Europe Overview
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Introduction
The European investigations landscape is characterised by a patchwork of varying legislative and regulatory frameworks and enforcement approaches. These are often shaped by past events and current political priorities in particular jurisdictions. These variations and the pace of change mean that cross-border investigations, whether involving multiple European jurisdictions or parallel investigations by enforcement authorities in other regions (or sometimes both), frequently present thorny practical and tactical challenges.
This overview does not seek to duplicate the commentary and analysis set out in many of the chapters in this volume. Rather, it looks at some of the key priorities of European enforcement authorities, focusing on anti-bribery and corruption, anti-money laundering, tax evasion and data protection. There is significant ongoing activity in these areas, and some authorities are adapting their approaches to make effective use of changes in the law and additions to their toolkits. This overview also looks ahead to seek to identify the key issues and trends on which those who are subject to investigations throughout Europe should be focusing.
Areas of enforcement risk
Anti-bribery and corruption
A substantial number of investigations by enforcement authorities have arisen following significant legislative developments that introduced corporate offences of failure to prevent bribery with extraterritorial effect (such as the UK Bribery Act 2010 (UKBA) and France’s Sapin II Law). These legislative developments have been accompanied by new mechanisms enabling criminal investigations that involve corporate organisations to be concluded through negotiated settlements. To date in Europe, these mechanisms have been used mainly (although not exclusively) in cases concerning historic bribery and corruption involving corporate organisations.
Following these developments, and despite a slow start, there has been increasing pressure for corporate criminal liability to be expanded to encompass other financial offences. The UK government, for example, commissioned a consultation in 2021 on the extent to which corporate criminal liability should be further reformed in England and Wales.[2]
Several other jurisdictions have introduced anti-bribery legislation in recent years, some of which has been the subject of criticism. In Ireland, for example, an offence analogous to the UK corporate offence of failure to prevent bribery came into force in July 2018.[3] However, the Irish statute has been described as flawed for failing to meet guidelines published by the Organisation for Economic Co-operation and Development (OECD). This is because the Irish statute requires dual criminality for an offence to be committed overseas.[4] Further, there is no guidance akin to that published by the UK Ministry of Justice in relation to ‘adequate procedures’ under the UKBA. There is therefore some remaining uncertainty among corporate organisations and their advisers as to exactly what ‘taken all reasonable steps and exercised all due diligence’ means in the Irish legislation, and how to avail oneself of a defence to the corporate offence. Given the nature of the Irish economy, and in particular its attractiveness to multinational technology and financial services companies, there is potential for investigations in Ireland to have significant cross-border elements, and clarity on this point would be welcome.
Elsewhere, German criminal law does not currently recognise the concept of corporate criminal liability. Although the German government introduced draft legislation in this area in August 2019, the legislation was not passed before the end of the same legislative session. As a result, the German government will need to reintroduce the draft legislation after the federal elections in September 2021 if it is to become law. It is unclear whether there is any appetite to do so.[5] In Poland, the OECD has described delays to legislation amending liability under Polish law for legal persons, and increasing financial penalties against corporations, as ‘a serious concern’. It is unclear whether the Polish government will enact any reform.[6]
Anti-money laundering
Although anti-money laundering (AML) enforcement remains high on most enforcement authorities’ agenda, approaches to, and the resources available for, investigations vary considerably between European jurisdictions. This is despite the introduction of various iterations of the EU Money Laundering Directives (MLDs), which aim to standardise this area of enforcement. The latest MLD was the sixth, which EU Member States were due to implement by 3 December 2020. The sixth MLD seeks to regularise further the AML enforcement landscape in Europe, for example by:
- standardising the 22 predicate offences that must be considered ‘criminal activity’ for the purposes of money laundering by EU Member States;
- requiring EU Member States to expand criminal liability for money laundering to legal persons; and
- setting certain increased EU-wide minimum penalties for money laundering.
Although the effect of the sixth MLD is yet to be fully felt, enforcement action across Europe has continued apace. Some of the highest penalties imposed in recent years have resulted from investigations by Sweden’s Financial Supervisory Authority[7] and the Netherlands’ Public Prosecution Service.[8] These fines were issued for breaches of regulatory requirements and criminal law by major institutions in relation to their AML systems and controls. This marks a change, since France and the United Kingdom have historically imposed the heaviest fines in the region for AML-related transgressions. That is not to say that France’s AML-related enforcement has not remained effective. The Autorité de Contrôle Prudentiel et de Résolution has reportedly focused in 2020 on smaller financial institutions, including payment service providers, rather than larger banks and money services businesses.
Fines are not the only notable feature of enforcement activity in this area. First, reflecting an increasingly close focus on individual accountability, regulators are now ready and able to pursue individuals considered to have played a part in AML failings. Second, it would appear that some European regulators are starting to initiate criminal prosecutions for this conduct at a corporate level. In 2021, the UK Financial Conduct Authority (FCA), for example, initiated its first criminal prosecution of a major financial institution for allegedly failing to prevent money laundering. It remains to be seen whether this prosecution will be successful, and the extent to which non-monetary penalties, such as reputational damage, will influence the approach of financial institutions in the future.
Tax evasion
Tax evasion is also increasingly attracting authorities’ attention. In particular, several jurisdictions are seeking to prosecute a trading activity, known as cum-ex trading, whereby banks and stockbrokers engage in trading shares in a manner that allows both sides of a transaction to claim a tax rebate on the dividends purportedly paid by the shares. Germany is the most prominent example, where an estimated €31.8 billion was fraudulently claimed from the government in the form of rebates between 2001 and 2016.[9] It has been estimated that the total cost to the European taxpayer is more than €55 billion between 2001 and 2012.[10]
Enforcement action in response to such long-standing and wide-ranging conduct is complex, but has enjoyed some success. The Danish tax authority (SKAT), for example, charged three UK nationals and three US nationals for their role in allegedly defrauding the Danish treasury.[11] At least one former executive of a private bank in Germany has been sentenced to five and a half years for similar conduct, and two British nationals received suspended sentences in Germany.[12] However, enforcement action in response to this activity has not been entirely successful. Denmark, for example, is currently seeking to appeal a UK High Court decision ruling that SKAT cannot pursue a lawsuit seeking to recover £1.5 billion in the English courts.
More generally, the impact of fraud on the support measures introduced by various governments in response to the coronavirus pandemic has been well publicised. The UK government has announced an investment of £100 million in a Taxpayer Protection Taskforce to recover funds paid out incorrectly or as a result of fraud during the pandemic.[13] We anticipate other European jurisdictions will take a similar approach.
Data protection
The General Data Protection Regulation (GDPR) is now three years old and several themes are emerging. Following Brexit, we are yet to see any substantive divergence by the United Kingdom away from the GDPR, probably because of the UK’s need to obtain an adequacy decision in respect of its data protection legislation, which it duly received in June 2021. Now that this decision has been obtained, potential divergence by the United Kingdom is a trend to watch for in 2022, as the UK government starts to consider how best to approach the digital economy and data protection outside the European Union.
The most significant trend we have seen thus far is the willingness of European data protection authorities to enforce the GDPR aggressively. A total of 880 fines have been issued, or declared, for a cumulative total of €1,291,357,143.[14] The largest fines have also been significant. Amazon may be fined up to €746 million by Luxembourg’s data protection authority (at the time of writing the fine had been issued but was still subject to challenge by Amazon), and Google Inc was fined €50 million by the French data protection authority in 2019.
A developing trend of note is the role that non-governmental organisations have played in initiating data protection enforcement actions in the European Union. For example, La Quadrature du Net and None of Your Business (NOYB), French and Austrian pressure groups respectively, have reportedly filed (either collectively or individually) complaints that prompted the enforcement actions against Amazon and Google mentioned above. In addition to filing complaints, pressure groups are also litigating data protection issues directly. NOYB, through its leader Max Schrems, conducted the litigation that resulted in the US–EU Privacy Shield being declared invalid, and the Dutch pressure group Privacy Collective is reportedly suing Salesforce and Oracle in a class action targeting the cookie-tracking practices deployed by both companies. Corporates should therefore be aware that oversight of their data protection practices may be undertaken by civil society, not just regulators, and that those grievances may be taken to court.
Beyond the increasing importance of data protection as a risk area for corporates, investigators must now also keep data protection issues in mind when tackling a cross-border investigation. In particular, issues arising from the international transfer of personal data are becoming increasingly difficult globally, not just in Europe.
Increased pressure and incentives to co-operate
In England and Wales, the body of cases in which deferred prosecution agreements (DPAs) have been concluded between the Serious Fraud Office (SFO) and co-operating corporate organisations is slowly growing. Although the figure of 20 agreements per year predicted during the passage of the legislation that introduced DPAs seems unlikely to be achieved in the near term, the SFO entered into three DPAs in 2020 and three in 2021 (so far). This is the highest annual total for the SFO since the introduction of DPAs in the United Kingdom. Despite this increase, the SFO has itself been under pressure, having failed to date to secure the conviction of any individual named as an alleged offender in any of the DPAs. Against this backdrop, it remains to be seen whether the UK DPA regime will be considered a success, and if corporates will consider co-operation to be worthwhile. The SFO may also find itself under increasing scrutiny after it was revealed that the agency’s enforcement activity has been markedly reduced during the coronavirus pandemic.
In France, the authorities responsible for investigating and prosecuting financial crime, the French Anti-Corruption Agency (AFA) and the National Financial Prosecutor’s Office (PNF), have now concluded 13 published judicial public interest agreements (CJIPs)[15] with companies of various sizes, including one in which the global penalties imposed exceeded US$3.9 billion. A recent example also indicates that co-operation with the French authorities can result in a significant reduction in penalty. Systra, a transport company, saw its theoretical potential fine of €187 million ultimately levied at €7.5 million after the French authorities viewed the comprehensive compliance programme, in conjunction with historic offending, favourably.[16]
It remains to be seen whether further jurisdictions will enact similar measures. A November 2020 report published by the Irish government as part of measures to enhance Ireland’s ability to fight economic crime declined to recommend the introduction of a deferred prosecution regime. In their report, the authors stated that they were ‘not convinced that the introduction of a DPA regime will yield any significant benefit given the UK experience so far’.[17]
Although mechanisms similar to DPAs and CJIPs (or aspects of them) exist in some other jurisdictions around Europe, including Belgium, the Czech Republic, Romania and Slovakia, they are available only in some of these jurisdictions to resolve allegations of corruption, and the practice and procedure around the use of those mechanisms is not always clearly set out. It is also unclear whether any of these jurisdictions wish to expand these mechanisms. Concluded cases of the same magnitude as those seen in the United Kingdom and France have yet to be publicised.
The different approaches of European jurisdictions should be considered when dealing with global settlements. The Dutch company VEON, for example, entered into a joint global settlement with Dutch and US authorities to resolve an enforcement action under the US Foreign Corrupt Practices Act (FCPA), whereas Ericsson became the subject of an investigation by the Swedish authorities shortly after reaching a settlement to resolve an FCPA action with the US authorities.
In jurisdictions where DPAs are already established, authorities’ and courts’ expectations of co-operating corporate organisations in order for (1) negotiations to take place and (2) a settlement to be agreed and approved, are becoming clearer. In particular, the AFA and the PNF in France, and the SFO in the United Kingdom (in June and August 2019, respectively) have released guidance that clarifies their views on the co-operation needed to create the right conditions for a negotiated settlement to follow.[18] Courts and prosecutors have also provided guidance on whether corporate organisations are demonstrating the required levels of co-operation, while maintaining claims to legal professional privilege (where it is available).
Culture and individual accountability
Among the most prominent themes in investigations concerning corporate organisations is the focus on culture, both at the time when alleged misconduct occurred and when any investigation is commenced. The definition of what constitutes ‘good culture’ is elusive. Authorities deciding whether to commence, continue and discontinue investigations (and selecting which charges to pursue) attach substantial importance to whether they consider alleged conduct (including individuals’ conduct outside the workplace) to be indicative of a poor culture.
Although the FCA has historically published information about culture and governance as categories of enforcement data in their own right, it no longer does so. This perhaps suggests that the FCA views culture as pervasive across the firms that it regulates, and so it no longer needs to be explicitly identified as a stand-alone category.
The UK Senior Managers Certification Regime (SMCR) goes further than previous regulatory initiatives directed towards individual accountability. It gives the FCA and the Prudential Regulation Authority (PRA) powers to take action against a much broader population of individuals within firms. It also requires firms to document the specific responsibilities of their most senior executives, thus providing the FCA and PRA with clear road maps that may be used to hold those individuals accountable for breaches of regulatory requirements by firms. The FCA is now routinely using the SMCR for this purpose during enforcement investigations. Although enforcement authorities around Europe have been watching to see how the FCA and PRA seek to use these mechanisms to drive up standards of behaviour within the financial services industry, it remains to be seen whether other European regulators will follow the SMCR approach. By contrast, other common law jurisdictions, such as Singapore, Hong Kong and Australia,[19] have enacted regimes similar to the SMCR in recent years.
Even in countries where enforcement authorities have not explicitly named culture as an enforcement priority, boards are increasingly concerned to demonstrate their commitment to culture. Cases across Europe have shown the substantial reputational damage that can result from allegations of poor cultural practices and the speed at which allegations can cross borders (including into jurisdictions where enforcement authorities are active in this area).
Information sharing and multi-jurisdictional investigations
European investigation and enforcement authorities continue to collaborate actively with one another and with their counterparts globally, using mutual legal assistance treaties and other informal arrangements. There have been particularly noticeable increases in efforts to collaborate across borders where authorities have acquired the ability to enter into global settlements involving overseas enforcement authorities, and in GDPR-related enforcement.
Across Europe, traditional boundaries between enforcement authorities’ remits are becoming increasingly blurred. The authorities are having to take an increasingly flexible view of what they are responsible for investigating, which authority should take the lead and how they should most effectively collaborate. Overlaps between the remits of antitrust, data protection and financial services enforcement authorities are becoming increasingly apparent. One example of this flexibility was the close co-operation between Luxembourg’s and France’s data protection authorities when Amazon was investigated for violating the GDPR.[20]
Enforcement authorities, conscious of the potential for duplication and delay, are anticipating these overlaps, both within and between jurisdictions, and are implementing mechanisms to facilitate collaboration. For example, following Brexit, the FCA entered into a series of detailed memoranda of understanding with the relevant national competent authorities within the European Union and the European Economic Area, setting out how these agencies will co-operate and exchange information.[21] Although convictions and other enforcement outcomes in one jurisdiction will commonly be the product of extensive information sharing between authorities, there are as yet few significant concluded examples of enforcement authorities simultaneously pursuing enforcement cases against the same targets in multiple European jurisdictions.
EU institutions as enforcement authorities
Historically, there have been relatively few examples of supranational European authorities (other than the European Commission (EC) in its role as an antitrust enforcement authority) taking overarching enforcement action. That said, there is a clear movement to facilitate greater co-operation and coordination with respect to enforcement activity at a European level. This is both as a response to past incidents in which regulatory arrangements were found to have been lacking and in an effort to counter perceived growing threats.
In particular, the European Union has stepped up its focus on a pan-European approach to AML enforcement following AML failings in various European states. Until now, AML legislation encouraging closer collaboration between national investigation and enforcement authorities has taken the form of successive AML Directives (which, as they are not directly effective instruments and require transposition by Member States into their national laws, have been implemented in different ways and to different extents). For example, as of May 2021:
- only 70 per cent of EU Member States had been identified as having fully transposed the fifth MLD into their national laws, despite a deadline of January 2020;[22] and
- the fourth MLD had yet to be completely transposed into the national laws of all EU Member States, despite 16 June 2017 being the deadline for doing so.[23]
The European Banking Authority (EBA) was given additional powers following several well-publicised AML failings. As of 1 January 2020, the EBA has been:
- tasked with coordinating national authorities’ supervisory responsibilities in respect of AML activity;
- empowered to lead on the establishment of AML policies by national authorities; and
- required to monitor the implementation of AML standards within Europe.[24]
An example of the EBA’s work in this area can be found in the revised guidelines on money laundering and terrorist financing risk factors published in March 2021. As part of a general update to the AML landscape in the European Union (EU AML), the guidelines address new money laundering risk factors and seek to develop more effective and consistent supervisory approaches across Europe.[25] It is apparent that the EBA will continue to rationalise the AML landscape. On 2 August 2021, the authority published a consultation paper[26] seeking views on draft guidelines setting out the role, tasks and responsibilities of AML compliance officers under the fourth MLD. It is the first time that the regulatory expectations for AML compliance officers have been set out at a European level, apparently with a view to adopting a similar EU-wide approach such as that required under the GDPR for data protection officers.
Despite this activity, arrangements are still far from uniform across Europe. The extent to which the requirements set out in successive MLDs have been effectively transposed, and other provisions relating to cross-border collaboration and resourcing of national authorities have been implemented, varies widely between jurisdictions and will require further action to resolve.
In some instances, bilateral and multinational arrangements are in place, helping authorities to deploy their resources as effectively and efficiently as possible in cross-border AML investigations. The most recent example, which is also a response to the concerns about previous enforcement arrangements already mentioned, is a formal mechanism to enable Baltic and Nordic AML regulators to exchange information and coordinate enforcement action. There are also increasingly sophisticated mechanisms in place in some jurisdictions to enable information sharing between private sector organisations, and with enforcement authorities.[27] In July 2020, the Netherlands Bankers’ Association announced that the country’s three largest banks and two smaller lenders would create a purely private joint transaction monitoring body, called Transaction Monitoring Netherlands,[28] designed to flag activity of concern that would not necessarily be identified as suspicious by a single institution’s compliance department. Transaction Monitoring Netherlands is due to begin monitoring transactions in 2021. However, at the time of writing, it was unclear whether it had.[29]
The EC also appears determined to take further action. On 20 July 2021, it unveiled a further package of legislative proposals to strengthen the EU AML framework. The package included the creation of a new EU enforcement agency tasked with combating money laundering, called the Anti-Money Laundering Authority (AMLA).[30] The intent is to establish AMLA as a ‘centrepiece’ of a supervisory system that includes national authorities. This will allow the EC to directly supervise certain high-risk entities and join the front-line of AML enforcement. This is a welcome development in light of recent AML scandals, which invariably involve a cross-border element, leaving national enforcement agencies piecing together an incomplete picture after the conduct has completed.
Away from AML enforcement, the EC remains active as an antitrust enforcement authority. Some long-standing themes continue to feature in European antitrust investigations. There are exceptions to rules relating to legal professional privilege (in jurisdictions where it is part of the legal landscape). Leniency provisions often do not dovetail neatly with other regulatory mandatory reporting obligations. There are significant variations in the approaches taken by the EC and national competition authorities. There would also appear to be a different focus on sectors of enforcement. The EC appears to be concentrating on technology companies, as opposed to perhaps the more traditional financial crime targets, namely financial institutions and extractive industries. These, and other themes, mean that European antitrust investigations have to be handled differently from those pursued by other regulators.
In other areas, authorities with a pan-European remit have been active. The European Anti-Fraud Office (known as OLAF), the division of the EC responsible for investigating fraud against the EU budget, and corruption and serious misconduct within EU institutions, has been particularly active in conducting investigations. The most recent available statistics indicate that OLAF concluded 230 investigations and commenced 290 investigations during 2020 and recommended that national authorities take action to recover nearly €294 million in 2020.[31]
In addition, Europol has conducted extensive work to seek to coordinate national responses and lay the foundations for possible future multilateral criminal enforcement action in a number of areas, including notably in relation to large-scale cyberattacks[32] and the coronavirus pandemic.[33]
It seems likely that levels of coordinated pan-European criminal enforcement action will increase in future. The new European Public Prosecutor’s Office (EPPO) became operational in June 2021. In the 22 Member States that have signed up to the arrangements establishing it,[34] EPPO will have powers to investigate and prosecute crimes against the EU budget, such as fraud, corruption and tax fraud valued at over €10 million. It will not replace OLAF or other existing investigating and prosecuting authorities (or national enforcement authorities) but will pool experience, adopt a consistent prosecution policy, and be able to use streamlined procedures for the exchange of information across borders. Laura Codruţa Kövesi, the current head of EPPO and European Chief Prosecutor, has indicated a willingness to use EPPO’s powers extensively.[35] Indeed, following a lengthy preparatory phase, EPPO started its investigations promptly, organising a coordinated series of searches in early August 2021 across five European jurisdictions in connection with a VAT fraud estimated to be worth €14 million.[36]
Brexit certainty?
Despite fears that Brexit would cause significant damage to cross-border investigations and enforcement, the December 2020 trade and co-operation deal (the Brexit Deal) did much to limit the consequences of Brexit in the areas of enforcement and investigations. In the context of the Irish border (a potential enforcement flashpoint), a UK parliamentary committee found (in April 2021) that ‘Brexit had had no discernible operational impact on cross-border policing and the ability to co-operate with partners in the EU has been maintained’.[37]
In addition to the Brexit Deal, the steps that the UK government took to maintain access to a similar level of information from European enforcement agencies following Brexit appear to be helping to maintain the status quo. In February 2021, the UK government stated that the Interpol systems and Warning Index used by the United Kingdom for law enforcement purposes, which are no longer automatically integrated into the UK Police National Computer following Brexit, update at broadly the same speed as the pre-Brexit systems.[38]
It should be noted, however, that Brexit is still only a recent development and that a greater impact may become apparent over time. It is likely that an assessment will only be possible once the backlog of pre-Brexit investigations and cases is resolved, and authorities begin to tackle post-Brexit investigations and cases. Areas of future concern include the European Investigation Order scheme and issues in replacing the European Arrest Warrant (EAW) scheme in the United Kingdom.
The United Kingdom is no longer part of the European Investigation Order scheme. The Brexit Deal provided that UK–EU arrangements would revert to a mutual legal assistance scheme governed by a 1959 convention. It would appear that the process of obtaining information under these new arrangements might take longer. Although the European Investigation Order scheme gave states 30 days from the receipt of a request to decide whether to execute it, the new arrangements allow 45 days.
Further, following its withdrawal from the EAW system, 10 EU Member States have notified the United Kingdom of their intention to exercise an absolute bar on the extradition of their own nationals to the United Kingdom, and an additional two nations shall only extradite their own nationals to the United Kingdom with the individual’s consent.[39] It appears that the European Union and the United Kingdom will need to take care to ensure cross-border enforcement action can be maintained, otherwise it is possible that the UK government will soon find it difficult to close cases against individuals of certain nationalities who have returned to their home nation in Europe. Before Brexit, the EAW would probably have resolved the issue. It remains to be seen whether this will prove to be a significant challenge for UK enforcement activity in the future.
Footnotes
1 Robert Dalling and Kelly Hagedorn are partners and Matthew Worby is an associate at Jenner & Block London LLP.
3 Ireland: Criminal Justice (Corporate Offences) Act 2018.
4 ‘Irish corruption law not in compliance with OECD guidelines’, The Irish Times (26 August 2019), at https://www.irishtimes.com/news/crime-and-law/irish-corruption-law-not-in-compliance-with-oecd-guidelines-1.3997012.
5 ‘German corporate criminal liability reforms left in limbo’, Global Investigations Review (2 July 2021), at https://globalinvestigationsreview.com/anti-corruption/german-corporate-criminal-liability-reforms-left-in-limbo.
6 ‘Poland’s lack of progress in implementing reforms to boost fight against foreign bribery remains a serious concern’ (22 June 2021), at https://www.oecd.org/poland/poland-s-lack-of-progress-in-implementing-reforms-to-boost-fight-against-foreign-bribery-remains-a-serious-concern.htm.
7 Sweden: Swedbank was fined US$386 million for compliance deficiencies relating to Baltic money laundering, and Skandinaviska Enskilda Banken was fined €95 million for similar conduct.
8 Netherlands: ING Groep was fined US$900 million for broad failures relating to financial crime compliance controls.
9 ‘Cum-ex tax scandal cost European treasuries €55 billion’, DW Akademie (18 October 2018), at https://www.dw.com/en/cum-ex-tax-scandal-cost-european-treasuries-55-billion/a-45935370.
10 The Cum-ex files (information document), European Parliament, at https://www.europarl.europa.eu/cmsdata/158435/2018-11-26%20-%20Information%20paper%20on%20Cum-ex%20-%20Cum-cum.pdf.
11 ‘Dividend Reclaim Case: Six persons formally charged with defrauding the Danish Treasury of more than DKK 1 billion’, Anklagemyndigheden, at https://anklagemyndigheden.dk/sites/default/files/inline-files/2096_PM_Udbyttesagen_North%20Channel%20Bank_EN.pdf.
12 ‘Banker first to be jailed in German tax fraud scandal’, Reuters (1 June 2021), at https://www.reuters.com/legal/transactional/banker-first-be-jailed-german-tax-fraud-scandal-2021-06-01/.
13 ‘COVID-19: how HMRC will continue to support customers and the economy’, HM Revenue and Customs, at https://www.gov.uk/government/publications/hmrc-issue-briefing-how-hmrc-will-continue-to-support-customers-and-the-economy/covid-19-how-hmrc-will-continue-to-support-customers-and-the-economy.
14 As at 4 October 2021. This figure includes notices of an intention to fine and so may be subject to change – see https://www.privacyaffairs.com/gdpr-fines/.
16 ‘Regular compliance renewal helps French transport company minimise corruption fine’, Global Investigations Review (2 August 2021), at https://globalinvestigationsreview.com/anti-corruption/regular-compliance-renewal-helps-french-transport-company-minimise-corruption-fine.
17 Department of Justice, ‘Review Group Report on structures and strategies to prevent, investigate and penalise economic crime and corruption’ (June 2021), at https://www.gov.ie/en/publication/be30e-review-group-report-on-structures-and-strategies-to-prevent-investigate-and-penalise-economic-crime-and-corruption/.
18 UK: see Serious Fraud Office, Corporate Co-operation Guidance, at https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/corporate-co-operation-guidance/. France: see French Anti-Corruption Agency, at https://www.agence-francaise-anticorruption.gouv.fr/files/files/Lignes%20directrices%20PNF%20CJIP.pdf; https://www.agence-francaise-anticorruption.gouv.fr/fr/lafa-et-parquet-national-financier-precisent-mise-en-oeuvre-convention-judiciaire-dinteret-public.
19 Singapore: Individual Accountability and Conduct Regime. Hong Kong: Manager-in-Charge Regime. Australia: Banking Executive Accountability Regime.
20 ‘The Luxembourg data protection authority fined Amazon Europe Core €746 million’, National Commission for Computing and Liberty (3 August 2021), at https://www.cnil.fr/fr/lautorite-luxembourgeoise-de-protection-des-donnees-prononce-lencontre-damazon-europe-core-une.
21 ‘MoUs with European authorities in the areas of securities, investment services and asset management, insurance and pensions, and banking’, Financial Conduct Authority (4 January 2021), at https://www.fca.org.uk/news/statements/mous-european-authorities-securities-insurance-pensions-banking.
22 ‘Anti-money laundering directive V (AMLD V) – transposition status’, European Commission (2 June 2020), at https://ec.europa.eu/info/publications/anti-money-laundering-directive-5-transposition-status_en.
23 ‘Anti-money laundering directive IV (AMLD IV) – transposition status’, European Commission (5 October 2020), at https://ec.europa.eu/info/publications/anti-money-laundering-directive-4-transposition-status_en.
24 Regulation (EU) 2019/2175.
25 ‘EBA publishes final revised Guidelines on money laundering and terrorist financing risk factors’, European Banking Authority [EBA] (1 March 2021), at https://www.eba.europa.eu/eba-publishes-final-revised-guidelines-money-laundering-and-terrorist-financing-risk-factors.
26 Consultation Paper: Draft Guidelines: ‘On policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849’, EBA, at https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Consultations/2021/Consultation%20on%20draft%20Guidelines%20on%20the%20role%2C%20tasks%20and%20responsibilities%20AML-CFT%20compliance%20officers/1018277/CP%20GLs%20on%20AMLCFT%20compliance%20officer.pdf.
27 In the United Kingdom, with effect from October 2017, previously voluntary arrangements enabling information sharing within the private sector and between private sector organisations and enforcement authorities were placed on a statutory footing – Criminal Finances Act 2017, s.11 (which amended the Proceeds of Crime Act 2002).
28 See press release, Netherlands Bankers’ Association, ‘Transaction Monitoring Netherlands: a unique step in the fight against money laundering and the financing of terrorism’, at https://www.nvb.nl/english/transaction-monitoring-netherlands-a-unique-step-in-the-fight-against-money-laundering-and-the-financing-of-terrorism/.
30 https://ec.europa.eu/info/publications/210720-anti-money-laundering-countering-financing-terrorism_en.
31 See European Anti-Fraud Office, ‘The OLAF Report 2020’, at https://ec.europa.eu/anti-fraud/system/files/2021-09/olaf_report_2020_en_0.pdf, p. 3.
32 See press release, Europol (30 June 2021), at https://www.europol.europa.eu/newsroom/news/coordinated-action-cuts-access-to-vpn-service-used-ransomware-groups.
33 See press release, Europol (22 June 2021), at https://www.europol.europa.eu/newsroom/news/terrorists-attempted-to-take-advantage-of-pandemic-says-europol%E2%80%99s-new-eu-terrorism-situation-and-trend-report-2021.
34 Sweden, Hungary, Denmark, Ireland and Poland having opted out.
35 See further details in relation to the European Public Prosecutor’s Office at https://europa.eu/rapid/press-release_MEMO-17-1551_en.htm, and the appointment of the European Chief Prosecutor at www.europarl.europa.eu/news/en/press-room/20190923IPR61749/kovesi-to-become-eu-chief-prosecutor.
36 ‘Premises in Germany, the Netherlands, Slovakia, Bulgaria and Hungary searched in the framework of an EPPO investigation into cross-border VAT fraud’ (4 August 2021), at https://www.eppo.europa.eu/en/news/premises-germany-netherlands-slovakia-bulgaria-and-hungary-searched-framework-eppo.
37 ‘Cross-border co-operation on policing, security and criminal justice after Brexit’, Northern Ireland Affairs Committee (22 April 2021), at https://committees.parliament.uk/publications/5650/documents/55754/default/.
38 National Crime Agency – Written evidence (PBS0001): Post EU Exit Law Enforcement Cooperation (3 February 2021), at https://committees.parliament.uk/writtenevidence/23533/pdf/.
39 Home Office – Written evidence (PBS0002): EU Member State Notifications under the Law Enforcement and Criminal Justice Title of the Trade and Cooperation Agreement, including Extradition Of Own Nationals (5 March 2021), at https://committees.parliament.uk/writtenevidence/23544/pdf/.