicitor general and the director of the SFO, have given their public support to the introduction of such an offence.

A further focus is increased transparency of the beneficial ownership of foreign companies investing in UK property or bidding for government contracts. This has prompted the introduction of a register of beneficial ownership of foreign investors, which is intended as a measure to reduce both tax evasion and the likelihood of UK properties being used to launder foreign criminal funds, to be operational by 2021. The UK government seeks to make public registers the global norm by the end of 2023.

Effective from 31 January 2018, the Criminal Finances Act 2017 introduced unexplained wealth orders (UWOs) in respect of politically exposed persons or others suspected of involvement in serious crime. UWOs are High Court orders following an application from enforcement authorities, such as the FCA, NCA, SFO or HMRC, and may be accompanied by an interim freezing order. The respondent is required to set out the nature of interest in the specified property (which must be valued at more than £50,000) and how it was obtained. Failure to respond without reasonable excuse is met with a presumption that property is recoverable. It is a criminal offence to make reckless or false statements, for which there is a maximum two-year prison sentence and fine. The first UWOs have been obtained, with some guidance on their requirements emerging from the courts, and the NCA has indicated that more are in the pipeline. It should be noted, however, that the High Court discharged three UWOs in early 2020, finding that the assumptions the NCA had made were ‘unreliable’ and had been ‘rebutted by the cogent evidence’ presented by the registered owners of the properties. The Court was not satisfied that the NCA had proved that the properties subject to the order were bought with illicit funds.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

The ‘failure to prevent’ offences introduced by the Bribery Act 2010 and the Criminal Finances Act 2017 require corporates to establish, to a civil standard, that they have adequate (bribery) or reasonable (tax) prevention procedures in place. The government has put in place high-level guidance in respect of each enactment to assist corporates and their advisers in assessing what might be considered adequate or reasonable.

Each set of guidance references the same six guiding principles that should be considered in designing a control framework: top-level commitment, risk assessment, proportional risk-based procedures, due diligence procedures, communications and training, and monitoring and review. In respect of Criminal Finances Act offences, sector-specific guides have additionally been issued by The Law Society of England and Wales and the financial services sector (and ratified by the UK government).

The efficacy of the programme of corporate reforms put in place by the new leadership of companies who are the subject of bribery DPAs has been cited in a number of rulings as a material factor in arriving at the ultimate settlement and, although there have not yet been equivalent tax facilitation agreements, it is likely that the two agencies (who share super­intendence of aspects of the tax facilitation offences) will develop aligned priorities in arriving at a unified enforcement view as to controls and co-operation.

Should there be an expansion to the ‘failure to prevent’ corporate criminal liability model to include a range of fiscal and associated offences (such as fraud and money laundering), such a schedule of offending would have the effect of shifting more of the compliance burden to corporates and, in that regard, allow investigations to be commenced without regard for the identification principle that requires the prosecution to evidence dishonesty of a controlling mind to a criminal standard.

In January 2020, the SFO published its Guidance on Evaluating a Compliance Programme, as part of its internal Operational Handbook, designed to guide investigations. It confirms that companies will be expected to keep their corporate compliance programmes under review to ensure that they are ‘genuinely proactive and effective’. According to the Guidance, the SFO will consider the effectiveness of a company’s compliance programme in all cases. Examples given include whether (1) prosecution is in the public interest, (2) an organisation should be invited to negotiate a DPA and (3) an organisation has a defence of ‘adequate procedures’ available against a charge of failure to prevent bribery.

The Guidance also indicates that the SFO will consider the effectiveness of a company’s compliance programme at the various stages of an investigation and, in some cases, once that investigation has concluded.

With regard to the SFO’s approach to compliance measures in the context of DPA negotiations, under the current leadership, the SFO has agreed a number of DPAs that shed further light on the importance of corporate co-operation. In the most recent case of G4S C&J (discussed in question 1), the financial penalty to be paid reflected a 40 per cent discount as a result of the company’s self-report and co-operation; this is only the second time that a discount of less than 50 per cent has been applied. The first instance was the SFO’s first DPA, that is the 2015 agreement with Standard Bank PLC, which attracted a 33 per cent discount in line with the Sentencing Guidelines for bribery. Subsequent DPAs have moved away from that starting point and this revised discount appears to be part of a broader trend; in the six other DPAs with the SFO, a discount of 50 per cent was approved on the basis of co-operation.

The Airbus SE DPA is particularly noteworthy with regard to the judge’s findings on the company’s compliance procedures. Prior to the reporting of the wrongdoing, Airbus SE had extensive policies in place, and had even secured independent certification in 2012. However, there were weaknesses in oversight, which enabled compliance measures to be circumvented. This changed once the wrongdoing was identified, and Airbus SE appears to have focused on the six guiding principles to direct an overhaul of its compliance programme. This resulted in Airbus SE putting in place the following remedial steps:

  • redesigning its compliance structure and oversight mechanisms;
  • rolling out improved and strengthened due diligence processes;
  • launching a required company-wide anti-bribery and corruption risk assessment;
  • bringing in a newly elected management team; and
  • launching internal investigations into the actions of existing and former employees.

These extensive and far-reaching steps were cited by the court, which noted that the overhaul to the management and compliance structure of the business left it ‘a changed company to that which existed when the wrongdoing occurred’. The Airbus SE DPA therefore reinforces the importance of remedial efforts as a condition for any company wishing to engage in the DPA process.

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.

Cybersecurity is regulated within the UK through a number of statutory regimes. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation (GDPR)), which came into force on 25 May 2018, requires that personal data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’. Accordingly, organisations that control personal data must have sufficient cybersecurity measures in place to protect against attack. There are mandatory reporting obligations in place where certain attacks happen.

Enforcement of the GDPR falls to the relevant supervisory authority within each European country; in the UK, this is the ICO. From January 2021, it is intended that a version of the GDPR known as the UK GDPR will come into force, which will sit alongside the Data Protection Act 2018 (the DPA 2018). Because it mirrors the obligations in the GDPR, there will therefore be little to no change for those companies operating solely within the UK, and controllers will continue to need to consider any obligation to notify the ICO for cybersecurity-related failings. The GDPR itself may also still apply directly to those companies who operate in the European Union (EU), offer services and goods to individuals in the EU or monitor the behaviour of individuals in the EU.

Fines have been substantially increased under the GDPR, to up to 4 per cent of annual global turnover or €20 million (whichever is higher), and the ICO has indicated that it intends to use the full force of its powers for the most serious breaches. On 16 October 2020, the ICO issued its Monetary Penalty Notice against British Airways for a data breach affecting more than 400,000 customers, applying the Regulatory Action Policy to determine the appropriate level of fine (£20million).

Cybersecurity has far-reaching consequences, however, and a range of other regulators also require notification following a cybersecurity incident; these include the FCA, the Charity Commission and other professional regulatory bodies.

Cybersecurity is woven into a range of other statutory regimes. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) regulate providers of public electronic communication services. Service providers are similarly required to take appropriate technical and organisational steps to safeguard the security of their service. The PECR also have mandatory reporting obligations but impose a shorter time frame than the GDPR; within 24 hours of becoming aware of the essential facts. Under the GDPR, mandatory personal data breach reports must be made within 72 hours of becoming aware of a breach. Powers open to the ICO in enforcing the PECR include criminal prosecution and a fine of up to £500,000.

Additionally, the Network and Information Systems Regulations 2018 (the NIS Regulations), which came into force on 10 May 2018, govern the threat posed to essential network systems and seek to improve the functioning of the digital economy. The NIS Regulations apply to operators of essential services and relevant digital service providers. They follow a similar principles-based approach to the GDPR, requiring systems operators to ensure appropriate and proportionate technical and organisational measures so as to manage risks to the security of a network.

The UK has opted to regulate network and information systems according to sector, and there are therefore a range of ‘competent authorities’ that act as regulators, depending on the specific sector. The NIS Regulations provide for mandatory incident reporting, with a time limit of 72 hours (from becoming aware) for reporting any incident that has a significant effect on the continuity of the essential service. A breach of the Regulations can result in a fine of up to £17 million.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

The main regulations relating to cybercrime are the Computer Misuse Act 1990 (the CMA 1990), the DPA 2018 and the Cyber Attacks (Asset Freezing) Regulations 2019 (the 2019 Regulations).

The CMA 1990 has been amended to take account of the developing nature of cybercrime. Offences can be tried summarily or on indictment with a range of maximum sentences, depending on the offence committed.

Although prosecutions have been made over many years pursuant to the CMA 1990, the ICO secured its first conviction in November 2018. The prosecution was followed by an application under the Proceeds of Crime Act and a confiscation order.

The domestic legislation that sits alongside the GDPR is the DPA 2018, section 170 of which makes it an offence to knowingly or recklessly obtain, disclose, procure or retain personal data without the consent of a data controller and, on indictment, the maximum sentence is an unlimited fine. The offence slightly augments that under the previous legislation (the Data Protection Act 1998). Prosecutions being brought by the ICO currently tend to be pursuant to the 1998 Act in view of the time it takes to investigate and prosecute an offence.

Proceeds of crime legislation can be used as part of the enforcement toolkit; in June 2019, for example, the ICO secured the conviction of a former managing director of a claims management company who had unlawfully obtained and sold personal data. He was sentenced to a fine of £1,050 but the benefit derived from the illegal activity was valued at £1,434,679.60. In view of the defendant’s lack of assets, a nominal £1 order was made.

Aside from unauthorised access and use of information, cybercriminals also deploy ransomware to secure a ransom demand. The aim of the 2019 Regulations, which came into force on 11 June 2019, is to address this. Measures under the 2019 Regulations include sanctions, restrictive measures and offences connected with cyberattacks threatening the EU or its Member States.

The 2019 Regulations apply to UK nationals or any body incorporated in the UK. They have extraterritorial effect, and their measures are also applicable to conduct wholly or partly outside the UK that is perpetrated by a UK national, or a body incorporated or constituted under UK law.

The 2019 Regulations restrict interactions with ‘designated persons’ (adopting a similar approach to sanctions regimes). Dealing with or making funds available to such persons is a criminal offence. The maximum sentence under the 2019 Regulations is an unlimited fine, seven years’ imprisonment, or both. At the time of writing, six natural persons and three legal entities have so far been designated.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

The jurisdictional basis of criminal law in the UK is generally territorial, as an offence will only be triable in the jurisdiction in which it takes place unless there is a specific provision to the contrary, for instance where specific statutes enable the courts of the UK to exercise extraterritorial jurisdiction.

Some examples of exceptions are worthy of note. First, under general common law principles, if a substantial part of an offence occurs in the UK (even if other parts occur outside the UK), the UK courts can have jurisdiction.

Second, under Part I of the Criminal Justice Act 1993, certain fraud, theft, forgery, false accounting, blackmail and cheat offences are triable in England and Wales if a relevant event, or part of the wrongful act within an offence, has occurred in England or Wales. The extension of jurisdiction under this statute also applies to attempts and conspiracies to commit these defined offences.

Third, the Bribery Act 2010 (and prior bribery and corruption legislation) has important provisions to allow law enforcement to investigate and prosecute cases of overseas corruption. A feature of the extraterritorial effect of the Bribery Act 2010 is that it applies to substantive corruption offences in which the acts and omissions are entirely outside the UK, if these involve UK nationals, others ordinarily resident in the UK, or UK companies, among other defined categories of a party with a close connection to the UK. The failure to prevent an offence also applies worldwide to corporates that carry on part of their business in the UK, whether their headquarters are in the UK or elsewhere.

Sections 45 and 46 of the Criminal Finances Act 2017 followed the ‘failure to prevent’ model pioneered by the Bribery Act 2010 and created corporate offences of failing to prevent the facilitation of UK or foreign tax evasion. The facilitation of UK evasion will be investigated by HMRC whereas facilitation of foreign tax evasion may be investigated by either the SFO or the NCA (depending on complexity). The offences are extraterritorial in nature, albeit the foreign offence requires a UK corporate nexus and dual criminality in respect of the conduct comprising the tax evasion and the facilitation. It is anticipated that the agencies will work together to develop a uniform understanding of how these offences should be superintended.

In September 2018, the High Court held that section 2(3) of the Criminal Justice Act 1987, which gives the SFO power to require a person to produce specified documents in connection with an SFO investigation, has extraterritorial effect to compel a foreign company to produce documents held outside the jurisdiction if there is a ‘sufficient connection’ between the company and the jurisdiction. As has been referenced, in April 2019, the UK Supreme Court granted leave to appeal this decision. In a financial filing in August 2020, KBR stated that the US Department of Justice (DOJ) and Securities Exchange Commission (SEC) ‘have informed us that their investigations with regard to KBR are now closed. The SFO has informed us that its KBR investigation is no longer focused on allegations of corruption involving Unaoil although some lines of inquiry remain under investigation’. The matter was heard on 13 October 2020 and judgment will be handed down in due course.

In February 2019, the Crime (Overseas Production Orders) Act 2019 received royal assent, allowing UK law enforcement agencies to apply for a court order with extraterritorial effect (an overseas production order), to obtain data stored electronically, directly from communication service providers based outside the UK.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

The challenges of dealing with cross-border investigations arise from inconsistencies in the approaches of the various law enforcement agencies and the application of different laws in the relevant jurisdictions.

The principal issues are:

  • the differences in the scope and application of legal professional privilege between the jurisdictions, and ensuring that privilege is adequately protected when dealing with document or information requests from the various authorities or when conducting the internal investigation;
  • the differences in data protection laws in each jurisdiction, and ensuring that breaches do not occur in the gathering and transferring of data between jurisdictions for the purposes of the internal investigation or responding to requests from a law enforcement authority;
  • whether any of the jurisdictions impose a positive statutory obligation to make a formal report once the corporation becomes aware, or begins to suspect, that a crime has been committed (Northern Ireland and Scotland have additional statutes that impose reporting duties that apply in addition to laws that apply UK-wide);
  • identifying which authorities may claim that the offending conduct occurred in their jurisdiction as a result of the fact that, with cloud-based communications (email, WhatsApp, iMessage, etc.), offending behaviour can occur in more than one location;
  • whether evidence-sharing or mutual assistance treaties exist between the relevant jurisdictions;
  • differing rules surrounding the admissibility of intercepted communications; and
  • whether there are sensitivities between the authorities in the various jurisdictions, for example, whether one authority is taking precedence, and if so whether the other authorities accept that position.

At the expiry of the transition period following the UK’s departure from the European Union, law enforcement co-operation between the UK and the EU will no doubt continue. However, the gateways and procedures for sharing intelligence and entering into joint investigation teams (JITs), the measure of future participation in institutions such as Eurojust and Europol, and access to tools such as European Investigation Orders and the European Arrest Warrant, among other things, will be dependent on the final terms of any agreement between the parties on future relations.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

The existence of the principle of double jeopardy means that a corporation cannot be prosecuted a second time in the UK for the same or similar offences on the same facts following a legitimate acquittal or conviction, or other appropriate disposal, such as a DPA, by a UK court. European law extends double jeopardy principles in cross-border cases within the EU.

However, the protections for corporates worldwide in relation to double jeopardy principles are more varied and likely to be an area of discussion with law enforcement authorities when a corporate is involved in cross-border investigations in multiple jurisdictions. If the predicate offending has been disposed of in one jurisdiction, double jeopardy will not preclude UK authorities from prosecuting ancillary or incidental offences, such as record-keeping or money laundering offences that occurred in the UK. Nevertheless, there is scope to engage with international regulators with close ties to UK enforcement agencies or mutual legal assistance arrangements with the UK (or both) to ensure that, in practice, one agency takes primary responsibility for the investigation and enforcement, to avoid any undue prejudice when a case spans multiple jurisdictions. Notwithstanding this, frequently corporates will be expected to respond to enquiries simultaneously from agencies inside and outside the UK, and there are no general, formal rights on the part of a company to seek to stay a UK investigation pending the outcome of a foreign investigation or set of criminal proceedings that may have commenced prior to the UK law enforcement agencies becoming involved.

There is no UK policy analogous to the ‘anti-piling on’ policy that exists in the United States. However, in situations of concurrent jurisdiction, there are memorandums of understanding between the various law enforcement and regulatory authorities in the UK. These provide a framework for co-operation between organisations that have (or may have) jurisdiction to prosecute an offence and for determining ‘primacy’ to investigate and prosecute offences.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

Global settlements are becoming increasingly common. In November 2015, a DPA was agreed between the SFO and Standard Bank PLC that was coordinated with the settlement between Standard Bank and the US SEC.

In January 2020, as previously referenced, the SFO entered into a record-breaking DPA with the global aerospace company Airbus SE. This is the world’s largest global resolution for bribery to date.

The SFO will also reference the assistance it receives from foreign authorities at the conclusion of any successful prosecution.

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

Law enforcement authorities in the UK generally try to co-operate with counter­parties in foreign jurisdictions. Usually at the outset of an investigation, the authorities will agree whether one jurisdiction should take precedence in the investigation and prosecution of the matter (e.g., if the majority of the misconduct took place in that jurisdiction or in the jurisdiction of incorporation) or agree what aspect of a larger cross-border enquiry involving a corporate each will lead on if the case involves a number of components.

Even if it is agreed that the predicate offending in a matter should be prosecuted in one particular country, incidental offences, such as books and records offences, can still be prosecuted in the other jurisdictions.

Ultimately, UK authorities are responsible for the conduct of their own investigations and prosecutions. The extent to which a decision by a foreign authority would influence a UK investigation will depend on the particular facts of the matter, the relationship between the UK and foreign authorities, and the relationship between the UK and the other country on a state or institutional level, including any history of co-operation in timely mutual legal assistance or the merits of establishing JITs under the coordination of Eurojust.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

Until recently, domestic sanctions were limited to the counterterrorism regime, with all other sanctions stemming from the EU (including those implementing the sanctions imposed by the United Nations). The regulations adopted by the Council of the European Union imposing sanctions, as a tool of the EU’s Common Foreign and Security Policy, are currently directly applicable in the UK.

The main types of sanctions the UK imposes are:

  • trade sanctions, including restrictions relating to military and dual-use items, certain industrial sectors and the provision of certain services (these sanctions are in addition to the UK’s general export control laws);
  • financial sanctions, including asset freezes; and
  • immigration sanctions, known as travel bans.

There may be specific exceptions under which it is possible to engage in an activity that would otherwise be prohibited. It may also be possible to get a licence or authorisation permitting activities that would otherwise be prohibited.

A principle of most sanctions regimes is the prohibition on knowingly and intentionally participating in activities that have the object or effect of circumventing any sanctions laws.

The Sanctions and Anti-Money Laundering Act 2018 will govern the sanctions regime following the UK’s exit from the EU. The UK government has been taking steps to ensure the uninterrupted application of EU sanctions post-exit, including in the event of a no-deal exit.

On 6 July 2020, the UK introduced its first autonomous sanctions under the Global Human Rights Sanctions Regulations 2020. This is the first time the UK has introduced sanctions measures separate from sanctions imposed by the EU. The Regulations give the UK government the power to designate persons (whether state or non-state actors) who are, or have been, involved in serious violations of human rights.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

Although the EU regulations imposing sanctions are directly effective, UK legislation is required to introduce the penalty regimes that apply for a contravention of sanctions.

The Department for International Trade implements and enforces trade sanctions and other trade restrictions. OFSI, which is part of HM Treasury, implements and enforces financial sanctions. The Home Office implements and enforces immigration sanctions.

The potential consequences for breaching sanctions laws are severe, including unlimited criminal fines, periods of imprisonment for individuals, the disgorgement of any profits and reputational damage.

The 2017 Policing and Crime Act introduced civil penalties for breaches of financial sanctions, available in cases where it is not in the public interest to prosecute.

To date, OFSI has imposed four civil penalties, against Raphaels Bank (February 2019), Travelex (UK) Ltd (May 2019), Telia (October 2019) and Standard Chartered (April 2020).

18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?

The UK has historically had a leading role in developing the EU’s sanctions policy and is embedded in a structure for co-operation on sanctions with other EU Member States.

OFSI has an international engagement branch that is leading an ‘initiative to help promote robust financial sanctions implementation on the world stage, not only through bilateral and multilateral meetings/events but also through technical assistance to other governments’.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Council Regulation (EC) No. 2271/96 protecting against the effects of the extraterritorial application of legislation adopted by a third country and actions based thereon or resulting therefrom (the Blocking Regulation) is currently directly applicable in the UK.

The Blocking Regulation currently applies to certain sanctions imposed by the United States in respect of Cuba and Iran (referred to as the listed extraterritorial sanctions). The Blocking Regulation was updated in August 2018 following the United States’ withdrawal from the Joint Comprehensive Plan of Action known as the ‘Iran deal’.

The Blocking Regulation has the following four main components:

  • EU persons (currently including UK nationals and UK-incorporated entities) and those in the territory of the EU are prohibited, without authorisation from the European Commission, from complying, either directly or through a subsidiary or other third party, actively or by deliberate omission, directly or indirectly, with any requirement or prohibition with the listed extraterritorial sanctions.
  • EU persons whose economic or financial interests are directly affected by the listed extraterritorial sanctions must inform the European Commission of this within 30 days. In the case of EU businesses, the reporting obligation rests with directors, managers and others with managerial responsibility.
  • Judgments or decisions of non-EU courts, tribunals or administrative authorities giving effect to the listed extraterritorial sanctions are not enforceable in the EU. This is intended to shield EU persons, for example, from the effects of any decision requiring seizure or enforcement of any penalty in the EU based on the listed extra­territorial sanctions.
  • EU persons ‘engaging in international trade and/or the movement of capital and related commercial activities between the Community and third countries’ are entitled to recover damages caused to them by the application of the listed extraterritorial sanctions through the courts in Member States. Recovery can take the form of seizure and sale of the assets of the persons causing the damage, their representatives or intermediaries.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

It is a criminal offence in the UK to breach the prohibition or fail to comply with the reporting obligation provided in the Blocking Regulation. This offence is punishable by an unlimited fine.

If a UK national or incorporated entity wishes to comply with any listed extra­territorial sanctions in the Blocking Regulation, authorisation must first be obtained from the European Commission. Applications must be made in writing to the Commission, which will consider whether sufficient evidence has been provided that the interests of the applicant or the EU would be seriously damaged by non-compliance, based on 14 criteria set out in Commission Implementing Regulation (EU) 2018/1101. Authorisation is effective on the date when it is notified to the applicant.

To date, no UK nationals or UK-incorporated entities have been prosecuted for a breach of the Blocking Regulation.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

In addition to the normal means for identifying misconduct, such as audits, screening procedures and whistleblowing, UK companies can become aware of allegations of misconduct through insolvencies, cybercrime or data breaches (e.g., the Unaoil and Panama Papers cases) and due diligence carried out in relation to commercial transactions, including mergers and acquisitions.

Allegations may also arise in hearings, such as employment tribunals and litigation proceedings.

Information gathering

22 Does your country have a data protection regime?

The UK implemented the DPA 2018 to complement the GDPR. The GDPR has direct effect across all EU Member States and applies directly to all organisations processing personal data within the EU. However, it allows each Member State limited opportunities to make provisions for how it applies in that country. The DPA 2018 essentially provides the details of local derogations, such as law enforcement processing. The two must therefore be read side by side. This new legislation supplements existing UK laws such as the Freedom of Information Act 2000 and the Regulation of Investigatory Powers Act 2000, and directly applicable EU legislation, such as the Privacy and Electronic Communications Regulations.

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

In publishing its first intended fines for serious cybersecurity incidents post-GDPR, the ICO has demonstrated its resolve to use the full force of its powers. In July 2019, it reported its intention to fine British Airways £183.39 million in relation to a cyber incident involving the compromise of personal details of more than 400,000 customers. The ICO has also reported its intention to fine Marriott International, Inc more than £99.2 million in relation to a cyber incident whereby the records of approximately 339 million guests globally were exposed. On 16 October 2020, the ICO announced that it would levy a fine of £20 million on British Airways. No further indication of the level of fine to be issued to Marriott International, Inc has been announced.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

Typically, a considerable amount of evidence will be reviewed in the course of any internal investigation and must be handled carefully to ensure compliance with the DPA 2018. It is very likely that it will be necessary to conduct a data privacy impact assessment before processing any information. Decisions taken with regard to the processing and disclosure of data should be made in accordance with the DPA 2018, and all reasons for those decisions should be documented. If any of the data reviewed contain or may contain personal data, particularly sensitive personal data, extra care should be taken. Firms should seek legal advice with regard to what additional measures should be taken in relation to this material. This includes whether redaction of any personal information is required and whether this would be an appropriate mechanism to avoid any data protection breaches.

Further, extra care should be taken in circumstances where there may be a transfer of the data outside the EU. Transfer of personal data to the United States needs particular review following the recent European Court of Justice decision in the Schrems II case, which has invalidated the EU–US Privacy Shield. International transfers generally have also been affected by Schrems II, as the case had some further implications for the use of the Standard Contractual Clauses (SCCs). At the time of writing, the ICO has advised that firms should review international transfers undertaken and be ready to react promptly as extra guidance and advice becomes available. The European Data Protection Board has recommended that firms conduct a risk assessment as to whether SCCs provide enough protection within the local framework, whether the transfer is to the United States or elsewhere. Additionally, unless the UK obtains an ‘adequacy’ decision from the EU following Brexit (and at the time of writing this looks unlikely), the UK will become a ‘third country’ for the purposes of the GDPR, and therefore transfers between the UK and EU Member States may become subject to further safeguard requirements.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

A range of factors must be taken into account when considering the monitoring of employee communications. These typically fall into two categories:

  • reviewing emails sent and received by an employee; and
  • intercepting emails before receipt.

In relation to the review of emails sent and received by an employee, the situation broadly involves considerations under the GDPR, the DPA 2018 and the Human Rights Act 2000. The processing of emails through review will require an employer to consider the extent to which it can satisfy a lawful condition of processing under the GDPR with balancing the data subject and privacy rights. However, consent is not typically a basis on which the processing would take place as, under the GDPR, consent has to be given freely and the ICO has stated that it is unlikely that consent could be so considered in an employer–employee relationship in view of the imbalance of power.

If monitoring does take place, this will often be overt monitoring, in that the employer will set out in its information technology use and privacy policies that it retains the right to access emails and messages sent and received on devices used by employers.

The ICO issued guidance prior to the implementation of the GDPR. As yet this has not been updated but recommends that covert monitoring only takes place in exceptional circumstances; for example, for the detection of crime.

It is essential, if monitoring is taking place, that the employer ensures that it is proportionate and undertaken only for as long as is necessary.

The GDPR sets out circumstances in which it is mandatory to conduct a data protection impact assessment, which includes assessing when processing is likely to result in a high risk to data subjects. As a matter of good practice, it may be prudent to work through a risk assessment prior to processing even when the high threshold has not been triggered, so that essential security and data minimisation measures are considered and adopted where necessary.

Up to 27 June 2018, the Provisions of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) governed the interception of electronic communications during transmission. These have been replaced by the Investigatory Powers Act 2016 (IPA) and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (S 2018/356) (the 2018 Regulations).

Under the IPA, it is a criminal offence to intercept communications without lawful authority. Although the 2018 Regulations include the detection of crime as authorised conduct in certain circumstances, given the criminal implications of interception without proper authority, every case must be assessed on its merits to ensure that the relevant standards are met.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

Authorities that investigate corporate crime in the UK, such as the SFO or HMRC, often conduct dawn raids of business or residential premises under the authority of a search warrant issued by a court. Depending on the specific powers of the law enforcement agency conducting a raid, the raid is often undertaken in conjunction with a local police force.

When a raid is carried out under a warrant (searches without warrant are permissible subject to overarching statutory controls), the authority may only search the premises specified in the warrant and seize items within the scope of the warrant.

In England, Wales and Northern Ireland, certain categories of material, such as confidential journalistic material or personal records created in the course of a business (e.g., patient records in a medical practice) cannot be seized during a raid without additional authorisations being obtained, in some circumstances from particular courts. Different rules apply in Scotland.

In the UK as a whole, legally privileged material cannot be seized unless it was created with the intention of the furtherance of a crime (the crime-fraud exception) or is inextricably linked to other, seizable material. If that is the case, material can be seized but must be sifted to exclude as far as possible any privileged material from the investigating team at the law enforcement agency. In England and Wales, a typical approach is for material subject to a claim of legal privilege to be examined by an independent lawyer before it is examined by the investigating team (and any privilege material excluded). The use of this power is also subject to the Criminal Justice and Police Act 2001, which entitles a corporate’s legal representative to be present at a review of the material and apply to a judge for the material to be returned. In Scotland, there is no statutory framework for dealing with privilege issues and it may be necessary to apply to the courts for the seizure of privilege material to be suspended.

The CMA may conduct a dawn raid of business premises without a warrant.

Some authorities have additional powers that can be exercised during a dawn raid; for example, the SFO and the CMA may compel a person to answer questions relevant to the search, such as regarding the location of certain documents. These powers, and equivalent sanctions, are mirrored by means of disclosure notices issued pursuant to sections 60 to 70 of the Serious Organised Crime and Police Act 2005, although the prosecutor rather than the investigator must sanction the use of these notices.

If there are significant errors in either the process of obtaining a warrant or authorising a raid, or in the execution of a raid, the raid can be challenged by judicial review and rendered unlawful and the material seized during the raid could be rendered inadmissible, or returned to the subject.

The Law Commission is reviewing the law governing search warrants. A consultation on the issue closed on 5 September 2018. In a report laid before Parliament in October 2020, the Commission made 64 recommendations to strengthen law enforcement powers, improve the search warrant process, clarify the rules around electronic material, and strengthen safeguards for those being investigated.

The onset of the covid-19 crisis, both in terms of effects on staff and of physical distancing, has affected the ability of law enforcement agencies to undertake dawn raids which, of necessity, involve numerous officers working in close proximity in an enclosed space.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

As a general rule, legally privileged material cannot be seized during a dawn raid unless the crime-fraud exception applies or where it is inextricably linked to seizable material (as described in question 26), in which case other safeguards, including those set out in question 26, should be adhered to. However, in relation to certain competition investigations, the European Commission does not regard advice from in-house lawyers as legally privileged, so it may seize such material during raids or inspections.

In England, Wales and Northern Ireland, the authorities that investigate corporate crime are routinely accompanied during raids by an independent lawyer specifically tasked with reviewing on-site any material that a company asserts as privileged. It is important, therefore, to be aware of where privileged material is likely to exist so that assertions can be made before items are seized.

If there is a dispute regarding privilege that cannot be resolved in situ, the authority will seize the material by sealing it in an opaque bag for review by an independent lawyer at a later date. The company is entitled to have its legal representative present during that review.

Digital devices containing both privileged and non-privileged items that cannot be separated may be seized or imaged during a raid. In practice, the privileged material will then be quarantined by digital forensic experts within the authority by applying search criteria provided by the company.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

In England, Wales and Northern Ireland, there is a qualified right of silence when being interviewed as a suspect, and a defendant in a criminal trial has a right not to give evidence. In both situations, the right is qualified as, in certain circumstances, adverse inferences can be drawn from this silence.

However, in Scotland the right to silence is not qualified and no negative inference can be drawn from an interviewee’s refusal to answer questions.

A right of silence does not apply when an authority such as the SFO, FCA or CMA (or HMRC or the police when SOCPA powers are in play) exercises specific statutory powers by issuing a notice compelling a witness to answer questions or produce documents. Failure to comply with such a notice without a reasonable excuse can constitute in a criminal offence. However, the contents of a compulsory interview under these powers cannot be used against the individual except in a prosecution specifically for making a false or misleading statement in that interview. In practice, complications can arise when an individual is initially a witness compelled to produce evidence and then later becomes a suspect in a criminal investigation. Any evidence provided in the subsequent interviews conducted under caution can be adduced against the individual.

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

The Public Interest Disclosure Act 1998 and the Public Interest Disclosure (Northern Ireland) Order 1998, as amended, combined with the Employment Rights Act 1996
and the Employment Rights (Northern Ireland) Order 1996, offer statutory protections to whistleblowers.

The dismissal of an employee will be automatically unfair if the principal reason for dismissal is that the individual has made a qualifying ‘protected disclosure’. Workers and employees are also protected from detrimental treatment (e.g., harassment, reduction in pay or dismissal) on the ground that they have made a qualifying protected disclosure.

There is no requirement for a minimum period of service nor is there any financial cap on the amount of compensation that can be awarded. An employee alleging automatic unfair dismissal on the grounds of being a whistleblower may make an immediate application for interim relief, which may result in effective reinstatement. A successful automatic unfair dismissal claim could also result in the individual being reinstated as an employee, although this is rare.

There are no financial incentive schemes in the UK for whistleblowers.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

Suspension pending investigation

Employment legislation does not specifically deal with suspension but case law and guidance issued by the Advisory, Conciliation and Arbitration Service (ACAS, a public body funded by the UK government), in the form of the ACAS Code of Practice on Disciplinary and Grievance Procedures (the ACAS Code), requires that employees be suspended only when this is necessary and that the period of suspension be as short as possible and kept under review. It is also important that employees be informed, preferably in writing, of the nature of the allegations made against them (whether in relation to an internal or external investigation) and, in most cases, suspension should be on full pay and with no loss of benefits. Any failure to follow these principles can result in a breach of the ACAS Code and could be a repudiatory breach of contract. In Northern Ireland, similar provisions apply, pursuant to the Labour Relations Agency, Code of Practice on Disciplinary and Grievance Procedures (the LRA Code).

The right to a fair hearing

The disciplinary process should be carried out in accordance with the ACAS Code. As a minimum, it should include an investigation to establish the facts before proceeding to a disciplinary hearing (assuming there is a case to answer). In good time ahead of a disciplinary hearing, the employee must be informed of the allegations against him or her and the right to be accompanied at the hearing by a colleague or a trade union representative. During the hearing, the accused should be given a full opportunity to answer the allegations before any decision is made by the employer.

Employers should carry out their own disciplinary process irrespective of any third-party finding of guilt (e.g., the police). The employer is still required to follow a fair disciplinary process (in accordance with the ACAS Code) as far as possible. As stated above, in Northern Ireland, compliance with the LRA Code (rather than the ACAS Code) is required but also note that, unlike in Great Britain, statutory dismissal procedures have been retained.

These requirements can be relaxed when employees do not have the requisite length of service with their employer to bring an unfair dismissal claim (two years in Great Britain and one year in Northern Ireland); however, it is best practice to follow a fair process in dismissals, to avoid allegations of whistleblowing or discriminatory treatment.

The right not to be unfairly dismissed

All employees with the requisite length of service have the right not to be unfairly dismissed. In the case of a successful claim, an employment tribunal can order reinstatement or re-engagement, or award compensation. In most cases in Great Britain, compensation is capped at one year’s pay or £88,519 (whichever is lower) plus a basic award of up to £16,140. In Northern Ireland, the one-year pay cap does not apply and unfair dismissal compensation is capped at £88,693, plus a basic award of up to £16,800, although in certain situations, employees can argue that this compensation cap should be disapplied.

The requirement for length of service and the statutory caps on compensation do not apply when the employee successfully alleges that the principal reason for dismissal is that the individual made a qualifying protected disclosure.

Company director considerations

Directors may also be employees (in which case the above will apply in tandem with any specific issues regarding directors’ duties). A director who is not an employee (i.e., a non-executive director) will not be subject to the above rules. However, directors are subject to general duties, which are set out in the Companies Act 2006, contained within a company’s articles and may also be set out in any letter of appointment. The company’s articles and any relevant letter of appointment will include provisions regarding the removal of a director who has acted in breach of one or more of his or her duties under the Companies Act. There are additional regulations that apply to directors of public companies.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

Rights regarding suspension, the right to a fair hearing and the right not to be unfairly dismissed all apply to employees who may have engaged in misconduct. In general, there is no strict employment law requirement to suspend or discipline those suspected of misconduct; that is a decision for the employer. Some heavily regulated employers, such as those within the financial services sector, may have increased obligations around suspension and disciplinary action where employees carry out regulated activities. In some cases, an employee’s misconduct must be reported to the regulator. Employees may also be regulated themselves and will have specific obligations towards the regulator.

Failure to take disciplinary action could be regarded by an authority as evidence of poor corporate culture. Furthermore, failure to suspend or dismiss an employee who is capable of impeding a criminal investigation by destroying documents or alerting or interfering with witnesses, could be regarded as obstruction of the criminal investigation.

32 Can an employee be dismissed for refusing to participate in an internal investigation?

In general, a request to participate in an internal investigation will be a reasonable management instruction and any unreasonable refusal to engage in this process may constitute misconduct in itself. Whether or not an employer could fairly dismiss in these circumstances will depend on the whole context and in particular, the seniority of the employee. At all times, it is important that the employer does not interrogate or put pressure on the employee to make admissions of guilt, and a range of safeguards as to how the investigation is conducted should be considered, to ensure fairness to the employee.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

It is good practice to prepare an initial scope of an internal investigation, potentially with a written investigation plan, with target deadlines and a clear set of tasks where possible, before commencing the investigation proper, setting out:

  • its purpose;
  • the issues to be investigated;
  • the investigation team and reporting lines;
  • how legal privilege will be established and maintained (e.g., the investigation team is instructed by and reports to a lawyer);
  • how digital and hard copy material will be collected and preserved;
  • how staff interviews will be conducted; and
  • any other necessary immediate controls or steps, such as ceasing all future payments to third parties under suspicion.

The scope of an internal investigation and the client team may need to be kept under review, depending on factual findings and other developments that are possible at different stages in the investigation.

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

In UK law, there are generally no formal legal obligations on a company to conduct an internal investigation into its own affairs. However, conduct rules applicable to some companies by the bodies that regulate them may mean an internal investigation is strongly recommended or even required. Generally, from an effective compliance perspective, a company should always investigate an issue as soon as it comes to light to enable the company to take the steps set out below (see also question 37).

The company will also need to consider whether a money laundering report is needed in accordance with the Proceeds of Crime Act 2002 (UK-wide application) and whether any additional report is required for the police in Northern Ireland or Scotland to comply with specific legislation that is applicable in those jurisdictions. In addition, the company should:

  • stop the offending behaviour, otherwise the company could be exposed to a risk of criminal liability itself for allowing potential offending to carry on unchecked and without investigation. Additionally, if the offending conduct has ceased and the company is aware or suspects that it possesses funds obtained from the conduct, but it fails to take any action in regard to those funds (for example, making a suspicious activity report to the NCA), the company could commit a further money laundering offence;
  • if there are grounds for suspecting (where that suspicion is more than merely fanciful) that funds relating to a future transaction may be tainted as the proceeds of crime, it is open to make a Defence Against Money Laundering (DAML) report to the NCA, requesting a defence to proceed with that transaction. The law creates a seven working day moratorium period (subject to extension), after which time, unless withheld, a defence may be deemed. Note that DAML reports are not available for historic transactions;
  • preserve all documents and material relevant to the issue. If a law enforcement authority becomes aware of the matter, it would expect the company to have taken all necessary steps to protect and preserve all material that would be relevant to its criminal investigation (including by creating forensic images of digital material) so that the material could be provided to them eventually. Failure to do so could impede a criminal investigation and would be viewed as a lack of co-operation by an authority. Furthermore, it can be a criminal offence to undertake any acts that can affect the administration of justice. Such conduct may include destroying, falsifying, concealing or disposing of relevant documents when a person knows or suspects an investigation of serious or complex fraud is already being, or is likely to be, undertaken by certain law enforcement agencies (see also the SFO’s updated guidance (dated 6 August 2019) to its Operational Handbook (corporate co-operation guidance section)). Criminal tipping-off considerations may also apply in instances where notifying a suspect of fact where those steps would be likely to prejudice any investigation into money laundering; and
  • take remedial or preventive action to ensure that the offending behaviour cannot occur in the company again.

If a company has failed to take any steps to address an allegation of bribery or facilitation of tax evasion, it is unlikely that it would be able to rely on the ‘adequate procedures’ defence in the event of a prosecution of corporate failure to prevent under the Bribery Act 2010 or Criminal Finances Act 2017.

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

On receipt, the notice or court order should be sent immediately to the appropriate person within the business whose function is to deal with this type of external matter (usually within the legal department). All steps should be taken to ensure that evidence that may be relevant for production under the notice or court order is not deliberately or inadvertently lost, destroyed or altered, and that any individuals who may be involved in possible wrongdoing are not tipped off. The exact scope of the request should be determined, and clarifications sought if the scope is unclear. The deadline for responding should also be diarised. It is advisable to seek external legal advice if the legal department is inexperienced in dealing with such matters.

To the extent that a company has an internal policy setting out the steps to be taken following receipt of a notice or court order, this should be followed. Among other steps, the company should consider circulating document retention notices to ensure all relevant data is preserved, taking forensic images of all potentially relevant data sources (e.g., laptops, PCs, tablets, phones), and compiling a database that can be interrogated for documents falling within the request.

Once reviewed for relevance, the results should be double-checked for privilege, and copies retained of anything provided to the authorities.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

Privately owned companies are not required to publicly disclose the existence of internal investigations or contact from law enforcement.

Under the UK Listing Rules, publicly listed companies must issue a market announcement of any major new development that may affect their business without delay, if the development may lead to a substantial share price movement. A notice compelling the provision of documents would be unlikely to require an announcement, but confirmation from the authority that the company was a suspect in a criminal investigation would be likely to require an announcement.

Organisations that are authorised by the FCA also have an obligation to disclose to it anything relating to the firm of which it would reasonably expect notice. This would include breaches of UK laws and regulations, civil, criminal or disciplinary proceedings against a firm and fraud, errors and other irregularities.

Pubic companies are also required to complete a fraud and error declaration as part of their audit process, expressly referencing not only material misstatements but suspicions of fraud or control failures. A person commits a criminal offence pursuant to section 501 of the Companies Act 2006 if they knowingly or recklessly make a misleading, false or deceptive statement to an auditor.

37 How are internal investigations viewed by local enforcement bodies in your country?

UK authorities have publicly stated that they are not opposed to internal investigations that are carried out in a manner that would not impede a criminal prosecution. They expect data-gathering exercises to be carried out promptly, covertly and coordinated across multiple sites simultaneously. ‘Covert’ in this context is intended to ensure potential suspects in a later criminal investigation are not tipped off prior to data collection and so given an opportunity to destroy or delete incriminating material. It does not mean that companies should conduct internal investigations in a manner that involves unlawful surveillance or data-gathering techniques (whereby they could be separately liable for other offences). In practice, digital material should be forensically imaged and preserved by information technology specialists. All procedures used to gather and image data should be recorded and then fully disclosed to the relevant law enforcement authority.

Additionally, UK authorities expect that full and accurate accounts are made of any witness interviews and, in some circumstances, consideration may need to be given to whether certain interviews should be conducted at all. This is particularly important if there is a risk of criticism that a corporate conducted an interview knowing that a law enforcement agency would wish to speak to a witness first and obtain a first account from a witness prior to any internal investigation or review.

The SFO has repeatedly said that it expects to be given interview notes by corporates seeking to demonstrate co-operation in their investigation. While this is tempered to an extent by an acknowledgement that disclosure is not required when legal professional privilege applies, when such a claim is without foundation, co-operation is likely to be cast into doubt in the absence of such a disclosure.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

Legal professional privilege has traditionally been claimed over various aspects of internal investigations, which has increasingly been disputed by law enforcement authorities. However, in a 2018 Court of Appeal case, Eurasian Natural Resources Corporation Limited (ENRC) successfully repelled a challenge by the SFO relating to claims of privilege by the corporation. The SFO sought to challenge claims to privilege by ENRC regarding various documents that were produced by lawyers and forensic accountants during an internal investigation into allegations of bribery and corruption that had arisen from a whistleblower report. The documents in question fell into four categories:

  • category 1: notes taken by lawyers of interviews conducted during an internal investigation;
  • category 2: materials generated by forensic accountants as part of a ‘books and records’ review;
  • category 3: documents, such as presentation slides, containing or surmising factual evidence, that were used by lawyers to present to ENRC; and
  • category 4: emails between a senior executive and the head of mergers and acquisitions at ENRC, who was a Swiss qualified lawyer.

The Court of Appeal held that documents falling into categories 1, 2 and 4 were protected by litigation privilege. The High Court had already held that the factual updates provided in category 3 were protected by legal advice privilege.

In short, the Court of Appeal held that a criminal investigation by the SFO could be ‘litigation’ for privilege purposes and that although a party anticipating possible prosecution will often need to make further investigations before it can say with certainty that proceedings are likely, that uncertainty does not in itself prevent proceedings being in reasonable contemplation. The fact that ENRC did not have the information required to evaluate the whistleblower email, therefore causing it to be uncertain as to whether a crime had in fact taken place, was not a bar to having the protection of litigation privilege. The Court opined that it would be wrong to deny a potential defendant the benefit of litigation privilege when asking his or her lawyer to investigate the circumstances of the alleged offence. It concluded that ENRC did contemplate that prosecution was possible when the documents in question were created and these documents were therefore protected by litigation privilege.

The Court of Appeal decision went some way to restoring the status quo in relation to privilege but much of the reasoning in the case is highly fact specific; the judgment should not be interpreted to extend litigation privilege to all documents created in all internal investigations. Many pitfalls remain, with challenges increasingly likely by opponents and regulators and privilege issues continue to trouble businesses, their lawyers and the courts. Although some cases have confirmed the status of legal professional privilege as a fundamental right, there are no guarantees that any document created during an internal investigation will be legally privileged. Nevertheless, steps can be taken to maximise the chance of succeeding with such a claim, such as:

  • involving lawyers (whether external or in-house) as soon possible;
  • marking all communications pertaining to legal advice as ‘privileged and confidential’;
  • segregating privileged and non-privileged documents;
  • refraining from forwarding or creating new documents that summarise legal advice received;
  • encouraging employees not to amend or quote extracts from legal advice;
  • if there is the reasonable possibility of potential litigation at a later stage, recording this in writing when the future possibility arises in an internal investigation, to evidence any subsequent legitimate claim for litigation privilege; and
  • only circulating legal advice and privileged material on a strictly need-to-know basis.

Parties are able to obtain legal advice in the context of an internal investigation, and confidential communications between a lawyer and a client, provided they are for the dominant purpose of seeking or giving legal advice, are likely to be privileged under legal advice privilege principles. These principles generally do not protect communications involving third parties. However, the Court of Appeal in ENRC has expressly left open a question as to whether aspects of current UK law on legal advice privilege (see the Bank of England BIU case) should be reviewed at a later date by the UK Supreme Court. Subsequent cases (such as Glaxo Wellcome v Sandoz [2019] EWHC 2545) have echoed similar disquiet at the current state of the law in this respect, and in particular the very narrow definition of ‘client’ for these purposes. It is likely, therefore, that the subject of privilege in internal investigations will be a matter of continuing development of UK law.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

There are two main forms of legal professional privilege in the UK: (1) legal advice privilege, which protects confidential communications (and evidence of those communications) between a lawyer and a client (but not communications with third parties), provided that the communications are for the dominant purpose of seeking and receiving legal advice; and (2) litigation privilege, which protects confidential communications (and evidence of those communications) between a lawyer and a client or third party, or both, or between a client and a third party, created for the sole or dominant purpose of obtaining information or advice in connection with the conduct of existing or reasonably contemplated litigation (including avoiding or settling, as well as defending or resisting, that litigation).

The holder of the privilege is the client and survives the death or dissolution of the client (Addlesee v Dentons [2019] EWCA Civ 1600).

In the case of corporate investigations, the client tends to be represented by the group of individual employees or directors charged with seeking and receiving legal advice on behalf of the company (or commissioning or conducting the internal investigation) rather than the entire corporate entity. This group of individuals usually includes the in-house legal team and some or all of the board of directors or subcommittee established by a company, but this group should be defined as soon as any external lawyers are engaged or at the outset of an investigation. This helps to ensure that there is a defined group from whom instructions by lawyers can be received and to whom advice is provided, which safeguards any claim of legal advice privilege.

It is crucial to consider, in any given context, who is the lawyer’s client for that particular purpose; an individual can be a lawyer’s ‘client’ and is therefore entitled to communicate information to the lawyer under protection of privilege, for one purpose but not others (see Glaxo Wellcome).

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

Yes, although not in the context of an antitrust and competition investigation by the European Commission. In-house counsel must always be careful to ensure that they distinguish between legal advice and advice that is commercial in nature, since the latter will not attract legal professional privilege.

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to (internal or external) investigations in your country?

Advice sought from foreign lawyers in investigations in the UK is subject to the same legal professional privilege as advice sought from lawyers within the UK. The UK courts will apply UK law on privilege to determine the extent to which privilege applies. If a document satisfies the test for legal advice privilege or litigation privilege under UK law, the document will be treated as privileged. This decision is made regardless of whether that document would not have been privileged under a foreign law.

This principle can have the opposite effect in respect of any documents that would be privileged under foreign law but do not meet the requirements for privilege under UK law. The foreign privileged documents would not attract legal professional privilege in the UK.

42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?

UK authorities have frequently stated that they have no interest in communications between a client and its lawyers as to questions of liability or rights; however, in recent years, law enforcement agencies, such as the SFO, have challenged assertions of legal professional privilege over factual aspects of internal investigations and have expected the waiver of claimed legal professional privilege in the event of any self-report. The authorities have stated previously that a refusal to waive a well-made-out claim of legal professional privilege will not be held against a company, but a waiver of such a claim would be good evidence of co-operation. False or exaggerated claims of legal professional privilege will continue to be considered strong evidence of not co-operating and will be challenged. The 2018 ENRC Court of Appeal judgment has confirmed that even when a party may lead the SFO to believe that it might in future waive privilege over certain documents, this does not in itself amount to a waiver of privilege and would only amount to such a waiver in the event of a formal agreement.

In summer 2019, the SFO issued some long-awaited guidance on its requirements for a company to be considered to be adopting a co-operative approach with the SFO in relation to allegations of fraud, bribery, money laundering and a failure to prevent the facilitation of tax evasion, which will influence its charging decisions. Other regulators may refer to the guidance in assessing whether the subject of an investigation has co-operated. In relation to legal professional privilege, the guidance provides that ‘if the organisation claims privilege, it will be expected to provide certification by independent counsel that the material in question is privileged’.

With regard to witness accounts collated in the course of internal investigations (presumably prior to reaching a conclusion that there was a potential corporate offence that should be notified to the SFO), companies are expected to provide those witness accounts to the SFO as a mark of co-operation.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

There is a concept of limited waiver of legal professional privilege, and it is for the individual or entity waiving the privilege to determine the extent of the waiver.

It is important to be very clear as to the scope of the waiver with regard to the purpose for which the privileged information can be used and with whom it can be shared, particularly if a party seeks to prevent the information being shared with other domestic or foreign enforcement authorities or parties in any related civil proceedings. Generally, there are various gateways where evidence is shared between law enforcement agencies in the UK (and sometimes elsewhere), and proposals for a limited waiver from a corporate may not be acceptable to a law enforcement agency given the wider duties of disclosure or information-sharing.

It is particularly important to beware of ‘cherry picking’, that is voluntary waiver of privilege in one document (or part of a document) to prove a point can lead to unintended waiver in related material (see Kasongo v. Humanscale [2019] UKEAT and PCP Capital Partners v. Barclays Bank plc, 2020 EWHC 1393). When a party to proceedings or potential proceedings deploys privileged material to support its case, the ‘cherry picking’ rule (also known as the principle of collateral waiver) means that the waiver may extend more broadly than intended. A court or tribunal may require the relevant party to disclose further privileged material, which relates to the same issue or transaction, to avoid giving an unfair or misleading impression based on the material disclosed.

The issue of limited waiver has also arisen in relation to an entity’s obligation to provide documents to its regulator. Although it is generally accepted that any privilege a client has in documents is not lost by their provision to a professional adviser on a limited waiver basis, recent case law has confirmed that in an issue with that adviser’s regulator, the adviser must form its own view on whether the documents are in fact privileged and therefore can be withheld and are not simply to restate an assertion to privilege made by their client (A v. B and another, 2020 EWHC 1491). This can be challenging for advisers, who could potentially find themselves facing either a sanction for not handing requested documents to the regulator, or a claim from their client for inappropriately releasing privileged material. Moreover, the issue can be particularly problematic if the client operates a global business, for example, in large group audits with audit files spanning multiple jurisdictions. The auditor may well require specialist foreign law advice in addition to English law advice. It is possible to have the status of a document as privileged or otherwise determined by the court, but this can be costly.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

This will depend on a number of factors, including the terms of the waiver, the circumstances in which the material was received by the UK authority, and whether the UK authority disputes the claim of privilege, for example, if the UK authority asserts that the material falls within the crime-fraud exception.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Common interest privilege exists in most parts of the UK (opinions are divided as to its existence in Scotland) and can be used to preserve privilege in documents disclosed to third parties who have, at the time of the disclosure, a common interest in the subject matter of the privileged document or the litigation for which the document was created.

It is advisable when disclosing information under the common interest privilege to ensure that the recipient understands that the document has been disclosed on this basis and to obtain undertakings from the recipient that the privilege will not be waived. Typically, in criminal-related investigations, common interest privilege has very limited practical scope, because it is often in doubt whether two parties do, in fact, have a common interest.

46 Can privilege be claimed over the assistance given by third parties to lawyers?

Privilege can be claimed over confidential communications (and evidence of those communications) between a lawyer and a client or third party, or both, or between a client and a third party, created for the sole or dominant purpose of obtaining information or advice in connection with the conduct of existing or reasonably contemplated litigation (including avoiding or settling, as well as defending or resisting, that litigation).

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

An internal investigation is a fact-finding exercise and interviews will often be central to any internal investigation. However, it is advisable always to be sensitive to the expectations of investigating authorities, to avoid any criticism that interviews could have prejudiced the law enforcement investigation.

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

As set out in question 38, the Court of Appeal held in ENRC that, on the facts of that case, factual notes of what is said by a witness to a lawyer constituted a privileged document.

It should also be borne in mind that when proceedings are not in contemplation, communications between interviewees and counsel not made in the course of giving instructions to counsel will not attract litigation privilege or legal advice privilege. Only communications between counsel and those entrusted by the company to give instructions to counsel will attract legal advice privilege.

As stated in question 42, in summer 2019, the SFO issued awaited guidance on its requirements for a company to be considered to be adopting a co-operative approach with the SFO, which includes guidance on witness interviews. The Law Society’s position is that no client should be put under pressure to waive privilege or conduct their affairs in such a way that properly construed privilege does not apply.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

Although there are no general, formal requirements when conducting witness interviews as part of an internal investigation, best practice dictates that, irrespective of whether the interviewee is an employee or a third party, they should be informed:

  • that the interview is part of a fact-finding exercise and, if applicable, in contemplation of litigation;
  • if they are implicated in any wrongdoing;
  • that the lawyer conducting the interview represents the company and not the interviewee;
  • that the interview notes created by the lawyer belong to the company and therefore any privilege in the notes rests with the company;
  • the company may choose to provide the notes to an authority (and this is at its election); and
  • that the interview is confidential and the contents of the interview should not be discussed with other employees or witnesses (to avoid contaminating their recollection and generally to protect the integrity of the process).

Care should also be taken not to taint a witness’s recollection, for example by disclosing previously unseen material or discussing another witness’s statement.

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

It is common for interviewees not to be legally represented in initial fact-finding interviews during internal investigations; however, companies should not refuse a request from an individual to be legally represented at his or her own expense. In other circumstances, for example when employees may incriminate themselves during an interview, there are compelling ethical reasons why a company may suggest that an employee may wish to obtain his or her own independent legal advice.

Documents can be put to the interviewee. A copy of each of the documents referred to, or an interview pack, should be retained as part of the record of the interview, as a matter of good internal investigation practice. The manner in which interviews are conducted during the course of internal investigations has recently been the subject of scrutiny by the courts.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

The Proceeds of Crime Act 2002 (POCA) places a specific duty on employees of regulated businesses (i.e. financial services firms and professional services such as lawyers and accountants) to make a report to the NCA when they have reasonable grounds to know or suspect that another person is engaged in money laundering and that knowledge came to them within the course of their regulated business. Failure to make a report in those circumstances carries a risk of imprisonment or a fine, or both, for individuals (and fines for companies), unless, in the case of individuals, they have reported to their firm’s money laundering reporting officer (MLRO). Other similar offences arise in the case of MLROs who have failed to report to the NCA, given their designated statutory duties to do so.

Any company (regulated or non-regulated) should make a report to the NCA if it has a suspicion that it possesses funds obtained as a result of suspected criminal conduct by the company or its employees, as this may be a money laundering offence under POCA. Other offences can arise if transactions involve the facilitation of money laundering offences by other persons. A report to the NCA of any of these types of suspicions can provide a statutory defence to money laundering if made as soon as practicable.

A money laundering report to the NCA is not a self-report for the purposes of a DPA (see question 52) or mitigation of sentence. A self-report must be made directly to the relevant authority, such as the SFO.

In Scotland, there is an obligation to report any knowledge or suspicion of serious organised crime to the police when this knowledge or suspicion originates from information obtained in the course of business or as a result of a close personal relationship (Criminal Justice and Licensing (Scotland) Act 2010). In Northern Ireland, additional reporting duties apply under the Criminal Law (Northern Ireland) Act 1967.

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

The question of when and whether to self-report in the UK has been the subject of considerable debate following the Rolls-Royce case, which involved a DPA (notwithstanding that there was no self-report) and the Airbus SE case, respectively.

Prior to the DPA agreed in Rolls-Royce in January 2017, it was considered advisable for a company to self-report if it wished a matter to be settled by way of a DPA; the SFO had articulated that one of the preconditions of a DPA was a genuinely proactive approach by the company, including a full self-report (i.e., complete disclosure of the facts).

However, doubt was cast on whether a self-report was a precondition to a DPA in light of the DPA secured by Rolls-Royce in circumstances that did not follow a self-report. The SFO, and indeed the court in approving the DPA, emphasised that the circumstances in which Rolls-Royce secured a DPA, notwithstanding that it had not self-reported, were due to the extraordinary level of co-operation with the SFO that followed once the offending conduct was already known in part to law enforcement authorities.

In respect of Airbus SE, the commercial and defence and space divisions were charged with five counts of failure to prevent bribery. The conduct covered by the UK DPA took place across Sri Lanka, Malaysia, Indonesia, Taiwan and Ghana, between 2011 and 2015. In her judgment, The Right Honourable Dame Victoria Sharp remarked that the seriousness of the criminality in this case was grave, with worldwide conduct that took place over many years. The considerations applied by the court, which nevertheless awarded a 50 per cent reduction, are set out in question 8, but notwithstanding the quantum of the award, the reduction underlines the need to focus on the central importance of self-reporting to the eventual outcome.

As stated in question 42, the SFO has now issued guidance on what it considers amounts to co-operation with its investigations, including a requirement to report a suspected fraud or bribery within a reasonable time of the suspicion arising. The guidance makes it clear that co-operation will be a relevant factor in making charging decisions (i.e., whether to prosecute, recommend a DPA or take no further action). There is no presumption that self-reporting will lead to no further action.

The SFO does not publish details of the self-reports that have led to no further action. Whether a DPA will be available in the absence of a self-report in future remains to be seen.

The question of when, and indeed whether, to self-report came into sharp focus again in relation to the Tesco Stores Limited DPA and subsequent acquittal of its senior executives. After discovering issues in the executives’ financial statements, Tesco referred itself to enforcement authorities. On 10 April 2017, Tesco entered into a DPA in respect of false accounting charges. This decision has subsequently been called into question by some following the collapse of the trial of two Tesco executives accused of the same false accounting. The judge concluded that the SFO’s evidence, taken at its highest, was such that a jury could not properly convict. The SFO subsequently offered no evidence at the trial of a third director.

Similar questions were raised following the DPA between the SFO and Güralp Systems Ltd, details of which were published in December 2019, where again subsequent acquittals of individuals allegedly involved in the wrongdoing prompted questions as to the value of companies self-reporting.

Therefore, companies must carefully assess the evidence against them before entering into a DPA. In cases that do not involve a ‘failure to prevent’ offence, the company may be hesitant to enter into a DPA, given the difficulties of prosecuting these offences. The importance of making the correct decision is reinforced by the expense of a DPA and the requirements of extensive co-operation with the SFO.

Note that DPAs are only available to corporate defendants and not to the individual employees or directors involved in the criminal conduct.

53 What are the practical steps you need to take to self-report to law enforcement in your country?

Before making a self-report, a company should undertake the appropriate level of investi­gation to ascertain the extent and nature of the offending, ensuring that the company will not be taken by surprise by further issues that could arise in the course of a criminal investigation.

UK authorities have advised that for a company to be afforded full credit for making a self-report, it must be made within the context of a genuinely proactive and co-operative approach by the company. The SFO’s Corporate Co-operation Guidance and HMRC’s Corporate Criminal Offence reporting portal set out the steps they expect an organisation to take to demonstrate co-operation.

The SFO’s outline of the process to be adopted by corporate bodies or their advisers when self-reporting provides that:

  • initial contact, and all subsequent communication, must be made through the SFO’s intelligence unit, using the secure reporting form;
  • hard copy reports setting out the nature and scope of any internal investigation must be provided to the SFO’s intelligence unit;
  • all supporting evidence, including, but not limited to, emails, banking evidence and witness accounts, must be provided to the SFO’s intelligence unit; and
  • further supporting evidence may be provided during the course of any current internal investigation.

In Scotland, the COPFS’s self-reporting policy, which applies in relation to corporate bribery offences, requires a written report to be submitted on the company’s behalf by a solicitor.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

It is both possible and desirable to enter into a dialogue with the relevant authority before or on receipt of a notice or warrant to discuss any concerns the company has, for example that the deadline for compliance is unreasonable, or the description of the information and documents requested is unclear.

The authority should be willing to discuss such concerns and work with the company to find a reasonable and practical solution, so long as the result is that the relevant information and documents are ultimately received in a timely manner. With regard to search warrants served on businesses, the police do not usually contact a business to discuss the terms of a warrant prior to turning up and executing the warrant. However, depending on the circumstances, the police may be willing to discuss the implementation of the warrant to avoid unnecessary disruption to the business’s legitimate activities and the risk of the warrant being challenged.

Materials subject to legal professional privilege may be withheld when responding to a search warrant. Warrants often do not address how privileged materials should be handled, and dealing with issues of privilege tends to be a matter for negotiation. The legal agent for the company should object to privileged materials being reviewed or seized and offer to set aside potentially privileged materials for subsequent review by the company’s legal agent. If the authority will not agree to this course, it may be proposed to appoint independent counsel (usually an advocate, barrister or solicitor) to review potentially privileged material and to make a determination as to whether or not the material is, in fact, privileged. If the authority will not agree to proceed on that basis, the legal agent for the company should insist that any privileged material should be sealed, unread, and delivered to the court to enable it to adjudicate upon the matter. In the event that such suggestions are not acted upon by the authority, the company may need to seek to overturn the warrant by presenting to the court a judicial review (or a bill of suspension in Scotland). (See also question 27.)

55 Are ongoing authority investigations subject to challenge before the courts?

The exercise of powers by any public authority, such as in undertaking an investigation, can be challenged by application to the court for a judicial review (a bill of suspension in Scotland) if considered to be unlawful.

If found to be unlawful, the court can order various remedies, such as stopping the exercise of that power, rendering it ineffective, or awarding damages.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

While attempting to deal with notices or court orders issued by various jurisdictions as one consistent disclosure package would reduce effort and costs, it is generally advisable to deal with them separately but have protocols in place to ensure consistent approaches are maintained to any relevant documents to be produced. Court orders and notices issued under compulsory powers usually negate data protection laws and any obligations of confidentiality to third parties. Consequently, civil proceedings cannot be brought by third parties against a company for its actions in providing material in response to a lawful court order or compulsory notice as long as the material provided was within the scope of the notice or order. However, if the company voluntarily provides material beyond the scope of the notice or order, and in doing so breaches a confidentiality obligation or data protection law, it could expose itself to claims.

To avoid creating risks of civil and criminal liability, notices and orders should be responded to separately unless the company is able to satisfy itself that the scope of the orders or notices from each of the jurisdictions are identical in all important respects.

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?

In general, if information is in the control of a company (e.g. a parent company with a right to take possession, inspect or take copies of a subsidiary’s documents), the company will be expected, and may be required, to search for and produce all requested material, even when it is located in another country. In practice, if a company wishes to seek credit for co-operation, it should comply with any reasonable requests, whether or not it is required to. (See also question 11.)

The exception is when the data protection legislation in the other country does not permit the removal or transfer of the data from that jurisdiction. In those cases, the requesting authority will generally need to use mutual legal assistance to obtain the material through foreign counterparts.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?

The UK authorities can and do share information and investigative materials with authorities in various other countries (for intelligence purposes and the detection and prevention of crime), whether or not there is a mutual legal assistance agreement with that country. This occurs regardless of whether the country is providing information or materials in return, although reciprocity is generally expected.

Where material is required for a prosecution, a mutual legal assistance request must be made. UK law authorities will only provide assistance that conforms with the UK’s laws and international obligations.

A list of the international mutual legal assistance and extradition agreements to which the UK is a party can be found on the UK government website (www.gov.uk/government/publications/international-mutual-legal-assistance-agreements).

The UK authorities can provide further assistance by conducting dawn raids in the UK on the foreign authority’s behalf, interviewing witnesses or suspects, freezing assets, or arresting and extraditing suspects.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

Law enforcement authorities have a general duty not to disclose information or material received during the course of an investigation, and which is not otherwise in the public domain, unless the public interest in the disclosure outweighs the private interests of the owner. Furthermore, before disclosing information to a third party, the law enforcement agency should provide the owner with sufficient notice of the request to allow an opportunity for objections to the disclosure (Marcel and Others v. Commissioner of Police of the Metropolis and Others [1992] 2 WLR 50). Any objections should be considered and advance notice should be provided of an intention to disclose regardless. Notice does not have to be given when it would be inappropriate or impracticable to provide notice, for example if it would prejudice an investigation by the law enforcement agency requesting the information (R (on the application of Kent Pharmaceuticals Ltd) v. Serious Fraud Office and another [2004] All ER (D) 191 (Nov)).

Section 3 of the Criminal Justice Act 1987 (the Act) further limits disclosure by the SFO to third parties. Information obtained during the course of an investigation by the SFO can only be disclosed to certain specific government departments or bodies, or competent authorities specified in the Act, and only for the purposes of any criminal investigation or criminal proceedings, whether in the UK or abroad and for the purposes of assisting any public or other authority under the order. The list of competent authorities is comprehensive and includes any entity with supervisory, regulatory or disciplinary functions; however, it does not include liquidators, provisional liquidators, administrators or administrative receivers.

Section 18 of the Commissioners for Revenue and Customs Act 2005 contains an additional statutory duty of confidentiality that criminalises the wrongful disclosure of information about, acquired as a result of, or held in connection with a function of HMRC. Disclosures made by HMRC will therefore be made in accordance with specific statutory gateways, such as section 19 of the Anti-terrorism, Crime and Security Act.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

In these circumstances, the company should not provide the documents, but should inform the requesting authority of the reason why these documents cannot be provided (i.e., that the data protection laws in the other country constitute reasonable excuse for lack of compliance).

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

The collection and use of personal data in the UK are governed by the DPA 2018, including restrictions on the disclosure of personal data. Personal data is defined as data that relates to a living individual who can be identified from that data. However, broadly speaking, the non-disclosure provisions in the DPA 2018 do not apply if the material is requested by a notice or court order issued on the grounds that the material is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, the assessment or collection of any tax or duty, or of any imposition of a similar nature.

The term ‘blocking statute’ is generally not applicable except in the field of financial and trade sanctions, for which there is blocking legislation in relation to specific US sections that have extraterritorial application.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

When material is provided voluntarily and without restrictions, the authority is free to share it with third parties or other authorities, and to use it for any purpose.

In general, it is advisable only to provide material voluntarily having obtained contractual undertakings that agree the restricted basis on which the material has been provided (e.g., only for use by that authority in the course of an investigation and not to be shared with other parties).

While contractual undertakings restrict an authority’s ability to voluntarily provide material to other parties, they do not prevent third parties from obtaining court orders against the authority requiring production of the material. However, production orders should only be granted when it is in the interests of justice, and the fact that the material came into the possession of the authority under the restrictions imposed by the undertakings may lead a court to determine that it is not appropriate to grant a production order against the authority in that context, particularly as the third party could attempt to obtain the documents from an unfettered source, such as the company.

In general, authorities are restricted as to how they can share material they obtain as a result of exercising their compulsory powers or court orders, and customarily such material should only be shared when it is necessary for an investigation and the disclosure is proportionate.

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Penalties on conviction include imprisonment for individuals, fines, compensation and confiscation orders. Individuals can also be disqualified from being a director of a company for up to 15 years. When DPAs are agreed, monitoring may be imposed.

Companies convicted of certain offences, including active bribery and money laundering, must also be debarred from public tendering for up to five years.

Regulatory authorities can impose additional penalties. For example, the FCA can withdraw a firm’s authorisation and prohibit it from undertaking specific regulated activities for up to 12 months, prohibit individuals from carrying out regulated activities, or impose fines on firms or individuals. The Prudential Regulation Authority (which is responsible for the prudential regulation and supervision of around 1,700 banks and other firms) can restrict a firm’s permission to conduct regulated activities or impose a fine. HMRC can also consider the imposition of restrictions in respect of regulation or licensing regimes for matters under its control, such as those that apply to the regulation of controlled oils or excise warehousing.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

The Public Sector Procurement Directive (2014/24/EU) was transposed into UK law by the Public Contracts Regulations 2015 (the 2015 Regulations). Under these Regulations, companies must be excluded from public procurement if they have been convicted in the past five years of any offences from a list that includes conspiracy, corruption, bribery, money laundering and fraud. The corporate offence of failure to prevent bribery (section 7 of the Bribery Act 2010) is not included in this list of offences and does not require mandatory debarment.

The 2015 Regulations also provide a list of offences that carry discretionary debarment for up to three years, including professional misconduct, non-payment of tax and distortion of competition.

However, the 2015 Regulations allow companies to recover eligibility to bid for public contracts following a debarment by demonstrating evidence of self-cleaning, such as the payment of compensation to the victim of the offending, clarification of the facts and circumstances of the offence in a comprehensive manner, co-operation with the investigating authority, and the implementation of appropriate measures to prevent further criminal offences or misconduct.

65 What do the authorities in your country take into account when fixing penalties?

When fixing penalties following conviction, courts must have regard to the sentencing guidelines published by the Sentencing Councils for England and Wales and Scotland.

Specific sentencing guidelines were published in 2014 for England and Wales in respect of corporate fraud, bribery and money laundering offences providing that, when sentencing a company, the court must first determine whether compensation or confiscation orders should be made. Thereafter, the court should consider, inter alia, the following issues:

  • the level of culpability and financial harm;
  • any aggravating or mitigating factors, for example whether the criminal activity was endemic or whether the corporate offered full co-operation with the law enforcement authority during the investigation;
  • the financial circumstances of the company; and
  • the stage at which a guilty plea was entered (if the matter was not contested).

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

DPAs have been available in England and Wales (as a result of the Crime and Courts Act 2013) since 2014 as an alternative disposal for corporate offending. DPAs are not currently available in Scotland, where a civil settlement regime applies, or in Northern Ireland. Non-prosecution agreements do not exist in the UK, although HMRC applies a published selective prosecution policy and so, in a range of situations, may pursue suspected wrongdoing by means of its civil powers, most specifically by the use of the ‘contractual disclosure facility’, which affords immunity from criminal action if full material disclosure is made within a civil enquiry and settlement into an individual (rather than body corporate).

The SFO and CPS have published a Code of Practice explaining the DPA process (the CPS rather than HMRC will determine the merits of seeking to agree a DPA in respect of domestic tax facilitation prosecutions). The SFO issued guidance in summer 2019 setting out factors amounting to co-operation with its investigations and, in October 2020, published a chapter from its handbook adding to the transparency around how it engages with companies when a DPA is in prospect.

A prosecutor may invite, at its discretion, a corporate suspect into DPA negotiations if it determines that having identified the full extent of the offending, the evidential test has been satisfied and the public interest would benefit from a DPA. Until the Rolls-Royce case, the orthodox view was that a corporate will only be invited to negotiations when a self-report has been made and the corporate has fully co-operated with the authority. Following Rolls-Royce, it is possible that a DPA may be negotiated in wider circumstances, including when there has been no self-report but subsequent extraordinary co-operation by a corporate with the law enforcement authority.

If it is possible to agree the terms of a DPA and a statement of facts, the corporate will be formally charged with the criminal offence or offences and the matter will be brought before a judge for approval. The judge will only approve the DPA if satisfied that it is in the interests of justice and the terms are fair, reasonable and proportionate. The judge can adjourn the matter to obtain further information or clarification as to the facts or terms.

If judicial approval is given, the criminal proceedings will be suspended for a set period as defined by the terms of the DPA. The terms and facts of the DPA will then be published on the authority’s website.

If the corporate complies with the terms of the DPA, the criminal proceedings will be formally discontinued at the conclusion of the set period. If the corporate breaches the terms and the breach cannot be remedied, the criminal proceedings will resume.

DPAs carry the advantage of avoiding a conviction, affording the opportunity of speedier resolution (relatively) and to continue trading under agreed parameters. They also enable the corporate to avoid the time and costs of an open-ended, lengthy and uncertain criminal investigation and trial that can adversely affect share price and access to finance, and cause difficulties in tendering.

The obvious disadvantage of entering into a DPA is if a corporate has substantially accepted that its conduct would have constituted a criminal offence, and then will need to accept penalties based on a prosecution case that has not been tested at trial, where a corporate could potentially have been acquitted of the relevant charges (as in the Tesco Stores Limited cases discussed in question 52). A further disadvantage to be carefully considered is that the terms of a DPA are likely to include regular monitoring and audit by an independent monitor (typically a large accountancy or law firm) for which the company will bear the costs.

To date, eight DPAs have been agreed in the UK.

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

Reporting restrictions can be placed on DPAs while criminal proceedings against connected individuals are under way in the UK. Reporting restrictions were imposed on the Sarclad and Tesco DPAs because of ongoing proceedings against the individuals allegedly responsible for the misconduct. Following the conclusion of those proceedings, the reporting restrictions were lifted.

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

Before entering into a settlement with a law enforcement authority, a company should assess: the merits and strength of the prosecution and defence cases; the likelihood of conviction; the expected time, cost, reputational damage and other adverse effects of a lengthy investigation and trial; and the likely penalties in the event of a conviction, including possible debarment from public procurement tenders.

The company should then carefully assess the terms of the proposed settlement, including the effect that continuing co-operation could have on the business (legal costs, staff resources, etc.); whether the settlement will resolve the matter in all relevant jurisdictions and, if not, the effect the settlement could have in regard to ongoing investigations in other jurisdictions (e.g., whether the authority that has settled will disclose information and assist foreign authorities); and any other adverse effects that the settlement could have on the future of the business.

Ultimately the company should balance the seriousness of the charge and the potential consequences of a conviction (including whether it results in debarment) against the terms of the settlement, as in some circumstances the terms of a settlement, including, for example, the costs of regular review and monitoring by an independent monitor (typically a large accountancy or law firm), could be more disadvantageous to a company than a conviction.

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

The Crime and Courts Act 2013 and the related guidance permit the appointment of monitors in appropriate cases. The Deferred Prosecution Agreements Code of Practice (the DPA Code) sets out the roles, duties and mechanics of appointing monitors as a term of a DPA. The DPA Code stops short of requiring or even encouraging the appointment of a monitor as a condition of a DPA.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

Parallel private civil actions are allowed. Generally, but not always, the criminal proceedings will take precedence and civil proceedings can be stayed for the duration of the criminal investigation, so as not to prejudice any criminal proceedings.

Private plaintiffs will only gain access to specified information in the authority’s files if they obtain a court order. Before making any such order, the court would carefully consider the reason why the private plaintiff requires the information, whether the plaintiff would be able to obtain the information from any other source, the method by which the authority obtained the relevant information, for example if it was obtained under compulsory powers, and whether the information is likely to contain any confidential, privileged or personal information relating to third parties.

Increasingly, small numbers of private criminal prosecutions involving allegations of fraud are being conducted in the courts of England and Wales. The instigation of a private prosecution is provided for in section 6 of the Prosecution of Offences Act 1985 and is subject to a power of the director of public prosecutions to take over the private prosecution at any stage (and, if they choose, to discontinue it). Law enforcement agencies are facing increasing pressures on budgets and the criminal justice system is facing unprecedented challenges as the coronavirus pandemic produces an expanding pipeline of cases. The inevitable result will be delays, which will have an adverse effect on outcomes and may lead to more private prosecutions being sought. Statements by law enforcement and regulators concerning their focus on coronavirus-linked frauds may increase the desire to instigate more private prosecutions into broader economic crime.

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

It is a contempt of court to publish a report that creates a substantial risk that the course of justice in active criminal proceedings will be seriously impeded or prejudiced. Proceedings are active for this purpose after arrest or charge and until the proceedings have been concluded, for example by acquittal or conviction, or discontinuance by the authority. As a result, there is generally very little media reporting of criminal investigations in the UK until the end of a trial, other than to state the facts of arrests and report court hearings.

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

It is common practice for companies to hire a public relations (PR) firm to manage a large-scale corporate crisis to mitigate potential reputational damage. It is important to ensure a consistent approach by opening good lines of communication between the company’s internal marketing team and the external PR firm, and to ensure that the PR firm is aware of any legal or corporate issues (including any agreements reached with the investigating authority with regard to press releases, etc.).

It is also vitally important that public statements do not have the potential effect of prejudicing ongoing criminal proceedings (for example, the trial of the company or individual employees) or contradict any defence on which the company may later seek to rely. For those reasons, statements issued by a company under investigation should be brief and factual, and should always be approved by the company’s criminal law advisers.

73 How is publicity managed when there are ongoing related proceedings?

As stated in question 72, it is vitally important that public statements issued by the company do not have the potential effect of prejudicing ongoing criminal proceedings, such as the related prosecution of employees or third parties.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

Under the UK Listing Rules, publicly listed companies must issue a market announcement without delay regarding any major new development that may affect their business, if the development may lead to a substantial share price movement. The point at which a company is informed that it is the subject of an investigation would generally require an announcement, as would the settlement of criminal proceedings.

If the matter is to be settled by way of a DPA, the matter is not settled until it has actually been approved by a judge at a court hearing. In practice, prior to the final hearing (at which the parties will generally expect approval to be given, as the terms, among other things, will have been examined and challenged at preliminary hearings), the company and the authority will have agreed press statements to be released to the market and wider public as soon as approval is given.

Similarly, under the Alternative Investment Market Rules (AIM is a sub-market of the London Stock Exchange), an AIM company is required to update its nominated adviser, who is responsible to the London Stock Exchange, of any developments that may affect the business if that development may lead to a significant price movement of its securities. With the assistance of the nominated adviser, an AIM company is required to issue notifications of such developments to the market without delay.

Anticipated developments

75 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

The UK government is due to report on its call for evidence in expanding the ‘failure to prevent’ offence to include other economic crime (it currently covers bribery and the facilitation of tax evasion).

In April 2018, the European Parliament voted to adopt the Fifth Money Laundering Directive (5MLD). Intended to address weaknesses and update 4MLD, the final regulations for 5MLD were laid in Parliament on 20 December 2019 and came into force on 10 January 2020.

5MLD makes significant changes to the anti-money laundering regime in the EU, including designating virtual currency platforms and custodian wallet providers as obliged entities for the purposes of 4MLD and revising the scope of the customer due diligence provisions. It will also require enhanced due diligence to be carried out in transactions to and from high-risk countries; increase powers and access to information for national financial intelligence units; and require registers of corporates’ beneficial ownership information to be made available to the general public.

In June 2019, the Law Commission published its report on the suspicious activity reporting process, concluding that although the core of the current system should be retained, improvements and efficiencies are required if the reporting regime is to produce useful intelligence rather than simply volumes of low-quality information. Recommendations include:

  • the creation of an advisory board of industry experts to oversee the drafting of guidance and advise the secretary of state on appropriate improvements and how best to respond to emerging threats;
  • the production of a new standardised online suspicious activity report (SAR) form, to make the reporting process easier to navigate, promoting greater consistency in the information that is provided in an easy-to-read, accessible format that would also allow analytical techniques to be applied to it, and speed up the process; and
  • allowing ring-fencing of suspected criminal property by a credit of financial institution in certain circumstances. The practical effect of submitting an SAR is that whole accounts are frozen, not just the allegedly criminal property element, which can cause difficulties for both banks and account holders while a decision on consent to proceed is awaited (and even after that). This recommendation will give some comfort, particularly to banks, allowing for a more proportionate response to the reporting of suspected criminal property, enabling transactions on legitimate funds to continue while prohibiting the use of those under suspicion.

The UK government’s response to the recommendations is awaited.


[1] Tom Stocker, Neil McInnes, Natalie Sherborn, Andrew Sackey and Laura Gillespie are partners at Pinsent Masons. The firm’s white-collar crime, investigations and compliance team wishes to recognise the valuable contributions made by team members, specifically Stacy Keen, David Hamilton and Olga Tocewicz (senior associates), Katie Davighi (associate), Alistair Wood and Rebecca Devaney (solicitors), employment law specialists Paul Gillen (partner) and Christopher Evans (senior associate), cybercrime specialist Stuart Davey (senior associate) and data protection expert Anna Flanagan (senior associate).

Unlock unlimited access to all Global Investigations Review content